On 3/8/2019 7:56 AM, Tom Herbert wrote:
> On Thu, Mar 7, 2019 at 11:57 PM Joe Touch <[email protected]> wrote:
>>
>> On 3/7/2019 9:03 AM, Tom Herbert wrote:
>>> 1) Allow IPv4 to carry IPv6 extension header numbers in the protocol
>>> field, and process as IPv4 extension headers.
>> I heard someone on another list argue strongly for fixed headers of the
>> sort IPv4 already uses. ;-)
>>
>>> 2) Encapsulate extension headers and following transport packet in GUE/UDP
>> Which, as I noted, undermines the useful work performed by firewalls.
>>
> Joe,
>
> Then so does QUIC, TLS, IPsec and anything else that would obfuscate
> the data that firewalls might want to inspect.

Of those, only IPsec hides application transport numbers. And your proposal - though not encrypted, it buries them far enough that firewalls won't go looking.

> You seem to be
> convoluting firewalls and security,

Security has 4 dimensions:

- privacy
- integrity
- authentication (identity)
- resource protection

Firewalls help with the 4th dimension. It's still called security and they're still very widely used (much more widely than any support likely to come of new IP EHs, I'll happily wager).

And I know there are some in 6man talking about deployment. There were those who started to deploy Active Nets in the 1990s too. Wouldn't they be just as effective for what you want? Oh, wait - they were fringe at best and disappeared. Curious why...

Joe

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
