Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Thu, 25 May 2023 14:25 UTC

References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <72784f8e65f34bcc9f5652c0a553c70c@boeing.com>
In-Reply-To: <72784f8e65f34bcc9f5652c0a553c70c@boeing.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 25 May 2023 07:24:53 -0700
Message-ID: <CALx6S373P2X-JRbCNpOCGuq_Cum0+OzJFRBkuQ64h5R52B7Dhw@mail.gmail.com>
To: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/EuDhHIlldiTLgD6DNnRkbvxNBGg>

On Wed, May 24, 2023 at 6:02 PM Manfredi (US), Albert E
<albert.e.manfredi@boeing.com> wrote:
>
> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Fernando Gont
>
> > Given the amount of things that get connected to the Net (smart bulbs, refrigerators, etc.) -- and that will super-likely never receive security updates, you may have to **rely on your own network**.
> >
> > For instance, I wouldn't have my smart TV "defend itself".
>
> Agreed, "on your own network." From the viewpoint of a household, whatever network defense has to be behind that household's router, for it to be credible, and preferably right in each host. Yeah, some IoT devices may not be updated regularly.

Bert,

It's more than a preference to have host security; it is an absolute
requirement that each host provides security for its applications and
users. This requirement applies to SmartTVs, SmartPhones, home
computers, and pretty much all the several billion end user devices
connected to the Internet. No host device would ever assume that the
network consistently provides any adequate level of security; for real
security we need to assume that the host is the first and last line of
defense (i.e. the zero trust model).

Tom


>
> The ISP has to worry about protecting that ISP's own network. Households have to be responsible for protecting their household's network. (And connected TVs do get regular software updates, as a matter of fact.)
>
> No one would trust their online banking transactions on an ISP's network protections, for example.
>
> Bert
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops