Re: [v6ops] Extension Headers / Impact on Security Devices
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 15 May 2015 20:36 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 442B01A1BFA for <v6ops@ietfa.amsl.com>; Fri, 15 May 2015 13:36:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rk1VE7t0BK2M for <v6ops@ietfa.amsl.com>; Fri, 15 May 2015 13:36:38 -0700 (PDT)
Received: from mail-pa0-x22b.google.com (mail-pa0-x22b.google.com [IPv6:2607:f8b0:400e:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD3DE1A0270 for <v6ops@ietf.org>; Fri, 15 May 2015 13:36:38 -0700 (PDT)
Received: by pabru16 with SMTP id ru16so27251018pab.1 for <v6ops@ietf.org>; Fri, 15 May 2015 13:36:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=CCRegco97fo2gcqQMQBEYNI6A2C9PV89wxRi6vSh4Ro=; b=vdgS4VsMi3GUNqLRBMnNDhx6InvBq3uFGxhbztQL8WOoCiIGf8d7jHy4bQ11BXb9js H9KNZUXQrnd/rvsoBr1hbI8ErdpFvYjneW60ual3onBWpqzyO+wtr8ZqrBwrDFUMN2lP EHGvWY1WZj3IV+M4uTUqiltAmErjpNV81Y3lk4ZqU13xgXDSy2+J0m7MghKE/mDYRq9C Yy1vWqjh0YPAfIy8+xh2EvIDFDzCBNJUx/0qmbLvmu7Cq99i92G1L8xVVB/Fz2EizBkw Wj84Shfso52Z2JtcRn6pnjxUrs0RyBK3R5eqHU8GfP8A3406Irv2Jgcb512m0kT7R1Va 19fg==
X-Received: by 10.68.135.36 with SMTP id pp4mr21754355pbb.134.1431722198325; Fri, 15 May 2015 13:36:38 -0700 (PDT)
Received: from ?IPv6:2406:e007:6f4c:1:28cc:dc4c:9703:6781? ([2406:e007:6f4c:1:28cc:dc4c:9703:6781]) by mx.google.com with ESMTPSA id zt9sm2735137pac.9.2015.05.15.13.36.35 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 15 May 2015 13:36:37 -0700 (PDT)
Message-ID: <555658DE.6080402@gmail.com>
Date: Sat, 16 May 2015 08:36:46 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Enno Rey <erey@ernw.de>, v6ops@ietf.org
References: <20150515113728.GH3028@ernw.de>
In-Reply-To: <20150515113728.GH3028@ernw.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/dzBTW59aOUne0S_eQEeyT9TJCgE>
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2015 20:36:40 -0000
Enno, On 15/05/2015 23:37, Enno Rey wrote: ... > As for the topic itself I'd like to summarize our position as follows: > - it has not happened in the past 17 yrs (since publication of RFC2460) that compelling, Internet-scale use cases of extension headers have been brought up. I object to that logic. Firstly, the timescale is misleading: IPv6 deployment has been so painfully slow that you really can't look at the 17 year span for this argument; it's only within the last 5 years or so that the words "compelling" and "Internet-scale" could be relevant. That's why the obvious issues in RFC 2460 were only fixed in 2013, by the way (RFC 7045). We haven't even had time for those fixes to reach deployment. Secondly, "compelling" is entirely a matter of judgement. There's no possibility of a compelling case for something that is undeployable, and it's well known that because of faulty handling of new extension headers by middleboxes, no new extension headers are deployable today. > - we're hence quite sceptical as for the "we might see cool use cases in 15-20 yrs" position someone expressed at the mic. Of course you won't, until middleboxes stop breaking them. Extensibility is for the future and unpredictable, by definition. > - from a security perspective they turn out to be a nightmare for (a number of) current security architectures and controls. it is hence understandable (and we actually advise to do so) that they are blocked at the _border_ of networks that have not yet managed to identify a compelling use case. That is automatically a self-fulfilling prophecy. The new rules in RFC 7045 were carefully constructed to offer a way out of this. I hope your advice is to follow those rules and to insist on products that allow this (correct defaults, for example). > - looking at the "liberty" RFC2460 provides as for ext_hdrs (wrt to their number, order, options, fragmentable vs. unfragmentable part etc.) we do not expect that type of security issues to disappear soon (the main reason why we did not continue the IDPS research was that the involved student eventually delivered his thesis. one can probably find much more issues provided time & resources. following LANGSEC it might be impossible to "fix" all of them either). I assume you are following documents like draft-ietf-6man-deprecate-atomfrag-generation, RFC 7112, RFC 6946, etc. It isn't as if the IETF is unaware of the issues. > Adding more parsing cycles & intelligence (read: silicon) is not an option, at least not for sth that doesn't have a use case. Well, Moore's law is stll with us, so I think that is plain wrong as products evolve, which is exactly why we should update the standards accordingly. Of course that applies to vendors, not operators. > - the results of this (blocking) approach have been observed and documented by Jen & Fernando and others (Tim Chown). > - now that "this vicious circle" has gained sufficient ground it will be evfixesen less incentivized to develop a compelling use case. which is why we do not expect to see one in the future. It's possible, but that doesn't mean that the IETF should give up on extensibility. We should continue to mitigate the problems, which is what we've been doing for several years, since they became apparent. Nobody, I think, is arguing that the extensibility design in IPv6 is middlebox-friendly. But that's history and we have to deal with it. Brian
