EH has no problems in the closed domain. If it is needed then it would be tested, activated, and supported. Security risk and potential performance penalty would be properly managed. Never ever would the open Internet permit many EHs, because every feature activated has an associated cost for the above-mentioned procedures. You are fighting ghosts. It is not harmful, just useless.

Ed/

-----Original Message-----
From: v6ops [mailto:[email protected]] On Behalf Of Jen Linkova
Sent: Thursday, May 18, 2023 2:08 PM
To: David Farmer <[email protected]>
Cc: Tom Herbert <[email protected]>; [email protected]; Fernando Gont <[email protected]>; V6 Ops List <[email protected]>; opsec WG <[email protected]>
Subject: Re: [v6ops] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)
On Thu, May 18, 2023 at 11:15 AM David Farmer <[email protected]> wrote:
> Most people want some level of reasonable security for both their home and
> for their Internet connection as well. The question is: is blocking or allowing
> IPv6 extension headers reasonable security? That's not an easy question to
> answer.
>
> In my opinion, allowing all possible extension headers is more akin to living
> in the country with your doors unlocked. While on the other hand, blocking all
> possible extension headers seems like more than the dead-bolt lock security
> level I have for my home.
>
> So, I'm not really happy with the all-or-nothing approach the two of you seem
> to be offering for IPv6 extension headers; is there something in between? If
> not, then maybe that is what we need to be working towards.

I think EHs are almost the same from the filtering PoV as any other L4 protocol. Would I allow all of them? Probably not (unless my policy for the given device or network is "permit any any"). Would I allow one I need? Most likely yes.

If an EH is dropped it means either that the EH is not used in this network, or it's used, something gets broken, but nobody has complained yet. So we need to make a use case for EH, make it attractive enough, and make the failure mode unpleasant enough for users to complain.

--
SY, Jen Linkova aka Furry

_______________________________________________
v6ops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/v6ops
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
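The "treat an EH like any other L4 protocol and permit only the ones you need" position above can be shown as a small filter. The following is an added example, not code from any participant in this thread or from any IETF document: it walks an IPv6 header chain (Next Header / Hdr Ext Len fields as defined in RFC 8200, AH length per RFC 4302) and applies an allowlist of extension headers and upper-layer protocols, dropping anything it cannot parse. The sample packets, addresses (all-zero), ports and the eight-header chain limit are constructed for the example and are not taken from the discussion.

```python
import struct

# IANA protocol numbers for the IPv6 extension headers this filter recognises.
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6 = 135, 139, 140
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY, HIP, SHIM6}
MAX_CHAIN = 8  # constructed sanity limit; a real device would tune this


def walk_header_chain(packet: bytes):
    """Return (list of extension header types in order, upper-layer protocol).

    Raises ValueError when the chain is truncated or otherwise unparseable,
    so the caller can treat "cannot parse" as its own filter outcome.
    """
    if len(packet) < 40:
        raise ValueError("truncated IPv6 fixed header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("payload length exceeds captured bytes")
    next_header = packet[6]
    offset = 40
    chain = []
    while next_header in EXT_HEADERS:
        if next_header == ESP:
            # ESP encrypts everything after itself; the chain is opaque from here.
            chain.append(ESP)
            return chain, ESP
        if offset + 2 > end:
            raise ValueError("truncated extension header")
        following = packet[offset]
        if next_header == FRAGMENT:
            hdr_len = 8                              # fixed 8 bytes (RFC 8200)
        elif next_header == AH:
            hdr_len = (packet[offset + 1] + 2) * 4   # length in 32-bit words minus 2 (RFC 4302)
        else:
            hdr_len = (packet[offset + 1] + 1) * 8   # length in 8-octet units minus 1 (RFC 8200)
        if offset + hdr_len > end:
            raise ValueError("extension header runs past end of packet")
        chain.append(next_header)
        if len(chain) > MAX_CHAIN:
            raise ValueError("extension header chain too long")
        next_header = following
        offset += hdr_len
    return chain, next_header


def filter_decision(packet: bytes, allowed_ehs, allowed_upper):
    """Allowlist policy: unknown or unparseable headers are dropped, like any other L4 protocol."""
    try:
        chain, upper = walk_header_chain(packet)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    for eh in chain:
        if eh not in allowed_ehs:
            return "drop", f"extension header {eh} not permitted"
    if upper not in allowed_upper:
        return "drop", f"upper-layer protocol {upper} not permitted"
    return "permit", "ok"


def make_packet(first_next_header: int, body: bytes) -> bytes:
    """Build a minimal IPv6 packet (constructed: version 6, all-zero src/dst)."""
    fixed = struct.pack("!IHBB", 0x60000000, len(body), first_next_header, 64)
    return fixed + bytes(16) + bytes(16) + body


# Constructed sample packets.
UDP_HDR = struct.pack("!HHHH", 1234, 53, 8, 0)                         # 8-byte UDP header
TCP_HDR = struct.pack("!HHIIBBHHH", 1234, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
PACKET_FRAG_UDP = make_packet(FRAGMENT, struct.pack("!BBHI", UDP, 0, 0, 0x1234) + UDP_HDR)
PACKET_HBH_TCP = make_packet(HOPOPT, struct.pack("!BB", TCP, 0) + b"\x01\x04\x00\x00\x00\x00" + TCP_HDR)
PACKET_TRUNCATED = make_packet(DSTOPTS, b"\x06")  # Dst Opts header cut off after one byte

# Example policy: permit Fragment and Destination Options, drop other EHs.
POLICY_EHS = {FRAGMENT, DSTOPTS}
POLICY_UPPER = {TCP, UDP, ICMPV6}

if __name__ == "__main__":
    for name, pkt in [("frag+udp", PACKET_FRAG_UDP), ("hbh+tcp", PACKET_HBH_TCP), ("truncated", PACKET_TRUNCATED)]:
        print(name, filter_decision(pkt, POLICY_EHS, POLICY_UPPER))
```

Running it permits the fragmented UDP packet, drops the Hop-by-Hop packet because that EH is not on the allowlist, and drops the truncated packet as malformed. The design choice worth noting is the last one: a parse failure is a drop with its own reason string, so an operator can see from the log whether traffic is being lost to policy or to packets the device could not read, which is exactly the "nobody has complained yet" failure mode the message describes.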
