Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

ment is, IMO, a major change. I guess we must agree to disagree. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

current version of draft-ietf-6man-oversized-header-chain essentially bans packets such as thos in page 5 of <http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-07> Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8F

Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

maintenance, upkeep, and advancement of the IPv6 protocol specifications and addressing architecture. It is not chartered to develop major changes or additions to the IPv6 specifications. The working group will address protocol limitations/issues discovered during deployment and operation. Cheers, -- Fe

Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

period. FWIW, I don't think anyone has proposed "if the chain is larger than X, then drop". We're just aiming at limiting the header chain length, *not* encouraging router to drop when the header chain exceeds that length. Cheers, -- Fernando Gont SI6 Netwo

Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

drop v6 packets with extension headers by default. > just to be clear I'm not against the IETF documenting e.g. in a BCP, what the > longest expected header chain should be. Well, that seems more std track than bcp to me. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si

[Int-area] Discussion about header chains (was Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain))

rm; that is, no complaints yet ;) Probably because nobody uses such headers in practice ;-) Cheers, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 ___ Int-area m

Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

re going to get to their intended destination? Some random folks, for some reason, starts sending those packets. He's packets miserably die in the network. He comes to us, and we all say "oh yeah... they are being dropped.. we know that". And the folk asks us "why didn

Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

; > On the other hand - I, as an operator, may well decide to drop such > packets. Agreed. -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

On 06/13/2013 12:07 AM, Joe Touch wrote: > > On 6/12/2013 2:44 PM, Fernando Gont wrote: >>> just to be clear I'm not against the IETF documenting e.g. in a BCP, >>> what the longest expected header chain should be. >> >> Well, that seems more std track th

Re: [Int-area] [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

bytes, because otherwise interoperability will be affected". Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [6MAN] Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

n expect them to work. If we continue on the current path (do nothing), they will be effectively killed. (see Brian et al's I-D, Warren et al's I-D, etc.). Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB

Re: [Int-area] [v6ops] [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt

es: over 40% of packet drop rate for HBH, already. And quite a few folks (e.g. Google) drop all packets that contain IPv6 EHs. Thanks, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [v6ops] [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt

you want to allow everything withing your organization, or if you just don't care if your network melts down. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [OPSEC] [v6ops] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt

dividual -00 version. Nothing is set on stone. Even it I don't agree with all of them, the filtering > recommendations in this draft do seem to motivated by legitimate operational > concerns, not blanket paranoia. > > I think we should move further discussion back to OPSEC and V6OP

Re: [Int-area] [v6ops] [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt

the > standards process in the first place. All because you think that > anything you don't expect is an attack. It isn't. It just means you're > not prepared. We seem to be in disagreement. If anything, anything that I don't want is not an attack, but rathe

[Int-area] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)

ffman , Fernando Gont , Fernando Gont , Fred Baker , Fred Baker , Paul Hoffman A new version of I-D, draft-gont-opsawg-firewalls-analysis-00.txt has been successfully submitted by Fernando Gont and posted to the IETF repository. Name: draft-gont-opsawg-firewalls-analysis Revision

Re: [Int-area] [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)

privacy, bad for firewalls > as they are blind now and mostly useless Yes and no. If you mean TLS, it prevents DPI, but still allows for filtering based on port numbers... > - recommendation for NOT BLOCKING traffic over the Internet (except to >

Re: [Int-area] [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)

not appear to be new and have been mentioned > in other documents already. FWIW, the recommendations will be moved out into a separate document. Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 _

[Int-area] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt

-01.txt Date: Tue, 13 Oct 2015 06:45:30 -0700 From: internet-dra...@ietf.org To: Fred Baker , Fernando Gont A new version of I-D, draft-gont-opsawg-firewalls-analysis-01.txt has been successfully submitted by Fernando Gont and posted to the IETF repository. Name: draft-gont-opsawg

Re: [Int-area] [OPSAWG] [OPSEC] "On Firewalls in Internet Security" (Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-00.txt)

houghts? Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt

on needs for access > (More common than you might think). Yes. Or, at times, a user/app trying to circumvent unmanaged firewalls. -- Ironically, at times these protocols are referred to as "firewall friendly". Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [v6ops] Fwd: New Version Notification for draft-gont-opsawg-firewalls-analysis-01.txt

