Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Mon, 22 May 2023 17:26 UTC

Date: Mon, 22 May 2023 17:16:08 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: Ole Troan <otroan@employees.org>
Cc: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Ole Troan <otroan=40employees.org@dmarc.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, IPv6 Operations <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Message-ID: <1426330979.960783.1684775768382@mail.yahoo.com>
In-Reply-To: <9078375A-F5F7-4D44-AAB8-03CED422B6F7@employees.org>
References: <338409937.875780.1684768913874@mail.yahoo.com> <C90EF571-2754-4C12-B7D6-FEDD1D17CA19@employees.org> <193402587.928006.1684773327427@mail.yahoo.com> <9078375A-F5F7-4D44-AAB8-03CED422B6F7@employees.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/HQlho2UDaSV6W3gkNo4S4jsRb1M>

Ole,
> What would you even do with EHs through a load balancer? 
I think a load balancer should pass EHs from the origin or destination through unchanged or undropped. I, being a developer myself, can think of some quite unfortunate actions which could occur if this is not done. It should not be the job of a load balancer to act as a firewall -- unless that is explicit. Load balancers should not be dropping packets which contain EH.
It is interesting though, some people appear to call a device a "load balancer" when it is really acting as a proxy.
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

On Monday, May 22, 2023 at 10:09:38 AM PDT, Ole Troan <otroan@employees.org> wrote:

Nalini,

> 
> Once bugs are fixed, then we need to consider carefully what BCP around EHs should be done, taking into account various common topologies as well as devices such as proxies and load balancers.  I mention those in particular as what we have found points to those devices in particular as posing problems rather than transit networks.  

I look at load balancers as an extension of the application (or network function).
Unless the application had a particular use for an extension header I would not implement it.
And that's with an implementor's hat on. Writing custom load-balancers for network services.
What would you even do with EHs through a load balancer? Provide ALGs for EHs containing addresses inside of them? It would have to be on a case by case basis.
> Of course, our testing to date is absolute lack of transmission rather than lack of transmission based on EH length or type.  We felt that was the logical first step.

O.