+1 This would be very helpful for enterprises! And for Xipeng, Would not such a BCP be VERY consistent with the “Side Meeting” efforts of V6OPS?
Thanks all Mike From: ipv6 <ipv6-boun...@ietf.org> On Behalf Of nalini.elk...@insidethestack.com Sent: Thursday, May 18, 2023 10:53 AM To: Tom Herbert <tom=40herbertland....@dmarc.ietf.org>; Nick Buraglio <burag...@forwardingplane.net> Cc: Andrew Campling <andrew.campling@419.consulting>; Fernando Gont <fg...@si6networks.com>; V6 Ops List <v6...@ietf.org>; 6...@ietf.org; opsec WG <opsec@ietf.org> Subject: Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS) [External email] Nick, > neither really have use cases I think a use cases document is a great idea! Although, IMHO one of the points of extension headers is that they can be used to extend the protocol for purposes which we cannot think of today! Thanks, Nalini Elkins CEO and Founder Inside Products, Inc. www.insidethestack.com<http://www.insidethestack.com> (831) 659-8360 On Thursday, May 18, 2023 at 07:49:50 AM PDT, Nick Buraglio <burag...@forwardingplane.net<mailto:burag...@forwardingplane.net>> wrote: Is there any document that details the current operational best practices or explains the EH options and use cases in a succinct document? I didn't find one (although I did not look terribly hard). If not, that sounds like an opportunity to work through them and create one, perhaps? Nalani has a deep dive study here https://www.ietf.org/archive/id/draft-elkins-v6ops-eh-deepdive-fw-01.html and https://datatracker.ietf.org/doc/draft-elkins-v6ops-eh-deepdive-cdn/ but I wasn't able to find a list with some use cases akin to the ND considerations draft here https://datatracker.ietf.org/doc/draft-ietf-v6ops-nd-considerations/ RFC7045 has a decent, and RFC2460 explains what they are but neither really have use cases. nb On Thu, May 18, 2023 at 9:33 AM Tom Herbert <tom=40herbertland....@dmarc.ietf.org<mailto:40herbertland....@dmarc.ietf.org>> wrote: On Thu, May 18, 2023 at 7:24 AM Andrew Campling <andrew.campling@419.consulting<mailto:andrew.campling@419.consulting>> wrote: > > I wonder if part of the issue here is that insufficient attention is being > given to operational security matters and too much weight is given to privacy > in protocol development, irrespective of the security implications (which is > of course ultimately detrimental to security anyway)? Andrew, There is work being done to address the protocol "bugs" of extension headers. See 6man-hbh-processing and 6man-eh-limits for instance. Tom > > Andrew > > > From: OPSEC <opsec-boun...@ietf.org<mailto:opsec-boun...@ietf.org>> on behalf > of Fernando Gont <fg...@si6networks.com<mailto:fg...@si6networks.com>> > Sent: Thursday, May 18, 2023 2:19 pm > To: David Farmer <far...@umn.edu<mailto:far...@umn.edu>>; Tom Herbert > <tom=40herbertland....@dmarc.ietf.org<mailto:40herbertland....@dmarc.ietf.org>> > Cc: 6...@ietf.org<mailto:6...@ietf.org> > <6...@ietf.org<mailto:6...@ietf.org>>; V6 Ops List > <v6...@ietf.org<mailto:v6...@ietf.org>>; opsec WG > <opsec@ietf.org<mailto:opsec@ietf.org>> > Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? > (Episode 1000 and counting) (Linux DoS) > > Hi, David, > > On 18/5/23 02:14, David Farmer wrote: > > > > > > On Wed, May 17, 2023 at 13:57 Tom Herbert > > <tom=40herbertland....@dmarc.ietf.org<mailto:40herbertland....@dmarc.ietf.org> > > <mailto:40herbertland....@dmarc.ietf.org<mailto:40herbertland....@dmarc.ietf.org>>> > > wrote: > [...] > > > > Maximum security is rarely the objective, I by no means have maximum > > security at my home. However, I don’t live in the country where some > > people still don’t even lock there doors. I live in a a city, I have > > decent deadbolt locks and I use them. > > > [....] > > > > So, I’m not really happy with the all or nothing approach the two of you > > seem to be offering for IPv6 extension headers, is there something in > > between? If not, then maybe that is what we need to be working towards. > > FWIW, I[m not arguing for a blank "block all", but rather "just allow > the ones you really need" -- which is a no brainer. The list you need > is, maybe Frag and, say, IPsec at the global level? (from the pov of > most orgs). > > (yeah... HbH and the like are mostly fine for the local link (e.g. MLD). > > Thanks, > -- > Fernando Gont > SI6 Networks > e-mail: fg...@si6networks.com<mailto:fg...@si6networks.com> > PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494 > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org<mailto:OPSEC@ietf.org> > https://www.ietf.org/mailman/listinfo/opsec _______________________________________________ v6ops mailing list v6...@ietf.org<mailto:v6...@ietf.org> https://www.ietf.org/mailman/listinfo/v6ops _______________________________________________ v6ops mailing list v6...@ietf.org<mailto:v6...@ietf.org> https://www.ietf.org/mailman/listinfo/v6ops The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies. Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association. This message was secured by Zix(R).
_______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec