Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
David Farmer <farmer@umn.edu> Mon, 22 May 2023 15:31 UTC
Return-Path: <farmer@umn.edu>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16305C151087 for <opsec@ietfa.amsl.com>; Mon, 22 May 2023 08:31:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQ_RF6akDHIS for <opsec@ietfa.amsl.com>; Mon, 22 May 2023 08:31:26 -0700 (PDT)
Received: from mta-p6.oit.umn.edu (mta-p6.oit.umn.edu [134.84.196.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 103CFC15108E for <opsec@ietf.org>; Mon, 22 May 2023 08:31:26 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p6.oit.umn.edu (Postfix) with ESMTP id 4QQ1d75xHzz9wJh6 for <opsec@ietf.org>; Mon, 22 May 2023 15:31:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p6.oit.umn.edu ([127.0.0.1]) by localhost (mta-p6.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JEr5cgXMF4s for <opsec@ietf.org>; Mon, 22 May 2023 10:31:23 -0500 (CDT)
Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com [209.85.208.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p6.oit.umn.edu (Postfix) with ESMTPS id 4QQ1d727Jrz9v8yF for <opsec@ietf.org>; Mon, 22 May 2023 10:31:23 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p6.oit.umn.edu 4QQ1d727Jrz9v8yF
DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p6.oit.umn.edu 4QQ1d727Jrz9v8yF
Received: by mail-ed1-f71.google.com with SMTP id 4fb4d7f45d1cf-51392d645d5so1941749a12.1 for <opsec@ietf.org>; Mon, 22 May 2023 08:31:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; t=1684769481; x=1687361481; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7ihapGl5mxaPDKg0xgm+orQIj4wSeoZvOQ4fKGz4lOI=; b=MA/vwhr5vui0zQYwLUive9WKuKJ8NF/idj/JeIv+VGeHISjCY5cDof0a2MS5tVrMVy jALkG6IPIlIURzZn3zLc6CuhlbvUxGLmB5NfwoXPlpk7pJ9ymHH7KLpPxcoDSRwUIb57 7l/L6nxxfjZ06ZoefeAdS9aOPqKnGJ2mHYMt1K3OwGl+33cy5NOJ0+6YGzTuDIdgN6gy +Y0/OHcMoMOvSmWTr/UUiVFPfaLxuB5UdqoWtQ7GTfUCvkCrGOO289if6uvIPY1WxVYD 8xsgJSr13fgNa+Un3NvjvxHzuFrFWXNfKtDc1AMCn3AAwrHAefkhA1UGRDel0SRqJirn 2kBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684769481; x=1687361481; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7ihapGl5mxaPDKg0xgm+orQIj4wSeoZvOQ4fKGz4lOI=; b=Q/HGuR8JPUUCvHgwvfaMxF8GgDIHBCW22r5XW+174MXLeLxs1slmtuYpbrjQZ0s1gI JbqeGqDnVtPl9fvFtmVst7bIb26RBZjFmJd6WVe1TAbeyXgbyYx7ySLuJ+7mqNVEFMAE uCVF0HnNWzq3ZabJkBV59bXHZOybc+FtpY9bS23bG3MrIMgJ2saIIeNky+cwKCowXm6/ M3CzERQQepV4Sa+D6JSNjotMg43HizdA2dh6AF/qEwOxA31T4UC7l9JswLHMLKAMXRaB zna88R6t5CaYnEfycl+GAYd3u7aQ3U2xHjotg4f/WYNkWg7OD/qpfB7/ysjaRo2kmIE/ 5AUw==
X-Gm-Message-State: AC+VfDyNjPCRpB+ikv019dfkNKlnj4kTF6gkEMLxEYsnYiZ/aLG1n0tC glw3dURz6o96nNampGvmEhgAN8hAt6PCyruUZ8jyXALuxy8tXXqVrCuEhQjVN3U7jy537PDUmEP NSM15SGtYY/amsTKEW+MjnJeIlA==
X-Received: by 2002:aa7:c45a:0:b0:50b:c380:a929 with SMTP id n26-20020aa7c45a000000b0050bc380a929mr8383840edr.10.1684769480633; Mon, 22 May 2023 08:31:20 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ6c3rsOLbokXR5UFVazA2j/SII5Hiq+sdlEZ4oH07XcDuYoE1j0gN+pTDXkw0YkioamPRW6KooS7hykCq5fnyw=
X-Received: by 2002:aa7:c45a:0:b0:50b:c380:a929 with SMTP id n26-20020aa7c45a000000b0050bc380a929mr8383808edr.10.1684769480057; Mon, 22 May 2023 08:31:20 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com>
In-Reply-To: <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Mon, 22 May 2023 10:31:03 -0500
Message-ID: <CAN-Dau3MLvK2A_Rt_TnXqZY-zOR12NhF-16tKDv4E4s9qR1D_Q@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Fernando Gont <fernando@gont.com.ar>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
Content-Type: multipart/alternative; boundary="000000000000633b9e05fc49f69f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/Gi_DQv4ga1zU-IUbzak-Btfp06A>
Subject: Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 15:31:30 -0000
On Sun, May 21, 2023 at 4:29 PM Brian E Carpenter < brian.e.carpenter@gmail.com> wrote: > On 21-May-23 21:33, Fernando Gont wrote: > > Typically. whoever runs the destination AS or network. Or the transit > > AS, if the packets will affect the transit AS. > > And there's the problem. The operator of a large network cannot possibly > know which extension headers every host on the network needs. It's > called permissionless innovation, and is supposed to be one of the main > success factors for the Internet. > While "permissionless innovation" remains important. However, particularly over the last 25 years, we also think "security" and "privacy" are at least equally important and can not be sacrificed to "permissionless innovation." That being said, we MUST balance these multiple priorities. which means we can not completely sacrifice "permissionless innovation" to "security" and "privacy" either. > Well, yes, there's no big brother making decisions about mine or your > > networks' policies.... hence everyone makes decisions independently. > > From the point of view of hosts, there is an anonymous Big Brother, the > moment that any upstream operator blocks a wanted extension header. > We need to be careful not to speak in absolutes here; it is neither appropriate to allow or require all possible EHs nor deny or prohibit all possible EHs. Fernando has admitted at least some EHs are necessary, and Tom's Draft defines where certain invalid or impracticably large EH constructs can and should be dropped. There needs to be sufficient nuance and practicality involved in the conversation; It is unhelpful to portray opposing arguments as extreme strawmen. 1. Certain EH constructs SHOULD never be allowed; we need reasonable and practical limits; I think Tom's draft makes significant progress here. 2. Certain EHs SHOULD be allowed in certain places and SHOULD NOT be allowed in others; this thread is at least a good starting point for some recommendations along these lines. 