Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

[hsyu <hsyu@cfiec.net>]

Hi, Tom

Hi, David,

On 22/5/23 18:05, David Farmer wrote:
[...]

I think that many of us are still reeling from default configuration of
certain "firewalls" that banks seemed like, which dropped packets
containing
ECN, and TCP options, and made it very very difficult to deploy new
things.
Even when at the IETF standards level... (so "innovation with
permission")


So, I think we need "permissionless innovation" at the Internet level.
Nevertheless, that doesn't mean "innovation with permission" isn't
appropriate in some or even many situations. For example, in a situation
involving public safety, like a nuclear reactor or a missile control
system. We can all agree that "permissionless innovation" isn't
necessarily appropriate in situations like these.

For the Security guy, the "nuclear reactor" is the infrastructure that,
if compromised or DoS, causes clients to complain, money to be lost, and
eventually, staff to be fired.

Fernando,

That's the viewpoint for a Network Security guy, but as a Host
Security guy, network policy ostensibly put in place to protect the
host is irrelevant. The reason should be obvious, unless there was a
network security policy consistently implemented across all networks,
we, host developers and application developers, can't count on it and
it really doesn't help securing the host. In fact it's more likely
that these inconsistent policies are counter productive since we have
to insert hacks to try to work around network secure policies which
themselves could create issues (for instance, think about the hacks we
need to do to try to keep an anonymous stateful firewall in the path
from arbitrarily evicting our connection from its cache).

Tom

Tom,

I agree with you.

Host operators and network operators have different priorities when it comes to security and efficiency. Host operators focus more on ensuring basic data security while improving the speed of data transmission. On the other hand, network operators prioritize network security while striving to maximize network efficiency.

Based on what I've observed, most data breaches on the internet occur due to security vulnerabilities in applications (like leaks of usernames and passwords) or physical intrusions, rather than issues during data transmission over the network.

During the process of transmitting data through the network, there is indeed a Nash equilibrium relationship between security and efficiency, and this balance determines the overall user experience. If we excessively prioritize security without considering efficiency, it can lead to slower performance and reduce the usefulness for users. Similarly, if we focus too much on network efficiency without ensuring adequate security measures, it can result in data breaches, which also diminishes the user experience. Therefore, to achieve the best user experience, both security and efficiency need to be taken into account and maintained.

The network also experiences what is called the "bucket effect," where the security of the entire network depends on the weakest part within it. Even if most subnetworks within the network are secure, the presence of a vulnerability in one subnetwork can pose a threat to the overall network security. Therefore, network operators need to pay special attention to and strengthen the security of the weakest subnetwork to ensure the overall security of the entire network.

Johnson Yu

Yes, I love to play with EHs.... in a lab. :-)

Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops

https://dashi.163.com/projects/signature-manager/detail/index.html?ftlId=1&name=%E5%96%BB%E6%B5%B7%E7%94%9F&uid=hsyu%40cfiec.net&iconUrl=https%3A%2F%2Fmail-online.nosdn.127.net%2F997bfaaa29267122f3b7334a5d4895ce.jpg&company=%E4%B8%8B%E4%B8%80%E4%BB%A3%E4%BA%92%E8%81%94%E7%BD%91%E5%85%B3%E9%94%AE%E6%8A%80%E6%9C%AF%E5%92%8C%E8%AF%84%E6%B5%8B%E5%8C%97%E4%BA%AC%E5%B8%82%E5%B7%A5%E7%A8%8B%E7%A0%94%E7%A9%B6%E4%B8%AD%E5%BF%83%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8&position=Haisheng+Yu+%28Johnson%29&items=%5B%22%22%2C%22%22%2C%22%22%2C%22hsyu%40cfiec.net%22%2C%2213654947748%22%5D" rel="nofollow">

https://mail-online.nosdn.127.net/997bfaaa29267122f3b7334a5d4895ce.jpg">	喻海生 Haisheng Yu (Johnson)
下一代互联网关键技术和评测北京市工程研究中心有限公司 hsyu@cfiec.net 13654947748