IETF Logo Mail Archive

Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Wed, 17 May 2023 18:57 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CF1CC14CE55 for <ipv6@ietfa.amsl.com>; Wed, 17 May 2023 11:57:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUDuFbs6_lXt for <ipv6@ietfa.amsl.com>; Wed, 17 May 2023 11:57:06 -0700 (PDT)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72D9CC14F5E0 for <6man@ietf.org>; Wed, 17 May 2023 11:57:06 -0700 (PDT)
Received: by mail-pf1-x42c.google.com with SMTP id d2e1a72fcca58-64359d9c531so841096b3a.3 for <6man@ietf.org>; Wed, 17 May 2023 11:57:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1684349826; x=1686941826; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=x79NMAOxjwjBNnX67V2T/0TknTn4GHPlvBhChiopciQ=; b=EwFI2cBg3bioE1CREmmZC9SCEf2ofxqf/RcWCmIbsH8e96+6/7wCWtyRiDAE2Avnc3 vDPYtCaF1SGohycGrdAI7eHsV1MXt0aMzoZfpwkPik3+kV7iediwPabTuCvi7/Z+VAMK jXE2gRjVIqpJdok5M8N/qL3l0xIsdatE/RlvF8Oi0TTCUxsb2Kth9VAj50sOXiro+sw9 F558mxsgNxkty80u9l/d4oRgZPKJDgUQYW3OuPHO+rnlu7egc5ecJtiS6hmYULG/OVLi TKuGfwQUl2Q3VEkVBFG4fPavJX15YqQhnlADd408Z0wXJMkW52nubZMperSQgRjKw7Pz I5uA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684349826; x=1686941826; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=x79NMAOxjwjBNnX67V2T/0TknTn4GHPlvBhChiopciQ=; b=XgZsTZfN0AF1OSSU75CiVy7rVA7ezkx+kw44q6Ui6RJuJ1baP3+kbU6S9E1wlmcmPD LmPScHZpySAPc0CPtAtuChFBgsGDIJXuAxVKvwLDDRNuDaATMyyLwgzAt4I+2UjBNd2U UT6fp5g/cqoJk7s9nLJQROaWlIke6nAkyLW+Eixa7cb7T/A/M/BfNDixWoc7/5dIQ5yP 94FNTnnOxRBU+/wDS3dUHzIYig5kDLN07vtQq6f7sKuCAZCvWBaEV8Uuj4DL6r2r8nJ4 Csn0g22sYUJw6bemGUyZZzXEt3eggwokZsmD8DXXEP/J9gb6O9ftKzObMTAiZDB9xEhV RU3Q==
X-Gm-Message-State: AC+VfDyprW3R5GdBCCuW8z72HtmieOWxSoNUN+wuM/3noxQu3IytjKmh m0OaRuy/+BSOGs2CEBUHk7cuVUelTzAde1Rn38/qvg==
X-Google-Smtp-Source: ACHHUZ5FS9hR+9fu6j09rQA8blcQrFs9zoUpGKAXRODRajwqF2s+TJSSnDZlW/PREc7TJI81WmznDdEP+hM75Yf3Xvg=
X-Received: by 2002:a05:6a21:788f:b0:101:37b2:62f3 with SMTP id bf15-20020a056a21788f00b0010137b262f3mr39808109pzc.61.1684349825729; Wed, 17 May 2023 11:57:05 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com>
In-Reply-To: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 17 May 2023 11:56:54 -0700
Message-ID: <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: 6man@ietf.org, V6 Ops List <v6ops@ietf.org>, opsec WG <opsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/scZH2j_Kx2zxJbpZEpnxLvR1_B4>
Subject: Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2023 18:57:10 -0000

On Wed, May 17, 2023 at 6:00 AM Fernando Gont <fgont@si6networks.com> wrote:
>
> Hi,
>
> I believe we've already covered the topic quite thoroughly in RFC 9098.
>
> But if you want yet another data point, FYI this is instance N++ of a
> DoS based on IPv6 EHs implementation flaws:
> https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death
>
> It should be no surprise what security-minded folks tend to do with IPv6
> EHs, particularly when there's currently no much reliance on them these
> days.

Fernando,

There's an old saying phrased in the form of a question: "What is the
most secure network in the world?". The answer is "One that's turned
off". The analogy to this for a network is that if we want maximum
security, but still connect to the Internet, then only allow the
absolute bare minimum set of protocols to be used in the network and
always drive to maintain the status quo before any other
considerations.

So, if you want to build a network with maximum security then by all
means drop packets with extension headers; but, also be sure to drop
packets containing other protocols that are potentially susceptible to
implementation which includes any other transport protocol other than
TCP, IP fragmentation, and you probably should consider IPv6 as well
since we certainly haven't seen the last of the implementation bugs
for that. UDP as a secure protocol is right out! For the remaining
"authorized" protocols, which is just TCP over IPv4, immediately drop
all TCP packets that are not to or from port 443 because anything else
is insecure. Also a TCP implementation could have bugs, so require
that users only use a network provider approved TCP stack
implementation verified to be bug free and frozen in time that only
allows bug fixes (we need to avoid regressions!).

Do all this, and I think you might be able to claim to have a secure
network connected to the Internet :-)

Tom


Tom

>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email