Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

[Vasilenko Eduard <vasilenko.eduard@huawei.com>]

IMHO: Fernando comes here with a good example (EH DoS). Security is a good reason to block EHs.
But for business, every feature should be tested, supported, and somebody should pay an additional performance penalty.
I am not sure which reason is bigger: additional cost or security risk. It depends on the organization type.
Ed/
-----Original Message-----
From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Arnaud Taddei
Sent: Thursday, May 25, 2023 8:12 AM
To: Fernando Gont <fgont@si6networks.com>
Cc: Manfredi (US), Albert E <albert.e.manfredi@boeing.com>; IPv6 Operations <v6ops@ietf.org>; 6man <ipv6@ietf.org>; opsec@ietf.org
Subject: Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Would like to support Fernando again, and not just because I have a Sony TV too. 

Cybersecurity is in such a bad state that I can only plea for a sense of realism and pragmatism vs dogmatism to get real solutions at hand to the defenders practitioners

If not I will ask people here to consider spending a week in a Security Operation Center when there is a Ransomware breaking up 

Fernando’s paper intentions will be appreciated by the defenders  



> On 25 May 2023, at 03:07, Fernando Gont <fgont@si6networks.com> wrote:
> 
> 
> 
> On 25/5/23 02:01, Manfredi (US), Albert E wrote:
>> -----Original Message-----
>> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Fernando Gont
>>> Given the amount of things that get connected to the Net (smart bulbs, refrigerators, etc.) -- and that will super-likely never receive security updates, you may have to **rely on your own network**.
>>> 
>>> For instance, I wouldn't have my smart TV "defend itself".
>> Agreed, "on your own network." From the viewpoint of a household, whatever network defense has to be behind that household's router, for it to be credible, and preferably right in each host. Yeah, some IoT devices may not be updated regularly.
> 
> So, that's why people block them at the edge.
> 
> (just the messenger)
> 
> 
> 
>> The ISP has to worry about protecting that ISP's own network. 
> 
> That's e.g. where RFC9098 comes in, with notes on why they are dropped in places other than the edge network.
> 
> 
> 
>> Households have to be responsible for protecting their household's 
>> network. (And connected TVs do get regular software updates, as a 
>> matter of fact.)
> 
> I guess it all depends on the TV? e.g., I for one I'm not planning to throw it out just because Sony decided to quit pushing updates (which were never automatic for my set).
> 
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/ops
> ec&source=gmail-imap&ust=1685581681000000&usg=AOvVaw2CR1KLp2V-YO9ZOvhw
> rWtn


--
This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.