Hi, Tom,

On 17/5/23 19:56, Tom Herbert wrote:


> Fernando,
>
> There's an old saying phrased in the form of a question: "What is the
> most secure network in the world?". The answer is "One that's turned
> off".

It is not about "most secure network", but rather about unnecessary risk.

Go look at the CVEs for IPv6 EHs. Then go enable them in your network, and when you get DoSed, tell your manager that while the feature wasn't needed, and you were aware of the long track record of CVEs associated with the feature, you left it enabled "for the good of the Internet".

That line of thought would have never flown with anybody I have worked for in a security role.


> So, if you want to build a network with maximum security then by all
> means drop packets with extension headers; but, also be sure to drop
> packets containing other protocols that are potentially susceptible to
> implementation bugs, which includes any transport protocol other than
> TCP, IP fragmentation, and you probably should consider IPv6 as well
> since we certainly haven't seen the last of the implementation bugs
> for that. UDP as a secure protocol is right out! For the remaining
> "authorized" protocols, which is just TCP over IPv4, immediately drop
> all TCP packets that are not to or from port 443 because anything else
> is insecure. Also a TCP implementation could have bugs, so require
> that users only use a network provider approved TCP stack
> implementation verified to be bug free and frozen in time that only
> allows bug fixes (we need to avoid regressions!).

There are 20-30+ additional years of experience and testing of IPv4 and TCP implementations compared with these IPv6 features.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
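Editor's added example (not part of the list post above, nor code from either author): the thread argues about dropping IPv6 packets that carry extension headers, so this shows what such a filter actually has to do, namely walk the next-header chain from the fixed IPv6 header until it reaches an upper-layer protocol, while surviving the malformed inputs the CVE track record is about (truncated headers, absurd chain lengths, opaque ESP). The packets are constructed inline from a tiny builder so the script runs offline; the header-type table, the `max_headers` bound and the `should_drop` policy default (drop on any extension header at all) are this example's own assumptions, not a rule from the thread.

```python
import struct

# IPv6 extension-header types (RFC 8200 and friends) that this walker understands.
EXT_HEADERS = {
    0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
    60: "Destination Options", 135: "Mobility", 139: "HIP", 140: "Shim6",
}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
NO_NEXT_HEADER = 59


def walk_ext_headers(pkt: bytes, max_headers: int = 8):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns (chain, upper_layer_name, status). status is "ok" when the chain
    ended at an upper-layer protocol, otherwise names the failure mode.
    max_headers is an assumed sanity bound, not a protocol constant."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], None, "not-ipv6"
    nh, offset, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(chain) >= max_headers:
            return chain, None, "too-many-headers"
        if nh == 50:                      # ESP: everything after it is encrypted
            chain.append("ESP")
            return chain, None, "opaque"
        if offset + 2 > len(pkt):         # need next-header and length bytes
            return chain, None, "truncated"
        chain.append(EXT_HEADERS[nh])
        if nh == 44:                      # Fragment header is fixed at 8 octets
            hlen = 8
        elif nh == 51:                    # AH length is in 4-octet units, minus 2
            hlen = (pkt[offset + 1] + 2) * 4
        else:                             # others: 8-octet units, excluding first 8
            hlen = (pkt[offset + 1] + 1) * 8
        nxt = pkt[offset]
        offset += hlen
        if offset > len(pkt):             # declared length runs past the packet
            return chain, None, "truncated"
        nh = nxt
    if nh == NO_NEXT_HEADER:
        return chain, None, "no-next-header"
    return chain, UPPER_LAYER.get(nh, str(nh)), "ok"


def should_drop(pkt: bytes, allowed=frozenset()) -> bool:
    """Policy helper: drop anything unparsable and anything carrying an
    extension header not in `allowed` (default: no extension headers at all)."""
    chain, _upper, status = walk_ext_headers(pkt)
    if status != "ok":
        return True
    return any(h not in allowed for h in chain)


def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    """Constructed fixed IPv6 header (zero addresses, hop limit 64) + payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      bytes(16), bytes(16))
    return hdr + payload


# Constructed sample packets (not captured traffic).
PLAIN_TCP = ipv6_packet(6, bytes(20))
HBH_THEN_DSTOPTS = ipv6_packet(0, bytes([60, 0]) + bytes(6)      # Hop-by-Hop -> DstOpts
                                  + bytes([6, 0]) + bytes(6)     # DstOpts -> TCP
                                  + bytes(20))
FRAGMENT_TCP = ipv6_packet(44, bytes([6, 0, 0, 0, 0, 0, 0, 1]) + bytes(20))
# Hop-by-Hop header that claims 88 octets but only 8 are present.
TRUNCATED = ipv6_packet(0, bytes([6, 10]) + bytes(6))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_TCP), ("hbh+dstopts", HBH_THEN_DSTOPTS),
                      ("fragment", FRAGMENT_TCP), ("truncated", TRUNCATED)]:
        print(name, walk_ext_headers(pkt), "drop" if should_drop(pkt) else "pass")
```

The point a filter author should take from the walker is that every length field is attacker-controlled: the offset check after each header is what keeps a lying Hop-by-Hop length from reading past the buffer, and the chain bound is what keeps a packet stuffed with hundreds of zero-length Destination Options headers from turning parsing into the DoS.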

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
