IETF Logo Mail Archive

Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Ole Trøan <otroan@employees.org> Mon, 22 May 2023 16:21 UTC

Return-Path: <otroan@employees.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66F0DC15109D; Mon, 22 May 2023 09:21:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.428
X-Spam-Level:
X-Spam-Status: No, score=-6.428 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=employees.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXxwh6_ieD26; Mon, 22 May 2023 09:21:39 -0700 (PDT)
Received: from proxmox03.kjsl.com (proxmox03.kjsl.com [204.17.39.173]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0585C153CA8; Mon, 22 May 2023 09:21:31 -0700 (PDT)
Received: from proxmox03.kjsl.com (localhost.localdomain [127.0.0.1]) by proxmox03.kjsl.com (Proxmox) with ESMTP id 40D67142F57; Mon, 22 May 2023 16:21:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=employees.org; h=cc:cc:content-transfer-encoding:content-type:content-type :date:from:from:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=prox2023; bh=mdkU07+PGqeiqwRR TzF39vN7gESGlCcC0/XCqK5Fi14=; b=NnYREqK1hp5sBCJhQaPChiDBgOPMR2N5 LPp00ac8/D10d3vsbJ0HT7S5urw0V9d8Pt+z8VtsxcGnCgY2MkzVQlFTyKbfdyCc lqQ6wXd72Qy/a4O/qTvT8fvUPphWlPruLcI7RfbKJptw1nlkhZASCAG+s0+6RjJ/ TCLLpK1UwjOMIXHwmZHMnAg0uWayeQQn/8ESLYomoPmyr8H5sM8lpphWI1RnVXvT 1Z/PpCO2/si0NNeppPDpbN1DBK6IGPwY73qfOWAAC2sXNsH69Vyr3aZHPt3j0FTd gr4SKTL3aeD8KnxbtJb/frSuQ8Z/uUo1XAE2xIuGg1lSlhGkBZr/gg==
Received: from clarinet.employees.org (clarinet.employees.org [IPv6:2607:7c80:54:3::74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by proxmox03.kjsl.com (Proxmox) with ESMTPS id 2475C142F52; Mon, 22 May 2023 16:21:31 +0000 (UTC)
Received: from smtpclient.apple (unknown [IPv6:2a02:2121:621:e0bc:4dc4:a648:3ccd:3bed]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id AAB5B4E11B6F; Mon, 22 May 2023 16:21:29 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail-A6DD9474-476B-4558-A6A7-CEA162312D59"
Content-Transfer-Encoding: 7bit
From: Ole Trøan <otroan@employees.org>
Mime-Version: 1.0 (1.0)
Date: Mon, 22 May 2023 18:21:17 +0200
Message-Id: <C90EF571-2754-4C12-B7D6-FEDD1D17CA19@employees.org>
References: <338409937.875780.1684768913874@mail.yahoo.com>
Cc: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Ole Troan <otroan=40employees.org@dmarc.ietf.org>, opsec@ietf.org, 6man WG <ipv6@ietf.org>, IPv6 Operations <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <338409937.875780.1684768913874@mail.yahoo.com>
To: nalini.elkins@insidethestack.com
X-Mailer: iPhone Mail (20F66)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ZWA0KgZD7pxMIkbFigZsUvTjCws>
Subject: Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 16:21:43 -0000

Hi Nalini,

> > it might be time that we accept that this was a bad idea. Which deployment status has confirmed.
> 
> Is it your intent to submit a draft deprecating IPv6 Extension Headers?

Do you want me to?
A couple of them seem to have found some use within limited domains. Those problems could likely have been solved also with encapsulation and as it turns out the limited domains end up with additional encapsulation too. Encapsulation is in my a view a better way to reason about these extensions than EHs.

If nothing else they have served as a way to extend the ip protocol name space. 

O.

v2.23.0 | Report a Bug | By Email