>>> Some tricky and potentially malicious cases will be avoided by forbidding 
>>> very long chains of extension headers that need to be
>>> fragmented [I-D.ietf-6man-oversized-header-chain].
> 
> I wonder if this is the place to define "very long"?

>> I guess those two words can be deleted - the issue is only that the header 
>> chain gets fragmented at all. The full discussion is in the cited draft, of 
>> course.


I know the draft that you have cited and they do not define "long" either.  
There has been quite a bit of discussion about what "long" means and IMHO 
somewhere, someone needs to take some kind of reasonable stand. 


>> The IETF hasn't done much about firewalls at all. This search produces far 
>> more expired drafts than anything else:
>> 
>> https://datatracker.ietf.org/doc/search/?name=firewalls&rfcs=on&activeDrafts=on&oldDrafts=on&search_submit=

The reason I asked is because I think defining RFCs or rules for firewalls is a 
really good thing to do but if the vendors are not in the habit of having to be 
compliant, then why would they pay attention to this draft that we are 
discussing?  I actually think maybe an RFC which explicitly talks about 
firewalls is probably a good thing to do.  Now, getting vendors to comply...
 
Thanks,


Nalini Elkins
Inside Products, Inc.
(831) 659-8360
www.insidethestack.com



________________________________
 From: Brian E Carpenter <brian.e.carpen...@gmail.com>
To: Nalini Elkins <nalini.elk...@insidethestack.com> 
Cc: 6man <ipv6@ietf.org> 
Sent: Wednesday, June 5, 2013 9:47 PM
Subject: Re: draft-ietf-6man-ext-transmit-01
 

On 06/06/2013 16:23, Nalini Elkins wrote:
> Brian,
> 
> Two questions:
> 
> First:
> 
>>> Some tricky and potentially malicious cases will be
>>> avoided by forbidding
>>> very long chains of extension headers that need to be
>>> fragmented [I-D.ietf-6man-oversized-header-chain].
> 
> I wonder if this is the place to define "very long"?

I guess those two words can be deleted - the issue is only that
the header chain gets fragmented at all. The full discussion is
in the cited draft, of course.

> 
> Second:
> 
> Are there other RFCs which have rules for what "middle boxes"
> will do?   I am not referring to translation techniques such
> as SIIT, etc. which is implemented in some load balancers. I
> guess I am wondering more about if there is a precedent for
> regulating what packets firewalls will and will not forward.

The IETF hasn't done much about firewalls at all. This search
produces far more expired drafts than anything else:
https://datatracker.ietf.org/doc/search/?name=firewalls&rfcs=on&activeDrafts=on&oldDrafts=on&search_submit=

   Brian

> 
> BTW, thanks so much for doing this!
> 
> 
> Thanks,
> 
> 
> Nalini Elkins
> Inside Products, Inc.
> (831) 659-8360
> www.insidethestack.com
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
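Added example, not part of this thread or of either draft: the check a firewall would have to perform to enforce the rule the thread settles on ("the issue is only that the header chain gets fragmented at all"). It walks the IPv6 header chain of a first fragment and reports whether the chain, up to the upper-layer header, is entirely inside that fragment; `should_forward` turns that into the drop/pass decision for first fragments. The requirement that at least 8 bytes of the upper-layer header be present is a simplification assumed by this example, not text from either draft, and all sample packets are constructed here rather than captured.

```python
"""Added example (not from the thread): a first-fragment header-chain check of
the kind a firewall needs to enforce "the header chain must not be fragmented
at all".  The sample packets below are constructed, not captured."""
import struct

IPV6_HDR_LEN = 40
HOPBYHOP, ROUTING, FRAGMENT, ESP, AH, DESTOPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6, NO_NEXT_HEADER, TCP = 135, 139, 140, 59, 6
# Extension headers laid out as: Next Header, Hdr Ext Len (8-octet units, first 8 excluded), ...
GENERIC_EXT = {HOPBYHOP, ROUTING, DESTOPTS, MOBILITY, HIP, SHIM6}
UPPER_LAYER_MIN = 8  # assumption of this example: 8 bytes of the upper-layer header must be present


def walk_header_chain(pkt: bytes) -> dict:
    """Walk the header chain of one IPv6 packet or fragment and report whether
    the whole chain, up to the upper-layer header, lies inside this fragment."""
    r = {"first_fragment": True, "fragmented": False, "chain_complete": False,
         "headers": [], "upper": None, "reason": ""}
    if len(pkt) < IPV6_HDR_LEN or (pkt[0] >> 4) != 6:
        r["reason"] = "not an IPv6 packet"
        return r
    payload_len = struct.unpack_from("!H", pkt, 4)[0]
    end = min(len(pkt), IPV6_HDR_LEN + payload_len)   # never trust Payload Length past the buffer
    nh, offset = pkt[6], IPV6_HDR_LEN
    while True:
        if nh == FRAGMENT:
            if offset + 8 > end:
                r["reason"] = "Fragment header truncated"
                return r
            nxt, _res, frag_field, _ident = struct.unpack_from("!BBHI", pkt, offset)
            if (frag_field >> 3) != 0:
                # Non-first fragment: it carries no header chain, so there is nothing to check here.
                r.update(first_fragment=False, fragmented=True, reason="non-first fragment")
                return r
            r["fragmented"] = bool(frag_field & 1)     # M flag; offset 0 with M=0 is an atomic fragment
            hlen = 8
        elif nh == AH:
            if offset + 2 > end:
                r["reason"] = "AH truncated"
                return r
            nxt, hlen = pkt[offset], (pkt[offset + 1] + 2) * 4   # AH length: 4-octet units minus 2
        elif nh in GENERIC_EXT:
            if offset + 2 > end:
                r["reason"] = f"extension header {nh} truncated"
                return r
            nxt, hlen = pkt[offset], (pkt[offset + 1] + 1) * 8
        else:
            # ESP (opaque from here on), No Next Header, or a real upper-layer header: the chain ends.
            r["upper"] = nh
            if nh != NO_NEXT_HEADER and offset + UPPER_LAYER_MIN > end:
                r["reason"] = f"upper-layer header {nh} truncated"
                return r
            r.update(chain_complete=True, reason="ok")
            return r
        if offset + hlen > end:
            r["reason"] = f"extension header {nh} extends past the end of this fragment"
            return r
        r["headers"].append(nh)
        nh, offset = nxt, offset + hlen


def should_forward(pkt: bytes) -> bool:
    """Policy discussed in the thread: drop a first fragment whose header chain
    does not fit inside it; other packets pass this particular check."""
    r = walk_header_chain(pkt)
    return r["chain_complete"] if r["first_fragment"] else True


# --- constructed sample packets -------------------------------------------
SRC = DST = b"\x20\x01\x0d\xb8" + b"\0" * 12                   # 2001:db8::, documentation prefix

def ipv6(nh: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload

def frag_hdr(nh: int, offset_units: int = 0, more: bool = True) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset_units << 3) | int(more), 0x1234)

def dest_opts(nh: int, ext_len: int = 0) -> bytes:
    body = (ext_len + 1) * 8 - 2                               # fill the body with one PadN option
    return bytes([nh, ext_len, 1, body - 2]) + b"\0" * (body - 2)

TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
UNFRAGMENTED = ipv6(TCP, TCP_HDR)
FIRST_FRAG_OK = ipv6(FRAGMENT, frag_hdr(DESTOPTS) + dest_opts(TCP) + TCP_HDR)
# Dest Opts claims 40 bytes but only its first 8 made it into this fragment.
FIRST_FRAG_SPLIT = ipv6(FRAGMENT, frag_hdr(DESTOPTS) + dest_opts(TCP, ext_len=4)[:8])
# The TCP header itself is cut in two by fragmentation.
FIRST_FRAG_TRUNC_TCP = ipv6(FRAGMENT, frag_hdr(TCP) + TCP_HDR[:4])
SECOND_FRAG = ipv6(FRAGMENT, frag_hdr(TCP, offset_units=5, more=False) + b"\xaa" * 40)

if __name__ == "__main__":
    for name in ("UNFRAGMENTED", "FIRST_FRAG_OK", "FIRST_FRAG_SPLIT",
                 "FIRST_FRAG_TRUNC_TCP", "SECOND_FRAG"):
        pkt = globals()[name]
        print(f"{name:21} forward={should_forward(pkt)!s:5} {walk_header_chain(pkt)['reason']}")
```

The walk bounds every read by the smaller of the buffer and the Payload Length field, so a header that claims more length than the fragment carries is reported rather than read past the end. Non-first fragments are passed by this check because they contain no chain to inspect; a real middlebox would still subject them to its normal reassembly limits.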
