Hi, Mikael,

Thanks so much for your feedback! Comments in-line...

On 07/14/2014 02:55 AM, Mikael Abrahamsson wrote:
>
> I find this document advocates dropping things way too much.

Actually, off the top of my head, the only EH that we were advocating dropping (from the standard set) is/was HBH (this is to be changed in the upcoming rev of the document).

> It uses the
> term "intermediate" devices. I would like this split up into two types
> of devices, a "pure packet forwarding device" (=core router), and a
> "security inspection device" (=device that might have ACLs or being a
> stateful firewall).

Me, I'd probably stick to intermediate device, or maybe "forwarding node" or "router". If you bring "firewalls" into the game, reality is that a firewall will typically be "default deny".

> I believe a core router which just forwards packets, should not drop
> packets because of options it can't handle very well. If it can't handle
> a lot of hop-by-hop header packets, then don't inspect these hop-by-hop
> header packets, just forward the packets without looking at them.

We're trying to provide advice to the same sort of devices that are dropping packets in draft-gont-v6ops-ipv6-ehs-in-real-world....

> The thought of our core networks limiting what we can and can't do in
> the future with IPv6, makes me a sad panda. I can understand devices
> that enforce some kind of security to drop packets they don't
> understand, but generally recommending blanket dropping of some packets
> in the core because of potential edge problems, that just doesn't make
> sense to me.

That's not what we're doing (modulo HBH, as noted above). Please let us know if there are specific portions of the document that you're objecting to or that you'd like to be clarified.

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
