Hello, Ran,

Apologies for the delay in my response...

On 07/06/2018 07:57 PM, R. Atkinson wrote:
>
>
>> On Jul 6, 2018, at 12:24, Fernando Gont <[email protected]> wrote:
>> It does. :-) (agreed on making the knob available)
>>
>> Regarding the advice, I'm wondering what would be the recommended advice
>> for transit routers. I guess it would be "drop, unless it's an MLS
>> network", with the operator applying this configuration (and hence
>> knowing what's the context in which this device is operating)
>
> Fernando,
>
> I don't think "transit router true/false" is the variable that would determine
> whether to drop CALIPSO packets or not. Instead, it is "MLS enabled
> true/false" that would determine whether to drop.

Point taken.

(A side question, for my own personal interest: If you have an MLS
environment, wouldn't it be your bet that transit drops your packets --
i.e., they are *transit*)

> I am open to word-smithing/editing, but here is some candidate revised
> replacement text for 4.3.9.5 based on today's email:
>
> "Recommendations for handling the CALIPSO option depend on the
> deployment environment, rather than whether an intermediate system
> happens to be deployed as a transit device (e.g., IPv6 transit router)."
>
> "Explicit configuration is the only method via which an intermediate system
> can know whether or not that particular intermediate system has been
> deployed within a Multi-Level Secure (MLS) environment. In many cases,
> ordinary commercial intermediate systems (e.g., IPv6 routers & firewalls)
> are the majority of the deployed intermediate systems inside an MLS
> network environment."
>
> "For Intermediate systems that DO NOT implement RFC-5570, there
> SHOULD be a configuration option to EITHER (a) drop packets containing
> the CALIPSO option OR (b) to ignore the presence of the CALIPSO option
> and forward the packets normally. In non-MLS environments, such
> intermediate systems SHOULD have this configuration option set to (a)
> above. In MLS environments, such intermediate systems SHOULD
> have this option set to (b) above. The default setting for this configuration
> option SHOULD be set to (a) above, because MLS environments are much
> less common than non-MLS environments."
>
> "For Intermediate systems that DO implement RFC-5570, there SHOULD
> be configuration options (a) and (b) from the preceding paragraph and
> also a third configuration option (c) to process packets containing
> a CALIPSO option as per RFC-5570. When deployed in non-MLS
> environments, such intermediate systems SHOULD have this configuration
> option set to (a) above. When deployed in MLS environments, such
> intermediate systems SHOULD have this set to (c). The default setting
> for this configuration option MAY be set to (a) above, because MLS
> environments are much less common than non-MLS environments."

The text looks great, and I will incorporate it in the next rev. If any folks
have any objections, please do let us know.

Thanks so much, Ran!

Cheers,
--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
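The configuration knob described in the candidate text, as an added Python illustration that is not part of the thread, the draft, or any vendor's code: it selects the SHOULD setting from the operator's explicit MLS / RFC 5570 configuration and applies it to an IPv6 packet whose Hop-by-Hop header carries the CALIPSO option (option type 0x07 per RFC 5570). The `Device` fields, the decision strings and the constructed sample packets are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

CALIPSO_OPTION_TYPE = 0x07  # option type assigned by RFC 5570, section 5.1
IPV6_NH_HOP_BY_HOP = 0      # CALIPSO travels in the Hop-by-Hop Options header

@dataclass
class Device:
    """Hypothetical operator knobs: MLS membership is configured explicitly, never inferred."""
    implements_rfc5570: bool
    mls_environment: bool

def recommended_setting(dev: Device) -> str:
    """SHOULD setting from the candidate text: 'a' drop, 'b' ignore and forward, 'c' process."""
    if not dev.mls_environment:
        return "a"  # also the default: MLS environments are much less common
    return "c" if dev.implements_rfc5570 else "b"

def has_calipso_option(pkt: bytes) -> bool:
    """Walk the Hop-by-Hop option TLVs of an IPv6 packet and report a CALIPSO option."""
    if len(pkt) < 42 or pkt[0] >> 4 != 6 or pkt[6] != IPV6_NH_HOP_BY_HOP:
        return False
    hbh = pkt[40:]
    opts = hbh[2:(hbh[1] + 1) * 8]  # Hdr Ext Len counts 8-octet units beyond the first
    i = 0
    while i < len(opts):
        if opts[i] == 0:  # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            return False  # truncated TLV; a real device would drop the malformed packet
        if opts[i] == CALIPSO_OPTION_TYPE:
            return True
        i += 2 + opts[i + 1]  # skip type, length and option data
    return False

def forwarding_decision(setting: str, pkt: bytes) -> str:
    """Apply the configured knob; packets without the option are unaffected by it."""
    if not has_calipso_option(pkt):
        return "forward"
    return {"a": "drop", "b": "forward", "c": "process-rfc5570"}[setting]

def build_sample_packet(with_calipso: bool) -> bytes:
    """Constructed sample: IPv6 header (zeroed addresses) plus one Hop-by-Hop header, no payload."""
    if with_calipso:  # type 7, len 8: DOI 1, cmpt len 0, sens level 0, checksum 0; then PadN(2)
        opts = bytes([7, 8]) + struct.pack("!IBBH", 1, 0, 0, 0) + bytes([1, 2, 0, 0])
    else:
        opts = bytes([1, 4, 0, 0, 0, 0])  # PadN only, so the header is exactly 8 octets
    hbh = bytes([59, (2 + len(opts)) // 8 - 1]) + opts  # next header 59 = No Next Header
    return struct.pack("!IHBB", 6 << 28, len(hbh), IPV6_NH_HOP_BY_HOP, 64) + bytes(32) + hbh
```

Running `forwarding_decision(recommended_setting(dev), pkt)` for a non-MLS device yields "drop" only for packets that actually carry the option, which is the behaviour the (a) default is meant to give.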
