IETF Logo Mail Archive

Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 21 May 2023 21:29 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD5F8C13AE2F; Sun, 21 May 2023 14:29:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KDWaEQminSE0; Sun, 21 May 2023 14:29:02 -0700 (PDT)
Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A35D1C13AE2E; Sun, 21 May 2023 14:29:02 -0700 (PDT)
Received: by mail-pf1-x431.google.com with SMTP id d2e1a72fcca58-64d30ab1f89so1861014b3a.3; Sun, 21 May 2023 14:29:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684704542; x=1687296542; h=content-transfer-encoding:in-reply-to:cc:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=VqtBDMAUlKsZ6o0xHznZIzsj594/J5Oc5IKLvDj9vO0=; b=HcigrUG3Bc9An7Z0JNIklHThj8eCd9th9iSHS615VciNNjREwJNbxaVyLj7f6UkN25 D9gJAMzEZgYetSCH9zNTjYJubi1wiZSxAa7jzpVaRRbwbKwWHpR3hYjky6Thx0WGhX5o 9Sh6lnplJsRuF4abVqWdhvgmnF4oywM5/dAjc5OsHnw1jpav5gMhQSzWYV2NK2wNV08r 1sc6tsXe7ZSXeWkY10k+hQdB8Q3/UloU9axK7lHDpDEWWnfc3GCTbiF8QOpoV8Gs3nqi wMvYsPHIdP6uaCFEwKcl6hAhIxEPNXSVzhR2Lwxz3f9uIy1VCWIFcSN7Yv+mSgNFpaCK s8Kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684704542; x=1687296542; h=content-transfer-encoding:in-reply-to:cc:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=VqtBDMAUlKsZ6o0xHznZIzsj594/J5Oc5IKLvDj9vO0=; b=LAnOFPdGqpHddWKCaNq8dYaocY2rqYt1PKa44sJ62h1f/TK/AJXuwGQIpZ0XZX7dNr Oa+pLkpickkUP+lWXF/ObvtL0urmU5Ekxlv94ogON3EowjCTgPKeaySgxZOWITdnGZ+l KTnct9+JGhE/5PS2sD4c6CP3e/2FKmDI8mDGecDLTfv6/JQAPI/OTOlGl2mdicIGqiN2 GpaRk4YPnVUhGoecAeadD57fC0uAO7SfeacRA82KRCJ3J7z/A343ACUZ5E9fTWGNERgE kJSJpEJ7pgNCsa7RBXfvHu+Ae8GNFElPY6cz8GrFnuQcm8yRvVWubXPUS1eoCrfb4YI7 eB7A==
X-Gm-Message-State: AC+VfDwFNJutwMdHpv3a9p6Kw0Ea3xMgFQfsd9Wul9fqffLsydGATRSv br/RRDmHnKwj+LqgE0Ln9g06LLJ0eUB9Yg==
X-Google-Smtp-Source: ACHHUZ7BnRl33uuMCMB4lUQo2FVSQkl95CR2V7exsMpCcCk5ZozuK+WsiYRJnKGJD23q24zLcIO8Iw==
X-Received: by 2002:a17:902:db07:b0:1ae:89a:9e with SMTP id m7-20020a170902db0700b001ae089a009emr11329339plx.61.1684704541855; Sun, 21 May 2023 14:29:01 -0700 (PDT)
Received: from ?IPV6:2406:e003:1184:f001:abb6:ea4f:cf8e:1d0d? ([2406:e003:1184:f001:abb6:ea4f:cf8e:1d0d]) by smtp.gmail.com with ESMTPSA id v1-20020a170902b7c100b001a95c7742bbsm3391456plz.9.2023.05.21.14.28.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 21 May 2023 14:29:01 -0700 (PDT)
Message-ID: <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com>
Date: Mon, 22 May 2023 09:28:55 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Fernando Gont <fernando@gont.com.ar>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
In-Reply-To: <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/fsSbeY5-sAwOlHao4SBNd7rJ8Zs>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 May 2023 21:29:04 -0000

On 21-May-23 21:33, Fernando Gont wrote:
> Hi, Tom,
> 
> On 18/5/23 15:27, Tom Herbert wrote:
> [....]
>>>>
>>>> So, I’m not really happy with the all or nothing approach the two of you
>>>> seem to be offering for IPv6 extension headers, is there something in
>>>> between? If not, then maybe that is what we need to be working towards.
>>>
>>> FWIW, I[m not arguing for a blank "block all", but rather "just allow
>>> the ones you really need" -- which is a no brainer.
>>
>> Fernando,
>>
>> I'm not sure how that's a no brainer, who decides "the ones you really
>> need"?
> 
> Typically. whoever runs the destination AS or network. Or the transit
> AS, if the packets will affect the transit AS.

And there's the problem. The operator of a large network cannot possibly
know which extension headers every host on the network needs. It's
called permissionless innovation, and is supposed to be one of the main
success factors for the Internet.

>> If everyone independently makes that decision then we wind up
>> with an Internet that can't evolve and is perpetually stuck in the
>> status quo.
> 
> Well, yes, there's no big brother making decisions about mine or your
> networks' policies.... hence everyone makes decisions independently.

 From the point of view of hosts, there is an anonymous Big Brother, the
moment that any upstream operator blocks a wanted extension header.

> 
> (IN a way that's why QUIC runs on top of UDP ... although in the case of
> QUIC, I bet it has more to do with NATs thatn with explicit firewalling)

It's to do with *any* barrier to IP layer transparency. This is a very
basic tussle in the architecture.

    Brian

> 
>>> The list you need
>>> is, maybe Frag and, say, IPsec at the global level? (from the pov of
>>> most orgs).
>>>
>>> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
>>>
>> It might be productive if you suggested a more concrete direction
>> here. Maybe a proposed BCP suggesting the EHs that you believe should
>> be universally blocked and the rationalization for that and why the
>> problems with them can't be fixed.
> 
> Are your referring to the "transit AS" case, the "dest AS/network" case,
> or both?
> 
> In any case, my comment was simply a two-liner email comment, as opposed
> to full-fledged advice.
> 
> Thanks!
> 
> Regards,

v2.23.0 | Report a Bug | By Email