IETF Logo Mail Archive

Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Mon, 22 May 2023 17:46 UTC

Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C401FC14CF12 for <ipv6@ietfa.amsl.com>; Mon, 22 May 2023 10:46:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id goy83DNqfoNh for <ipv6@ietfa.amsl.com>; Mon, 22 May 2023 10:46:26 -0700 (PDT)
Received: from sonic321-29.consmr.mail.ne1.yahoo.com (sonic321-29.consmr.mail.ne1.yahoo.com [66.163.185.210]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 030E6C14EB17 for <ipv6@ietf.org>; Mon, 22 May 2023 10:46:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1684777585; bh=90h+sQgGY8VwuYD7UefkWQgPW4B1sIIQBqZUVV7LOws=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From:Subject:Reply-To; b=NNFehGAo85lRlwoqQQiSKiIhcNJjnhRUROexyU0til8wzbr0deWeKumuIp8QKeHxieIbpSiD7VYAlztWwysxMTdP7u8+5qr0xvg7E59VtCdGICHMqTG47YAqomZekAtp8YsUJ8Dc6ofQJfqopPzU5RW2kTKi9OLn/Rj26rWEq/3vP9wpxA2mUMveueI9gu5RhbV1Iw6GcL0ZAxKSlZ0ZFfS4RYcTBIagqEmmRgdyXok5WY8BdldIufP6l5vqC8j1tMK2p0J8CcAII12VZg3+2ktiS5y1+zmVgtcxESYqlUTmWP92N+a8FpJ3hG/gyksl5wmcHUUddpbSUNCJzZ/4pw==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1684777585; bh=mvOxRwnJARpI45FD989zM91R1eZUq0EUnrAJA+JqT+R=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=iWlkFxAp659VoXUEgQ5hmX65iCamkXSgQuB0SI/qq7eejFvOPR6bDwX701xW41nvkMJkOcCf5YWiFi6PYYCV1A2eHTWQYqmL0gRPUVflfG2ga3MULa5Id7pSzLyJhQG2R5EczFQkAfZfknZw1xxvhD/O1WXOPtQf3Ub6UEBigXY257keGAsHbTAfW57ZKvmP5jWVt3E74cmgy+uOi6+K7CY2q5WwL0y5UE6csv5HLHih9PjaJVnC6snsZgtm/4Skr9J3hvgjNPIJjlyFts+EuPazTkDHl+9lb2hK/SLKO2iajUdCdyOCI3/fZAwhye3mnMsYo+8S/4aImDmyM8NgIA==
X-YMail-OSG: mWGwLuwVM1n372X9N3rDbLz6fPKt5MJFA5GbUYiYSnAhqMcV4a4iYL7jgofD1UJ kKGE5NfwXVKjLOe2f9hFd1MkNjZny7stcf2YQrXjkKNUKXDkf2Qip_lPtVCE3uvHdpUNS787Fcip vf.x.FXmjgjodtHaOgPgt7sjlMqfyjW327J7e6TPxqOmoPzgaswlyxXV1QM1IFNUZvqECoQJrhPn rHCAIp_BNVyyxTnvGDUM0aI_7OLcyQQbvvCfB.roq2DRLouC6DKhbv4Oquo6m.Hhhf5j.pvAZ_dk yafX.vjpsR8o5kjOrnqPvV36BbuQf1.N7gYo_AnSE4ISPt.gnWt36PZOddqJ8sEYk185_yeqZNpa AC.eoUBTUICnrljgaougAj7e0bYlMwLD0XxLwfDzqVoM0QKOk2wnlJQuw66hV7D6ucB4tnbKQfxo kUMCXP3c9vyajRbbpoE3gumL83krUhb6Lzq3kqYXz0I1ujOIyg6pN0jZHxJQQQi5sCouEvtUYvai YuRROp1Hj1lzqzIIzEo5LQuCH6mfccHfkxvcY9WVUbzPeEx5qWpByxUeafgOuZ1aMRDdf93fBMRP J1kINXh_rCnf4vvZvuEw3UXpzdyzVc42RTpQZBTqY7Lz2cu_UuIfdgpgXk0U6itl_4Gi7Mt9ItLz B5Ak.4Qghr.1vNoKJGlrLzHP.LvwkjGQRxsi9JTCKlAfhVeYlx83OYtWCXFA4W0t5AezmTe4u2Dc .pgQxSpaFmymljZVXGMkea5tPB7A8Dz0k5vXBEhijnDyEc9wAU73D_CwdXnDX9MJHDMs6B4u308P EVw3sGzoS2PgVe6KrudLPCUlj0FV788tw5lNJ8u5H_UhQYYOFAdTl0vvd292Y0AlsjsoWM8eKYzm