3. Certain EHs almost always need to be allowed; these need to be enumerated similarly to RFC 4890 for ICMPv6. Dropping EHs just because they are unknown, especially by transit providers, probably isn't appropriate in most situations. Dropping unknown EHs by a host or by a middlebox very close to the host could be appropriate, at least in some situations. Nevertheless, that doesn't mean there are no EHs that it is appropriate for transit providers to drop. > > (IN a way that's why QUIC runs on top of UDP ... although in the case of > > QUIC, I bet it has more to do with NATs thatn with explicit firewalling) > > It's to do with *any* barrier to IP layer transparency. This is a very > basic tussle in the architecture. So, a default deny inbound policy is fairly well accepted for client hosts behind a stateful firewall and/or NAT. This doesn't mean communication between two such clients is impossible, but that such communication needs to be directly or indirectly mediated through a third-party server, often referred to as firewall traversal. Similarly, we should think about techniques for hosts wanting the communicate using EHs that are not allowed on the network path between them. Maybe call this EH traversal, and it likely involves a tunnel or encapsulating the packet with the unknown EHs between the two hosts. I'll note that adding EHs in flight is not allowed, and a common technique is to add a new IPv6 header with the new EHs encapsulating the old packet. Thanks -- =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================
- [OPSEC] Why folks are blocking IPv6 extension hea… Fernando Gont
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Ted Lemon
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Jen Linkova
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Vasilenko Eduard
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Andrew Campling
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Andrew Campling
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [OPSEC] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Dale W. Carder
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Ackermann, Michael
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Xipengxiao
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Michael McBride
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Ackermann, Michael
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Fernando Gont
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Brian E Carpenter
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Ole Troan
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Haisheng Yu
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Andrew Campling
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Bob Natale
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Tom Herbert
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Ole Troan
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [OPSEC] [EXT] Re: [v6ops] [IPv6] Why folks ar… Bob Natale
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… David Farmer
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Tom Herbert
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Michael Richardson
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Ole Trøan
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Ole Troan
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Tom Herbert
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… David Farmer
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Fernando Gont
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Tom Herbert
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Ole Troan
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Fernando Gont
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Fernando Gont
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Tom Herbert
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Tom Herbert
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Michael Richardson
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Brian E Carpenter
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… hsyu
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Fernando Gont
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Manfredi (US), Albert E
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Fernando Gont
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Arnaud Taddei
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Vasilenko Eduard
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Arnaud Taddei
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Vasilenko Eduard
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Arnaud Taddei
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Manfredi (US), Albert E
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Brian E Carpenter
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Manfredi (US), Albert E
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Bob Natale
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Haisheng Yu
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Warren Kumari
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Ole Troan
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Warren Kumari
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Fernando Gont
- Re: [OPSEC] [IPv6] [v6ops] [EXTERNAL] Re: Why fol… Fernando Gont
- Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking… Fernando Gont
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Fernando Gont
- Re: [OPSEC] [IPv6] [v6ops] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Tom Herbert
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Fernando Gont
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Clark Gaylord
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Tom Herbert
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Fernando Gont
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Manfredi (US), Albert E
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Brian E Carpenter
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Brian E Carpenter
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Tom Herbert
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Manfredi (US), Albert E
- Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why fol… Andrew Alston
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Tom Herbert
- Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why fol… Andrew Campling
- Re: [OPSEC] [IPv6] [EXTERNAL] Re: [v6ops] Why fol… Tom Herbert
- Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking… Dirk Trossen
- Re: [OPSEC] [IPv6] [EXTERNAL] Re: [v6ops] Why fol… Mike Simpson
- Re: [OPSEC] [IPv6] [EXTERNAL] Re: [v6ops] Why fol… Haisheng Yu
- Re: [OPSEC] [IPv6] [EXTERNAL] Re: [v6ops] Why fol… Nick Hilliard
- Re: [OPSEC] [IPv6] [EXTERNAL] Re: [v6ops] Why fol… Fernando Gont
- Re: [OPSEC] [IPv6] [EXTERNAL] Re: [v6ops] Why fol… Bob Natale