IETF Logo Mail Archive

Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 27 May 2023 04:43 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4562AC151541; Fri, 26 May 2023 21:43:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7qSGWakKXSl; Fri, 26 May 2023 21:43:13 -0700 (PDT)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7263CC151522; Fri, 26 May 2023 21:43:13 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id d9443c01a7336-1ae875bf125so9505475ad.1; Fri, 26 May 2023 21:43:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1685162592; x=1687754592; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=rHAPxcWcPXEa0tOo5FrexXWYn6XQ10ShAkU0NMGWqC0=; b=TErUU2OLtMBRKYymKeotGxsRdq7bOw4LNI5ljmMhTuYcLbb1/W9c/V1p02J5erWO2m 2JjA3n1gM+Gakc2LVabPCBysTD1aKZxoSgLeb4XZv2tow/EH2o1DK/6b2ZwcVWs1X/MO GCRETMFJLTnR+6FLpd9hPoncEUmJwlIEWXDTRona5fHcEcuTqvY61C5548qDQUbAjhhz ygqZ7wQDgPo67z7JsVDo+VbFiG6oJfUssqIyHiJMv39i/lWyjZcn7aemTO0NmTGpZrVc /eg8Wz+sVtBI93RvBw3fZHCF2BCGguicbUuo7FIbElPaaz8msrvDRxTaeXQPYmjmKrcI +NQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685162592; x=1687754592; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rHAPxcWcPXEa0tOo5FrexXWYn6XQ10ShAkU0NMGWqC0=; b=YYWV5fmu9cLuYIevRM2MYO66C/TQSOLaURPKAEKw7Hsib5Py3MXcSsLZqpk0qdnTcJ dDxcXLm86PLqlcwjWkfchP+Ok/g7bbtXNjaFlPLXPl4P4LPzhIOQoR2v6JhnfTovxPh1 OY2nJeJBBN0FczeeqU4dmDP1FhIQPzX+Kvw3lb3s3EB17Ug62FcfXkUSLKADlVHLZP4P yDAj4fptfuhDRToxXv1yZyJAK5WkwVkgmZ4A3F7WXXTpm78bNicyUFG2vJX9kclKwq0X XkLwhicqwJkgHOcyOGF8VjnrC0UXj6y2nbXB030+tywoTLfVH7XlmqrRd3mH21D1aPJT pNTg==
X-Gm-Message-State: AC+VfDyKNgPeFx20KMaWq02WDMg7LX9g0TqN1x6oF1RKHjAhQLfMqyJP bGtwGrNdJGAPaiX+dLXmpACNlQ40+pj/5Q==
X-Google-Smtp-Source: ACHHUZ4tO7VdN1b/UyjC5dPNbVmlH+eJZgw0dDxcqxFrthFzwM3Pw2hQxZmTEUpj9bs4PlEDuGlf2A==
X-Received: by 2002:a17:903:41c5:b0:1ad:edbd:8547 with SMTP id u5-20020a17090341c500b001adedbd8547mr5442461ple.15.1685162592595; Fri, 26 May 2023 21:43:12 -0700 (PDT)
Received: from ?IPV6:2406:e003:1184:f001:9991:d1ad:8c20:42bd? ([2406:e003:1184:f001:9991:d1ad:8c20:42bd]) by smtp.gmail.com with ESMTPSA id t9-20020a1709028c8900b001a980a23802sm3985905plo.111.2023.05.26.21.43.09 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 26 May 2023 21:43:12 -0700 (PDT)
Message-ID: <872fcf48-c408-ecf1-bdab-46b0de37392b@gmail.com>
Date: Sat, 27 May 2023 16:43:06 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Warren Kumari <warren@kumari.net>
Cc: Albert E Manfredi <albert.e.manfredi@boeing.com>, Tom Herbert <tom@herbertland.com>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com> <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com> <222731ea012b4b0ebd7a51f72b5bcd40@boeing.com> <dd61024e-1bd8-ff3d-216f-22cc7600ad10@gmail.com> <CAHw9_iJyXiT=O5cMyy08bVq+U7VTtKTkR_60OfvrcCng8Joe5w@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CAHw9_iJyXiT=O5cMyy08bVq+U7VTtKTkR_60OfvrcCng8Joe5w@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/bbOVL2Vj9g-U3FKzyF4yw8-sA_k>
Subject: Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 May 2023 04:43:14 -0000

