Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 22 May 2023 23:24 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCF5EC14CEFE; Mon, 22 May 2023 16:24:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRo4-EQMW_pd; Mon, 22 May 2023 16:24:09 -0700 (PDT)
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11D23C14CEFC; Mon, 22 May 2023 16:24:09 -0700 (PDT)
Received: by mail-pj1-x102e.google.com with SMTP id 98e67ed59e1d1-2533ed4f1dcso4549775a91.1; Mon, 22 May 2023 16:24:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684797848; x=1687389848; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=5BEj6c32paxDJxj/SiOm5ofZ69foHh0Ug7P+H+3T+tI=; b=mgRbngaHhDOPC4TJ9fQ1kF77LRGiBuDtsQ1B8k2m66fWvFQs5uXzvcbyQrpgCg4oQd e7oJPB9EkKVW8vxN8n1z9TVhDG3ebqCfsnirJtVefleJqrGr12kQ1ykw6HCLjmr5+uqt VrVg4x5gu/rUvq5Npip7Xn7iwOKP8kEhmxJes1fLcbZvAZ0UpjxpDW3gRUl8rIel815v s9OZeVF0n3PjvVYJTcF4U7cFIYO2raOMSPE6/fFjvLZbEDpYWkP/+QXb0Bb0/3umJjEa rR9LiX3tCnUipvfLaFBZnqys5PGkfTuIktklAg0cqz0dPQuhNIZ3jrIYuOjzdcT+BBSU tynQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684797848; x=1687389848; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=5BEj6c32paxDJxj/SiOm5ofZ69foHh0Ug7P+H+3T+tI=; b=Gb3Y8c7c+kTcpRI6vmS6+DsHfnYE2A1DAbWcK5y5kTav5nqaEwfZYI2a5avM9KXwgp jPeV+nB5PDqEazSpQafHIoAXwagYRnLqgop9z2owwHAB5GHVntc3N7c6Zq6DzI2gpq/X GoEzIXlPxBfvDqdNZQXhhTI+6d6zXIH2dYv8QJSBPBrisSykXB1u9vwq3arXnjj8ixmu /8nG+5R1mcCprKJ3LmgL3Rg2UIIqaPSR+T/j9HqAqJY/335fWwlFilOtGQwOMSgrF6w2 1d+m8P6SUiLgSfmBlEnEbv/nlzc1fRVf4ln13ovcOEh5WvTJuCrXsmlDbJ5ZjSln+NWB i+Hw==
X-Gm-Message-State: AC+VfDwuTZO9kyJwZw2ZS6Wb0quNfKcCGgm8jujpcDaUEgdWXbqofEYP EHmudWKEX/zuKXQ4VQg6c8U=
X-Google-Smtp-Source: ACHHUZ4R5JhZgiDByRBvWb8MUaZP4uFPa6VuOVcnIahZ9I6KQ7s43VzBpQja6q/xgjVjeU2dNMGwuQ==
X-Received: by 2002:a17:90a:ead8:b0:252:ad83:5907 with SMTP id ev24-20020a17090aead800b00252ad835907mr11909543pjb.16.1684797848067; Mon, 22 May 2023 16:24:08 -0700 (PDT)
Received: from ?IPV6:2406:e003:1184:f001:abb6:ea4f:cf8e:1d0d? ([2406:e003:1184:f001:abb6:ea4f:cf8e:1d0d]) by smtp.gmail.com with ESMTPSA id t7-20020a17090a3b4700b0025374fedab4sm6915037pjf.22.2023.05.22.16.24.04 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 22 May 2023 16:24:07 -0700 (PDT)
Message-ID: <a09db86b-6b92-4f54-9547-930d6c873feb@gmail.com>
Date: Tue, 23 May 2023 11:24:01 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Ole Troan <otroan@employees.org>
Cc: Fernando Gont <fernando@gont.com.ar>, IPv6 Operations <v6ops@ietf.org>, 6man WG <ipv6@ietf.org>, opsec@ietf.org
References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <F9838657-B1C0-480B-8F78-28A4027ADEF3@employees.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <F9838657-B1C0-480B-8F78-28A4027ADEF3@employees.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vDSWX7JDcn2wkJj3SDtyxfAthNE>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2023 23:24:10 -0000
On 22-May-23 22:03, Ole Troan wrote: > It depends on your position in the network. > > A) Transit AS: > Should transparently pass all traffic and not look beyond the 40-byte IPv6 header. > > With the exception of NH=0. > Let’s have that discussion if there ever is a HBH option with “transit AS applicability”. > > B) Limited Domain > > C) Modern application > With modern applications, it has become blurry where the application ends and the network starts. > Where the “application” is disaggregated, embeds a custom network stack for it’s purpose. > Has a set of IP addresses representing the “service”, but those addresses does in no way represent an interface on a host. > That “cluster” of services is only going to support the functions that the application needs. > An EH would essentially be a side channel here. > > D) Enterprises > What Fernando says. > > It’s somewhat ironic that 25 years in, this debate is still hypothetical. > “What if we ever got an EH that has Internet wide applicability” Actually, we do: SHIM6. It failed to deploy for two main reasons: 1. Folks are blocking IPv6 extension headers. (For world-wide testing of SHIM6, we had to bypass firewalls at both sites involved.) 2. Some operators disliked SHIM6 precisely because it gave end-hosts control over path selection, thereby potentially bypassing traffic engineering. (For world-wide testing of SHIM6, we had to persuade ops people to install source routes.) Brian > (and for the sake of argument I’ve rebranded ESP to a tunnel encap). > > O. > >> On 21 May 2023, at 23:28, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: >> >> On 21-May-23 21:33, Fernando Gont wrote: >>> Hi, Tom, >>> On 18/5/23 15:27, Tom Herbert wrote: >>> [....] >>>>>> >>>>>> So, I’m not really happy with the all or nothing approach the two of you >>>>>> seem to be offering for IPv6 extension headers, is there something in >>>>>> between? If not, then maybe that is what we need to be working towards. >>>>> >>>>> FWIW, I[m not arguing for a blank "block all", but rather "just allow >>>>> the ones you really need" -- which is a no brainer. >>>> >>>> Fernando, >>>> >>>> I'm not sure how that's a no brainer, who decides "the ones you really >>>> need"? >>> Typically. whoever runs the destination AS or network. Or the transit >>> AS, if the packets will affect the transit AS. >> >> And