Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Mon, 22 May 2023 17:24 UTC

From: Tom Herbert <tom@herbertland.com>
Date: Mon, 22 May 2023 10:24:07 -0700
Message-ID: <CALx6S35g39O6sc+ECwXFb9Zm6c2fNWvJRVY2TMw-ewznT4ZGQQ@mail.gmail.com>
To: Ole Troan <otroan=40employees.org@dmarc.ietf.org>
Cc: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, Ole Troan <otroan@employees.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, IPv6 Operations <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/HDyr-KCI2FdTwQZT8-3lusTNmSs>

On Mon, May 22, 2023 at 10:09 AM Ole Troan
<otroan=40employees.org@dmarc.ietf.org> wrote:
>
> Nalini,
>
> >
> > Once bugs are fixed, then we need to consider carefully what BCP around EHs should be done, taking into account various common topologies as well as devices such as proxies and load balancers.  I mention those in particular as what we have found points to those devices in particular as posing problems rather than transit networks.
>
> I look at load balancers as an extension of the application (or network function).

Ole,

If you're talking about a transparent proxy or a transparent stateful
device in the network, I tend to view those devices as potentially
invasive and harmful to an application as opposed to an extension of
the application. Think of all the problems we've had with stateful
middleboxes and all the hacks we need in networking stacks to work
around them...

> Unless the application had a particular use for an extension header I would not implement it.

So you only run one application in your network? :-) Even if you
polled every user in the network about every application they're
running and found they don't currently use a certain protocol, what
happens the next day when one of your customers wants to use the
banned protocol?

> And that’s with an implementor's hat on. Writing custom load-balancers for network services.
> What would you even do with EHs through a load balancer? Provide ALGs for EHs containing addresses inside of them? It would have to be on a case by case basis.

Why would a load balancer care about EH? In the worst case, don't you
just need to parse over the extension headers to find the transport
layer headers for load balancing (note RFC8200 allows intermediate
nodes to not process HBH options)?

Tom

>
>
> > Of course, our testing to date is absolute lack of transmission rather than lack of transmission based on EH length or type.  We felt that was the logical first step.
>
> O.
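As an added example (not code from the thread or from any of the participants), here is a minimal walk over an IPv6 extension-header chain of the kind Tom describes: it locates the transport header for load balancing without interpreting any Hop-by-Hop or Destination option, bounds the number of headers it will walk, and gives up on non-first fragments. The `MAX_EXT_HEADERS` bound and the sample packets are constructed for the example.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, NO_NEXT_HEADER, DEST_OPTS = 0, 43, 44, 51, 59, 60  # IANA values
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
IPV6_HDR_LEN = 40
MAX_EXT_HEADERS = 8  # constructed bound: refuse absurd chains instead of walking them

def find_transport(pkt: bytes, max_ext: int = MAX_EXT_HEADERS):
    """Return (next_header, offset) of the transport header, skipping every EH without
    interpreting its options; None if truncated, chain too long, or no transport header."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return None
    nh, off, hops = pkt[6], IPV6_HDR_LEN, 0
    while nh in EXT_HEADERS:
        hops += 1
        if hops > max_ext or off + 8 > len(pkt):
            return None
        if nh == FRAGMENT:
            # Only the first fragment (offset 0) carries the transport header.
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                return None
            hdr_len = 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH: Payload Len in 4-octet units minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # HBH/Routing/DestOpts: 8-octet units minus 1
        nh, off = pkt[off], off + hdr_len
    if nh == NO_NEXT_HEADER or off > len(pkt):
        return None
    return nh, off

def flow_key(pkt: bytes):
    """5-tuple a load balancer could hash on; None if it cannot be derived."""
    found = find_transport(pkt)
    if found is None:
        return None
    nh, off = found
    sport = dport = 0
    if nh in (6, 17) and off + 4 <= len(pkt):  # TCP/UDP ports
        sport, dport = struct.unpack_from("!HH", pkt, off)
    return pkt[8:24], pkt[24:40], nh, sport, dport

def ipv6(nh: int, payload: bytes) -> bytes:
    """Constructed test packet: fixed header, zero addresses, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + bytes(32) + payload

PADN = bytes([1, 4, 0, 0, 0, 0])  # PadN option that fills one 8-octet EH
TCP = struct.pack("!HH", 443, 51000) + bytes(16)  # constructed 20-byte TCP header
WITH_EH = ipv6(HOP_BY_HOP, bytes([DEST_OPTS, 0]) + PADN + bytes([6, 0]) + PADN + TCP)
LATER_FRAG = ipv6(FRAGMENT, bytes([6, 0]) + struct.pack("!H", 100 << 3) + bytes(4) + TCP)
```

A device that only needs the 5-tuple never has to look inside an option, which is exactly what RFC 8200 permits for intermediate nodes.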