IETF Logo Mail Archive

Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS)

Mike Simpson <mikie.simpson@gmail.com> Tue, 30 May 2023 12:09 UTC

Return-Path: <mikie.simpson@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB957C15153D; Tue, 30 May 2023 05:09:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2b9h8XEW3WvK; Tue, 30 May 2023 05:09:51 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DF85C151539; Tue, 30 May 2023 05:09:51 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-3f60dfc6028so45702955e9.1; Tue, 30 May 2023 05:09:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1685448589; x=1688040589; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=JV5aPQzgFqkll0jfwuVp24J4FZz5tG3phP/LVD8N9E0=; b=n6R/wHqzYviJAT6snNwSOiCGpeiAUUtbO6TbrtXiL7nQfqBPa7XN00wCat5wqCO1KY K2ggbs9YfX0GiruNRuCImnchAgBOlZ5t4XGAiBJLUWo8ni6yuIClfMmpKiyMPqsq7wHV HZ327+ihVQ4IhKq3dcMJsAvePptsqWJTAWlxevqZ/VpRAy/yubkV9ATcxGFzmxRg4bf0 diuBMYPie27iFDy+41yDiGmfOezeHYaj/BAeet+UOxZZRBCHcx8uoXeUkVJcRGNSPuHu iWSW0nc4KX8zjOtd+XTrU1CPhzd6pBqxN4GsA0F5uzxPY6pZjxfCKZ7Fd9M8JG+rI8ge W44w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685448589; x=1688040589; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JV5aPQzgFqkll0jfwuVp24J4FZz5tG3phP/LVD8N9E0=; b=dMMjQvhfwW/i0iPAw6IZuoFjVphuf69r0m5NJcHNg6+B57+jk3zbfrQHhnmnPuedW3 ZZZC1qYmzljkZQNomI9fjO4LsRMrwoZL8ZA3qgvAZK3BfjtBrqQCx9k6k1Y6C4biwTym tjHZcuWuAAZIjQYUEmCqtjRJ5E6FDKjJk7tBFcet/iFLwZ284+3d/5SbYzajjGLNiBzU FmtQobOFuYOvMUjmpyih64B3EedEBneAr8booA9OkBGKM6+DHmnMqEgh/7iwRmDiZDgX CI2a22zmuxOJBgJUnN4EE/G9tM57pGYcJbeaFkMpzRsJAmdPzcH7nmmJQgytVk4HJ5HP Y2Ug==
X-Gm-Message-State: AC+VfDxfIrgd7FyZL/NQwazzUVlH3rXb1dNxk0OyzJzzdHU8zEeZRVts 4bASBPixcunaIdqxOTIideM=
X-Google-Smtp-Source: ACHHUZ6dikHrRF4rH6DzxifncWSCuz6jxUXy49KVAr85+qUScl1uplWOuT3lq8CgH5SY/qQH+eiKkg==
X-Received: by 2002:a7b:c048:0:b0:3f6:490:a7f3 with SMTP id u8-20020a7bc048000000b003f60490a7f3mr1652157wmc.9.1685448588874; Tue, 30 May 2023 05:09:48 -0700 (PDT)
Received: from smtpclient.apple ([2a00:23ee:2218:d46a:5413:1eae:162c:675d]) by smtp.gmail.com with ESMTPSA id k15-20020a05600c0b4f00b003f611b2aedesm17297899wmr.38.2023.05.30.05.09.47 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 30 May 2023 05:09:48 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mike Simpson <mikie.simpson@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Tue, 30 May 2023 13:09:36 +0100
Message-Id: <9E8596DA-12E3-4084-9295-DD63888371E3@gmail.com>
References: <CALx6S36Vv57AZFr=2adfEMYnVSOECsowXw1c7pTo_E-FWokB6Q@mail.gmail.com>
Cc: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>, v6ops@ietf.org, ipv6@ietf.org, opsec@ietf.org
In-Reply-To: <CALx6S36Vv57AZFr=2adfEMYnVSOECsowXw1c7pTo_E-FWokB6Q@mail.gmail.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (20F66)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Ek8WK5iOy3rZMES1Z0ouapH0W9E>
Subject: Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 May 2023 12:09:55 -0000

Apologies for the top posting

The degree of cognitive dissonance in this thread is quite high. 

