IETF Logo Mail Archive

Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Fernando Gont <fernando@gont.com.ar> Sun, 21 May 2023 13:54 UTC

Return-Path: <fernando@gont.com.ar>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0CB3C151085; Sun, 21 May 2023 06:54:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.308
X-Spam-Level:
X-Spam-Status: No, score=-5.308 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8gtckYAx4TiR; Sun, 21 May 2023 06:54:42 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B24EC151091; Sun, 21 May 2023 06:54:36 -0700 (PDT)
Received: from [10.89.9.171] (unknown [91.90.189.54]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 264EC280347; Sun, 21 May 2023 10:54:32 -0300 (-03)
Message-ID: <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar>
Date: Sun, 21 May 2023 11:33:38 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
Content-Language: en-US
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Fernando Gont <fgont@si6networks.com>
Cc: V6 Ops List <v6ops@ietf.org>, 6man@ietf.org, opsec WG <opsec@ietf.org>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com>
From: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/epdEyxDp7_HGKQjGn_hzs2ezNrk>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 May 2023 13:54:43 -0000

Hi, Tom,

On 18/5/23 15:27, Tom Herbert wrote:
[....]
>>>
>>> So, I’m not really happy with the all or nothing approach the two of you
>>> seem to be offering for IPv6 extension headers, is there something in
>>> between? If not, then maybe that is what we need to be working towards.
>>
>> FWIW, I[m not arguing for a blank "block all", but rather "just allow
>> the ones you really need" -- which is a no brainer.
> 
> Fernando,
> 
> I'm not sure how that's a no brainer, who decides "the ones you really
> need"? 

Typically. whoever runs the destination AS or network. Or the transit 
AS, if the packets will affect the transit AS.


> If everyone independently makes that decision then we wind up
> with an Internet that can't evolve and is perpetually stuck in the
> status quo.

Well, yes, there's no big brother making decisions about mine or your 
networks' policies.... hence everyone makes decisions independently.

(IN a way that's why QUIC runs on top of UDP ... although in the case of 
QUIC, I bet it has more to do with NATs thatn with explicit firewalling)

>> The list you need
>> is, maybe Frag and, say, IPsec at the global level? (from the pov of
>> most orgs).
>>
>> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
>>
> It might be productive if you suggested a more concrete direction
> here. Maybe a proposed BCP suggesting the EHs that you believe should
> be universally blocked and the rationalization for that and why the
> problems with them can't be fixed.

Are your referring to the "transit AS" case, the "dest AS/network" case, 
or both?

In any case, my comment was simply a two-liner email comment, as opposed 
to full-fledged advice.

Thanks!

Regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01

v2.23.0 | Report a Bug | By Email