Hi Fernando,

Please see response inline.

> -----Original Message-----
> From: Fernando Gont [mailto:fernando.gont.netbook....@gmail.com] On Behalf Of Fernando Gont
> Sent: Monday, January 03, 2011 4:43 PM
> To: Brian E Carpenter
> Cc: Thomas Narten; ipv6@ietf.org; Suresh Krishnan
> Subject: Re: I-D Action:draft-ietf-6man-exthdr-01.txt
>
> On 03/01/2011 06:25 p.m., Brian E Carpenter wrote:
> > The basic motivation for the present draft is clear:
> >
> >> However,
> >> some intermediate nodes such as firewalls, may need to look at the
> >> transport layer header fields in order to make a decision to allow or
> >> deny the packet.
> >
> > That is, help middleboxes to violate e2e transparency and,
> > furthermore, allow unknown headers to cross those middleboxes.
>
> I don't think this I-D will make a difference.
>
> From the POV of a firewall, unless it really wants a packet to pass-through, it will block it.
>
> So, whether the Extension Header is unknown, or whether draft-ietf-6man-exthdr-01.txt is implemented and the Specific type is unknown will lead to the same result: the packet will be discarded.
>
> This proposal would only be useful to firewalls that implement a "default allow", and that simply want to somehow ignore an unknown extension header and base their decision on the upper-layer protocol (only). -- But we all know that firewalls operate (or should operate) in "default deny" rather than "default allow".
>
> So IMHO this proposal won't be useful for such firewalls.
Yes. You are correct. This proposal will not be useful for such firewalls. On the other hand, http://tools.ietf.org/html/draft-ietf-v6ops-cpe-simple-security-16 allows a class of firewalls that can put application transparency over strict filtering (see REC-11). In such a case, differentiating an unknown transport layer protocol from an unknown extension header would be useful. Whether or not such a firewall would exist in the wild is an interesting question, but I do not see how to answer that conclusively.

Thanks
Suresh

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
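An added illustration of the two positions in this exchange (not code from the thread or from draft-ietf-6man-exthdr): a walker over the IPv6 extension-header chain using the Next Header / Hdr Ext Len layout, with a default-deny policy and a transparency-first policy applied to constructed packets. Protocol numbers are IANA assignments; protocol 253 (the experimentation value) stands in for a Next Header value the filter does not recognise.

```python
# Added example, not code from the thread or the draft. Packets are constructed.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
# Headers laid out as Next Header (1 octet), Hdr Ext Len (1 octet, in 8-octet
# units not counting the first 8 octets), then header-specific data.
UNIFORM_EXT_HEADERS = {HOP_BY_HOP, ROUTING, DEST_OPTS}
KNOWN_TRANSPORTS = {6: "tcp", 17: "udp", 58: "icmpv6"}


def walk_chain(first_next_header, payload):
    """Return (kind, protocol, offset). kind is "transport", "unknown" (a
    Next Header value the filter does not recognise; the chain alone does not
    say whether it is an extension header or an upper-layer protocol) or
    "malformed" (the chain runs past the end of the packet)."""
    nh, off = first_next_header, 0
    while True:
        if nh in KNOWN_TRANSPORTS or nh == NO_NEXT_HEADER:
            return "transport", nh, off
        if nh == FRAGMENT:              # fixed 8-octet header, no length field
            hdr_len = 8
        elif nh in UNIFORM_EXT_HEADERS:
            if off + 2 > len(payload):
                return "malformed", nh, off
            hdr_len = (payload[off + 1] + 1) * 8
        else:
            return "unknown", nh, off
        if off + hdr_len > len(payload):
            return "malformed", nh, off
        nh, off = payload[off], off + hdr_len


def default_deny(kind, proto):
    """Fernando's case: only explicitly allowed transports pass."""
    return "allow" if kind == "transport" and proto in KNOWN_TRANSPORTS else "drop"


def transparency_first(kind, proto):
    """Suresh's REC-11 class: forward anything not provably malformed."""
    return "drop" if kind == "malformed" else "allow"


def filter_packet(policy, first_next_header, payload):
    kind, proto, _ = walk_chain(first_next_header, payload)
    return policy(kind, proto)


# Constructed IPv6 payloads (everything after the fixed 40-octet header).
PADN6 = bytes([1, 4, 0, 0, 0, 0])                            # PadN filling 6 octets
DSTOPT_THEN_TCP = bytes([6, 0]) + PADN6 + bytes(20)           # DestOpts -> TCP
FRAG_THEN_UDP = bytes([17, 0, 0, 0, 0, 0, 0, 1]) + bytes(8)   # Fragment -> UDP
DSTOPT_THEN_EXPERIMENTAL = bytes([253, 0]) + PADN6 + bytes(8)  # DestOpts -> 253
TRUNCATED = bytes([6, 2]) + PADN6                             # claims 24 octets, has 8
```

Under default deny the unrecognised value is dropped whether it is an unknown extension header or an unknown transport; only the transparency-first policy forwards it, which is where telling the two apart would matter.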