IETF Logo Mail Archive

Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 22 May 2023 23:24 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCF5EC14CEFE; Mon, 22 May 2023 16:24:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRo4-EQMW_pd; Mon, 22 May 2023 16:24:09 -0700 (PDT)
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11D23C14CEFC; Mon, 22 May 2023 16:24:09 -0700 (PDT)
Received: by mail-pj1-x102e.google.com with SMTP id 98e67ed59e1d1-2533ed4f1dcso4549775a91.1; Mon, 22 May 2023 16:24:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684797848; x=1687389848; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=5BEj6c32paxDJxj/SiOm5ofZ69foHh0Ug7P+H+3T+tI=; b=mgRbngaHhDOPC4TJ9fQ1kF77LRGiBuDtsQ1B8k2m66fWvFQs5uXzvcbyQrpgCg4oQd e7oJPB9EkKVW8vxN8n1z9TVhDG3ebqCfsnirJtVefleJqrGr12kQ1ykw6HCLjmr5+uqt VrVg4x5gu/rUvq5Npip7Xn7iwOKP8kEhmxJes1fLcbZvAZ0UpjxpDW3gRUl8rIel815v s9OZeVF0n3PjvVYJTcF4U7cFIYO2raOMSPE6/fFjvLZbEDpYWkP/+QXb0Bb0/3umJjEa rR9LiX3tCnUipvfLaFBZnqys5PGkfTuIktklAg0cqz0dPQuhNIZ3jrIYuOjzdcT+BBSU tynQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684797848; x=1687389848; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=5BEj6c32paxDJxj/SiOm5ofZ69foHh0Ug7P+H+3T+tI=; b=Gb3Y8c7c+kTcpRI6vmS6+DsHfnYE2A1DAbWcK5y5kTav5nqaEwfZYI2a5avM9KXwgp jPeV+nB5PDqEazSpQafHIoAXwagYRnLqgop9z2owwHAB5GHVntc3N7c6Zq6DzI2gpq/X GoEzIXlPxBfvDqdNZQXhhTI+6d6zXIH2dYv8QJSBPBrisSykXB1u9vwq3arXnjj8ixmu /8nG+5R1mcCprKJ3LmgL3Rg2UIIqaPSR+T/j9HqAqJY/335fWwlFilOtGQwOMSgrF6w2 1d+m8P6SUiLgSfmBlEnEbv/nlzc1fRVf4ln13ovcOEh5WvTJuCrXsmlDbJ5ZjSln+NWB i+Hw==
X-Gm-Message-State: AC+VfDwuTZO9kyJwZw2ZS6Wb0quNfKcCGgm8jujpcDaUEgdWXbqofEYP EHmudWKEX/zuKXQ4VQg6c8U=
X-Google-Smtp-Source: ACHHUZ4R5JhZgiDByRBvWb8MUaZP4uFPa6VuOVcnIahZ9I6KQ7s43VzBpQja6q/xgjVjeU2dNMGwuQ==
X-Received: by 2002:a17:90a:ead8:b0:252:ad83:5907 with SMTP id ev24-20020a17090aead800b00252ad835907mr11909543pjb.16.1684797848067; Mon, 22 May 2023 16:24:08 -0700 (PDT)
Received: from ?IPV6:2406:e003:1184:f001:abb6:ea4f:cf8e:1d0d? ([2406:e003:1184:f001:abb6:ea4f:cf8e:1d0d]) by smtp.gmail.com with ESMTPSA id t7-20020a17090a3b4700b0025374fedab4sm6915037pjf.22.2023.05.22.16.24.04 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 22 May 2023 16:24:07 -0700 (PDT)
Message-ID: <a09db86b-6b92-4f54-9547-930d6c873feb@gmail.com>
Date: Tue, 23 May 2023 11:24:01 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Ole Troan <otroan@employees.org>
Cc: Fernando Gont <fernando@gont.com.ar>, IPv6 Operations <v6ops@ietf.org>, 6man WG <ipv6@ietf.org>, opsec@ietf.org
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <F9838657-B1C0-480B-8F78-28A4027ADEF3@employees.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <F9838657-B1C0-480B-8F78-28A4027ADEF3@employees.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vDSWX7JDcn2wkJj3SDtyxfAthNE>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 23:24:10 -0000

