IETF Logo Mail Archive

Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Thu, 25 May 2023 14:25 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73D1EC13AE43 for <ipv6@ietfa.amsl.com>; Thu, 25 May 2023 07:25:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oEnDT2kq5kly for <ipv6@ietfa.amsl.com>; Thu, 25 May 2023 07:25:07 -0700 (PDT)
Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E51B5C13AE4C for <ipv6@ietf.org>; Thu, 25 May 2023 07:25:07 -0700 (PDT)
Received: by mail-pg1-x536.google.com with SMTP id 41be03b00d2f7-53469299319so1179857a12.3 for <ipv6@ietf.org>; Thu, 25 May 2023 07:25:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1685024707; x=1687616707; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=xrr6LU6iE4Wz/rJ7WqmBawSn5cYQQO0ovQG5iED7jqU=; b=Dhq6KX+hfRmCYxlJPGypEaeH70xPuSJ36fAbLQlXwpRyHpq2FjzLubIPwzLciS2PCZ RIJW93mOQfhW82G7anfvSiObNAzCUBVy/oAqFaqQR53FIeCqwbPxSDx9ZeA6nmmaKPjL KZj6TQ4Q7fkb/YZJko2RSOgHX/fZSgqJdtRXEHY2/1r4j3IqfN9YFHs+y7L+HoY/DBzO iUHhvTJENf1f/EWWHuiP6H+CuuYlZJwGJYPBuHpJqZB9ciF8DAIrzRVJtHAZVOAk2H/H GCnBXmkMmglDFymFwxJ0F1vqV219ippZOu/oW9Ww87SLSLoGxQAWRDPn28A2wI5ItzlX OnBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685024707; x=1687616707; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xrr6LU6iE4Wz/rJ7WqmBawSn5cYQQO0ovQG5iED7jqU=; b=hVFXFKpqS+031oKSxLUo82A5HmYMzRwAh39Ei6GpxPcggx2yic8xSJTU2kTeDEvnIE wxBjuqU0uM1Ix7AgU9YGyZ1lfKNCNlNGqWecLYPAtvFVgDL9oyefmSDBFedUJI7f4wTT 8TN9hvijJTLcbwJq0n6+IQdMPUQNSIO1GKAbGpUPKq0Hus67m+70sYUJSksTNsFMdnFA Ax6F++B+g9PWAh0ByN2+Bg0GiZCvP19OCXle5kx2BxhCTP4cIVwGTcBTDcOIi6eMA6cU bOJL3V7GwB++NYCzuByst+aOM8Ow1g3S274dYu4xOjBh6mEArN44dQ+gExace9k12Tyx gLSQ==
X-Gm-Message-State: AC+VfDyVmQo+WfkBRbMK1MO1zKNDa0LgvSJRIfFhDwW3jbIyvw3H6h8K OYMNJc2YlzaeReHjFrdV7ylSerG4HPA5H8orN/kxL4jb1kxxl3Gc
X-Google-Smtp-Source: ACHHUZ6O7xHUmKpdI/GU8kX6rmtwEv7hONduDeAauhyFPOeauYZ20rUHJo44sCFK+vUUbFfwbdjGJY7lAYtOWEd46Z4=
X-Received: by 2002:a17:903:10c:b0:1a9:40d5:b0ae with SMTP id y12-20020a170903010c00b001a940d5b0aemr1650648plc.12.1685024706707; Thu, 25 May 2023 07:25:06 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com>
In-Reply-To: <72784f8e65f34bcc9f5652c0a553c70c@boeing.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 25 May 2023 07:24:53 -0700
Message-ID: <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com>
To: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Ygqdj8Y_yYma-qSpYh-rgt9p3xc>
Subject: Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2023 14:25:11 -0000

On Wed, May 24, 2023 at 6:02 PM Manfredi (US), Albert E
<albert.e.manfredi@boeing.com> wrote:
>
> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Fernando Gont
>
> > Given the amount of things that get connected to the Net (smart bulbs, refrigerators, etc.) -- and that will super-likely never receive security updates, you may have to **rely on your own network**.
> >
> > For instance, I wouldn't have my smart TV "defend itself".
>
> Agreed, "on your own network." From the viewpoint of a household, whatever network defense has to be behind that household's router, for it to be credible, and preferably right in each host. Yeah, some IoT devices may not be updated regularly.

Bert,

It's more than a preference to have host security, it is an absolute
requirement that each host provides security for its applications and
users. This requirement applies to SmartTVs, SmartPhones, home
computers, and pretty much all the several billion end user devices
connected to the Internet. No host device would ever assume that the
network consistently provides any adequate level of security, for real
security we need to assume that the host is the first and last line of
defense (i.e. zero trust model).

Tom


>
> The ISP has to worry about protecting that ISP's own network. Households have to be responsible for protecting their household's network. (And connected TVs do get regular software updates, as a matter of fact.)
>
> No one would trust their online banking transactions on an ISP's network protections, for example.
>
> Bert
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email