Warren,
On 26-May-23 21:03, Warren Kumari wrote:
> 
> 
> 
> 
> On Thu, May 25, 2023 at 11:13 PM, Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
> 
>     On 26-May-23 08:33, Manfredi (US), Albert E wrote:
> 
>         -----Original Message-----
>         From: Tom Herbert <tom@herbertland.com <mailto:tom@herbertland.com>>
> 
>             It's more than a preference to have host security, it is an absolute requirement that each host provides security for its applications and users. This requirement applies to SmartTVs, SmartPhones, home computers, and pretty much all the several billion end user devices connected to the Internet. No host device would ever assume that the network consistently provides any adequate level of security, for real security we need to assume that the host is the first and last line of defense (i.e. zero trust model).
> 
>         I could not agree more, Tom. So, as Fernando and others have said, the impulse is to block everything coming in from the Internet that you figure you don't need **right now**. Such as weird complicated header extensions.
> 
>     It's perfectly fine if a host chooses to block incoming packets for any reason whatever, including unknown extension headers. That's quite consistent with the *network* allowing permissionless innovation.
> 
>     The problem arises when any upstream intermediate node drops a packet because it doesn't like it for some reason. There, you immediately create the tussle between transparency and security, and I strongly suspect that there is no universal way of avoiding that tussle. Not every new feature has backing from Google.
> 
>         The ISP has its own concerns, to protect its network, but I, in my enterprise or household, have different concerns. I'm not going to trust the ISP's security mechanisms to provide my own security needs.
> 
>         Honestly don’t see how IPv6 is going to change that. Over time, perhaps, some specific extensions used out in the wild will be seen as crucially important to my enterprise or household, and maybe those will not be blocked. But "trust me, you must accept all these EHs"? More likely, those potential innovations will go unused and maybe will eventually be implemented in a different way.
> 
>     A well-implemented host will not be troubled by unkown extension headers or options.
> 
> 
> Indeed. However, not all hosts are well-implemented.
> 
>     If my "smart" TV isn't capable of ignoring unkown extension headers, its vendor will have to give me my money back.
> 
> 
> Erm, have you ever tried this? I certainly haven't, but I'd assume that trying to contact [Vizio|Sony|LG|Sharp|Kenmore] and explain that e.g a packet with the "IOAM Destination Option and IOAM Hop-by-Hop Option" makes the TV turn off will not be particularly fruitful (or fun).

No. I'd go to the retail outlet and say "That TV you sold me keeps crashing." And then I'd invoke a wonderful law we have here called "The Consumer Guarantees Act." I'd have a reasonable chance.

But more seriously, our job here is surely to specify host behaviour correctly. There's not a lot more we can do to improve the situation.

As I've said already, there's a tussle here that we (the IETF) probably can't abolish.

    Brian

> 
> 
>     I don't want my ISP or my CE router to block any extension headers.
> 
> 
> 
> Your ISP and CPE vendor are incentivized to reduce costs (people calling customer service to complain that their FoozleWhatzit TV keeps rebooting) and drama (press articles that bad people are turning on  cameras on BarzleWerg baby monitors and posting "interesting" videos online).
> 
> It's hard to write a breathless press article that Comcast doesn't allow Shim6 EH, and the number of people calling to complain that HIP EH doesn't pass through their CPE is likely to be very small.
> 
> Until this changes, ISPs and CPEs are likely to continue blocking. Yup, from an architectural and purity standpoint this is not a good thing - but, sadly,  principles don't pay the bills.
> 
> Explaining to your enterprise security admin that allowing the mobility header it is the right thing do is hard, especially when she's pointing at the badge reader that keeps rebooting because it's IPv6 stack is awful. She has a clear and tangible story - random packets make this thingie reboot, why would you trust it to handle some potential new EH in a secure manner?! Your story is much harder and hand-wavy — some new EH might possibly be defined at some point in the future that might possibly allow some future feature that somehow improves things...
> 
> 
>         Security evolved as it did, over IPv4, for a reason, methinks.
> 
>     There is really no difference between the story of IPv4 options and IPv6 extension headers, except that extensibility was a sales argument for IPv6, so naturally people have tried to use them. And it would be exactly the same for IPvN where N>6.
> 
> 
> 
> Yup - just like with e.g IPv4 source route options, the incentives need to be correct — the risk of allowing IPv4 source routed packets into the network exceeded to benefit to the network, and so they got blocked.
> 
> This is why we cannot have nice things - the incentive model prefers security, stability and cost over future extensibility and principles.
> 
> W
> 
> 
>     Brian
>     _______________________________________________
>     v6ops mailing list
>     v6ops@ietf.org <mailto:v6ops@ietf.org>
>     https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
> 
>

v2.23.0 | Report a Bug | By Email