> > Taking into account that stateless ACLs of all router vendors we > > tested (results tb published soon) can be avoided/evaded by adding ~5 > > extension headers to datagrams I fully understand any operator who > > does not want SSH on its devices to be reachable from the Internet > > (over v6 with extension headers) and hence acts in a way similar to > > the one Steinar described. > > There is a big difference between an operator dropping all packets with > EHs that are destined for *his own devices/routers* (I have no problem > with that - your devices, your rules), and an operator that drops > *transit* traffic destined for his customers because his routers cannot > understand/parse/filter its L4/EH payload.
I certainly appreciate this distinction. However, problems arise in practice when customers *ask* for various types of protection - which are most sensibly implemented on border routers. Just to be clear - we don't drop IPsec traffic today (neither IPv6 nor IPv4). > In my opinion, an ISP/IP transit network shouldn't even attempt to > parse the L4/EH payload in customer traffic (except if the customer > asks for it of course), it should just deliver the packets. The problem is - the customer *does* ask for it, in many cases. > > I doubt Steinar loses many customers (due to "application breakage") > > by taking that path. In contrary I expect many of his customers > > valueing the increased level of device & network availability gained > > by eliminating an entire class of attacks. > > The first operator I mentioned above won't lose any customers because > his filtering activities doesn't impact customer traffic. The second > operator would lose my business, at least. And probably others' too, as > business customers might want their site2site IPSEC tunnels to work, > residental customers might want their Xbox One online gaming to work, > and so on. I agree - IPSEC tunnels and Xbox One online gaming need to work. That doesn't mean *all* extension header combinations should be expected to work - and it appears that they often don't. I expect we'll see much more of these discussions in the coming years, as IPv6 traffic grows. And I certainly also expect significant size IPv6 DDoS attacks - at least some of which will probably be based on extension header manipulation. Steinar Haug, AS 2116
