Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 27 May 2023 04:47 UTC

Message-ID: <8e46cab9-47aa-c38d-7a1a-f72d0d9f2f3b@gmail.com>
Date: Sat, 27 May 2023 16:47:29 +1200
To: Ole Troan <otroan@employees.org>, Warren Kumari <warren@kumari.net>
Cc: Albert E Manfredi <albert.e.manfredi@boeing.com>, Tom Herbert <tom@herbertland.com>, IPv6 Operations <v6ops@ietf.org>, 6man WG <ipv6@ietf.org>, opsec@ietf.org
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com> <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com> <222731ea012b4b0ebd7a51f72b5bcd40@boeing.com> <dd61024e-1bd8-ff3d-216f-22cc7600ad10@gmail.com> <CAHw9_iJyXiT=O5cMyy08bVq+U7VTtKTkR_60OfvrcCng8Joe5w@mail.gmail.com> <CC81C789-A751-43C6-9ABF-BC137B2E9803@employees.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <CC81C789-A751-43C6-9ABF-BC137B2E9803@employees.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/uQshApnOT4SbxCKZXwr_Obkq51A>
Subject: Re: [IPv6] [OPSEC] [v6ops] [EXTERNAL] Re: Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

On 26-May-23 21:13, Ole Troan wrote:
>> A well-implemented host will not be troubled by unknown extension headers or options.
>>
>> Indeed. However, not all hosts are well-implemented.
> 
> “Not be troubled by” == “drop”?

Yes, discard as RFC 8200 says.

> I don’t agree that a well-implemented host and application should blindly accept any and all extension headers.

Indeed. I wasn't arguing otherwise.

> If my application cannot use those extension headers why do you send them to me?

Because that's what RFC 8200 describes as normal.

> If they are purely for the use in the network, then again why do you expose them to the application?

That's a socket API function, isn't it? I don't think you'll find many apps that use it.
  
> If you can give some practical examples where it’s beneficial to “process” unknown extension headers by hosts/applications, then this may be a little easier to reason over.

I never intentionally argued for that.

    Brian
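The exchange above turns on what RFC 8200 actually asks a host to do with an extension header or option it does not recognise: "discard" is not one rule but several, depending on whether the unknown thing is a Next Header value (section 4: discard and send ICMPv6 Parameter Problem, Code 1) or an option inside a Hop-by-Hop or Destination Options header (section 4.2: the two high-order bits of the Option Type say skip, discard silently, or discard with Parameter Problem Code 2, the last variant suppressed for multicast destinations). The following Python model of a receiving host is an added example and is not code from any participant in this thread or from any real stack. Its assumptions: the host recognises only the Pad1 and PadN options, so every other option exercises the "unrecognised option" rules; `MAX_EXT_HEADERS` is a local robustness bound for this example, not an RFC 8200 requirement; the test packets are constructed here with documentation addresses from 2001:db8::/32 and the experimental values RFC 4727 reserves (Next Header 253, option types 0x1E, 0x9E, 0xDE).

```python
"""RFC 8200 handling of unknown extension headers and options, as a host model."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Next Header values this host model recognises (RFC 8200 section 4; AH/ESP from
# RFC 4302/4303). Anything else is "unrecognised" in the RFC 8200 sense.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
EXT_NAMES = {HOP_BY_HOP: "hop_by_hop", ROUTING: "routing", FRAGMENT: "fragment",
             AH: "ah", DEST_OPTS: "dest_opts"}
UPPER_NAMES = {6: "tcp", 17: "udp", 58: "icmpv6", ESP: "esp", NO_NEXT: "no_next_header"}
MAX_EXT_HEADERS = 8  # local robustness bound (assumption for this example, not from RFC 8200)


@dataclass
class Verdict:
    action: str                      # "deliver" or "discard"
    icmp_code: Optional[int] = None  # ICMPv6 Parameter Problem code to send, None = silent
    pointer: Optional[int] = None    # offset of the offending octet, carried in the ICMP message
    chain: List[str] = field(default_factory=list)
    reason: str = ""


def _process_options(pkt: bytes, start: int, end: int, dst_is_multicast: bool):
    """Walk the TLV options of a Hop-by-Hop/Destination Options header (pkt[start:end]).
    Returns (ok, icmp_code, pointer). Only Pad1/PadN are recognised in this model."""
    off = start
    while off < end:
        opt_type = pkt[off]
        if opt_type == 0:                      # Pad1: a single octet, no length field
            off += 1
            continue
        if off + 1 >= end:                     # length octet missing: malformed, Code 0
            return False, 0, off
        opt_len = pkt[off + 1]
        if off + 2 + opt_len > end:            # option overruns the header: malformed, Code 0
            return False, 0, off + 1
        if opt_type == 1:                      # PadN
            off += 2 + opt_len
            continue
        # RFC 8200 section 4.2: unrecognised option, the two high-order bits decide.
        hi = opt_type >> 6
        if hi == 0b01:
            return False, None, None           # discard silently
        if hi == 0b10:
            return False, 2, off               # discard, always send Parameter Problem Code 2
        if hi == 0b11:                         # Code 2 only when destination is not multicast
            return (False, None, None) if dst_is_multicast else (False, 2, off)
        off += 2 + opt_len                     # 0b00: skip over it and keep going
    return True, None, None


def process_ipv6(pkt: bytes) -> Verdict:
    """Walk the header chain as the destination host and decide deliver/discard."""
    if len(pkt) < 40:
        return Verdict("discard", reason="truncated fixed header")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = 40 + payload_len
    if end > len(pkt):
        return Verdict("discard", reason="Payload Length exceeds packet")
    dst_is_multicast = pkt[24] == 0xFF
    nh, nh_pos, off, chain = pkt[6], 6, 40, []
    while True:
        if nh in UPPER_NAMES:
            chain.append(UPPER_NAMES[nh])
            return Verdict("deliver", chain=chain)
        # Section 4: unrecognised Next Header -> discard, Parameter Problem Code 1, pointer
        # at the Next Header field. Hop-by-Hop anywhere but first gets the same treatment.
        if nh not in EXT_NAMES or (nh == HOP_BY_HOP and off != 40):
            return Verdict("discard", 1, nh_pos, chain, f"unrecognised Next Header {nh}")
        if len(chain) >= MAX_EXT_HEADERS:
            return Verdict("discard", None, None, chain, "header chain exceeds local bound")
        if off + 8 > end:
            return Verdict("discard", 0, off, chain, "truncated extension header")
        if nh == FRAGMENT:
            hlen = 8                           # fixed 8 octets, second octet is reserved
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4      # AH Payload Len: 4-octet units minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8      # Hdr Ext Len: 8-octet units, excluding first 8
        if off + hlen > end:
            return Verdict("discard", 0, off + 1, chain, "extension header overruns payload")
        if nh in (HOP_BY_HOP, DEST_OPTS):
            ok, code, ptr = _process_options(pkt, off + 2, off + hlen, dst_is_multicast)
            if not ok:
                return Verdict("discard", code, ptr, chain, "unrecognised or malformed option")
        chain.append(EXT_NAMES[nh])
        nh, nh_pos = pkt[off], off
        off += hlen


def build_ipv6(next_header: int, payload: bytes, dst: str = "2001:db8::2") -> bytes:
    """Constructed test packet: IPv6 fixed header (version 6, hop limit 64) plus payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address(dst).packed + payload


if __name__ == "__main__":
    padn = bytes([1, 4, 0, 0, 0, 0])           # PadN filling a minimal 8-octet options header
    tcp = b"\x00" * 20                         # opaque upper-layer bytes, not parsed here
    for label, pkt in [
        ("known dest opts, then TCP", build_ipv6(DEST_OPTS, bytes([6, 0]) + padn + tcp)),
        ("unknown Next Header 253", build_ipv6(253, b"\x00" * 8)),
        ("hop-by-hop, experimental option 0x9E", build_ipv6(HOP_BY_HOP, bytes([6, 0, 0x9E, 4, 0, 0, 0, 0]) + tcp)),
        ("hop-by-hop not first in chain", build_ipv6(DEST_OPTS, bytes([HOP_BY_HOP, 0]) + padn + bytes([6, 0]) + padn + tcp)),
    ]:
        print(f"{label:40s} -> {process_ipv6(pkt)}")
```

The point for the "block everything" debate is visible in the verdicts: a host following the RFC never needs to "process" an unknown header, it only needs to find the end of it, and the chain walk above does that with bounds checks on every length field so a malformed or absurdly long chain is a cheap discard rather than a parsing hazard.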