Re: Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Nov 27, 2018 at 11:46 AM C. M. Heard wrote:
> As I look at the advice for specific options more carefully, I find
> some inconsistencies in the advice for certain cases [...].
>
> I will follow up after doing a more thorough review of the specific
> advice for each option.

Here is the promised/threatened follow up.

Section 3.4.1.2, Specification of the Hop-by-Hop Options extension
header: the deprecated Endpoint Identification Option (Type 0x8A)
should not be listed here. The reference cited for this option states
that it is a Destination Option to convey Nimrod EIDs.

Section 3.4.6.2, Specification of the Destination Options extension
header: the Performance and Diagnostic Metrics (PDM) Option should be
listed here. The reference is RFC 8250.

Section 4: A subsection documenting the PDM Option needs to be added.
Insofar as this is a standard option that is to be ignored by systems
that do not implement it, the advice "should not discard" would be an
appropriate default.

Section 4: The advice for specific options is not conditioned upon
whether they are found in a Hop-by-Hop Options header or a Destination
Options header. However, every defined option (other than padding and
experimental types) is intended to appear in only one of those headers.
At a minimum this needs to be pointed out. It may be appropriate to
advise that packets with defined options that appear within the "wrong"
header should be discarded.

Section 4: The advice for Router Alert (Type=0x05, Proposed Standard)
and SMF_DPD (Type=0x08, Experimental) is "should discard", while the
advice for Quick-Start (Type=0x26, Experimental) is "should not
discard". All of these Hop-by-Hop options are applicable only in limited
domains (RFC 6398 says so for Router Alert), and Quick Start and Router
Alert have substantial security implications. Thus, I have a hard time
wrapping my head around the fact that they do not all get the same
advice. How about something like "intermediate systems should discard
packets that contain this option, except when deployed in an
administrative domain where the option is in use" for all of them?

Section 4: Randall Atkinson has provided detailed comments on CALIPSO.
I support those comments. Note that systems compliant with RFC 8200
that do not implement RFC 5570 would simply ignore the option.

Sections 4.3.18.5 and 4.4.5: as I previously stated, I think the right
strategy is to remain neutral and say that operators should determine
according to their own circumstances whether to discard packets
containing these options. Reiterated only for completeness.

Unused reference: I-D.ietf-6man-hbh-header-handling

Mike Heard




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux