IETF Logo Mail Archive

Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Mon, 29 May 2023 18:32 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE188C14CE4F for <ipv6@ietfa.amsl.com>; Mon, 29 May 2023 11:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e-ZFIYDAKmj2 for <ipv6@ietfa.amsl.com>; Mon, 29 May 2023 11:31:57 -0700 (PDT)
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC362C151981 for <ipv6@ietf.org>; Mon, 29 May 2023 11:31:57 -0700 (PDT)
Received: by mail-pl1-x635.google.com with SMTP id d9443c01a7336-1b01d912a76so20247405ad.2 for <ipv6@ietf.org>; Mon, 29 May 2023 11:31:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1685385117; x=1687977117; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Y6KmQQqa5WfwpgieDeOIZbt33p0Jikwwa9/hIhXU/qI=; b=IkPl5I26mO6vi8KiUqj2X3KC2iHsqV/fzCyiB+TxBfubK+qXXWYUgT09IhwuJSCTgJ +7IrlXp8w2TCtIQAeDvzxin7tr4JIyzsfBrj6NNNWtVIkG4i3iKLE1j4Byg2yGJx9Q4e JBdSqWfcohhzSOEo81J+EI5mHVP/5onjxcv5sIMxpOJttEicTh/TRvRZosfJFqKYZF3e DIu4RRogivpOGkcl0aArk+drvFtXGuIpti8HhPHF683Aox9ifXfZOmePw0KQlbGz4CVR Ku7pOmNumyznV22c3NJu6yiNb3RtG8PfYAR5+0D4o08ncSHu7PLAAimuhDcjOtLdlK8N Rgag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685385117; x=1687977117; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Y6KmQQqa5WfwpgieDeOIZbt33p0Jikwwa9/hIhXU/qI=; b=SPmbS985e9GGR2RZNy/H1y/GD0u2iqNYcNcR5RI/tSKO+TlOoTg4maE+iuH7QQjiTd LabbqvlZzQy5zmaEp9vrt5aacxBB5I5CtwgyOuNLOTZCmeBuvkxs3WqjNrU+HCNeTIFP znMJ8FwSdVVv5ASZx0En4IK7yHnUN4ABzEKmmb57jQ5afQU1vZvUFBnlIRJwpRcYcAqK SgetKIaRoKPAsgXidqEydLj0YQpK03JhYeSke1l+6pRcvYPdXJg1PPWXOBsde8WMeYMi fm2tjoQZDnBQYgmESk6JlUCEVbJ/HSN8GQNvHx2isVPcIJ4R7BUtXx0H7pD5EAnc4OyT z+sw==
X-Gm-Message-State: AC+VfDz1vXlZw0EbwF6H9efpbNXHBpdBo/pZkzw8Cs93D+PNuNUu1vbh so01qZ5g0iXPtdJDYQ/jnBvtzZ3Zg2ZPY6/6GmFMHA==
X-Google-Smtp-Source: ACHHUZ46SMz7Fhhe3YsZsa8X8eZCxcHcBKAT2Bj4uxOZIaRC8AUAMPRUjSmQvEmhBws0HprnKyJVt45HNd6UYkN3EqY=
X-Received: by 2002:a17:902:f7d6:b0:1b0:26f0:4c8e with SMTP id h22-20020a170902f7d600b001b026f04c8emr6196578plw.69.1685385116842; Mon, 29 May 2023 11:31:56 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <4FCF75B585A1D068+7D9B99BB-B24B-4FE8-A3FD-54877C7C1131@cfiec.net> <375ea678-b05f-7bb6-5ae2-43c54cd271f4@si6networks.com> <CALx6S34u5=2UxEz3zeApv+_-W=PTj0PzMRHS1UC=zRchqVCDyQ@mail.gmail.com> <882610dc-cf8f-e08d-8d9e-0e786097f520@si6networks.com> <CALx6S34AnMaVyEVQxaO0b1JGbQetQvDC+xDHk6aH5vbXM-KT7A@mail.gmail.com> <2a02905427604fa6a4c95e2eaa1dd165@boeing.com> <CALx6S36pmsZighJVBLEZWvYqTh1tJtU4SH2Ym0V7oS87dPWAHQ@mail.gmail.com> <6b3a40ef922c47a483860468aac73502@boeing.com> <CALx6S36Vv57AZFr=2adfEMYnVSOECsowXw1c7pTo_E-FWokB6Q@mail.gmail.com> <CWXP265MB51535486342FD27A30CFEE6EC2459@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM>
In-Reply-To: <CWXP265MB51535486342FD27A30CFEE6EC2459@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 29 May 2023 11:31:44 -0700
Message-ID: <CALx6S35VA7g95HA-HK1kAr4rehX6hmrzybGS-Hx8j6Mit5FBMg@mail.gmail.com>
To: Andrew Campling <andrew.campling@419.consulting>
Cc: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>, "v6ops@ietf.org" <v6ops@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ETzGVFNuUhSAfqlEmJTjMT9fwDk>
Subject: Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 May 2023 18:32:01 -0000

