Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Thu, 18 May 2023 03:55 UTC

Date: Thu, 18 May 2023 03:55:48 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, David Farmer <farmer=40umn.edu@dmarc.ietf.org>
Cc: "6man@ietf.org" <6man@ietf.org>, Fernando Gont <fgont@si6networks.com>, V6 Ops List <v6ops@ietf.org>, opsec WG <opsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/r7jC7on2kR9VBztcmFVAyfFAZCE>

> So, I’m not really happy with the all or nothing approach the two of you seem to be offering for IPv6 extension headers,
> is there something in between? If not, then maybe that is what we need to be working towards.

I agree with you.  IMHO, I think we need to think about:

- what EHs should be blocked (and by what kind of device)
- what EHs should be encrypted (and at what point)
- what EHs should be signed / authenticated (and at what point)
We have been testing on various cloud implementations and will be sharing those results with the group soon.
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360 
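As an added illustration of the graduated policy sketched above (example code written for this page, not from the thread, the Linux kernel or any IETF document), the following walks an IPv6 extension-header chain and applies a per-type drop list plus a chain-length cap instead of an all-or-nothing rule; the packets, addresses and policy are constructed samples.

```python
import struct

# IANA protocol numbers for the extension headers a filter can parse.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
PARSEABLE = (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS)   # ESP hides what follows it
IPV6_HDR_LEN = 40

def _ext_len(kind, hdr):
    """Byte length of one extension header, from its first 8 bytes."""
    if kind == FRAGMENT:
        return 8                      # fixed size, no length field
    if kind == AH:
        return (hdr[1] + 2) * 4       # AH: length in 32-bit words, minus 2
    return (hdr[1] + 1) * 8           # HBH / Routing / DestOpts: 8-octet units, minus 1

def check_chain(pkt, dropped, max_ext_headers=4):
    """Walk the chain; return (verdict, reason, [next-header values seen])."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "drop", "not IPv6", []
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in PARSEABLE:
        chain.append(nh)
        if nh in dropped:
            return "drop", "policy forbids extension header %d" % nh, chain
        if nh == HOP_BY_HOP and off != IPV6_HDR_LEN:
            return "drop", "Hop-by-Hop not first (RFC 8200)", chain
        if len(chain) > max_ext_headers:
            return "drop", "extension header chain too long", chain
        if off + 8 > len(pkt):
            return "drop", "truncated extension header", chain
        size = _ext_len(nh, pkt[off:off + 8])
        if off + size > len(pkt):
            return "drop", "extension header runs past end of packet", chain
        nh, off = pkt[off], off + size
    chain.append(nh)                  # upper-layer protocol (or ESP)
    if nh in dropped:
        return "drop", "policy forbids protocol %d" % nh, chain
    return "accept", "chain ok", chain

def build_packet(first_nh, body):
    """Constructed minimal IPv6 packet (zero addresses): fixed header + raw body."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), first_nh, 64,
                       bytes(16), bytes(16)) + body

# Constructed samples. A PadN option (type 1, len 4) fills each 8-byte options header.
HBH_THEN_FRAG_TCP = build_packet(HOP_BY_HOP, bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])
                                 + bytes([6, 0, 0, 0, 0, 0, 0, 1]) + bytes(20))
ROUTING_TCP = build_packet(ROUTING, bytes([6, 0, 0, 0, 0, 0, 0, 0]) + bytes(20))
LONG_CHAIN = build_packet(DEST_OPTS, bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0]) * 5
                          + bytes([6, 0, 1, 4, 0, 0, 0, 0]) + bytes(20))
POLICY = {ROUTING}   # "something in between": drop Routing, allow the rest, cap the chain
```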

    On Wednesday, May 17, 2023 at 06:16:08 PM PDT, David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:  
 
 

On Wed, May 17, 2023 at 13:57 Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:

On Wed, May 17, 2023 at 6:00 AM Fernando Gont <fgont@si6networks.com> wrote:
>
> Hi,
>
> I believe we've already covered the topic quite thoroughly in RFC 9098.
>
> But if you want yet another data point, FYI this is instance N++ of a
> DoS based on IPv6 EHs implementation flaws:
> https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death
>
> It should be no surprise what security-minded folks tend to do with IPv6
> EHs, particularly when there's currently no much reliance on them these
> days.

Fernando,

There's an old saying phrased in the form of a question: "What is the
most secure network in the world?". The answer is "One that's turned
off". …

So, if you want to build a network with maximum security then by all
means drop packets with extension headers; …

Maximum security is rarely the objective; I by no means have maximum security at my home. However, I don’t live in the country, where some people still don’t even lock their doors. I live in a city, I have decent deadbolt locks and I use them.
Most people want some level of reasonable security for both their home and for their Internet connection as well. The question is: is blocking or allowing IPv6 extension headers reasonable security? That’s not an easy question to answer.
In my opinion, allowing all possible extension headers is more akin to living in the country with your doors unlocked. While on the other hand, blocking all possible extension headers seems like more than the deadbolt-lock security level I have for my home.
So, I’m not really happy with the all or nothing approach the two of you seem to be offering for IPv6 extension headers; is there something in between? If not, then maybe that is what we need to be working towards.
Thanks



-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota   
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================