Re: problems with draft-ietf-ipv6-deprecate-rh0-00.txt
On Fri, 18 May 2007, Iljitsch van Beijnum wrote:
> To fix this, we should explain the problems that source routing and/or the
> routing header type 0 can cause, define what "deprecate" means and then what
> deprecation of the routing header type 0 means in practice, and how this
> solves the problems explained earlier. Or we simply forego use of the word
> "deprecate".

IMHO, the key point is to make a decision how to go forward. The WG
chairs have read the consensus as 'deprecate' (mail on Mon, 14 May
2007 16:12:04 -0400).

It is not clear to me whether you're arguing against the result of
that consensus call, or arguing about the lack of clarity in this
draft (in general or specific to section 3).

I do not think it's very productive to rathole over argument which
underlying problems are critical, which of them are "security" versus
something else, etc. While it would likely be beneficial to put this
on the written record, getting consensus on these underlying problems
would take much longer than getting consensus for which action to
take.

As such, I'd be supportive of having the source routing issues
documented in a separate (non-normative) I-D, but that should not
block advancing this I-D. (On the other hand, I don't think such a
document is strictly necessary, either.)

I'm supportive of your concern that the interpretation of the word
"deprecate" may have different meanings and more explicit language
might be warranted; Section 3 defines its result without an explicit
definition. I'm also supportive of your concern that the draft should
tone down "serious security implications" that can be "exploited" --
even if these were true, I don't feel it's necessary to have such
(potentially) contentious words in this draft; the key point is the
deprecation, not getting perfect consensus on why we deprecate and how
exactly we write it down.

However, as I think the draft shouldn't spend words in enumerating the
various attacks, it shouldn't discuss the mitigations either. (Both of
these are potential ratholes that we should avoid.)

With regard to IPv4, ADs seemed to feel that it should be addressed in
a separate document.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.