IETF Logo Mail Archive

Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

David Farmer <farmer@umn.edu> Mon, 22 May 2023 17:06 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF56AC151553 for <v6ops@ietfa.amsl.com>; Mon, 22 May 2023 10:06:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DwonaGYgKXT2 for <v6ops@ietfa.amsl.com>; Mon, 22 May 2023 10:06:10 -0700 (PDT)
Received: from mta-p8.oit.umn.edu (mta-p8.oit.umn.edu [134.84.196.208]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96D58C15153F for <v6ops@ietf.org>; Mon, 22 May 2023 10:06:10 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p8.oit.umn.edu (Postfix) with ESMTP id 4QQ3kV0FVjz9vKMT for <v6ops@ietf.org>; Mon, 22 May 2023 17:06:10 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p8.oit.umn.edu ([127.0.0.1]) by localhost (mta-p8.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ECNamnUklbAy for <v6ops@ietf.org>; Mon, 22 May 2023 12:06:09 -0500 (CDT)
Received: from mail-ej1-f72.google.com (mail-ej1-f72.google.com [209.85.218.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p8.oit.umn.edu (Postfix) with ESMTPS id 4QQ3kT415qz9vKMj for <v6ops@ietf.org>; Mon, 22 May 2023 12:06:09 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p8.oit.umn.edu 4QQ3kT415qz9vKMj
DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p8.oit.umn.edu 4QQ3kT415qz9vKMj
Received: by mail-ej1-f72.google.com with SMTP id a640c23a62f3a-96fe843f61eso148439766b.2 for <v6ops@ietf.org>; Mon, 22 May 2023 10:06:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; t=1684775168; x=1687367168; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=a7GjIHctjWyoxNEYpwWvhfjCJn0d8ncudXEVBcKAnFM=; b=dn2MHn6eFNMCJZXnksOk5vdQnMu31S9l8THPUm/Yej5MOQkwDKyckAFtz4Bp/whpep hHbjjvHseivnzvHAmhDT/1/ZpByIF7B3qnf3YEcw2Kg1ICatQFKBSh/xcnE+FKQ1YxDu Jy1OmIWAQgLaF2nbMCGtVM7VkHxO++/I0nQD7Rr+T/8jO4V1ubGWkJ5dnmJOtRYiS5NM RSqNLy2DmUh7cW9guTIsRX3rGRiuBngLmhdvv1PNGEY67WRUFyRPQygx/0Xcpy1xSRYN DdVIRZT633Ctjqh1Ko2yfv5ptbLyYiEPfVYyrSfFEGPBiyqKhgYQsyMS2W9Tvp59SucT ip+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684775168; x=1687367168; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=a7GjIHctjWyoxNEYpwWvhfjCJn0d8ncudXEVBcKAnFM=; b=L39bdbJ0bStRPLsUtuUnunAMFa25Cvlmz0kct2pWowEtJxbrFjJny8uB4PuGHBevJL Hg+B26k58cBbixUqU+rqDCkgA/UB/G9WUKD47PYGj/Dl9GJmAiWJhKa/g3F4rWfggL/M icnYjwq4TWHTkjvJ8S2RCuxlMyIU+vBX/IP1kMhaUif0f0J/iyh43InHAt8oCjZ1Mzt9 1YnfzWRJGwV3SgRwffnJg8zeIBgKT+qDpOq4FndaxsXam32pPtlImhMp5FZ6eKWpUSP3 XEBfY4zNbC/IyFl39a5a+f/o7lJ8D6A9h2EiE6VYObkyVhfh6Xx2xLGuYrIpQe2Yyi5s VD8A==
X-Gm-Message-State: AC+VfDzs6IXxejukRb7PXda6Y6fpE0OD0q4+Iz/gyH5kuAVaYaJB/0yX AEdrePi6RGhrkiRk9fKmwTIgamTZogtweL7Ry40MSNQfgO4a+n5Qy3dwsSbqWIO8LImeHqm1VbY tIblaDhik6Z4BVC7Z2nfp/srsIZ0zjrrFArTv
X-Received: by 2002:a17:906:ee88:b0:94e:4489:f24d with SMTP id wt8-20020a170906ee8800b0094e4489f24dmr9453054ejb.61.1684775167876; Mon, 22 May 2023 10:06:07 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ7lt5YoQjkLgQtxsxQMNhuNmOP1TV8ijwGb9hBCam4uz1KXbxbJzp6pJkZ+YKiCP7sWU1DP9QprNqKZrf56Pv8=
X-Received: by 2002:a17:906:ee88:b0:94e:4489:f24d with SMTP id wt8-20020a170906ee8800b0094e4489f24dmr9453013ejb.61.1684775167238; Mon, 22 May 2023 10:06:07 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CAN-Dau3MLvK2A_Rt_TnXqZY-zOR12NhF-16tKDv4E4s9qR1D_Q@mail.gmail.com> <2341.1684770818@localhost>
In-Reply-To: <2341.1684770818@localhost>
From: David Farmer <farmer@umn.edu>
Date: Mon, 22 May 2023 12:05:50 -0500
Message-ID: <CAN-Dau04XOL0Afyrb-msE5OHX2c9KFuYt2N5san9mqq8k1BW3w@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005eb5fe05fc4b49d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/3N2hDGE0Vav4vHFYZfmEvZ58OoY>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 17:06:14 -0000

