Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Mon, 22 May 2023 16:45 UTC

Date: Mon, 22 May 2023 16:35:27 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: Ole Trøan <otroan@employees.org>
Cc: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Ole Troan <otroan=40employees.org@dmarc.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, IPv6 Operations <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Message-ID: <193402587.928006.1684773327427@mail.yahoo.com>
In-Reply-To: <C90EF571-2754-4C12-B7D6-FEDD1D17CA19@employees.org>
References: <338409937.875780.1684768913874@mail.yahoo.com> <C90EF571-2754-4C12-B7D6-FEDD1D17CA19@employees.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/rUlqozp2MDoNI_hUdGYeJqGSrL8>
Subject: Re: [IPv6] [OPSEC] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Ole,

>>> it might be time that we accept that this was a bad idea. Which deployment status has confirmed.

>> Is it your intent to submit a draft deprecating IPv6 Extension Headers?

> Do you want me to?
> A couple of them seem to have found some use within limited domains. Those problems could likely have 
> been solved also with encapsulation and as it turns out the limited domains end up with additional 
> encapsulation too. Encapsulation is in my view a better way to reason about these extensions than EHs.

> If nothing else they have served as a way to extend the IP protocol name space.

No, it just seemed to be the logical extension of your thinking. Please correct me if I have misunderstood.

I believe that EHs can provide a great deal of useful functionality and will do so even more in the future. We, ourselves, are working with a team in India to investigate DNS resiliency using our PDM Destination Options Extension Header.

I believe that we need to find out exactly what the situation is as far as EHs. If there are bugs in network device code, then we need to fix them. We have found a number already and are working with the relevant vendors.

Once bugs are fixed, then we need to consider carefully what BCP around EHs should be done, taking into account various common topologies as well as devices such as proxies and load balancers. I mention those in particular as what we have found points to those devices in particular as posing problems rather than transit networks.

Of course, our testing to date is for absolute lack of transmission rather than for lack of transmission based on EH length or type. We felt that was the logical first step.

Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

On Monday, May 22, 2023 at 09:21:33 AM PDT, Ole Trøan <otroan@employees.org> wrote:

Hi Nalini,

>> it might be time that we accept that this was a bad idea. Which deployment status has confirmed.
> 
> Is it your intent to submit a draft deprecating IPv6 Extension Headers?

Do you want me to?
A couple of them seem to have found some use within limited domains. Those problems could likely have been solved also with encapsulation and as it turns out the limited domains end up with additional encapsulation too. Encapsulation is in my view a better way to reason about these extensions than EHs.

If nothing else they have served as a way to extend the IP protocol name space.

O.