Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Tom Herbert <tom@herbertland.com> Mon, 22 May 2023 17:24 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19966C1782B1 for <ipv6@ietfa.amsl.com>; Mon, 22 May 2023 10:24:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihN5xTPqOGOf for <ipv6@ietfa.amsl.com>; Mon, 22 May 2023 10:24:21 -0700 (PDT)
Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E0EC15153F for <ipv6@ietf.org>; Mon, 22 May 2023 10:24:21 -0700 (PDT)
Received: by mail-pj1-x102d.google.com with SMTP id 98e67ed59e1d1-25394160fd3so2101828a91.3 for <ipv6@ietf.org>; Mon, 22 May 2023 10:24:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1684776261; x=1687368261; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=wljA0tbCG11rW/mG8HMCSXsqXG2fR3/rbhCV6QAf1tI=; b=dmXhVW5EpfBuvHlsV9yfKwqNpybZpQw3ftt3Q6OAjJnAgnjjFuPYNWJZsuUP6MHp1k d3SznUGVG0v6cvWDk06RJ4FxbNbzcivAUavkJmyJG5xCP5lfqN0H3ZUIBwMZ5GN2t2D3 KrZ4/c2GCfwZbPNeKNyIs/cqBCCzWEvkUw/G6B4JGxIg90gHVuapFpvIHr7PgyaREE4v qh+Rprtj1D6urYYfUTXPqUX7CmGaU4aKTI68IXUO7KSqexcsSveW0dliR8pk9EIgX6v6 LpuPTY6VBSNXNBAEi2wJfMEaEQZkbfCh0RIz/F7dtETatp6u+us4GiwSfdSWdirDmrJl 9ccg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684776261; x=1687368261; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wljA0tbCG11rW/mG8HMCSXsqXG2fR3/rbhCV6QAf1tI=; b=locbkS6+Rc8IQxGCjDPlYy7MiT68oqIQEJCxqziFozpaZ6lju+eGuzHcZDYg79GTRh WBroLfbqfVLiZvpLGGAarBvAf9+Wgs3lJNK1M0nvRMlZdIEWdtfAmM16yb9WJIby1U3F k4qbjg/+ccMWW3MIOx9fiI22lB5x5Qf2QX9fZRCpJUG7t4rbPjmHKP7+l8PYV/x7NePC E2v7BP9EOELcWYBjzl7Rhha5T15x09FED79cOTPm6TKnMAufZHd9+40nFTC79CTkaVAi Vy27jxDixaYunOrp+YJfJIpXRK0RCDIYEs1kh9qeeirHP7ouxqiWk887CuuYl0E0JOow RWLw==
X-Gm-Message-State: AC+VfDxGbibgeQzNrgedc/8PSqIcqG2tHYBQXhkoygn3D4cEL+UhSyJQ +WLqNxSdjbfYrh7hGblPM1/yKmw+IBETzeTe9ZVuFA==
X-Google-Smtp-Source: ACHHUZ4vGeYG4cHelKutzFuJSTDMKEmrjnhe607HEPCqhN+ZJadcIg5uUatU3lX9Dt8wvDzTKxWtFmKUxw7ICXJkNaw=
X-Received: by 2002:a17:90b:4d91:b0:255:7d50:c1aa with SMTP id oj17-20020a17090b4d9100b002557d50c1aamr2703320pjb.44.1684776260620; Mon, 22 May 2023 10:24:20 -0700 (PDT)
MIME-Version: 1.0
References: <338409937.875780.1684768913874@mail.yahoo.com> <C90EF571-2754-4C12-B7D6-FEDD1D17CA19@employees.org> <193402587.928006.1684773327427@mail.yahoo.com> <9078375A-F5F7-4D44-AAB8-03CED422B6F7@employees.org>
In-Reply-To: <9078375A-F5F7-4D44-AAB8-03CED422B6F7@employees.org>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 22 May 2023 10:24:07 -0700
Message-ID: <CALx6S35g39O6sc+ECwXFb9Zm6c2fNWvJRVY2TMw-ewznT4ZGQQ@mail.gmail.com>
To: Ole Troan <otroan=40employees.org@dmarc.ietf.org>
Cc: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, Ole Troan <otroan@employees.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, IPv6 Operations <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/r6PJ98yGmwAHVqO-ewTrVfCpuFE>
Subject: Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 17:24:27 -0000
On Mon, May 22, 2023 at 10:09 AM Ole Troan <otroan=40employees.org@dmarc.ietf.org> wrote: > > Nalini, > > > > > Once bugs are fixed, then we need to consider carefully what BCP around EHs should be done, taking into account various common topologies as well as devices such as proxies and load balancers. I mention those in particular as what we have found points to those devices in particular as posing problems rather than transit networks. > > I look at load balancers as an extension of the application (or network function). Ole, If you're talking about a transparent proxy or a transparent stateful device in the network, I tend to view those devices as potentially invasive and harmful to an application as opposed to an extension of the application. Think of all the problems we've had with stateful middleboxes and all the hacks we need in networking stacks to work around them... > Unless the application had a particular use for a extension header I would not implement it. So you only run one application in your network? :-) Even if you polled every user in the network about every application they're running and found they don't currently use a certain protocol, what happens the next day when one of your customers wants to use the banned protocol? > And that’s with an implementors hat on. Writing custom load-balancers for network services. > What would you even do with EHs through a load balancer? Provide ALGs for EHs containing addresses inside of them? It would have to be on a case by case basis. Why would a load balancer care about EH? In the worst case, don't you just need to parse over the extension headers to find the transport layer headers for load balancing (note RFC8200 allow intermediate nodes to not process HBH options). Tom > > > > Of course, our testing to date is absolute lack of transmission rather than lack of transmission based on EH length or type. We felt that was the logical first step. > > O.
