On Thu, 14 Jun 2007 17:09:09 -0700, Thomas Narten <[EMAIL PROTECTED]>
wrote:
>> I'm slightly concerned that such advice flies in the face of
>> conventional advice given to those constructing firewall policy. It
>> is normal practice, I believe, for end-site firewall policy to be
>> deployed based on denying everything by default, and only permitting
>> those packets which are known to correspond to traffic which ought to
>> be permitted. I believe it is generally considered to be good advice
>> to block all "future technology" by default, and to permit it only
>> once the implications of doing so are well-known.
> 
> Understood. So maybe we should just go ahead and deprecate all routing
> headers now? Why bother complicating implementations, if in practice,
> no one will be able to enable/use such features because there is no
> way to get firewall configs updated?

I think the point is, we should strongly emphasize that blocking all RH
kills existing technology (e.g. Mobile IPv6 Correspondent Nodes) rather than
future technologies. Or better yet, that it kills both.

Two reasons against blocking RH are bound to convince more people than one.
And it is widely known that "future technology" frightens some firewall
operators (whether that's justified or not is not relevant in this case).

> We need to assume that other types of routing headers are "safe" to
> use, and make sure that any usage actually is safe.

Yes.

-- 
Rémi
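The policy point argued in this thread, as an added illustration that is not part of the original message or of any IETF specification: a firewall that matches on the Routing header *type* can keep its deny-by-default stance while still passing the type 2 header that Mobile IPv6 correspondent nodes use, and can enforce that such a header is well-formed (one address, Segments Left equal to 1) before accepting it. The policy table, the constructed addresses and packets, and the function names are assumptions chosen for this example.

```python
import struct

# IPv6 Next Header values used below.
NH_HOPOPT, NH_TCP, NH_ROUTING, NH_DSTOPT = 0, 6, 43, 60

# Hypothetical per-type policy (constructed for this example, not from the thread):
# permit only routing header type 2, which a Mobile IPv6 correspondent node uses to
# address a mobile node's home address; every other type, including the generic
# type 0 source route, is unknown to the policy and therefore denied by default.
RH_POLICY = {2: "accept"}
DEFAULT_RH_ACTION = "drop"

# Constructed documentation-prefix addresses (2001:db8::/32), not real hosts.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
HOA = bytes.fromhex("20010db8000000000000000000000003")  # mobile node home address


def parse_routing_header(pkt: bytes):
    """Walk the IPv6 extension header chain and return
    (rh_type, segments_left, hdr_ext_len) for the first Routing header,
    or None when the packet carries no Routing header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 fixed header")
    nh = pkt[6]          # Next Header field of the fixed header
    off = 40             # first extension header starts after the fixed header
    while nh in (NH_HOPOPT, NH_DSTOPT, NH_ROUTING):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == NH_ROUTING:
            # Routing header layout: Next Header, Hdr Ext Len, Routing Type, Segments Left
            return pkt[off + 2], pkt[off + 3], pkt[off + 1]
        # Hop-by-Hop / Destination Options: Hdr Ext Len is in 8-octet units,
        # not counting the first 8 octets.
        nh, ext_len = pkt[off], pkt[off + 1]
        off += 8 * (ext_len + 1)
    return None


def rh_decision(pkt: bytes) -> str:
    """Return the routing-header policy decision for one packet:
    'no-rh' (no Routing header, other rules decide), 'accept' or 'drop'."""
    rh = parse_routing_header(pkt)
    if rh is None:
        return "no-rh"
    rh_type, segments_left, ext_len = rh
    # "Make sure that any usage actually is safe": a type 2 header carries exactly
    # one 16-octet address (Hdr Ext Len 2) and Segments Left 1; anything else is
    # malformed and dropped even though type 2 is on the permit list.
    if rh_type == 2 and (ext_len != 2 or segments_left != 1):
        return "drop"
    return RH_POLICY.get(rh_type, DEFAULT_RH_ACTION)


def build_packet(rh_type=None, segments_left=1, addrs=(), payload=b"\x00" * 20):
    """Construct a minimal IPv6 packet (test input, not captured traffic) with an
    optional Routing header in front of a dummy TCP payload."""
    if rh_type is None:
        ext, first_nh = b"", NH_TCP
    else:
        body = b"".join(addrs)                       # 16 octets = 2 length units each
        ext = struct.pack("!BBBBI", NH_TCP, len(body) // 8, rh_type, segments_left, 0) + body
        first_nh = NH_ROUTING
    fixed = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), first_nh, 64) + SRC + DST
    return fixed + ext + payload


if __name__ == "__main__":
    print(rh_decision(build_packet()))                                   # no-rh
    print(rh_decision(build_packet(2, 1, (HOA,))))                       # accept
    print(rh_decision(build_packet(0, 2, (HOA, DST))))                   # drop
    print(rh_decision(build_packet(2, 2, (HOA, DST))))                   # drop (malformed type 2)
```

The same distinction is what a per-type match in a packet filter expresses; the point of the example is that "permit known-safe types and deny the rest" is still a default-deny policy, it just stops short of killing the Mobile IPv6 correspondent-node case the message above mentions.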


--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
