Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

[Tom Herbert <tom@herbertland.com>]

On Thu, May 18, 2023 at 6:10 AM Fernando Gont <fgont@si6networks.com> wrote:
>
> HI, Tom,
>
> On 17/5/23 19:56, Tom Herbert wrote:
>
> >
> > Fernando,
> >
> > There's an old saying phrased in the form of a question: "What is the
> > most secure network in the world?". The answer is "One that's turned
> > off".
>
> It is not about "most secure network", but rather about unnecessary risk.
>
> Go look the CVEs for IPv6 EHs. Then go enable them in your network, and
> when you get DoSed, you tell your manager that while thr feature wasn't
> needed, and you were aware about the long track of CVEs associated with
> the feature, you leave it if enabled "for the good of the Internet".

I'm a developer, so it's more likely I have to explain to my manager
why we have to put in a bunch hacks to in the networking stack to work
around ad hoc,  arbitrary, and inconsistent "security policies" of a
few networks; I have to explain why we can't easily deploy a new
transport protocol because some marketing manager at a network
provider decided that TCP is necessary and sufficient for all
purposes; I have to explain why we're trying to encrypt the hell out
of packets, including transport layer headers, to keep network devices
from meddling in protocol layers they're not supposed to be.
>
> That line of thought would have never thought with anybody I have worked
> for in a security role.
>
Your viewpoint is clearly from that of a network operator for one
network, my viewpoint is that of someone trying to develop
applications that need to work across the whole Internet. Security has
a different meaning in that regard, I need to worry about security of
the host stack. As I've pointed out on this list before, I have never,
not even once, seem code that relies on the network to provide
security, and not even a single comment praising the network for
providing security for the host-- to the contrary there's a whole
bunch of hacks and comments about work arounds for non standard
practices in the network. So instead of randomly disabling features in
networks when we find implementation bugs, my motivation is to fix the
bug!

>
> > So, if you want to build a network with maximum security then by all
> > means drop packets with extension headers; but, also be sure to drop
> > packets containing other protocols that are potentially susceptible to
> > implementation which includes any other transport protocol other than
> > TCP, IP fragmentation, and you probably should consider IPv6 as well
> > since we certainly haven't seen the last of the implementation bugs
> > for that. UDP as a secure protocol is right out! For the remaining
> > "authorized" protocols, which is just TCP over IPv4, immediately drop
> > all TCP packets that are not to or from port 443 because anything else
> > is insecure. Also a TCP implementation could have bugs, so require
> > that users only use a network provider approved TCP stack
> > implementation verified to be bug free and frozen in time that only
> > allows bug fixes (we need to avoid regressions!).
>
> There's 20/30+ additional years of experience and tests of IPv4 and TCP
> implementations than with these IPv6 features.

And there are still security issues being found with those protocols.
Recently, there have been a whole bunch of DoS and security issues
discovered with caches. Look at CVEs for those.

Tom

>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494