IETF Logo Mail Archive

Re: [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Thu, 18 May 2023 14:31 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 518F7C1519AD for <ipv6@ietfa.amsl.com>; Thu, 18 May 2023 07:31:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHKifEL0y_vS for <ipv6@ietfa.amsl.com>; Thu, 18 May 2023 07:31:48 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCC1AC169505 for <6man@ietf.org>; Thu, 18 May 2023 07:30:47 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id a640c23a62f3a-96b0235c10bso381154266b.3 for <6man@ietf.org>; Thu, 18 May 2023 07:30:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1684420246; x=1687012246; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=mAvgx3B67jOmfv1eyI9dTnMGzg9cJfdlGWMPe4hOHh8=; b=E46FKB2a0VCzH5bP1M67t1czNZK88j/Bv9wZQNU+F8w0WlJvM6eap3BYY/ZEhE0KhE 5v5Usm+hJq9GAyqhLv7z3hX1cqaAGVsDsX6bUkvSm9z6g51UGdi70WNt37eZQBWPw3Mr z9ajEEFTw7cgCjpZ7GZxXv0PgRZCaUBIufaAKaSrVZPbGTZPi8CUkwx+nDE4h8qupVKl Ye1h4Lzdfuf/DIqqOn/sqvDw4ahGsO84xBF0yuDPUJh7eErEUxKMVz5kOb9/K+s58Crv ltrJ4mFh8i1YzZuqjKDNunpgV0ScpqvzQ9im/dy29ycEB9XwGLpwOitFHmhmHp6ECAC/ fo0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684420246; x=1687012246; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mAvgx3B67jOmfv1eyI9dTnMGzg9cJfdlGWMPe4hOHh8=; b=NkJT5Fza29Zn3vRKTczD8X4ClkQ9BaDRVMDn2xUKfR+EjbiVJDsw/He9fEweL5Ch4f IaxQq6DxeLY0nH1py+Z5uxv/RiZ2Ntr01bYYiGo5PmooeyvDd+2N9qBbj8WJDbEq+hSw avO4CQvPD0yb5Vdgcb2Q3QtuclfQQtdIS1AvoQk3Idj4ob4PYI56H2vd7A6X3f9JRL4o zIWqCQvIurU2lm/2Tk6sj2PJgE1yfIqu6Sm0R+XYsD9rYqHCuhytVgCRug1q6KAuWOo+ qnLFPKFrHC4cnRAiMo8mf06zDcJnPvWetNrriO4EuxKq5vtR83b/IQ6gAtCBeWuM57S8 TJaA==
X-Gm-Message-State: AC+VfDyNCGLTc2SbesEIhimrBCtCJdEbBMrxr2wbs2msMLoT+3fQ4v+h 97Nxp48xyVQWcLubQw5o+fxOCWdyS0BPWgQV2RZKbA==
X-Google-Smtp-Source: ACHHUZ47usX/dFIOcpVfRH1Rv5tDi6IXrcjHBQzh5fYZpoJ2DxIsH59vnxknes+9M9SlOhNKCyvLcrGbgLgSSQwkcgw=
X-Received: by 2002:a17:907:a0e:b0:94e:e6b9:fef2 with SMTP id bb14-20020a1709070a0e00b0094ee6b9fef2mr39178367ejc.67.1684420245711; Thu, 18 May 2023 07:30:45 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CWXP265MB515321A0E0A91CD66260C26CC27F9@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM>
In-Reply-To: <CWXP265MB515321A0E0A91CD66260C26CC27F9@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 18 May 2023 07:30:33 -0700
Message-ID: <CALx6S35py1b6EyS3UeT8JvgwN-w8wBtprCn9OJSCS-nvfQ_L-A@mail.gmail.com>
To: Andrew Campling <andrew.campling@419.consulting>
Cc: Fernando Gont <fgont@si6networks.com>, David Farmer <farmer@umn.edu>, "6man@ietf.org" <6man@ietf.org>, V6 Ops List <v6ops@ietf.org>, opsec WG <opsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/V4se-hnNkU-W8oYhy3re97UmVZw>
Subject: Re: [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2023 14:31:52 -0000

On Thu, May 18, 2023 at 7:24 AM Andrew Campling
<andrew.campling@419.consulting> wrote:
>
> I wonder if part of the issue here is that insufficient attention is being given to operational security matters and too much weight is given to privacy in protocol development, irrespective of the security implications (which is of course ultimately detrimental to security anyway)?

Andrew,

There is work being done to address the protocol "bugs" of extension
headers. See 6man-hbh-processing and 6man-eh-limits for instance.

Tom

>
> Andrew
>
>
> From: OPSEC <opsec-bounces@ietf.org> on behalf of Fernando Gont <fgont@si6networks.com>
> Sent: Thursday, May 18, 2023 2:19 pm
> To: David Farmer <farmer@umn.edu>; Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
> Cc: 6man@ietf.org <6man@ietf.org>; V6 Ops List <v6ops@ietf.org>; opsec WG <opsec@ietf.org>
> Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
>
> Hi, David,
>
> On 18/5/23 02:14, David Farmer wrote:
> >
> >
> > On Wed, May 17, 2023 at 13:57 Tom Herbert
> > <tom=40herbertland.com@dmarc.ietf.org
> > <mailto:40herbertland.com@dmarc.ietf.org>> wrote:
> [...]
> >
> > Maximum security is rarely the objective, I by no means have maximum
> > security at my home. However, I don’t live in the country where some
> > people still don’t even lock there doors. I live in a a city, I have
> > decent deadbolt locks and I use them.
> >
> [....]
> >
> > So, I’m not really happy with the all or nothing approach the two of you
> > seem to be offering for IPv6 extension headers, is there something in
> > between? If not, then maybe that is what we need to be working towards.
>
> FWIW, I[m not arguing for a blank "block all", but rather "just allow
> the ones you really need" -- which is a no brainer. The list you need
> is, maybe Frag and, say, IPsec at the global level? (from the pov of
> most orgs).
>
> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec

v2.23.0 | Report a Bug | By Email