Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Thu, 25 May 2023 21:06 UTC

From: Tom Herbert <tom@herbertland.com>
Date: Thu, 25 May 2023 14:05:43 -0700
Message-ID: <CALx6S37H0f2WF+=PmyuxG+v2OVdqPpwgdJxYPVrHY_8XntucRA@mail.gmail.com>
To: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>
Cc: IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/h8lPut9yT6TY9h2t1CSreUlJqE8>

On Thu, May 25, 2023 at 1:34 PM Manfredi (US), Albert E
<albert.e.manfredi@boeing.com> wrote:
>
> -----Original Message-----
> From: Tom Herbert <tom@herbertland.com>
>
> > It's more than a preference to have host security, it is an absolute requirement that each host provides security for its applications and users. This requirement applies to SmartTVs, SmartPhones, home computers, and pretty much all the several billion end user devices connected to the Internet. No host device would ever assume that the network consistently provides any adequate level of security, for real security we need to assume that the host is the first and last line of defense (i.e. zero trust model).
>
> I could not agree more, Tom. So, as Fernando and others have said, the impulse is to block everything coming in from the Internet that you figure you don't need **right now**. Such as weird complicated header extensions.
>
> The ISP has its own concerns, to protect its network, but I, in my enterprise or household, have different concerns. I'm not going to trust the ISP's security mechanisms to provide my own security needs.
>
> Honestly don’t see how IPv6 is going to change that. Over time, perhaps, some specific extensions used out in the wild will be seen as crucially important to my enterprise or household, and maybe those will not be blocked. But "trust me, you must accept all these EHs"? More likely, those potential innovations will go unused and maybe will eventually be implemented in a different way.

Bert,

It's your prerogative to block all EH on your home router. But not
everyone does that. And even if you do, when you leave home and
connect to WIFI at the local coffee shop do you verify that the
network provider for the coffee shop has properly blocked the
extension headers that are "insecure"? Have you verified that your
mobile carrier properly blocks EH, or whatever carrier you connect to
when roaming? Or for that matter, when you attend IETF do you demand
that the NOC team blocks extension headers? (I don't believe that they
are blocked, but it would be quite ironic if they were :-) ).

As Johnson Yu said, the security of the entire network depends on the
weakest part within it. If we extrapolate that logic to Internet
scale, then the security of the Internet depends on the weakest part;
so if extension headers really are the threat that some are making
them out to be, then we need more than ad hoc security policies applied
across the Internet with no consistency.

Tom

>
> Security evolved as it did, over IPv4, for a reason, methinks.
>
> Bert