Ironically, at times these protocols are referred to as "firewall > friendly". > > [Rick] The scenario makes no sense other than a mismanaged company > frankly. You are essentially encouraging something against BCP. Even > beyond security you will make it difficult to t

Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

s more of a "fingers crossed" thing (if anything). I'm not saying that I'm happy with the outcome, but rather that I think that from an engenering point of view, it all looks like this ship has sailed, and we should probably figure out how to deal with those cases where fragmentatio

Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

On 07/27/2018 05:15 PM, Tom Herbert wrote: > On Fri, Jul 27, 2018 at 5:38 AM, Fernando Gont wrote: >> Hi, Joe, >> >> On 07/26/2018 04:14 AM, Joe Touch wrote: >>> Hi, all, [] >> >> Side coments: >> >> It would all seem that there are tw

Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

ook at RFC7872, t all looks like anything that is EHs is dropped to some extent (while not included in the RFC, I also mesured IPsec, and you get similar numbers). So besides the issues that are specific to fragmentation, anything that is EHs gets dropped here an there. -- and ding ECMP with t

Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

ed over UDP to be able to survive NATs and firewalls Yes, and one hand is not nice to have to account for all types of brokenness and filtering. OTOH, it would make any sense to enigneer a protocol that only works on paper. -- Fernando Gont e-mail: ferna...@gont.com.ar || f

Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom Herbert)

to make such assumption. Where you can't, you may have to do stateful firewalling. -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] I-D Action: draft-herbert-ipv4-udpencap-eh-00.txt

Haven't checked the I-D yet. Quick question: do you expect NATs parse past this EHs to be able to do NAPT as they do nowadays? Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 _

Re: [Int-area] Fwd: New Version Notification for draft-herbert-ipv4-udpencap-eh-00.txt

aders used with IPv4). Use of the fragment header with IPv4 is > compelling because it could address deficencies in IPv4 fragmentation > like the small ID field. It might also free up IPID to be used as an > IPv4 flow label (RFC6864 states IPID can be arbitrarily set for atomic > datagrams).

Re: [Int-area] New Version Notification for draft-herbert-ipv4-udpencap-eh-00.txt

functionality should be removed. + fwiw, i don't care that much about the outcome, as long as there's some level of convergence among specs, devices, and deployed reality Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6netw

Re: [Int-area] Alissa Cooper's Discuss on draft-ietf-intarea-frag-fragile-15: (with DISCUSS and COMMENT)

o be supported. The message here is "unless you really know what you are doing and you're in e.g. a controlled environment where fragmentation is known to be supported, you shouldn't rely on fragmentation". I wouldn't mind myself stronger advice, but this is what the wg s

Re: [Int-area] Alissa Cooper's Discuss on draft-ietf-intarea-frag-fragile-15: (with DISCUSS and COMMENT)

Tom, On 7/8/19 04:50, Tom Herbert wrote: > On Tue, Aug 6, 2019 at 6:17 PM Fernando Gont wrote: >> >> Hello, Alissa, >> >> Thanks for your comments! Inline... >> >> On 6/8/19 23:

Re: [Int-area] Alissa Cooper's Discuss on draft-ietf-intarea-frag-fragile-15: (with DISCUSS and COMMENT)

(and essentially IPv6 EHs, as per RFC7872). That is: can you reliably use them? --Not at all... expect when you run the network yourself. Thanks, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96

Re: [Int-area] Alissa Cooper's Discuss on draft-ietf-intarea-frag-fragile-15: (with DISCUSS and COMMENT)

Os for generating stuff that is not possible to implement in a meaningful way, vendors for claiming they support something when they do it in a very poorly way, or ops folks for solving their problems with what they have at hand (instead of e.g. to applying pain to vendors or SDOs, if at all p

Re: [Int-area] Alissa Cooper's Discuss on draft-ietf-intarea-frag-fragile-15: (with DISCUSS and COMMENT)

On 7/8/19 17:07, Joe Touch wrote: > > >> On Aug 7, 2019, at 7:01 AM, Fernando Gont > <mailto:ferna...@gont.com.ar>> wrote: >> >> On 7/8/19 16:30, Joe Touch wrote: >>> Things that don’t work aren’t always either deprecated or security >>&

