Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 17 June 2015 21:13 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F7FD1A8756 for <v6ops@ietfa.amsl.com>; Wed, 17 Jun 2015 14:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fqR18vDy7e6T for <v6ops@ietfa.amsl.com>; Wed, 17 Jun 2015 14:13:34 -0700 (PDT)
Received: from mail-pd0-x231.google.com (mail-pd0-x231.google.com [IPv6:2607:f8b0:400e:c02::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A82541A8729 for <v6ops@ietf.org>; Wed, 17 Jun 2015 14:13:34 -0700 (PDT)
Received: by pdbki1 with SMTP id ki1so49302525pdb.1 for <v6ops@ietf.org>; Wed, 17 Jun 2015 14:13:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=bKOVIUSUVRmLwxCr2AagMum7bcAFcGxWjPZ56eN6j0c=; b=ByYtde5ws64HhPkFkfLqTXPekJ34t9WWsKu7pv0AJq6DDo3nK8DJaXHJb3bQE3+2dF uieUAH11Q6v4SIaWdvUCNr4C//T6BVgDvym3ygnP1mwk5EM2dEbF4yh7PoDHhNgtK5cm ALTQu5tWt6I1QaqMVi0ol1Ind1rKTMof+by8dqYT6f3lb76GoeUqkSHBdXdua9NMvAHN 6cE/P5nEjyPQeOY7uwsgSiTx9dH2lJXBYwG76PEFz1pmQbwJaj0KfN3QS01NAKaWp5CJ Evz43QAcOaW8VhXkp9BxJw+cp//aihXdxBAL0fncJvcB4zF+UGEAyYttJI8yPzCMAzKy IKSg==
X-Received: by 10.66.119.174 with SMTP id kv14mr14471904pab.5.1434575614397; Wed, 17 Jun 2015 14:13:34 -0700 (PDT)
Received: from ?IPv6:2406:e007:64d6:1:28cc:dc4c:9703:6781? ([2406:e007:64d6:1:28cc:dc4c:9703:6781]) by mx.google.com with ESMTPSA id o7sm5706139pdi.16.2015.06.17.14.13.30 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Jun 2015 14:13:32 -0700 (PDT)
Message-ID: <5581E2FF.9080902@gmail.com>
Date: Thu, 18 Jun 2015 09:13:35 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Enno Rey <erey@ernw.de>, Jen Linkova <furry13@gmail.com>
References: <CAFU7BAR0YeGe7NbYTqNSAcMukGjAz6akWaVcODWVJwpTJKQhWQ@mail.gmail.com> <20150617.140235.74748217.sthaug@nethelp.no> <CAFU7BARNa--MEuOzH5ZsBJ+hY8hCxUH4tVDcSEP95BdkmooLgw@mail.gmail.com> <20150617.152750.41635871.sthaug@nethelp.no> <20150617133328.GB16716@ernw.de> <CAFU7BATv3U7TtSnM8Litneq+xGvXmmHLBHHz0HFGE=AjoYeSHg@mail.gmail.com> <20150617140032.GB16806@ernw.de>
In-Reply-To: <20150617140032.GB16806@ernw.de>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/GREdLMmn0uqKeJxRISdz1nQzHk8>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "ipv6-wg@ripe.net IPv6" <ipv6-wg@ripe.net>
Subject: Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2015 21:13:36 -0000

Catching up on a few points in this thread that went crazy
while I was sleeping...

On 18/06/2015 02:00, Enno Rey wrote:

...
> Yes, we're aware of RFC7112. It's just: no OS we know and no devices we're aware of (feel free to provide pointers) implement RFC 7112 as of today. 

No, it's too new. But I suggest that it gives you license to drop packets
with fragmented header chains, and tell anyone who complains that they
don't conform to the IPv6 standard.

> but many attack tools implement the techniques mentioned above. Which is why quite some operators (in particular, but not only) from enterprise and managed service provider/cloud space drop all EHs except, maybe, AH+ESP.

Whereas dropping *all* EHs breaks the IPv6 standard.

On 18/06/2015 03:11, Ca By wrote:

> For the folks looking for extension header innovation, would you be willing
> to work on IP version X instead of IPv6?  Or perhaps you can use the Class
> E IPv4 space for your innovation?

Now that's a polemic, not an argument. But since you ask: of course not.

> Serious.  IPv6 is not a place for innovation at the Network / Internet
> layer.

EHs as an extension mechanism are *not* innovation. They've been in the design
for 20 years. I'm actually with Fred on this: it's time for the hardware
designers to step up. With RFC 7112, we've told them that the maximum packet
size they need to parse is 1280 (after removing tunneling overhead).

   Brian