Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 22 May 2023 15:53 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: David Farmer <farmer=40umn.edu@dmarc.ietf.org>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
In-Reply-To: <CAN-Dau3MLvK2A_Rt_TnXqZY-zOR12NhF-16tKDv4E4s9qR1D_Q@mail.gmail.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CAN-Dau3MLvK2A_Rt_TnXqZY-zOR12NhF-16tKDv4E4s9qR1D_Q@mail.gmail.com>
Date: Mon, 22 May 2023 11:53:38 -0400
Message-ID: <2341.1684770818@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/SsNfjjGoOuuAS1cdK5VFRQubfCc>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
    > "permissionless innovation."  That being said, we MUST balance these
    > multiple priorities, which means we can not completely sacrifice
    > "permissionless innovation" to "security" and "privacy" either.

+1

    > 1. Certain EH constructs SHOULD never be allowed; we need reasonable
    > and practical limits; I think Tom's draft makes significant progress
    > here.
    > 2. Certain EHs SHOULD be allowed in certain places and SHOULD
    > NOT be allowed in others; this thread is at least a good starting point
    > for some recommendations along these lines.
    > 3. Certain EHs almost always need to be allowed; these need to be
    > enumerated similarly to RFC 4890 for ICMPv6.

I think that many of us are still reeling from the default configuration of
certain "firewalls" that banks seemed to like, which dropped packets containing
ECN, and TCP options, and made it very very difficult to deploy new things.
Even when at the IETF standards level... (so "innovation with permission")

    > Dropping EHs just because they are unknown, especially by transit
    > providers, probably isn't appropriate in most situations. Dropping
    > unknown EHs by a host or by a middlebox very close to the host could be
    > appropriate, at least in some situations. Nevertheless, that doesn't
    > mean there are no EHs that it is appropriate for transit providers to
    > drop.

I guess I'd be okay if it were the EH itself that was dropped, but I suspect
it's still the entire packet.  I don't even really want to drop the EH, so
much as write over it with an EH that is blank.  I don't think that's a
defined action.

    > third-party server, often referred to as firewall traversal. Similarly,
    > we should think about techniques for hosts wanting to communicate
    > using EHs that are not allowed on the network path between them. Maybe
    > call this EH traversal, and it likely involves a tunnel or
    > encapsulating the packet with the unknown EHs between the two
    > hosts. I'll note that adding EHs in flight is not allowed, and a common
    > technique is to add a new IPv6 header with the new EHs encapsulating
    > the old packet.

Hmm. That's an interesting idea.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
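The two ideas the quoted message raises, an EH allow-list enforced by a host or a middlebox close to it, and "EH traversal" by encapsulating the original packet in a new IPv6 header (protocol 41), can be made concrete with a small chain walker. The following is an added example written for this page; it is not code from the thread, from Michael Richardson, or from any IETF draft. The `walk_chain` and `evaluate` functions, the allow-lists `TRANSIT_ALLOW` and `HOST_ALLOW`, and the sample packets (built on the documentation prefix 2001:db8::/32) are all constructed for illustration; the policies are not a recommendation from the discussion. The point it shows is that a filter which stops at the outer header sees an EH-free packet with Next Header 41, so a host-side policy that wants to apply EH limits to encapsulated traffic has to descend into the inner header.

```python
import ipaddress
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, NONXT = 0, 43, 44, 50, 51, 60, 59
IPV6_ENCAP = 41   # IPv6-in-IPv6 encapsulation (the "new IPv6 header" technique)
UDP = 17
MAX_HEADERS = 16  # bound on chain length so a crafted packet cannot make us loop


def ipv6_header(next_header, payload, src, dst, hop_limit=64):
    """Build a 40-byte IPv6 header (version 6, zero traffic class/flow label) plus payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def opts_header(next_header, options=b""):
    """Build a Hop-by-Hop or Destination Options header, padded to a multiple of 8 octets."""
    body = bytearray([next_header, 0]) + options
    pad = (-len(body)) % 8
    if pad == 1:
        body += b"\x00"                                    # Pad1 option
    elif pad > 1:
        body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)  # PadN option
    body[1] = len(body) // 8 - 1   # Hdr Ext Len: 8-octet units, not counting the first 8
    return bytes(body)


def walk_chain(pkt, descend_encap=False):
    """Walk the extension header chain; return (list of EH types in order, upper-layer proto).

    With descend_encap=True an IPv6-in-IPv6 header is entered and the inner packet's
    chain is appended, so a policy can see EHs carried inside a tunnel.
    Raises ValueError on malformed or truncated input (a filter would drop such packets).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    for _ in range(MAX_HEADERS):
        if nh in (HOPOPT, ROUTING, DSTOPTS):
            if off + 8 > len(pkt):
                raise ValueError("truncated extension header")
            chain.append(nh)
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            chain.append(nh)
            nh, off = pkt[off], off + 8
        elif nh == AH:
            if off + 8 > len(pkt):
                raise ValueError("truncated AH")
            chain.append(nh)
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4   # AH length is in 4-octet units
        elif nh == IPV6_ENCAP and descend_encap:
            if off + 40 > len(pkt) or pkt[off] >> 4 != 6:
                raise ValueError("truncated inner IPv6 header")
            chain.append(nh)
            nh, off = pkt[off + 6], off + 40
        else:
            # ESP, No Next Header, or an upper-layer protocol ends the walk.
            if off > len(pkt):
                raise ValueError("chain runs past end of packet")
            return chain, nh
    raise ValueError("too many extension headers")


def evaluate(pkt, allowed_eh, descend_encap=False):
    """Apply an EH allow-list. Returns ('accept', []) or ('drop', reasons)."""
    try:
        chain, _upper = walk_chain(pkt, descend_encap)
    except ValueError as exc:
        return "drop", [f"malformed: {exc}"]
    disallowed = [h for h in chain if h != IPV6_ENCAP and h not in allowed_eh]
    return ("drop", disallowed) if disallowed else ("accept", [])


# Constructed sample packets on the documentation prefix; not captured traffic.
SRC, DST = "2001:db8::1", "2001:db8::2"
UDP_DATAGRAM = struct.pack("!HHHH", 5353, 5353, 13, 0) + b"hello"   # 8-byte header + 5 bytes
PLAIN = ipv6_header(UDP, UDP_DATAGRAM, SRC, DST)
WITH_EH = ipv6_header(HOPOPT, opts_header(DSTOPTS) + opts_header(UDP) + UDP_DATAGRAM, SRC, DST)
# EH traversal as the thread describes it: a new outer IPv6 header carries the original packet.
TUNNELED = ipv6_header(IPV6_ENCAP, WITH_EH, "2001:db8:ffff::1", "2001:db8:ffff::2")

# Constructed policies for illustration only: a transit-style list and a stricter host list.
TRANSIT_ALLOW = {FRAGMENT, DSTOPTS, AH, ESP}
HOST_ALLOW = {FRAGMENT, DSTOPTS}

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("with_eh", WITH_EH), ("tunneled", TUNNELED)):
        print(name, walk_chain(pkt), evaluate(pkt, TRANSIT_ALLOW))
    print("tunneled, host filter descending into protocol 41:",
          evaluate(TUNNELED, HOST_ALLOW, descend_encap=True))
```

Run stand-alone, the script shows `WITH_EH` being dropped by the transit-style list because of its Hop-by-Hop header, the same packet passing that list once tunneled, and the tunneled packet being dropped again by a host-side check that descends into the inner header. The walker refuses packets whose chain is truncated or longer than `MAX_HEADERS`, which is the usual reason a host-near filter treats malformed chains as drops rather than trying to interpret them.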