IETF Logo Mail Archive

Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 22 May 2023 23:33 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BACCDC14CF0D; Mon, 22 May 2023 16:33:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YOwEH6tX5Cof; Mon, 22 May 2023 16:33:08 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9515C14CEFC; Mon, 22 May 2023 16:33:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 9DBEC38990; Mon, 22 May 2023 19:33:05 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id SZf1nmhVD4pj; Mon, 22 May 2023 19:33:04 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 58AE13898F; Mon, 22 May 2023 19:33:04 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1684798384; bh=DfNKCm6GMoNSVoI9HU5xlIBE+eMewJX5YHubwfNN5eY=; h=From:To:Subject:In-Reply-To:References:Date:From; b=mSFmMgx0J0XEbAQfNNwZJM9Hpf8KuHdI/3mOgSovi/DgvG2knCUChvaYEP8e/5Gh2 lusQJz8etcL0aiW6COFRRsB7V7pM8LDLkJOhv6ykGIJnrM4x4yyaYEzDvBb/+sfEPH nkhLsOIZLgZOf2qzpV07A16Ivfwx4Ufl8cB+G8yttqow1tR8pCGBOg1Yi1hH+kFKcd HkGEhwiYRiA+R6iFL2RuLmkU24L1j9Tsek6zNwCPb5NjVCrxOI4GT2TAZlSeTyfjdy R+FFV8YPgjG9U7vaGDScoxl/wD7K1NecSz0mSeMpY3fBl0g7GwVFFE21cjxNEJhzFW F5OdA3k3y73Pw==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 38268130; Mon, 22 May 2023 19:33:04 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: David Farmer <farmer@umn.edu>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
In-Reply-To: <CAN-Dau04XOL0Afyrb-msE5OHX2c9KFuYt2N5san9mqq8k1BW3w@mail.gmail.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CAN-Dau3MLvK2A_Rt_TnXqZY-zOR12NhF-16tKDv4E4s9qR1D_Q@mail.gmail.com> <2341.1684770818@localhost> <CAN-Dau04XOL0Afyrb-msE5OHX2c9KFuYt2N5san9mqq8k1BW3w@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 22 May 2023 19:33:04 -0400
Message-ID: <13042.1684798384@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Er_VSt_Vmcw6VITSqoRXFQVSMqE>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 23:33:12 -0000

David Farmer <farmer@umn.edu> wrote:
    >> I think that many of us are still reeling from default configuration
    >> of certain "firewalls" that banks seemed like, which dropped packets
    >> containing ECN, and TCP options, and made it very very difficult to
    >> deploy new things.  Even when at the IETF standards level... (so
    >> "innovation with permission")

    > So, I think we need "permissionless innovation" at the Internet level.
    > Nevertheless, that doesn't mean "innovation with permission" isn't
    > appropriate in some or even many situations. For example, in a
    > situation involving public safety, like a nuclear reactor or a missile
    > control system. We can all agree that "permissionless innovation" isn't
    > necessarily appropriate in situations like these.

Just to be clear: this means that the SSL/HTTPS VPN that let's Homer Simpson
do safety work from home, stops working when the browser-OS is upgraded with ECN,EH,etc.

    >> I guess I'd be okay if it were the EH itself that was dropped, but I
    >> suspect it's still the entire packet.  I don't even really want to
    >> drop the EH, so much as write over it with an EH that is blank.  I
    >> don't think that's a defined action.
    >>

    > If it's not ok to add an EH on the fly, why should it be ok to remove
    > or blank it out? We only allow relatively minor alterations to EHs on
    > the fly, removing or completely blanking them out seems too far.

Well, I agree: neither should be allowed.
So, why should it be okay to blank the ENTIRE PACKET?


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email