IETF Logo Mail Archive

Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Warren Kumari <warren@kumari.net> Fri, 26 May 2023 09:04 UTC

Return-Path: <warren@kumari.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38CBAC15256E for <ipv6@ietfa.amsl.com>; Fri, 26 May 2023 02:04:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vUpGTeOudWlE for <ipv6@ietfa.amsl.com>; Fri, 26 May 2023 02:03:58 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9B27C151082 for <ipv6@ietf.org>; Fri, 26 May 2023 02:03:58 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id d75a77b69052e-3f767eec104so3698721cf.1 for <ipv6@ietf.org>; Fri, 26 May 2023 02:03:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; t=1685091838; x=1687683838; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=U2HPZi2xG8skGb82f1kx4WsAf79ZfJHNN0hbYbUQVos=; b=LgcQlcvLOJqNBatEX6CD5KcPnByzBNZKJmUh3DJImxtRR48AAFf940GivCXNRCtpe4 WXaZ2CMh5oWHcAUtfQA2caoj/3Oc9KPKoFQFKN7kkYOVW9gF5I4AH2sd1SLMgk2DQWu5 GNXbX76MDceDGXW7ahTbSkBhWeJQoUCkTpTPw97CGkjKDr/a4DctDccrJwwaZVk5Cl4U /CE7crrVAnIcTcbbcZMuYiNuKWx9CSO0tcEsaq3AVzjy6VVD2C38LVbb4nLQVTzfZfEE wWm5b/NfpLqKQcCzX7GI5zr0DEpxtxd5Szi5mH784Iut7wONObeL4hLaYl1ZKukLhb2m B8LQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685091838; x=1687683838; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=U2HPZi2xG8skGb82f1kx4WsAf79ZfJHNN0hbYbUQVos=; b=RBzS988d/y08mckiD2TpK51FqhxLwGgQDErvYNyeg4UhYBhgcq8gr8dBwE+v4Cem9N TQ1uyOCNncE6+fA6nlYuOTSYsoIzGe50bm3EyCe7ZH1zqhzcY1ThnhiLLIO8rwJoQGpx 9zUZzWbP641k7Gb6tjnQmDtnSMdZjCPcbrP+8B7Mfu8He9D/e8kMDW8lGSB1/lHf38gA cIXnRfa7Ugac5I22ENcpgNE5Uqs6Ms0+YJmKnEwCvHk325j8UOW9FXjDEU8Sk20UPsMS kaQnG505k5gcqfQ9dcFZTyJoq1lQlkthrkz/WlT4gsAlFCpp21yfEqSk0ioDJHeg7gp9 1lVg==
X-Gm-Message-State: AC+VfDzgNGQ4YUMTLjb8zxd68zfT7HT61s9RZ/6J6zZA2iMJHxeTEJRb 7e5SSoyPZLVGyiy40Iwpk99KT7aHvqq5s47bdKjl+A==
X-Google-Smtp-Source: ACHHUZ4agV+ApZpedDaytqNx9Syb/ObWkqRyYKgRpinhQ+y5gQFwys++qdKF9qK3Xmzko/NHSDgcxFkvGtElJZBeDT4=
X-Received: by 2002:a05:622a:1910:b0:3f6:c465:9582 with SMTP id w16-20020a05622a191000b003f6c4659582mr941610qtc.0.1685091837508; Fri, 26 May 2023 02:03:57 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Fri, 26 May 2023 02:03:56 -0700
Mime-Version: 1.0
X-Superhuman-ID: li4c5qoh.8f2d9947-07b6-48bd-8a0d-87d5c81358dd
X-Superhuman-Draft-ID: draft00af39186bd9e25a
In-Reply-To: <dd61024e-1bd8-ff3d-216f-22cc7600ad10@gmail.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com> <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com> <222731ea012b4b0ebd7a51f72b5bcd40@boeing.com> <dd61024e-1bd8-ff3d-216f-22cc7600ad10@gmail.com>
From: Warren Kumari <warren@kumari.net>
X-Mailer: Superhuman Desktop (2023-05-24T19:40:18Z)
Date: Fri, 26 May 2023 02:03:56 -0700
Message-ID: <CAHw9_iJyXiT=O5cMyy08bVq+U7VTtKTkR_60OfvrcCng8Joe5w@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Albert E Manfredi <albert.e.manfredi@boeing.com>, Tom Herbert <tom@herbertland.com>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006395cc05fc950494"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/EPu86GEzQYSott4TV3MpVF830UY>
Subject: Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 May 2023 09:04:03 -0000

