On 2007-06-15 03:53, james woodyatt wrote:
On Jun 14, 2007, at 18:27, Thomas Narten wrote:
I understand that the default security policy/config is just say no.
But if we accept that, in this case, then I think the implication
really is we might as well toss out the routing header entirely.
On Thu, 14 Jun 2007 17:09:09 -0700, Thomas Narten [EMAIL PROTECTED]
wrote:
I'm slightly concerned that such advice flies in the face of
conventional advice given to those constructing firewall policy. It
is normal practice, I believe, for end-site firewall policy to be
deployed based on
On 14-Jun-2007, at 14:09, james woodyatt wrote:
On Jun 14, 2007, at 02:56, JORDI PALET MARTINEZ wrote:
Just avoiding ANY collision risk. VERY VERY VERY LOW is not enough
for them.
My attitude is that IETF should tell them that's THEIR problem, not
OURS. Has the operator community
-Original Message-
From: james woodyatt [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 14, 2007 21:53
To: IETF IPv6 Mailing List
Subject: Re: draft-ietf-ipv6-deprecate-rh0-01-candidate-01
On Jun 14, 2007, at 18:27, Thomas Narten wrote:
I understand that the default security
TJ wrote:
[..]
For clarification - let's say we have a device that can filter based on the
presence of a routing header, but cannot be more granular and filter based
on what type of routing header it is.
Then that device's IPv6 implementation is inherently broken. This, as
with the current
-Original Message-
From: james woodyatt [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 14, 2007 14:10
To: IETF IPv6 Mailing List
Subject: Re: [***SPAM*** Score/Req: 10.4/4.5] Re: Revising Centrally
Assigned ULA draft
On Jun 14, 2007, at 02:56, JORDI PALET MARTINEZ wrote:
Just avoiding
If you need to choose either accepting or blocking all routing
headers, which do you recommend to your (potentially very paranoid,
and that isn't necessarily bad) clients?
RH2 are harmless and are only supported by Mobile IPv6 aware nodes
(Mobile Nodes, and Correspondent Nodes supporting
Is the recommendation to fail closed - block all RHs, including
Type2, thus breaking Route Optimization?
If you block all RHs, you break Mobile IPv6 and not only the Route
Optimization.
The RH2 is used to *carry* the Binding Acknowledgment from the home
agent to the mobile node.
Excellent point, thank you.
It still begs the question however -
If you need to choose either accepting or blocking all routing headers, which
do you recommend to your (potentially very paranoid, and that isn't necessarily
bad) clients?
(Yes, still with an emphasis on the right approach of
How about if I say traffic amplification over a remote path instead
of packet amplification?
wfm.
Seems like a sentence or two describing the exploitation itself would
be good. Not a lot of detail, but more than just it can be
exploited. (Later, I see that you include such text in the
Rémi Denis-Courmont [EMAIL PROTECTED] writes:
On Wednesday 13 June 2007, Thomas Narten wrote:
To be clear, if even a small fraction of firewalls get deployed that
just block all traffic with a RH, MIPv6 breaks and becomes
undeployable in practice. For EVERYONE!
I have been trying to unsubscribe from this mailing list
unsuccessfully. Could someone help!
Nina Nour
[EMAIL PROTECTED]
-Original Message-
From: Thomas Narten [mailto:[EMAIL PROTECTED]
Sent: Friday, June 15, 2007 10:17 AM
To: Rémi Denis-Courmont
Cc: ipv6@ietf.org
Subject: Re:
Jeroen Massar [EMAIL PROTECTED] writes:
JORDI PALET MARTINEZ wrote:
Operators have said that they will not be able to use ULA, but they could
use ULA-C, for example for things like microallocations for internal
infrastructures.
I really wonder where you got that idea, as I know of no
[excuses for the intermission, but clearly it is time to state it again]
Nour, Nina N. wrote:
I have been trying to unsubscribe from this mailing list
unsuccessfully. Could someone help!
For clarity, mainly for people who don't ask and do want to get out:
As described below:
On Jun 15, 2007, at 05:20, TJ wrote:
For clarification - let's say we have a device that can filter
based on the
presence of a routing header, but cannot be more granular and
filter based
on what type of routing header it is.
Is the recommendation to fail closed - block all RHs,
Hi Marla,
In fact, when I started to work on this, it was because I realized about the
possibility to use ULA-C as the space for the microallocations and talking
with different folks they said that it will be possible with ULA-C, but not
ULA.
I also talked with people from the AC and they
They need a trusted entity running the tool to void any clash chance, that's
one good reason for making it different than ULA.
Regards,
Jordi
From: Brian E Carpenter [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 14 Jun 2007 11:42:20 +0200
To: [EMAIL PROTECTED]
CC:
-Original Message-
From: Thomas Narten [mailto:[EMAIL PROTECTED]
The answer to the upcoming question must be obvious to many
people here,
but anyway not to me: Does blocking RH2 break Mobile Nodes in your
network, or does it break both Mobile Nodes *AND* Correspondent
On Friday 15 June 2007, Manfredi, Albert E wrote:
Hence, if such filtering becomes even occasionally common on the
open Internet, MIPv6 will become unusable/undeployable in practice.
If you mean ISPs, I agree. If you mean home nets, it doesn't matter
so much. The home user can simply be
On Fri, 15 Jun 2007 15:13:40 -0500
Kevin Kargel [EMAIL PROTECTED] wrote:
I agree wholeheartedly. There is nothing you can do with ULA-C that you
can't do with PI and a minor firewall rule or two. Leaving the space as
PI gives it either-or capability, putting it as ULA reduces PI. (And