Ron,

>>> I am supporting this draft because the community has become
>>> accustomed to stateless firewalls on routers. These stateless firewalls
>>> are capable of filtering based upon information gleaned from both the
>>> IPv6 and L4 header.
>>
>> don't get me wrong, I'm also in support of this work. ;-) but if we go
>> down this slippery slope, where do we draw the line? I do know of
>> filtering routers that look at the L7 headers.
>> and I'm sure there are those that inspect the payload as well.
>> do we arbitrarily choose to stop at the L4 header?
>
> Clearly, we have to draw the line somewhere. I think that it is reasonable to
> stop at the L4 header.

agree.

>> as Karl pointed out, what do we do with the ESP header? do you define
>> which part of the ESP header must be included in the first
>> fragment? or does this mean that a packet with ESP MUST NOT be
>> fragmented?
>> are there other headers where what consists of the "entire ipv6 header
>> chain" is unclear?
>
> The document needs to make a special exception for encrypted payloads. In
> that case, the ESP header must begin on the first fragment, but need not end
> on the first fragment.
>
> Does this sound reasonable?

yes, I'll leave it to the ipsec experts to determine if there is a part of
the header that should be in the first fragment or not.

>>> When a stateless firewall encounters an IPv6 datagram in which the
>>> IPv6 header and L4 header don't appear in the first fragment, it can't
>>> make an informed filtering decision on any fragment. However, if there
>>> is a guarantee that the IPv6 header and the L4 header are in the first
>>> fragment, it can at least make an informed decision regarding that
>>> fragment.
>>>
>>> Would the draft be more acceptable if we stated this as the
>>> motivation and removed references to NAT64?
>>
>> yes, I think that would help.
>
> I will work with Fernando on this.

thanks!

cheers,
Ole

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
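The first-fragment check the thread is arguing about, as an added example that is not part of the original mail, the draft, or any firewall product: a stateless walk of the IPv6 header chain that reports whether every extension header and the L4 header lie inside the first fragment, with ESP handled as the exception discussed above (it must begin, but need not end, in the first fragment). The Next Header numbers are the standard IANA values, and the sample fragments are constructed here for illustration.

```python
import struct

# IANA Next Header numbers (standard values, not taken from the thread)
HBH, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DESTOPT = 0, 6, 17, 43, 44, 50, 51, 58, 60

def header_chain_in_first_fragment(pkt: bytes):
    """(ok, reason): do the whole extension-header chain and the L4 header lie in this fragment?
    ESP is the exception from the thread: it must begin here, but need not end here."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False, "not an IPv6 packet"
    nh, off = pkt[6], 40
    while True:
        if nh == ESP:
            return True, "ESP begins in this fragment"
        if nh in (HBH, ROUTING, DESTOPT, AH, FRAGMENT):
            if off + 8 > len(pkt):
                return False, f"extension header {nh} truncated"
            if nh == FRAGMENT:   # offset is the top 13 bits of octets 2-3
                if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                    return False, "not the first fragment"
            # Fragment: fixed 8; AH: 4-octet units + 2; HBH/RH/DO: 8-octet units + 1
            hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
            if off + hlen > len(pkt):
                return False, f"extension header {nh} truncated"
            nh, off = pkt[off], off + hlen   # first octet of each ext header is Next Header
        elif nh == TCP:   # 20 bytes minimum, more if Data Offset says so
            if off + 20 > len(pkt) or off + (pkt[off + 12] >> 4) * 4 > len(pkt):
                return False, "TCP header truncated"
            return True, "header chain and TCP header complete"
        elif nh in (UDP, ICMPV6):
            if off + 8 > len(pkt):
                return False, "L4 header truncated"
            return True, "header chain and L4 header complete"
        else:
            return False, f"unhandled next header {nh}"

def ipv6(payload: bytes, first_nh: int) -> bytes:
    """Constructed fixed IPv6 header (:: addresses, hop limit 64) followed by payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), first_nh,
                       64, bytes(16), bytes(16)) + payload

# Constructed first fragments: offset 0, M flag set, identification 1
FRAG_TO_TCP = struct.pack("!BBHI", TCP, 0, 0x0001, 1)
FRAG_TO_ESP = struct.pack("!BBHI", ESP, 0, 0x0001, 1)
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
GOOD = ipv6(FRAG_TO_TCP + TCP_SYN, FRAGMENT)           # whole chain in the fragment
TRUNCATED = ipv6(FRAG_TO_TCP + TCP_SYN[:8], FRAGMENT)  # TCP header split across fragments
ESP_FIRST = ipv6(FRAG_TO_ESP + struct.pack("!II", 0x1000, 1), FRAGMENT)
```

A filter built on this returns "truncated" for the split-header case, which is exactly the fragment the thread says a stateless device cannot make an informed decision about.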
