That's a good point, my mind just tends to go toward "where is a place I can learn more about X", and the easier that is to find, the happier I tend to be =) Even something that lays down examples and potentials would be really handy for folks wanting to learn more. Perhaps we should flesh it out in book6 instead. https://github.com/becarpenter/book6/blob/main/2.%20IPv6%20Basic%20Technology/Extension%20headers%20and%20options.md
nb

On Thu, May 18, 2023 at 9:53 AM [email protected] <[email protected]> wrote:

> Nick,
>
> > neither really have use cases
>
> I think a use cases document is a great idea! Although, IMHO one of the
> points of extension headers is that they can be used to extend the protocol
> for purposes which we cannot think of today!
>
> Thanks,
>
> Nalini Elkins
> CEO and Founder
> Inside Products, Inc.
> www.insidethestack.com
> (831) 659-8360
>
> On Thursday, May 18, 2023 at 07:49:50 AM PDT, Nick Buraglio <[email protected]> wrote:
>
> Is there any document that details the current operational best practices
> or explains the EH options and use cases in a succinct document? I didn't
> find one (although I did not look terribly hard). If not, that sounds like
> an opportunity to work through them and create one, perhaps?
> Nalini has a deep dive study here
> https://www.ietf.org/archive/id/draft-elkins-v6ops-eh-deepdive-fw-01.html
> and https://datatracker.ietf.org/doc/draft-elkins-v6ops-eh-deepdive-cdn/
> but I wasn't able to find a list with some use cases akin to the ND
> considerations draft here
> https://datatracker.ietf.org/doc/draft-ietf-v6ops-nd-considerations/
> RFC7045 has a decent, and RFC2460 explains what they are but neither
> really have use cases.
>
> nb
>
> On Thu, May 18, 2023 at 9:33 AM Tom Herbert <tom=[email protected]> wrote:
>
> On Thu, May 18, 2023 at 7:24 AM Andrew Campling <[email protected]> wrote:
> >
> > I wonder if part of the issue here is that insufficient attention is
> > being given to operational security matters and too much weight is given to
> > privacy in protocol development, irrespective of the security implications
> > (which is of course ultimately detrimental to security anyway)?
>
> Andrew,
>
> There is work being done to address the protocol "bugs" of extension
> headers. See 6man-hbh-processing and 6man-eh-limits for instance.
>
> Tom
>
> >
> > Andrew
> >
> >
> > From: OPSEC <[email protected]> on behalf of Fernando Gont <[email protected]>
> > Sent: Thursday, May 18, 2023 2:19 pm
> > To: David Farmer <[email protected]>; Tom Herbert <tom=[email protected]>
> > Cc: [email protected] <[email protected]>; V6 Ops List <[email protected]>; opsec WG <[email protected]>
> > Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
> >
> > Hi, David,
> >
> > On 18/5/23 02:14, David Farmer wrote:
> > >
> > > On Wed, May 17, 2023 at 13:57 Tom Herbert
> > > <[email protected]
> > > <mailto:[email protected]>> wrote:
> > [...]
> > >
> > > Maximum security is rarely the objective, I by no means have maximum
> > > security at my home. However, I don’t live in the country where some
> > > people still don’t even lock their doors. I live in a city, I have
> > > decent deadbolt locks and I use them.
> > >
> > [....]
> > >
> > > So, I’m not really happy with the all or nothing approach the two of you
> > > seem to be offering for IPv6 extension headers, is there something in
> > > between? If not, then maybe that is what we need to be working towards.
> >
> > FWIW, I'm not arguing for a blank "block all", but rather "just allow
> > the ones you really need" -- which is a no brainer. The list you need
> > is, maybe Frag and, say, IPsec at the global level? (from the pov of
> > most orgs).
> >
> > (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
> >
> > Thanks,
> > --
> > Fernando Gont
> > SI6 Networks
> > e-mail: [email protected]
> > PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
> >
> > _______________________________________________
> > OPSEC mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/opsec
>
> _______________________________________________
> v6ops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/v6ops
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
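
The allow-list approach from the quoted message ("just allow the ones you really need": Fragment and IPsec at the global level, Hop-by-Hop on the local link), as an added example that is not part of the original thread. The policy sets, the names `eh_verdict` and `build`, the `max_headers` limit and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# IANA protocol numbers of the IPv6 extension headers (135/139/140: Mobility, HIP, Shim6).
HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, 135, 139, 140}
# Assumed policy: Fragment and IPsec globally, Hop-by-Hop also on the local link (MLD).
GLOBAL_ALLOW = {FRAGMENT, ESP, AH}
LOCAL_ALLOW = GLOBAL_ALLOW | {HBH}
LINK_LOCAL_MCAST = ipaddress.ip_network("ff02::/16")

def eh_verdict(packet: bytes, max_headers: int = 8) -> tuple[str, str]:
    """Walk the extension header chain and return (verdict, reason)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop", "not a complete IPv6 header"
    dst = ipaddress.IPv6Address(packet[24:40])
    local = dst.is_link_local or dst in LINK_LOCAL_MCAST
    allowed = LOCAL_ALLOW if local else GLOBAL_ALLOW
    nh, off = packet[6], 40
    for _ in range(max_headers):
        if nh not in EXT_HEADERS:
            return "accept", f"upper-layer protocol {nh}"
        if nh not in allowed:
            return "drop", f"extension header {nh} not allowed"
        if nh == ESP:
            return "accept", "ESP, remainder is encrypted"
        if off + 8 > len(packet):
            return "drop", "truncated extension header"
        if nh == FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return "accept", "non-first fragment"
            size = 8                              # Fragment header is fixed size
        elif nh == AH:
            size = (packet[off + 1] + 2) * 4      # AH length counts 32-bit words
        else:
            size = (packet[off + 1] + 1) * 8      # other headers: 8-octet units
        nh, off = packet[off], off + size
    return "drop", "extension header chain too long"

def build(dst: str, first_nh: int, payload: bytes) -> bytes:
    """Constructed sample packet: fixed IPv6 header plus raw payload bytes."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64)
    return fixed + src + ipaddress.IPv6Address(dst).packed + payload

# Constructed samples: HbH carrying Router Alert then ICMPv6; first fragment then TCP.
HBH_RA = bytes([58, 0, 5, 2, 0, 0, 1, 0])
FRAG1 = bytes([6, 0, 0, 1, 0, 0, 0, 7])
if __name__ == "__main__":
    print(eh_verdict(build("2001:db8::2", HBH, HBH_RA)), eh_verdict(build("ff02::16", HBH, HBH_RA)))
```

The same Hop-by-Hop header is dropped toward a global destination and accepted toward `ff02::16`, which is the split the message describes.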
