I wonder if part of the issue here is that insufficient attention is being given to operational security matters and too much weight is given to privacy in protocol development, irrespective of the security implications (which is of course ultimately detrimental to security anyway)?
Andrew From: OPSEC <[email protected]> on behalf of Fernando Gont <[email protected]> Sent: Thursday, May 18, 2023 2:19 pm To: David Farmer <[email protected]>; Tom Herbert <[email protected]> Cc: [email protected] <[email protected]>; V6 Ops List <[email protected]>; opsec WG <[email protected]> Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS) Hi, David, On 18/5/23 02:14, David Farmer wrote: > > > On Wed, May 17, 2023 at 13:57 Tom Herbert > <[email protected] > <mailto:[email protected]>> wrote: [...] > > Maximum security is rarely the objective, I by no means have maximum > security at my home. However, I don’t live in the country where some > people still don’t even lock there doors. I live in a a city, I have > decent deadbolt locks and I use them. > [....] > > So, I’m not really happy with the all or nothing approach the two of you > seem to be offering for IPv6 extension headers, is there something in > between? If not, then maybe that is what we need to be working towards. FWIW, I[m not arguing for a blank "block all", but rather "just allow the ones you really need" -- which is a no brainer. The list you need is, maybe Frag and, say, IPsec at the global level? (from the pov of most orgs). (yeah... HbH and the like are mostly fine for the local link (e.g. MLD). Thanks, -- Fernando Gont SI6 Networks e-mail: [email protected] PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494 _______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
