Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

David Farmer <farmer@umn.edu> Thu, 18 May 2023 01:14 UTC

References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com>
In-Reply-To: <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Wed, 17 May 2023 20:14:40 -0500
Message-ID: <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
Cc: 6man@ietf.org, Fernando Gont <fgont@si6networks.com>, V6 Ops List <v6ops@ietf.org>, opsec WG <opsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/BP4eBix2Sl77R7OzTfQWR-rM6AM>

On Wed, May 17, 2023 at 13:57 Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:

> On Wed, May 17, 2023 at 6:00 AM Fernando Gont <fgont@si6networks.com>
> wrote:
> >
> > Hi,
> >
> > I believe we've already covered the topic quite thoroughly in RFC 9098.
> >
> > But if you want yet another data point, FYI this is instance N++ of a
> > DoS based on IPv6 EHs implementation flaws:
> > https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death
> >
> > It should be no surprise what security-minded folks tend to do with IPv6
> > EHs, particularly when there's currently not much reliance on them these
> > days.
>
> Fernando,
>
> There's an old saying phrased in the form of a question: "What is the
> most secure network in the world?". The answer is "One that's turned
> off". …
>
> So, if you want to build a network with maximum security then by all
> means drop packets with extension headers; …


Maximum security is rarely the objective; I by no means have maximum
security at my home. However, I don’t live in the country where some people
still don’t even lock their doors. I live in a city, I have decent
deadbolt locks and I use them.

Most people want some level of reasonable security for both their home and
for their Internet connection as well. The question is: is blocking or
allowing IPv6 extension headers reasonable security? That’s not an easy
question to answer.

In my opinion, allowing all possible extension headers is more akin to
living in the country with your doors unlocked. On the other hand,
blocking all possible extension headers seems like more than the deadbolt
lock level of security I have for my home.

So, I’m not really happy with the all-or-nothing approach the two of you
seem to be offering for IPv6 extension headers. Is there something in
between? If not, then maybe that is what we need to be working towards.

Thanks


-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
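As an added illustration of what "something in between" could look like at the packet-inspection level (example code written for this archive page, not from any participant in the thread): a Python walker over the IPv6 extension-header chain that accepts a bounded, well-formed chain and drops routing headers, over-long chains, and headers whose declared length runs past the packet. The policy limits (MAX_EH_COUNT, MAX_EH_BYTES, the BLOCKED set) and the `build()` test packets are constructed assumptions, not values from RFC 9098 or the list discussion.

```python
import struct

# IPv6 extension-header Next Header values (RFC 8200 / IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EH_TYPES = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

# Assumed middle-ground policy: bounded, well-formed chains pass; routing
# headers, oversized chains and truncated headers are dropped.
MAX_EH_COUNT = 3      # assumption, not a value from the thread
MAX_EH_BYTES = 128    # assumption
BLOCKED = {ROUTING}   # assumption

def classify(pkt: bytes) -> str:
    """Walk the EH chain of a raw IPv6 packet; return 'accept' or 'drop:<reason>'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop:not-ipv6"
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if 40 + payload_len != len(pkt):
        return "drop:bad-payload-length"
    nh, off, count, eh_bytes = pkt[6], 40, 0, 0
    while nh in EH_TYPES:
        if nh in BLOCKED:
            return f"drop:blocked-eh-{nh}"
        count += 1
        if count > MAX_EH_COUNT:
            return "drop:too-many-eh"
        if off + 2 > len(pkt):          # need at least Next Header + Hdr Ext Len
            return "drop:truncated-eh"
        # Fragment header is a fixed 8 bytes (its length byte is reserved);
        # the others carry (Hdr Ext Len + 1) * 8 bytes.
        hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):       # header claims more bytes than exist
            return "drop:truncated-eh"
        eh_bytes += hlen
        if eh_bytes > MAX_EH_BYTES:
            return "drop:eh-chain-too-long"
        nh, off = pkt[off], off + hlen  # advance to the next header
    return "accept"

def build(chain, upper=58):
    """Constructed test helper: zeroed IPv6 header + EH chain ending in `upper` (58 = ICMPv6)."""
    body, nxt = b"", upper
    for typ, ext_len in reversed(chain):  # assemble back to front so Next Header links up
        body = bytes([nxt, ext_len]) + b"\0" * (6 + 8 * ext_len) + body
        nxt = typ
    return struct.pack("!IHBB", 0x60000000, len(body), nxt, 64) + b"\0" * 32 + body

if __name__ == "__main__":
    print(classify(build([(DEST_OPTS, 0)])))   # accept
    print(classify(build([(ROUTING, 0)])))     # drop:blocked-eh-43
```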