Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

"Ackermann, Michael" <MAckermann@bcbsm.com> Thu, 18 May 2023 19:14 UTC

From: "Ackermann, Michael" <MAckermann@bcbsm.com>
To: Xipengxiao <xipengxiao@huawei.com>, "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Nick Buraglio <buraglio@forwardingplane.net>
CC: Andrew Campling <andrew.campling@419.consulting>, Fernando Gont <fgont@si6networks.com>, V6 Ops List <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>, opsec WG <opsec@ietf.org>
Date: Thu, 18 May 2023 18:56:46 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/pvEAaiqqIwuXhO4XprLnZDG24ms>

XiPeng
Great suggestions & info on all counts.
This is why you are in charge!  😊

Regarding the default policy(ies) for EHs: if we adopt the policy “Only allow the ones you really need”, I am concerned that most of us at Enterprises don’t understand EHs enough to make that determination. So we may be better served to understand the ones we DON’T need or that could have negative impact. I am hopeful that an effective BCP could perhaps accomplish both. That way, if an organization prefers implicit deny vs implicit allow, both could be accomplished.

And good question about creating a new use case document or updating older ones. In general, I would prefer to have as few separate docs as possible, but it depends on what the gaps are. I would like to hear from Nalini and others on this.

Like Nick,  I think Brian’s book is great and am already suggesting it to anyone that will listen.

And finally, the Worldwide IPv6 portal sounds good, if done and promoted properly. It would be very helpful to have one entry point for those who do not know where or how to start. Is ISOC responsible for its structure and content?

Once again, great thoughts.

Thanks!

Mike

From: Xipengxiao <xipengxiao@huawei.com>
Sent: Thursday, May 18, 2023 1:03 PM
To: Ackermann, Michael <MAckermann@bcbsm.com>; nalini.elkins@insidethestack.com; Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>; Nick Buraglio <buraglio@forwardingplane.net>
Cc: Andrew Campling <andrew.campling@419.consulting>; Fernando Gont <fgont@si6networks.com>; V6 Ops List <v6ops@ietf.org>; 6man@ietf.org; opsec WG <opsec@ietf.org>
Subject: RE: [IPv6] [v6ops] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Hi Mike,

Yes, we have been trying to work towards an IPv6 BCP, via “side meeting” discussions, “operational presentation” case sharing, etc.  The EH recommendation can be part of it.  But I suspect that this will boil down to what Fernando already said: "just allow the ones you really need".

Another 2 things are discussed/requested in this thread:

  *   From Nalini: a “use case” document for EH: should we create a new document, or just add use cases to 6man-eh-limits (or other existing documents)?
  *   From Nick: an IPv6 portal, "where is a place I can learn more about X (in IPv6)"

     *   Nick recommended Brian’s book https://github.com/becarpenter/book6/blob/main/Contents.md.  I think it’s possible.  But putting too much content into Brian’s book will delay its publication, and possibly make it too big to read.
     *   An alternative is the ISOC IPv6 portal: https://www.internetsociety.org/deploy360/ipv6/.  This portal already links to useful documents in RIPE, APNIC, etc.  It can link to Brian’s book and other useful documents too. The documents there are dated in 2012-2015.  ISOC has agreed to work with us to update it.  I think we can work together with ISOC to make this the worldwide entry point for IPv6.  What do you folks think?

Regards,

XiPeng

From: Ackermann, Michael <MAckermann@bcbsm.com>
Sent: Thursday, May 18, 2023 5:23 PM
To: nalini.elkins@insidethestack.com; Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>; Nick Buraglio <buraglio@forwardingplane.net>; Xipengxiao <xipengxiao@huawei.com>
Cc: Andrew Campling <andrew.campling@419.consulting>; Fernando Gont <fgont@si6networks.com>; V6 Ops List <v6ops@ietf.org>; 6man@ietf.org; opsec WG <opsec@ietf.org>
Subject: RE: [IPv6] [v6ops] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)


+1
This would be very helpful for enterprises!

And for Xipeng,
Would not such a BCP be VERY consistent with the “Side Meeting” efforts of V6OPS?

Thanks all

Mike

From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of nalini.elkins@insidethestack.com
Sent: Thursday, May 18, 2023 10:53 AM
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>; Nick Buraglio <buraglio@forwardingplane.net>
Cc: Andrew Campling <andrew.campling@419.consulting>; Fernando Gont <fgont@si6networks.com>; V6 Ops List <v6ops@ietf.org>; 6man@ietf.org; opsec WG <opsec@ietf.org>
Subject: Re: [IPv6] [v6ops] [OPSEC] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Nick,

> neither really have use cases

I think a use cases document is a great idea!  Although, IMHO one of the points of extension headers is that they can be used to extend the protocol for purposes which we cannot think of today!

Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360


On Thursday, May 18, 2023 at 07:49:50 AM PDT, Nick Buraglio <buraglio@forwardingplane.net> wrote:


Is there any document that details the current operational best practices or explains the EH options and use cases in a succinct document? I didn't find one (although I did not look terribly hard). If not, that sounds like an opportunity to work through them and create one, perhaps?
Nalini has a deep dive study here https://www.ietf.org/archive/id/draft-elkins-v6ops-eh-deepdive-fw-01.html and https://datatracker.ietf.org/doc/draft-elkins-v6ops-eh-deepdive-cdn/ but I wasn't able to find a list with some use cases akin to the ND considerations draft here https://datatracker.ietf.org/doc/draft-ietf-v6ops-nd-considerations/
RFC7045 has a decent, and RFC2460 explains what they are but neither really have use cases.

nb

On Thu, May 18, 2023 at 9:33 AM Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
On Thu, May 18, 2023 at 7:24 AM Andrew Campling
<andrew.campling@419.consulting> wrote:
>
> I wonder if part of the issue here is that insufficient attention is being given to operational security matters and too much weight is given to privacy in protocol development, irrespective of the security implications (which is of course ultimately detrimental to security anyway)?

Andrew,

There is work being done to address the protocol "bugs" of extension
headers. See 6man-hbh-processing and 6man-eh-limits for instance.

Tom

>
> Andrew
>
>
> From: OPSEC <opsec-bounces@ietf.org> on behalf of Fernando Gont <fgont@si6networks.com>
> Sent: Thursday, May 18, 2023 2:19 pm
> To: David Farmer <farmer@umn.edu>; Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
> Cc: 6man@ietf.org <6man@ietf.org>; V6 Ops List <v6ops@ietf.org>; opsec WG <opsec@ietf.org>
> Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
>
> Hi, David,
>
> On 18/5/23 02:14, David Farmer wrote:
> >
> >
> > On Wed, May 17, 2023 at 13:57 Tom Herbert
> > <tom=40herbertland.com@dmarc.ietf.org> wrote:
> [...]
> >
> > Maximum security is rarely the objective, I by no means have maximum
> > security at my home. However, I don’t live in the country where some
> > people still don’t even lock their doors. I live in a city, I have
> > decent deadbolt locks and I use them.
> >
> [....]
> >
> > So, I’m not really happy with the all or nothing approach the two of you
> > seem to be offering for IPv6 extension headers, is there something in
> > between? If not, then maybe that is what we need to be working towards.
>
> FWIW, I'm not arguing for a blank "block all", but rather "just allow
> the ones you really need" -- which is a no brainer. The list you need
> is, maybe Frag and, say, IPsec at the global level? (from the pov of
> most orgs).
>
> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).)
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
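The thread converges on "just allow the ones you really need": Fragment and IPsec globally, Hop-by-Hop only on the local link where MLD needs it, and an implicit-deny stance for everything else. The following is an added example, not code from the thread, from any of its participants, or from any IETF document it cites. It walks the IPv6 extension-header chain of a packet and applies exactly that allow-list; the policy tables (`GLOBAL_ALLOW`, `LINK_LOCAL_ALLOW`), the "on-link" test (link-local unicast or ff02::/16 multicast destination) and all packet bytes are assumptions constructed for the demonstration. A packet whose chain cannot be parsed to the end (truncated header) is dropped rather than passed, which is the defensive default the discussion argues for.

```python
"""Added example (not code from the thread or any project it cites).

Minimal IPv6 extension-header (EH) chain walker plus an allow-list policy:
globally accept only Fragment and IPsec (AH/ESP); on the local link
(link-local or ff02::/16 destinations) also accept Hop-by-Hop, which MLD
needs. Anything else, and any packet whose chain cannot be parsed, is dropped.
All packets below are constructed by hand for the demo.
"""
import ipaddress
import struct

# IANA protocol numbers for the headers the thread discusses
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY}

# Policy tables (assumed for this example, following "allow what you need")
GLOBAL_ALLOW = {FRAGMENT, ESP, AH}
LINK_LOCAL_ALLOW = GLOBAL_ALLOW | {HOPOPT}


def walk_ext_headers(pkt: bytes):
    """Return (EH protocol numbers in order, upper-layer protocol number).

    Raises ValueError if the packet is not IPv6 or an EH runs past the end.
    ESP payloads are opaque, so the walk stops when ESP is reached.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        chain.append(nh)
        if nh == ESP:
            return chain, ESP
        if len(pkt) < off + 2:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hlen = 8                         # fixed size (RFC 8200, section 4.5)
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4    # AH length field: 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8    # other EHs: 64-bit words minus 1
        if len(pkt) < off + hlen:
            raise ValueError("truncated extension header")
        nh, off = pkt[off], off + hlen       # Next Header is the first byte of each EH
    return chain, nh


def evaluate(pkt: bytes):
    """Apply the allow-list. Returns (accept: bool, reason: str)."""
    try:
        chain, _ = walk_ext_headers(pkt)
    except ValueError as err:
        return False, f"malformed: {err}"
    dst = ipaddress.IPv6Address(pkt[24:40])
    # "on-link": fe80::/10 unicast, or multicast with link-local scope (ff02::/16)
    on_link = dst.is_link_local or (dst.is_multicast and (pkt[25] & 0x0F) == 2)
    allowed = LINK_LOCAL_ALLOW if on_link else GLOBAL_ALLOW
    offending = [h for h in chain if h not in allowed]
    if offending:
        return False, "unneeded EH(s): " + ",".join(map(str, offending))
    return True, "allowed chain: " + ",".join(map(str, chain))


def build_packet(dst: str, headers, upper=UDP) -> bytes:
    """Construct a demo packet carrying the given EH chain (zero-filled bodies)."""
    chain = list(headers) + [upper]
    body = b""
    for i, h in enumerate(headers):
        nxt = chain[i + 1]
        if h == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0x1234)      # next, rsvd, offset|M, id
        elif h == AH:
            body += struct.pack("!BBHII", nxt, 1, 0, 0x100, 1)   # len=1 -> 12 bytes total
        elif h == ESP:
            body += struct.pack("!II", 0x200, 1)                 # SPI, seq; rest is opaque
        else:
            body += bytes([nxt, 0]) + b"\x00" * 6                # 8-byte EH, Pad1 options
    payload = body + b"\x00" * 8                                 # stand-in upper-layer bytes
    src = ipaddress.IPv6Address("2001:db8::1").packed             # documentation prefix
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), chain[0],
                      64, src, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


# Constructed samples covering the cases discussed in the thread
PKT_FRAG  = build_packet("2001:db8::2", [FRAGMENT], TCP)           # accept: Frag globally
PKT_ESP   = build_packet("2001:db8::2", [ESP])                     # accept: IPsec globally
PKT_MLD   = build_packet("ff02::16", [HOPOPT], ICMPV6)             # accept: HbH on-link (MLD)
PKT_HBH   = build_packet("2001:db8::2", [HOPOPT], UDP)             # drop: HbH off-link
PKT_RH    = build_packet("2001:db8::2", [ROUTING, FRAGMENT], UDP)  # drop: Routing header
PKT_TRUNC = PKT_FRAG[:44]                                          # drop: chain unparsable

if __name__ == "__main__":
    for name, p in [("frag", PKT_FRAG), ("esp", PKT_ESP), ("mld", PKT_MLD),
                    ("hbh-global", PKT_HBH), ("routing", PKT_RH), ("trunc", PKT_TRUNC)]:
        print(f"{name:10s} -> {evaluate(p)}")
```

The walker is the part worth keeping in mind when writing real filter rules: an allow-list only holds if the device actually reaches the end of the chain, so a device that gives up after N headers or on a truncated header must fail closed, as `evaluate` does here.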


The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies.

Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association.

