On Wed, May 17, 2023 at 6:00 AM Fernando Gont <[email protected]> wrote:
>
> Hi,
>
> I believe we've already covered the topic quite thoroughly in RFC 9098.
>
> But if you want yet another data point, FYI this is instance N++ of a
> DoS based on IPv6 EH implementation flaws:
> https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death
>
> It should be no surprise what security-minded folks tend to do with IPv6
> EHs, particularly when there's currently not much reliance on them these
> days.
Fernando,

There's an old saying phrased in the form of a question: "What is the most secure network in the world?". The answer is "One that's turned off". The analogy to this for a network is that if we want maximum security, but still connect to the Internet, then only allow the absolute bare minimum set of protocols to be used in the network and always drive to maintain the status quo before any other considerations.

So, if you want to build a network with maximum security then by all means drop packets with extension headers; but also be sure to drop packets containing other protocols that are potentially susceptible to implementation bugs, which includes any transport protocol other than TCP, IP fragmentation, and you probably should consider IPv6 as well since we certainly haven't seen the last of the implementation bugs for that. UDP as a secure protocol is right out! For the remaining "authorized" protocols, which is just TCP over IPv4, immediately drop all TCP packets that are not to or from port 443 because anything else is insecure. Also, a TCP implementation could have bugs, so require that users only use a network-provider-approved TCP stack implementation verified to be bug free and frozen in time that only allows bug fixes (we need to avoid regressions!).

Do all this, and I think you might be able to claim to have a secure network connected to the Internet :-)

Tom

> > Thanks,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [email protected]
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
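The thread argues about whether to drop IPv6 packets carrying extension headers at all, and Fernando's link is to a DoS caused by an extension-header parsing flaw. The one piece of code both sides of that argument depend on is the extension-header chain walker itself: it is exactly where the implementation flaws live, and it is what any "drop EHs" filter has to run first. The following is an added example, not code from either poster, from RFC 9098, or from the article linked above. It parses the EH chain defensively (Payload Length checked against the buffer, each header length checked before it is read, the walk bounded by an assumed local limit `MAX_EH_COUNT`, non-first fragments recognised as not carrying the upper-layer header) and then applies two filtering policies: the blanket "drop anything with an EH" rule the thread is about, and an assumed `selective` policy that only rejects Hop-by-Hop and the RH0 routing header deprecated by RFC 5095. The sample packets are constructed inline; the addresses, `MAX_EH_COUNT` and the `selective` policy are assumptions for illustration.

```python
import struct

# Next Header values (IANA protocol numbers).
HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
TCP, UDP, ESP = 6, 17, 50
# Headers this walker knows how to step over. ESP is deliberately absent:
# its length is not visible, so the chain must stop there.
PARSEABLE_EH = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}
MAX_EH_COUNT = 8  # assumed local limit; bounds the walk on hostile input


class ParseError(ValueError):
    pass


def walk_eh_chain(pkt: bytes):
    """Walk the IPv6 extension-header chain of a raw packet.

    Returns (chain, upper_proto): chain is a list of dicts describing each
    extension header in order; upper_proto is the first non-extension
    Next Header value, or None for a non-first fragment, whose upper-layer
    header is not present.  Raises ParseError on malformed input.
    """
    if len(pkt) < 40:
        raise ParseError("truncated fixed header")
    if pkt[0] >> 4 != 6:
        raise ParseError("not IPv6")
    payload_len = struct.unpack_from("!H", pkt, 4)[0]
    end = 40 + payload_len
    if end > len(pkt):
        raise ParseError("Payload Length exceeds buffer")
    nh, off, chain = pkt[6], 40, []
    while nh in PARSEABLE_EH:
        if len(chain) >= MAX_EH_COUNT:
            raise ParseError("extension header chain too long")
        if off + 8 > end:  # every parseable EH has at least 8 octets
            raise ParseError("truncated extension header")
        next_nh, hdr_ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            hlen = 8                       # RFC 8200: fixed 8 octets
        elif nh == AH:
            hlen = (hdr_ext_len + 2) * 4   # RFC 4302: 32-bit words minus 2
        else:
            hlen = (hdr_ext_len + 1) * 8   # RFC 8200: 8-octet units, first 8 excluded
        if off + hlen > end:
            raise ParseError("extension header runs past payload")
        entry = {"type": nh, "offset": off, "length": hlen}
        if nh == ROUTING:
            entry["routing_type"] = pkt[off + 2]
            entry["segments_left"] = pkt[off + 3]
        if nh == FRAGMENT:
            entry["fragment_offset"] = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
        chain.append(entry)
        off += hlen
        if nh == FRAGMENT and entry["fragment_offset"] != 0:
            return chain, None             # non-first fragment: no upper header here
        nh = next_nh
    return chain, nh


def classify(pkt: bytes, policy: str):
    """Return (verdict, reason) for a packet under the named policy."""
    try:
        chain, upper = walk_eh_chain(pkt)
    except ParseError as e:
        return "DROP", f"malformed: {e}"   # unparseable input never reaches the stack
    if policy == "drop-all-eh":            # the blanket rule the thread argues about
        return ("DROP", "extension header present") if chain else ("ACCEPT", "no extension headers")
    if policy == "selective":              # assumed example policy, not from RFC 9098
        for h in chain:
            if h["type"] == ROUTING and h["routing_type"] == 0:
                return "DROP", "RH0 (deprecated by RFC 5095)"
            if h["type"] == HOPOPTS:
                return "DROP", "hop-by-hop options"
        return "ACCEPT", f"{len(chain)} extension header(s), upper={upper}"
    raise ValueError(f"unknown policy {policy!r}")


# --- constructed sample packets (assumed documentation-prefix addresses) ---
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
TCP_STUB = struct.pack("!HHIIBBHHH", 12345, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
PADN4 = b"\x01\x04" + b"\x00" * 4        # PadN option filling 6 octets


def ipv6(payload: bytes, next_header: int) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


PLAIN = ipv6(TCP_STUB, TCP)
RH0 = ipv6(struct.pack("!BBBBI", TCP, 2, 0, 1, 0) + DST + TCP_STUB, ROUTING)
HBH_DST = ipv6(struct.pack("!BB", DSTOPTS, 0) + PADN4
               + struct.pack("!BB", TCP, 0) + PADN4 + TCP_STUB, HOPOPTS)
FRAG2 = ipv6(struct.pack("!BBHI", TCP, 0, 185 << 3, 0xDEADBEEF) + b"\x00" * 16, FRAGMENT)
TRUNC_RH = ipv6(struct.pack("!BBBBI", TCP, 20, 0, 1, 0) + DST + TCP_STUB, ROUTING)  # claims 168 octets
LONG_CHAIN = ipv6((struct.pack("!BB", DSTOPTS, 0) + PADN4) * 9
                  + struct.pack("!BB", TCP, 0) + PADN4 + TCP_STUB, DSTOPTS)

if __name__ == "__main__":
    for name, p in [("PLAIN", PLAIN), ("RH0", RH0), ("HBH_DST", HBH_DST),
                    ("FRAG2", FRAG2), ("TRUNC_RH", TRUNC_RH), ("LONG_CHAIN", LONG_CHAIN)]:
        print(f"{name:10} drop-all-eh={classify(p, 'drop-all-eh')}  selective={classify(p, 'selective')}")
```

The two policies disagree only on packets that parse cleanly; every malformed packet is dropped by both before any header field is trusted, which is the property the linked bug class is about. The walker stops at ESP rather than guessing its length, and treats a non-first fragment as having no upper-layer header rather than reading transport fields out of fragment data.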
