Hi, Ran,

On 12/20/2011 02:07 PM, RJ Atkinson wrote:
> MORE GENERALLY:
>
> We need to AVOID falling into the trap that things
> not explicitly allowed are always security
> vulnerabilities and lack legitimate reasons to exist.
> IPv6 is not "done" -- any useful deployed protocol
> will evolve over time.

FWIW, draft-gont-6man-ipv6-atomic-fragments avoids the security
implications while still allowing the use of the aforementioned packets.
Actually, one might even argue that trying to "reassemble" an atomic
packet with any other fragment is rather nonsensical...

> So it is not helpful to publish documents that
> advise firewall/middlebox/router vendors to filter out
> "unknown" behaviour or "curious" packet patterns or
> unrecognised options.
>
> For example, if a firewall doesn't recognise
> (e.g. due to lack of firewall firmware update)
> some new IPv6 option (e.g. carried in an IPv6
> Destination Header), the firewall ought NOT
> filter/drop packets with that new/unrecognised
> option.

While I understand your concern, from the firewall perspective things
generally are "whatever I have not explicitly allowed, is blocked".

There are understandable arguments both ways. From a networking point
of view, the aforementioned behaviour hurts protocol evolution and
extensibility. From a security point of view, you only allow what you
really need (i.e. "need to pass" basis ;-) ).

> We do NOT want to close the door on IPv6 (or IPv4
> or TCP or UDP or ...) evolution. Proscriptive and
> paranoid recommendations to implementers WILL and
> DO close the door on evolution -- and hence can be
> harmful to the Internet.

Just to clarify on this point, I don't think any of these 6man I-Ds
I've published last week fall into this category. In particular, the
fragmentation-related ones aim at mitigating security implications
without any impact on protocol evolution.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
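The receiver behaviour Fernando alludes to (an "atomic" fragment, i.e. a Fragment Header with offset 0 and M=0, is processed on its own instead of being merged into a reassembly queue that other fragments with the same Identification could poison) is shown below as an added example; it is not code from the thread or from the draft, and the `Reassembler`/`build_frag` names and the constructed packets are assumptions for illustration.

```python
import struct
from dataclasses import dataclass, field

NH_FRAGMENT = 44      # IPv6 Fragment Header
NH_NONE = 59          # "No Next Header"
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8

@dataclass
class Reassembler:
    """Hypothetical host receiver: atomic fragments bypass the reassembly queue."""
    queue: dict = field(default_factory=dict)     # (src, dst, id) -> [(offset, M, data)]
    delivered: list = field(default_factory=list) # payloads handed to upper layers

    def receive(self, pkt: bytes) -> str:
        # Fixed IPv6 header: version/TC/flow (4), payload len (2), next hdr (1), hop limit (1)
        _, _, nh, _ = struct.unpack("!IHBB", pkt[:8])
        src, dst = pkt[8:24], pkt[24:40]
        if nh != NH_FRAGMENT:
            self.delivered.append(pkt[IPV6_HDR_LEN:])
            return "delivered"
        # Fragment Header: next hdr (1), reserved (1), offset(13)|res(2)|M(1), identification (4)
        _, _, off_m, ident = struct.unpack("!BBHI", pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + FRAG_HDR_LEN])
        offset, more = off_m >> 3, off_m & 1
        data = pkt[IPV6_HDR_LEN + FRAG_HDR_LEN:]
        if offset == 0 and more == 0:
            # Atomic fragment: the whole packet is here, so it is processed in
            # isolation and never combined with queued fragments sharing its ID.
            self.delivered.append(data)
            return "atomic"
        self.queue.setdefault((src, dst, ident), []).append((offset, more, data))
        return "queued"

def build_packet(src: bytes, dst: bytes, nh: int, payload: bytes) -> bytes:
    """Constructed IPv6 packet with the given next header and payload (no checksums needed)."""
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + src + dst + payload

def build_frag(src, dst, ident, offset, more, data, nh=NH_NONE) -> bytes:
    """Constructed packet carrying a Fragment Header; offset is in 8-octet units."""
    frag = struct.pack("!BBHI", nh, 0, (offset << 3) | more, ident)
    return build_packet(src, dst, NH_FRAGMENT, frag + data)

if __name__ == "__main__":
    s, d = b"\x20\x01" + b"\x00" * 14, b"\x20\x01" + b"\x00" * 13 + b"\x01"
    r = Reassembler()
    print(r.receive(build_frag(s, d, 7, 0, 1, b"A" * 8)))  # first real fragment -> queued
    print(r.receive(build_frag(s, d, 7, 0, 0, b"atomic")))  # same ID, atomic -> delivered as-is
```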
