Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Vasilenko Eduard <vasilenko.eduard@huawei.com> Thu, 18 May 2023 11:37 UTC

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Jen Linkova <furry13@gmail.com>, David Farmer <farmer=40umn.edu@dmarc.ietf.org>
CC: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, "6man@ietf.org" <6man@ietf.org>, Fernando Gont <fgont@si6networks.com>, V6 Ops List <v6ops@ietf.org>, opsec WG <opsec@ietf.org>
Thread-Topic: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Date: Thu, 18 May 2023 11:37:44 +0000
Message-ID: <d847d6491bca413480e26783012c657f@huawei.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <CAFU7BAQH0nrbbcYiOMaAGE=UVJmRHQ8FgoD=o5kZOCrjnz7EkA@mail.gmail.com>
In-Reply-To: <CAFU7BAQH0nrbbcYiOMaAGE=UVJmRHQ8FgoD=o5kZOCrjnz7EkA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/gkJV0Ky0_kswz1EJqJHmnAxi22c>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

EHs have no problems in a closed domain. If one is needed, it would be tested, activated, and supported. The security risk and potential performance penalty would be properly managed.
The open Internet would never ever permit many EHs, because every activated feature has an associated cost for the above-mentioned procedures.
You are fighting ghosts. It is not harmful, just useless.
Ed/
-----Original Message-----
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Jen Linkova
Sent: Thursday, May 18, 2023 2:08 PM
To: David Farmer <farmer=40umn.edu@dmarc.ietf.org>
Cc: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>; 6man@ietf.org; Fernando Gont <fgont@si6networks.com>; V6 Ops List <v6ops@ietf.org>; opsec WG <opsec@ietf.org>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

On Thu, May 18, 2023 at 11:15 AM David Farmer <farmer=40umn.edu@dmarc.ietf.org> wrote:
> Most people want some level of reasonable security for both their home and for their Internet connection as well. The question is: is blocking or allowing IPv6 extension headers reasonable security? That's not an easy question to answer.
>
> In my opinion, allowing all possible extension headers is more akin to living in the country with your doors unlocked. While on the other hand, blocking all possible extension headers seems like more than the dead-bolt-lock security level I have for my home.
>
> So, I'm not really happy with the all-or-nothing approach the two of you seem to be offering for IPv6 extension headers. Is there something in between? If not, then maybe that is what we need to be working towards.

I think EHs are almost the same from the filtering PoV as any other L4 protocol. Would I allow all of them? Probably no (unless my policy for the given device or network is "permit any any"). Would I allow one I need? Most likely yes.
If an EH is dropped it means either that EH is not used in this network, or it's used, something gets broken but nobody has complained yet.
So we need to make a use case for EH, make it attractive enough and make the failure mode unpleasant enough for users to complain.

--
SY, Jen Linkova aka Furry

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
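As an added illustration of the "something in between" David asks for and the per-EH allowlist Jen describes (treating each extension header like any other L4 protocol), here is example code that is not part of the thread: it walks an IPv6 extension-header chain and applies an assumed allowlist plus a chain-length limit. The policy, the header-length rules and the sample packets are constructed for this example.

```python
"""Walk an IPv6 extension-header chain and apply a per-header allowlist.

The POLICY set and MAX_EH limit are assumptions for this example; a real
network would allow exactly the EHs it has tested and uses (e.g. HBH for MLD).
"""
import struct

HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, 135, 139, 140}
POLICY = {HBH, FRAGMENT, ESP, AH, DSTOPTS}   # assumed allowlist; Routing is not in it
MAX_EH = 3                                   # assumed cap on chain length

def inspect_ipv6(pkt: bytes) -> tuple:
    """Return ("allow"|"drop", reason) for one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop", "not IPv6"
    nh, off, seen = pkt[6], 40, 0            # Next Header lives at offset 6
    while nh in EXT_HEADERS:
        seen += 1
        if seen > MAX_EH:
            return "drop", "extension header chain too long"
        if nh not in POLICY:
            return "drop", f"extension header {nh} not permitted"
        if nh == ESP:                        # ESP payload is opaque; chain ends here
            return "allow", "ESP terminates inspectable chain"
        if off + 2 > len(pkt):
            return "drop", "truncated extension header"
        if nh == FRAGMENT:
            hlen = 8                         # Fragment header is fixed size
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4    # AH length in 4-octet units minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8    # generic EH: 8-octet units, first 8 excluded
        if off + hlen > len(pkt):
            return "drop", "truncated extension header"
        nh, off = pkt[off], off + hlen       # follow the chain
    return "allow", f"upper-layer protocol {nh}"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed IPv6 fixed header (all-zero addresses) plus payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

# Constructed sample packets (PadN option used to fill 8-octet EHs).
PADN = bytes([1, 4, 0, 0, 0, 0])
TCP_PKT = ipv6(6, bytes(20))
MLD_PKT = ipv6(HBH, bytes([58, 0]) + PADN + bytes(8))              # HBH then ICMPv6
RH0_PKT = ipv6(ROUTING, bytes([58, 0, 0, 0]) + bytes(4) + bytes(8))  # Routing header
LONG_CHAIN_PKT = ipv6(DSTOPTS, (bytes([60, 0]) + PADN) * 3 + bytes([58, 0]) + PADN)
TRUNCATED_PKT = ipv6(FRAGMENT, bytes([58, 0, 0]))                    # cut-off Fragment header
```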