On 22-May-23 22:03, Ole Troan wrote:
> It depends on your position in the network.
> 
> A) Transit AS:
> Should transparently pass all traffic and not look beyond the 40-byte IPv6 header.
> 
> With the exception of NH=0.
> Let’s have that discussion if there ever is a HBH option with “transit AS applicability”.
> 
> B) Limited Domain
> 
> C) Modern application
> With modern applications, it has become blurry where the application ends and the network starts.
> Where the “application” is disaggregated, embeds a custom network stack for it’s purpose.
> Has a set of IP addresses representing the “service”, but those addresses does in no way represent an interface on a host.
> That “cluster” of services is only going to support the functions that the application needs.
> An EH would essentially be a side channel here.
> 
> D) Enterprises
> What Fernando says.
> 
> It’s somewhat ironic that 25 years in, this debate is still hypothetical.
> “What if we ever got an EH that has Internet wide applicability”

Actually, we do: SHIM6. It failed to deploy for two main reasons:

1. Folks are blocking IPv6 extension headers. (For world-wide testing of SHIM6, we had to bypass firewalls at both sites involved.)

2. Some operators disliked SHIM6 precisely because it gave end-hosts control over path selection, thereby potentially bypassing traffic engineering. (For world-wide testing of SHIM6, we had to persuade ops people to install source routes.)

    Brian

> (and for the sake of argument I’ve rebranded ESP to a tunnel encap).
> 
> O.
> 
>> On 21 May 2023, at 23:28, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>>
>> On 21-May-23 21:33, Fernando Gont wrote:
>>> Hi, Tom,
>>> On 18/5/23 15:27, Tom Herbert wrote:
>>> [....]
>>>>>>
>>>>>> So, I’m not really happy with the all or nothing approach the two of you
>>>>>> seem to be offering for IPv6 extension headers, is there something in
>>>>>> between? If not, then maybe that is what we need to be working towards.
>>>>>
>>>>> FWIW, I[m not arguing for a blank "block all", but rather "just allow
>>>>> the ones you really need" -- which is a no brainer.
>>>>
>>>> Fernando,
>>>>
>>>> I'm not sure how that's a no brainer, who decides "the ones you really
>>>> need"?
>>> Typically. whoever runs the destination AS or network. Or the transit
>>> AS, if the packets will affect the transit AS.
>>
>> And there's the problem. The operator of a large network cannot possibly
>> know which extension headers every host on the network needs. It's
>> called permissionless innovation, and is supposed to be one of the main
>> success factors for the Internet.
>>
>>>> If everyone independently makes that decision then we wind up
>>>> with an Internet that can't evolve and is perpetually stuck in the
>>>> status quo.
>>> Well, yes, there's no big brother making decisions about mine or your
>>> networks' policies.... hence everyone makes decisions independently.
>>
>>  From the point of view of hosts, there is an anonymous Big Brother, the
>> moment that any upstream operator blocks a wanted extension header.
>>
>>> (IN a way that's why QUIC runs on top of UDP ... although in the case of
>>> QUIC, I bet it has more to do with NATs thatn with explicit firewalling)
>>
>> It's to do with *any* barrier to IP layer transparency. This is a very
>> basic tussle in the architecture.
>>
>>    Brian
>>
>>>>> The list you need
>>>>> is, maybe Frag and, say, IPsec at the global level? (from the pov of
>>>>> most orgs).
>>>>>
>>>>> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD).
>>>>>
>>>> It might be productive if you suggested a more concrete direction
>>>> here. Maybe a proposed BCP suggesting the EHs that you believe should
>>>> be universally blocked and the rationalization for that and why the
>>>> problems with them can't be fixed.
>>> Are your referring to the "transit AS" case, the "dest AS/network" case,
>>> or both?
>>> In any case, my comment was simply a two-liner email comment, as opposed
>>> to full-fledged advice.
>>> Thanks!
>>> Regards,
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
> 
> 
>

v2.23.0 | Report a Bug | By Email