Hi, Tom,

On 18/5/23 15:27, Tom Herbert wrote:
[....]

So, I’m not really happy with the all or nothing approach the two of you
seem to be offering for IPv6 extension headers, is there something in
between? If not, then maybe that is what we need to be working towards.

FWIW, I'm not arguing for a blank "block all", but rather "just allow
the ones you really need" -- which is a no brainer.

Fernando,

I'm not sure how that's a no brainer, who decides "the ones you really
need"?

Typically, whoever runs the destination AS or network. Or the transit AS, if the packets will affect the transit AS.
If everyone independently makes that decision then we wind up
with an Internet that can't evolve and is perpetually stuck in the
status quo.

Well, yes, there's no big brother making decisions about mine or your networks' policies.... hence everyone makes decisions independently.

(In a way that's why QUIC runs on top of UDP ... although in the case of QUIC, I bet it has more to do with NATs than with explicit firewalling)

The list you need
is, maybe Frag and, say, IPsec at the global level? (from the pov of
most orgs).

(yeah... HbH and the like are mostly fine for the local link (e.g. MLD).)

It might be productive if you suggested a more concrete direction
here. Maybe a proposed BCP suggesting the EHs that you believe should
be universally blocked and the rationalization for that and why the
problems with them can't be fixed.

Are you referring to the "transit AS" case, the "dest AS/network" case, or both?

In any case, my comment was simply a two-liner email comment, as opposed to full-fledged advice.

Thanks!

Regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
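The allow-list Fernando sketches above (Fragment and IPsec permitted globally, Hop-by-Hop only where it is needed on the local link, e.g. for MLD) can be made concrete as an extension-header chain walker with a policy check on top. The following is an added example, not code from this thread or from any IETF document: the policy it encodes is one reading of the two-liner, the header-length rules are those of RFC 8200 (Hop-by-Hop, Routing, Destination Options, Fragment) and RFC 4302 (AH), and the sample packets are constructed inline for illustration.

```python
import ipaddress
import struct

# IANA protocol numbers for the IPv6 extension headers and a few upper layers.
HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONXT, DSTOPTS = 0, 43, 44, 50, 51, 59, 60
MOBILITY, HIP, SHIM6 = 135, 139, 140
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY, HIP, SHIM6}

# Assumed policy (one reading of "just allow the ones you really need"):
# Fragment and IPsec (AH/ESP) pass everywhere; Hop-by-Hop passes only toward
# link-local-scope destinations (fe80::/10, ff02::/16, e.g. MLD); all other
# extension headers are dropped.
GLOBALLY_ALLOWED = frozenset({FRAGMENT, AH, ESP})


def ext_header_chain(pkt: bytes):
    """Return (extension headers in order, upper-layer protocol) for a raw IPv6 packet.

    The upper-layer protocol is None when the chain cannot be followed to its end:
    after ESP (the rest is encrypted) or when the packet is truncated.  For a
    non-first fragment the value is the Fragment header's Next Header, i.e. the
    protocol that the first fragment carries.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        chain.append(nxt)
        if nxt == ESP or off + 8 > len(pkt):
            return chain, None
        if nxt == FRAGMENT:
            hlen = 8                       # fixed size (RFC 8200, section 4.5)
        elif nxt == AH:
            hlen = (pkt[off + 1] + 2) * 4  # Payload Len: 32-bit words minus 2 (RFC 4302)
        else:
            hlen = (pkt[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units, first 8 excluded
        nxt = pkt[off]                     # Next Header is always the first octet
        off += hlen
    return chain, nxt


def link_local_scope(dst: ipaddress.IPv6Address) -> bool:
    """True for fe80::/10 and for multicast with scope value 2 (ff02::/16)."""
    return dst.is_link_local or (dst.is_multicast and (int(dst) >> 112) & 0xF == 2)


def filter_decision(pkt: bytes):
    """Apply the allow-list to one packet: ("accept", None) or ("drop", offending_eh)."""
    dst = ipaddress.IPv6Address(pkt[24:40])
    chain, _upper = ext_header_chain(pkt)
    for eh in chain:
        if eh in GLOBALLY_ALLOWED:
            continue
        if eh == HOPOPT and link_local_scope(dst):
            continue
        return "drop", eh
    return "accept", None


def build_ipv6(src: str, dst: str, exts, upper: int, payload: bytes = b"") -> bytes:
    """Constructed test packet.  `exts` is a list of (proto, fields) where `fields` is
    the extension header without its leading Next Header octet (ESP has none and is
    taken as-is); Next Header values are chained automatically and `upper` ends the chain."""
    protos = [p for p, _ in exts] + [upper]
    body = b""
    for i, (proto, fields) in enumerate(exts):
        body += fields if proto == ESP else bytes([protos[i + 1]]) + fields
    body += payload
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(body), protos[0], 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + body


# Constructed header bodies (everything after the Next Header octet).
HBH_PADN = bytes([0]) + b"\x01\x04\x00\x00\x00\x00"          # Hdr Ext Len 0, one PadN option
HBH_ROUTER_ALERT = bytes([0]) + b"\x05\x02\x00\x00\x01\x00"  # Router Alert (value 0 = MLD) + PadN
FRAG_FIRST = b"\x00" + struct.pack("!HI", 0, 0x12345678)     # reserved, offset 0 / M=0, identification
AH_SHA1_96 = bytes([4]) + b"\x00\x00" + struct.pack("!II", 0x100, 1) + b"\x00" * 12  # 24 octets total
RH0_EMPTY = bytes([0, 0, 0]) + b"\x00" * 4                   # Routing Type 0 (deprecated), no segments
ESP_STUB = struct.pack("!II", 0x200, 1) + b"\x00" * 8        # SPI, sequence number, opaque payload

GLOBAL_SRC, GLOBAL_DST = "2001:db8::1", "2001:db8::2"
PKT_FRAG = build_ipv6(GLOBAL_SRC, GLOBAL_DST, [(FRAGMENT, FRAG_FIRST)], UDP, b"\x00" * 8)
PKT_HBH_GLOBAL = build_ipv6(GLOBAL_SRC, GLOBAL_DST, [(HOPOPT, HBH_PADN)], TCP, b"\x00" * 20)
PKT_MLD = build_ipv6("fe80::1", "ff02::16", [(HOPOPT, HBH_ROUTER_ALERT)], ICMPV6, b"\x8f\x00" + b"\x00" * 6)
PKT_AH = build_ipv6(GLOBAL_SRC, GLOBAL_DST, [(AH, AH_SHA1_96)], TCP, b"\x00" * 20)
PKT_RH0 = build_ipv6(GLOBAL_SRC, GLOBAL_DST, [(ROUTING, RH0_EMPTY), (FRAGMENT, FRAG_FIRST)], UDP)
PKT_ESP = build_ipv6(GLOBAL_SRC, GLOBAL_DST, [(ESP, ESP_STUB)], NONXT)

if __name__ == "__main__":
    for name, pkt in [("frag", PKT_FRAG), ("hbh-global", PKT_HBH_GLOBAL), ("mld", PKT_MLD),
                      ("ah", PKT_AH), ("rh0+frag", PKT_RH0), ("esp", PKT_ESP)]:
        print(f"{name:10s} chain={ext_header_chain(pkt)} -> {filter_decision(pkt)}")
```

Note that the walker stops at ESP because nothing after it can be inspected, and that a transit filter sees only the first fragment's upper-layer header; a "dest AS/network" filter can additionally reassemble, which is one reason the two cases Fernando distinguishes end up with different practical allow-lists.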
