IETF Logo Mail Archive

Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Sat, 27 May 2023 22:05 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E74F4C151082 for <v6ops@ietfa.amsl.com>; Sat, 27 May 2023 15:05:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L5RJMQ-nC-aP for <v6ops@ietfa.amsl.com>; Sat, 27 May 2023 15:05:23 -0700 (PDT)
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E8E0C151092 for <v6ops@ietf.org>; Sat, 27 May 2023 15:05:22 -0700 (PDT)
Received: by mail-pl1-x630.google.com with SMTP id d9443c01a7336-1b0236ee816so7222995ad.1 for <v6ops@ietf.org>; Sat, 27 May 2023 15:05:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1685225122; x=1687817122; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3amohgK92mqpNbK35l0MwjkdUfrq+NKiHcYSS/9mDiM=; b=ZNjGlqpCfO4Bobmjke2Mj4kwlB+nJbX0YUTnxIK1TsB632h6osN+AMWUL/YjZNPYoR tHMTd7Gm3SGVaWCYocB6mFrbXXBGcoXMWaFw7rmmGFNVHuaQHkdgYNyzwY96j0xOy8dF 9edMiv4gLod6rfar5iMD82ABFPfp26M2nLuh4dBoG44gdYf7JMsl9fu6vqpqGUqL8dx3 8IHygKFCy5RiJQakYEBtiJPDSdrJyzAOWGgIeF+moEOeBv8G07YP1kFXZvQK79vJ8q8X KPHFJq1Y8/WAOEGK/u+Q0X0+Qtic0zrsBZ9OChJOMdSdP0oMOsc8FsngNZ3pz+nQFMLi TxhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685225122; x=1687817122; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3amohgK92mqpNbK35l0MwjkdUfrq+NKiHcYSS/9mDiM=; b=fcb4wiK/BcQ/GiMYsqTkrEzj2dHmIwQc0NStHNjdV65maiCUTkhoYoNcvbF9CQ7yvD W5DWhVNE3P9yjgbpOqIOdYE/32AdUJwtmeg7hytzI8zcbR5072+iChNmRw7T7X/y2TZg 7w7utabwf/kyc5D1l+YM4AKnBbyPxdwVhO6/3a30OLkAj+N/Px6TNef75HO0HsnlpryS yDTAS/IPHnuq9R2WdFH7oXRtjp+12fIS1LgM+yBljQ2H0n+rBSOUwkaL9sBGEfrZ/n8w 30CDIZfOD7hDZzMmZnuOelj/hxe+1XBGYnOE4c0rfOd5nnTZBaLRksUGMVHRNtpKM264 Dw3A==
X-Gm-Message-State: AC+VfDx+gLYJo/8Crm2GwlywM0NYYJtWD2kAJ8M5VfeVZ5dU7fL5w6DJ wiayAbXGi+BJoqpVBTB/etK6BOjK6xahOnY1bmZQ2A==
X-Google-Smtp-Source: ACHHUZ6kybINbScU5VlOcze58y90FPYWUusQCAz33N6oFa0ReWQ3PfjTzCO+AE77RFYI6q+7SCBr9oLBjdBR8IdKbP0=
X-Received: by 2002:a17:902:d2d0:b0:1ae:8fa:cd4c with SMTP id n16-20020a170902d2d000b001ae08facd4cmr3958065plc.7.1685225122027; Sat, 27 May 2023 15:05:22 -0700 (PDT)
MIME-Version: 1.0
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CWXP265MB5153E4687BE45480DBC5A531C2439@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <27d28224-0cb0-eec2-8d54-f0d175596c85@gmail.com> <f5758380-9967-b67b-744d-dc36b7b599ab@si6networks.com> <4FCF75B585A1D068+7D9B99BB-B24B-4FE8-A3FD-54877C7C1131@cfiec.net> <375ea678-b05f-7bb6-5ae2-43c54cd271f4@si6networks.com> <CALx6S34u5=2UxEz3zeApv+_-W=PTj0PzMRHS1UC=zRchqVCDyQ@mail.gmail.com> <882610dc-cf8f-e08d-8d9e-0e786097f520@si6networks.com> <CALx6S34AnMaVyEVQxaO0b1JGbQetQvDC+xDHk6aH5vbXM-KT7A@mail.gmail.com> <2a02905427604fa6a4c95e2eaa1dd165@boeing.com> <CALx6S36pmsZighJVBLEZWvYqTh1tJtU4SH2Ym0V7oS87dPWAHQ@mail.gmail.com> <6b3a40ef922c47a483860468aac73502@boeing.com>
In-Reply-To: <6b3a40ef922c47a483860468aac73502@boeing.com>
From: Tom Herbert <tom@herbertland.com>
Date: Sat, 27 May 2023 15:05:08 -0700
Message-ID: <CALx6S36Vv57AZFr=2adfEMYnVSOECsowXw1c7pTo_E-FWokB6Q@mail.gmail.com>
To: "Manfredi (US), Albert E" <albert.e.manfredi@boeing.com>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/k4l46k_ykgj1C1_zmerJ7S9iE38>
Subject: Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why folks are blocking IPv 6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 May 2023 22:05:27 -0000

