Re: Last Call: (Implications of Oversized IPv6 Header Chains) to Proposed Standard

e wg didn't want that in -- and I did raise the issue a few times. So what we have is what the 6man wg had consensus on. Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Re: Last Call: (Implications of Oversized IPv6 Header Chains) to Proposed Standard

semble-inspect-and-refragment... or even reassemble the TCP stream (e.g. think about a SSL/TCP-based VPN...) Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Re: Last Call: (Implications of Oversized IPv6 Header Chains) to Proposed Standard

gt; discussions we had earlier and the resulting draft from Mark > Andrews on what to do when the header chain spans multiple > fragments? Are we trying to keep the header chain all within > the first fragment or not? Yes. Thanks, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6n

Re: AD Evaluation: draft-ietf-6man-oversized-header-chain

On 10/02/2013 08:50 PM, Tom Taylor wrote: > Just a trivial change: "including" -> "subject to" Agreed. But I can fix it this after IETF LC or even durng AUTH48. Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C

Re: AD Evaluation: draft-ietf-6man-oversized-header-chain

nts, and sends an ICMPv6 error message due to the discard, then the ICMPv6 error message MUST be Type 4 ("Parameter Problem") and MUST use Code TBD ("First- fragment has incomplete IPv6 Header Chain"). ? > 5. I would suggest adding a reference to 2460 for the 12

Re: UDP+Fragmentation (was: "Deprecate")

ing askance at IPv6 fragmentation is not > logical if one is not at least as concerned about TCP, which does > NOT seem to be widely blocked FWIW, I came across this (worth-reading) article: <http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/> --

Re: [6MAN] UDP+Fragmentation

covered (and are not being actively exploited), it > takes significant time to regression test / smoke test new code, and > significant time to upgrade an entire network. It therefore makes > sense to try and limit the exposure / attack surface… I understand. At the end of the day, the

Re: [6MAN] UDP+Fragmentation (was: "Deprecate")

ments, no matter which device they are directed to. > Anyway, I figured folk might find this interesting: > http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-ipv6vfr I did find the pointer interesting (thanks!). If folks know more about this vulner

Re: UDP+Fragmentation (was: "Deprecate")

ant to use TCP. There are a bunch of attacks that can be (by far) more devastating than the fragmentation-based ones (see <http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>). Thanks, -- Fernando Gont SI6 Networks e-mail:

Re: Detailed review of draft-ietf-6man-stable-privacy-addresses-13 A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)

resses, it certainly applies to those technologies (and probably is as "general" as you can get in this respect). >>> Nits ==== >>> >>> indentation of /Cryptographically Generated / >>> >>> indentation of

Re: Detailed review of draft-ietf-6man-stable-privacy-addresses-13 A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)

se specified in [RFC2464])" with "(such as those specified in [RFC2464], [RFC2467], and [RFC2470])" The only downside is that there are many instances of this, and hence the text would become a bit cumbersome. > Nits > > indentation of /Cryptographically Gen

Re: Detailedl review of draft-ietf-6man-oversized-header-chain-06

Doesn't that make things ("slightly", if you want) harder for an implementer? Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Re: Detailedl review of draft-ietf-6man-oversized-header-chain-06

is removed prior to publication, I guess one has to navigate IANA's site, or Google for he registry?? Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 -

Re: 6MAN Adoption call on

s. Hence you can have your own network be an amplifier to attack a third party. Not to mention that if you're employing e.g. an openvpn Ethernet bridge, it becomes fuzzy what's your local link (i.e. real links vs. "virtual" link). IMO, this is the kind of feature

Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-13.txt

Group of the IETF. > > Title : A Method for Generating Semantically Opaque Interface > Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC) > Author(s) : Fernando Gont > Filename: draft-ietf-6man-stable-privacy-addresses-13.txt &

Re: Definition of Extension Header in draft-ietf-6man-oversized-header-chain-05.txt (was Re: I-D Action: draft-ietf-6man-oversized-header-chain-05.txt)

