On Mon, 14 Jul 2014, Brian E Carpenter wrote:
> Hi,
> (Excuse cross posting but I'm sure v6ops folk will have an opinion,
> and I'm not on opsec.)
Yes, at least I do. Thanks for bringing it to v6ops' attention. Weird
thing, I can't even find the original announcement in either my opsec or
my v6ops folder.
Oh, well. Feedback:
I find this document advocates dropping things way too much. It uses the
term "intermediate" devices. I would like this split up into two types of
devices, a "pure packet forwarding device" (=core router) and a "security
inspection device" (=device that might have ACLs or be a stateful
firewall).
I believe a core router which just forwards packets should not drop
packets because of options it can't handle very well. If it can't handle a
lot of hop-by-hop header packets, then don't inspect these hop-by-hop
header packets; just forward the packets without looking at them.
The thought of our core networks limiting what we can and can't do in the
future with IPv6 makes me a sad panda. I can understand devices that
enforce some kind of security dropping packets they don't understand, but
generally recommending blanket dropping of some packets in the core
because of potential edge problems just doesn't make sense to me.
--
Mikael Abrahamsson email: [email protected]
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec