On Thu, May 18, 2023 at 6:17 AM Fernando Gont <fg...@si6networks.com> wrote:
>
> Hi, David,
>
> On 18/5/23 02:14, David Farmer wrote:
> >
> >
> > On Wed, May 17, 2023 at 13:57 Tom Herbert
> > <tom=40herbertland....@dmarc.ietf.org
> > <mailto:40herbertland....@dmarc.ietf.org>> wrote:
> [...]
> >
> > Maximum security is rarely the objective, I by no means have maximum
> > security at my home. However, I don’t live in the country where some
> > people still don’t even lock their doors. I live in a city, I have
> > decent deadbolt locks and I use them.
> >
> [....]
> >
> > So, I’m not really happy with the all or nothing approach the two of you
> > seem to be offering for IPv6 extension headers, is there something in
> > between? If not, then maybe that is what we need to be working towards.
>
> FWIW, I'm not arguing for a blank "block all", but rather "just allow
> the ones you really need" -- which is a no brainer.

Fernando,

I'm not sure how that's a no brainer, who decides "the ones you really
need"? If everyone independently makes that decision then we wind up
with an Internet that can't evolve and is perpetually stuck in the
status quo.

> The list you need
> is, maybe Frag and, say, IPsec at the global level? (from the pov of
> most orgs).
>
> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD)).
>
It might be productive if you suggested a more concrete direction
here. Maybe a proposed BCP suggesting the EHs that you believe should
be universally blocked and the rationalization for that and why the
problems with them can't be fixed.

Tom

> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fg...@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
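
The allowlist position debated above (Fragment and IPsec at the global level, Hop-by-Hop only on the local link), written out as a header-chain classifier. This is an added example, not code from either participant or from any IETF document; the `classify` and `ipv6` names, the `on_link` switch and the exact allowlist sets are assumptions made for illustration.

```python
import struct

# IPv6 extension header protocol numbers (IANA).
HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6 = 135, 139, 140
EXT_HEADERS = {HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY, HIP, SHIM6}

# Assumed policy, one reading of the thread: Frag and IPsec globally, HbH on-link only.
GLOBAL_ALLOW = {FRAGMENT, ESP, AH}
LINK_ALLOW = GLOBAL_ALLOW | {HBH}


def classify(packet: bytes, on_link: bool = False):
    """Return (verdict, chain): verdict is 'accept' or 'drop', chain lists EHs seen."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop", []
    allowed = LINK_ALLOW if on_link else GLOBAL_ALLOW
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT_HEADERS:
        chain.append(nxt)
        if nxt not in allowed:
            return "drop", chain
        if nxt == ESP:                      # payload is encrypted, chain ends here
            return "accept", chain
        if off + 8 > len(packet):           # truncated header: cannot be validated
            return "drop", chain
        following, length_field = packet[off], packet[off + 1]
        if nxt == FRAGMENT:
            size = 8                        # Fragment header has a fixed size
            frag_off = struct.unpack_from("!H", packet, off + 2)[0] >> 3
            if frag_off:                    # non-first fragment: no parsable headers follow
                return "accept", chain
        elif nxt == AH:
            size = (length_field + 2) * 4   # AH length is in 32-bit words minus 2
        else:
            size = (length_field + 1) * 8   # generic EH length: 8-octet units minus 1
        if off + size > len(packet):
            return "drop", chain
        nxt, off = following, off + size
    return "accept", chain


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed sample packet (addresses from the 2001:db8::/32 doc prefix)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload
```

The second element of the result is the list of extension headers seen before the verdict, which is the evidence an operator would want logged when deciding whether an allowlist like this one is too tight.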
