IETF Logo Mail Archive

Re: [v6ops] [EXT] Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Bob Natale <RNATALE@mitre.org> Mon, 22 May 2023 15:17 UTC

Return-Path: <RNATALE@mitre.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7817AC15107F; Mon, 22 May 2023 08:17:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oWB7ywkVNsww; Mon, 22 May 2023 08:17:07 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 081F2C151095; Mon, 22 May 2023 08:17:06 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 8C5561720011; Mon, 22 May 2023 11:17:05 -0400 (EDT)
Received: from smtpxrhmv1.mitre.org (unknown [192.52.194.155]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtpvmsrv1.mitre.org (Postfix) with ESMTPS id BCA61172001D; Mon, 22 May 2023 11:17:04 -0400 (EDT)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02lp2108.outbound.protection.outlook.com [104.47.64.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpxrhmv1.mitre.org (Postfix) with ESMTPS id 94840413DC9; Mon, 22 May 2023 11:17:04 -0400 (EDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=je8l1XTJrthXQ2Uay1gf4jTQYEE9h8oZIy68HDTOYMiJa9XF8CVoalaX+ovM7KTqW9oUc0+OjjtNqaSkPNW8Jqd7kznyuGUpKOcxA2TrqTXYR8PujZQoRrUWMfYlfgV3kZ0RtD7i/eeCMI3nisUFMJgCpJeuNqI8yFnL2ZV8QRGTjMkskt5JMT6sF9/taGz8q5Qv30eIqw18cRGorzSQ7BzT1I+JTGYQUKaGxUL/9RzfUEc0qWXcmSJXzgYYD74Wfnz3vSgGOVS0Yk74iNK3fiRBNrmZ/V6ixPYI0EL7zehFoColrSGT2eAyrFrXiBvtpYQl5vLS1cLzfoIvmizVqw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wOsGUnIDWr+BgEM6/eEjAdqpTUxaV5kr3GZbQXZ4LPk=; b=W5a1nKXqAmrXDfWhgTPZ8E87HmRLJa2PsN/s57BVpY9FpLbxKQblYNVA3B3KrtgROeq53QFJ4QK3Ppv+AQ477qDOxXfXqxHVUstg6AJGR6ZbU++E8uFOGA+bhFyy7DafwZFn1AEZIMKldxsj4J8sKZRMpYajYK2MrR8pRfqWdPHKTjqLjXi8M+Mxr4E0TiAsRRbTy4ucoB7b5EqhOMyY13ZqHHNAzx/UBvU6oBeAvynxhJn6tW4ny3BPZRhwGoYiVpi7CDCL/f8QH4lqkkQxPu73fNkPVXNtCMIUQ1UCZr9/MXeAv9G9DnXsw8Bih9OnCW2OI986hSKG2mTY5cJZQw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mitre.org; dmarc=pass action=none header.from=mitre.org; dkim=pass header.d=mitre.org; arc=none
Received: from MN2PR09MB4716.namprd09.prod.outlook.com (2603:10b6:208:216::19) by PH8PR09MB9389.namprd09.prod.outlook.com (2603:10b6:510:18b::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.28; Mon, 22 May 2023 15:17:01 +0000
Received: from MN2PR09MB4716.namprd09.prod.outlook.com ([fe80::303a:412d:814:e674]) by MN2PR09MB4716.namprd09.prod.outlook.com ([fe80::303a:412d:814:e674%5]) with mapi id 15.20.6411.028; Mon, 22 May 2023 15:17:01 +0000
From: Bob Natale <RNATALE@mitre.org>
To: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Nick Buraglio <buraglio@forwardingplane.net>
CC: Fernando Gont <fgont@si6networks.com>, "6man@ietf.org" <6man@ietf.org>, V6 Ops List <v6ops@ietf.org>, opsec WG <opsec@ietf.org>
Thread-Topic: [EXT] Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Thread-Index: AQHZjLgs3ZX834DZ3kWcw64uleu9B69mXLOAgAAKH+A=
Date: Mon, 22 May 2023 15:17:01 +0000
