Well IMHO I think the requirements are precisely the other way around: extensions should be simple to parse, demonstrably not a security issue or likely to cause harm, and useful: not that firewalls should blindly pass everything thrown at them. Hop by hop has already been labelled potentially harmful in http://tools.ietf.org/html/draft-krishnan-ipv6-hopbyhop-05. The market is still deciding what headers are "good". Agreed. I'd support a draft with these goals, but let's keep it realistic. Providing a clear list of extensions in a repository, what their benefits are, and how they work, is a completely different matter to mandating behaviour of middleware boxes that is directly contradictory to current industry best-practice. Agreed. Extensions should also clearly have been designed with firewalls and other middleware boxes in mind. And new extensions should too. Firewall code and other middleware box code will always significantly lag IETF standards. I don't really see how the Uniform Format header structure defined in http://tools.ietf.org/html/rfc6564 truly addresses the firewall issue. If we were starting from scratch I'd prefer that unknown extensions should be easily "strippable", rather than having to drop the entire packet if they cannot be parsed, or still having to traverse the full chain without truly understanding the contents and then passing that unknown content into a secure zone. How you achieve that practically I don't really know. Thinking out loud, we could potentially define yet another new extension header that defines a fork in the header chain: next header field = following (optional) header extensions, plus length to reach the next header as per RFC6564; final header field (contained as header specific data within the new header) = top level protocol of the final header value e.g. TCP= 6, plus offset to reach the final payload header in either octets or 8-octet units. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len | Final Header | offset to | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | final header | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ That in itself of course will not be fully backwards compatible. But at least it would be a once-off action. And firewalls could strip out the optional headers, whilst easily locating and parsing payload data. regards, RayH
|
-------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
