Hello, Ran, I realize that you had sent feedback on this topic before, but for some reason I had missed it -- my apologies for that!

Please find my comments in-line....

On 07/06/2018 03:43 PM, R. Atkinson wrote:
> Fernando,
>
> Regarding this draft, I have some feedback with respect to CALIPSO
> (in part because I am one of the co-authors of RFC-5570, which specifies
> CALIPSO).
>
> 1. Section 4.3.9 makes an incorrect assumption.
>
> Contrary to 4.3.9.5, an intermediate system (e.g., IP router) has no method
> to learn or know whether or not it is deployed in an MLS-enabled
> environment.
>
> An MLS-enabled IPv6 environment might well be using globally routable
> addresses, so the routing prefixes in use are not informative about the
> deployment type.
>
> Further, the majority of routers in an MLS-enabled environment are ordinary
> commercial off-the-shelf IP routers from the usual IP router vendors. Some
> routers and firewalls in such environments might have MLS-enhancements,
> but many more will NOT have MLS-enhancements. This is partly because
> the MLS-enabled label enforcement only is needed at enclave boundaries.
>
> Explicit configuration is the only method via which a particular deployed
> intermediate system can learn whether or not it is in an MLS-enabled
> network environment. This is sad, but also is reality.

Question: would you argue that this would warrant forwarding them at transit routers? (I ask because while the answer to this question would most likely be "yes" if within a domain, I bet at a transit router it would be better to drop the MLS traffic to avoid leaks?) -- please see the applicability statement in Section 2.2.

> SUGGESTED ADDITIONAL TEXT for 4.3.9.1:
>
> "Explicit configuration is the only method via which a particular deployed
> intermediate system can learn whether or not it is in an MLS-enabled
> network environment."

We will incorporate this. Thanks for suggesting text!

> 2. As a result, the advice in 4.3.9.5 is not good or correct. Incorrect
> assumption above leads to an incorrect conclusion about advice on option
> handling.
>
> My suggestion is to revise the advice in 4.3.9.5.
>
> PROPOSED REPLACEMENT TEXT for 4.3.9.5:
>
> "Intermediate systems that do not implement RFC-5570 SHOULD have
> a configuration option to EITHER (a) drop packets containing the
> CALIPSO option OR (b) to ignore the presence of the CALIPSO option
> and forward the packets normally."

A couple of questions here:

* What would you argue that the default value of this knob should be?

* In any case, I'd somehow rephrase the advice, since it implies a requirement for a CALIPSO-specific knob -- while we don't require any option-specific knob for any other option.

Thoughts?

Thanks!

Cheers,
-- 
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
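The knob proposed above for 4.3.9.5 (either drop packets carrying the CALIPSO option, or ignore it and forward normally) is straightforward to model. The following is an added example and not text or code from the draft, from RFC 5570, or from either participant in the thread: it walks the IPv6 Hop-by-Hop Options header, detects option type 0x07 (the CALIPSO option type assigned in RFC 5570), and applies an explicitly configured mode, reflecting the point that a router cannot infer from addresses whether it sits in an MLS-enabled network. The packet builder, the sample packets and the "drop"/"forward" mode names are constructed for illustration; the CALIPSO checksum is deliberately not verified, since that belongs to systems that actually implement RFC 5570.

```python
"""Configurable handling of the CALIPSO hop-by-hop option on an intermediate
system that does NOT implement RFC 5570.  Added example; the mode names,
packet builder and sample packets are constructed for illustration."""
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_HOP_BY_HOP = 0
NEXT_HEADER_NO_NEXT = 59
OPT_PAD1 = 0
OPT_PADN = 1
OPT_CALIPSO = 0x07  # option type assigned to CALIPSO in RFC 5570


def hop_by_hop_options(packet: bytes):
    """Yield (option_type, option_data) for each TLV in the Hop-by-Hop
    Options header, or nothing if the packet has no such header.  Truncated
    or malformed option lists stop the walk rather than raising."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return
    if packet[6] != NEXT_HEADER_HOP_BY_HOP:  # Next Header field of base header
        return
    ext = packet[IPV6_HDR_LEN:]
    if len(ext) < 2:
        return
    hdr_len = (ext[1] + 1) * 8  # Hdr Ext Len is in 8-octet units, excluding the first 8
    if len(ext) < hdr_len:
        return
    i = 2
    while i < hdr_len:
        opt_type = ext[i]
        if opt_type == OPT_PAD1:  # Pad1 has no length byte
            i += 1
            continue
        if i + 1 >= hdr_len:
            return  # option type without a length byte: truncated
        opt_len = ext[i + 1]
        if i + 2 + opt_len > hdr_len:
            return  # option data overruns the header
        yield opt_type, ext[i + 2:i + 2 + opt_len]
        i += 2 + opt_len


def has_calipso(packet: bytes) -> bool:
    """True if a CALIPSO option is present in the Hop-by-Hop header."""
    return any(t == OPT_CALIPSO for t, _ in hop_by_hop_options(packet))


def calipso_policy(packet: bytes, mode: str) -> str:
    """Apply the explicitly configured knob: mode is 'drop' (discard packets
    carrying CALIPSO) or 'forward' (ignore the option).  Returns the verdict.
    There is no auto-detection branch: the device cannot infer its deployment."""
    if mode not in ("drop", "forward"):
        raise ValueError("mode must be 'drop' or 'forward'")
    if mode == "drop" and has_calipso(packet):
        return "drop"
    return "forward"


def build_packet(options: bytes) -> bytes:
    """Constructed sample: a minimal IPv6 packet whose Hop-by-Hop header
    carries `options`, padded with PadN/Pad1 to an 8-octet boundary."""
    body = options
    need = (-(len(body) + 2)) % 8
    if need == 1:
        body += bytes([OPT_PAD1])
    elif need > 1:
        body += bytes([OPT_PADN, need - 2]) + bytes(need - 2)
    ext = bytes([NEXT_HEADER_NO_NEXT, (len(body) + 2) // 8 - 1]) + body
    base = struct.pack("!IHBB16s16s", 0x60000000, len(ext),
                       NEXT_HEADER_HOP_BY_HOP, 64, bytes(16), bytes(16))
    return base + ext


# Constructed CALIPSO option: DOI=1, compartment length 0, sensitivity level 3,
# checksum left as 0 (not verified here).  Length = 8 + 4 * cmpt_len = 8.
CALIPSO_PACKET = build_packet(bytes([OPT_CALIPSO, 8]) + struct.pack("!IBBH", 1, 0, 3, 0))
PADDING_ONLY_PACKET = build_packet(b"")  # Hop-by-Hop header with no real options
NO_HBH_PACKET = struct.pack("!IHBB16s16s", 0x60000000, 0,
                            NEXT_HEADER_NO_NEXT, 64, bytes(16), bytes(16))

if __name__ == "__main__":
    for name, pkt in (("calipso", CALIPSO_PACKET), ("padding", PADDING_ONLY_PACKET),
                      ("no-hbh", NO_HBH_PACKET)):
        print(name, has_calipso(pkt), calipso_policy(pkt, "drop"), calipso_policy(pkt, "forward"))
```

The mode is a plain configuration value with no default chosen here, which is exactly the open question in the thread; whichever default is picked, the parser is the same and only the verdict in `calipso_policy` changes.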
