On Wed, May 17, 2023 at 13:57 Tom Herbert <tom= [email protected]> wrote:
> On Wed, May 17, 2023 at 6:00 AM Fernando Gont <[email protected]>
> wrote:
> >
> > Hi,
> >
> > I believe we've already covered the topic quite thoroughly in RFC 9098.
> >
> > But if you want yet another data point, FYI this is instance N++ of a
> > DoS based on IPv6 EHs implementation flaws:
> > https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death
> >
> > It should be no surprise what security-minded folks tend to do with IPv6
> > EHs, particularly when there's currently not much reliance on them these
> > days.
>
> Fernando,
>
> There's an old saying phrased in the form of a question: "What is the
> most secure network in the world?". The answer is "One that's turned
> off". …
>
> So, if you want to build a network with maximum security then by all
> means drop packets with extension headers; …

Maximum security is rarely the objective; I by no means have maximum security at my home. However, I don’t live in the country where some people still don’t even lock their doors. I live in a city, I have decent deadbolt locks and I use them.

Most people want some level of reasonable security for both their home and for their Internet connection as well. The question is, is blocking or allowing IPv6 extension headers reasonable security? That’s not an easy question to answer.

In my opinion, allowing all possible extension headers is more akin to living in the country with your doors unlocked. While on the other hand blocking all possible extension headers seems like more than the deadbolt-lock security level I have for my home.

So, I’m not really happy with the all-or-nothing approach the two of you seem to be offering for IPv6 extension headers. Is there something in between? If not, then maybe that is what we need to be working towards.

Thanks

--
===============================================
David Farmer               Email:[email protected]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