there's the problem. The operator of a large network cannot possibly >> know which extension headers every host on the network needs. It's >> called permissionless innovation, and is supposed to be one of the main >> success factors for the Internet. >> >>>> If everyone independently makes that decision then we wind up >>>> with an Internet that can't evolve and is perpetually stuck in the >>>> status quo. >>> Well, yes, there's no big brother making decisions about mine or your >>> networks' policies.... hence everyone makes decisions independently. >> >> From the point of view of hosts, there is an anonymous Big Brother, the >> moment that any upstream operator blocks a wanted extension header. >> >>> (IN a way that's why QUIC runs on top of UDP ... although in the case of >>> QUIC, I bet it has more to do with NATs thatn with explicit firewalling) >> >> It's to do with *any* barrier to IP layer transparency. This is a very >> basic tussle in the architecture. >> >> Brian >> >>>>> The list you need >>>>> is, maybe Frag and, say, IPsec at the global level? (from the pov of >>>>> most orgs). >>>>> >>>>> (yeah... HbH and the like are mostly fine for the local link (e.g. MLD). >>>>> >>>> It might be productive if you suggested a more concrete direction >>>> here. Maybe a proposed BCP suggesting the EHs that you believe should >>>> be universally blocked and the rationalization for that and why the >>>> problems with them can't be fixed. >>> Are your referring to the "transit AS" case, the "dest AS/network" case, >>> or both? >>> In any case, my comment was simply a two-liner email comment, as opposed >>> to full-fledged advice. >>> Thanks! >>> Regards, >> _______________________________________________ >> v6ops mailing list >> v6ops@ietf.org >> https://www.ietf.org/mailman/listinfo/v6ops > > >
- [v6ops] Why folks are blocking IPv6 extension hea… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Ted Lemon
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Jen Linkova
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Vasilenko Eduard
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Dale W. Carder
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Nick Buraglio
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Xipengxiao
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Michael McBride
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ackermann, Michael
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Ole Troan
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Haisheng Yu
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Andrew Campling
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Bob Natale
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXT] Re: [OPSEC] [IPv6] Why folks ar… Bob Natale
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Trøan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… David Farmer
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Ole Troan
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… nalini.elkins@insidethestack.com
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Fernando Gont
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Tom Herbert
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… Michael Richardson
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Brian E Carpenter
- Re: [v6ops] [IPv6] Why folks are blocking IPv6 ex… hsyu
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Vasilenko Eduard
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Vasilenko Eduard
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Arnaud Taddei
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… nalini.elkins@insidethestack.com
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Brian E Carpenter
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Bob Natale
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Haisheng Yu
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Warren Kumari
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Ole Troan
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Warren Kumari
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Fernando Gont
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Fernando Gont
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Clark Gaylord
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Tom Herbert
- Re: [v6ops] [IPv6] [OPSEC] Why folks are blocking… Fernando Gont
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Brian E Carpenter
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Brian E Carpenter
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Manfredi (US), Albert E
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Andrew Alston
- Re: [v6ops] [EXTERNAL] Re: [IPv6] [OPSEC] Why fol… Tom Herbert
- Re: [v6ops] [OPSEC] [EXTERNAL] Re: [IPv6] Why fol… Andrew Campling
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Tom Herbert
- Re: [v6ops] [IPv6] [EXTERNAL] Re: [OPSEC] Why fol… Mike Simpson
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Haisheng Yu
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Nick Hilliard
- Re: [v6ops] [IPv6] [OPSEC] [EXTERNAL] Re: Why fol… Fernando Gont
- Re: [v6ops] [OPSEC] [IPv6] [EXTERNAL] Re: Why fol… Bob Natale