Thanks!

On Nov 21, 2013, at 8:54 AM, Carlos Pignataro (cpignata) <[email protected]> wrote:
> Closing the loop on this Gen-ART review.
>
> Thanks again Suresh for reviewing.
>
> Thumb typed by Carlos Pignataro.
> Excuze typofraphicak errows
>
> Begin forwarded message:
>
>> From: Suresh Krishnan <[email protected]>
>> Date: November 18, 2013 at 4:12:19 PM EST
>> To: "Carlos Pignataro (cpignata)" <[email protected]>, RJ Atkinson
>> <[email protected]>
>> Cc: Fernando Gont <[email protected]>
>> Subject: Re: Gen-ART Telechat review of
>> draft-ietf-opsec-ip-options-filtering-05.txt
>>
>> Hi Carlos/Ran,
>> This text looks good to me. Thanks for taking care of this quickly.
>>
>> Regards
>> Suresh
>>
>> On 11/18/2013 10:21 AM, Carlos Pignataro (cpignata) wrote:
>>> Looks good, thank you Ran. I will incorporate this in our live
>>> copy.
>>>
>>> Suresh, any concerns?
>>>
>>> Thanks,
>>>
>>> -- Carlos.
>>>
>>> On Nov 18, 2013, at 10:07 AM, RJ Atkinson <[email protected]>
>>> wrote:
>>>
>>>>
>>>> On 18 Nov 2013, at 09:41 , Carlos Pignataro (cpignata) wrote:
>>>>> Here's the complete proposal for the complete Section 4.12.5
>>>>> (and equivalent for 4.13.5).
>>>>>
>>>>> Does this work? Please let me know and I can incorporate:
>>>>
>>>> A lightly edited version follows -- edited mainly to reduce
>>>> redundant/ duplicative text and to retain phrasing "because the
>>>> IP packet contains this option" that was added in an earlier
>>>> round of review.
>>>>
>>>> ---
>>>> 4.12.5. Advice
>>>>
>>>> A given IP router, security gateway, or firewall has no way to
>>>> know a priori what environment it has been deployed into. Even
>>>> closed IP deployments generally use exactly the same commercial
>>>> routers, security gateways, and firewalls that are used in the
>>>> public Internet.
>>>>
>>>> Since operational problems result in environments where this
>>>> option is needed if either the option is dropped or IP packets
>>>> containing this option are dropped, but no harm results if the
>>>> option is carried in environments where it is not needed, the
>>>> default configuration SHOULD NOT (a) modify or remove this IP
>>>> option or (b) drop an IP packet because the IP packet contains
>>>> this option.
>>>>
>>>> A given IP router, security gateway, or firewall MAY be
>>>> configured to drop this option or to drop IP packets containing
>>>> this option in an environment known to not use this option.
>>>>
>>>> For auditing reasons, Routers, security gateways, and firewalls
>>>> SHOULD be capable of logging the numbers of packets containing
>>>> the BSO on a per-interface basis. Also, Routers, security
>>>> gateways, and firewalls SHOULD be capable of dropping packets
>>>> based on the BSO presence as well as the BSO values.
>>>> ---
>>>>
>>>> Similar text, edited to reflect "ESO" rather than "BSO", should
>>>> replace the existing advice about the IPSO ESO.
>>>>
>>>> Cheers,
>>>>
>>>> Ran
>>>>
>>>>
>>>
>>
_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
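
Added example, not part of the thread or of the draft: a sketch of the behaviour the proposed 4.12.5 text asks for, with per-interface counting of packets carrying the BSO/ESO, a default that never drops because of the option, and optional drops on BSO presence or value. It assumes the RFC 1108 option types (130 for BSO, 133 for ESO) and that the first BSO data octet is the classification level; `SecurityOptionFilter`, `sample_packet` and the interface names are hypothetical, and the packets are constructed.

```python
from collections import Counter

BSO, ESO = 130, 133  # assumption: RFC 1108 option types, not stated in the thread

def ip_options(packet: bytes):
    """Yield (type, data) per IPv4 header option; ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    i = 20
    while i < ihl:
        opt_type = packet[i]
        if opt_type == 0:            # End of Option List
            return
        if opt_type == 1:            # No Operation: single octet, no length
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        yield opt_type, packet[i + 2:i + length]
        i += length

class SecurityOptionFilter:
    """Hypothetical policy object; empty drop sets are the default (never drop)."""
    def __init__(self, drop_types=(), drop_bso_levels=()):
        self.drop_types = set(drop_types)            # drop on option presence
        self.drop_bso_levels = set(drop_bso_levels)  # drop on BSO value
        self.seen = Counter()                        # (interface, type) -> packets

    def handle(self, interface: str, packet: bytes) -> str:
        found = [(t, d) for t, d in ip_options(packet) if t in (BSO, ESO)]
        for t in {t for t, _ in found}:
            self.seen[(interface, t)] += 1           # packets, not option instances
        for t, d in found:
            if t in self.drop_types:
                return "drop"
            if t == BSO and d[:1] and d[0] in self.drop_bso_levels:
                return "drop"
        return "forward"

def sample_packet(options: bytes) -> bytes:
    """Constructed input: minimal IPv4 header (checksum 0) plus padded options."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return bytes([0x40 | ihl, 0, 0, 20 + len(options), 0, 0, 0, 0, 64, 17,
                  0, 0, 192, 0, 2, 1, 192, 0, 2, 2]) + options
```

Malformed option lists raise `ValueError` before anything is counted, so the caller decides separately how to treat packets it cannot parse.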