Re: [Int-area] Warren Kumari's Yes on draft-ietf-intarea-frag-fragile-15: (with COMMENT)

he document we employ RFC2119 language to quote requirements from other RFCs, while in this specific case we use caps to stress that this is the advice we are giving out. FWIW, the advice hopefully triggers work for any protocols expected to work across the Internet, and that currently rely on

Re: [Int-area] Alissa Cooper's Discuss on draft-ietf-intarea-frag-fragile-15: (with DISCUSS and COMMENT)

gt; Alissa, >>>> >>>> Are you distinguishing between protocol development and application >>>> development? >>> >>> I’m specifically wondering about application protocols (as distinct from >>> other protocols) developed in the IETF (a

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

Pv6 the only guarantee is 1280. Therefore, in order to robustly support > the minimum IPv6 MTU tunnels MUST employ fragmentation. Isn't that an oxymoron? If fragmentation is fragile, if you need something robust, you need to rely on something else -- Fernando Gont SI6 Networks e-mail: f

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

On 3/9/19 18:39, Tom Herbert wrote: > > > On Tue, Sep 3, 2019, 8:31 AM Fernando Gont <mailto:fg...@si6networks.com>> wrote: > > On 3/9/19 17:33, Templin (US), Fred L wrote: > > Why was this section taken out: > >  > >> 1.1.  IP

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

On 3/9/19 18:41, Templin (US), Fred L wrote: > > >> -Original Message----- >> From: Fernando Gont [mailto:fg...@si6networks.com] >> Sent: Tuesday, September 03, 2019 7:50 AM >> To: Templin (US), Fred L ; Joe Touch >> ; Alissa Cooper >> Cc: Joel

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

roblem of widespread famine, and others. I don't think that logic has solved any real problems in the real world. -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

On 4/9/19 00:02, Templin (US), Fred L wrote: > Fernando, > >> -Original Message----- >> From: Fernando Gont [mailto:fg...@si6networks.com] >> Sent: Tuesday, September 03, 2019 1:49 PM >> To: Tom Herbert ; Bob Hinden >> Cc: Templin (US), Fred L ; int-ar

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

On 4/9/19 00:34, Tom Herbert wrote: > On Tue, Sep 3, 2019 at 1:49 PM Fernando Gont wrote: >> >> On 3/9/19 23:33, Tom Herbert wrote: >>> Bob, >>> [] >> "fragile" means that it fails in an uncceptably large number of cases. >> ~30 failur

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

ear. That seems pretty good to me. Which shows that implementers > have taken IP fragmentation seriously and put in the hard work necessary to > optimize the performance. Have you ever checked the number of CVEs related to fragmentation? -- Fernando Gont SI6 Networks e-mail: fg...@si6networ

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

On 4/9/19 16:46, Templin (US), Fred L wrote: > Hi Fernando, > >> -Original Message----- >> From: Fernando Gont [mailto:fg...@si6networks.com] >> Sent: Tuesday, September 03, 2019 2:45 PM >> To: Templin (US), Fred L ; Tom Herbert >> ; Bob Hinden >&

Re: [Int-area] Alissa Cooper's No Objection on draft-ietf-intarea-frag-fragile-16: (with COMMENT)

On 5/9/19 17:31, Tom Herbert wrote: > On Wed, Sep 4, 2019 at 5:34 PM Fernando Gont wrote: >> >> On 4/9/19 18:26, Templin (US), Fred L wrote: >>> Hi Ole, >>> >>>> -Original Message- >>>> From: Ole Troan [mailto:otr...@employees.org]

Re: [Int-area] Discussion about Section 6.1 in draft-ietf-intarea-frag-fragile

would claim this is hand-waving. FWIW, I don't remember seeing anything like this at the network layer. (One might guess that in theory you *could* get feedback from upper layers, but...) This kind of thing is easier at *higher* layers -- such as trying to do the 3WHS with the ECN bits set, and if y

Re: [Int-area] Discussion about Section 6.1 in draft-ietf-intarea-frag-fragile

idea that some set of layers > inflates the headers (e.g., with signatures or key exchanges) beyond the MTU > somewhere. This would seem to be incorrect. IP has a minimum MTU of 68 bytes, and IPv6 has a minimum MTU of 1280. Hence if you send packets smaller than or equal to the minimum MTU, th

Re: [Int-area] Existing use of IP protocol 114 (any 0-hop protocol)

use small or large hop limit, depending on whether you want to make sure that packets cannot be injected, or that packets cannot leak out. Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 __

[Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

Thoughts or advice on the technical and/or procedural aspects will be appreciated. Thanks! Cheers, Fernando ---- Forwarded Message Subject: Errata #5933 for RFC8200 Date: Thu, 27 Feb 2020 17:07:36 -0300 From: Fernando Gont To: Suresh Krishnan CC: 6...@ietf.org <6...@ietf.org> Suresh,

Re: [Int-area] [arch-d] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

x27;s not for lack of trying-- for instance I proposed a direction to try for an engineering compromise in draft-herbert-6man-eh-attrib-00, but saw little discussion on that. Tom On Thu, Feb 27, 2020 at 1:43 PM Fernando Gont wrote: Folks, If you haven't been following recent developments in

Re: [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

do better than simply rubber-stamping any hacks a vendor with big pockets may bring up. Otherwise, I don't see the point of all this big structure. For instance, we have an "Internet Architecture Board", which I guess have a say on things that affect architecture? Thanks, -- Fern

Re: [Int-area] [arch-d] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

lated at will *within the same organization that published the specs*. As noted by Jinmei here <https://mailarchive.ietf.org/arch/msg/spring/XZ_D_cfPNNzXpi4_ZbuTidMTo4k/> , I believe not only are we just rubber-stamping stuff, but also I believe that our processes are being circumven

Re: [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

something they actually sent. EH removal breaks that. -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.o

Re: [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

are en-route to their intended destination, etc. Thanks, Fernando On 27/2/20 20:21, Joe Touch wrote: EH isn't a HBH option or extension. Joe On 2020-02-27 15:06, Fernando Gont wrote: On 27/2/20 19:52, Joe Touch wrote: FWIW - there are separable issues here: - whether an IP heade

Re: [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

hitecture and principles that we're developing specs within? Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [arch-d] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

omething that won't have a single bit of coherence, virtually impossible to digest by anybody else other by than a limited group of people that just happens to know how everyone violates each others specs. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint:

Re: [Int-area] [arch-d] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

like: "When there's stuff at stake, only big vendors get to play, with their own rules". I'll refer to Jinmei's email, which esentially conveys the same message <https://mailarchive.ietf.org/arch/msg/spring/hmmgQygE0qIhOrt4Ii_1ANDQgHM/> Thanks, -- Fernando Gont SI

Re: [Int-area] [arch-d] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

On 27/2/20 23:18, Phillip Hallam-Baker wrote: On Thu, Feb 27, 2020 at 8:52 PM Fernando Gont <mailto:fg...@si6networks.com>> wrote: On 27/2/20 20:58, Robert Raszuk wrote: > [...] > > We need to ask ourselves what is more important ... quality of dat

Re: [Int-area] [arch-d] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

- nobody knows what to expect, because one document says one thing, and another says another thing. There's a reason for which we have the "Update" and "Obsolete" tags in RFCs... -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63

Re: [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

ep trying to push similar ideas in other documents. -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 ___ Int-area mailing list Int-area@ietf.org https://www.ietf

Re: [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

On 29/2/20 23:19, Joseph Touch wrote: On Feb 29, 2020, at 5:46 PM, Fernando Gont <mailto:ferna...@gont.com.ar>> wrote: I did look at the protocols involved here; the ingress does add headers but doesn’t appear to handle fragmentation. That’s a non-starter if you want your p

Re: [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

low the insertion/removal of extension header while the packets are en-route to the final destination. I wished this conversation could go back to a honest one. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7

Re: [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

ocument. I'm glad that there are more eyes now looking at what's going on. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ___ Int-area mailing lis

Re: [Int-area] PSP and a logical application of RFC8200

7;t. If it is, RFC8200 should have an explanation of how PMTUD and error reporting works. And it doesn't have one. In that light, I'm curious how folks can state that eh insertion/removal is allowed. Thanks, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com P

Re: [Int-area] [v6ops] Still need to know what has changed.... Re: IPv10 draft (was Re: FW: v6ops - New Meeting Session Request for IETF 109 - IPv10)

(> 1M customers) DNS resolver in Germany in July. More than 2/3 of all DNS traffic from that resolver to the Internet was over IPv6, less than 1/3 over IPv4. At least for DNS, IPv6 is doing pretty good. Modulo fragmentation? ;-) Thanks, -- Fernando Gont e-mail: ferna...@gont.com.

