Re: [OPSEC] [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Fri, 26 May 2023 21:37 UTC

References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <4FCF75B585A1D068+7D9B99BB-B24B-4FE8-A3FD-54877C7C1131@cfiec.net> <375ea678-b05f-7bb6-5ae2-43c54cd271f4@si6networks.com> <CALx6S34u5=2UxEz3zeApv+_-W=PTj0PzMRHS1UC=zRchqVCDyQ@mail.gmail.com> <882610dc-cf8f-e08d-8d9e-0e786097f520@si6networks.com>
In-Reply-To: <882610dc-cf8f-e08d-8d9e-0e786097f520@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 26 May 2023 14:37:06 -0700
Message-ID: <CALx6S34AnMaVyEVQxaO0b1JGbQetQvDC+xDHk6aH5vbXM-KT7A@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: "Haisheng Yu (Johnson)" <hsyu@cfiec.net>, "v6ops@ietf.org" <v6ops@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "andrew.campling@419.consulting" <andrew.campling@419.consulting>, "opsec@ietf.org" <opsec@ietf.org>, "fernando@gont.com.ar" <fernando@gont.com.ar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/r1ZRK-LVxjkXbNoWtZR80-Etf9E>
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>

On Fri, May 26, 2023 at 1:44 PM Fernando Gont <fgont@si6networks.com> wrote:
>
>
>
> On 26/5/23 18:01, Tom Herbert wrote:
> > On Fri, May 26, 2023 at 8:12 AM Fernando Gont <fgont@si6networks.com> wrote:
> [...]
> >>
> >> That said, I'm not that fine if invited to a party where, if anything, I
> >> will only pay the bills. So, I block everything that I don't use. e.g.,
> >> I have no use for EHs in any of my servers, except the pentesting boxes
> >> that I use to send weird packets to others.
> >
> > Fernando,
> >
> > If you're making that decision as the operator of a public network
> > then you are not making that decision for yourself, but you're making
>
> RFC9098.
>
> > a "big brother" decision for others and preventing permissionless
> > innovation as Brian stated nicely. I don't believe it could be claimed
> > that this is for "the good of the Internet".
>
> Companies are run to make money, not for the good of the Internet.

And IETF exists for the good of the Internet and the world's
population, not so your company can make money!

>
> And if your clients get downtime as a result of you keeping things wide
> open "for the good of the Internet", you'll likely have an interesting
> (unpleasant) conversation with your upstream management.
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
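
Fernando's position above ("I block everything that I don't use") is, on a host, an allow-list over the IPv6 extension-header chain, and the "Linux DoS" in the subject is about what it costs a receiver to walk that chain. The following is an added example written for this archive page; it is not code from Tom, Fernando, or the Linux kernel. It walks a chain using the header framing of RFC 8200 (generic EHs: Next Header plus Hdr Ext Len in 8-octet units not counting the first 8; Fragment header fixed at 8 octets) and RFC 4302 (AH: Payload Len in 4-octet units minus 2), bounds the walk, and applies a per-host allow-list. `MAX_EH_COUNT`, the allow-list choices, and every packet below are constructed assumptions for illustration, not observed traffic.

```python
"""Walk an IPv6 extension-header chain and apply an allow-list policy.

Added example; not code from the thread participants or from Linux.
Framing per RFC 8200 (generic EHs, Fragment) and RFC 4302 (AH).
MAX_EH_COUNT and the packets below are assumptions for illustration.
"""
import struct

# Protocol numbers of the headers the walker understands (IANA assignments).
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
TCP = 6
GENERIC_EH = {HOPOPT, ROUTING, DSTOPTS, MOBILITY}  # share Next Header / Hdr Ext Len framing
IPV6_HDR_LEN = 40
MAX_EH_COUNT = 4  # assumption: bound the per-packet parsing work a sender can force


def walk_chain(pkt: bytes):
    """Return (eh_types, upper_layer_proto, upper_layer_offset); raise ValueError if malformed."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = IPV6_HDR_LEN + payload_len
    if end > len(pkt):
        raise ValueError("Payload Length exceeds packet")
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while True:
        if nh in GENERIC_EH:
            if off + 2 > end:
                raise ValueError("truncated extension header")
            hdr_len = (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            hdr_len = 8
        elif nh == AH:
            if off + 2 > end:
                raise ValueError("truncated AH")
            hdr_len = (pkt[off + 1] + 2) * 4
        else:
            # ESP or an upper-layer protocol: nothing after this is walkable in clear.
            return chain, nh, off
        if len(chain) >= MAX_EH_COUNT:
            raise ValueError("too many extension headers")
        if nh == HOPOPT and chain:
            raise ValueError("Hop-by-Hop not immediately after the IPv6 header")  # RFC 8200 s4.1
        if off + hdr_len > end:
            raise ValueError("extension header runs past Payload Length")
        chain.append(nh)
        nh, off = pkt[off], off + hdr_len


def verdict(pkt: bytes, allowed_eh=frozenset()):
    """Host-side filter: drop malformed chains and any EH type not on the allow-list."""
    try:
        chain, proto, _ = walk_chain(pkt)
    except ValueError as exc:
        return "DROP", str(exc)
    rejected = [h for h in chain if h not in allowed_eh]
    if rejected:
        return "DROP", f"extension header(s) not on allow-list: {rejected}"
    return "ACCEPT", f"proto {proto} after {len(chain)} extension header(s)"


# --- constructed packets (loopback addresses, zeroed TCP stub; no real traffic) ---
LOOPBACK = bytes(15) + b"\x01"


def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + LOOPBACK * 2 + payload


def generic_eh(next_header: int, ext_len: int = 0) -> bytes:
    """Generic EH of (ext_len + 1) * 8 octets, filled with a single PadN option."""
    pad = (ext_len + 1) * 8 - 4
    return bytes([next_header, ext_len, 1, pad]) + bytes(pad)


def fragment_eh(next_header: int, ident: int = 0x1234) -> bytes:
    return bytes([next_header, 0]) + struct.pack("!HI", 0, ident)


TCP_STUB = bytes(20)
PLAIN = ipv6(TCP, TCP_STUB)
HBH_DST = ipv6(HOPOPT, generic_eh(DSTOPTS) + generic_eh(TCP) + TCP_STUB)
FRAG = ipv6(FRAGMENT, fragment_eh(TCP) + TCP_STUB)
LONG_CHAIN = ipv6(DSTOPTS, generic_eh(DSTOPTS) * 5 + generic_eh(TCP) + TCP_STUB)
HBH_LATE = ipv6(DSTOPTS, generic_eh(HOPOPT) + generic_eh(TCP) + TCP_STUB)
LYING_LEN = ipv6(HOPOPT, bytes([TCP, 5]) + bytes(6))  # claims 48 octets, carries 8


def run_demo():
    """Assumed policy: a server that must reassemble fragments but needs no other EH."""
    allow = frozenset({FRAGMENT})
    samples = [("plain", PLAIN), ("hbh_dst", HBH_DST), ("frag", FRAG),
               ("long_chain", LONG_CHAIN), ("hbh_late", HBH_LATE), ("lying_len", LYING_LEN)]
    return {name: verdict(pkt, allow)[0] for name, pkt in samples}


if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("hbh_dst", HBH_DST), ("frag", FRAG),
                      ("long_chain", LONG_CHAIN), ("hbh_late", HBH_LATE), ("lying_len", LYING_LEN)]:
        print(f"{name:11s} {verdict(pkt, frozenset({FRAGMENT}))}")
```

Two caveats a practitioner would want before copying the policy. First, an empty allow-list is "no EHs at all", which also drops the Fragment header; IPv6 fragments only via that header, so a server that must receive UDP payloads larger than the path MTU (large DNS or DNSSEC responses, for instance) needs FRAGMENT on its list. Second, ESP is treated here as the end of the walkable chain rather than as an EH, so an IPsec-terminating host keeps working under this policy, while AH is on the chain and must be explicitly allowed where it is used.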