Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Thu, 25 May 2023 14:14 UTC

Date: Thu, 25 May 2023 14:04:23 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>, Arnaud Taddei <arnaud.taddei=40broadcom.com@dmarc.ietf.org>
Cc: Fernando Gont <fgont@si6networks.com>, "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Message-ID: <1782809155.2506667.1685023463014@mail.yahoo.com>
In-Reply-To: <402D5736-9E62-4166-8309-6051E9749EE3@broadcom.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/eXxLQHPJZysIzWC7g37nZnV4GR4>

Arnaud,
First, nice to hear from you.
Next, I think blocking EH without nuance or care is throwing out the baby with the bathwater.
IMHO, if we have problems with EH, it is because people have not carefully considered their use. I think if we do not make IPv6 an extensible and flexible protocol, we will be looking at creating a new version - IPv8? IPv10? - before we know it.
There are many problems with, for example, some TCP packets, and we do not say "just block TCP".
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360 

On Thursday, May 25, 2023 at 12:23:02 AM PDT, Arnaud Taddei <arnaud.taddei=40broadcom.com@dmarc.ietf.org> wrote:

Ok Eduard, I recognise a bit of the epidermic reaction (after all I am half Latin blood) and missed the telco context because I see the drama in the enterprise context every single day!
Now ironically the example I took below was a telco!
But I buy your point … all good

On 25 May 2023, at 07:58, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org> wrote:

Hi Arnaud,

It is a good point that Enterprises have much more serious attention to security. But Telco is not so much paranoid about security.
The last initiative in this WG is about “to push Telco to tolerate all EHs”. The context of this discussion is more about Telco.

> The additional cost you can find ways to write them off

In the majority of cases “No”. Because tests could not be free, support could not be free either. Performance penalty may be close to Zero (only a small loss of bandwidth) – depending on the EH type (maybe a 2x drop of performance because of recirculation).

> the ‘additional cost’ and the ’security risk’ are not symmetric at all.

Yes, it is an apple and orange comparison. But both exist, and both may be discussed.

Ed/

From: Arnaud Taddei [mailto:arnaud.taddei=40broadcom.com@dmarc.ietf.org]
Sent: Thursday, May 25, 2023 8:47 AM
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: Fernando Gont <fgont@si6networks.com>; Manfredi (US), Albert E <albert.e.manfredi@boeing.com>; IPv6 Operations <v6ops@ietf.org>; 6man <ipv6@ietf.org>; opsec@ietf.org
Subject: Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

+1 just that the ‘additional cost’ and the ’security risk’ are not symmetric at all.

The additional cost you can find ways to write them off.

The security risk is much more damaging because it is a compliance risk (think DORA for the FSI in the EU), a reputation risk that is now captured by credit rating agencies, a revenue risk, a stock rating agencies risk (your stock will drop), insurance ratings, etc. and 1) it is getting substantial and 2) it is even existential, with a few examples that some organizations literally lost, e.g. an MNO of €1.3B and 30 years of existence (only survived by 1 backup link), etc.

On 25 May 2023, at 07:21, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org> wrote:

IMHO: Fernando comes here with a good example (EH DoS). Security is a good reason to block EHs.
But for business, every feature should be tested, supported, and somebody should pay an additional performance penalty.
I am not sure which reason is bigger: additional cost or security risk. It depends on the organization type.
Ed/
-----Original Message-----
From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Arnaud Taddei
Sent: Thursday, May 25, 2023 8:12 AM
To: Fernando Gont <fgont@si6networks.com>
Cc: Manfredi (US), Albert E <albert.e.manfredi@boeing.com>; IPv6 Operations <v6ops@ietf.org>; 6man <ipv6@ietf.org>; opsec@ietf.org
Subject: Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Would like to support Fernando again, and not just because I have a Sony TV too.

Cybersecurity is in such a bad state that I can only plead for a sense of realism and pragmatism vs dogmatism, to get real solutions at hand to the defender practitioners.

If not, I will ask people here to consider spending a week in a Security Operation Center when there is a Ransomware breaking out.

Fernando’s paper’s intentions will be appreciated by the defenders.

On 25 May 2023, at 03:07, Fernando Gont <fgont@si6networks.com> wrote:

On 25/5/23 02:01, Manfredi (US), Albert E wrote:
> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Fernando Gont
>
>> Given the amount of things that get connected to the Net (smart bulbs, refrigerators, etc.) -- and that will super-likely never receive security updates, you may have to **rely on your own network**.
>>
>> For instance, I wouldn't have my smart TV "defend itself".
>
> Agreed, "on your own network." From the viewpoint of a household, whatever network defense has to be behind that household's router, for it to be credible, and preferably right in each host. Yeah, some IoT devices may not be updated regularly.

So, that's why people block them at the edge.

(just the messenger)

> The ISP has to worry about protecting that ISP's own network.

That's e.g. where RFC9098 comes in, with notes on why they are dropped in places other than the edge network.

> Households have to be responsible for protecting their household's network. (And connected TVs do get regular software updates, as a matter of fact.)

I guess it all depends on the TV? e.g., I for one am not planning to throw it out just because Sony decided to quit pushing updates (which were never automatic for my set).

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org


--
This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.
_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops