> So, I’m not really happy with the all or nothing approach the two of you seem 
> to be offering for IPv6 extension headers, is there something in between? 
> If not, then maybe that is what we need to be working towards.
I agree with you. IMHO, I think we need to think about:
- what EHs should be blocked (and by what kind of device)
- what EHs should be encrypted (and at what point)
- what EHs should be signed / authenticated (and at what point)

We have been testing on various cloud implementations and will be sharing those 
results with the group soon.
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360 

On Wednesday, May 17, 2023 at 06:16:08 PM PDT, David Farmer <[email protected]> wrote:

On Wed, May 17, 2023 at 13:57 Tom Herbert <[email protected]> wrote:

On Wed, May 17, 2023 at 6:00 AM Fernando Gont <[email protected]> wrote:
>
> Hi,
>
> I believe we've already covered the topic quite thoroughly in RFC 9098.
>
> But if you want yet another data point, FYI this is instance N++ of a
> DoS based on IPv6 EHs implementation flaws:
> https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death
>
> It should be no surprise what security-minded folks tend to do with IPv6
> EHs, particularly when there's currently not much reliance on them these
> days.

Fernando,

There's an old saying phrased in the form of a question: "What is the
most secure network in the world?". The answer is "One that's turned
off". …

So, if you want to build a network with maximum security then by all
means drop packets with extension headers; …

Maximum security is rarely the objective; I by no means have maximum security 
at my home. However, I don’t live in the country where some people still don’t 
even lock their doors. I live in a city, I have decent deadbolt locks and I 
use them.

Most people want some level of reasonable security for both their home and for 
their Internet connection as well. The question is: is blocking or allowing IPv6 
extension headers reasonable security? That’s not an easy question to answer.

In my opinion, allowing all possible extension headers is more akin to living in 
the country with your doors unlocked. While on the other hand blocking all 
possible extension headers seems like more than the deadbolt locks security 
level I have for my home.

So, I’m not really happy with the all or nothing approach the two of you seem 
to be offering for IPv6 extension headers, is there something in between? If 
not, then maybe that is what we need to be working towards.

Thanks



-- 
===============================================
David Farmer               Email:[email protected]
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota   
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
=============================================== 
_______________________________________________
v6ops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/v6ops
  
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