Message-ID: <MN2PR09MB471680B16CD3A2DD9D895D59A8439@MN2PR09MB4716.namprd09.prod.outlook.com>
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CWXP265MB515321A0E0A91CD66260C26CC27F9@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CALx6S35py1b6EyS3UeT8JvgwN-w8wBtprCn9OJSCS-nvfQ_L-A@mail.gmail.com> <CAGB08_djDtrFRY37ZTH_draGLTxM3vO7bMfT6YyyKFrTH_Tx5w@mail.gmail.com> <17955_1684421652_64663C14_17955_115_1_1200504588.3592661.1684421597958@mail.yahoo.com> <MN2PR09MB471666DBA6479BB3076B3E55A8439@MN2PR09MB4716.namprd09.prod.outlook.com> <6274_1684766311_646B7E66_6274_128_1_1029391748.856548.1684766307360@mail.yahoo.com>
In-Reply-To: <6274_1684766311_646B7E66_6274_128_1_1029391748.856548.1684766307360@mail.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mitre.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MN2PR09MB4716:EE_|PH8PR09MB9389:EE_
x-ms-office365-filtering-correlation-id: e624dba6-0762-424f-0287-08db5ad797af
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: z1r3HmjYc44Pn6pMWQjUZY0wMX3ljBbqndJ1eCnRGD1dqiMMiIuJ0zkRn7F2Wapc5py/Y37uJ3OSWs5DfLKp5XSxBEKrcWeIEEsJQopKxeOFDl9a7wze7FjyRzvcNZeuSPQJLNC9pL/LdGo64Fx1n7y3oRvMYATvxa6krLwytZYBfS7a3GY2tHyoB7RKpwrZRr0Df57wU9jJnztj5mMKtqys99L/KtbOTCxw06+WnfEUkay90HaC3cwC+WrAPCCQjhjZmX0lCGzPuqO2EAmmb7e5uhGo7r5TSLUdPblBD/Zk9oMYiKJcIqjIlkzyQ3R0IbHWw7ttF0gVFlpm9gG8PqueV62S39kmj4HT+n3HgHaTPUjPbVGkfZLSmM1vr0wQr3WajuU8//ukdDv+r5/p4qrwNTTpIhLhKMbOlT6cPb2+OVtz7r4FDm9ap5rH+pXUNmg/KjE4zjrGJ4VIM68UAuUaI52eVsLKZS4+5GBFIqiqad+9bwugMHGFr+hC74Zf5zBBf/gkhjiylbiOSSdVvYNQWtE7+s9invipms/FqjD5Cr7dex93b4h4exUqh0TpgDqDGQMFcnNOHtch19gRB8MxlbQ6gjR/RJeaZwY1aGCC2Y3YAR1tuw2W2S9x8XCO
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR09MB4716.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(366004)(451199021)(66574015)(83380400001)(186003)(2906002)(4326008)(66476007)(76116006)(66446008)(64756008)(66946007)(66556008)(7696005)(110136005)(54906003)(71200400001)(498600001)(53546011)(52536014)(21615005)(5660300002)(9686003)(26005)(6506007)(966005)(8676002)(8936002)(55016003)(166002)(38070700005)(38100700002)(122000001)(86362001)(33656002)(40140700001)(66899021)(221023011); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Mw6Srs4/lKfEtyTsinhDruMBL4FdA8FcnW169gTNOFW7aag+k9YweDS8irnYemFxcMkC/YLhx49JrfTgccAwR/o+yNAZmOdfUilMdtco+qwQXtpi0M/Hli174bDl/QxxxCFtFL/KgYlsGOVaOF867H4wtE8jwESxSe9s06siDeui0Y2keZpErBwE4RmH5AWFhUXKCPJstlaYhRuvb2ornNOj+EJl/v+3fahG72kMJbP3ISABakJrBNQuz7dQBIJp2W6YzkHYskp7Yz5AxY1jv+s4voq0oY/HdwvHkhoxMfLJIremLWa+t7V5W1FVjFIhNSBDRtUVDfff4/QABaqXlQTC5ZI1Tj/YqLESGvdoE8ceDPrG2swO7A5vfW7zQLD/aimaWAJWQux+yp9Q4JGFEYm+kICjishtCS3IrsK7fvIqt8aeSb4hJ5GkNXdxadnGapq1rQsp0EWwsgvqse1EqpOqco8cDVipNCQkmdpHI+zDTPqdQePCODG74zMV0vexOZhU7xk3lSgcOiVBcPwbDpyhR6pxvcn2OyZjXJOYH9Ijx1MvOfYoZQtujBFxTi0XmURb1ERcRCVGdKKR+upS6mdCxAiOkmruWEgO+XK+r0ZqlIcED6aK2C+Xkn1IwR4pIX6EUCGoFEEH1MI3l53eUyvMQQUl8KPY1nfHnEUkIdk7fJ8HDYN7yQ7l9GVRWrTjl/PbMPpWso62Mma/I2odS4AJ+wMvZQp6FYGN4UK7px4h2iRpjkKNoncsVvjfj2GVRRB4QqXecV0vCFw3A6OB+g0N1Ma9mC1P0NqkDwoyyFRs0WfxvKYtx9WyKnG9pmNkvwRhrzB3cpMs7ecP4urMDaAjAnBprVRhab26aTnUTBwhgfb3bj9VSpQjwVeWKt6/yTdxJilmqf+wmv4HXAFWqX5QtLtriYGcruU1ZOzTospsiksQWZqyO+Ihs7/IWUU+waizcpbfw/fII5jD01RUk9aoCJr/FLqY+g6pWWa1sec+wGm4sHLQe9PnuYXlnPHVbhi8ljW9Pj5+BiFMi6uj9Szgx3zYef8VbuCOPH+dX4RnBcMr+1mEx/AP/Xegg2txgR9mPmEhqcUJc2MgrhP+tAv2Lm1VEYEk/DsD9L9AgM7FXCutGx4ejguenIcUgr9o4I3pb+8fRfV+K/Vfj7rUdy+fi7+hvaugj+sVYq0we4/CKr1tfxagfsI/ltpQAPW8lbj9+VJr87a3LPGv3xKdA2zc4aXsJWyek9oyiRZGcN8cJg4VHwCSxmzvzyoN0HkbfGKXAEPyyXEwe4XHgxwoJ5fURO7xbbiInpjq548KLbPOIsZ1JDWADD6GvyrcbSuBWoWnARz5mMqpA3Sp5BEh9ucHcI0e6KusFLIhaFxoE0bouZRDVwfXQFSI1lzjiVQFNmWf57ZnT8eWg6YA1I18Wa0LSf4yCePeLzHUb5f7pGFdILbdIwWIbAg8ws4ADTvz6xfPmyp5aKd6nq7Ei3iEUIhs0fySdNpVN75OKuo6O8PRNYr3XQTiix4MluNaavpB9CDNLpWZB4pbXFD16/UJFcvWhRnhR3zaKdJJqXNKatg=
Content-Type: multipart/alternative; boundary="_000_MN2PR09MB471680B16CD3A2DD9D895D59A8439MN2PR09MB4716namp_"
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: IPi3mAnyBIknoli+oYBeqkBpuwWAKLExXAbzyVdRIOx2TPry9HJ5Ea46DYuBeGyvd3eD1DmV6gblYB0rMyEBS9Z6ecI5hh+5SLvfSIe9thH9Xdhn7baQdJjaAZ0OD4fNAtnp/n4jWk2+hrLXk4XDv3loZh3U9ZXmTvr5kxVUZjrSnj8Ptk6T0vl/Ij5mKpRgcwgInbPJX2YG7jmPp6cfoGpwAkeW5ZC5yjU+oeXxZBsSQUd59rQ86S7WikXyWN7EZTkOXDXZt9ISNtnsyhwkeIGdObB2zDnkH0gFRxlGu6AqBHRROMMQ1mdKUAFI9KBxC7NAt6R7xQhH6jiyigRhkoAioPtoX3gvpf4BV1+YgxEkojrD2+KKmtgpU5wiPKgFPcdcPyO+b94CR34PGkK7qHAz3cWwTnNVvs3PO/g8iOWuyWOxvCX0AkeXeA4TI4PZSR/i9ADbv3tUPn9QcXDnys0a9iseXvOoEO4OvxP5rpIkFmwvM+eh2QUyODYaU3MszlF5iShSAySXqBnmmKrAC7RyXNAcIV0BSxccRlvNifaKMliLdVtpGHM4VQAYGA5BNTt3K5Q7A3AFCzYT2jhRoBRelDFsb+f7ehRQzZ5fP1MUsQ4ItVlkGFkd/55m+x8ohPLzu+znY1zAB0nt3pKuYuGWsNa5gD9JIwufI+T3GrmjFi3N7g8QD5r1lKdCC2M3zxRx8YcOSQQKE1rh71v6xBjWa5Zd04lNPbBBf8BQcURdlsyOPrDnG681EuWEHTS/8wTQ5chnvi0RkEtQe7wJg8CJgH+Dlosh/HNi68X9N97jVAzCgpSEya3bGcvI4E+Ch3nciKtEHXGQoJWug0xYebvhC/j6c3ApC58Oh6NAbhNPxh7G23Rz6K2mc0ERYHFT2DgLllljq1f6JQr6yPow4ki9MenZG7gx9PAeiKWvTZzcfzPVaj3kLlwys08nvvUygHN1NMHq2l/7APWfvDqFMg==
X-OriginatorOrg: mitre.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR09MB4716.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e624dba6-0762-424f-0287-08db5ad797af
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 May 2023 15:17:01.2163 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR09MB9389
X-MITRE: 8GQsMWxq66rxk57w
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.org; h=from:to:cc:subject:date:message-id:references:in-reply-to:content-type:mime-version; s=mZkevYdL; bh=wOsGUnIDWr+BgEM6/eEjAdqpTUxaV5kr3GZbQXZ4LPk=; b=TyirfEOtAudveBC7fWQrY3bDxyC/ELhXpeFhgr3h7QegMVQXi8XAIRwMe9MmjmuaEDLm5tVH36TPYzxijuVzItHrwnfHc9QT2J5Of2Sivntnyldvpafa6rNK+Xjb8Mt8qMr5N5pYueT0GzTPfJdYSLtiq6K3KgFjMOOG4FhhJPQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ut6FJ5hJWhhWRU-KFEOyriw1Z0M>
Subject: Re: [v6ops] [EXT] Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 15:17:12 -0000

