>-----Original Message----- >From: james woodyatt [mailto:[EMAIL PROTECTED] >Sent: Thursday, June 14, 2007 21:53 >To: IETF IPv6 Mailing List >Subject: Re: draft-ietf-ipv6-deprecate-rh0-01-candidate-01 > >On Jun 14, 2007, at 18:27, Thomas Narten wrote: >> >> I understand that the default security policy/config is "just say no". >> >> But if we accept that, in this case, then I think the implication >> really is we might as well toss out the routing header entirely. >> [...] > >We already did accept that as the Best Current Practice for residential >IPv6 gateways, c.f. the discussion in the V6OPS working group over what >eventually went on to become RFC 4864, and which led to the formation of >the V6CPE Design Team mailing list where I am editing a draft that will >elaborate on the recommendation for the default security policy/config >in residential IPv6 gateways that it essentially should be "just say >no." > >I'm not sure I see a good argument for tossing out the routing header >entirely. At the moment, our draft recommends only blocking RH0. It >does not recommend blocking all routing headers. Those participants >with reasonable arguments for recommending that all routing headers be >blocked should present them.
For clarification - let's say we have a device that can filter based on the presence of a routing header, but cannot be more granular and filter based on what type of routing header it is. Is the recommendation be to "fail closed" - block all RHs, including Type2, thus breaking Route Optimization? Or should we "fail open" - permit them, including potentially malicious Type0s? I know that to date my recommendation has been to fail closed, block them all if you can't be more specific ... /TJ (Yes - I agree, the "right" answer is to upgrade to something that can be more granular ... but work with me for a moment :) ) -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------