On Thu, May 25, 2023 at 11:13 PM, Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> On 26-May-23 08:33, Manfredi (US), Albert E wrote:
>
> -----Original Message-----
> From: Tom Herbert <tom@herbertland.com>
>
> It's more than a preference to have host security, it is an absolute
> requirement that each host provides security for its applications and
> users. This requirement applies to SmartTVs, SmartPhones, home computers,
> and pretty much all the several billion end user devices connected to the
> Internet. No host device would ever assume that the network consistently
> provides any adequate level of security, for real security we need to
> assume that the host is the first and last line of defense (i.e. zero trust
> model).
>
> I could not agree more, Tom. So, as Fernando and others have said, the
> impulse is to block everything coming in from the Internet that you figure
> you don't need **right now**. Such as weird complicated header extensions.
>
> It's perfectly fine if a host chooses to block incoming packets for any
> reason whatever, including unknown extension headers. That's quite
> consistent with the *network* allowing permissionless innovation.
>
> The problem arises when any upstream intermediate node drops a packet
> because it doesn't like it for some reason. There, you immediately create
> the tussle between transparency and security, and I strongly suspect that
> there is no universal way of avoiding that tussle. Not every new feature
> has backing from Google.
>
> The ISP has its own concerns, to protect its network, but I, in my
> enterprise or household, have different concerns. I'm not going to trust
> the ISP's security mechanisms to provide my own security needs.
>
> Honestly don’t see how IPv6 is going to change that. Over time, perhaps,
> some specific extensions used out in the wild will be seen as crucially
> important to my enterprise or household, and maybe those will not be
> blocked. But "trust me, you must accept all these EHs"? More likely, those
> potential innovations will go unused and maybe will eventually be
> implemented in a different way.
>
> A well-implemented host will not be troubled by unkown extension headers
> or options.
>

Indeed. However, not all hosts are well-implemented.

If my "smart" TV isn't capable of ignoring unkown extension headers, its
> vendor will have to give me my money back.
>

Erm, have you ever tried this? I certainly haven't, but I'd assume that
trying to contact [Vizio|Sony|LG|Sharp|Kenmore] and explain that e.g a
packet with the "IOAM Destination Option and IOAM Hop-by-Hop Option" makes
the TV turn off will not be particularly fruitful (or fun).


I don't want my ISP or my CE router to block any extension headers.
>


Your ISP and CPE vendor are incentivized to reduce costs (people calling
customer service to complain that their FoozleWhatzit TV keeps rebooting)
and drama (press articles that bad people are turning on  cameras on
BarzleWerg baby monitors and posting "interesting" videos online).

It's hard to write a breathless press article that Comcast doesn't allow
Shim6 EH, and the number of people calling to complain that HIP EH doesn't
pass through their CPE is likely to be very small.

Until this changes, ISPs and CPEs are likely to continue blocking. Yup,
from an architectural and purity standpoint this is not a good thing - but,
sadly,  principles don't pay the bills.

Explaining to your enterprise security admin that allowing the mobility
header it is the right thing do is hard, especially when she's pointing at
the badge reader that keeps rebooting because it's IPv6 stack is awful. She
has a clear and tangible story - random packets make this thingie reboot,
why would you trust it to handle some potential new EH in a secure manner?!
Your story is much harder and hand-wavy — some new EH might possibly be
defined at some point in the future that might possibly allow some future
feature that somehow improves things...


Security evolved as it did, over IPv4, for a reason, methinks.
>
> There is really no difference between the story of IPv4 options and IPv6
> extension headers, except that extensibility was a sales argument for IPv6,
> so naturally people have tried to use them. And it would be exactly the
> same for IPvN where N>6.
>


Yup - just like with e.g IPv4 source route options, the incentives need to
be correct — the risk of allowing IPv4 source routed packets into the
network exceeded to benefit to the network, and so they got blocked.

This is why we cannot have nice things - the incentive model prefers
security, stability and cost over future extensibility and principles.

W


> Brian
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email