Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Mon, 22 May 2023 23:04 UTC

References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CAN-Dau3MLvK2A_Rt_TnXqZY-zOR12NhF-16tKDv4E4s9qR1D_Q@mail.gmail.com> <2341.1684770818@localhost> <CAN-Dau04XOL0Afyrb-msE5OHX2c9KFuYt2N5san9mqq8k1BW3w@mail.gmail.com> <4d2abda3-19a1-4afb-85f6-95ddb9fc9043@gont.com.ar>
In-Reply-To: <4d2abda3-19a1-4afb-85f6-95ddb9fc9043@gont.com.ar>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 22 May 2023 16:03:45 -0700
Message-ID: <CALx6S34kizt4GrNsGHsObHdkJ9v4GOxP3FmVxKjVn=2fRYaO4g@mail.gmail.com>
To: Fernando Gont <fernando@gont.com.ar>
Cc: David Farmer <farmer=40umn.edu@dmarc.ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vwFEkPJ3Z0r82GINKvGPFwZOsyQ>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

On Mon, May 22, 2023 at 12:29 PM Fernando Gont <fernando@gont.com.ar> wrote:
>
> Hi, David,
>
> On 22/5/23 18:05, David Farmer wrote:
> [...]
> >
> >     I think that many of us are still reeling from default configuration of
> >     certain "firewalls" that banks seemed like, which dropped packets
> >     containing
> >     ECN, and TCP options, and made it very very difficult to deploy new
> >     things.
> >     Even when at the IETF standards level... (so "innovation with
> >     permission")
> >
> >
> > So, I think we need "permissionless innovation" at the Internet level.
> > Nevertheless, that doesn't mean "innovation with permission" isn't
> > appropriate in some or even many situations. For example, in a situation
> > involving public safety, like a nuclear reactor or a missile control
> > system. We can all agree that "permissionless innovation" isn't
> > necessarily appropriate in situations like these.
>
> For the Security guy, the "nuclear reactor" is the infrastructure that,
> if compromised or DoS, causes clients to complain, money to be lost, and
> eventually, staff to be fired.
>

Fernando,

That's the viewpoint for a Network Security guy, but as a Host
Security guy, network policy ostensibly put in place to protect the
host is irrelevant. The reason should be obvious: unless there is a
network security policy consistently implemented across all networks,
we, host developers and application developers, can't count on it, and
it really doesn't help secure the host. In fact, it's more likely
that these inconsistent policies are counterproductive, since we have
to insert hacks to try to work around network security policies which
themselves could create issues (for instance, think about the hacks we
need to do to try to keep an anonymous stateful firewall in the path
from arbitrarily evicting our connection from its cache).

Tom

> Yes, I love to play with EHs.... in a lab. :-)
>
> Thanks,
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar
> PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01
>
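The host-side "hack" Tom alludes to, keeping an unknown stateful middlebox from expiring an idle connection's state, is in practice TCP keepalive with its timers tuned below the middlebox's (unknown) idle timeout. The following is an added illustration, not code from this thread or from any of its participants: it enables keepalive on a loopback TCP connection and reads the effective values back from the kernel. The timer values (60 s idle, 15 s interval, 4 probes) are constructed for the demonstration, and the TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT names are the Linux option names; on platforms that lack them the function falls back to SO_KEEPALIVE alone and reports None for the missing timers.

```python
import socket

# Constructed timer values for the demonstration. Real deployments pick
# idle + interval * count comfortably below the shortest middlebox idle
# timeout they expect to traverse, which is exactly the problem: the host
# cannot know what an anonymous firewall in the path has configured.
KEEPALIVE_IDLE = 60      # seconds of silence before the first probe
KEEPALIVE_INTERVAL = 15  # seconds between unanswered probes
KEEPALIVE_COUNT = 4      # unanswered probes before the connection is dropped


def enable_keepalive(sock, idle=KEEPALIVE_IDLE, interval=KEEPALIVE_INTERVAL,
                     count=KEEPALIVE_COUNT):
    """Turn on TCP keepalive on a connected socket and tune its timers.

    Returns a dict of what the kernel reports back after the options are set.
    TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT are Linux names; where the
    platform's socket module lacks them, only SO_KEEPALIVE is enabled and the
    corresponding entries are None.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    result = {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0
    }
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)  # hypothetical absence on non-Linux
        if opt is None:
            result[name] = None
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        result[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return result


def _loopback_listener():
    """Bind a listener on ::1 if IPv6 loopback is available, else 127.0.0.1."""
    for family, host in ((socket.AF_INET6, "::1"), (socket.AF_INET, "127.0.0.1")):
        try:
            candidate = socket.socket(family, socket.SOCK_STREAM)
        except OSError:
            continue
        try:
            candidate.bind((host, 0))
            candidate.listen(1)
        except OSError:
            candidate.close()
            continue
        return candidate, host
    raise RuntimeError("no loopback interface available")


def demo_loopback():
    """Open a loopback TCP connection, enable keepalive on the client side,
    and return the effective settings the kernel reports."""
    listener, host = _loopback_listener()
    port = listener.getsockname()[1]
    client = socket.create_connection((host, port))
    server, _ = listener.accept()
    try:
        return enable_keepalive(client)
    finally:
        client.close()
        server.close()
        listener.close()


if __name__ == "__main__":
    print(demo_loopback())
```

The point of reading the values back is that SO_KEEPALIVE alone is not enough: the default idle timer on most systems is two hours, far longer than the idle timeouts typical stateful firewalls use, so a host that merely flips the flag still gets its connection evicted.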