27;s go with normative. Ok. Please let me know if we're fine with the above change (para that goes in the Terminology section + normative reference) and I'll rev the I-D. Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C

Re: Definition of Extension Header in draft-ietf-6man-oversized-header-chain-05.txt (was Re: I-D Action: draft-ietf-6man-oversized-header-chain-05.txt)

MHO it would be incorrect, as discussed with Brian). (please see the P.S., anyway). > I agree that we should publish these two documents together. +1 for this. Isn't there a way to request this without a normative ref? P.S.: Ple

Re: Definition of Extension Header in draft-ietf-6man-oversized-header-chain-05.txt (was Re: I-D Action: draft-ietf-6man-oversized-header-chain-05.txt)

IANA is .xml based. >> >> Do you know which file is the authoritative one? > > If you follow links from the IANA home page, you get to > https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml > As far as I know that is the primary reference. Ok, I will

Re: Definition of Extension Header in draft-ietf-6man-oversized-header-chain-05.txt (was Re: I-D Action: draft-ietf-6man-oversized-header-chain-05.txt)

days IANA is .xml based. Do you know which file is the authoritative one? Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 IETF IPv6 working group m

Definition of Extension Header in draft-ietf-6man-oversized-header-chain-05.txt (was Re: I-D Action: draft-ietf-6man-oversized-header-chain-05.txt)

been specified in [RFC2460] itself and in other later documents. (which IMO would still be fine, since we don't really need to provide the full list here) Thoughts? Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4

Re: 6MAN Adoption call on

on't think > this attack vector is that serious. That might help preventing an attacker to exploit this against an arbitrary system, but not against all nodes. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networ

Re: 6MAN WG Last Call:

ng used with other address configuration mechanisms, such as DHCPv6 or static address confguration" at the end of Section 1, right before the "terminology" paragraph? Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C

Re: 6MAN WG Last Call:

case specifically). Please see above. Moral of the story: be proactive. A bad idea is... a bad idea. So if you don't find a scenario where a bad idea can be harmful, that doesn't mean attacker won't find it, or that such scenario doesn't exist. Cheers, -- Fernando Gont SI6 Net

Re: 6MAN - active documents

't that specifically warrant more text on the subject? The Network_ID parameter is optional. If you can come up with a Network_ID for your network, you can use it. However, in the case of Ethernet I don't think there's an obvi

Re: 6MAN - active documents

implementors. That's left unspecified, since it might be tricky: there's might be more than one local router, for redundancy purposes -- but since it's the same network, you'd want your addresses to be stable. That's why in the SSID example we use the SSID, a

Re: 6MAN WG Last Call:

L > datagrams, which is at the heart of the subject matter of > draft-bonica-6man-frag-deprecate. The wg discussed this, and I seem to recall that the outcome was that we were not ready to ban the use of fragmentation, but rather that we should move away from it. Cheers, -- Fernando Gont S

Re: 6MAN WG Last Call:

n 4). > > I agree that this all seems fine in theory. Are we collectively > convinced this will not lead to tragically (IPv6-)orphaned machines in > certain scenarios? Sorry, what are the scenarios you have in mind? Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.c

Re: Detailed review of draft-ietf-6man-ext-transmit-02

e >>> they are experimental values defined by a standards track RFC. Go figure!) >> >> I think we might be able to do both "1)" and "2)" above by adding a tag >> along the lines of "not expected in the public Internet"? (with the >> impl

Re: Detailed review of draft-ietf-6man-ext-transmit-02

so tricky, because > they are experimental values defined by a standards track RFC. Go figure!) I think we might be able to do both "1)" and "2)" above by adding a tag along the lines of "not expected in the public Internet"? (with the implication that "it&#x

Detailed review of Significance of IPv6 Interface Identifiers

but in practice, > there are various methods of forming such an interface identifier. s/that that/that/ * Section 1 > Finally it updates RFC 4291 accordingly. Missing comma right after "Finally". * Section 2: > If not, the problem will be detected by duplicate address detec

