Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Tom Herbert <tom@herbertland.com> Mon, 22 May 2023 15:42 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12719C151532 for <v6ops@ietfa.amsl.com>; Mon, 22 May 2023 08:42:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cEKVVEDAiBQT for <v6ops@ietfa.amsl.com>; Mon, 22 May 2023 08:42:37 -0700 (PDT)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E2BDC1782C4 for <v6ops@ietf.org>; Mon, 22 May 2023 08:42:14 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id 41be03b00d2f7-5304913530fso5622514a12.0 for <v6ops@ietf.org>; Mon, 22 May 2023 08:42:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1684770133; x=1687362133; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=dEV6wYF7UMfcNbjXH+xALs5ikU+Vjl2EytHBO1tsRT0=; b=LNIH2kiM5NbtpvB5CblQR1l2Z/WCh1pkfVpE9Nj9CYjzo7o5TQoPXMpeLoxJ6Ra8W+ BCAaSM1kI9HVV0AImD+mqIlyAbO12lY6DCcgXlWcGhisK4xuEo+ABTf7ObAP6D5Y1Ca4 pTy/+1wQeQIMuCsPmsMUuyyIUEiaDKqelB5FIbF1cSdeNesWM4M/ToalvnsA8B/b/tgW hzrdG7aErgBVHKL92C44vJ2/v+qQtT08P+yAy3Vv54jf59icapZB9CPaks6mHcv5qkkc JGR4ko7QOTVzsWPC5NGXVjdtS94AXrp+aMW14iWmsSxd1PAnPL1PYgpgYZ2UN0dqYp// n3pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684770133; x=1687362133; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dEV6wYF7UMfcNbjXH+xALs5ikU+Vjl2EytHBO1tsRT0=; b=AGBZOCcPNCwKplqcJgw7lhmbd36AgWa6va/4Ie9b8/WrdZ6ZWkUh7zDzM7+erA4Zxt lsRuL0YeNOh7XWSTF5O+Q7hjIFI9TQdwqHPEXrIdve1ojsGYhWY1JHXS8U4ApZckfPse Flxt9hb3rpF/0pvmZ33oA6pH1y9vR6KPVEmlafGjGNBMka8DvvMGDrUvzf6hhofWP/3c 2Bxv4WKEIp78mbyRPjKxFW20LPVM7LbvMoLUGvhmUxyMr2z5QitY4uz9iPQV+EPCtKnU LKW6/j66wuBZKetlUb3/GQKEB7QLCkte6d3qKuHdrYWqbPcohg5AZ+aAVcuqAN3pT0vf ikrw==
X-Gm-Message-State: AC+VfDzYIxEN/+bzlKRB/+r064yX+se3IOSyCA/sUt5uRmUI4JxroR8+ 1NMndahs3biw1dQPk3oiYziPuJbza0g9XiXVyESrkTXYQK7FyAgA
X-Google-Smtp-Source: ACHHUZ6U8XTiBz4svKlzeZ91UMFrxZg90ULNTxb2/dtT7mSj1WMVcdd4JzdtnZep2g8BQmcILX4Qf7Y3UG93cV0DaTI=
X-Received: by 2002:a17:90b:1014:b0:255:2dde:17cc with SMTP id gm20-20020a17090b101400b002552dde17ccmr7702682pjb.47.1684770132906; Mon, 22 May 2023 08:42:12 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CALx6S35aUNqgyO+8H_QnP4FPp6eRi6aAUfi38AF16SXWAqa6UQ@mail.gmail.com> <E54182CA-D47C-4EFE-ACE1-03C10F72D55A@employees.org>
In-Reply-To: <E54182CA-D47C-4EFE-ACE1-03C10F72D55A@employees.org>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 22 May 2023 08:42:01 -0700
Message-ID: <CALx6S35zXhjqKYXJjxwzJiMPrbgWdSYXMrCaFwY8rWPijbK6ew@mail.gmail.com>
To: Ole Troan <otroan=40employees.org@dmarc.ietf.org>
Cc: Andrew Campling <andrew.campling@419.consulting>, IPv6 Operations <v6ops@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/bU9vAg5xAa4pPhF4Fa9Ilqlfsv0>
Subject: Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 15:42:42 -0000
On Mon, May 22, 2023 at 7:37 AM Ole Troan <otroan=40employees.org@dmarc.ietf.org> wrote: > > Tom, > > > The problem is in public networks where the service provider acts as > > "anonymous big brother" to enforce its concept of security to > > "protect" the users. While I'm sure they'd like us to think that they > > are acting for the benefit of the users and it's for the "good of the > > Internet", the reality is that having a patchwork of random security > > policies across the Internet is counterproductive, and, frankly, some > > of these policies are driven more by localized business interests > > rather than the users' best interests. > > > > As a host and networking stack developer, I view the network and these > > arbitrary inconsistent security policies as the problem not as the > > solution to application and host security. The best tool developers > > have is to encrypt as much of the packet as possible to keep network > > providers from meddling in protocol layers they shouldn't be, but > > unfortunately that isn't applicable to all protocols like EH for > > instance (although, given that IPsec was on Fernando's approved list > > of extension headers, I suppose we could hide all the extension > > headers we want in IPsec :-) ) > > I don’t think Fernando has argued the case that some EHs should be filtered in public transit networks? > In the whole I think it’s not a good idea that the IETF has some working groups working hard at defining new protocols and other working groups working hard at defining policies to block them. > > For public transit networks, the IETF could work on describing ‘what is Internet access’. The production declaration if you like. And then regulation could be used to enforce that. We’d need encryption too I’m sure. > > Now for EHs in general. Their functionality of providing a separate signalling channel independent of the application… it might be time that we accept that this was a bad idea. Which deployment status has confirmed. Ole, I don't necessarily agree with that. We are seeing traction with extension headers like routing header (e.g. segment routing) and hop-by-hop options (like IOAM). Ostensibly, such extension headers are meant to only be used in a limited domain as opposed to the open Internet. There are three problems with the "limited domain" argument: 1) There is no normative definition of a limited domain 2) Even if there was a normative definition, I think there would be substantial pushback in bifurcating the protocol suite to have one set of protocols for limited domains and another defined for general Internet. 3) The lines between a limited domain and the open Internet will inevitably be blurred anyway. For the last point, consider that it is common for large networks to host servers for content providers like Facebook or YouTube. Conceivably, one could envision a HBH option that allows the provider to provide fine grained QoS for their customers reaching those servers (like draft-herbert-fast). How would this be viewed in using HBH in a limited domain? Or extrapolating this scenario, suppose two providers partner and want to share such signaling. How does this work in light of limited domains? I would assume as long as transit networks don't drop packets with EH it should work (hopefully without having to tunnel packets across the Internet). Tom > > > Best regards, > Ole
- [v6ops] Why folks are blocking IPv6 extension hea… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Ted Lemon
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Jen Linkova
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Vasilenko Eduard
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Dale W. Carder
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Xipengxiao
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Michael McBride
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Ole Troan
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Haisheng Yu
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Bob Natale
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXT] Re: [OPSEC] [IPv6] Why folks ar… Bob Natale
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Trøan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… hsyu
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Vasilenko Eduard
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Vasilenko Eduard
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Brian E Carpenter
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Bob Natale
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Haisheng Yu
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Warren Kumari
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Ole Troan
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Warren Kumari
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Fernando Gont
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Clark Gaylord
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Brian E Carpenter
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Brian E Carpenter
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Andrew Alston
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Mike Simpson
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Haisheng Yu
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Nick Hilliard
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] [EXTERNAL] Re: Why fol… Bob Natale