Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices Wed, 17 June 2015 20:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5DAA81A0092 for <>; Wed, 17 Jun 2015 13:26:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id A4uJSgRU1csb for <>; Wed, 17 Jun 2015 13:26:05 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id BE4C71A007E for <>; Wed, 17 Jun 2015 13:26:04 -0700 (PDT)
Received: (qmail 52782 invoked from network); 17 Jun 2015 20:26:02 -0000
Received: from (HELO localhost) ( by with SMTP; 17 Jun 2015 20:26:02 -0000
Date: Wed, 17 Jun 2015 22:26:02 +0200 (CEST)
Message-Id: <>
In-Reply-To: <>
References: <> <> <>
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 17 Jun 2015 20:26:07 -0000

> > Taking into account that stateless ACLs of all router vendors we
> > tested (results tb published soon) can be avoided/evaded by adding ~5
> > extension headers to datagrams I fully understand any operator who
> > does not want SSH on its devices to be reachable from the Internet
> > (over v6 with extension headers) and hence acts in a way similar to
> > the one Steinar described.
> There is a big difference between an operator dropping all packets with
> EHs that are destined for *his own devices/routers* (I have no problem
> with that - your devices, your rules), and an operator that drops
> *transit* traffic destined for his customers because his routers cannot
> understand/parse/filter its L4/EH payload.

I certainly appreciate this distinction. However, problems arise in
practice when customers *ask* for various types of protection - which
are most sensibly implemented on border routers.

Just to be clear - we don't drop IPsec traffic today (neither IPv6
nor IPv4). 

> In my opinion, an ISP/IP transit network shouldn't even attempt to
> parse the L4/EH payload in customer traffic (except if the customer
> asks for it of course), it should just deliver the packets.

The problem is - the customer *does* ask for it, in many cases.

> > I doubt Steinar loses many customers (due to "application breakage")
> > by taking that path. In contrary I expect many of his customers
> > valueing the increased level of device & network availability gained
> > by eliminating an entire class of attacks.
> The first operator I mentioned above won't lose any customers because
> his filtering activities doesn't impact customer traffic. The second
> operator would lose my business, at least. And probably others' too, as
> business customers might want their site2site IPSEC tunnels to work,
> residental customers might want their Xbox One online gaming to work,
> and so on.

I agree - IPSEC tunnels and Xbox One online gaming need to work. That
doesn't mean *all* extension header combinations should be expected
to work - and it appears that they often don't.

I expect we'll see much more of these discussions in the coming years,
as IPv6 traffic grows. And I certainly also expect significant size
IPv6 DDoS attacks - at least some of which will probably be based on
extension header manipulation.

Steinar Haug, AS 2116