Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Thu, 18 May 2023 14:53 UTC

Date: Thu, 18 May 2023 14:53:17 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Nick Buraglio <buraglio@forwardingplane.net>
Cc: Andrew Campling <andrew.campling@419.consulting>, Fernando Gont <fgont@si6networks.com>, V6 Ops List <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>, opsec WG <opsec@ietf.org>
Message-ID: <1200504588.3592661.1684421597958@mail.yahoo.com>
In-Reply-To: <CAGB08_djDtrFRY37ZTH_draGLTxM3vO7bMfT6YyyKFrTH_Tx5w@mail.gmail.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CWXP265MB515321A0E0A91CD66260C26CC27F9@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CALx6S35py1b6EyS3UeT8JvgwN-w8wBtprCn9OJSCS-nvfQ_L-A@mail.gmail.com> <CAGB08_djDtrFRY37ZTH_draGLTxM3vO7bMfT6YyyKFrTH_Tx5w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/E1rpW9Z3jKiH6Fskt9p0WeS5BHs>

Nick,
> neither really have use cases

I think a use cases document is a great idea!  Although, IMHO one of the points of extension headers is that they can be used to extend the protocol for purposes which we cannot think of today!
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360 

    On Thursday, May 18, 2023 at 07:49:50 AM PDT, Nick Buraglio <buraglio@forwardingplane.net> wrote:  
 
 Is there any document that details the current operational best practices or explains the EH options and use cases in a succinct document? I didn't find one (although I did not look terribly hard). If not, that sounds like an opportunity to work through them and create one, perhaps? Nalini has a deep dive study here https://www.ietf.org/archive/id/draft-elkins-v6ops-eh-deepdive-fw-01.html and https://datatracker.ietf.org/doc/draft-elkins-v6ops-eh-deepdive-cdn/ but I wasn't able to find a list with some use cases akin to the ND considerations draft here https://datatracker.ietf.org/doc/draft-ietf-v6ops-nd-considerations/. RFC7045 has a decent, and RFC2460 explains what they are, but neither really has use cases. 
nb
On Thu, May 18, 2023 at 9:33 AM Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:

On Thu, May 18, 2023 at 7:24 AM Andrew Campling
<andrew.campling@419.consulting> wrote:
>
> I wonder if part of the issue here is that insufficient attention is being given to operational security matters and too much weight is given to privacy in protocol development, irrespective of the security implications (which is of course ultimately detrimental to security anyway)?

Andrew,

There is work being done to address the protocol "bugs" of extension
headers. See 6man-hbh-processing and 6man-eh-limits for instance.

Tom

>
> Andrew
>
>
> From: OPSEC <opsec-bounces@ietf.org> on behalf of Fernando Gont <fgont@si6networks.com>
> Sent: Thursday, May 18, 2023 2:19 pm
> To: David Farmer <farmer@umn.edu>; Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
> Cc: 6man@ietf.org <6man@ietf.org>; V6 Ops List <v6ops@ietf.org>; opsec WG <opsec@ietf.org>
> Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
>
> Hi, David,
>
> On 18/5/23 02:14, David Farmer wrote:
> >
> >
> > On Wed, May 17, 2023 at 13:57 Tom Herbert
> > <tom=40herbertland.com@dmarc.ietf.org
> > <mailto:40herbertland.com@dmarc.ietf.org>> wrote:
> [...]
> >
> > Maximum security is rarely the objective, I by no means have maximum
> > security at my home. However, I don’t live in the country where some
> > people still don’t even lock their doors. I live in a city, I have
> > decent deadbolt locks and I use them.
> >
> [....]
> >
> > So, I’m not really happy with the all or nothing approach the two of you
> > seem to be offering for IPv6 extension headers, is there something in
> > between? If not, then maybe that is what we need to be working towards.
>
> FWIW, I'm not arguing for a blank "block all", but rather "just allow
> the ones you really need" -- which is a no brainer. The list you need
> is, maybe Frag and, say, IPsec at the global level? (from the pov of
> most orgs).
>
> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).)
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
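For readers who want to see what the "just allow the ones you really need" policy from Fernando's message looks like when applied to packets, the following is an added example written for this archive page; it is not code from anyone in the thread, and it stands in for a real firewall rule set. It walks the IPv6 extension-header chain, allows Fragment, AH and ESP from anywhere, allows Hop-by-Hop only when the packet stays on the local link (link-local source, link-local or link-scope multicast destination, which is what MLD does), drops every other extension header, and also drops chains longer than a fixed count in the spirit of the 6man-eh-limits work. The sample packets, the chain limit of three, and the on-link test are constructed here for illustration; the next-header numbers and header length rules come from the IPv6 specifications.

```python
"""Allow-list filter for IPv6 extension headers (added example, not from the thread).

Policy illustrated: Fragment/AH/ESP allowed globally, Hop-by-Hop only on the
local link, everything else dropped, and long header chains dropped.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
# Next Header values (IANA protocol numbers).
NH_HOPOPT, NH_ROUTING, NH_FRAG, NH_ESP, NH_AH, NH_DSTOPTS = 0, 43, 44, 50, 51, 60
NH_TCP, NH_UDP, NH_ICMPV6 = 6, 17, 58
EXT_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_FRAG, NH_ESP, NH_AH, NH_DSTOPTS}
GLOBALLY_ALLOWED = {NH_FRAG, NH_ESP, NH_AH}
MAX_EH_COUNT = 3  # constructed limit for this example; tune to local policy


def parse_eh_chain(pkt: bytes):
    """Walk the header chain; return (src, dst, [ext header types], upper-layer proto).

    Raises ValueError on malformed input or when the chain exceeds MAX_EH_COUNT.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    off = IPV6_HDR_LEN
    chain = []
    while nh in EXT_HEADERS:
        if len(chain) >= MAX_EH_COUNT:
            raise ValueError("extension header chain too long")
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        if nh == NH_ESP:
            return src, dst, chain, NH_ESP  # everything after ESP is encrypted
        if nh == NH_FRAG:
            hdr_len = 8  # Fragment header is fixed size
        elif nh == NH_AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH Payload Len: 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units, first excluded
        nh = pkt[off]
        off += hdr_len
    return src, dst, chain, nh


def on_local_link(src: ipaddress.IPv6Address, dst: ipaddress.IPv6Address) -> bool:
    """Constructed on-link test: link-local source, link-local or ff02::/16 destination."""
    link_scope_mcast = dst.is_multicast and (dst.packed[1] & 0x0F) == 2
    return src.is_link_local and (dst.is_link_local or link_scope_mcast)


def decide(pkt: bytes) -> str:
    """Return 'accept' or 'drop: <reason>' for one packet under the allow-list policy."""
    try:
        src, dst, chain, _ = parse_eh_chain(pkt)
    except ValueError as exc:
        return f"drop: {exc}"
    for eh in chain:
        if eh in GLOBALLY_ALLOWED:
            continue
        if eh == NH_HOPOPT and on_local_link(src, dst):
            continue
        return f"drop: extension header {eh} not allowed for this scope"
    return "accept"


def build_ipv6(src: str, dst: str, nh: int, payload: bytes) -> bytes:
    """Construct a minimal IPv6 packet (version 6, hop limit 64) for the samples below."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


# Constructed sample packets (option contents are placeholders, not real MLD/TCP data).
HBH_ROUTER_ALERT = b"\x3a\x00\x05\x02\x00\x00\x01\x00"   # next=ICMPv6, RA option + Pad1s
MLD_REPORT = build_ipv6("fe80::1", "ff02::16", NH_HOPOPT, HBH_ROUTER_ALERT + b"\x8f\x00" + b"\x00" * 6)
HBH_GLOBAL = build_ipv6("2001:db8::1", "2001:db8::2", NH_HOPOPT, HBH_ROUTER_ALERT + b"\x8f\x00" + b"\x00" * 6)
FRAGMENTED_UDP = build_ipv6("2001:db8::1", "2001:db8::2", NH_FRAG, b"\x11\x00\x00\x01\x00\x00\x00\x2a" + b"\x00" * 8)
ROUTING_GLOBAL = build_ipv6("2001:db8::1", "2001:db8::2", NH_ROUTING, b"\x06\x00\x00\x00\x00\x00\x00\x00" + b"\x00" * 20)
DSTOPT = b"\x3c\x00\x01\x04\x00\x00\x00\x00"            # next=DstOpts, one PadN option
DEEP_CHAIN = build_ipv6("2001:db8::1", "2001:db8::2", NH_DSTOPTS, DSTOPT * 3 + b"\x06" + DSTOPT[1:] + b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in [("MLD_REPORT", MLD_REPORT), ("HBH_GLOBAL", HBH_GLOBAL),
                      ("FRAGMENTED_UDP", FRAGMENTED_UDP), ("ROUTING_GLOBAL", ROUTING_GLOBAL),
                      ("DEEP_CHAIN", DEEP_CHAIN)]:
        print(f"{name:15s} {decide(pkt)}")
```

The on-link test is deliberately narrow: a Hop-by-Hop packet with a global source is dropped even if its destination is ff02::/16, because nothing legitimate on the link should be sourcing link-scope multicast from a global address. Chain-length enforcement happens inside the walker rather than after it so that a deliberately long chain is rejected before any per-header work is done.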