Re: I-D Action: draft-ietf-6man-oversized-header-chain-04.txt

y not just avoid counting, note that some "ext headers were specified in [RFC2460] and others in subsequent RFCs", and point to the corresponding (upcoming) IANA registry for ext headers? Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 666

Detailed review of draft-ietf-6man-ext-transmit-02

rved that certain firewalls do not even >handle all the extension headers standardised in RFC 2460, including >the fragment header [I-D.taylor-v6ops-fragdrop], causing fundamental >problems of connectivity. I'd probably s/connectivity/interoperability/ * Section 1: > It ca

Re: draft-ietf-6man-stable-privacy-addresses: Document title

HO, I wouldn't personally opt for changing the title, since I think it conveys the information it is meant to convey. That say, if we (wg) want to go that path, something along the lines of what I suggested above (essentially *your* suggestion, with a minor mod) would seem to be the best alt

Re: ra-privacy : addressed the deficiencies of RFC 4941- applied recent comments

omments have not been addressed, since you've stated that they have. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 IETF IPv6 work

Re: draft-ietf-6man-stable-privacy-addresses: Document title

lar case of someone leaking a secret key above (but we still call them "secret"). The best thing a reader of this document can do is read the I-D we're co-authoring with Dave and Alissa. Whatever title we were to chose won't help the reader avoid the ned to do that. Cheer

Re: draft-ietf-6man-stable-privacy-addresses: Document title

>> Me, I don't care much about the title. However, given that folks >> have become used to refer to this scheme as "stable-privacy >> addresses", and that so far alternative titles don't seem to do a >> much better job, I'd leave the title &

Re: draft-ietf-6man-stable-privacy-addresses: Document title

es are "stable per network", too. Me, I don't care much about the title. However, given that folks have become used to refer to this scheme as "stable-privacy addresses", and that so far alternative titles don't seem to do a much better job, I'd leave the

Re: ra-privacy : new version accomodated all the comments

problem > for them. :-) if so, Pascal can explain this better. Unless IOS has became free software, it looks like you're not reading what I'm writing. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 74

Re: ra-privacy : new version accomodated all the comments

SSAS, the > problem of using CGA is not IPR otherwise without any reason people accepted > SSAS and I did not need to put effort to convince people :-). The problem of your scheme is that is an extremely complex way of doing something that can be much simpler. IPRs *are* a problem. If you think y

Re: ra-privacy : new version accomodated all the comments

easonable and Non-Discriminatory License to All > Implementers This is a non-starter for many free-software projects. -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 --

draft-ietf-6man-stable-privacy-addresses: Document title

with the current title. Besides, the community has become used to refer to this method as "stable-privacy-addresses".. so changing the title at this point would, IMHO, only contribute to confusion. Thoughts? Thanks, -- Fernando Gont SI6 Networks e-mail

Re: ra-privacy : new version accomodated all the comments

pseudo-CGA as I had to change > some inputs so nobody can claim about IPR for this algorithm. :-) I won't fight this one with you, Hosnieh. You have received my input. It's up to you what you do with it. Cheers, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PG

Re: ra-privacy : new version accomodated all the comments

esides, there are IPRs on the CGA algorithm... but RFC4941 itself doesn't have any. SO this document would essentially IPR-encumber RFC4941 -- the farther that you can get from that, the better, I'd say. :-) Cheers, -- Fe

Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-11.txt

: A method for Generating Stable Privacy-Enhanced > Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC) > Author(s) : Fernando Gont > Filename: draft-ietf-6man-stable-privacy-addresses-11.txt > Pages : 25 > Date

Re: ra-privacy : new version accomodated all the comments

to that RFC , I just briefly mentioned that the node > "MIGHT" follow the other external policies for the lifetime and “Might” > not follow those of RFC 4941. > > > > > > If there are any other issues that I should consider for this draft, > ple

