On Feb 3, 2011, at 23:08, Fernando Gont wrote:

> On 04/02/2011 03:53 a.m., Bhatia, Manav (Manav) wrote:
>> One of the major reasons given for not accepting this was that no new
>> extension headers need to be *ever* defined in future because you
>> MUST either use hop-by-hop ext header or the destination options ext
>> header.
>
> What type of options are you envisioning that would not fit in any of
> the existing extension headers? -- That was the main argument against
> the publication of the aforementioned I-D.
Once again, I will repeat that I-D.woodyatt-ald envisioned a profile of ICMPv6 messages that need to be processed by firewall devices. I would have preferred to specify a new class of header extension that is neither hop-by-hop nor destination oriented that would include a new Firewall Alert option. I suppose a HBH extension would suffice, but it would mean passing a lot of packets through the HBH path in routers that are not also firewalls. Another option would be to expect firewalls to snoop all the ICMPv6 traffic looking for ALD packets, but that would have negative performance effects as well. What to do, what to do, what to do...

In any case, there isn't currently a class of extension headers intended for processing only at some middleboxes and not all routers. I appreciate that IETF would like to keep the middleboxes from getting too uppity, but that goal is in conflict with IETF recommendations to implement security functions in packet filters integrated with routers, cf. RFC 6092. It would be helpful if more participants would bear this in mind, so that we don't have to keep having discussions in which we pretend that the conflict isn't happening when it clearly is an ongoing problem.

--
james woodyatt <[email protected]>
member of technical staff, communications engineering

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
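As an added illustration (not code from the thread or from the I-D), a small Python walker over an IPv6 extension-header chain. It shows the distinction the message turns on: a Hop-by-Hop Options header is examined at every node on the path, a Destination Options header only at the destination, and a firewall that wants the ICMPv6 message must walk the whole chain to reach it. The packet bytes, addresses and option contents are constructed for the example.

```python
import struct

HOP_BY_HOP, DEST_OPTS, ICMPV6 = 0, 60, 58
# Option-carrying headers with the common "next header / hdr ext len" layout.
OPTION_HEADERS = {HOP_BY_HOP: "Hop-by-Hop Options", DEST_OPTS: "Destination Options"}


def walk_ipv6_chain(pkt: bytes):
    """Walk the option-carrying extension headers after the fixed IPv6 header.

    Returns ([(header_name, who_must_process), ...], upper_layer_protocol).
    Stops at the first header type it does not know how to walk.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off, chain = pkt[6], 40, []
    while next_hdr in OPTION_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        nxt, hdr_ext_len = pkt[off], pkt[off + 1]
        length = (hdr_ext_len + 1) * 8          # length field excludes the first 8 octets
        if off + length > len(pkt):
            raise ValueError("truncated extension header")
        who = "every node on the path" if next_hdr == HOP_BY_HOP else "destination only"
        chain.append((OPTION_HEADERS[next_hdr], who))
        next_hdr, off = nxt, off + length
    return chain, next_hdr


def build_packet(ext_headers, upper_proto, upper_payload):
    """Constructed minimal IPv6 packet; ext_headers is a list of (proto, option_bytes)."""
    chain = [p for p, _ in ext_headers] + [upper_proto]
    body = b""
    for (proto, opts), nxt in zip(ext_headers, chain[1:]):
        total = 2 + len(opts)
        assert total % 8 == 0, "options must be padded to an 8-octet boundary"
        body += bytes([nxt, total // 8 - 1]) + opts
    body += upper_payload
    src = bytes.fromhex("20010db8000000000000000000000001")   # constructed 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")   # constructed 2001:db8::2
    fixed = struct.pack("!IHBB", 0x60000000, len(body), chain[0], 64) + src + dst
    return fixed + body


PADN = bytes([1, 4, 0, 0, 0, 0])                     # PadN option filling 6 octets
ECHO = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)   # ICMPv6 echo request, checksum left 0
HBH_PKT = build_packet([(HOP_BY_HOP, PADN)], ICMPV6, ECHO)
DST_PKT = build_packet([(DEST_OPTS, PADN)], ICMPV6, ECHO)

if __name__ == "__main__":
    for name, pkt in (("HBH", HBH_PKT), ("DstOpts", DST_PKT)):
        print(name, walk_ipv6_chain(pkt))
```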
