Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS)
Haisheng Yu <hsyu@biigroup.cn> Thu, 08 June 2023 08:02 UTC
Return-Path: <hsyu@biigroup.cn>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBE11C14CE38; Thu, 8 Jun 2023 01:02:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.485
X-Spam-Level:
X-Spam-Status: No, score=-5.485 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_ILLEGAL_IP=1.3, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UdlCMarCG7uU; Thu, 8 Jun 2023 01:02:32 -0700 (PDT)
Received: from smtpbgsg1.qq.com (smtpbgsg1.qq.com [54.254.200.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72101C14CE51; Thu, 8 Jun 2023 01:02:26 -0700 (PDT)
X-QQ-mid: bizesmtpipv603t1686211316tlpn
Received: from DESKTOP-3U2VLEE ( [255.81.159.14]) by bizesmtp.qq.com (ESMTP) with id ; Thu, 08 Jun 2023 16:01:54 +0800 (CST)
X-QQ-SSF: 00400000000000L0Z000000A0000000
X-QQ-FEAT: YHTLUubWl24y9Av7YaRomN/BbgK9AhXfucByZ+4pJaNMv0P92FvywV2lTbet1 DWkSjKgNn6aVl4EOnZYrUp0WVK7ua9Va/rWC6Ek1h6y5AWLQYStVjDAtVqFoLla/i1IGdkw w4TEnz3ZHWkqbV0Ir4eUY62X61RFCmFHaDwQUQaQRcHTzqlIZaaKwNyJjfYvl6esEjMn5eB w359goRCLx6qPc2/NviTjBZRHroQYx6itC87XE2Ri50cjn8hXKovRtvl1yH9N4VIGrB8ANP tKqpmXc9YFWzCXEnmHt048S1psjv3PLQS+dNsOgoPw+hHbCLZyKqFFsZTw0JWBpbYyDripV iAV6/Am+bMLAMRn52KoSbjNLvqnS7cARpmVVMppNMvo/TQtgHL7A6/GMUAGvOjUNIdPeQNE w1p5fYHAeLI=
X-QQ-GoodBg: 2
X-BIZMAIL-ID: 7501326081474308082
Date: Thu, 08 Jun 2023 16:01:53 +0800
From: Haisheng Yu <hsyu@biigroup.cn>
To: "fgont@si6networks.com" <fgont@si6networks.com>, "tom=40herbertland.com@dmarc.ietf.org" <tom=40herbertland.com@dmarc.ietf.org>
Cc: "andrew.campling@419.consulting" <andrew.campling@419.consulting>, "tom=40herbertland.com@dmarc.ietf.org" <tom=40herbertland.com@dmarc.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Message-ID: <79E4E13AA53D1956+88643FCA-56CF-4A3B-A7EC-571290B76A9C@biigroup.cn>
In-Reply-To: <CALx6S35VA7g95HA-HK1kAr4rehX6hmrzybGS-Hx8j6Mit5FBMg@mail.gmail.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <4FCF75B585A1D068+7D9B99BB-B24B-4FE8-A3FD-54877C7C1131@cfiec.net> <375ea678-b05f-7bb6-5ae2-43c54cd271f4@si6networks.com> <CALx6S34u5=2UxEz3zeApv+_-W=PTj0PzMRHS1UC=zRchqVCDyQ@mail.gmail.com> <882610dc-cf8f-e08d-8d9e-0e786097f520@si6networks.com> <CALx6S34AnMaVyEVQxaO0b1JGbQetQvDC+xDHk6aH5vbXM-KT7A@mail.gmail.com> <2a02905427604fa6a4c95e2eaa1dd165@boeing.com> <CALx6S36pmsZighJVBLEZWvYqTh1tJtU4SH2Ym0V7oS87dPWAHQ@mail.gmail.com> <6b3a40ef922c47a483860468aac73502@boeing.com> <CALx6S36Vv57AZFr=2adfEMYnVSOECsowXw1c7pTo_E-FWokB6Q@mail.gmail.com> <CWXP265MB51535486342FD27A30CFEE6EC2459@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CALx6S35VA7g95HA-HK1kAr4rehX6hmrzybGS-Hx8j6Mit5FBMg@mail.gmail.com>
X-Mailer: MailMasterPC/4.17.9.1009 (Win10 19H2)
X-CUSTOM-MAIL-MASTER-SENT-ID: CE0B82AB-79B3-47D7-9EB5-A5EB30416F8F
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
X-QQ-SENDSIZE: 520
Feedback-ID: bizesmtpipv:biigroup.cn:qybglogicsvrsz:qybglogicsvrsz3a-1
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/7nDkn9IiSnhz_igsT_AXC03uFZg>
Subject: Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2023 08:02:35 -0000
https://mail-online.nosdn.127.net/997bfaaa29267122f3b7334a5d4895ce.jpg"> | 喻海生 Haisheng Yu(Johnson) |
下一代互联网关键技术和评测北京市工程研究中心有限公司 13654947748 |
From | Tom Herbert<tom=40herbertland.com@dmarc.ietf.org> |
Date | 5/30/2023 02:32 |
To | Andrew Campling<andrew.campling@419.consulting> |
Cc |
Tom Herbert<tom=40herbertland.com@dmarc.ietf.org>
, v6ops@ietf.org<v6ops@ietf.org> , ipv6@ietf.org<ipv6@ietf.org> , opsec@ietf.org<opsec@ietf.org> |
Subject | Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS) |
<andrew.campling@419.consulting> wrote:
On Sat, May 27, 2023 at 11:05 PM Tom Herbert <tom@herbertland.com> wrote:
Application developers and stack developers are also players in this
game. And while each network provider might have the luxury of only
focusing on their customer set, developers have to potentially
address the needs of all users across the Internet. This is why
network providers' attempts to protect the user are irrelevant to
application developers-- without consistency across the Internet
this level of security may as well not exist from their perspective.
