On 17/02/2013 11:37, Bob Hinden wrote:
> Just to focus on one area at the moment:
>
>>> If an extension proves itself safe, easily parse-able, and useful, it
>>> will be transported over the public Internet. If it doesn't, it will get
>>> dropped.
>> At the moment this is impossible. There is no place for firewall
>> implementors to find a master list of all well-defined extension headers
>> and no way for site IT managers to configure firewalls to block or allow
>> specific extension headers. So there is no way for a new extension
>> header to prove itself safe and viable. It's pure Catch 22.
>
> My personal view is that it is very useful to have a single IANA registry
> that lists all IPv6 extension headers. I would like to think I am fairly
> knowledgable about IPv6, and it's hard for me to find them all. This is a
> win independent of what policy we recommend that firewall/middlebox/etc.
> vendors support. Let's not loose that.
Indeed. That is one of the two proposals in the draft.
The other proposal is to specify what firewalls should do to make extension
headers deployable (subject to site policy). I think this is complementary to
the oversized-header-chain draft, which is necessary to remove some cases
that are unreasonable for any firewall to handle.
Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