Thanks for the feedback, Nalini. I believe that Ole’s subsequent comment captured my concern and position in more precise technical terms:

Ole:
> Now for EHs in general. Their functionality of providing a separate signalling channel independent of the application… it might be time that we accept that this was a bad idea. Which deployment status has confirmed.

Learning,
BobN

From: nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com>
Sent: Monday, May 22, 2023 10:38 AM
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>; Nick Buraglio <buraglio@forwardingplane.net>; Bob Natale <RNATALE@mitre.org>
Cc: Fernando Gont <fgont@si6networks.com>; 6man@ietf.org; V6 Ops List <v6ops@ietf.org>; opsec WG <opsec@ietf.org>
Subject: [EXT] Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Bob,

I am not sure of what you are saying.

> New uses should require protocol updates via the standard process or new protocols

Of course, protocol updates will go through the IETF process.  All I am saying is that sitting here in 2023, we cannot tell what "new uses" will be found in 2033.   I would expect that someone who has a new option will submit it to the IETF as an internet draft, etc.

Hope that is more clear.

Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com<http://www.insidethestack.com>
(831) 659-8360


On Monday, May 22, 2023 at 07:17:49 AM PDT, Bob Natale <rnatale@mitre.org<mailto:rnatale@mitre.org>> wrote:



From way up in the nose-bleed section for lurkers:

> Although, IMHO one of the points of extension headers is that they can be used to extend the protocol for purposes which we cannot think of today!



Something tells me that’s a bad idea for Internet-grade (and similar) standard protocols … just sounds “looser” (i.e., congenitally riskier and ultimately “messier”) than defined options or profiles. New uses should require protocol updates via the standard process or new protocols. Is that an utterly naïve position and the Internet cannot live without protocols that do not include undefined “extensions” for purposes we cannot think of at the time the protocols are standardized?



Lurking with a bit of vertigo now 😊,

BobN



From: OPSEC <opsec-bounces@ietf.org<mailto:opsec-bounces@ietf.org>> On Behalf Of nalini.elkins@insidethestack.com<mailto:nalini.elkins@insidethestack.com>
Sent: Thursday, May 18, 2023 10:53 AM
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org<mailto:tom=40herbertland.com@dmarc.ietf.org>>; Nick Buraglio <buraglio@forwardingplane.net<mailto:buraglio@forwardingplane.net>>
Cc: Fernando Gont <fgont@si6networks.com<mailto:fgont@si6networks.com>>; 6man@ietf.org<mailto:6man@ietf.org>; V6 Ops List <v6ops@ietf.org<mailto:v6ops@ietf.org>>; opsec WG <opsec@ietf.org<mailto:opsec@ietf.org>>
Subject: [EXT] Re: [OPSEC] [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)



Nick,



> neither really have use cases



I think a use cases document is a great idea!  Although, IMHO one of the points of extension headers is that they can be used to extend the protocol for purposes which we cannot think of today!



Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com<http://www.insidethestack.com>
(831) 659-8360





On Thursday, May 18, 2023 at 07:49:50 AM PDT, Nick Buraglio <buraglio@forwardingplane.net<mailto:buraglio@forwardingplane.net>> wrote:





Is there any document that details the current operational best practices or explains the EH options and use cases in a succinct document? I didn't find one (although I did not look terribly hard). If not, that sounds like an opportunity to work through them and create one, perhaps?

Nalani has a deep dive study here https://www.ietf.org/archive/id/draft-elkins-v6ops-eh-deepdive-fw-01.html and https://datatracker.ietf.org/doc/draft-elkins-v6ops-eh-deepdive-cdn/ but I wasn't able to find a list with some use cases akin to the ND considerations draft here https://datatracker.ietf.org/doc/draft-ietf-v6ops-nd-considerations/

RFC7045 has a decent, and RFC2460 explains what they are but neither really have use cases.



nb



On Thu, May 18, 2023 at 9:33 AM Tom Herbert <tom=40herbertland.com@dmarc.ietf.org<mailto:40herbertland.com@dmarc.ietf.org>> wrote:

On Thu, May 18, 2023 at 7:24 AM Andrew Campling
<andrew.campling@419.consulting<mailto:andrew.campling@419.consulting>> wrote:
>
> I wonder if part of the issue here is that insufficient attention is being given to operational security matters and too much weight is given to privacy in protocol development, irrespective of the security implications (which is of course ultimately detrimental to security anyway)?

Andrew,

There is work being done to address the protocol "bugs" of extension
headers. See 6man-hbh-processing and 6man-eh-limits for instance.

Tom

>
> Andrew
>
>
> From: OPSEC <opsec-bounces@ietf.org<mailto:opsec-bounces@ietf.org>> on behalf of Fernando Gont <fgont@si6networks.com<mailto:fgont@si6networks.com>>
> Sent: Thursday, May 18, 2023 2:19 pm
> To: David Farmer <farmer@umn.edu<mailto:farmer@umn.edu>>; Tom Herbert <tom=40herbertland.com@dmarc.ietf.org<mailto:40herbertland.com@dmarc.ietf.org>>
> Cc: 6man@ietf.org<mailto:6man@ietf.org> <6man@ietf.org<mailto:6man@ietf.org>>; V6 Ops List <v6ops@ietf.org<mailto:v6ops@ietf.org>>; opsec WG <opsec@ietf.org<mailto:opsec@ietf.org>>
> Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
>
> Hi, David,
>
> On 18/5/23 02:14, David Farmer wrote:
> >
> >
> > On Wed, May 17, 2023 at 13:57 Tom Herbert
> > <tom=40herbertland.com@dmarc.ietf.org<mailto:40herbertland.com@dmarc.ietf.org>
> > <mailto:40herbertland.com@dmarc.ietf.org<mailto:40herbertland.com@dmarc.ietf.org>>> wrote:
> [...]
> >
> > Maximum security is rarely the objective, I by no means have maximum
> > security at my home. However, I don’t live in the country where some
> > people still don’t even lock there doors. I live in a a city, I have
> > decent deadbolt locks and I use them.
> >
> [....]
> >
> > So, I’m not really happy with the all or nothing approach the two of you
> > seem to be offering for IPv6 extension headers, is there something in
> > between? If not, then maybe that is what we need to be working towards.
>
> FWIW, I[m not arguing for a blank "block all", but rather "just allow
> the ones you really need" -- which is a no brainer. The list you need
> is, maybe Frag and, say, IPsec at the global level? (from the pov of
> most orgs).
>
> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com<mailto:fgont@si6networks.com>
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org<mailto:OPSEC@ietf.org>
> https://www.ietf.org/mailman/listinfo/opsec

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email