On 26-May-23 08:33, Manfredi (US), Albert E wrote:
-----Original Message-----
From: Tom Herbert <t...@herbertland.com>
It's more than a preference to have host security, it is an absolute
requirement that each host provides security for its applications and users.
This requirement applies to SmartTVs, SmartPhones, home computers, and pretty
much all the several billion end user devices connected to the Internet. No
host device would ever assume that the network consistently provides any
adequate level of security, for real security we need to assume that the host
is the first and last line of defense (i.e. zero trust model).
I could not agree more, Tom. So, as Fernando and others have said, the impulse
is to block everything coming in from the Internet that you figure you don't
need **right now**. Such as weird complicated header extensions.
It's perfectly fine if a host chooses to block incoming packets for any reason
whatever, including unknown extension headers. That's quite consistent with the
*network* allowing permissionless innovation.
The problem arises when any upstream intermediate node drops a packet because
it doesn't like it for some reason. There, you immediately create the tussle
between transparency and security, and I strongly suspect that there is no
universal way of avoiding that tussle. Not every new feature has backing from
Google.
The ISP has its own concerns, to protect its network, but I, in my enterprise
or household, have different concerns. I'm not going to trust the ISP's
security mechanisms to provide my own security needs.
Honestly don’t see how IPv6 is going to change that. Over time, perhaps, some specific
extensions used out in the wild will be seen as crucially important to my enterprise or
household, and maybe those will not be blocked. But "trust me, you must accept all
these EHs"? More likely, those potential innovations will go unused and maybe will
eventually be implemented in a different way.
A well-implemented host will not be troubled by unknown extension headers or options. If
my "smart" TV isn't capable of ignoring unknown extension headers, its vendor
will have to give me my money back. I don't want my ISP or my CE router to block any
extension headers.
Security evolved as it did, over IPv4, for a reason, methinks.
There is really no difference between the story of IPv4 options and IPv6 extension
headers, except that extensibility was a sales argument for IPv6, so naturally
people have tried to use them. And it would be exactly the same for IPvN where
N>6.
Brian
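Brian's remark that a well-implemented host is not troubled by unknown extension headers or options has a concrete rule set behind it: RFC 8200 says a host discards a packet carrying an unrecognized Next Header value and sends an ICMPv6 Parameter Problem (code 1) pointing at that field, and treats an unrecognized option according to the two high-order bits of its option type. The Python below is an added example, not code from this thread or from any vendor, of a receiver applying those rules to a constructed packet; the addresses, option type values and the Next Header value 253 in the checks are constructed inputs, not real traffic.

```python
import socket
import struct
UPPER_LAYER = {6, 17, 58}                     # TCP, UDP, ICMPv6: hand the rest to the transport
PARAM_PROBLEM_NH, PARAM_PROBLEM_OPT = 1, 2    # ICMPv6 Parameter Problem codes (RFC 4443)
def ipv6_packet(next_header, payload, dst="2001:db8::2"):
    """Constructed test input: a 40-byte IPv6 fixed header followed by payload."""
    src_b = socket.inet_pton(socket.AF_INET6, "2001:db8::1")
    dst_b = socket.inet_pton(socket.AF_INET6, dst)
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src_b + dst_b + payload

def process_options(opts, dst_is_multicast):
    """RFC 8200 section 4.2: the two high-order bits of an unknown option type say what to do."""
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                                # Pad1 has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            return "discard"                      # malformed TLV: drop the packet, do not crash
        i += 2 + opts[i + 1]
        action = t >> 6
        if t == 1 or action == 0:                 # PadN, or "skip and keep processing"
            continue
        if action == 1:                           # discard silently
            return "discard"
        if action == 2 or not dst_is_multicast:   # discard and tell the sender
            return "discard+icmp%d" % PARAM_PROBLEM_OPT
        return "discard"                          # action 3 to a multicast address: no ICMP
    return "ok"

def receive(pkt):
    """Walk the extension-header chain as a robust host: drop what is unknown, never raise."""
    payload_len, nh = struct.unpack_from("!HB", pkt, 4)
    off, end, nh_off = 40, min(40 + payload_len, len(pkt)), 6
    while nh not in UPPER_LAYER:
        if nh not in (0, 60, 43, 44, 51):          # unrecognized Next Header value
            return "discard+icmp%d" % PARAM_PROBLEM_NH, nh_off   # pointer to that field
        if off + 2 > end:                          # truncated extension header
            return "discard", off
        hlen = {44: 8, 51: (pkt[off + 1] + 2) * 4}.get(nh, (pkt[off + 1] + 1) * 8)
        if off + hlen > end:                       # header length runs past the packet
            return "discard", off
        if nh in (0, 60):                          # Hop-by-Hop and Destination Options
            verdict = process_options(pkt[off + 2:off + hlen], pkt[24] == 0xFF)  # ff00::/8
            if verdict != "ok":
                return verdict, off
        nh, nh_off = pkt[off], off                 # chain to the next header
        off += hlen
    return "deliver", nh
```

The verdict strings are the decision a host would take; a real stack would send the ICMPv6 message and count the drop rather than return a string.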
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec