IETF Logo Mail Archive

Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Nick Buraglio <buraglio@forwardingplane.net> Thu, 18 May 2023 15:06 UTC

Return-Path: <nick@buraglio.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80F59C151098 for <v6ops@ietfa.amsl.com>; Thu, 18 May 2023 08:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.646
X-Spam-Level:
X-Spam-Status: No, score=-6.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=forwardingplane-net.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7cY9jA0NlEdN for <v6ops@ietfa.amsl.com>; Thu, 18 May 2023 08:06:17 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FB7BC1519A4 for <v6ops@ietf.org>; Thu, 18 May 2023 08:05:46 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id d2e1a72fcca58-64d2b42a8f9so142329b3a.3 for <v6ops@ietf.org>; Thu, 18 May 2023 08:05:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forwardingplane-net.20221208.gappssmtp.com; s=20221208; t=1684422345; x=1687014345; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=I3blS9E+kzfNlaSYXhACr9S2rbZCoxigPC2VTl3ziEs=; b=mKSKvt3Y8EuTljVXUAP/+3bQa8zmMGqh9FymlKS5fWSC3f9aDaWkPli8Kb4rhB5LY1 q9FLPMW0e79aA0zG1tvVLJVlZtUWLoStt68GKKaHY6ECj1omGfl6MW4cRWdmgnw7LG5l GMGoLB94Fk/ik49MbFrJ0DY/ORQys4U7QB6kvNuyoyJy0OCGZH/faoQoc+JU6FlV0fEn rbT0sFIU/0XuKvNbv3af2oHb3EsXf/L3lc1I0Fhs98mRA+frHFTwxQwVscDTTlHJaCLE 8Cq7qznSPvc1YIGt87auWIINQ7ejuJPZ6rMS/x5xBZnGdVtNl19Ig16d7bK0lmLd9pXG WHgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684422345; x=1687014345; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=I3blS9E+kzfNlaSYXhACr9S2rbZCoxigPC2VTl3ziEs=; b=DZJrGSGWlWwiAOxO0T65dVP011Nea1Dm9NAqRldhlWtX4zNfSwH5luy7Vb1urDuCh9 rtCyZaQ7t/0Lspy7TmtR6VY4AAeQw8d2chKNnpVvZrXaNAIougrWl6kTP19ODc35ErwY zdIn6aV4laKxmuar4uHDmdfB/XFFaPSKIEGqICc5Zky4E7FVnMbnjkQTaG9l1kpV0yig gs+vwjOffBkAAQR4oI3+GiP1qUetiVnKRm5jnL5HtanoiFjU6tJbSace5CPnO7Jk3th2 JGc5KzF8lIjYrlQbZAeMdy4iHfZtDE8BCzI+5YatUhXSCmb4WDesX5bgauUo9jrAer0d jMKg==
X-Gm-Message-State: AC+VfDwCkAw5in7nhogRfKjaf0NJCMBI3Xn12zKE2UEDKbnNKhk2ZWUW mLlJiOrqotLl2IPrsE8EIvZaPYpiqRtxtlywu9D9Hg==
X-Google-Smtp-Source: ACHHUZ7NblscuOZaO0DdDlhuhs25f0sqzgviU9I+/KEQE6MqZc3fDBEsnoPL44UYGzMLyEM0Q91xzRlJge8ZCK5jKtk=
X-Received: by 2002:a05:6a20:8e04:b0:106:999f:64e5 with SMTP id y4-20020a056a208e0400b00106999f64e5mr1972177pzj.60.1684422345091; Thu, 18 May 2023 08:05:45 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CWXP265MB515321A0E0A91CD66260C26CC27F9@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CALx6S35py1b6EyS3UeT8JvgwN-w8wBtprCn9OJSCS-nvfQ_L-A@mail.gmail.com> <CAGB08_djDtrFRY37ZTH_draGLTxM3vO7bMfT6YyyKFrTH_Tx5w@mail.gmail.com> <1200504588.3592661.1684421597958@mail.yahoo.com>
In-Reply-To: <1200504588.3592661.1684421597958@mail.yahoo.com>
From: Nick Buraglio <buraglio@forwardingplane.net>
Date: Thu, 18 May 2023 10:05:34 -0500
Message-ID: <CAGB08_dgnacFfk=m-rBM_hPn9iPA+TVSM0G0sdMs1UBNp+HzBQ@mail.gmail.com>
To: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
Cc: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Andrew Campling <andrew.campling@419.consulting>, Fernando Gont <fgont@si6networks.com>, V6 Ops List <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>, opsec WG <opsec@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008811b305fbf923be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/J4P_Arfv-hB6v23u7EHacY4lrac>
Subject: Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2023 15:06:21 -0000