[Int-area] Fwd: IPv6 addressing: Gaps? (draft-gont-v6ops-ipv6-addressing-considerations)

-considerations) Date: Fri, 12 Feb 2021 18:50:48 -0300 From: Fernando Gont To: IPv6 Operations Folks, In the aforementioned document (https://tools.ietf.org/html/draft-gont-v6ops-ipv6-addressing-considerations), we have tried to do at least three things: 1) Look at what we have and try to discuss

Re: [Int-area] WGLC: draft-ietf-behave-nat-icmp-09

" Does REQ-6 really apply here? (ICMP PTBs are not query/response messages) Kind regards, -- Fernando Gont e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED] PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 ___ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area

Re: [Int-area] [BEHAVE] WGLC: draft-ietf-behave-nat-icmp-09

t they be deprecated as > with the > information request/response? [suresh] I believe, It is not in the scope of this document to deprecate ICMP messages or their use outside of NATs. For this reason, the requirement for Address mask request/Reply support for

[Int-area] Some feedback on draft-touch-intarea-ipv4-unique-id

e) Nits Section 6.3 > o >> The IP ID MUST NOT be reused when sending a copy of an earlier > non-ATOMIC packet S/ATOMIC/atomic/ ? > RFC 1122 also suggests that fragments can overlap [RFC1122]. Such > overlap can occur if successive retransmissions use differe

Re: [Int-area] Some feedback on draft-touch-intarea-ipv4-unique-id

ug may be horrible, but if the mod introduces interoperability problems, that's not good, either. -- not that it makes me happy. >> Section 10: >> >>>>> During the transition period, a small ID space SHOULD be used to >>> assist with debugging and detecti

Re: [Int-area] Some feedback on draft-touch-intarea-ipv4-unique-id

ufficiently documented in an RFC. As a result, we're treating it as an > error and silently dropping it. We're following the Postel Principle > here - the data is unexpected, but since it could be non-malicious we're > not treating it as such. I don't follow.

Re: [Int-area] Some feedback on draft-touch-intarea-ipv4-unique-id

It's about what you accept. And this scheme is less liberal than the one specified in RFC 791. (I'm not judgding the technical merits of your proposal... I'm just arguing that IMO it does not follow Postel's Principle) > IMO, reassembling them in ways that create undetectab

Re: [Int-area] introducing a new IPv4 option [was RE: [BEHAVE] Revealing identity of TCP client connection when sharing IPv4 address]

expect that it will be *replaced* in 5 years or so with something else, I'd argue "Why not?". There are estimates of 15-20 more years of living with IPv4, so Thanks, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@acm.org PGP Fingerprint: 7809 84F5 3

Re: [Int-area] IP-capable nodes must support IPv6 - new draft-george-ipv6-required

> in the world. End-to-end transparency in the sense that every node will be reachable from every node? -- IMHO, forget about it (see slide 13 of: http://www.gont.com.ar/talks/lacnog2010/fgont-lacnog2010-ipv6-security.pdf) Thanks, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@acm.org PGP

Re: [Int-area] IP-capable nodes must support IPv6 - new draft-george-ipv6-required

P-capable devices". > Such devices are important when a cluster of devices is intended to act > as a single device on the Internet, and a NAT can be an effective way to > implement that front-end. ... and don't forget about "renumbering". Thanks, -- Fernando

Re: [Int-area] End-to-end "address transparency"

t), needs to have state for that "incoming connection". -- In general, there won't be such state, *or* the firewall would need to be smart enough to understand the application protocol to create such state before it's needed (so, again, forget about the "dumb network"). Th

Re: [Int-area] [v6ops] End-to-end "address transparency"

> > UDP encapsulation of IPsec is a work around, specifically to get around > the problems of lack of IPv4 address transparency i.e. NAT. It isn't an > acceptable answer when NAT doesn't need to exist. You're assuming that the only motivation to have NATs is address e

Re: [Int-area] New draft about formally obsoleting some historic IPv4 options

Hi, Lars, On 06/12/2012 04:36 AM, Eggert, Lars wrote: > Hi, > > shouldn't we at the same time also be making the RFCs that originally > registered these option numbers Historic? You're absolutely right. The next rev will do this. Cheers, -- Fernando Gont e-mail: fern