Re: [v6ops] [OPSEC] [Int-area] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt
Warren Kumari <warren@kumari.net> Fri, 18 July 2014 15:52 UTC
Date: Fri, 18 Jul 2014 11:51:59 -0400
Message-ID: <CAHw9_iJDOp=F28Q5ypyXYjtirsBU_Q0BuK-hHZ62X_eUcxY5=g@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Fernando Gont <fgont@si6networks.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/wcbDjq4YPEm_0yVdHRuYz-5I4_w
Cc: "C. M. Heard" <heard@pobox.com>, OPSEC <opsec@ietf.org>, Internet Area <int-area@ietf.org>, IPv6 Operations <v6ops@ietf.org>

On Fri, Jul 18, 2014 at 12:21 AM, Fernando Gont <fgont@si6networks.com> wrote:
> On 07/17/2014 04:38 PM, Joe Touch wrote:
>>>>
>>>> They need to be characterized as what they are:
>>>>
>>>> - an attempt to accommodate devices that are NOT IPv6-compliant
>>>
>>> I'd have a hard time coming up with a vendor/device that can process
>>> IPv6 packets with HBH header with the same performance as regular
>>> packets. So.. are you suggesting that we start claiming that "we
>>> currently do not know of any ipv6-compliant routers", or what? (fwiw, I
>>> expect you are not)
>>
>> If we are, then it's time to adjust RFC2460.
>
> I disagree. Operational policy != protocol specification. Actually, the
> IETF can do whatever it wants with the protocol specs, but not that much
> with the operational stuff (other than providing *advice* -- because ops
> folks can do whatever they want with their networks).
>
>
>> IMO, we ought to:
>>
>> - define the features/capabilities we think are necessary
>>
>> - require that anything that doesn't support what's necessary
>> as non-compliant
>>
>> Otherwise, you're just un-doing all the work that goes into the
>> standards process in the first place. All because you think that
>> anything you don't expect is an attack. It isn't. It just means you're
>> not prepared.
>
> We seem to be in disagreement. If anything, anything that I don't want
> is not an attack, but rather an unnecessary attack surface.

Related to this is
http://tools.ietf.org/html/draft-taylor-v6ops-fragdrop-02 -- Why
Operators Filter Fragments and What It Implies

This expired, but I suspect we may need to revive it...

W

> But again,
> please read the I-D... because it really doesn't follow that reasoning.
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492