On Mon, 13 Oct 2014, Ole Troan wrote:

shouldn't this be a draft authored by operators? giving operational 
recommendations coming out of... well, actual operations?

Well, another way of looking at this is that operators just want things to work 
as well as they can, so they need guidance from vendors and protocol designers.

Isn't this a BCOP style document? I believe at least one of the authors is 
active in one or more BCOP group.

the protocol designer's recommendation does appear pretty clear, RFC2460:

  "With one exception, extension headers are not examined or processed
  by any node along a packet's delivery path, until the packet reaches
  the node (or each of the set of nodes, in the case of multicast)
  identified in the Destination Address field of the IPv6 header."

my point is that I don't think the IETF should be making recommendations about 
how they should run their network, and certainly not make recommendations that 
are at odds with the functioning of the protocol.

You mean you don't want non-operators in the IETF to make recommendations?

The way I see it is that vendors are making equipment based on customer requirements. Since a lot of vendor equipment obviously inspects packets, including those with extension headers along the way (probably to do ACLs), then this equipment is already violating the functioning of the protocol (which of course is nothing new).

My opinion is that it's better to look at common implementation and document and give recommendations where this differs from the blueprints.

What I don't like is that if we follow along this path we're basically saying "extension headers don't work on the Internet" which has the implication that fewer will use them, meaning the vendors that don't follow the protocol designer's intention have little downside, and thus perpetuating the problem.

I don't know how to make it right though. I would like to see extension headers working well, but I also understand that people want to be able to do filtering.

--
Mikael Abrahamsson    email: [email protected]

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
