IETF Logo Mail Archive

Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Ole Troan <otroan@employees.org> Mon, 22 May 2023 14:37 UTC

Return-Path: <otroan@employees.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14FA4C0DA97B for <v6ops@ietfa.amsl.com>; Mon, 22 May 2023 07:37:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.43
X-Spam-Level:
X-Spam-Status: No, score=-6.43 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=employees.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pLzeDYCthK_Q for <v6ops@ietfa.amsl.com>; Mon, 22 May 2023 07:37:05 -0700 (PDT)
Received: from proxmox03.kjsl.com (proxmox03.kjsl.com [IPv6:2605:8e00:12:1::d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41649C1519B9 for <v6ops@ietf.org>; Mon, 22 May 2023 07:37:05 -0700 (PDT)
Received: from proxmox03.kjsl.com (localhost.localdomain [127.0.0.1]) by proxmox03.kjsl.com (Proxmox) with ESMTP id C0C8D142E42; Mon, 22 May 2023 14:37:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=employees.org; h=cc:cc:content-transfer-encoding:content-type:content-type :date:from:from:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to; s=prox2023; bh=oGLskij5hKCy5ux2 a63u2RbUQSSJhaTMm4mYn2gTdDw=; b=PSXh5q0ZdFWUjMbTwExBwbIuUumc6IBV ysBAtM63V52HBgvnoyrcuXN9JQn2zd70s1XuBXOQ6moeALbn9Zvo+vKFgaadF08h I7a9axNVxr+OzC/pqdjEwRq3/q2FiAIgoYtCXUlw60yTNMQl5yPAnjERh6M7iz1+ UOshwaQ2jxKVraiwkxfFPtPq13S8ZWCA+e+nJFeTtkQcU2ruc6ytYzDhHTmfkeaA sCgpymdqiGr9idNeKLELFdpV+cxak2vHk9EdF4n+06mDI63ogB0szgU0aGyQvkaR 6oZm3qIPGtG7yhvcjqHViae7ZNPOWjg+seQRab0e4poPODvs5BN90A==
Received: from clarinet.employees.org (clarinet.employees.org [198.137.202.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by proxmox03.kjsl.com (Proxmox) with ESMTPS id A3207142E3F; Mon, 22 May 2023 14:37:03 +0000 (UTC)
Received: from smtpclient.apple (dhcp1851258197.blix.com [185.12.58.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by clarinet.employees.org (Postfix) with ESMTPSA id 4623B4E11B83; Mon, 22 May 2023 14:37:02 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Ole Troan <otroan@employees.org>
In-Reply-To: <CALx6S35aUNqgyO+8H_QnP4FPp6eRi6aAUfi38AF16SXWAqa6UQ@mail.gmail.com>
Date: Mon, 22 May 2023 16:36:48 +0200
Cc: Andrew Campling <andrew.campling@419.consulting>, IPv6 Operations <v6ops@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, 6man WG <ipv6@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E54182CA-D47C-4EFE-ACE1-03C10F72D55A@employees.org>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CALx6S35aUNqgyO+8H_QnP4FPp6eRi6aAUfi38AF16SXWAqa6UQ@mail.gmail.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/dcvaTIbW-ZiliXbaEpMx06RQ0lo>
Subject: Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 14:37:11 -0000

Tom,

> The problem is in public networks where the service provider acts as
> "anonymous big brother" to enforce its concept of security to
> "protect" the users. While I'm sure they'd like us to think that they
> are acting for the benefit of the users and it's for the "good of the
> Internet", the reality is that having a patchwork of random security
> policies across the Internet is counterproductive, and, frankly, some
> of these policies are driven more by localized business interests
> rather than the users' best interests.
> 
> As a host and networking stack developer, I view the network and these
> arbitrary inconsistent security policies as the problem not as the
> solution to application and host security. The best tool developers
> have is to encrypt as much of the packet as possible to keep network
> providers from meddling in protocol layers they shouldn't be, but
> unfortunately that isn't applicable to all protocols like EH for
> instance (although, given that IPsec was on Fernando's approved list
> of extension headers, I suppose we could hide all the extension
> headers we want in IPsec :-) )

I don’t think Fernando has argued the case that some EHs should be filtered in public transit networks?
In the whole I think it’s not a good idea that the IETF has some working groups working hard at defining new protocols and other working groups working hard at defining policies to block them.

For public transit networks, the IETF could work on describing ‘what is Internet access’. The production declaration if you like. And then regulation  could be used to enforce that. We’d need encryption too I’m sure.

Now for EHs in general. Their functionality of providing a separate signalling channel independent of the application… it might be time that we accept that this was a bad idea. Which deployment status has confirmed.


Best regards,
Ole

v2.23.0 | Report a Bug | By Email