Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Tom Herbert <tom@herbertland.com> Mon, 22 May 2023 17:11 UTC
References: <338409937.875780.1684768913874@mail.yahoo.com> <C90EF571-2754-4C12-B7D6-FEDD1D17CA19@employees.org> <193402587.928006.1684773327427@mail.yahoo.com>
In-Reply-To: <193402587.928006.1684773327427@mail.yahoo.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 22 May 2023 10:11:14 -0700
Message-ID: <CALx6S37EJ_zZEVd650=ch=_9ooyVht+3ZePu=shJ1ChcP9JSVA@mail.gmail.com>
To: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
Cc: Ole Trøan <otroan@employees.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, IPv6 Operations <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/oIoOX3OAWqxqT9YO9MrTXL7bdvI>
On Mon, May 22, 2023 at 9:35 AM nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com> wrote:
>
> Ole,
>
> >>> it might be time that we accept that this was a bad idea. Which deployment status has confirmed.
>
> >> Is it your intent to submit a draft deprecating IPv6 Extension Headers?
>
> > Do you want me to?
> > A couple of them seem to have found some use within limited domains. Those problems could likely have
> > been solved also with encapsulation and as it turns out the limited domains end up with additional
> > encapsulation too. Encapsulation is in my view a better way to reason about these extensions than EHs.
> >
> > If nothing else they have served as a way to extend the ip protocol name space.
>
> No, it just seemed to be the logical extension of your thinking. Please correct me if I have misunderstood.
>
> I believe that EHs can provide a great deal of useful functionality and will do so even more in the future. We, ourselves, are working with a team in India to investigate DNS resiliency using our PDM Destination Options Extension Header.
>
> I believe that we need to find out exactly what the situation is as far as EHs. If there are bugs in network device code, then we need to fix them. We have found a number already and are working with the relevant vendors.
>

Nalini,

Thanks for all your efforts! I'd also point out that work is also underway to fix the protocol "bugs" with EH in draft-ietf-6man-hbh-processing and draft-ietf-6man-eh-limits.

> Once bugs are fixed, then we need to consider carefully what BCP around EHs should be done, taking into account various common topologies as well as devices such as proxies and load balancers. I mention those in particular as what we have found points to those devices in particular as posing problems rather than transit networks.

Agreed, IMO if a network provider disallows a protocol it should be because there is an inherent risk or unfixable bug in the protocol and not because of a fixable implementation bug or because of an "opt-in" model for IETF protocols. Of course, if IETF is publishing protocols that are an inherent security risk then maybe they should be deprecated! (I don't think that's generally the case for EH).

Tom

> Of course, our testing to date is absolute lack of transmission rather than lack of transmission based on EH length or type. We felt that was the logical first step.
>
> Thanks,
>
> Nalini Elkins
> CEO and Founder
> Inside Products, Inc.
> www.insidethestack.com
> (831) 659-8360
>
> On Monday, May 22, 2023 at 09:21:33 AM PDT, Ole Trøan <otroan@employees.org> wrote:
>
> Hi Nalini,
>
> >> it might be time that we accept that this was a bad idea. Which deployment status has confirmed.
>
> > Is it your intent to submit a draft deprecating IPv6 Extension Headers?
>
> Do you want me to?
> A couple of them seem to have found some use within limited domains. Those problems could likely have been solved also with encapsulation and as it turns out the limited domains end up with additional encapsulation too. Encapsulation is in my view a better way to reason about these extensions than EHs.
>
> If nothing else they have served as a way to extend the ip protocol name space.
>
> O.
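Editor's added example, not code from this thread, from any list participant, or from the drafts it names. The message above points at proxies and load balancers as the devices that choke on extension headers, and at draft-ietf-6man-hbh-processing and draft-ietf-6man-eh-limits as the protocol-side fixes. What such a device has to do is walk the Next Header chain to find the transport header, and the walk below shows the places where implementations get it wrong: Hop-by-Hop accepted anywhere in the chain, the AH length unit (32-bit words, minus 2) confused with the 8-octet unit of the other headers, length fields trusted past the end of the packet, and non-first fragments that carry no transport header at all. The header-count and chain-length limits (8 headers, 512 octets) are illustrative values chosen for this example, not numbers from any draft; the sample packets, addresses and the PDM Destination Option (type 0x0F, RFC 8250) are constructed inline.

```python
# Walk an IPv6 extension-header chain the way a middlebox must to reach the transport header.
# Added example; limits are illustrative and every packet below is constructed by hand.
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPV6_HDR_LEN = 40
# Next Header values from the IANA protocol-numbers registry.
HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS, MOBILITY, HIP, SHIM6, UDP = 0, 43, 44, 51, 60, 135, 139, 140, 17
EIGHT_OCTET = {HOPOPT, ROUTING, DSTOPTS, MOBILITY, HIP, SHIM6}  # length = (Hdr Ext Len + 1) * 8
PDM_OPTION = 0x0F  # Performance and Diagnostic Metrics option type, RFC 8250


@dataclass
class Chain:
    headers: List[Tuple[int, int, int]] = field(default_factory=list)  # (type, offset, octets)
    options: List[Tuple[int, int]] = field(default_factory=list)       # (opt type, opt len)
    upper_layer: Optional[int] = None    # first non-extension Next Header value reached
    upper_offset: Optional[int] = None
    non_first_fragment: bool = False
    error: Optional[str] = None


def _walk_options(pkt: bytes, i: int, end: int, out: List[Tuple[int, int]]) -> Optional[str]:
    """TLV options of a Hop-by-Hop or Destination Options header; Pad1 (type 0) has no length octet."""
    while i < end:
        if pkt[i] == 0:
            i += 1
            continue
        if i + 2 > end or i + 2 + pkt[i + 1] > end:
            return f"option at offset {i} runs past its header"
        out.append((pkt[i], pkt[i + 1]))
        i += 2 + pkt[i + 1]
    return None


def walk_eh_chain(pkt: bytes, max_headers: int = 8, max_chain_octets: int = 512) -> Chain:
    c = Chain()
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        c.error = "not an IPv6 packet"
        return c
    end = IPV6_HDR_LEN + struct.unpack_from("!H", pkt, 4)[0]  # jumbograms (Payload Length 0) not handled
    if end > len(pkt):
        c.error = "Payload Length exceeds captured bytes"
        return c
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in EIGHT_OCTET or nh in (FRAGMENT, AH):
        if nh == HOPOPT and off != IPV6_HDR_LEN:
            c.error = f"Hop-by-Hop header at offset {off}; RFC 8200 allows it only directly after the IPv6 header"
            return c
        if off + 2 > end:
            c.error = f"extension header at offset {off} truncated"
            return c
        next_nh, len_field = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            hlen = 8
        elif nh == AH:
            hlen = (len_field + 2) * 4  # RFC 4302: Payload Len counts 32-bit words, minus 2
        else:
            hlen = (len_field + 1) * 8
        if off + hlen > end:
            c.error = f"header {nh} at offset {off} claims {hlen} octets past end of packet"
            return c
        c.headers.append((nh, off, hlen))
        if len(c.headers) > max_headers:
            c.error = f"more than {max_headers} extension headers"
            return c
        if off + hlen - IPV6_HDR_LEN > max_chain_octets:
            c.error = f"header chain longer than {max_chain_octets} octets"
            return c
        if nh in (HOPOPT, DSTOPTS):
            c.error = _walk_options(pkt, off + 2, off + hlen, c.options)
            if c.error:
                return c
        if nh == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
            # Non-first fragment: the transport header lives only in the first fragment
            # (RFC 7112), so a stateless device cannot classify this packet at all.
            c.non_first_fragment = True
            return c
        off, nh = off + hlen, next_nh
    c.upper_layer, c.upper_offset = nh, off
    return c


def ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Constructed base header fe80::1 -> fe80::2, hop limit 64."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("fe80" + "00" * 13 + "02")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64, src, dst) + payload


# Constructed sample packets.
UDP_HDR = struct.pack("!HHHH", 40000, 53, 8, 0)                 # checksum left zero
HBH = bytes([DSTOPTS, 0, 1, 4, 0, 0, 0, 0])                      # 8 octets, one PadN(4) option
PDM_DSTOPTS = bytes([UDP, 1, PDM_OPTION, 10]) + bytes(10) + bytes([1, 0])  # 16 octets: PDM + PadN(0)
GOOD = ipv6(HOPOPT, HBH + PDM_DSTOPTS + UDP_HDR)
HBH_LATE = ipv6(DSTOPTS, bytes([HOPOPT, 1]) + bytes(14) + bytes([UDP, 0, 1, 4, 0, 0, 0, 0]) + UDP_HDR)
LONG_CHAIN = ipv6(DSTOPTS, bytes([DSTOPTS, 0, 1, 4, 0, 0, 0, 0]) * 9 + bytes([UDP, 0, 1, 4, 0, 0, 0, 0]) + UDP_HDR)
TRUNCATED = ipv6(DSTOPTS, bytes([UDP, 2, 1, 4, 0, 0, 0, 0]))    # claims 24 octets, carries 8
FRAG2 = ipv6(FRAGMENT, struct.pack("!BBHI", UDP, 0, 1 << 3, 0x1234) + bytes(16))  # fragment offset 1


def classify(pkt: bytes) -> str:
    """What a stateless filter or load balancer can conclude from this one packet."""
    c = walk_eh_chain(pkt)
    if c.error:
        return "drop: " + c.error
    if c.non_first_fragment:
        return "fragment: no upper-layer header in this packet"
    return f"{[h for h, _, _ in c.headers]} -> proto {c.upper_layer} at offset {c.upper_offset}"
```

Running `classify` over the five constructed packets gives one accepted chain (Hop-by-Hop, then Destination Options carrying the PDM option, then UDP at offset 64), three drops with a stated reason, and one non-first fragment that the walker correctly refuses to guess about. The point for the "blocking" debate is the last case and the error paths: a device that drops on any of these conditions is enforcing the protocol, while a device that drops because it found any extension header at all is doing something the spec never asked for.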