On 12/5/2018 10:08 AM, Gert Doering wrote:
On Wed, Dec 05, 2018 at 06:57:28PM +0100, Ole Troan wrote:
You are creating the “perceived” security problem yourself, by requiring processing deeper into the packet than is required.
Just comply with RFC8200. As long as a router is not configured to process any HBH options, it can ignore the header.
You seem to think HBH still means “punt to software”. If it ever meant that.
There’s no need for rate-limiting for not processing HBH obviously.
I *must* be able to look at the protocol field of packets coming in on
our borders (see detailed description on our rate-limiting rules in
another mail of today). If there are EHs in the way so our routers'
hardware cannot decide if this is a TCP or UDP packet, these packets
go down the drain.
Gert, I think that you are actually pointing at a significant
issue with the draft.
The draft goes into an evaluation of "security issues", without
actually explaining some basic assumptions. For example, it is
hard to believe that a router forwarding too many packets of any
kind will cause an issue for the security *of that router*. But on
the other hand there is a widely distributed practice of network
equipment attempting to provide differential treatment of packets
based on protocol types and port numbers. That practice is not
acknowledged in the RFC that specify IPv6. In fact, the IPv6
design assumes that routers only look at the address and flow-id
fields. This design is actually a departure from IPv4, whose
header format makes it easy to skip over the option field and
assess the "five tuple".
The draft *implicitly* assumes that routers will try to find the
protocol and port numbers "because of security reasons", but never
actually delineates these reasons. I think the discussion would be
much more productive if the draft started by explaining why
network managers believe that access to the "five tuple" is
essential for a variety of reasons, many of which are only
tangentially related to "security". At that point we can have a
discussion between protocol designers assuming that the network
routers shall only look at IPv6 addresses and that everything else
is end-to-end on one side, and on the other side network managers
explaining why they need access to the payload type and port
numbers.
My personal preferences on the subject are not very relevant, and
I could actually line up arguments for both sides of that debate.
But I believe that getting to a resolution there would be much
better than arguing piecemeal over this or that end-to-end option.
-- Christian Huitema
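The contrast Christian draws, between an IPv4 header that lets a router skip the option field and read the five-tuple at a fixed offset and an IPv6 packet whose transport header sits at the end of an extension-header chain, is exactly what Gert's "packets go down the drain" rule turns on. The Python below is added here as an illustration and is not part of the thread: it walks the IPv6 extension-header chain the way a border classifier would have to, and reports the reason whenever protocol and ports cannot be recovered (chain longer than the inspection depth, non-first fragment, ESP or an unknown header). Header layouts follow RFC 8200 (and RFC 4302 for AH); the `parse_depth` budget, the sample packets and the 2001:db8::/32 addresses are constructed assumptions, not measurements of any real platform.

```python
import struct

# Next-header values from the IANA protocol-numbers registry.
HOPOPT, TCP, UDP = 0, 6, 17
IPV6_ROUTE, IPV6_FRAG, ESP, AH, IPV6_NONXT, IPV6_OPTS = 43, 44, 50, 51, 59, 60

# Extension headers whose second byte is "Hdr Ext Len" in 8-octet units,
# not counting the first 8 octets (RFC 8200 sections 4.3, 4.4, 4.6).
EXT_HEADERS_VARLEN = {HOPOPT, IPV6_ROUTE, IPV6_OPTS}

# Constructed addresses from the 2001:db8::/32 documentation prefix.
SRC = bytes.fromhex("20010db8" + "0" * 23 + "1")
DST = bytes.fromhex("20010db8" + "0" * 23 + "2")


def ipv6_packet(next_header, body):
    """Fixed 40-byte IPv6 header (version 6, hop limit 64) followed by body."""
    hdr = struct.pack("!IHBB", 6 << 28, len(body), next_header, 64)
    return hdr + SRC + DST + body


def options_header(next_header, extra_8octets=0):
    """HBH or Destination Options header of 8*(extra_8octets+1) bytes, filled with one PadN."""
    total = 8 * (extra_8octets + 1)
    padn_len = total - 4                      # PadN = type 1, length N, N zero bytes
    return bytes([next_header, extra_8octets, 1, padn_len]) + b"\x00" * padn_len


def frag_header(next_header, offset_8octets, more):
    """Fragment header: offset in 8-octet units, M flag, constant identification."""
    return struct.pack("!BBHI", next_header, 0, (offset_8octets << 3) | more, 0x1234)


def ah_header(next_header, payload_len_words):
    """Authentication Header; total length is (payload_len_words + 2) * 4 bytes (RFC 4302)."""
    return bytes([next_header, payload_len_words, 0, 0]) + b"\x00" * (4 * (payload_len_words + 2) - 4)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp_header(sport, dport):
    """8-byte UDP header with no payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def classify(pkt, parse_depth=64):
    """
    Walk the extension-header chain to recover the upper-layer protocol and ports.
    parse_depth is an assumed, simplified model of a classifier that can only
    inspect the first N bytes of a packet; real hardware limits vary by platform.
    Returns (status, info); status is 'ok' or the reason classification failed.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not-ipv6", None
    nh, off = pkt[6], 40
    while True:
        if off + 4 > parse_depth:
            return "beyond-parse-depth", {"next_header": nh, "offset": off}
        if off + 4 > len(pkt):
            return "truncated", {"next_header": nh, "offset": off}
        if nh in (TCP, UDP):
            sport, dport = struct.unpack_from("!HH", pkt, off)
            return "ok", {"proto": nh, "sport": sport, "dport": dport}
        if nh in EXT_HEADERS_VARLEN:
            nh, ext_len = pkt[off], pkt[off + 1]
            off += 8 * (ext_len + 1)
        elif nh == IPV6_FRAG:
            if off + 8 > len(pkt):
                return "truncated", {"next_header": nh, "offset": off}
            inner, _, off_flags, _ = struct.unpack_from("!BBHI", pkt, off)
            if off_flags >> 3:
                # Non-first fragment: the transport header travelled in another packet.
                return "non-first-fragment", {"next_header": inner}
            nh, off = inner, off + 8
        elif nh == AH:
            nh, ah_len = pkt[off], pkt[off + 1]
            off += 4 * (ah_len + 2)
        else:
            # ESP, No Next Header, or an unrecognised header: ports are not visible.
            return "opaque-upper-layer", {"next_header": nh}


# Constructed sample packets, one per classification outcome.
SAMPLES = {
    "plain tcp": ipv6_packet(TCP, tcp_header(51000, 443)),
    "hbh + tcp": ipv6_packet(HOPOPT, options_header(TCP) + tcp_header(51000, 443)),
    "32-byte dstopts + dstopts + tcp": ipv6_packet(
        IPV6_OPTS, options_header(IPV6_OPTS, 3) + options_header(TCP) + tcp_header(51000, 443)),
    "first fragment + udp": ipv6_packet(IPV6_FRAG, frag_header(UDP, 0, 1) + udp_header(40000, 53)),
    "non-first fragment": ipv6_packet(IPV6_FRAG, frag_header(UDP, 185, 0) + b"\x00" * 16),
    "ah + tcp": ipv6_packet(AH, ah_header(TCP, 4) + tcp_header(51000, 443)),
    "esp": ipv6_packet(ESP, b"\x00" * 16),
}


def demo(parse_depth=64):
    """Classification status of every sample at the given inspection depth."""
    return {name: classify(pkt, parse_depth)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for depth in (64, 128):
        print(f"parse depth {depth} bytes:")
        for name, status in demo(depth).items():
            print(f"  {name:34s} {status}")
```

Running it with a 64-byte depth shows the two outcomes the thread is arguing about side by side: a single 8-byte HBH header still leaves the TCP ports within reach, while a 32-byte Destination Options header or a 24-byte AH pushes them past the budget and the packet becomes unclassifiable even though it is perfectly RFC 8200 compliant. Raising the depth to 128 recovers both; the non-first fragment and the ESP packet remain unclassifiable at any depth, since their ports are simply not in the packet. A border filter that drops "unclassifiable" therefore needs a separate, deliberate decision for each of these reasons rather than one catch-all rule.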