On Thu, Mar 7, 2019 at 11:57 PM Joe Touch <[email protected]> wrote:
>
>
> On 3/7/2019 9:03 AM, Tom Herbert wrote:
> > 1) Allow IPv4 to carry IPv6 extension header numbers in the protocol
> > field, and process as IPv4 extension headers.
>
> I heard someone on another list argue strongly for fixed headers of the
> sort IPv4 already uses. ;-)
>
> > 2) Encapsulate extension headers and following transport packet in GUE/UDP
>
> Which, as I noted, undermines the useful work performed by firewalls.
>

Joe,

Then so does QUIC, TLS, IPsec and anything else that would obfuscate the data that firewalls might want to inspect. You seem to be convoluting firewalls and security, they are not the same thing. Firewalls are not required for security, real security comes in the application and end point processing. Consider that QUIC purposely encrypts as much of the transport layer as possible. Only the two endpoints of communication have the key. And when a QUIC end point receives a packet, it can decrypt and process the packet. Note that is _not_ the actions of a firewall at the endpoint, it is the action of an end host processing an end to end protocol and being compliant with the protocol specification.

> All so we can have routers process options - something they basically
> don't do anyway...(I don't know who's pushing otherwise in 6man, but
> this issue has been a big one for *many* years)

Take a look at 6man. There are efforts underway and there is starting to be deployment of extension headers (segment routing for instance).

Tom

>
> Joe
>