Re: "Deprecate"

r proposed way forward. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 IETF IPv6 working group mailing list ipv6@ietf.org Administ

Re: "Deprecate"

w implementations), nor we're advising networks to drop fragments. -- i.e., something along the lines of what we did in RFC 6093 for the TCP urgent mechanism. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8

Re: Need Jabber Scribe and Minute Taker

g a non-native English speaker, at times it gets hard to dynamically adapt :-) to the different accents). Cheers, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE

Re: I-D Action: draft-ietf-6man-oversized-header-chain-03.txt

ized IPv6 Header Chains > Author(s) : Fernando Gont > Vishwas Manral > Ronald P. Bonica > Filename: draft-ietf-6man-oversized-header-chain-03.txt > Pages : 12 > Date

Re: Meta-issues: On the deprecation of the fragmentation function

> merits or lack thereof. Again: Why is this more special in v6 than in v4? -- You seem to be ignored the "questions" that I've asked. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 --

Re: Meta-issues: On the deprecation of the fragmentation function

some implementation does something stupid about it, then I wonder what we'd be left with. -- for instance, you should be deprecating Neighbor Discovery, because many implementations do things such as allowing the NCE to consume all memory, not doing any sanity checks on the received link-la

Meta-issues: On the deprecation of the fragmentation function

hey employ multicast... which might mean that they need to send such "large" UDP datagrams). ** Therefore ** Considering the above, I guess I'm in the camp of "avoid fragmentation where possible". However, I don't think I'd go as far as deprecating it. Jus

Re: New Version Notification for draft-bonica-6man-frag-deprecate-00.txt

On 06/27/2013 06:14 AM, Fred Baker (fred) wrote: > > On Jun 26, 2013, at 4:52 PM, Fernando Gont > wrote: > >> On 06/26/2013 12:56 PM, Mark ZZZ Smith wrote: >>> >>> One of the issues with conventional ICMP PTB based PMTUD is the >>> default rate limi

Re: New Version Notification for draft-bonica-6man-frag-deprecate-00.txt

ses. Many implementers don't want to rely on a 100% ICMP-less PMTUD because of the potentially-lng convergence time (i.e. time to discover the PMTU). Thanks, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076

Re: Progressing stable-privacy-addresses (bis) (was Re: Progressing draft-ietf-6man-stable-privacy-addresses (Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-10.txt))

at "we need to make sure we understand the bigger picture"... because the I-D was brought back to the wg for a low-level detail, and not for the "bigger picture". Just me trying to make progress. Cheers, --

Progressing stable-privacy-addresses (bis) (was Re: Progressing draft-ietf-6man-stable-privacy-addresses (Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-10.txt))

o be what the wg is supporting? This document has been suffering from unnecessary delays for almost a year now. It's not very encouraging for people to contribute opinions to this wg if, when most people seem to be arguing one way, but you decide to go another. Cheers, -- Fernando Go

Re: Progressing draft-ietf-6man-stable-privacy-addresses (Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-10.txt)

July/August (1.5 months from now) to ship the document? -- So far, all comments I've seen (at least 5) have argued in favor of shipping the document... so it looks like there's consensus on shipping... Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Finger

Re: Progressing draft-ietf-6man-stable-privacy-addresses (Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-10.txt)

ssed, and that there's general agreement to move the document forward. So, procedurally-speaking, I don't understand the basis of stalling this document. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fing

Re: Progressing draft-ietf-6man-stable-privacy-addresses (Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-10.txt)

ping? On 06/12/2013 07:55 PM, Fernando Gont wrote: > Folks, > > This latest revision addresses the feedback sent by Alissa Cooper. > > Should we progress this document now? > > Thanks! > Fernando > > > > > On 06/12/2013 07:45 PM, internet-dra...@iet

Re: [6MAN] Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

n expect them to work. If we continue on the current path (do nothing), they will be effectively killed. (see Brian et al's I-D, Warren et al's I-D, etc.). Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

bytes, because otherwise interoperability will be affected". Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 IETF IPv6 working

