IETF Logo Mail Archive

Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Mon, 22 May 2023 22:26 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB75FC14CEFC for <v6ops@ietfa.amsl.com>; Mon, 22 May 2023 15:26:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VH-eDimxevDs for <v6ops@ietfa.amsl.com>; Mon, 22 May 2023 15:26:28 -0700 (PDT)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB3FDC14CEFD for <v6ops@ietf.org>; Mon, 22 May 2023 15:26:28 -0700 (PDT)
Received: by mail-pf1-x42c.google.com with SMTP id d2e1a72fcca58-64d604cc0aaso1606239b3a.2 for <v6ops@ietf.org>; Mon, 22 May 2023 15:26:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1684794388; x=1687386388; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=WLrZheMPpX+0ttYpvSw9ht+3f4dhdCZo+/6Og1hLsyA=; b=GYTE+CWUH46ZsI8uKAlhn38c6hWaVRHfbvdLil7NGXDRkwwetrfxTpHcolyVmhEY73 dz2bC8ibVxmk6dmZSiHCcRLitjkqkMWWKRXzLO7syQKtIUsXuUih4o31B4u50dGzdIP9 3UvXgzNlSuy26WCgUXsNdYN9AghN+TMD2uIORFp2irR7+VHFVXw4ZdvzOB9q3Out6YK4 +g2jJt7L4Fy2VLo+ANjzZ8T3oLYt9G5l25dN2sISJd4pPRQ+H7082fOoFUU2zTbknaqs B6GN6KDJgoRKl6ASD3Xe+caKEG7ND5ZdhO1xbk2l8EThtNmxS3mXEgfXOyPIQ4Yn/Aeg IxAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684794388; x=1687386388; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WLrZheMPpX+0ttYpvSw9ht+3f4dhdCZo+/6Og1hLsyA=; b=Fz3T9LQ+Aq/iouZcEYv+zrspcF/JABP+SgBaGNtCA+qDx2vJsD5MiT4/OoATn7wBlj SaQQh146NsTl6q8HRAU84gKJCzAnm6uKHaoFRyrdjU9nSRi3GcS947d+/2dQju/IMwXQ Lr5y29y9Gwcrm8uJJfhJFdMsWTEkNcK6e/IXZUdWuLTV8QMSRjmWHaNJiHFXPDj2jS5G a3EoufT9iootgc2dme4ebmM2YZQ1/qfNJIa8FrFR4PTUrfLp1ZSXEiPQpKnyFbenwkak vPvCy7S0noiAuO5mwYn+IWuA5qvDDT/QlXcK+zMHKRS86rj8TjLPpPoIZsst+C0TX1li 4UIA==
X-Gm-Message-State: AC+VfDxYtOizKq9JijrQaDx3nH5uu05qpULR1TxVOyYoHWg5ZQVmFYgY DlaIImHTwnXlasf73/7UI1MTsIlsNhAoOE1OnNZqZQ==
X-Google-Smtp-Source: ACHHUZ7hwpFZFVE2NnBaEBoLIQ6OjBoiI2ZWZWaXpnBIDTH6bWdf59L0ENCEflf5vo9yOvKgkjCR/MKGo9VaVAgPEeo=
X-Received: by 2002:a17:902:ea84:b0:1a1:a800:96a7 with SMTP id x4-20020a170902ea8400b001a1a80096a7mr12299495plb.8.1684794388091; Mon, 22 May 2023 15:26:28 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CALx6S35aUNqgyO+8H_QnP4FPp6eRi6aAUfi38AF16SXWAqa6UQ@mail.gmail.com> <E54182CA-D47C-4EFE-ACE1-03C10F72D55A@employees.org> <87a1b11d-5d70-022a-f934-193f89d211c1@si6networks.com>
In-Reply-To: <87a1b11d-5d70-022a-f934-193f89d211c1@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 22 May 2023 15:26:15 -0700
Message-ID: <CALx6S37=Wxecb6mrFb8bGwCaBO-BfkHsR3ocbTDL+DsP4fg69Q@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Ole Troan <otroan@employees.org>, Andrew Campling <andrew.campling@419.consulting>, IPv6 Operations <v6ops@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ETi_zf_cI6UW1zv9Z-RY4YQAsFs>
Subject: Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 22:26:32 -0000

On Mon, May 22, 2023 at 12:05 PM Fernando Gont <fgont@si6networks.com> wrote:
>
> Hi, Ole,
>
> On 22/5/23 15:36, Ole Troan wrote:
> [...]>>
> >> As a host and networking stack developer, I view the network and these
> >> arbitrary inconsistent security policies as the problem not as the
> >> solution to application and host security. The best tool developers
> >> have is to encrypt as much of the packet as possible to keep network
> >> providers from meddling in protocol layers they shouldn't be, but
> >> unfortunately that isn't applicable to all protocols like EH for
> >> instance (although, given that IPsec was on Fernando's approved list
> >> of extension headers, I suppose we could hide all the extension
> >> headers we want in IPsec :-) )
> >
> > I don’t think Fernando has argued the case that some EHs should be filtered in public transit networks?
>
> No, I certainly wasn't. -- I was just arguing about filtering at e.g. an
> Enterprise edge.
>
> As for transit networks... it's tricky. In a lof of cases, the dropping
> of such packets doesn't have to do with trying to protect the
> destination AS, but rather because EHs may result in e.g. performance
> issues when the transit AS tries to protect e.g. their own
> infrastructure (see RFC9098). In such scenarios, I'm not sure there are
> many alternatives to just dropping the offending packets (even if
> undesirable).

Fernando,

I don't understand what the performance issue is here or why EH would
adversely affect transit network infrastructure. RFC8200 allows
intermediate nodes to ignore all extension headers including HBH
Options, so, IMO, in a transit network the best behavior for routers
is to ignore *all* EH and just forward packets on to their
destination. The one adverse effect might be that EH impacts ECMP to
cause inconsistent routing within a flow, but that could only affect
end-to-end performance that the application sees and not harm the
infrastructure (and in that case, the host would probably only see
performance issue if  was inconsistently sending extension headers for
packets in a flow).

Tom

>
>
> > In the whole I think it’s not a good idea that the IETF has some working groups working hard at defining new protocols and other working groups working hard at defining policies to block them.
>
> FWIW, I don't think anyone wants to block them, but rather to provide
> guidance about what's sensible to do. e.g., what to do with EHs at the
> Enterprise trust boundary is a usual question from Enterprise folks.
>
>
>
> > Now for EHs in general. Their functionality of providing a separate signalling channel independent of the application… it might be time that we accept that this was a bad idea. Which deployment status has confirmed.
>
> Agreed on this.
>
> Cheers,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

v2.23.0 | Report a Bug | By Email