>-----Original Message-----
>From: james woodyatt [mailto:[EMAIL PROTECTED]
>Sent: Thursday, June 14, 2007 21:53
>To: IETF IPv6 Mailing List
>Subject: Re: draft-ietf-ipv6-deprecate-rh0-01-candidate-01
>
>On Jun 14, 2007, at 18:27, Thomas Narten wrote:
>>
>> I understand that the default security policy/config is "just say no".
>>
>> But if we accept that, in this case, then I think the implication
>> really is we might as well toss out the routing header entirely.
>> [...]
>
>We already did accept that as the Best Current Practice for residential
>IPv6 gateways, cf. the discussion in the V6OPS working group over what
>eventually went on to become RFC 4864, and which led to the formation of
>the V6CPE Design Team mailing list where I am editing a draft that will
>elaborate on the recommendation for the default security policy/config
>in residential IPv6 gateways that it essentially should be "just say
>no."
>
>I'm not sure I see a good argument for tossing out the routing header
>entirely.  At the moment, our draft recommends only blocking RH0.  It
>does not recommend blocking all routing headers.  Those participants
>with reasonable arguments for recommending that all routing headers be
>blocked should present them.


For clarification - let's say we have a device that can filter based on the
presence of a routing header, but cannot be more granular and filter based
on what type of routing header it is.
        Is the recommendation to "fail closed" - block all RHs, including
Type2, thus breaking Route Optimization?
        Or should we "fail open" - permit them, including potentially
malicious Type0s?

I know that to date my recommendation has been to fail closed, block them
all if you can't be more specific ... 



/TJ
(Yes - I agree, the "right" answer is to upgrade to something that can be
more granular ... but work with me for a moment :) )


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
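
The trade-off raised in the message above, as an added example that is not part of the original thread: a filter that can read the Routing Type field drops only Type 0, while a filter that can only detect the presence of a routing header must either drop Type 2 as well or let Type 0 through. The policy names, function names and sample packets are constructed for illustration.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59

def routing_header_types(packet):
    """Walk the extension-header chain; return the Routing Type of each routing header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, found = packet[6], 40, []
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            found.append(packet[offset + 2])       # Routing Type field
        if next_hdr == FRAGMENT:
            length = 8                             # fragment header has a fixed size
            frag_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_offset:                        # non-first fragment: chain ends here
                break
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len: 8-octet units past the first
        next_hdr, offset = packet[offset], offset + length
    return found

def verdict(packet, policy):
    """Hypothetical policy names: 'granular', 'fail_closed', 'fail_open'."""
    types = routing_header_types(packet)
    if not types:
        return "accept"
    if policy == "granular":        # device can read the Routing Type
        return "drop" if 0 in types else "accept"
    if policy == "fail_closed":     # presence-only match, block every RH
        return "drop"
    if policy == "fail_open":       # presence-only match, permit every RH
        return "accept"
    raise ValueError("unknown policy")

def build(routing_type=None):
    """Constructed sample packet: IPv6 header plus an optional 24-byte routing header."""
    rh = b"" if routing_type is None else bytes([NO_NEXT, 2, routing_type, 1]) + bytes(20)
    first = NO_NEXT if routing_type is None else ROUTING
    return struct.pack("!IHBB", 6 << 28, len(rh), first, 64) + bytes(32) + rh

if __name__ == "__main__":
    for label, pkt in (("RH0", build(0)), ("RH2", build(2)), ("no RH", build())):
        print(label, {p: verdict(pkt, p) for p in ("granular", "fail_closed", "fail_open")})
```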