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

On 06/13/2013 12:07 AM, Joe Touch wrote: > > On 6/12/2013 2:44 PM, Fernando Gont wrote: >>> just to be clear I'm not against the IETF documenting e.g. in a BCP, >>> what the longest expected header chain should be. >> >> Well, that seems more std track th

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

; > On the other hand - I, as an operator, may well decide to drop such > packets. Agreed. -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 I

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

re going to get to their intended destination? Some random folks, for some reason, starts sending those packets. He's packets miserably die in the network. He comes to us, and we all say "oh yeah... they are being dropped.. we know that". And the folk asks us "why didn

Discussion about header chains (was Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain))

rm; that is, no complaints yet ;) Probably because nobody uses such headers in practice ;-) Cheers, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

drop v6 packets with extension headers by default. > just to be clear I'm not against the IETF documenting e.g. in a BCP, what the > longest expected header chain should be. Well, that seems more std track than bcp to me. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

period. FWIW, I don't think anyone has proposed "if the chain is larger than X, then drop". We're just aiming at limiting the header chain length, *not* encouraging router to drop when the header chain exceeds that length. Cheers, -- Fernando Gont SI6 Netwo

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

current version of draft-ietf-6man-oversized-header-chain essentially bans packets such as thos in page 5 of <http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-07> Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1

Progressing draft-ietf-6man-stable-privacy-addresses (Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-10.txt)

s draft is a work item of the IPv6 Maintenance Working Group of the IETF. > > Title : A method for Generating Stable Privacy-Enhanced > Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC) > Author(s) : Fernando Gont > Filename

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

ment is, IMO, a major change. I guess we must agree to disagree. Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 IETF IPv6 working group

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

maintenance, upkeep, and advancement of the IPv6 protocol specifications and addressing architecture. It is not chartered to develop major changes or additions to the IPv6 specifications. The working group will address protocol limitations/issues discovered during deployment and operation. Cheers, -- Fe

Re: Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

f the existing headers. Use > ICMPv6 Parameter Problem as a signal to switch back to the old > fragmentation header. mm.. not sure what you mean. P.S.: Any thoughts regarding limiting the extension header chain to some specific size? Thanks, -- Fernando Gont SI6 Networks e-mail: fg...

Re: [6MAN] draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

e destined to, and whether there can be a legitimate use case for them or not (e.g., you might want to allow fragments for clients, but drop them if they are destined to your web server... in the same way that you might filter fragments to your router, but not through your router). Cheers, -- Ferna

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

all chance of getting through the > network, and that's much more guidance than we give today. And it > gives hardware designers a target that seems to relate to reality. FWIW, that's my take, as well. Cheers, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

mmed through the that thread... but it seems unlreated to this issue -- that thread seems to be about filtering RHT0, which has/had known security issues such as being useful for amplification attacks. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP

Re: [6MAN] draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

your network using something for which there wasn't a legitimate use case (legitimate == such traffic was needed by the task to be performed, and this was known as such to the admin). -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C

Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

e of the IPv6 header chain? 2) If so, which limit should we pick? Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 IET

Re: [6MAN] draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

packet. With an IPv6 minimum MTU of 1280 bytes, a limit of XXX bytes for the entire header chain already allows for YYY % of overhead. (for the first bullet, we could add an informative reference to Warren et al's I-D). Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6n

Re: draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

some people are re-using old hardware cards > they had hanging around does not mean everyone has to go along with it. Agreed: You can always choose to "engineer" an un-deployable protocol/mechanism and complain about the network. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@s

Re: draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

em to be so unreliable already, that if you're to implement an "extension", you better rely on something else. -- not that I like it, but... me not liking it doesn't make the situation any better :-( Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fi

Re: draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

On 06/09/2013 06:36 PM, Ray Hunter wrote: >> Fernando Gont <mailto:fg...@si6networks.com> >> 9 June 2013 15:46 >> Ray, >> >> I'd say one should enforce a "each EH can be present at most once". >> >> ANd, me, I'd limit the EH

