On Thu, May 25, 2023 at 1:34 PM Manfredi (US), Albert E <[email protected]> wrote:
>
> -----Original Message-----
> From: Tom Herbert <[email protected]>
>
> > It's more than a preference to have host security, it is an absolute
> > requirement that each host provides security for its applications and
> > users. This requirement applies to SmartTVs, SmartPhones, home computers,
> > and pretty much all the several billion end user devices connected to the
> > Internet. No host device would ever assume that the network consistently
> > provides any adequate level of security, for real security we need to
> > assume that the host is the first and last line of defense (i.e. zero trust
> > model).
>
> I could not agree more, Tom. So, as Fernando and others have said, the
> impulse is to block everything coming in from the Internet that you figure
> you don't need **right now**. Such as weird complicated header extensions.
>
> The ISP has its own concerns, to protect its network, but I, in my enterprise
> or household, have different concerns. I'm not going to trust the ISP's
> security mechanisms to provide my own security needs.
>
> Honestly don't see how IPv6 is going to change that. Over time, perhaps, some
> specific extensions used out in the wild will be seen as crucially important
> to my enterprise or household, and maybe those will not be blocked. But
> "trust me, you must accept all these EHs"? More likely, those potential
> innovations will go unused and maybe will eventually be implemented in a
> different way.
Bert,

It's your prerogative to block all EH on your home router. But not everyone
does that. And even if you do, when you leave home and connect to WIFI at the
local coffee shop do you verify that the network provider for the coffee shop
has properly blocked the extension headers that are "insecure"? Have you
verified that your mobile carrier properly blocks EH, or whatever carrier you
connect to when roaming? Or for that matter, when you attend IETF do you
demand that the NOC team blocks extension headers? (I don't believe that they
are blocked, but it would be quite ironic if they were :-) ).

As Johnson Yu said, the security of the entire network depends on the weakest
part within it. If we extrapolate that logic to Internet scale, then the
security of the Internet depends on the weakest part; so if extension headers
really are the threat that some are making them out to be, then we need more
than ad hoc security policies applied across the Internet with no consistency.

Tom

>
> Security evolved as it did, over IPv4, for a reason, methinks.
>
> Bert

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
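The thread argues about whether hosts or networks should filter IPv6 extension headers, but does not show what such a host-side check concretely involves. The following is an added example, not code from the thread or from any IETF project: it walks an IPv6 extension-header chain the way a host firewall would, applies an allow-list policy (the default allow list of Fragment, AH and ESP is an illustrative choice, not a recommendation from the discussion), and treats a chain it cannot walk safely, such as a truncated packet or a Hop-by-Hop header that is not first, as a drop. All packets are constructed inline using addresses from the 2001:db8::/32 documentation prefix; the transport header is a zero-filled stand-in.

```python
"""Walk an IPv6 extension-header chain and apply an allow-list policy.

Added example; not from the OPSEC thread. Packet bytes are constructed inline.
"""
import ipaddress
import struct

# IANA protocol numbers for the extension headers a chain walker must understand
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EH_NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
            ESP: "ESP", AH: "AH", DEST_OPTS: "Destination Options", MOBILITY: "Mobility"}


class ChainError(Exception):
    """Raised when the header chain cannot be walked safely."""


def walk_eh_chain(pkt: bytes):
    """Return (list of EH numbers in order, upper-layer protocol number).

    The upper-layer number is None when an ESP header ends the walk, because
    everything after ESP is encrypted. Raises ChainError on malformed input.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ChainError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = 40 + payload_len
    if len(pkt) < end:
        raise ChainError("packet shorter than Payload Length")
    nh, off, chain = pkt[6], 40, []
    while nh in EH_NAMES:
        # RFC 8200: Hop-by-Hop may appear only immediately after the IPv6 header
        if nh == HOP_BY_HOP and chain:
            raise ChainError("Hop-by-Hop header not first in chain")
        chain.append(nh)
        if nh == ESP:
            return chain, None
        if off + 2 > end:
            raise ChainError("chain runs past Payload Length")
        if nh == FRAGMENT:
            hlen = 8                          # fixed-size header
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4     # length in 4-octet units, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8     # length in 8-octet units, excluding first 8
        if off + hlen > end:
            raise ChainError(f"{EH_NAMES[nh]} header runs past Payload Length")
        nh, off = pkt[off], off + hlen
    return chain, nh


# Illustrative allow-list: fragments and IPsec pass, every other EH is dropped.
DEFAULT_ALLOWED = frozenset({FRAGMENT, AH, ESP})


def classify(pkt: bytes, allowed=DEFAULT_ALLOWED):
    """Return ("accept", reason) or ("drop", reason) for one packet."""
    try:
        chain, upper = walk_eh_chain(pkt)
    except ChainError as err:
        return "drop", f"malformed chain: {err}"
    blocked = [EH_NAMES[h] for h in chain if h not in allowed]
    if blocked:
        return "drop", "disallowed extension header(s): " + ", ".join(blocked)
    return "accept", f"chain={[EH_NAMES[h] for h in chain]} upper={upper}"


# --- constructed sample packets (hypothetical 2001:db8::/32 documentation addresses) ---
def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + src + dst + payload


def options_header(next_header: int) -> bytes:
    """8-byte Hop-by-Hop / Destination Options header carrying one PadN option."""
    return bytes([next_header, 0]) + b"\x01\x04\x00\x00\x00\x00"


def fragment_header(next_header: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, 0x0001, 0xDEADBEEF)  # offset 0, M flag set


TCP, UDP = 6, 17
DUMMY_L4 = bytes(20)  # stand-in for a transport header; contents irrelevant here

PLAIN_TCP = ipv6_packet(TCP, DUMMY_L4)
HBH_DSTOPT_TCP = ipv6_packet(HOP_BY_HOP, options_header(DEST_OPTS) + options_header(TCP) + DUMMY_L4)
FRAG_UDP = ipv6_packet(FRAGMENT, fragment_header(UDP) + DUMMY_L4)
TRUNCATED = HBH_DSTOPT_TCP[:-10]  # Payload Length claims more bytes than are present
HBH_NOT_FIRST = ipv6_packet(DEST_OPTS, options_header(HOP_BY_HOP) + options_header(TCP) + DUMMY_L4)

if __name__ == "__main__":
    for name, pkt in [("plain tcp", PLAIN_TCP), ("hbh+dstopt", HBH_DSTOPT_TCP),
                      ("fragment", FRAG_UDP), ("truncated", TRUNCATED),
                      ("hbh not first", HBH_NOT_FIRST)]:
        print(f"{name:14s} -> {classify(pkt)}")
```

The walk is bounded by the Payload Length field and every header advances the offset by at least eight bytes, so a crafted chain cannot keep the loop spinning; the ESP case returns early because the host cannot see past it without the IPsec SA, which is exactly the situation in which a middlebox can only guess what follows.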
