Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"Manfredi (US), Albert E" <albert.e.manfredi@boeing.com> Thu, 25 May 2023 20:34 UTC

From: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>
To: Tom Herbert <tom@herbertland.com>
CC: IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Thread-Index: AQHZjxS4rUKmcSGJ40CNRGJCvQwKLa9rbm8g
Date: Thu, 25 May 2023 20:33:55 +0000
Message-ID: <222731ea012b4b0ebd7a51f72b5bcd40@boeing.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com> <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com>
In-Reply-To: <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/MyJm74W8WGoe2KPbNk7PdcXBjk4>
Subject: Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

-----Original Message-----
From: Tom Herbert <tom@herbertland.com> 

> It's more than a preference to have host security; it is an absolute requirement that each host provides security for its applications and users. This requirement applies to SmartTVs, SmartPhones, home computers, and pretty much all the several billion end user devices connected to the Internet. No host device would ever assume that the network consistently provides any adequate level of security; for real security, we need to assume that the host is the first and last line of defense (i.e. the zero trust model).

I could not agree more, Tom. So, as Fernando and others have said, the impulse is to block everything coming in from the Internet that you figure you don't need **right now**. Such as weird complicated header extensions.

The ISP has its own concerns, to protect its network, but I, in my enterprise or household, have different concerns. I'm not going to trust the ISP's security mechanisms to provide my own security needs.

Honestly, I don't see how IPv6 is going to change that. Over time, perhaps, some specific extensions used out in the wild will be seen as crucially important to my enterprise or household, and maybe those will not be blocked. But "trust me, you must accept all these EHs"? More likely, those potential innovations will go unused and maybe will eventually be implemented in a different way.

Security evolved as it did, over IPv4, for a reason, methinks.

Bert