IETF Logo Mail Archive

Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Thu, 25 May 2023 14:25 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBA32C151554 for <opsec@ietfa.amsl.com>; Thu, 25 May 2023 07:25:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXhuJUTruBIR for <opsec@ietfa.amsl.com>; Thu, 25 May 2023 07:25:07 -0700 (PDT)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDA62C13AE4B for <opsec@ietf.org>; Thu, 25 May 2023 07:25:07 -0700 (PDT)
Received: by mail-pl1-x631.google.com with SMTP id d9443c01a7336-1ae50da739dso10821005ad.1 for <opsec@ietf.org>; Thu, 25 May 2023 07:25:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1685024707; x=1687616707; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=xrr6LU6iE4Wz/rJ7WqmBawSn5cYQQO0ovQG5iED7jqU=; b=Dhq6KX+hfRmCYxlJPGypEaeH70xPuSJ36fAbLQlXwpRyHpq2FjzLubIPwzLciS2PCZ RIJW93mOQfhW82G7anfvSiObNAzCUBVy/oAqFaqQR53FIeCqwbPxSDx9ZeA6nmmaKPjL KZj6TQ4Q7fkb/YZJko2RSOgHX/fZSgqJdtRXEHY2/1r4j3IqfN9YFHs+y7L+HoY/DBzO iUHhvTJENf1f/EWWHuiP6H+CuuYlZJwGJYPBuHpJqZB9ciF8DAIrzRVJtHAZVOAk2H/H GCnBXmkMmglDFymFwxJ0F1vqV219ippZOu/oW9Ww87SLSLoGxQAWRDPn28A2wI5ItzlX OnBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685024707; x=1687616707; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xrr6LU6iE4Wz/rJ7WqmBawSn5cYQQO0ovQG5iED7jqU=; b=B3Y8fF0J21FX2r/EZESmZGXXMRN75IQmeC8LYYkIAW2XTUJ3VkEkrs+NJJYmiNApFg s2R3lJKm7GVChGXptMPeSY4hu672vjr4gbzZuDrgevtiXdMoguhI2rCBgvWkXMG1S0vD XDpjkMI81nB6lQ4UDuzKEMIdE4pNoviuEbHYCk7rYd88rhkEaSRgeMEZr80D399tdgMU k74ZX4fG6xsJHLBWF4vdiYvPJSPhgJJYGi1paOUeyEgmKjErF7cnJubOGOXkvoYGNpGZ A9M9Zhoz4nsjFiMlUGoEKWejEwhkvzMNhi08LX7nztvT1o6Hn5+TdalOyX7sfZnuGwTJ YiTw==
X-Gm-Message-State: AC+VfDwC9kdpJm4ZWcO3Xegfmf/BC6bk9RcHKowVeZIhMIEC7kMe35AF jIajBZCqQm3/7429l2dHgNilAcgMaoZ774q+oC0eJA==
X-Google-Smtp-Source: ACHHUZ6O7xHUmKpdI/GU8kX6rmtwEv7hONduDeAauhyFPOeauYZ20rUHJo44sCFK+vUUbFfwbdjGJY7lAYtOWEd46Z4=
X-Received: by 2002:a17:903:10c:b0:1a9:40d5:b0ae with SMTP id y12-20020a170903010c00b001a940d5b0aemr1650648plc.12.1685024706707; Thu, 25 May 2023 07:25:06 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com>
In-Reply-To: <72784f8e65f34bcc9f5652c0a553c70c@boeing.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 25 May 2023 07:24:53 -0700
Message-ID: <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com>
To: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/R127RgW4mKkUY3cWjosbAHg3h-A>
Subject: Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2023 14:25:12 -0000

On Wed, May 24, 2023 at 6:02 PM Manfredi (US), Albert E
<albert.e.manfredi@boeing.com> wrote:
>
> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Fernando Gont
>
> > Given the amount of things that get connected to the Net (smart bulbs, refrigerators, etc.) -- and that will super-likely never receive security updates, you may have to **rely on your own network**.
> >
> > For instance, I wouldn't have my smart TV "defend itself".
>
> Agreed, "on your own network." From the viewpoint of a household, whatever network defense has to be behind that household's router, for it to be credible, and preferably right in each host. Yeah, some IoT devices may not be updated regularly.

Bert,

It's more than a preference to have host security, it is an absolute
requirement that each host provides security for its applications and
users. This requirement applies to SmartTVs, SmartPhones, home
computers, and pretty much all the several billion end user devices
connected to the Internet. No host device would ever assume that the
network consistently provides any adequate level of security, for real
security we need to assume that the host is the first and last line of
defense (i.e. zero trust model).

Tom


>
> The ISP has to worry about protecting that ISP's own network. Households have to be responsible for protecting their household's network. (And connected TVs do get regular software updates, as a matter of fact.)
>
> No one would trust their online banking transactions on an ISP's network protections, for example.
>
> Bert
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email