Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Security as Functionality

Tom Herbert <tom@herbertland.com> Mon, 27 July 2020 14:39 UTC

References: <ee0bbb4d1f844ee8aef70dff0986685f@huawei.com>
In-Reply-To: <ee0bbb4d1f844ee8aef70dff0986685f@huawei.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 27 Jul 2020 07:36:23 -0700
Message-ID: <CALx6S34ZM=8PPz60hgv-yXrekxkzDBNap2J73yZO+-M=h73FWg@mail.gmail.com>
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, "draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org" <draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/UNPnu3IdAh3cER84XukdE0dVrP8>

On Mon, Jul 27, 2020 at 1:57 AM Vasilenko Eduard
<vasilenko.eduard@huawei.com> wrote:
>
> Hi Fernando,
> Security is sometimes functionality, not vulnerability or attack vector. A good example is a firewall. A firewall needs to parse all headers to be useful.
> Hence, I believe it is in the logic of this draft to have section 5.1.5: one additional "use case" where parsing of ALL headers is mandatory: FW, IDPS

Eduard,

I would love to see the firewall device that is capable of processing
ALL protocol headers in the IETF protocol suite! Reality is that
firewalls can only process what they are programmed to process which
is typically a very small subset of the possible protocols a host
might want to use. The effect of this model is protocol ossification
since firewalls drop anything that they don't understand even if the
protocols are otherwise useful to the host endpoints. EH is one victim
of protocol ossification in this regard, but it's not the only
one. For instance, QUIC and any future transport protocols will encrypt
as much of the packet as possible expressly for the purpose of
avoiding ossification of these protocols by middleboxes.

Tom
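As an added illustration (not part of this thread or of the draft), the toy stateless-firewall header walker below shows the point made above: it can only walk extension headers whose length encoding it knows (Hop-by-Hop, Routing, Fragment, Destination Options per RFC 8200 and AH per RFC 4302) and passes only the upper-layer protocols it was programmed for, so a legitimate SCTP packet or a non-first fragment is dropped. The packet builder produces constructed sample input, not captured traffic.

```python
import struct

# Constants from RFC 8200 and the IANA protocol-number registry.
IPV6_HDR_LEN = 40
HOPOPT, ROUTING, FRAG, AH, DSTOPT = 0, 43, 44, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAG, AH, DSTOPT}   # headers this firewall can walk
KNOWN_ULP = {6: "TCP", 17: "UDP", 58: "ICMPv6"}     # protocols it is programmed for

def walk_eh_chain(pkt: bytes):
    """Walk a raw IPv6 packet's EH chain; return ("pass", ulp name) or ("drop", reason)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "drop", "not an IPv6 packet"
    nxt, off = pkt[6], IPV6_HDR_LEN
    while nxt in EXT_HEADERS:
        if off + 2 > len(pkt):
            return "drop", "truncated extension header"
        if nxt == FRAG:
            hlen = 8                        # Fragment header is a fixed 8 octets
        elif nxt == AH:
            hlen = (pkt[off + 1] + 2) * 4   # AH: 4-octet units, field excludes 2
        else:
            hlen = (pkt[off + 1] + 1) * 8   # HBH/Routing/DstOpt: 8-octet units, excl. first
        if off + hlen > len(pkt):
            return "drop", "truncated extension header"
        if nxt == FRAG and struct.unpack("!H", pkt[off + 2:off + 4])[0] & 0xFFF8:
            # Non-first fragment: the upper-layer header lives in another packet,
            # so a stateless firewall cannot see what it is filtering.
            return "drop", "non-first fragment, upper-layer header not present"
        nxt, off = pkt[off], off + hlen
    if nxt in KNOWN_ULP:
        return "pass", KNOWN_ULP[nxt]
    # This branch is the ossification point: a protocol the endpoints may
    # legitimately use is dropped only because the firewall does not know it.
    return "drop", f"unknown upper-layer protocol {nxt}"

def build_packet(chain, ulp, frag_offset=0):
    """Constructed sample input: minimal IPv6 packet with EHs in `chain`, then `ulp`."""
    nexts = chain + [ulp]
    body = b""
    for typ, nxt in zip(chain, nexts[1:]):
        if typ == FRAG:
            body += bytes([nxt, 0]) + struct.pack("!HI", frag_offset << 3, 0xABCD)
        elif typ == AH:
            body += bytes([nxt, 4, 0, 0]) + b"\x00" * 20    # 24 octets: (4 + 2) * 4
        else:
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])        # 8 octets, one PadN option
    hdr = b"\x60\x00\x00\x00" + struct.pack("!HBB", len(body), nexts[0], 64) + b"\x00" * 32
    return hdr + body
```

Try `walk_eh_chain(build_packet([DSTOPT], 132))`: SCTP is a perfectly valid transport, yet this firewall drops it because 132 is not in its table.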

> Eduard
> -----Original Message-----
> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Fernando Gont
> Sent: 26 July 2020 8:46
> To: IPv6 Operations <v6ops@ietf.org>
> Cc: draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org
> Subject: [v6ops] Operational Implications of IPv6 Packets with Extension Headers (Fwd: New Version Notification for draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt)
>
> Folks,
>
> We have posted a rev of our IETF I-D "Operational Implications of IPv6 Packets with Extension Headers".
>
> The I-D is available at:
> https://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
>
> Your feedback will be appreciated.
>
> Thanks!
>
> Cheers,
> Fernando
>
>
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
> Date: Sat, 25 Jul 2020 22:28:50 -0700
> From: internet-drafts@ietf.org
> To: Fernando Gont <fgont@si6networks.com>, Gert Doering <gert@space.net>, Geoff Huston <gih@apnic.net>, Warren Kumari <warren@kumari.net>, Nick Hilliard <nick@inex.ie>
>
>
> A new version of I-D, draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
> has been successfully submitted by Fernando Gont and posted to the IETF repository.
>
> Name:           draft-gont-v6ops-ipv6-ehs-packet-drops
> Revision:       04
> Title:          Operational Implications of IPv6 Packets with Extension Headers
> Document date:  2020-07-25
> Group:          Individual Submission
> Pages:          15
> URL:
> https://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
> Status:
> https://datatracker.ietf.org/doc/draft-gont-v6ops-ipv6-ehs-packet-drops/
> Htmlized:
> https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops-04
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ipv6-ehs-packet-drops
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-gont-v6ops-ipv6-ehs-packet-drops-04
>
> Abstract:
>     This document summarizes the security and operational implications of
>     IPv6 extension headers, and attempts to analyze reasons why packets
>     with IPv6 extension headers may be dropped in the public Internet.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops