On Thu, May 18, 2023 at 6:10 AM Fernando Gont <[email protected]> wrote:
>
> Hi, Tom,
>
> On 17/5/23 19:56, Tom Herbert wrote:
> >
> > Fernando,
> >
> > There's an old saying phrased in the form of a question: "What is the
> > most secure network in the world?". The answer is "One that's turned
> > off".
>
> It is not about "most secure network", but rather about unnecessary risk.
>
> Go look at the CVEs for IPv6 EHs. Then go enable them in your network, and
> when you get DoSed, you tell your manager that while the feature wasn't
> needed, and you were aware of the long track of CVEs associated with
> the feature, you leave it enabled "for the good of the Internet".

I'm a developer, so it's more likely I have to explain to my manager why we have to put in a bunch of hacks in the networking stack to work around ad hoc, arbitrary, and inconsistent "security policies" of a few networks; I have to explain why we can't easily deploy a new transport protocol because some marketing manager at a network provider decided that TCP is necessary and sufficient for all purposes; I have to explain why we're trying to encrypt the hell out of packets, including transport layer headers, to keep network devices from meddling in protocol layers they're not supposed to be.

> That line of thought would have never thought with anybody I have worked
> for in a security role.

Your viewpoint is clearly from that of a network operator for one network; my viewpoint is that of someone trying to develop applications that need to work across the whole Internet. Security has a different meaning in that regard: I need to worry about the security of the host stack. As I've pointed out on this list before, I have never, not even once, seen code that relies on the network to provide security, and not even a single comment praising the network for providing security for the host -- to the contrary, there's a whole bunch of hacks and comments about workarounds for non-standard practices in the network. So instead of randomly disabling features in networks when we find implementation bugs, my motivation is to fix the bug!

> > So, if you want to build a network with maximum security then by all
> > means drop packets with extension headers; but, also be sure to drop
> > packets containing other protocols that are potentially susceptible to
> > implementation which includes any other transport protocol other than
> > TCP, IP fragmentation, and you probably should consider IPv6 as well
> > since we certainly haven't seen the last of the implementation bugs
> > for that. UDP as a secure protocol is right out! For the remaining
> > "authorized" protocols, which is just TCP over IPv4, immediately drop
> > all TCP packets that are not to or from port 443 because anything else
> > is insecure. Also a TCP implementation could have bugs, so require
> > that users only use a network provider approved TCP stack
> > implementation verified to be bug free and frozen in time that only
> > allows bug fixes (we need to avoid regressions!).
>
> There's 20/30+ additional years of experience and tests of IPv4 and TCP
> implementations than with these IPv6 features.

And there are still security issues being found with those protocols. Recently, there have been a whole bunch of DoS and security issues discovered with caches. Look at the CVEs for those.

Tom

> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
