Replying with my IPv6 + shepherd hats Indeed, I fail to understand why *transit* SP are dropping EH (as opposed to final destination router/firewall, which should drop some EH)
I sincerely hope that this document will rather 'open the gate' as some EH are recommended to go through -éric -----Original Message----- From: iesg <iesg-boun...@ietf.org> on behalf of Robert Wilton via Datatracker <nore...@ietf.org> Reply-To: "Rob Wilton (rwilton)" <rwil...@cisco.com> Date: Wednesday, 14 July 2021 at 16:21 To: The IESG <i...@ietf.org> Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-cha...@ietf.org" <opsec-cha...@ietf.org>, Eric Vyncke <evyn...@cisco.com>, "draft-ietf-opsec-ipv6-eh-filter...@ietf.org" <draft-ietf-opsec-ipv6-eh-filter...@ietf.org> Subject: Robert Wilton's No Objection on draft-ietf-opsec-ipv6-eh-filtering-08: (with COMMENT) Robert Wilton has entered the following ballot position for draft-ietf-opsec-ipv6-eh-filtering-08: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsec-ipv6-eh-filtering/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Hi, Thanks for this document, it is useful to try and tame how SPs are filtering IPv6 extension headers. However, I did find some of this document somewhat surprising in the context of RFC 8200, and this is perhaps just my naivety on how it is actually deployed: My reading on RFC 8200 extension headers can be summarized as: - Hop by hop options default to being off unless you enable them. - Other extension headers only have relevance once the packet reaches the destination node, and hence I would have thought that all transit nodes should by default just ignore them. Given that this document is specifically only for transit nodes where the packets are not destined to them, I was expecting a summary along the lines of: - Ignore hop by hop options unless they protocols in the transmit domain are making use of them. - Allow, and ignore, all other extension headers. Maybe filter RH types 0 and 1 because they should not be used, but even this processing could be left until the destination node. My slight fear with the current draft is that it makes this all seem very complicated and protocol specific which possibly might encourage ISPs to just drop all packets using EHs. Regards, Rob _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec