Hi, Brian,
On 21/5/23 22:28, Brian E Carpenter wrote:
[...]
I'm not sure how that's a no brainer, who decides "the ones you really
need"?
Typically, whoever runs the destination AS or network. Or the transit
AS, if the packets will affect the transit AS.
And there's the problem. The operator of a large network cannot possibly
know which extension headers every host on the network needs. It's
called permissionless innovation, and is supposed to be one of the main
success factors for the Internet.
If everyone independently makes that decision then we wind up
with an Internet that can't evolve and is perpetually stuck in the
status quo.
Well, yes, there's no big brother making decisions about mine or your
networks' policies.... hence everyone makes decisions independently.
FWIW, I was referring to filtering at the destination AS or network.
From the point of view of hosts, there is an anonymous Big Brother, the
moment that any upstream operator blocks a wanted extension header.
Well, that depends on the type of network. If we're referring to an
enterprise user, yes, by definition there's a Big Brother (security team).
If we're referring to e.g. a home user (ISP client), then I agree with
you. But then, there's RFC9098 -- where the ISP is not trying to protect
their user, but their own infrastructure.
(In a way that's why QUIC runs on top of UDP ... although in the case of
QUIC, I bet it has more to do with NATs than with explicit firewalling)
It's to do with *any* barrier to IP layer transparency. This is a very
basic tussle in the architecture.
That depends on what one means by "IP layer transparency". If you mean
the existence of e.g. filtering at layer 4+, well, that's probably long
gone (at least for e.g. enterprise and home networks).
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec