Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Fernando Gont <fgont@si6networks.com> Thu, 18 May 2023 13:10 UTC

To: Tom Herbert <tom@herbertland.com>
Cc: 6man@ietf.org, V6 Ops List <v6ops@ietf.org>, opsec WG <opsec@ietf.org>

Hi, Tom,

On 17/5/23 19:56, Tom Herbert wrote:

> 
> Fernando,
> 
> There's an old saying phrased in the form of a question: "What is the
> most secure network in the world?". The answer is "One that's turned
> off". 

It is not about "most secure network", but rather about unnecessary risk.

Go look at the CVEs for IPv6 EHs. Then go enable them in your network, and 
when you get DoSed, tell your manager that while the feature wasn't 
needed, and you were aware of the long track record of CVEs associated with 
the feature, you left it enabled "for the good of the Internet".

That line of thought would never have flown with anybody I have worked 
for in a security role.


> So, if you want to build a network with maximum security then by all
> means drop packets with extension headers; but, also be sure to drop
> packets containing other protocols that are potentially susceptible to
> implementation which includes any other transport protocol other than
> TCP, IP fragmentation, and you probably should consider IPv6 as well
> since we certainly haven't seen the last of the implementation bugs
> for that. UDP as a secure protocol is right out! For the remaining
> "authorized" protocols, which is just TCP over IPv4, immediately drop
> all TCP packets that are not to or from port 443 because anything else
> is insecure. Also a TCP implementation could have bugs, so require
> that users only use a network provider approved TCP stack
> implementation verified to be bug free and frozen in time that only
> allows bug fixes (we need to avoid regressions!).

There are 20/30+ more years of experience with and testing of IPv4 and TCP 
implementations than of these IPv6 features.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494