Re: [v6ops] Extension Headers / Impact on Security Devices

Tim Chown <> Wed, 27 May 2015 11:35 UTC



> On 27 May 2015, at 00:06, Brian E Carpenter <> wrote:
> On 26/05/2015 17:27, Mark ZZZ Smith wrote:
>> ______________________________
>> From: Eric Vyncke (evyncke) <>
>> To: Tim Chown <>; Joe Touch <>
>> Cc: "" <>
>> Sent: Wednesday, 20 May 2015, 22:28
>> Subject: Re: [v6ops] Extension Headers / Impact on Security Devices
>> On 20/05/15 10:14, "Tim Chown" <> wrote:
>>> The other question is what existing work is being done that relies on the
>>> correct (desired) operation of EHs? The two that would spring out would
>>> be segment routing and sfc, at least one of which is using the existing
>>> Routing Header. If such protocols are constrained to specific
>>> administrative domains then their successful operation I would assume is
>>> down to specific EH handling in the equipment in that domain, and its
>>> capabilities, rather than (undesired) operator filtering somewhere
>>> between sender and receiver.
>> The primary use case of segment routing is indeed within a single
>> administrative domain, so, EH does not cause a problem.
> I've lost track of who wrote that (Tim?), but it's only true if
> all middleboxes respect RFC 7045, especially the bits about what
> needs to be configurable and what the factory defaults should be.

I think the point is that drops caused by administrative configuration should not be an issue within a domain under your full control. Which is presumably why sfc/spring are limiting their primary use cases in this way. The exposure is presumably then only equipment within their domain that has some limitation in EH handling.

>> OTOH, this whole discussion is pretty close to having a discussion on
>> whether an ISP should block everything which is neither UDP nor TCP? Or
>> block currently-unallocated TCP/UDP ports? (and I appreciate that there
>> are differences of course).
> Again: all these choices need to be configurable, so that providers
> can make their own choices and decide what to break. I assume that
> discussion belongs in opsec.

With the caveat that you can’t control what you can’t control.


>   Brian
>> / +1
>> / In my opinion a huge amount of security context is missing from this discussion, to the point where the question has been simplified to a too simplistic and binary EHs or not question, and there is never going to be consensus on that question.
>> / There seems to be an underlying and unstated set of assumptions behind the sorts of "block EHs", "must be able to look at TCP/UDP headers in the network" questions/statements:
>> / (a) the network is the only place that network, host and application security can and must be done, implying that hosts and applications do nothing to protect themselves
>> / (b) that the contents of packets will always remain transparent to the network, allowing them to be inspected in the network
>> / and (c) that all traffic to and from a host/application will always traverse a single inspection/choke point in the network and will always use the same Internet protocol.
>> / I think all of the above assumptions were true up until about the mid 1990s (if I remember well enough). Since then, they've all become false to varying degrees. Consequently, a choke point in the network may not be the best place to perform all network, host and application security measures, and in some cases persisting with that model will cause security failures. (For example, it seems that hosts aren't the lowest hanging fruit for network delivered malware any more, it is residential CPE itself - the device that is supposed to be so effective at providing "security" (including implicitly via NAT) that theoretically downstream hosts don't need firewalls at all.)
>> To Enno's original point: it is fair for a destination domain to handle
>> (permit, drop, log, inspect) incoming (or outgoing BTW) packets based on
>> layer-4 ports, layer-4 protocols or extension headers. This is their own
>> responsibility.
>> -éric
>> _______________________________________________
>> v6ops mailing list
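The permit/drop/log handling of extension headers that Éric describes, and Brian's point that a drop must come from explicit configuration rather than from a box failing to recognise a header, are illustrated by this added example (not code from the thread, from any vendor, or from the v6ops list): it walks an IPv6 extension-header chain to reach the upper-layer protocol and applies an operator-supplied policy table. The policy table and the sample packets (built on the 2001:db8::/32 documentation prefix) are constructed for illustration.

```python
import ipaddress
import struct
# EH types a forwarding node walks through to reach the upper layer (ESP omitted: it is opaque).
HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS, MOBILITY = 0, 43, 44, 51, 60, 135
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS, MOBILITY}
TCP = 6

def walk_ext_headers(pkt: bytes):
    """Return (EH types in order, upper-layer protocol, offset of that header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        chain.append(nh)
        if nh == FRAGMENT:
            hlen = 8                       # fixed-size header
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4  # Payload Len: 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units after the first 8
        nh, off = pkt[off], off + hlen
    return chain, nh, off

def apply_policy(pkt: bytes, policy: dict):
    """policy maps EH type -> 'permit' | 'drop' | 'log'; 'default' covers the rest."""
    try:
        chain, proto, _ = walk_ext_headers(pkt)
    except ValueError as e:          # a drop for malformed input is explicit, not silent
        return "drop", f"malformed: {e}"
    for eh in chain:
        action = policy.get(eh, policy["default"])
        if action != "permit":
            return action, f"EH {eh}: {action} by configured policy"
    return "permit", f"upper-layer protocol {proto}"

def ipv6_packet(ehs, upper, payload=b""):
    """Constructed sample: fixed header, one minimal 8-octet EH per listed type, payload."""
    nexts = list(ehs[1:]) + [upper]          # Next Header value carried by each EH
    ext = b"".join(bytes([nh, 0]) + bytes(6) for nh in nexts[:len(ehs)])  # len 0, rest zero/Pad1
    addr = ipaddress.IPv6Address("2001:db8::1").packed   # documentation prefix
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(ext) + len(payload),
                      ehs[0] if ehs else upper, 64, addr, addr)
    return hdr + ext + payload

# Constructed operator policy: Routing Headers logged, unknown EH types dropped.
POLICY = {"default": "drop", HOPOPT: "permit", DSTOPTS: "permit", FRAGMENT: "permit", ROUTING: "log"}
PKT_PLAIN = ipv6_packet([HOPOPT, DSTOPTS], TCP, bytes(20))
PKT_RH = ipv6_packet([ROUTING], TCP, bytes(20))
```

Whatever the chosen defaults, the point the thread makes holds: every non-permit outcome above is traceable to a policy entry or to a reported parse failure, never to a header the box silently could not handle.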