Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Haisheng Yu <hsyu@cfiec.net> Fri, 26 May 2023 04:15 UTC

Date: Fri, 26 May 2023 12:14:38 +0800
From: Haisheng Yu <hsyu@cfiec.net>
To: "fgont@si6networks.com" <fgont@si6networks.com>
Cc: "brian.e.carpenter@gmail.com" <brian.e.carpenter@gmail.com>, "andrew.campling@419.consulting" <andrew.campling@419.consulting>, "fernando@gont.com.ar" <fernando@gont.com.ar>, "v6ops@ietf.org" <v6ops@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Message-ID: <4FCF75B585A1D068+7D9B99BB-B24B-4FE8-A3FD-54877C7C1131@cfiec.net>
In-Reply-To: <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/G3N4OMvS_Vce6PjLFPTgBCkgfGE>
Subject: Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Hi, Fernando 

I guess it all depends on the TV? e.g., I for one I'm not planning to throw it out just because Sony decided to quit pushing updates (which were never automatic for my set).

I don't have a Sony TV, so I have a slightly different perspective.

The essence of the extension header issue is determined by the competition between operators and equipment vendors. Most internet users rely on the default configurations provided by the operators or equipment vendors. Operators always want devices from vendors that offer powerful features (e.g., in SRv6, equipment vendors aim to support as many layers of Segment Routing lists as possible). However, during actual deployment, only a portion of these features is used due to security concerns. Equipment vendors are motivated to innovate as they seek to outperform their competitors and gain profits in the market.

The extension headers in IPv6 provide a significant advantage beyond the address space of IPv4, enabling flexible and programmable network transmissions. Looking at the current applications of IPv6 extension headers, notable achievements have been made (such as SRv6). Perhaps it's time to consider reducing restrictions on extension headers and allow for more innovation and application.

Johnson Yu



---- Replied Message ----
Hi, Brian,

On 23/5/23 00:41, Brian E Carpenter wrote:
[...]

That depends where you choose to apply the zero trust model. As Steve
Bellovin argued many years ago in his distributed firewalls paper,
distributing the trust model to the end systems is best, because you no
longer have to trust any intermediate systems.

Given the amount of things that get connected to the Net (smart bulbs,
refrigerators, etc.) -- and that will super-likely never receive
security updates, you may have to rely on your own network.

For instance, I wouldn't have my smart TV "defend itself".

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
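The trade-off the message describes (vendors supporting ever-longer SRv6 segment lists, operators enabling only what they can filter safely) comes down to what a middlebox must do to see past the extension-header chain. The following is an added example, not code from the thread or from any vendor or operator: it walks an IPv6 extension-header chain per RFC 8200 (Hop-by-Hop first, lengths in 8-octet units, Fragment fixed at 8 bytes, AH in 4-octet units), validates a Segment Routing Header per RFC 8754 (Last Entry, Segments Left, segment list fitting the header length), and drops packets that exceed an explicit policy. The limits (4 headers, 256 bytes, 4 segments), the addresses and all packet bytes are constructed for the example and are not values from any RFC, vendor default or the thread.

```python
"""Walk an IPv6 extension-header chain the way a filtering middlebox must,
and enforce an explicit policy on it.  All packets below are constructed."""
import struct

# IANA protocol numbers
HOPOPTS, TCP, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 6, 43, 44, 51, 60
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}   # ESP (50) ends the walk
SRH = 4                                                   # Routing Type 4, RFC 8754

class PolicyViolation(Exception):
    pass

def walk_ext_headers(pkt, max_headers=4, max_eh_bytes=256, max_srh_segments=4):
    """Return (upper_layer_proto, [(proto, length), ...]) or raise PolicyViolation.
    The three limits are illustrative assumptions, not values from any RFC or vendor."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise PolicyViolation("not a complete IPv6 fixed header")
    end = 40 + struct.unpack_from("!H", pkt, 4)[0]   # Payload Length field
    if end > len(pkt):
        raise PolicyViolation("Payload Length exceeds buffer")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(chain) >= max_headers:
            raise PolicyViolation(f"more than {max_headers} extension headers")
        if nh == HOPOPTS and off != 40:          # RFC 8200 s4.1: HBH must be first
            raise PolicyViolation("Hop-by-Hop header not immediately after fixed header")
        if off + 8 > end:
            raise PolicyViolation("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            hlen = 8
        elif nh == AH:
            hlen = (ext_len + 2) * 4             # AH length is in 4-octet units
        else:
            hlen = (ext_len + 1) * 8             # HBH/DstOpts/Routing: 8-octet units
        if off + hlen > end:
            raise PolicyViolation("extension header runs past Payload Length")
        if nh == ROUTING:
            rtype, seg_left = pkt[off + 2], pkt[off + 3]
            if rtype != SRH:                     # e.g. RT0 is deprecated (RFC 5095)
                raise PolicyViolation(f"routing type {rtype} not permitted")
            nseg = pkt[off + 4] + 1              # Last Entry + 1 = segment list size
            if nseg > max_srh_segments:
                raise PolicyViolation(f"SRH carries {nseg} segments, limit {max_srh_segments}")
            if 8 + 16 * nseg > hlen or seg_left > nseg - 1:
                raise PolicyViolation("SRH segment list inconsistent with header length")
        chain.append((nh, hlen))
        off += hlen
        if off - 40 > max_eh_bytes:
            raise PolicyViolation(f"extension headers exceed {max_eh_bytes} bytes")
        nh = next_nh
    return nh, chain

def check(pkt, **policy):
    """Filter decision: ('accept', upper_proto, n_headers) or ('drop', reason)."""
    try:
        nh, chain = walk_ext_headers(pkt, **policy)
        return ("accept", nh, len(chain))
    except PolicyViolation as e:
        return ("drop", str(e))

# --- constructed packets (addresses from the 2001:db8::/32 documentation prefix) ---
def opts_header(next_nh):                 # HBH or DstOpts: 8 bytes, one PadN option
    return bytes([next_nh, 0, 1, 4, 0, 0, 0, 0])

def srh_header(next_nh, segments, segments_left):
    n = len(segments)                     # 8 + 16n bytes -> Hdr Ext Len = 2n
    return (struct.pack("!BBBBBBH", next_nh, 2 * n, SRH, segments_left, n - 1, 0, 0)
            + b"".join(segments))

def ipv6(first_nh, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + src + dst + payload

SEG = [bytes([0xfc] + [0] * 14 + [i]) for i in range(1, 7)]   # six made-up SIDs
TCP_STUB = b"\x00" * 20

GOOD     = ipv6(HOPOPTS, opts_header(ROUTING) + srh_header(TCP, SEG[:3], 2) + TCP_STUB)
DEEP_SRH = ipv6(ROUTING, srh_header(TCP, SEG, 5) + TCP_STUB)           # 6 segments
HBH_LATE = ipv6(DSTOPTS, opts_header(HOPOPTS) + opts_header(TCP) + TCP_STUB)
LONG     = ipv6(DSTOPTS, b"".join(opts_header(DSTOPTS) for _ in range(5))
                         + opts_header(TCP) + TCP_STUB)                # 6 DstOpts in a row

if __name__ == "__main__":
    for name, p in [("GOOD", GOOD), ("DEEP_SRH", DEEP_SRH), ("HBH_LATE", HBH_LATE), ("LONG", LONG)]:
        print(name, check(p))
```

The point of the explicit limits is that they are the knob the message is arguing about: raising `max_srh_segments` from 4 to 8 makes `DEEP_SRH` acceptable without changing any parsing, so the operator's choice of how much of the vendor's segment-list depth to admit is a policy number rather than a parser change, and anything the walker cannot bound (ESP, an unknown routing type, a chain longer than the byte budget) is dropped rather than passed unparsed.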