Zy.a4KficQTTyE85c.fvuMZloUpqAiRNIqojbJQFowes5GP9cn67tVoPOaT5hxG08i1rp8v9dUOe WHboue97RztCWk91r3Pknz59J_huku0pUNTtvbVKjGLwNQANOxXQXEn4hilQ12nWuOqxSuGw7AiH PnR7Q7bw9un8VmrTkXITe5RF4q7bduF6g_osDi1lMwsUlNOhHch42ywHPmciwtyluQFa78OlN_i9 2l637aNTftMX1AQr8db1xB6zdZLZxjay7yUt.Cj55jEDsV38.xrpDsbv4zK9mvDViCoP_.OUjSak l.myuFzvaAZsJmxBLpjgbd4iJPM6Jkv2wLJchdB9WKiLf2N9hQft5GfjZJ9DJrgum.o.N2ol28d6 j_qtH1lotdUuWwp_AJFeV1saKEdu425Ni6GgtWeohcTL2Q5xApd7ptsLCelFK6AvZnP5Uh8D4LCs t1R6gJ7XHCEtoG9Ae3_t.4lcq_vpUWqeHl7h55stMNxR3cbrlgxTjN9gzsz1XnSLB4rt_crtQ2IT mHkjUdTmaoXJ_vaVuCiODmP4CLlBPMVqR1_OHX4bn4KUqbmYlDmnUWlQMkB1yOotf1CWj7QGeqqD 0XSvUqpu2EzFwF4GmVTEbUErQY_n6rAtp_u2bfO3oGEQPwioey3s9V_n53_kcBvlTQ2Bmd._otAZ 2TLFKYMIsFO1hilW9j2J3tyA25zdwC2ZeahHDX0mgiAiCmhcbjOka8vVtgYQDm.DJ_ju9g7wKWt1 Zj04ruA0IEUczTUouVvPiTFhXgJFRiuY5L8K1x.YOsq2y_y.nhV34JwZ2_hG9I2w.sWXLnv8qfl. EdlczzTHtR04CQz8bNH4Fr6Ln9_qT8Ngeri8M1Cma_6xFG.FoM5jSaxZYqw_5ptGJq6KgswdOlOi P1lOzSWKIBymR9HEub_3YFEoXs_ZlW9TgGNVhV.DFr4aZa0PUwYcViB8gxarqRyBoed8DzGajuCO IhAk7g3UtHQW8CHDr0qT.8cVsHF6RELGaJCgOIitO5_l7BZCKfrQdJ.qNE2i6iOMslHDEolELTh9 O6EXysj_6TSNVixHAXI4sSh0zloygUBzhHRhCHcla5UK9UmVg2iq8T82GTPKCxi0a._dpoCr28Gr ZdlffiWchrmtIVmpuOplycE8N3CnHXdixTJOz0qqNXTSvPq8W.v7UI4wGl3R9aj_o582mtSyzS5p S_FgSHP5HZMptOYCKL6UMGJuult1n2DpY9txisMY1uR92B75l9VuALzeX2ssZjNeaJahjbpoRCX3 XKWklH4S0kg4XwWwy.TTTtIkpsCbhlnDTdXbBk1Fr.UBmXPlU2GRRU.NuK9hovCMss2mwQ1HGqXJ GfkR1BAZg9TrFq.cmdXul3KQLVXCkfu0lWedgVqwCWwIjKcma2xlXfz80jzSRPQ--
X-Sonic-MF: <nalini.elkins@insidethestack.com>
X-Sonic-ID: 74124244-89b0-43cf-a1fe-9532181f4aef
Received: from sonic.gate.mail.ne1.yahoo.com by sonic321.consmr.mail.ne1.yahoo.com with HTTP; Mon, 22 May 2023 17:46:25 +0000
Date: Mon, 22 May 2023 17:46:20 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: Tom Herbert <tom@herbertland.com>
Cc: Ole Trøan <otroan@employees.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, IPv6 Operations <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Message-ID: <1280283752.963490.1684777580367@mail.yahoo.com>
In-Reply-To: <CALx6S37EJ_zZEVd650=ch=_9ooyVht+3ZePu=shJ1ChcP9JSVA@mail.gmail.com>
References: <338409937.875780.1684768913874@mail.yahoo.com> <C90EF571-2754-4C12-B7D6-FEDD1D17CA19@employees.org> <193402587.928006.1684773327427@mail.yahoo.com> <CALx6S37EJ_zZEVd650=ch=_9ooyVht+3ZePu=shJ1ChcP9JSVA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_963489_471613432.1684777580366"
X-Mailer: WebService/1.1.21495 YMailNorrin
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/q36E-A3HR8nuO6jFzy3AEs8-1I4>
Subject: Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 17:46:30 -0000

