Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Bob Natale <RNATALE@mitre.org> Thu, 25 May 2023 22:15 UTC

Return-Path: <RNATALE@mitre.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D40F2C151B20; Thu, 25 May 2023 15:15:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n6L1frPM3-_2; Thu, 25 May 2023 15:15:07 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB72BC151B1C; Thu, 25 May 2023 15:15:06 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id D7999132E02E; Thu, 25 May 2023 18:15:04 -0400 (EDT)
Received: from smtpxrhbv1.mitre.org (unknown [198.49.146.55]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtpvbsrv1.mitre.org (Postfix) with ESMTPS id 89328132E026; Thu, 25 May 2023 18:15:04 -0400 (EDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02lp2104.outbound.protection.outlook.com [104.47.65.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpxrhbv1.mitre.org (Postfix) with ESMTPS id 6C1F6413DC7; Thu, 25 May 2023 18:15:04 -0400 (EDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LLYoe25+YQuHqTZBzhlpdT+iEKY+NooiHIoUukI9Al+uwIccLSWi39IVVQAqoxw7BsB/mO1hd313eUI+qcPlrqZIDxP6V9yAKRAbW7oMsPU/3+7XeKEutEOf0HNHmxGXh6a6ROOqKGpBi67UF9Z2H+1Ubho7z0Ac8bBa0xPrEuP18cRYrRSCzv/SjSNXee+NgN6JYqEX0hOAhECOtPDKrQVvv4hwkyznjkVBktbqojT0jKZMq3YvzZ1ua8t2HJxFGTAxHDEx67RyUuWb2hGddiM1/z8JHbIxmLZlvq88K0RjCZi8EsIcxbu0ohWPhn7/gjB9wMy6fWsHtKggyJGKbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=HJ1Q82p65adwDDWQ+cQ9aEjit8RHy8+9o5A7fX+CH7c=; b=Yp0Y50WVTB2yjejUVHZ7DOUbJgsPEou0Z4SDyCWIzO3L2VZP1IdsJmTeBl0MyElSbFf1kbtrfKSdio3VffqTlMFqussOVQE192tcBMcjOoV6RvBx7/ZnjZVh4shT5gXc8jH5qTCKwQuBMGVdovbOLTA6TMWXyxyZhvIRkZ3ap4QsqGPSMs8gpuZ34C6fIjUwDPRvBhv56EkOicJVgyzU0wexVrfH3cyp+DSSgLFceg4zhGnUYSEXZi0WPkstkVs6YCXTQ5xp5jsJ1zWuvXusE34jBM6XB8zJY5Wnzs4QbN1SyIutZImUMvOEAGtS1CjHxQcs0HZopr217pANByVd9Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mitre.org; dmarc=pass action=none header.from=mitre.org; dkim=pass header.d=mitre.org; arc=none
Received: from MN2PR09MB4716.namprd09.prod.outlook.com (2603:10b6:208:216::19) by BLAPR09MB6594.namprd09.prod.outlook.com (2603:10b6:208:2a5::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6433.16; Thu, 25 May 2023 22:15:00 +0000
Received: from MN2PR09MB4716.namprd09.prod.outlook.com ([fe80::13cf:6f04:8e99:9811]) by MN2PR09MB4716.namprd09.prod.outlook.com ([fe80::13cf:6f04:8e99:9811%4]) with mapi id 15.20.6433.017; Thu, 25 May 2023 22:15:00 +0000
From: Bob Natale <RNATALE@mitre.org>
To: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Thread-Index: AQHZjxS4rUKmcSGJ40CNRGJCvQwKLa9rbm8ggAAO3ICAAAhvAIAAB+3w
Date: Thu, 25 May 2023 22:15:00 +0000
Message-ID: <MN2PR09MB4716AC6A2B257315A4B210DEA8469@MN2PR09MB4716.namprd09.prod.outlook.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com> <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com> <222731ea012b4b0ebd7a51f72b5bcd40@boeing.com> <dd61024e-1bd8-ff3d-216f-22cc7600ad10@gmail.com> <fb20cb79bb3b44378d25bd5ea65b89c5@boeing.com>
In-Reply-To: <fb20cb79bb3b44378d25bd5ea65b89c5@boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mitre.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MN2PR09MB4716:EE_|BLAPR09MB6594:EE_
x-ms-office365-filtering-correlation-id: e13b5f4a-0b9f-4642-539d-08db5d6d7b4b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR09MB4716.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(366004)(451199021)(4326008)(33656002)(55016003)(6506007)(53546011)(86362001)(8676002)(8936002)(9686003)(26005)(186003)(110136005)(5660300002)(83380400001)(76116006)(52536014)(54906003)(64756008)(66556008)(66476007)(966005)(66946007)(38070700005)(66446008)(122000001)(71200400001)(498600001)(7696005)(38100700002)(66574015)(2906002)(221023011); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-OriginatorOrg: mitre.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR09MB4716.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e13b5f4a-0b9f-4642-539d-08db5d6d7b4b
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 May 2023 22:15:00.4308 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR09MB6594
X-MITRE: 8GQsMWxq66rxk57w
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.org; h=from:to:cc:subject:date:message-id:references:in-reply-to:content-type:content-transfer-encoding:mime-version; s=mZkevYdL; bh=HJ1Q82p65adwDDWQ+cQ9aEjit8RHy8+9o5A7fX+CH7c=; b=s7cR9MV6XF+z2dv65lFINik5IysyHWBMSc6a8vYcBtQ6YtsylKj80wk0EODhMjHdv5Q5q7ZI8kfyK8hpU2BsFNzbAirUIDjHBrAeaaQcl9KSEZxqqT81r85PXwVtoKNZreEPGp/aLDNGNOAVU/wb4cwxBmOeCL/ef3XMU038Bq4=
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/3ceUc8NLdndcJWR7avj8f6X7bBw>
Subject: Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2023 22:15:10 -0000

Speaking of sales pitches (and IMHO): "Zero trust" is an oxymoron in all but trivial operating environments.

(That's a blasé assertion anyway ... we're on to "observability" now!)

BobN

-----Original Message-----
From: OPSEC <opsec-bounces@ietf.org> On Behalf Of Manfredi (US), Albert E
Sent: Thursday, May 25, 2023 5:44 PM
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: IPv6 Operations <v6ops@ietf.org>; 6man <ipv6@ietf.org>; opsec@ietf.org
Subject: Re: [OPSEC] [v6ops] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

-----Original Message-----
From: Brian E Carpenter <brian.e.carpenter@gmail.com> 

> It's perfectly fine if a host chooses to block incoming packets for any reason whatever, including unknown extension headers. That's quite consistent with the *network* allowing permissionless innovation.

Right, but, as others mentioned, there are likely going to be IoT devices in my home, or in my enterprise, which are not as updatable as my smarter boxes. And those need protecting too. So the easiest approach is to keep out anything potentially harmful from the inside network.

Also, this same sort of security gateway model is used in the defense industry. Put the burden on some gateway box rather than relying too much on individual hosts. Why? Because "We don't necessarily trust the vendors of individual hosts, so we'll use a broader brush approach." This is real.

> The problem arises when any upstream intermediate node drops a packet because it doesn't like it for some reason. There, you immediately create the tussle between transparency and security, and I strongly suspect that there is no universal way of avoiding that tussle. Not every new feature has backing from Google.

Agreed, and my bet is, the tussle will favor not banking too much on header extensions, when security is an issue. And security is increasingly an issue, as we have seen over past decades.

> I don't want my ISP or my CE router to block any extension headers.

My bet is that over time, IPv6 CE routers will likely block anything unneeded by default, and then maybe permit users to go to "advanced options" to fine-tune the router to their special needs. And as we know, the very vast majority will never attempt any such thing. (Just as the very vast majority never even change the default name of their home WiFi access point.)

I understand your point about the IPv6 sales pitches. Skepticism about sales pitches is not unusual, however.

Bert
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
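The gateway-side filtering the two messages above argue about, as an added example that is not code from either author, from any CE router or from the Linux kernel: a Python walker that parses an IPv6 extension-header chain with the header lengths defined in RFC 8200 and RFC 4302, then applies a default-deny edge policy to what it found. The allowlists and the four-header budget in EDGE_POLICY, the sample packets and their addresses, and the names walk_chain, apply_policy and evaluate_all are all assumptions for illustration. The sample set includes a truncated header, an overlong chain, a deprecated Routing Type 0 header and an experimental upper-layer protocol number (253, RFC 3692), which is exactly the "permissionless innovation" case that a default-deny gateway drops.

```python
"""Added example (not from the thread): parse an IPv6 extension-header chain
and apply an illustrative edge-gateway policy to it.  Header lengths follow
RFC 8200 and RFC 4302 (AH); policy values and samples are assumptions."""
import struct

# Next Header values (IANA protocol numbers)
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
ESP, AH, ICMPV6, NO_NEXT_HEADER, DEST_OPTS = 50, 51, 58, 59, 60

# Extension headers whose length this walker can compute.  ESP is left out on
# purpose: everything after it is encrypted, so the visible chain ends there.
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def walk_chain(packet, max_headers=8):
    """Return (extension_header_types, upper_layer_next_header).

    The upper layer is None for a non-first fragment, where it is not visible.
    Anything malformed or over the header budget raises ValueError so the
    caller drops the packet instead of guessing."""
    if len(packet) < 40:
        raise ValueError("truncated base header")
    if packet[0] >> 4 != 6:
        raise ValueError("not IPv6")
    end = 40 + struct.unpack("!H", packet[4:6])[0]
    if end > len(packet):
        raise ValueError("payload length exceeds packet")
    nh, off, chain = packet[6], 40, []
    while nh in EXTENSION_HEADERS:
        if len(chain) >= max_headers:
            raise ValueError("more than %d extension headers" % max_headers)
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh = packet[off]
        if nh == FRAGMENT:
            hlen = 8                          # fixed size
        elif nh == AH:
            hlen = (packet[off + 1] + 2) * 4  # Payload Len: 32-bit words minus 2
        else:
            hlen = (packet[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units, first 8 not counted
        if off + hlen > end:
            raise ValueError("extension header runs past end of packet")
        chain.append(nh)
        if nh == FRAGMENT and struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
            return chain, None                # Fragment Offset != 0: not the first fragment
        nh, off = next_nh, off + hlen
    return chain, nh


def apply_policy(packet, allowed_eh, allowed_upper, max_headers):
    """Edge decision: ('accept' | 'drop', reason)."""
    try:
        chain, upper = walk_chain(packet, max_headers)
    except ValueError as err:
        return "drop", "malformed: %s" % err
    for eh in chain:
        if eh not in allowed_eh:
            return "drop", "extension header %d not permitted" % eh
    if upper is None:
        return "accept", "non-first fragment, chain %s" % chain
    if upper not in allowed_upper:
        return "drop", "upper-layer protocol %d not permitted" % upper
    return "accept", "upper layer %d after chain %s" % (upper, chain)


# Assumed default-deny policy for a CE router or host firewall (illustration only):
# Fragment and Destination Options pass; Hop-by-Hop, Routing and AH do not; and
# only the listed upper layers are accepted.
EDGE_POLICY = dict(allowed_eh={FRAGMENT, DEST_OPTS},
                   allowed_upper={TCP, UDP, ICMPV6, ESP},
                   max_headers=4)


# Constructed sample packets: placeholder addresses and all-zero payloads.
def _base(next_header, payload):
    src = bytes(15) + b"\x01"                          # ::1
    dst = b"\x20\x01\x0d\xb8" + bytes(11) + b"\x01"    # 2001:db8::1 (documentation prefix)
    return bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", len(payload), next_header, 64) + src + dst + payload

def _opts_header(next_header):
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])   # 8 bytes, one PadN option

def _frag_header(next_header, offset, more, ident):
    return bytes([next_header, 0]) + struct.pack("!HI", (offset << 3) | int(more), ident)

def _rh0_header(next_header):
    return bytes([next_header, 0, 0, 0, 0, 0, 0, 0])   # Routing Type 0, deprecated by RFC 5095

SAMPLES = {
    "plain_tcp":      _base(TCP, bytes(20)),
    "destopts_tcp":   _base(DEST_OPTS, _opts_header(TCP) + bytes(20)),
    "hbh_tcp":        _base(HOP_BY_HOP, _opts_header(TCP) + bytes(20)),
    "rh0_tcp":        _base(ROUTING, _rh0_header(TCP) + bytes(20)),
    "first_fragment": _base(FRAGMENT, _frag_header(UDP, 0, True, 0x1234) + bytes(8)),
    "later_fragment": _base(FRAGMENT, _frag_header(UDP, 100, False, 0x1234) + bytes(8)),
    "unknown_upper":  _base(253, bytes(4)),            # 253: experimental (RFC 3692)
    "truncated":      _base(DEST_OPTS, bytes([TCP, 3, 1, 4, 0, 0, 0, 0])),  # claims 32 bytes, has 8
    "long_chain":     _base(DEST_OPTS, _opts_header(DEST_OPTS) * 9 + _opts_header(TCP) + bytes(20)),
}


def evaluate_all(policy=EDGE_POLICY):
    """Verdict per sample under the given policy."""
    return {name: apply_policy(pkt, **policy)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-15s %s: %s" % (name, *apply_policy(pkt, **EDGE_POLICY)))
```

The walker bounds its work before it trusts anything: the chain length is capped, every header's claimed length is checked against the IPv6 Payload Length, and a non-first fragment ends the walk because the upper layer is simply not there to inspect. The policy layer is where the tussle lives: widening allowed_eh to include HOP_BY_HOP makes hbh_tcp pass, and nothing short of editing allowed_upper lets an experimental transport through, which is the "advanced options" knob Bert predicts most users will never touch.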