IETF Logo Mail Archive

Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Arnaud Taddei <arnaud.taddei@broadcom.com> Thu, 25 May 2023 07:21 UTC

Return-Path: <arnaud.taddei@broadcom.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37ECCC03212E for <v6ops@ietfa.amsl.com>; Thu, 25 May 2023 00:21:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E5NRgJDX6PKT for <v6ops@ietfa.amsl.com>; Thu, 25 May 2023 00:21:15 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB801C151B0C for <v6ops@ietf.org>; Thu, 25 May 2023 00:21:14 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id 4fb4d7f45d1cf-50bcb4a81ceso3730228a12.2 for <v6ops@ietf.org>; Thu, 25 May 2023 00:21:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1684999273; x=1687591273; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=qGd9Li2GJhIOYOqazOFfBlRvGmdm779uTBXwllE/5YI=; b=UNx8xRL1bz/2FecchZ6596WUNyJLV4OEAINzvUNziSk7Xr88coorDFD8bctxte8ApN kCMUEHCfVjJgZDWPfnQGVOi0GGccHvOlxAvuINm6esW1yoBN5llgm9Hvm7qkU3ApLeFu mAWY+Of3alXB+BSzWz7W9YegQn08t6O4t6U2I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684999273; x=1687591273; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=qGd9Li2GJhIOYOqazOFfBlRvGmdm779uTBXwllE/5YI=; b=WhHFGGJa4utcSsJqQj5UnECh3JNiebg/CQ6cfxEqz97YosgZIVvdWzX1bss7aYly0W dIT9gPiC7Q1Ojma/0o3ui3/JKqHWLjL3MHoB9n0f2G3TGNZ5+rpgUWWqcbs3Lo0JWDNk atVrfFi2aBRwZaqeJ6MemsnLOewvPyxV8rWUcv8lxTEOEQOQjkU1tr0qM+iXKtIrrC0n sKGpWJmISwCQxBmyms8Xeu3kGAfkJSJAqsTMTAXJOq39pG3Vh729zG195HJbC/D24s7a tFJ9Gh9jDAE1Dh2c6WfKKLyl70riZTJx0petB4DqQxV4iow+I4hxLdzJnwwTWaA/uABW wNAA==
X-Gm-Message-State: AC+VfDw2W1xNXP1D3kF6eVYT4ff1t/NsK5b2trNTkvTfiJtUhJTNNwOz nPNVBYO5nlhuzCeJ2PMAYe4/R5aNGyWLQkfRBE9ZulXkrYP1aF+OEHh3kGwktbRHpSLKD/6O
X-Google-Smtp-Source: ACHHUZ4ePDo+4gE1OmxW17ROYZ+Ua4Ge/u4Q8PnCFTHg0WKrb07yyk314LLueAlVn2ZT5jdx9Crdbg==
X-Received: by 2002:a17:906:d54a:b0:96f:cde5:5f5e with SMTP id cr10-20020a170906d54a00b0096fcde55f5emr780772ejc.29.1684999273029; Thu, 25 May 2023 00:21:13 -0700 (PDT)
Received: from smtpclient.apple ([178.197.198.212]) by smtp.gmail.com with ESMTPSA id ja8-20020a170907988800b00961277a426dsm432010ejc.205.2023.05.25.00.21.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 25 May 2023 00:21:12 -0700 (PDT)
From: Arnaud Taddei <arnaud.taddei@broadcom.com>
Message-Id: <402D5736-9E62-4166-8309-6051E9749EE3@broadcom.com>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
Date: Thu, 25 May 2023 09:21:00 +0200
In-Reply-To: <be71e1ef87ac4a27b776104bc43f7efc@huawei.com>
Cc: Fernando Gont <fgont@si6networks.com>, "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
To: Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com> <1cf9c93b-32db-6d30-9ea9-951172587a9a@si6networks.com> <588C62B7-0FA1-4C3F-8EE2-1CB58A667407@broadcom.com> <f42e5db6d0ad4ed284c7ae9c4d6abecb@huawei.com> <5057DFBA-3593-4939-8C92-7B6C58DDFA04@broadcom.com> <be71e1ef87ac4a27b776104bc43f7efc@huawei.com>
X-Mailer: Apple Mail (2.3731.500.231)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000024de2805fc7f7701"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/2JTTEj4bbAQadnBpMH9yqblKhcs>
Subject: Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2023 07:21:19 -0000

Ok Eduard I recognise a bit of the epidermic reaction (after all I am half latin blood) and missed the telco context because I see the drama in enterprise context every single day!

Now ironically the example I took below was a telco!

But I buy your point … all good

> On 25 May 2023, at 07:58, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org> wrote:
> 
> Hi Arnaud,
> It is a good point that Enterprises have much more serious attention to security. But Telco is not so much paranoid about security.
> The last initiative in this WG is about “to push Telco to tolerate all EHs”. The context of this discussion is more about Telco.
>  
> > The additional cost you can find ways to write them off
> In the majority of cases “No”. Because tests could not be free, support could not be free either. Performance penalty may be close to Zero (only a small loss of bandwidth) – depending on the EH type (maybe a 2x drop of performance because of recirculation).
>  
> > the ‘additional cost’ and the ’security risk’ are not symmetric at all.
> Yes, it is an apple and orange comparison. But both exist, and both may be discussed.
>  
> Ed/
> From: Arnaud Taddei [mailto:arnaud.taddei=40broadcom.com@dmarc.ietf.org] 
> Sent: Thursday, May 25, 2023 8:47 AM
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Cc: Fernando Gont <fgont@si6networks.com>; Manfredi (US), Albert E <albert.e.manfredi@boeing.com>; IPv6 Operations <v6ops@ietf.org>; 6man <ipv6@ietf.org>; opsec@ietf.org
> Subject: Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
>  
> +1 just that the ‘additional cost’ and the ’security risk’ are not symmetric at all.
>  
> The additional cost you can find ways to write them off
>  
> The security risk is much more damaging because it is a compliancy risk (think DORA for the FSI in EU), a reputation risk that is now captured by credit rating agencies, a revenue risk, a  stock rating agencies (your stock will drop), insurance ratings, etc. and 1) it is getting substantial and 2) it is even existential with a few examples that some organizations literally lost e.g. an MNO of €1.3B and 30 years of existence (only survived by 1 backup link), etc
>  
> On 25 May 2023, at 07:21, Vasilenko Eduard <vasilenko.eduard=40huawei.com@dmarc.ietf.org <mailto:vasilenko.eduard=40huawei.com@dmarc.ietf.org>> wrote:
>  
> IMHO: Fernando comes here with a good example (EH DoS). Security is a good reason to block EHs.
> But for business, every feature should be tested, supported, and somebody should pay an additional performance penalty.
> I am not sure which reason is bigger: additional cost or security risk. It depends on the organization type.
> Ed/
> -----Original Message-----
> From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Arnaud Taddei
> Sent: Thursday, May 25, 2023 8:12 AM
> To: Fernando Gont <fgont@si6networks.com <mailto:fgont@si6networks.com>>
> Cc: Manfredi (US), Albert E <albert.e.manfredi@boeing.com <mailto:albert.e.manfredi@boeing.com>>; IPv6 Operations <v6ops@ietf.org <mailto:v6ops@ietf.org>>; 6man <ipv6@ietf.org <mailto:ipv6@ietf.org>>; opsec@ietf.org <mailto:opsec@ietf.org>
> Subject: Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
> 
> Would like to support Fernando again, and not just because I have a Sony TV too. 
> 
> Cybersecurity is in such a bad state that I can only plea for a sense of realism and pragmatism vs dogmatism to get real solutions at hand to the defenders practitioners
> 
> If not I will ask people here to consider spending a week in a Security Operation Center when there is a Ransomware breaking up 
> 
> Fernando’s paper intentions will be appreciated by the defenders  
> 
> 
> 
> 
> On 25 May 2023, at 03:07, Fernando Gont <fgont@si6networks.com <mailto:fgont@si6networks.com>> wrote:
> 
> 
> 
> On 25/5/23 02:01, Manfredi (US), Albert E wrote:
> 
> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org <mailto:ipv6-bounces@ietf.org>> On Behalf Of Fernando Gont
> 
> Given the amount of things that get connected to the Net (smart bulbs, refrigerators, etc.) -- and that will super-likely never receive security updates, you may have to **rely on your own network**.
> 
> For instance, I wouldn't have my smart TV "defend itself".
> Agreed, "on your own network." >From the viewpoint of a household, whatever network defense has to be behind that household's router, for it to be credible, and preferably right in each host. Yeah, some IoT devices may not be updated regularly.
> 
> So, that's why people block them at the edge.
> 
> (just the messenger)
> 
> 
> 
> 
> The ISP has to worry about protecting that ISP's own network. 
> 
> That's e.g. where RFC9098 comes in, with notes on why they are dropped in places other than the edge network.
> 
> 
> 
> 
> Households have to be responsible for protecting their household's 
> network. (And connected TVs do get regular software updates, as a 
> matter of fact.)
> 
> I guess it all depends on the TV? e.g., I for one I'm not planning to throw it out just because Sony decided to quit pushing updates (which were never automatic for my set).
> 
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com <mailto:fgont@si6networks.com>
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org <mailto:OPSEC@ietf.org>
> https://www.google.com/url?q=https://www.google.com/url?q%3Dhttps://www.ietf.org/mailman/listinfo/ops&source=gmail-imap&ust=1685596906000000&usg=AOvVaw1SaRszq_Trn0SZdoxCGfAf <https://www.google.com/url?q=https://www.google.com/url?q%3Dhttps://www.google.com/url?q%253Dhttps://www.ietf.org/mailman/listinfo/ops%26source%3Dgmail-imap%26ust%3D1685596906000000%26usg%3DAOvVaw1SaRszq_Trn0SZdoxCGfAf&source=gmail-imap&ust=1685599164000000&usg=AOvVaw1Ks-hcGIE31wbUUcpZphiX>
> ec&source=gmail-imap&ust=1685581681000000&usg=AOvVaw2CR1KLp2V-YO9ZOvhw
> rWtn
> 
> 
> --
> This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.
>  
> 
> This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.


-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.

v2.23.0 | Report a Bug | By Email