> Thanks for all your efforts! 
Thanks for the kind words, Tom.
> I'd also point out that work is also underway to fix the protocol "bugs" with EH in> draft-ietf-6man-hbh-processing and draft-ietf-6man-eh-limits.
Great!
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360 

    On Monday, May 22, 2023 at 10:11:28 AM PDT, Tom Herbert <tom@herbertland.com> wrote:  
 
 On Mon, May 22, 2023 at 9:35 AM nalini.elkins@insidethestack.com
<nalini.elkins@insidethestack.com> wrote:
>
> Ole,
>
> >>> it might be time that we accept that this was a bad idea. Which deployment status has confirmed.
>
> >> Is it your intent to submit a draft deprecating IPv6 Extension Headers?
>
> > Do you want me to?
> > A couple of them seem to have found some use within limited domains. Those problems could likely have
> > been solved also with encapsulation and as it turns out the limited domains end up with additional
> > encapsulation too. Encapsulation is in my a view a better way to reason about these extensions than EHs.
>
> > If nothing else they have served as a way to extend the ip protocol name space.
>
> No, it just seemed to be the logical extension of your thinking.  Please correct me if I have misunderstood.
>
> I believe that EHs can provide a great deal of useful functionality and will do so even more in the future.  We, ourselves, are working with a team in India to investigate DNS resiliency using our PDM Destination Options Extension Header.
>
> I believe that we need to find out exactly what the situation is as far as EH's.  If there are bugs in network device code, then we need to fix them.  We have found a number already and are working with the relevant vendors.
>

Nalini,

Thanks for all your efforts! I'd also point out that work is also
underway to fix the protocol "bugs" with EH in
draft-ietf-6man-hbh-processing and draft-ietf-6man-eh-limits.

> Once bugs are fixed, then we need to consider carefully what BCP around EHs should be done, taking into account various common topologies as well as devices such as proxies and load balancers.  I mention those in particular as what we have found points to those devices in particular as posing problems rather than transit networks.

Agreed, IMO if a network provider disallows a protocol it should be
because there is an inherent risk or unfixable bug in the protocol
and, not because of a fixable implementation bug or because of an
"opt-in" model for IETF protocols. Of course, if IETF is publishing
protocols that are an inherent security risk then maybe they should be
deprecated! (I don't think that's generally the case for EH).

Tom

>
> Of course, our testing to date is absolute lack of transmission rather than lack of transmission based on EH length or type.  We felt that was the logical first step.
>
> Thanks,
>
> Nalini Elkins
> CEO and Founder
> Inside Products, Inc.
> www.insidethestack.com
> (831) 659-8360
>
>
>
>
>
>
> On Monday, May 22, 2023 at 09:21:33 AM PDT, Ole Trøan <otroan@employees.org> wrote:
>
>
>
>
>
>
> Hi Nalini,
>
> >> it might be time that we accept that this was a bad idea. Which deployment status has confirmed.
> >
> > Is it your intent to submit a draft deprecating IPv6 Extension Headers?
>
> Do you want me to?
> A couple of them seem to have found some use within limited domains. Those problems could likely have been solved also with encapsulation and as it turns out the limited domains end up with additional encapsulation too. Encapsulation is in my a view a better way to reason about these extensions than EHs.
>
> If nothing else they have served as a way to extend the ip protocol name space.
>
> O.

v2.23.0 | Report a Bug | By Email