Re: [v6ops] [OPSEC] [Int-area] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt

Warren Kumari <warren@kumari.net> Fri, 18 July 2014 15:52 UTC

In-Reply-To: <53C8A0DF.9000605@si6networks.com>
References: <20140704235122.9794.84948.idtracker@ietfa.amsl.com> <53C35CC4.2070304@gmail.com> <53C57F39.7080800@gont.com.ar> <53C5C279.2090600@gmail.com> <53C5C91C.2020203@isi.edu> <53C5CAEE.5080805@si6networks.com> <53C6B1E5.4060905@isi.edu> <Pine.LNX.4.64.1407161401400.6057@shell4.bayarea.net> <53C82DE3.5010007@isi.edu> <53C84841.3050702@si6networks.com> <53C8506E.1050002@isi.edu> <53C8A0DF.9000605@si6networks.com>
Date: Fri, 18 Jul 2014 11:51:59 -0400
Message-ID: <CAHw9_iJDOp=F28Q5ypyXYjtirsBU_Q0BuK-hHZ62X_eUcxY5=g@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Fernando Gont <fgont@si6networks.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/wcbDjq4YPEm_0yVdHRuYz-5I4_w
Cc: "C. M. Heard" <heard@pobox.com>, OPSEC <opsec@ietf.org>, Internet Area <int-area@ietf.org>, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] [OPSEC] [Int-area] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt

On Fri, Jul 18, 2014 at 12:21 AM, Fernando Gont <fgont@si6networks.com> wrote:
> On 07/17/2014 04:38 PM, Joe Touch wrote:
>>>>
>>>> They need to be characterized as what they are:
>>>>
>>>>      - an attempt to accommodate devices that are NOT IPv6-compliant
>>>
>>> I'd have a hard time coming up with a vendor/device that can process
>>> IPv6 packets with HBH header with the same performance as regular
>>> packets. So.. are you suggesting that we start claiming that "we
>>> currently do not know of any ipv6-compliant routers", or what? (fwiw, I
>>> expect you are not)
>>
>> If we are, then it's time to adjust RFC2460.
>
> I disagree. Operational policy != protocol specification. Actually, the
> IETF can do whatever it wants with the protocol specs, but not that much
> with the operational stuff (other than providing *advice* -- because ops
> folks can do whatever they want with their networks).
>
>
>> IMO, we ought to:
>>
>>     - define the features/capabilities we think are necessary
>>
>>     - require that anything that doesn't support what's necessary
>>     as non-compliant
>>
>> Otherwise, you're just un-doing all the work that goes into the
>> standards process in the first place. All because you think that
>> anything you don't expect is an attack. It isn't. It just means you're
>> not prepared.
>
> We seem to be in disagreement. If anything, anything that I don't want
> is not an attack, but rather an unnecessary attack surface.

Related to this is
http://tools.ietf.org/html/draft-taylor-v6ops-fragdrop-02 -- Why
Operators Filter Fragments and What It Implies

This expired, but I suspect we may need to revive it...

W

> But again,
> please read the I-D... because it really doesn't follow that reasoning.
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492