Arnaud,
First, nice to hear from you.
Next, I think blocking EH without nuance or care is throwing out the baby with 
the bathwater.
IMHO, if we have problems with EH, it is because people have not carefully considered 
their use. I think if we do not make IPv6 an extensible and flexible 
protocol, we will be looking at creating a new version (IPv8? IPv10?) before 
we know it.
There are many problems with, for example, some TCP packets, and we do not say 
"just block TCP".
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360 
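As an added illustration of the "nuance" asked for above (and of the EH DoS concern raised further down the thread), here is a small per-extension-header policy: it walks the IPv6 header chain and drops only what is malformed or known-hostile, while letting fragments, AH/ESP and well-formed option headers through. This is example code written for this page, not code from any of the posters, from the Linux kernel, or from RFC 9098. The limit of four headers, the allow-list of upper-layer protocols, the 20-byte TCP-header check on first fragments, and every sample packet are constructed assumptions; the RFC references in the comments (RFC 8200, RFC 5095, RFC 7112) are real.

```python
"""Per-extension-header IPv6 filtering policy: example written for this thread, not code
from any poster, Linux or RFC 9098; limits, allow-list and sample packets are assumptions."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
NO_NEXT, MOBILITY, HIP, SHIM6, TCP, UDP, ICMPV6 = 59, 135, 139, 140, 6, 17, 58
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY, HIP, SHIM6}
MAX_EXT_HEADERS = 4                                   # assumed policy limit on chain length
ALLOWED_UPPER = {TCP, UDP, ICMPV6, ESP, AH, NO_NEXT}  # assumed upper-layer allow-list

def fragment_offset(packet, off):
    return struct.unpack_from("!H", packet, off + 2)[0] >> 3   # Fragment Offset field, 8-octet units

def walk_extension_headers(packet):
    """Return (headers, upper_nh, chain_end); headers is a list of (nh, offset, length)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, offset, headers = packet[6], 40, []
    while nh in EXTENSION_HEADERS:                      # ESP is not walked: the rest is encrypted
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            length = 8                                  # fixed size (RFC 8200 section 4.5)
        elif nh == AH:
            length = (packet[offset + 1] + 2) * 4       # AH Payload Len is in 32-bit words minus 2
        else:
            length = (packet[offset + 1] + 1) * 8       # Hdr Ext Len in 8-octet units, excluding the first 8
        if offset + length > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        headers.append((nh, offset, length))
        nh, offset = packet[offset], offset + length    # read Next Header byte, then advance
        if headers[-1][0] == FRAGMENT and fragment_offset(packet, headers[-1][1]):
            break                                       # non-first fragment: what follows is payload
    return headers, nh, offset

def evaluate(packet):
    """Classify one packet as ('ALLOW'|'DROP', reason) using per-header rules."""
    try:
        headers, upper, chain_end = walk_extension_headers(packet)
    except ValueError as err:
        return "DROP", f"malformed: {err}"
    if len(headers) > MAX_EXT_HEADERS:
        return "DROP", f"{len(headers)} extension headers, limit is {MAX_EXT_HEADERS}"
    counts, later_fragment = {}, False
    for index, (nh, off, _) in enumerate(headers):
        counts[nh] = counts.get(nh, 0) + 1
        if nh == HOP_BY_HOP and index != 0:
            return "DROP", "Hop-by-Hop Options must be the first extension header"
        if nh == ROUTING and packet[off + 2] == 0:
            return "DROP", "Routing Header type 0 (deprecated by RFC 5095)"
        later_fragment |= nh == FRAGMENT and fragment_offset(packet, off) > 0
    if counts.get(DEST_OPTS, 0) > 2 or any(c > 1 for h, c in counts.items() if h != DEST_OPTS):
        return "DROP", "extension header repeated more often than RFC 8200 allows"
    if later_fragment:
        return "ALLOW", "non-first fragment; the chain is checked on the first fragment"
    if FRAGMENT in counts and upper == TCP and len(packet) - chain_end < 20:
        return "DROP", "first fragment does not carry the TCP header (RFC 7112)"
    if upper not in ALLOWED_UPPER:
        return "DROP", f"upper-layer protocol {upper} is not on the allow-list"
    return "ALLOW", f"{len(headers)} extension header(s) within policy"

# Constructed packets for the demonstration (not captures).
SRC, DST = bytes.fromhex("fd00" + "00" * 13 + "01"), bytes.fromhex("fd00" + "00" * 13 + "02")
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

def options_header(options=b""):
    """Hop-by-Hop or Destination Options header padded with Pad1; byte 0 is set by build_packet."""
    body = bytearray(2) + options
    body += bytes(-len(body) % 8)
    body[1] = len(body) // 8 - 1
    return bytes(body)

def fragment_header(offset, more, identification):
    return struct.pack("!BBHI", 0, 0, (offset << 3) | more, identification)

def build_packet(ext_headers, upper_nh, payload):
    """Fixed header + chain + payload; ext_headers is a list of (nh, raw_header_bytes)."""
    chain = bytearray()
    for index, (_, raw) in enumerate(ext_headers):
        raw = bytearray(raw)
        raw[0] = ext_headers[index + 1][0] if index + 1 < len(ext_headers) else upper_nh
        chain += raw
    first_nh = ext_headers[0][0] if ext_headers else upper_nh
    fixed = struct.pack("!IHBB", 0x60000000, len(chain) + len(payload), first_nh, 64)
    return fixed + SRC + DST + bytes(chain) + payload

SAMPLES = {
    "plain tcp": build_packet([], TCP, TCP_SYN),
    "first fragment": build_packet([(FRAGMENT, fragment_header(0, 1, 0x1234))], TCP, TCP_SYN),
    "later fragment": build_packet([(FRAGMENT, fragment_header(100, 0, 0x1234))], TCP, bytes(16)),
    "rh0": build_packet([(ROUTING, bytes([0, 2, 0, 1]) + bytes(4) + DST)], TCP, TCP_SYN),
    "hbh not first": build_packet([(DEST_OPTS, options_header()), (HOP_BY_HOP, options_header())], TCP, TCP_SYN),
    "truncated": build_packet([(DEST_OPTS, options_header())], TCP, TCP_SYN)[:44],
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name:15} {evaluate(packet)[0]:5} {evaluate(packet)[1]}")
```

Run as a script and each constructed packet prints its verdict and reason. The point relevant to the "just block EH" debate is that a Fragment header, a later fragment and a Hop-by-Hop header in its proper place all pass, while RH0, an out-of-place Hop-by-Hop, an over-long chain and a chain that runs off the end of the packet are dropped; a production filter would additionally rate-limit packets carrying Hop-by-Hop options, since that is where the per-packet processing cost concentrates.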

On Thursday, May 25, 2023 at 12:23:02 AM PDT, Arnaud Taddei <[email protected]> wrote:

Ok Eduard, I recognise a bit of an epidermic reaction (after all, I am half 
Latin blood) and missed the telco context because I see the drama in the enterprise 
context every single day!
Now, ironically, the example I took below was a telco!
But I buy your point … all good

On 25 May 2023, at 07:58, Vasilenko Eduard 
<[email protected]> wrote:

Hi Arnaud,

It is a good point that Enterprises pay much more serious attention 
to security. But Telco is not so paranoid about security.
The last initiative in this WG is about "to push Telco to tolerate all EHs". The context 
of this discussion is more about Telco.

> The additional cost you can find ways to write them off

In the majority of cases "No". Because tests could not be 
free, and support could not be free either. The performance penalty may be close to 
zero (only a small loss of bandwidth), depending on the EH type (maybe a 2x 
drop of performance because of recirculation).

> the 'additional cost' and the 'security risk' are not symmetric at all.

Yes, it is an apples and oranges 
comparison. But both exist, and both may be discussed.

Ed/

From: Arnaud Taddei [mailto:[email protected]]
Sent: Thursday, May 25, 2023 8:47 AM
To: Vasilenko Eduard <[email protected]>
Cc: Fernando Gont <[email protected]>; Manfredi (US), Albert E 
<[email protected]>; IPv6 Operations <[email protected]>; 6man 
<[email protected]>; [email protected]
Subject: Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why folks are blocking IPv6 
extension headers? (Episode 1000 and counting) (Linux DoS)

+1, just that the 'additional cost' and the 'security risk' are not symmetric at all.

The additional cost you can find ways to write off.

The security risk is much 
more damaging because it is a compliance risk (think DORA for the FSI in the EU), a 
reputation risk that is now captured by credit rating agencies, a revenue risk, 
a stock rating risk (your stock will drop), insurance ratings, etc., and 1) 
it is getting substantial and 2) it is even existential, with a few examples 
where some organizations literally lost, e.g. an MNO of €1.3B and 30 years of 
existence (only survived by 1 backup link), etc.
On 25 May 2023, at 07:21, Vasilenko Eduard 
<[email protected]> wrote:

IMHO: Fernando comes 
here with a good example (EH DoS). Security is a good reason to block EHs.
But for business, every feature should be tested, supported, and somebody 
should pay an additional performance penalty.
I am not sure which reason is bigger: additional cost or security risk. It 
depends on the organization type.
Ed/
-----Original Message-----
From: OPSEC [mailto:[email protected]] On Behalf Of Arnaud Taddei
Sent: Thursday, May 25, 2023 8:12 AM
To: Fernando Gont <[email protected]>
Cc: Manfredi (US), Albert E <[email protected]>; IPv6 Operations 
<[email protected]>; 6man <[email protected]>; [email protected]
Subject: Re: [OPSEC] [EXTERNAL] Re: [IPv6] [v6ops] Why folks are blocking IPv6 
extension headers? (Episode 1000 and counting) (Linux DoS)

Would like to support Fernando again, and not just because I have a Sony TV 
too.

Cybersecurity is in such a bad state that I can only plead for a sense of 
realism and pragmatism vs dogmatism, to get real solutions into the hands of the 
defender practitioners.

If not, I will ask people here to consider spending a week in a Security 
Operations Center when there is a ransomware outbreak.

The intentions of Fernando's paper will be appreciated by the defenders.

On 25 May 2023, at 03:07, Fernando Gont <[email protected]> wrote:

On 25/5/23 02:01, Manfredi (US), Albert E wrote:

-----Original Message-----
From: ipv6 <[email protected]> On Behalf Of Fernando Gont

Given the amount of things that get connected to the Net (smart bulbs, 
refrigerators, etc.) -- and that will super-likely never receive security 
updates, you may have to **rely on your own network**.

For instance, I wouldn't have my smart TV "defend itself".
Agreed, "on your own network." From the viewpoint of a household, whatever 
network defense has to be behind that household's router, for it to be 
credible, and preferably right in each host. Yeah, some IoT devices may not be 
updated regularly.

So, that's why people block them at the edge.

(just the messenger)

The ISP has to worry about protecting that ISP's own network.

That's e.g. where RFC9098 comes in, with notes on why they are dropped in 
places other than the edge network.

Households have to be responsible for protecting their household's 
network. (And connected TVs do get regular software updates, as a 
matter of fact.)

I guess it all depends on the TV? e.g., I for one am not planning to throw it 
out just because Sony decided to quit pushing updates (which were never 
automatic for my set).

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec


--
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for the 
use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are not 
the intended recipient or the person responsible for delivering the e-mail to 
the intended recipient, you are hereby notified that any use, copying, 
distributing, dissemination, forwarding, printing, or copying of this e-mail is 
strictly prohibited. If you received this e-mail in error, please return the 
e-mail to the sender, delete it from your computer, and destroy any printed 
copy of it.
  
_______________________________________________
v6ops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/v6ops
  