That's a good point, my mind just tends to go toward "where is a place I
can learn more about X", and the easier that is to find, the happier I tend
to be =)
Even something that lays down examples and potentials would be really handy
for folks wanting to learn more. Perhaps we should flesh it out in book6
instead.
https://github.com/becarpenter/book6/blob/main/2.%20IPv6%20Basic%20Technology/Extension%20headers%20and%20options.md

nb

On Thu, May 18, 2023 at 9:53 AM nalini.elkins@insidethestack.com <
nalini.elkins@insidethestack.com> wrote:

> Nick,
>
> > neither really have use cases
>
> I think a use cases document is a great idea!  Although, IMHO one of the
> points of extension headers is that they can be used to extend the protocol
> for purposes which we cannot think of today!
>
> Thanks,
>
> Nalini Elkins
> CEO and Founder
> Inside Products, Inc.
> www.insidethestack.com
> (831) 659-8360
>
>
> On Thursday, May 18, 2023 at 07:49:50 AM PDT, Nick Buraglio <
> buraglio@forwardingplane.net> wrote:
>
>
> Is there any document that details the current operational best practices
> or explains the EH options and use cases in a succinct document? I didn't
> find one (although I did not look terribly hard). If not, that sounds like
> an opportunity to work through them and create one, perhaps?
> Nalani has a deep dive study here
> https://www.ietf.org/archive/id/draft-elkins-v6ops-eh-deepdive-fw-01.html
> and https://datatracker.ietf.org/doc/draft-elkins-v6ops-eh-deepdive-cdn/
> but I wasn't able to find a list with some use cases akin to the ND
> considerations draft here
> https://datatracker.ietf.org/doc/draft-ietf-v6ops-nd-considerations/
> RFC7045 has a decent, and RFC2460 explains what they are but neither
> really have use cases.
>
> nb
>
> On Thu, May 18, 2023 at 9:33 AM Tom Herbert <tom=
> 40herbertland.com@dmarc.ietf.org> wrote:
>
> On Thu, May 18, 2023 at 7:24 AM Andrew Campling
> <andrew.campling@419.consulting> wrote:
> >
> > I wonder if part of the issue here is that insufficient attention is
> being given to operational security matters and too much weight is given to
> privacy in protocol development, irrespective of the security implications
> (which is of course ultimately detrimental to security anyway)?
>
> Andrew,
>
> There is work being done to address the protocol "bugs" of extension
> headers. See 6man-hbh-processing and 6man-eh-limits for instance.
>
> Tom
>
> >
> > Andrew
> >
> >
> > From: OPSEC <opsec-bounces@ietf.org> on behalf of Fernando Gont <
> fgont@si6networks.com>
> > Sent: Thursday, May 18, 2023 2:19 pm
> > To: David Farmer <farmer@umn.edu>; Tom Herbert <tom=
> 40herbertland.com@dmarc.ietf.org>
> > Cc: 6man@ietf.org <6man@ietf.org>; V6 Ops List <v6ops@ietf.org>; opsec
> WG <opsec@ietf.org>
> > Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension
> headers? (Episode 1000 and counting) (Linux DoS)
> >
> > Hi, David,
> >
> > On 18/5/23 02:14, David Farmer wrote:
> > >
> > >
> > > On Wed, May 17, 2023 at 13:57 Tom Herbert
> > > <tom=40herbertland.com@dmarc.ietf.org
> > > <mailto:40herbertland.com@dmarc.ietf.org>> wrote:
> > [...]
> > >
> > > Maximum security is rarely the objective, I by no means have maximum
> > > security at my home. However, I don’t live in the country where some
> > > people still don’t even lock there doors. I live in a a city, I have
> > > decent deadbolt locks and I use them.
> > >
> > [....]
> > >
> > > So, I’m not really happy with the all or nothing approach the two of
> you
> > > seem to be offering for IPv6 extension headers, is there something in
> > > between? If not, then maybe that is what we need to be working towards.
> >
> > FWIW, I[m not arguing for a blank "block all", but rather "just allow
> > the ones you really need" -- which is a no brainer. The list you need
> > is, maybe Frag and, say, IPsec at the global level? (from the pov of
> > most orgs).
> >
> > (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
> >
> > Thanks,
> > --
> > Fernando Gont
> > SI6 Networks
> > e-mail: fgont@si6networks.com
> > PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
> >
> > _______________________________________________
> > OPSEC mailing list
> > OPSEC@ietf.org
> > https://www.ietf.org/mailman/listinfo/opsec
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email