> On Jul 6, 2018, at 12:24, Fernando Gont <[email protected]> wrote:
> It does. :-) (agreed on making the knob available)
>
> Regarding the advice, I'm wondering what would be the recommended advice
> for transit routers. I guess it would be "drop, unless it's an MLS
> network", with the operator applying this configuration (and hence
> knowing what's the context in which this device is operating)
Fernando,

I don't think "transit router true/false" is the variable that would determine whether to drop CALIPSO packets or not. Instead, it is "MLS enabled true/false" that would determine whether to drop.

I am open to word-smithing/editing, but here is some candidate revised replacement text for 4.3.9.5 based on today's email:

"Recommendations for handling the CALIPSO option depend on the deployment environment, rather than whether an intermediate system happens to be deployed as a transit device (e.g., IPv6 transit router)."

"Explicit configuration is the only method via which an intermediate system can know whether or not that particular intermediate system has been deployed within a Multi-Level Secure (MLS) environment. In many cases, ordinary commercial intermediate systems (e.g., IPv6 routers & firewalls) are the majority of the deployed intermediate systems inside an MLS network environment."

"For intermediate systems that DO NOT implement RFC-5570, there SHOULD be a configuration option to EITHER (a) drop packets containing the CALIPSO option OR (b) to ignore the presence of the CALIPSO option and forward the packets normally. In non-MLS environments, such intermediate systems SHOULD have this configuration option set to (a) above. In MLS environments, such intermediate systems SHOULD have this option set to (b) above. The default setting for this configuration option SHOULD be set to (a) above, because MLS environments are much less common than non-MLS environments."

"For intermediate systems that DO implement RFC-5570, there SHOULD be configuration options (a) and (b) from the preceding paragraph and also a third configuration option (c) to process packets containing a CALIPSO option as per RFC-5570. When deployed in non-MLS environments, such intermediate systems SHOULD have this configuration option set to (a) above. When deployed in MLS environments, such intermediate systems SHOULD have this set to (c). The default setting for this configuration option MAY be set to (a) above, because MLS environments are much less common than non-MLS environments."

Thanks very much.

Yours,

Ran

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
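The three-way knob proposed above ((a) drop, (b) ignore and forward, (c) process per RFC 5570), as an added example that is not part of this thread and is not the draft's, RFC 5570's or any vendor's code: a small Python Hop-by-Hop option walker that finds the CALIPSO option (option type 7, carried in the Hop-by-Hop Options header per RFC 5570) and applies the configured mode, defaulting to (a) as the proposed text recommends. The packets, the DOI value, the function names and the interface policy are all constructed for the example. Mode (c) is deliberately simplified: it verifies the option's checksum (computed here as this example reads RFC 5570 section 5.1.6, one's complement over the whole option with the checksum field zeroed), checks the DOI against a configured set and the sensitivity level against an interface range, and does not compare compartment bitmaps, which a real RFC 5570 implementation must also do.

```python
"""Hop-by-Hop option walker implementing the three-way CALIPSO knob (added example)."""
import struct
from enum import Enum

IPV6_NH_HOPOPT = 0          # Hop-by-Hop Options header
IPV6_NH_NONE = 59           # No Next Header
OPT_PAD1 = 0
OPT_PADN = 1
OPT_CALIPSO = 0x07          # CALIPSO option type, RFC 5570 section 5.1


class CalipsoMode(Enum):
    DROP = "a"      # drop any packet carrying the option
    IGNORE = "b"    # forward normally, option not inspected
    PROCESS = "c"   # parse and enforce (RFC 5570-aware system, simplified here)


def ones_complement_checksum(data):
    """16-bit one's complement checksum over an even-length byte string."""
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_calipso_option(doi, level, compartments):
    """Encode a CALIPSO option (type and length included) with a valid checksum."""
    if len(compartments) % 4:
        raise ValueError("compartment bitmap must be a multiple of 4 bytes")
    cmpt_len = len(compartments) // 4
    body = bytes([OPT_CALIPSO, 8 + 4 * cmpt_len])
    body += struct.pack("!IBBH", doi, cmpt_len, level, 0) + compartments
    ck = ones_complement_checksum(body)          # computed with the field zeroed
    return body[:8] + struct.pack("!H", ck) + body[10:]


def build_ipv6_packet(hbh_options=b""):
    """Minimal IPv6 packet; if options are given, wrap them in a padded HBH header."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # constructed addresses
    dst = bytes.fromhex("20010db8000000000000000000000002")
    if hbh_options:
        pad = (-(2 + len(hbh_options))) % 8                 # HBH length is a multiple of 8
        if pad == 1:
            hbh_options += bytes([OPT_PAD1])
        elif pad > 1:
            hbh_options += bytes([OPT_PADN, pad - 2]) + bytes(pad - 2)
        hbh = bytes([IPV6_NH_NONE, (2 + len(hbh_options)) // 8 - 1]) + hbh_options
        next_header = IPV6_NH_HOPOPT
    else:
        hbh, next_header = b"", IPV6_NH_NONE
    header = struct.pack("!IHBB", 0x60000000, len(hbh), next_header, 64) + src + dst
    return header + hbh


def parse_hbh_options(pkt):
    """Return [(type, data)] from the HBH header, [] if there is none; raise on damage."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if len(pkt) != 40 + payload_len:
        raise ValueError("payload length mismatch")
    if pkt[6] != IPV6_NH_HOPOPT:
        return []
    hbh_len = (pkt[41] + 1) * 8 if payload_len >= 2 else 0
    if payload_len < 2 or payload_len < hbh_len:
        raise ValueError("truncated HBH header")
    body, opts, i = pkt[42:40 + hbh_len], [], 0
    while i < len(body):
        opt_type = body[i]
        if opt_type == OPT_PAD1:
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("option header runs past HBH header")
        length = body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option data runs past HBH header")
        if opt_type != OPT_PADN:
            opts.append((opt_type, data))
        i += 2 + length
    return opts


def parse_calipso(data):
    """Decode CALIPSO option data (after type/length), verifying the checksum."""
    if len(data) < 8:
        raise ValueError("CALIPSO option too short")
    doi, cmpt_len, level, ck = struct.unpack("!IBBH", data[:8])
    compartments = data[8:]
    if len(compartments) != 4 * cmpt_len:
        raise ValueError("compartment length does not match option length")
    zeroed = bytes([OPT_CALIPSO, len(data)]) + data[:6] + b"\x00\x00" + compartments
    if ones_complement_checksum(zeroed) != ck:
        raise ValueError("CALIPSO checksum mismatch")
    return {"doi": doi, "level": level, "compartments": compartments}


def filter_packet(pkt, mode=CalipsoMode.DROP, known_dois=frozenset(), level_range=(0, 255)):
    """Apply the knob and return (verdict, reason). Default is mode (a), as proposed."""
    try:
        opts = parse_hbh_options(pkt)
    except ValueError as exc:
        return ("drop", f"malformed packet: {exc}")
    calipso = [d for t, d in opts if t == OPT_CALIPSO]
    if not calipso:
        return ("forward", "no CALIPSO option")
    if mode is CalipsoMode.DROP:
        return ("drop", "CALIPSO option present, mode (a)")
    if mode is CalipsoMode.IGNORE:
        return ("forward", "CALIPSO option ignored, mode (b)")
    try:                                   # mode (c): hypothetical interface policy
        label = parse_calipso(calipso[0])
    except ValueError as exc:
        return ("drop", f"bad CALIPSO option: {exc}")
    if label["doi"] not in known_dois:
        return ("drop", f"unknown DOI {label['doi']}")
    lo, hi = level_range
    if not lo <= label["level"] <= hi:
        return ("drop", f"level {label['level']} outside interface range")
    return ("forward", f"label accepted (DOI {label['doi']}, level {label['level']})")


# Constructed sample packets, not captured traffic.
PLAIN = build_ipv6_packet()
LABELED = build_ipv6_packet(build_calipso_option(doi=1, level=5, compartments=b"\x80\x00\x00\x00"))
CORRUPTED = LABELED[:-1] + bytes([LABELED[-1] ^ 0x01])   # one bitmap bit flipped, checksum stale

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("labeled", LABELED), ("corrupted", CORRUPTED)):
        for mode in CalipsoMode:
            print(name, mode.name, filter_packet(pkt, mode, known_dois={1}, level_range=(0, 10)))
```

The CORRUPTED packet is the case to keep in mind when choosing (b): a non-RFC-5570 box in mode (b) forwards a damaged label without noticing, while mode (c) drops it on the checksum, which is why the proposed text only recommends (b) for systems that cannot implement (c).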