Obviously this situation didn't materialize overnight and it shouldn't
be surprising that we've had to implement work-arounds to this
problem. For instance, encryption goes a long way in limiting the
network's visibility in the packet, but that does have its limits.
Tom
Let's not forget that some of those same developers are responsible for implementing surveillance capitalism, one of the most egregious invasions of user privacy and surely contrary to RFC 7258 - I know that people generally seem to focus on network-based monitoring, however application-based monitoring is potentially far more invasive. Some of the application-based "work-arounds" to network security measures you reference could be helpful in allowing those applications to exfiltrate user data; if applications behave increasingly like malware then it should not come as a surprise if they are treated as such by networks in an effort to protect users.
Andrew,
That's a very general statement. Can you give a specific example?
Maybe one possibility is STT (draft-davie-stt) which was designed to
repurpose TCP protocol number 6 as a tunneling protocol to circumvent
some networks that filter UDP. But that proposal was rejected by IETF
and never accepted into Linux.
But even if a network assumes responsibility to protect the user from
malware, its ability to offer any reasonable protection to users is
extremely limited and becoming more limited. Network devices don't
have the E2E visibility or context to properly filter application
malware-- this is both true architecturally and in practice given the
prevalence of TLS deployment.
As noted elsewhere, I believe that it would be beneficial to the IETF community if greater efforts were made to engage with enterprise and public network CISOs, as well as more network operators. This would help inject more understanding of current operational security practices and considerations into protocol development activity, which might help to avoid puzzlement when new developments are unleashed, only to find them blocked or only greeted with luke-warm enthusiasm by those that have operational responsibility for security, customer service etc.
"those that have operational responsibility for security, customer
service etc." is not limited to network operators, application
developers, server operators, and OS providers also assume that
operational responsibility-- so if there is a conversation it should
include all the players. Also, I'm not sure that "understanding of
current operational security practices" would be of use here. As far
as I can tell, there are no uniform security practices amongst network
providers on the Internet. For instance, with respect to extension
headers, some providers allow all of them, some allow none, and some
seem to allow a subset. Besides that there's already RFC9098 that
highlights some reasons why packets with extension headers might be
discarded, but doesn't quantify the practices (exactly who is dropping
packets and why).
Tom
Tom
Andrew
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
- [IPv6] Why folks are blocking IPv6 extension head… Fernando Gont
- Re: [IPv6] Why folks are blocking IPv6 extension … Tom Herbert
- Re: [IPv6] Why folks are blocking IPv6 extension … Ted Lemon
- Re: [IPv6] Why folks are blocking IPv6 extension … David Farmer
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… nalini.elkins@insidethestack.com
- Re: [IPv6] Why folks are blocking IPv6 extension … Jen Linkova
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Vasilenko Eduard
- Re: [IPv6] Why folks are blocking IPv6 extension … Fernando Gont
- Re: [IPv6] Why folks are blocking IPv6 extension … Fernando Gont
- Re: [IPv6] Why folks are blocking IPv6 extension … Tom Herbert
- Re: [IPv6] [OPSEC] Why folks are blocking IPv6 ex… Andrew Campling
- Re: [IPv6] [OPSEC] Why folks are blocking IPv6 ex… Andrew Campling
- Re: [IPv6] Why folks are blocking IPv6 extension … Tom Herbert
- Re: [IPv6] [OPSEC] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Nick Buraglio
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Dale W. Carder
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Nick Buraglio
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Nick Buraglio
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Xipengxiao
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Michael McBride
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Ole Troan
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Haisheng Yu
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Andrew Campling
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Bob Natale
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Tom Herbert
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Ole Troan
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [EXT] Re: [OPSEC] [v6ops] Why folks ar… Bob Natale
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… David Farmer
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Tom Herbert
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Ole Trøan
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… David Farmer
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Ole Troan
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Tom Herbert
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Tom Herbert
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Ole Troan
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Brian E Carpenter
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Brian E Carpenter
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… hsyu
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Fernando Gont
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Arnaud Taddei
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Vasilenko Eduard
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Arnaud Taddei
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Vasilenko Eduard
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Arnaud Taddei
- Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why fol… nalini.elkins@insidethestack.com
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why fol… nalini.elkins@insidethestack.com
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Brian E Carpenter
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Bob Natale
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Haisheng Yu
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Warren Kumari
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Ole Troan
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Warren Kumari
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Andrew Campling
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Fernando Gont
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Fernando Gont
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Fernando Gont
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why fol… Clark Gaylord
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Brian E Carpenter
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Brian E Carpenter
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Andrew Alston
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Andrew Campling
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Dirk Trossen
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Mike Simpson
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Haisheng Yu
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Nick Hilliard
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Fernando Gont
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Bob Natale