+1
> On Dec 5, 2018, at 11:26 AM, Christian Huitema <[email protected]> wrote: > > >> On 12/5/2018 10:08 AM, Gert Doering wrote: >>> On Wed, Dec 05, 2018 at 06:57:28PM +0100, Ole Troan wrote: >>> You are creating the ???perceived??? security problem yourself, by >>> requiring processing deeper into the packet than is required. >>> Just comply with RFC8200. As long as a router is not configured to process >>> any HBH options, it can ignore the header. >>> You seem to think HBH still means ???punt to software???. If it ever meant >>> that. >>> >>> There???s no need for rate-limiting for not processing HBH obviously. >> I *must* be able to look at the protocol field of packets coming in on >> our borders (see detailed description on our rate-limiting rules in >> another mail of today). If there are EHs in the way so our routers' >> hardware cannot decide if this is a TCP or UDP packet, these packets >> go down the drain. > Gert, I think that you are actually pointing at a significant issue with the > draft. > > The draft goes into an evaluation of "security issues", without actually > explaining some basic assumptions. For example, it is hard to believe that a > router forwarding too many packets of any kind will cause an issue for the > security *of that router*. But on the other hand there is a widely > distributed practice of network equipment attempting to provide differential > treatment of packets based on protocol types and port numbers. That practice > is not acknowledged in the RFC that specify IPv6. In fact, the IPv6 design > assumes that routers only look at the address and flow-id fields. This design > is actually a departure from IPv4, whose header format makes it easy to > skip over the option field and assess the "five tuple". > > The draft *implicitly* assumes that routers will try to find the protocol and > port numbers "because of security reasons", but never actually delineates > these reasons. I think the discussion would be much more productive if the > draft started by explaining why network managers believe that access to the > "five tuple" is essential for a variety of reasons, many of which are only > tangentially related to "security". At that point we can have a discussion > between protocol designers assuming that the network routers shall only look > at IPv6 addresses and that everything else is end-to-end on one side, and on > the other side network managers explaining why they need access to the > payload type and port numbers. > > My personal preferences on the subject are not very relevant, and I could > actually line up arguments for both sides of that debate. But I believe that > getting to a resolution there would be much better than arguing piecemeal > over this or that end-to-end option. > > -- Christian Huitema > > > > _______________________________________________ > Tsv-art mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tsv-art
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