Re: draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

e IPv6 minimum MTU... so we'd be allowing packets that are 100& overhead. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Re: draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

inful. I guess having a L4-pointer would have helped quite a lot. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 IETF IPv6 working grou

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

n such a document even before this whole discussion came up). To some extent, including such whole discussion here looks a bit side-tracking. But I'd love to hear what you and others think about it. Thanks! Best regards,

Re: draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

In practice, it wouldn't make much sense, probably (most of the packet containing overhead?). Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Re: draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)

imit the number of instance of each extension header -- but that wouldn't probably fly here... Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 --

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

ode's > stable IPv6 address," correct? Yes. If you think it'd be better to phrase it that way, I can update the text accordingly. Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ---

Re: I-D Action: draft-ietf-6man-stable-privacy-addresses-09.txt

work item of the IPv6 Maintenance Working Group of the IETF. > > Title : A method for Generating Stable Privacy-Enhanced > Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC) > Author(s) : Fernando Gont > Filename: draft-ietf

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

dresses" are > employed together with stable addresses such as those based on IEEE > identifiers, implementation of the mechanism described in this > document would mitigate address-scanning attacks and also mitigate > some vectors for correlating host activities that are

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

#x27;t it a *requirement* to do that, already? >>> B.1.3 Worth any consideration of MIPv6 here? >> >> It has been years since I last checked MIPv6 (and when I did, I >> mostly just skimmed through it). So... up to yo

Re: Revision of draft-ietf-6man-stable-privacy-addresses

Hi, Tim, On 05/22/2013 10:50 AM, Tim Chown wrote: > > On 21 May 2013, at 03:00, Fernando Gont wrote: >> >> Additionally, I'd like to better understand the stability properties of >> UUIDs (and add some text about it right after the text that you have >> su

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

at this example is important, since the example is > one where there's nothing the target node itself can do about it, > which is non-obvious. Otherwise readers could be as confused as > I was. So pointing it out adds significant clarity. Ok. Will do. Thanks! Best regards,

Re: draft-ietf-6man-oversized-header-chain?

hat got me sidetracked (including a car accident -- although everything's fine now). Thanks for checking! Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 ---

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

27;t it enough simply noting that the target node can be probed? Getting into the specific details of the probe packet (stimulus/response) seems like "over-specifying" things to me... Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

using PRFs in novel ways to do specific things. What I did was to apply Bellovin's RFC1948. So any IPR claim on draft-ietf-6man-stable-addresses that predates RFC1948 and that's is not Bellovin's is claiming credit for somebody else's work. Thanks, -- Fernando Gont SI6 Ne

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

tacks, and what stable privacy addresses do about them (analyzing this for every possible address generation mechanism would be out of scope for this I-D, IMO). Thanks! Best regards, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

your local router >> (i.e., if I receive one of such messages, you're not there. If I don't, you >> are). > > Ok, yes that one is interesting. An attacker just needs one vector to be successful. And at the point such vector is not under your control (as in this case),

Re: Comments on draft-ietf-6man-stable-privacy-addresses-07

). * CGAs are IPR encumbered. draft-ietf-6man-stable-privacy-addresses are not. * CGAs cannot be used in conjunction with RFC4941. To be honest, the argument of "using CGAs instead of stable privacy" sounds to me pretty much like "you don't need a hammer, because you can use

Re: solution to RFC 4941 I-D action : draft-rafiee-6man-ra-privacy.txt

27;s the right thing to do Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 IETF IPv6 working group mailing list ipv6@ietf.org Admi

Re: Router advertisement based privacy - I-D: Action :draft-rafiee-6man-ra-privacy

node is in the same network for > a long time or permanently. Please add and elaborate on this in your I-D, because I don't follow the relationship between bank accounts and IPv6 addresses. Cheers, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Finge

  1   2   3   4   5   6   >