On 13-Jun-2007, at 10:42, Thomas Narten wrote:

    Firewall policy intended to protect against packets containing RH0
    must be constructed such that routing headers of other types
    are not filtered by default.  Doing so will break other uses of
    the routing headers such as the Routing Header Type 2 used by
    Mobile IPv6 [RFC3775] and future
    functionality designed using other routing header types.

Could be even stronger. How about:

     It must be understood that blocking all traffic with any RH
     (rather than restricting blockage only to type 0) has very
     serious implications for the deployment of future
     technology. Quite simply, if even a small percentage of deployed
     firewalls block other types of routing headers by default, it
     will become impossible to deploy technologies using a routing
     header. MIPv6 [RFCxxx] relies on a type 2 RH. If even a small
     fraction of firewalls block MIPv6 traffic, MIPv6 will become
     undeployable in practice.

     Consequently, firewall policy intended to protect against packets
     containing RH0 MUST NOT simply filter all traffic with a routing
     header; it must be possible to disable forwarding of type 0
     traffic without blocking other types of routing headers. In
     addition, the default configuration MUST be to permit forwarding
     of traffic using a RH other than 0.

I'm slightly concerned that such advice flies in the face of conventional advice given to those constructing firewall policy. It is normal practice, I believe, for end-site firewall policy to be deployed based on denying everything by default, and only permitting those packets which are known to correspond to traffic which ought to be permitted. I believe it is generally considered to be good advice to block all "future technology" by default, and to permit it only once the implications of doing so are well-known.

Outside end-sites, in the core, dropping packets based on the presence of any type of routing header is clearly a bad idea.

If we want the advice in this section to be taken seriously, do we need to distinguish between firewall policy in end-sites and packet filters that might be added to core/ISP networks as a mitigation of the specific problems associated with RH0?


Joe

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
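As an added illustration (not code from the thread or any firewall product), the following Python filter walks an IPv6 extension-header chain and applies exactly the policy under discussion: Routing Header type 0 is always dropped, while other types (such as the MIPv6 type 2 header) follow a switch that models either the permit-by-default text proposed above or an end-site default-deny stance. The packet builder, its documentation-prefix addresses and the header layouts it emits are constructed test inputs.

```python
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def find_routing_header(pkt: bytes):
    """Walk the extension-header chain; return (routing_type, segments_left)
    of the first Routing Header, or None if the packet carries none."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], IPV6_HDR_LEN
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            return pkt[off + 2], pkt[off + 3]
        # Fragment header is fixed at 8 octets; the others carry a length
        # field counted in 8-octet units, not including the first 8 octets.
        hdr_len = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    return None

def rh_policy(pkt: bytes, permit_other_rh: bool = True) -> str:
    """Return 'drop' or 'permit'. Type 0 is always dropped. Other types follow
    permit_other_rh: True models the permit-by-default text proposed in the
    thread (needed for MIPv6 type 2), False models end-site default-deny."""
    rh = find_routing_header(pkt)
    if rh is None:
        return "permit"
    rh_type, _segments_left = rh
    if rh_type == 0:
        return "drop"
    return "permit" if permit_other_rh else "drop"

def build_packet(rh_type=None, hop_by_hop=False) -> bytes:
    """Constructed sample input: minimal IPv6 header (2001:db8:: addresses),
    optional Hop-by-Hop header, optional Routing Header, empty payload."""
    chain, first_nxt = [], NO_NEXT
    if rh_type is not None:  # next=59, ext len 0, type, segments left 0, reserved
        chain.append(bytes([NO_NEXT, 0, rh_type, 0, 0, 0, 0, 0]))
        first_nxt = ROUTING
    if hop_by_hop:  # next, ext len 0, PadN option (type 1, len 4) + 4 zero octets
        chain.insert(0, bytes([first_nxt, 0, 1, 4, 0, 0, 0, 0]))
        first_nxt = HOP_BY_HOP
    body = b"".join(chain)
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    return struct.pack("!IHBB", 6 << 28, len(body), first_nxt, 64) + src + dst + body
```

On Linux the same selectivity is available natively, e.g. `ip6tables -A FORWARD -m rt --rt-type 0 -j DROP`, which matches type 0 only and leaves other routing header types alone.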
