Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Nick Buraglio <buraglio@forwardingplane.net> Thu, 18 May 2023 14:49 UTC
Return-Path: <nick@buraglio.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA90EC15199A for <v6ops@ietfa.amsl.com>; Thu, 18 May 2023 07:49:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.646
X-Spam-Level:
X-Spam-Status: No, score=-6.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=forwardingplane-net.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XL4X_nxErNC9 for <v6ops@ietfa.amsl.com>; Thu, 18 May 2023 07:49:33 -0700 (PDT)
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E058EC1516F3 for <v6ops@ietf.org>; Thu, 18 May 2023 07:49:33 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id 98e67ed59e1d1-24df4ecdb87so1505453a91.0 for <v6ops@ietf.org>; Thu, 18 May 2023 07:49:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forwardingplane-net.20221208.gappssmtp.com; s=20221208; t=1684421373; x=1687013373; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=P0JP5fPXaJ/l2PjYqOFBOpwFOtY2bK5VmjxTwwUMixY=; b=x/X7BUNRLzQT2wzjZBtC9bNIuBc7bD8eWD1Mn8lXfC3vebro0Ewsxt47snbPNc0PNN DqswuBtGsZbFXPGn7Er7jHjMXR88j4AWD7iPwI/QS3lzoWUtchibg5p4rmQk14voZEA3 WXu0arae+d3lybPXXoKHoD1Ds5Hq2biqmssPM5tD4LTJpWrQ8zH305qYzkyJTveJhzuY CFiGbLYe1/uINj68AbcXXTLveUZkppgPJ+PAODRM3167IVlzZBBVbCtD2YmNuTRLWumF 2n9AgEOg7OlkAu2V2/7ephW7E2iqUSatuoHIg4ONPtPz9gYPAlES8hw8KQ5BnMQP40rn rkzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684421373; x=1687013373; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=P0JP5fPXaJ/l2PjYqOFBOpwFOtY2bK5VmjxTwwUMixY=; b=PoSm38WBjBJw0JIJOEvDaA0xubL27YlrmbjyT469duGr3WQA5tuK7J5XKNdqsDilFI BXZKd4kSpqXkSx6ZYFezyzM9gqRE+75X/0EDgswVaUEEjmJCX9uCWD/oJA0lChFkLmFw nOxuAmyCgmoKdvyRqjsAhMSpb3zHISBlniGGnNTJh+MxafCbXNrqCp81I99prfZiXP8G /yEIN+KjBD61c2rnRlXrHZsLcHz9bhghNf7ahWr3K9FxawBV4RGx+V589zOlQTfSlBpJ pPERJv86J/1RBbH8MPZ7scvazt/e3ZWoFmlbKChNUBhj3fDDMb7hGuAY8eJ3U7+2xhdy 5CQg==
X-Gm-Message-State: AC+VfDyDi6+Q/P+1kaEpYOKjDOyfQ3BBvBYRYHWMoaWtLfxAfAC3+rK9 /lUIKHhUVvGmb+HofEoUT+AJenpR303Zb68ZiUN/8g==
X-Google-Smtp-Source: ACHHUZ4XS0ivXXs+lYpwz5+qmFF9nTllv4MqPUiua3YttgTJwtBUCMZvMqJnHvk1ZOwd/jFZv3dqT7vVYrxuks8cIfk=
X-Received: by 2002:a17:90a:cb81:b0:24c:df8:8efa with SMTP id a1-20020a17090acb8100b0024c0df88efamr2656005pju.39.1684421372628; Thu, 18 May 2023 07:49:32 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CWXP265MB515321A0E0A91CD66260C26CC27F9@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CALx6S35py1b6EyS3UeT8JvgwN-w8wBtprCn9OJSCS-nvfQ_L-A@mail.gmail.com>
In-Reply-To: <CALx6S35py1b6EyS3UeT8JvgwN-w8wBtprCn9OJSCS-nvfQ_L-A@mail.gmail.com>
From: Nick Buraglio <buraglio@forwardingplane.net>
Date: Thu, 18 May 2023 09:49:21 -0500
Message-ID: <CAGB08_djDtrFRY37ZTH_draGLTxM3vO7bMfT6YyyKFrTH_Tx5w@mail.gmail.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
Cc: Andrew Campling <andrew.campling@419.consulting>, Fernando Gont <fgont@si6networks.com>, V6 Ops List <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>, opsec WG <opsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000916e9505fbf8e97c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/3GBos6wrNDtc9y_HEWlpOAUkwbo>
Subject: Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2023 14:49:34 -0000
Is there any document that details the current operational best practices or explains the EH options and use cases in a succinct document? I didn't find one (although I did not look terribly hard). If not, that sounds like an opportunity to work through them and create one, perhaps? Nalani has a deep dive study here https://www.ietf.org/archive/id/draft-elkins-v6ops-eh-deepdive-fw-01.html and https://datatracker.ietf.org/doc/draft-elkins-v6ops-eh-deepdive-cdn/ but I wasn't able to find a list with some use cases akin to the ND considerations draft here https://datatracker.ietf.org/doc/draft-ietf-v6ops-nd-considerations/ RFC7045 has a decent, and RFC2460 explains what they are but neither really have use cases. nb On Thu, May 18, 2023 at 9:33 AM Tom Herbert <tom= 40herbertland.com@dmarc.ietf.org> wrote: > On Thu, May 18, 2023 at 7:24 AM Andrew Campling > <andrew.campling@419.consulting> wrote: > > > > I wonder if part of the issue here is that insufficient attention is > being given to operational security