XiPeng
Great suggestions & info on all counts.
This is why you are in charge! š
Regards to the default policy(s) for EHs. If we adopt the policy āOnly allow
the ones you really needā, I am concerned that most of us at Enterprises donāt
understand EHs enough to make that determination. So we may be better served
to understand the ones we DONāT need or that could have negative impact. I
am hopeful that an effective BCP, could perhaps accomplish both. That way if
an organization prefers implicit deny vs implicit allow, both could be
accomplished.
And good question about creating a new use case document or updating older
ones. In general, I would prefer to have as few separate docs as possible,
but it depends on what the gaps are. I would like hear from Nalini and others
on this.
Like Nick, I think Brianās book is great and am already suggesting it to
anyone that will listen.
And finally, the Worldwide IPv6 portal sounds good, if done and promoted
properly. It would be very helpful to have one entry point for those who do
not know where or how to start. Is ISOC responsible for itās structure and
content?
Once again, great thoughts.
Thanks!
Mike
From: Xipengxiao <xipengx...@huawei.com>
Sent: Thursday, May 18, 2023 1:03 PM
To: Ackermann, Michael <mackerm...@bcbsm.com>;
nalini.elk...@insidethestack.com; Tom Herbert
<tom=40herbertland....@dmarc.ietf.org>; Nick Buraglio
<burag...@forwardingplane.net>
Cc: Andrew Campling <andrew.campling@419.consulting>; Fernando Gont
<fg...@si6networks.com>; V6 Ops List <v6...@ietf.org>; 6...@ietf.org; opsec WG
<opsec@ietf.org>
Subject: RE: [IPv6] [v6ops] [OPSEC] Why folks are blocking IPv6 extension
headers? (Episode 1000 and counting) (Linux DoS)
[External email]
Hi Mike,
Yes, we have been trying to work towards an IPv6 BCP, via āside meetingā
discussions, āoperational presentationā case sharing, etc. The EH
recommendation can be part of it. But I suspect that this will boil down to
what Fernando already said: "just allow the ones you really need".
Another 2 things are discussed/requested in this thread:
* From Nalini: a āuse caseā document for EH: should we create a new
document, or just add use cases to 6man-eh-limits (or other existing documents)?
* From Nick: an IPv6 portal, "where is a place I can learn more about X (in
IPv6)"
* Nick recommended Brianās book
https://github.com/becarpenter/book6/blob/main/Contents.md. I think itās
possible. But putting too much content into Brianās book will delay its
publication, and possibly make it too big to read.
* An alternative is the ISOC IPv6 portal:
https://www.internetsociety.org/deploy360/ipv6/. This portal already links to
useful documents in RIPE, APNIC, etc. It can link to Brianās book and other
useful documents too. The documents there are dated in 2012-2015. ISOC has
agreed to work with us to update it. I think we can work together with ISOC to
make this the worldwide entry point for IPv6. What do you folks think?
Regards,
XiPeng
From: Ackermann, Michael <mackerm...@bcbsm.com<mailto:mackerm...@bcbsm.com>>
Sent: Thursday, May 18, 2023 5:23 PM
To: nalini.elk...@insidethestack.com<mailto:nalini.elk...@insidethestack.com>;
Tom Herbert
<tom=40herbertland....@dmarc.ietf.org<mailto:tom=40herbertland....@dmarc.ietf.org>>;
Nick Buraglio
<burag...@forwardingplane.net<mailto:burag...@forwardingplane.net>>; Xipengxiao
<xipengx...@huawei.com<mailto:xipengx...@huawei.com>>
Cc: Andrew Campling
<andrew.campling@419.consulting<mailto:andrew.campling@419.consulting>>;
Fernando Gont <fg...@si6networks.com<mailto:fg...@si6networks.com>>; V6 Ops
List <v6...@ietf.org<mailto:v6...@ietf.org>>;
6...@ietf.org<mailto:6...@ietf.org>; opsec WG
<opsec@ietf.org<mailto:opsec@ietf.org>>
Subject: RE: [IPv6] [v6ops] [OPSEC] Why folks are blocking IPv6 extension
headers? (Episode 1000 and counting) (Linux DoS)
This message was sent securely using ZixĀ®<http://www.zixcorp.com/get-started/>
+1
This would be very helpful for enterprises!
And for Xipeng,
Would not such a BCP be VERY consistent with the āSide Meetingā efforts of
V6OPS?
Thanks all
Mike
From: ipv6 <ipv6-boun...@ietf.org<mailto:ipv6-boun...@ietf.org>> On Behalf Of
nalini.elk...@insidethestack.com<mailto:nalini.elk...@insidethestack.com>
Sent: Thursday, May 18, 2023 10:53 AM
To: Tom Herbert
<tom=40herbertland....@dmarc.ietf.org<mailto:tom=40herbertland....@dmarc.ietf.org>>;
Nick Buraglio
<burag...@forwardingplane.net<mailto:burag...@forwardingplane.net>>
Cc: Andrew Campling
<andrew.campling@419.consulting<mailto:andrew.campling@419.consulting>>;
Fernando Gont <fg...@si6networks.com<mailto:fg...@si6networks.com>>; V6 Ops
List <v6...@ietf.org<mailto:v6...@ietf.org>>;
6...@ietf.org<mailto:6...@ietf.org>; opsec WG
<opsec@ietf.org<mailto:opsec@ietf.org>>
Subject: Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking IPv6 extension
headers? (Episode 1000 and counting) (Linux DoS)
[External email]
Nick,
> neither really have use cases
I think a use cases document is a great idea! Although, IMHO one of the points
of extension headers is that they can be used to extend the protocol for
purposes which we cannot think of today!