On Mon, May 22, 2023 at 10:53 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
>     > "permissionless innovation."  That being said, we MUST balance these
>     > multiple priorities. which means we can not completely sacrifice
>     > "permissionless innovation" to "security" and "privacy" either.
>
> +1
>
>     > 1. Certain EH constructs SHOULD never be allowed; we need reasonable
>     > and practical limits; I think Tom's draft makes significant progress
>     > here.  2. Certain EHs SHOULD be allowed in certain places and SHOULD
>     > NOT be allowed in others; this thread is at least a good starting
> point
>     > for some recommendations along these lines.  3. Certain EHs almost
>     > always need to be allowed; these need to be enumerated similarly to
> RFC
>     > 4890 for ICMPv6.
>
> I think that many of us are still reeling from default configuration of
> certain "firewalls" that banks seemed like, which dropped packets
> containing
> ECN, and TCP options, and made it very very difficult to deploy new things.
> Even when at the IETF standards level... (so "innovation with permission")
>

So, I think we need "permissionless innovation" at the Internet level.
Nevertheless, that doesn't mean "innovation with permission" isn't
appropriate in some or even many situations. For example, in a situation
involving public safety, like a nuclear reactor or a missile control
system. We can all agree that "permissionless innovation" isn't necessarily
appropriate in situations like these.


>     > Dropping EHs just because they are unknown, especially by transit
>     > providers, probably isn't appropriate in most situations. Dropping
>     > unknown EHs by a host or by a middlebox very close to the host could
> be
>     > appropriate, at least in some situations. Nevertheless, that doesn't
>     > mean there are no EHs that it is appropriate for transit providers to
>     > drop.
>
> I guess I'd be okay if it were the EH itself that was dropped, but I
> suspect
> it's still the entire packet.  I don't even really want to drop the EH, so
> much as write over it with an EH that is blank.  I don't think that's a
> defined action.
>

If it's not ok to add an EH on the fly, why should it be ok to remove or
blank it out? We only allow relatively minor alterations to EHs on the fly,
removing or completely blanking them out seems too far.


>     > third-party server, often referred to as firewall traversal.
> Similarly,
>     > we should think about techniques for hosts wanting the communicate
>     > using EHs that are not allowed on the network path between them.
> Maybe
>     > call this EH traversal, and it likely involves a tunnel or
>     > encapsulating the packet with the unknown EHs between the two
>     > hosts. I'll note that adding EHs in flight is not allowed, and a
> common
>     > technique is to add a new IPv6 header with the new EHs encapsulating
>     > the old packet.
>
> Hmm. That's an interesting idea.
>

-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email