On Sat, May 27, 2023 at 2:16 PM Manfredi (US), Albert E
<albert.e.manfredi@boeing.com> wrote:
>
> -----Original Message-----
> From: Tom Herbert <tom@herbertland.com>
>
> > Correct, that's the fundamental problem. When public network providers apply ad hoc protocol filtering, that limits the capabilities and opportunities to provide value to the users. For instance, if someone came up with a new transport protocol that improves user security by 10x, we couldn't deploy it because some network providers would block it. So the very security policies that are ostensibly in place to protect the users can actually harm them.
>
> Potentially, I agree. Problem is, each of the players has to determine what is an acceptable risk. If an ISP wants to keep his infrastructure secure, he's got the responsibility to make it so, as best he can. He can’t trust mechanisms that either don’t exist yet or that might introduce their own new vulnerabilities. Someone says, trust me, these extensions will be for your own good, and yet he is fully cognizant that those extensions could also be used in ddos attacks, he'll say thanks but no thanks. Maybe I'll let those through after we're satisfied with testing and experience.
>

Albert,

Application developers and stack developers are also players in this
game. And while each network provider might have the luxury of only
focusing on their customer set, developers have to potentially address
the needs of all users across the Internet. This is why network
providers' attempts to protect the user are irrelevant to application
developers-- without consistency across the Internet this level of
security may as well not exist from their perspective. Obviously this
situation didn't materialize overnight and it shouldn't be surprising
that we've had to implement work-arounds to this problem. For
instance, encryption goes a long way in limiting the network's
visibility in the packet, but that does have its limits.

> > As for what constitutes the "the greater good", like pretty much everything else in IETF shouldn't that be something determined by "rough consensus"?
>
> Yes, but unfortunately, that does not absolve the players of their own responsibilities. In matters of security, no one will blindly follow "rough consensus." We are 180 degrees from the Postel principle:

No, but it seems like providing reasonable guidance falls under the
auspices of IETF.

>
> "Be conservative in what you do, be liberal in what you accept from others," is turned on its head, as we know. For system security, you cannot be liberal in what you accept from others.
>
> > Even if the consensus were that extension headers need to be deprecated, to me that would be better than the current situation where we, specifically application and host developers, need to deal with a patchwork of anonymous and seemingly arbitrary network provider policies that degenerate the end to end services we can provide to users to rely only on least common denominator of protocols which we can only deduce by guess work.
>
> I get your point completely. We don’t have an IETF dictatorship though, so what happens is that over time, smart people have to decide how best to do their jobs, given the realities of today. There is a lot of infrastructure flexibility, and apps, thought really cool when they were developed, that go unused for just this reason. Such as, you might be better off, in your network, to use proxy-MLD and to block PIM-SM. Same goes for some or even much of ICMP. It's the tussle Brian C talks about.

It's a proverbial "chicken and the egg" problem. Some network
providers will only allow them once there's deployment, but we can't
deploy them if they're not allowed through the network. The good news
is, we are starting to see deployment at least in limited domains. As
experience with them grows and issues are addressed, hopefully the
barriers will fall and the vision of an extensible Internet protocol
will be realized in time.

Tom

>
> Bert
>

v2.23.0 | Report a Bug | By Email