Thanks,
Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com<http://www.insidethestack.com>
(831) 659-8360
On Thursday, May 18, 2023 at 07:49:50 AM PDT, Nick Buraglio
<burag...@forwardingplane.net<mailto:burag...@forwardingplane.net>> wrote:
Is there any document that details the current operational best practices or
explains the EH options and use cases in a succinct document? I didn't find one
(although I did not look terribly hard). If not, that sounds like an
opportunity to work through them and create one, perhaps?
Nalani has a deep dive study here
https://www.ietf.org/archive/id/draft-elkins-v6ops-eh-deepdive-fw-01.html and
https://datatracker.ietf.org/doc/draft-elkins-v6ops-eh-deepdive-cdn/ but I
wasn't able to find a list with some use cases akin to the ND considerations
draft here https://datatracker.ietf.org/doc/draft-ietf-v6ops-nd-considerations/
RFC7045 has a decent, and RFC2460 explains what they are but neither really
have use cases.
nb
On Thu, May 18, 2023 at 9:33āÆAM Tom Herbert
<tom=40herbertland....@dmarc.ietf.org<mailto:40herbertland....@dmarc.ietf.org>>
wrote:
On Thu, May 18, 2023 at 7:24āÆAM Andrew Campling
<andrew.campling@419.consulting<mailto:andrew.campling@419.consulting>> wrote:
>
> I wonder if part of the issue here is that insufficient attention is being
> given to operational security matters and too much weight is given to privacy
> in protocol development, irrespective of the security implications (which is
> of course ultimately detrimental to security anyway)?
Andrew,
There is work being done to address the protocol "bugs" of extension
headers. See 6man-hbh-processing and 6man-eh-limits for instance.
Tom
>
> Andrew
>
>
> From: OPSEC <opsec-boun...@ietf.org<mailto:opsec-boun...@ietf.org>> on behalf
> of Fernando Gont <fg...@si6networks.com<mailto:fg...@si6networks.com>>
> Sent: Thursday, May 18, 2023 2:19 pm
> To: David Farmer <far...@umn.edu<mailto:far...@umn.edu>>; Tom Herbert
> <tom=40herbertland....@dmarc.ietf.org<mailto:40herbertland....@dmarc.ietf.org>>
> Cc: 6...@ietf.org<mailto:6...@ietf.org>
> <6...@ietf.org<mailto:6...@ietf.org>>; V6 Ops List
> <v6...@ietf.org<mailto:v6...@ietf.org>>; opsec WG
> <opsec@ietf.org<mailto:opsec@ietf.org>>
> Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers?
> (Episode 1000 and counting) (Linux DoS)
>
> Hi, David,
>
> On 18/5/23 02:14, David Farmer wrote:
> >
> >
> > On Wed, May 17, 2023 at 13:57 Tom Herbert
> > <tom=40herbertland....@dmarc.ietf.org<mailto:40herbertland....@dmarc.ietf.org>
> > <mailto:40herbertland....@dmarc.ietf.org<mailto:40herbertland....@dmarc.ietf.org>>>
> > wrote:
> [...]
> >
> > Maximum security is rarely the objective, I by no means have maximum
> > security at my home. However, I donāt live in the country where some
> > people still donāt even lock there doors. I live in a a city, I have
> > decent deadbolt locks and I use them.
> >
> [....]
> >
> > So, Iām not really happy with the all or nothing approach the two of you
> > seem to be offering for IPv6 extension headers, is there something in
> > between? If not, then maybe that is what we need to be working towards.
>
> FWIW, I[m not arguing for a blank "block all", but rather "just allow
> the ones you really need" -- which is a no brainer. The list you need
> is, maybe Frag and, say, IPsec at the global level? (from the pov of
> most orgs).
>
> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fg...@si6networks.com<mailto:fg...@si6networks.com>
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org<mailto:OPSEC@ietf.org>
> https://www.ietf.org/mailman/listinfo/opsec
_______________________________________________
v6ops mailing list
v6...@ietf.org<mailto:v6...@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops
_______________________________________________
v6ops mailing list
v6...@ietf.org<mailto:v6...@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops
The information contained in this communication is highly confidential and is
intended solely for the use of the individual(s) to whom this communication is
directed. If you are not the intended recipient, you are hereby notified that
any viewing, copying, disclosure or distribution of this information is
prohibited. Please notify the sender, by electronic mail or telephone, of any
unintended receipt and delete the original message without making any copies.
Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are
nonprofit corporations and independent licensees of the Blue Cross and Blue
Shield Association.
This message was secured by Zix<http://www.zixcorp.com>Ā®.
The information contained in this communication is highly confidential and is
intended solely for the use of the individual(s) to whom this communication is
directed. If you are not the intended recipient, you are hereby notified that
any viewing, copying, disclosure or distribution of this information is
prohibited. Please notify the sender, by electronic mail or telephone, of any
unintended receipt and delete the original message without making any copies.
Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are
nonprofit corporations and independent licensees of the Blue Cross and Blue
Shield Association.
This message was secured by Zix(R).
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
