David Farmer <far...@umn.edu> wrote:
    >> I think that many of us are still reeling from default configuration
    >> of certain "firewalls" that banks seemed to like, which dropped packets
    >> containing ECN, and TCP options, and made it very very difficult to
    >> deploy new things.  Even when at the IETF standards level... (so
    >> "innovation with permission")

    > So, I think we need "permissionless innovation" at the Internet level.
    > Nevertheless, that doesn't mean "innovation with permission" isn't
    > appropriate in some or even many situations. For example, in a
    > situation involving public safety, like a nuclear reactor or a missile
    > control system. We can all agree that "permissionless innovation" isn't
    > necessarily appropriate in situations like these.

Just to be clear: this means that the SSL/HTTPS VPN that lets Homer Simpson
do safety work from home stops working when the browser-OS is upgraded with
ECN, EH, etc.

    >> I guess I'd be okay if it were the EH itself that was dropped, but I
    >> suspect it's still the entire packet.  I don't even really want to
    >> drop the EH, so much as write over it with an EH that is blank.  I
    >> don't think that's a defined action.
    >>

    > If it's not ok to add an EH on the fly, why should it be ok to remove
    > or blank it out? We only allow relatively minor alterations to EHs on
    > the fly, removing or completely blanking them out seems too far.

Well, I agree: neither should be allowed.
So, why should it be okay to blank the ENTIRE PACKET?


--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide





_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