It seems that we are discussing a world where telcos aren’t still running IOS 12.x and won’t/can’t upgrade because of ITIL or where people don’t choose the version of networking OS that they run based on “the bugs my network can live with”

Indeed we are also apparently living in a world where “limited domain” means something magical so that I don’t have to block RFC1918 IPv4 addresses from my network edge because ISPs are conforming to the SHALL NOT and SHOULD NOT in that particular RFC

Also it seems that the core internet is also run on routers and switches that can totally manage punting packets to cpu off the fast path in order to process these extensions to a protocol that 1) works really well and solves the problems that it was designed to solve and 2) has been used in production for decades. 

I appreciate that a lot of these EHs are designed to get round limitations in the alternatives available as presumably doing facial rec/total take on sizeable populations is difficult but not taking into account of the reality of most of the world seems odd. 

If there are significant problems that need addressing and I’m sure there are, then the correct approach would be a new version of IP ( which will either lead to “triple stack” or would eventually replace v6) or encapsulate the traffic. 

Either way, repeating the same mistakes made with IPv4 like magical “limited domains” or not ignoring what is actually running the internets in terms of all the 20 year old kit on 20 year old software or thinking that my favourite network vendor is going to start releasing code that doesn’t contain bugs is dooming us all to more failure and more downtime, more chaos thus directly leading to even more stagnation. 

Mike

> On 27 May 2023, at 23:06, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
> 
> On Sat, May 27, 2023 at 2:16 PM Manfredi (US), Albert E
> <albert.e.manfredi@boeing.com> wrote:
>> 
>> -----Original Message-----
>> From: Tom Herbert <tom@herbertland.com>
>> 
>>> Correct, that's the fundamental problem. When public network providers apply ad hoc protocol filtering, that limits the capabilities and opportunities to provide value to the users. For instance, if someone came up with a new transport protocol that improves user security by 10x, we couldn't deploy it because some network providers would block it. So the very security policies that are ostensibly in place to protect the users can actually harm them.
>> 
>> Potentially, I agree. Problem is, each of the players has to determine what is an acceptable risk. If an ISP wants to keep his infrastructure secure, he's got the responsibility to make it so, as best he can. He can’t trust mechanisms that either don’t exist yet or that might introduce their own new vulnerabilities. Someone says, trust me, these extensions will be for your own good, and yet he is fully cognizant that those extensions could also be used in ddos attacks, he'll say thanks but no thanks. Maybe I'll let those through after we're satisfied with testing and experience.
>> 
> 
> Albert,
> 
> Application developers and stack developers are also players in this
> game. And while each network provider might have the luxury of only
> focusing on their customer set, developers have to potentially address
> the needs of all users across the Internet. This is why network
> providers' attempts to protect the user are irrelevant to application
> developers-- without consistency across the Internet this level of
> security may as well not exist from their perspective. Obviously this
> situation didn't materialize overnight and it shouldn't be surprising
> that we've had to implement work-arounds to this problem. For
> instance, encryption goes a long way in limiting the network's
> visibility in the packet, but that does have its limits.
> 
>>> As for what constitutes the "the greater good", like pretty much everything else in IETF shouldn't that be something determined by "rough consensus"?
>> 
>> Yes, but unfortunately, that does not absolve the players of their own responsibilities. In matters of security, no one will blindly follow "rough consensus." We are 180 degrees from the Postel principle:
> 
> No, but it seems like providing reasonable guidance falls under the
> auspices of IETF.
> 
>> 
>> "Be conservative in what you do, be liberal in what you accept from others," is turned on its head, as we know. For system security, you cannot be liberal in what you accept from others.
>> 
>>> Even if the consensus were that extension headers need to be deprecated, to me that would be better than the current situation where we, specifically application and host developers, need to deal with a patchwork of anonymous and seemingly arbitrary network provider policies that degenerate the end to end services we can provide to users to rely only on least common denominator of protocols which we can only deduce by guess work.
>> 
>> I get your point completely. We don’t have an IETF dictatorship though, so what happens is that over time, smart people have to decide how best to do their jobs, given the realities of today. There is a lot of infrastructure flexibility, and apps, thought really cool when they were developed, that go unused for just this reason. Such as, you might be better off, in your network, to use proxy-MLD and to block PIM-SM. Same goes for some or even much of ICMP. It's the tussle Brian C talks about.
> 
> It's a proverbial "chicken and the egg" problem. Some network
> providers will only allow them once there's deployment, but we can't
> deploy them if they're not allowed through the network. The good news
> is, we are starting to see deployment at least in limited domains. As
> experience with them grows and issues are addressed, hopefully the
> barriers will fall and the vision of an extensible Internet protocol
> will be realized in time.
> 
> Tom
> 
>> 
>> Bert
>> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email