On 14/02/2013 21:15, Ray Hunter wrote:
> 
> Brian E Carpenter wrote:
>> https://datatracker.ietf.org/doc/draft-carpenter-6man-ext-transmit/
>>
>> There was some discussion of this draft when it came out, but nothing
>> that led to any specific changes. We should perhaps emphasise that
>> it's complementary to draft-ietf-6man-oversized-header-chain.
>>
>> I'd like to ask for opinions about taking this draft forward.
>>
>> I won't be in Orlando, but the other author (Sheng) will be.
>>
>> Regards
>>    Brian
>>
>>
> You can write what you like about firewalls needing to have an explicit
> policy configured (manually) before dropping any packets.

Ray, the IETF is supposed to make the Internet work better. So we should
write down requirements for that to happen.

> And this standard will then (quite rightly) be ignored by every single
> firewall manufacturer I know.

That parenthesis is a value judgement, but in any case, the idea of the
draft is to push implementors in the direction of parsing all well-defined
extensions, and of making policy control possible.

> If an extension proves itself safe, easily parse-able, and useful, it
> will be transported over the public Internet. If it doesn't, it will get
> dropped.

At the moment this is impossible. There is no place for firewall
implementors to find a master list of all well-defined extension headers
and no way for site IT managers to configure firewalls to block or allow
specific extension headers. So there is no way for a new extension
header to prove itself safe and viable. It's pure Catch 22.

Firewalls should be designed to make new extension headers subject
to user control, and the IETF should structure its designs, documents and
IANA registries to make life as easy as possible for both firewall
implementors and users.

That's what we need to fix. We can maybe state it more clearly in the draft;
thanks for pointing to the existing Catch 22.

    Brian
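An added illustration of the control Brian argues firewalls should expose, not code from the thread or from the draft: a firewall that walks the IPv6 extension header chain by IANA header number and applies an operator-configured per-header policy, with a separate default for header types the policy does not name. The header numbers come from the IANA protocol registry; the policy table, the build_packet helper and the sample packets are constructed for this example.

```python
import struct

# IANA protocol numbers; all but Fragment, AH and ESP use the generic Next Header / Hdr Ext Len layout
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6 = 135, 139, 140
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY, HIP, SHIM6}

def walk_chain(pkt):
    """Extension header types of a raw IPv6 packet, in order; stops at the first
    upper-layer header or at ESP (opaque payload); ValueError on a truncated chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS or nh == ESP:
        chain.append(nh)
        if nh == ESP:
            return chain
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        if nh == FRAGMENT:                 # fixed 8 octets
            hlen = 8
        elif nh == AH:                     # length in 4-octet units, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                              # length in 8-octet units, minus 1
            hlen = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
    if off > len(pkt):
        raise ValueError("truncated extension header chain")
    return chain

def firewall_verdict(pkt, policy, default="deny"):
    """'permit' or 'deny' under an explicit per-header-type policy; header types
    absent from `policy` get `default`, and an unparseable chain is always denied."""
    try:
        chain = walk_chain(pkt)
    except ValueError:
        return "deny"
    return "permit" if all(policy.get(h, default) == "permit" for h in chain) else "deny"

def build_packet(ext_types, upper=17):
    """Constructed sample: IPv6 header, minimal extension headers, 8-byte payload."""
    body = b""
    for i, t in enumerate(ext_types):
        nxt = ext_types[i + 1] if i + 1 < len(ext_types) else upper
        if t == AH:
            body += struct.pack("!BBHII", nxt, 2, 0, 0, 0) + b"\0" * 4   # 16 octets
        else:
            body += bytes([nxt, 0]) + b"\0" * 6                            # 8 octets
    body += b"\0" * 8
    return struct.pack("!IHBB", 6 << 28, len(body), (ext_types or [upper])[0], 64) + b"\0" * 32 + body
```

With default="deny" a header type the operator has not named can never cross the firewall, which is the Catch 22 described above; the same policy with default="permit" lets a new header through until the operator decides otherwise.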
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------