- [IPv6] Why folks are blocking IPv6 extension head… Fernando Gont
- Re: [IPv6] Why folks are blocking IPv6 extension … Tom Herbert
- Re: [IPv6] Why folks are blocking IPv6 extension … Ted Lemon
- Re: [IPv6] Why folks are blocking IPv6 extension … David Farmer
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… nalini.elkins@insidethestack.com
- Re: [IPv6] Why folks are blocking IPv6 extension … Jen Linkova
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Vasilenko Eduard
- Re: [IPv6] Why folks are blocking IPv6 extension … Fernando Gont
- Re: [IPv6] Why folks are blocking IPv6 extension … Fernando Gont
- Re: [IPv6] Why folks are blocking IPv6 extension … Tom Herbert
- Re: [IPv6] [OPSEC] Why folks are blocking IPv6 ex… Andrew Campling
- Re: [IPv6] [OPSEC] Why folks are blocking IPv6 ex… Andrew Campling
- Re: [IPv6] Why folks are blocking IPv6 extension … Tom Herbert
- Re: [IPv6] [OPSEC] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Nick Buraglio
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Dale W. Carder
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Nick Buraglio
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Nick Buraglio
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Xipengxiao
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Michael McBride
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Ole Troan
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Haisheng Yu
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Andrew Campling
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Bob Natale
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Tom Herbert
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Ole Troan
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [EXT] Re: [OPSEC] [v6ops] Why folks ar… Bob Natale
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… David Farmer
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Tom Herbert
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Ole Trøan
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… David Farmer
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Ole Troan
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Tom Herbert
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Tom Herbert
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Ole Troan
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking… Brian E Carpenter
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Brian E Carpenter
- Re: [IPv6] [v6ops] Why folks are blocking IPv6 ex… hsyu
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Fernando Gont
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Arnaud Taddei
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Vasilenko Eduard
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Arnaud Taddei
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Vasilenko Eduard
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Arnaud Taddei
- Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why fol… nalini.elkins@insidethestack.com
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why fol… nalini.elkins@insidethestack.com
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Brian E Carpenter
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Bob Natale
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Haisheng Yu
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Warren Kumari
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Ole Troan
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Warren Kumari
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Andrew Campling
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Fernando Gont
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Fernando Gont
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Fernando Gont
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [v6ops] [OPSEC] [EXTERNAL] Re: Why fol… Clark Gaylord
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Brian E Carpenter
- Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why fol… Brian E Carpenter
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [IPv6] [v6ops] [EXTERNAL] Re: [OPSEC] Why fol… Andrew Alston
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Tom Herbert
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Andrew Campling
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Tom Herbert
- Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking… Dirk Trossen
- Re: [IPv6] [EXTERNAL] Re: [v6ops] [OPSEC] Why fol… Mike Simpson
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Haisheng Yu
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Nick Hilliard
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Fernando Gont
- Re: [IPv6] [OPSEC] [EXTERNAL] Re: [v6ops] Why fol… Bob Natale