Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Mon, 22 May 2023 15:33 UTC

Date: Mon, 22 May 2023 15:21:53 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Ole Troan <otroan=40employees.org@dmarc.ietf.org>
Cc: Andrew Campling <andrew.campling@419.consulting>, IPv6 Operations <v6ops@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/VO9QfERFfPENKA3rLoaS5wOPuuA>

Ole,
> it might be time that we accept that this was a bad idea. Which deployment status has confirmed.

Is it your intent to submit a draft deprecating IPv6 Extension Headers?
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360 

On Monday, May 22, 2023 at 07:38:20 AM PDT, Ole Troan <otroan=40employees.org@dmarc.ietf.org> wrote:

Tom,

> The problem is in public networks where the service provider acts as
> "anonymous big brother" to enforce its concept of security to
> "protect" the users. While I'm sure they'd like us to think that they
> are acting for the benefit of the users and it's for the "good of the
> Internet", the reality is that having a patchwork of random security
> policies across the Internet is counterproductive, and, frankly, some
> of these policies are driven more by localized business interests
> rather than the users' best interests.
> 
> As a host and networking stack developer, I view the network and these
> arbitrary inconsistent security policies as the problem not as the
> solution to application and host security. The best tool developers
> have is to encrypt as much of the packet as possible to keep network
> providers from meddling in protocol layers they shouldn't be, but
> unfortunately that isn't applicable to all protocols like EH for
> instance (although, given that IPsec was on Fernando's approved list
> of extension headers, I suppose we could hide all the extension
> headers we want in IPsec :-) )

I don’t think Fernando has argued the case that some EHs should be filtered in public transit networks?
In the whole I think it’s not a good idea that the IETF has some working groups working hard at defining new protocols and other working groups working hard at defining policies to block them.

For public transit networks, the IETF could work on describing ‘what is Internet access’. The production declaration if you like. And then regulation could be used to enforce that. We’d need encryption too I’m sure.

Now for EHs in general. Their functionality of providing a separate signalling channel independent of the application… it might be time that we accept that this was a bad idea. Which deployment status has confirmed.


Best regards,
Ole