On Sun, May 28, 2023 at 10:13 AM Andrew Campling
<andrew.campling@419.consulting> wrote:
>
> On Sat, May 27, 2023 at 11:05 PM Tom Herbert <tom@herbertland.com> wrote:
>
> > Application developers and stack developers are also players in this
> > game. And while each network provider might have the luxury of only
> > focusing on their customer set, developers have to potentially
> > address the needs of all users across the Internet.  This is why
> > network providers' attempts to protect the user are irrelevant to
> > application developers-- without consistency across the Internet
> > this level of security may as well not exist from their perspective.
> > Obviously this situation didn't materialize overnight and it shouldn't
> > be surprising that we've had to implement work-arounds to this
> > problem. For instance, encryption goes a long way in limiting the
> > network's visibility in the packet, but that does have its limits.
>
> Tom
>
> Let's not forget that some of those same developers are responsible for implementing surveillance capitalism, one of the most egregious invasions of user privacy and surely contrary to RFC 7258 - I know that people generally seem to focus on network-based monitoring, however application-based monitoring is potentially far more invasive.  Some of the application-based "work-arounds" to network security measures you reference could be helpful in allowing those applications to exfiltrate user data; if applications behave increasingly like malware then it should not come as a surprise if they are treated as such by networks in an effort to protect users.

Andrew,

That's a very general statement. Can you give a specific example?
Maybe one possibility is STT (draft-davie-stt) which was designed to
repurpose TCP protocol number 6 as a tunneling protocol to circumvent
some networks that filter UDP. But that proposal was rejected by IETF
and never accepted into Linux.

But even if a network assumes responsibility to protect the user from
malware, its ability to offer any reasonable protection to users is
extremely limited and becoming more limited. Network devices don't
have the E2E visibility or context to properly filter application
malware-- this is both true architecturally and in practice given the
prevalence of TLS deployment.

>
> As noted elsewhere, I believe that it would be beneficial to the IETF community if greater efforts were made to engage with enterprise and public network CISOs, as well as more network operators.  This would help inject more understanding of current operational security practices and considerations into protocol development activity, which might help to avoid puzzlement when new developments are unleashed, only to find them blocked or only greeted with luke-warm enthusiasm by those that have operational responsibility for security, customer service etc.

"those that have operational responsibility for security, customer
service etc." is not limited to network operators, application
developers, server operators, and OS providers also assume that
operational responsibility-- so if there is a conversation it should
include all the players. Also, I'm not sure that "understanding of
current operational security practices" would be of use here. As far
as I can tell, there are no uniform security practices amongst network
providers on the Internet. For instance, with respect to extension
headers, some providers allow all of them, some allow none, and some
seem to allow a subset. Besides that there's already RFC9098 that
highlights some reasons why packets with extension headers might be
discarded, but doesn't quantify the practices (exactly who is dropping
packets and why).

Tom


Tom

>
> Andrew
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email