Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Tom Herbert <tom@herbertland.com> Thu, 18 May 2023 14:17 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE92DC14CE30 for <v6ops@ietfa.amsl.com>; Thu, 18 May 2023 07:17:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oV2SC40X-Ieo for <v6ops@ietfa.amsl.com>; Thu, 18 May 2023 07:17:12 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2762C14CEE3 for <v6ops@ietf.org>; Thu, 18 May 2023 07:17:12 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-510b7b6ef59so3785709a12.3 for <v6ops@ietf.org>; Thu, 18 May 2023 07:17:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1684419431; x=1687011431; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=cD+5OEBio/IT2DrX3SpaY8VJak87o2u6ymeCrZQ5EjY=; b=fwAyaSaE+nevclYpc3Mt6rINWpQefgt45fF+oaaA67QV8T1l7b99CBV+HbKUKJfK7P kGN1JYpMWJSHft7Y+91I2pIs+P5ywTOeNonFqabyLeAzBNA+cIX7Mj5USzQxQX+aFkw5 d8XKvTtJv6tDiWGRXwkFQs1/V1DTzZWcAAj9ikbPeBQBTKD5+crACXdX5W282/Evx2YI BMPIQPpJit6hhcq0eAtBgOHa72aYlyYBqIjuVxhye0vk189Zqk7er+eyWS/obleAASUR kJNaQWLpNxtlNcwTdVeJLRMq7ejNzxD4z80WkM5OHvvnVI6E30sPxnxySQWQE0P3K5pT Nksg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684419431; x=1687011431; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=cD+5OEBio/IT2DrX3SpaY8VJak87o2u6ymeCrZQ5EjY=; b=Md0HOkScF0AUyDy6qhYtEoDZdZi25FgOu2xh4csM3lRU2caz9X/ovABdTUPGY+/6tm C9RTtL6V1n+Tq7X2RGZi2sw2xHQkz3XDCvMLZMGjWIZNvA/e1lo+qGMQchY4inbtrZfe etJoWNXT5zvetL7wNA+bs5iP3d3EdGIa7AtoT/BY1oymBzLa+ceg/yK7tOk84Pf6iGVK n9K7KudapSLjEAOSiwjrCeIkvBANopV9VKmWYg6h4BCFKXcrHIdBzjvh0kiInWlMLfSR MWHTBJv/VruNEpHCdvOJmZhf6cApUuWgjlxZTMwZJon+ftx4KXjnCUqOaO7uvEDVQC1u 0pTA==
X-Gm-Message-State: AC+VfDxJKKORz/xJdF3VchN7zoX1wgXpAi3hjNiE4q3NZ+uYGISzShQN uemA2sAHKyGkWMjbrEqMLwazH3UELSy1N1Yk81PNSdgBMWMLwRNq
X-Google-Smtp-Source: ACHHUZ629HidFNzCsZHO+YxJdzLP8DM/Dtb4s1YUH/i82afwXQAf5XQ8Gd3n2887WautQSrG5Qvk+SDz2XogaZJHYv4=
X-Received: by 2002:aa7:c486:0:b0:510:dd3e:86cd with SMTP id m6-20020aa7c486000000b00510dd3e86cdmr3158841edq.20.1684419431185; Thu, 18 May 2023 07:17:11 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <45979491-9fcc-7a1c-5b11-88acf91d765f@si6networks.com>
In-Reply-To: <45979491-9fcc-7a1c-5b11-88acf91d765f@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 18 May 2023 07:16:56 -0700
Message-ID: <CALx6S36gyAUke-SX9iVam8A2Rxr-vL9geiPdGmS4WwbKX203xQ@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: 6man@ietf.org, V6 Ops List <v6ops@ietf.org>, opsec WG <opsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/OC_SKI71tZO_xxZt7VIHZe2N6aI>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2023 14:17:16 -0000
On Thu, May 18, 2023 at 6:10 AM Fernando Gont <fgont@si6networks.com> wrote: > > HI, Tom, > > On 17/5/23 19:56, Tom Herbert wrote: > > > > > Fernando, > > > > There's an old saying phrased in the form of a question: "What is the > > most secure network in the world?". The answer is "One that's turned > > off". > > It is not about "most secure network", but rather about unnecessary risk. > > Go look the CVEs for IPv6 EHs. Then go enable them in your network, and > when you get DoSed, you tell your manager that while thr feature wasn't > needed, and you were aware about the long track of CVEs associated with > the feature, you leave it if enabled "for the good of the Internet". I'm a developer, so it's more likely I have to explain to my manager why we have to put in a bunch hacks to in the networking stack to work around ad hoc, arbitrary, and inconsistent "security policies" of a few networks; I have to explain why we can't easily deploy a new transport protocol because some marketing manager at a network provider decided that TCP is necessary and sufficient for all purposes; I have to explain why we're trying to encrypt the hell out of packets, including transport layer headers, to keep network devices from meddling in protocol layers they're not supposed to be. > > That line of thought would have never thought with anybody I have worked > for in a security role. > Your viewpoint is clearly from that of a network operator for one network, my viewpoint is that of someone trying to develop applications that need to work across the whole Internet. Security has a different meaning in that regard, I need to worry about security of the host stack. As I've pointed out on this list before, I have never, not even once, seem code that relies on the network to provide security, and not even a single comment praising the network for providing security for the host-- to the contrary there's a whole bunch of hacks and comments about work arounds for non standard practices in the network. So instead of randomly disabling features in networks when we find implementation bugs, my motivation is to fix the bug! > > > So, if you want to build a network with maximum security then by all > > means drop packets with extension headers; but, also be sure to drop > > packets containing other protocols that are potentially susceptible to > > implementation which includes any other transport protocol other than > > TCP, IP fragmentation, and you probably should consider IPv6 as well > > since we certainly haven't seen the last of the implementation bugs > > for that. UDP as a secure protocol is right out! For the remaining > > "authorized" protocols, which is just TCP over IPv4, immediately drop > > all TCP packets that are not to or from port 443 because anything else > > is insecure. Also a TCP implementation could have bugs, so require > > that users only use a network provider approved TCP stack > > implementation verified to be bug free and frozen in time that only > > allows bug fixes (we need to avoid regressions!). > > There's 20/30+ additional years of experience and tests of IPv4 and TCP > implementations than with these IPv6 features. And there are still security issues being found with those protocols. Recently, there have been a whole bunch of DoS and security issues discovered with caches. Look at CVEs for those. Tom > > Thanks, > -- > Fernando Gont > SI6 Networks > e-mail: fgont@si6networks.com > PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
- [v6ops] Why folks are blocking IPv6 extension hea… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Ted Lemon
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Jen Linkova
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Vasilenko Eduard
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Dale W. Carder
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Xipengxiao
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Michael McBride
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Ole Troan
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Haisheng Yu
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Bob Natale
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXT] Re: [OPSEC] [IPv6] Why folks ar… Bob Natale
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Trøan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… hsyu
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Vasilenko Eduard
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Vasilenko Eduard
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Brian E Carpenter
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Bob Natale
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Haisheng Yu
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Warren Kumari
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Ole Troan
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Warren Kumari
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Fernando Gont
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Clark Gaylord
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Brian E Carpenter
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Brian E Carpenter
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Andrew Alston
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Mike Simpson
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Haisheng Yu
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Nick Hilliard
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] [EXTERNAL] Re: Why fol… Bob Natale