On 21-May-23 21:33, Fernando Gont wrote:
Hi, Tom,
On 18/5/23 15:27, Tom Herbert wrote:
[....]
So, I’m not really happy with the all or nothing approach the two of you
seem to be offering for IPv6 extension headers, is there something in
between? If not, then maybe that is what we need to be working towards.
FWIW, I[m not arguing for a blank "block all", but rather "just allow
the ones you really need" -- which is a no brainer.
Fernando,
I'm not sure how that's a no brainer, who decides "the ones you really
need"?
Typically. whoever runs the destination AS or network. Or the transit
AS, if the packets will affect the transit AS.
And there's the problem. The operator of a large network cannot possibly
know which extension headers every host on the network needs. It's
called permissionless innovation, and is supposed to be one of the main
success factors for the Internet.
If everyone independently makes that decision then we wind up
with an Internet that can't evolve and is perpetually stuck in the
status quo.
Well, yes, there's no big brother making decisions about mine or your
networks' policies.... hence everyone makes decisions independently.
From the point of view of hosts, there is an anonymous Big Brother, the
moment that any upstream operator blocks a wanted extension header.
(IN a way that's why QUIC runs on top of UDP ... although in the case of
QUIC, I bet it has more to do with NATs thatn with explicit firewalling)
It's to do with *any* barrier to IP layer transparency. This is a very
basic tussle in the architecture.
Brian
The list you need
is, maybe Frag and, say, IPsec at the global level? (from the pov of
most orgs).
(yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
It might be productive if you suggested a more concrete direction
here. Maybe a proposed BCP suggesting the EHs that you believe should
be universally blocked and the rationalization for that and why the
problems with them can't be fixed.
Are your referring to the "transit AS" case, the "dest AS/network" case,
or both?
In any case, my comment was simply a two-liner email comment, as opposed
to full-fledged advice.
Thanks!
Regards,
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