matters and too much weight is given to > privacy in protocol development, irrespective of the security implications > (which is of course ultimately detrimental to security anyway)? > > Andrew, > > There is work being done to address the protocol "bugs" of extension > headers. See 6man-hbh-processing and 6man-eh-limits for instance. > > Tom > > > > > Andrew > > > > > > From: OPSEC <opsec-bounces@ietf.org> on behalf of Fernando Gont < > fgont@si6networks.com> > > Sent: Thursday, May 18, 2023 2:19 pm > > To: David Farmer <farmer@umn.edu>; Tom Herbert <tom= > 40herbertland.com@dmarc.ietf.org> > > Cc: 6man@ietf.org <6man@ietf.org>; V6 Ops List <v6ops@ietf.org>; opsec > WG <opsec@ietf.org> > > Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension > headers? (Episode 1000 and counting) (Linux DoS) > > > > Hi, David, > > > > On 18/5/23 02:14, David Farmer wrote: > > > > > > > > > On Wed, May 17, 2023 at 13:57 Tom Herbert > > > <tom=40herbertland.com@dmarc.ietf.org > > > <mailto:40herbertland.com@dmarc.ietf.org>> wrote: > > [...] > > > > > > Maximum security is rarely the objective, I by no means have maximum > > > security at my home. However, I don’t live in the country where some > > > people still don’t even lock there doors. I live in a a city, I have > > > decent deadbolt locks and I use them. > > > > > [....] > > > > > > So, I’m not really happy with the all or nothing approach the two of > you > > > seem to be offering for IPv6 extension headers, is there something in > > > between? If not, then maybe that is what we need to be working towards. > > > > FWIW, I[m not arguing for a blank "block all", but rather "just allow > > the ones you really need" -- which is a no brainer. The list you need > > is, maybe Frag and, say, IPsec at the global level? (from the pov of > > most orgs). > > > > (yeah... HbH and the like are mostly fine for the local link (e.g. MLD). > > > > Thanks, > > -- > > Fernando Gont > > SI6 Networks > > e-mail: fgont@si6networks.com > > PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494 > > > > _______________________________________________ > > OPSEC mailing list > > OPSEC@ietf.org > > https://www.ietf.org/mailman/listinfo/opsec > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] Why folks are blocking IPv6 extension hea… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Ted Lemon
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Jen Linkova
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Vasilenko Eduard
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Dale W. Carder
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Xipengxiao
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Michael McBride
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Ole Troan
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Haisheng Yu
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Bob Natale
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXT] Re: [OPSEC] [IPv6] Why folks ar… Bob Natale
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Trøan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… hsyu
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Vasilenko Eduard
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Vasilenko Eduard
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Brian E Carpenter
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Bob Natale
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Haisheng Yu
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Warren Kumari
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Ole Troan
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Warren Kumari
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Fernando Gont
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Clark Gaylord
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Brian E Carpenter
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Brian E Carpenter
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Andrew Alston
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Mike Simpson
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Haisheng Yu
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Nick Hilliard
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] [EXTERNAL] Re: Why fol… Bob Natale