- [v6ops] Extension Headers / Impact on Security De… Enno Rey
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Mark ZZZ Smith
- Re: [v6ops] Extension Headers / Impact on Securit… Gert Doering
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Silvia Hagen
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Enno Rey
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Ole Troan
- Re: [v6ops] Extension Headers / Impact on Securit… sthaug
- Re: [v6ops] Extension Headers / Impact on Securit… Nick Hilliard
- Re: [v6ops] Extension Headers / Impact on Securit… Fernando Gont
- Re: [v6ops] Extension Headers / Impact on Securit… Ted Lemon
- Re: [v6ops] Extension Headers / Impact on Securit… Gert Doering
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Ted Lemon
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Sander Steffann
- Re: [v6ops] Extension Headers / Impact on Securit… Mark ZZZ Smith
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Tim Chown
- Re: [v6ops] Extension Headers / Impact on Securit… Eric Vyncke (evyncke)
- Re: [v6ops] Extension Headers / Impact on Securit… Silvia Hagen
- Re: [v6ops] Extension Headers / Impact on Securit… Nick Hilliard
- Re: [v6ops] Extension Headers / Impact on Securit… Mark ZZZ Smith
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Gert Doering
- Re: [v6ops] Extension Headers / Impact on Securit… Ray Hunter
- Re: [v6ops] Extension Headers / Impact on Securit… Tim Chown
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Eric Vyncke (evyncke)
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Stefano Previdi (sprevidi)
- Re: [v6ops] Extension Headers / Impact on Securit… Stefano Previdi (sprevidi)
- Re: [v6ops] Extension Headers / Impact on Securit… Howard, Lee
- Re: [v6ops] Extension Headers / Impact on Securit… Fred Baker (fred)
- Re: [v6ops] Extension Headers / Impact on Securit… Fred Baker (fred)
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Enno Rey
- Re: [v6ops] Extension Headers / Impact on Securit… Eric Vyncke (evyncke)
- Re: [v6ops] Extension Headers / Impact on Securit… Ca By
- Re: [v6ops] Extension Headers / Impact on Securit… Mark ZZZ Smith
- Re: [v6ops] Extension Headers / Impact on Securit… Ca By
- Re: [v6ops] Extension Headers / Impact on Securit… Jen Linkova
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- Re: [v6ops] Extension Headers / Impact on Securit… Fred Baker (fred)
- Re: [v6ops] Extension Headers / Impact on Securit… Ca By
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Fred Baker (fred)
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Enno Rey
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Jen Linkova
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … sthaug
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Nick Hilliard
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Jen Linkova
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Jen Linkova
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … sthaug
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Enno Rey
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Jen Linkova
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Enno Rey
- Re: [v6ops] Extension Headers / Impact on Securit… Ca By
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Fred Baker (fred)
- Re: [v6ops] Extension Headers / Impact on Securit… Jen Linkova
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Enno Rey
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Brian Haberman
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Enno Rey
- Re: [v6ops] Extension Headers / Impact on Securit… Fred Baker (fred)
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Tore Anderson
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Brian Haberman
- Re: [v6ops] Extension Headers / Impact on Securit… Joe Touch
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Enno Rey
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Tore Anderson
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … sthaug
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Brian E Carpenter
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Warren Kumari
- Re: [v6ops] Extension Headers / Impact on Securit… Brian E Carpenter
- [v6ops] So what is or are the problem or problems… Mark ZZZ Smith
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … sthaug
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Brian Haberman
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Gert Doering
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Joe Touch
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Ole Troan
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … sthaug
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Ole Troan
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Enno Rey
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Mark ZZZ Smith
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Brian E Carpenter
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Warren Kumari
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Ronald Bonica
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Mark ZZZ Smith
- Re: [v6ops] Extension Headers / Impact on Securit… Fernando Gont
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Fernando Gont
- Re: [v6ops] [ipv6-wg] Extension Headers / Impact … Brian Haberman