-----Original Message----- From: Brian E Carpenter <brian.e.carpen...@gmail.com>
> It's perfectly fine if a host chooses to block incoming packets for any > reason whatever, including unknown extension headers. That's quite consistent > with the *network* allowing permissionless innovation. Right, but, as others mentioned, there are likely going to be IoT devices in my home, or in my enterprise, which are not as updatable as my smarter boxes. And those need protecting too. So the easiest approach is to keep out anything potentially harmful from the inside network. Also, this same sort of security gateway model is used in the defense industry. Put the burden on some gateway box rather than relying too much on individual hosts. Why? Because "We don't necessarily trust the vendors of individual hosts, so we'll use a broader brush approach." This is real. > The problem arises when any upstream intermediate node drops a packet because > it doesn't like it for some reason. There, you immediately create the tussle > between transparency and security, and I strongly suspect that there is no > universal way of avoiding that tussle. Not every new feature has backing from > Google. Agreed, and my bet is, the tussle will favor not banking too much on header extensions, when security is an issue. And security is increasingly an issue, as we have seen over past decades. > I don't want my ISP or my CE router to block any extension headers. My bet is that over time, IPv6 CE routers will likely block anything unneeded by default, and then maybe permit users to go to "advanced options" to fine-tune the router to their special needs. And as we know, the very vast majority will never attempt any such thing. (Just as the very vast majority never even change the default name of their home WiFi access point.) I understand your point about the IPv6 sales pitches. Skepticism about sales pitches is not unusual, however. Bert _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
