Re: [OPSEC] [IPv6] [v6ops] [EXTERNAL] Re: Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Fri, 26 May 2023 08:04:48 -0700 


On 25/5/23 23:13, Brian E Carpenter wrote:
[....]



It's perfectly fine if a host chooses to block incoming packets for any 
reason whatever, including unknown extension headers. That's quite 
consistent with the *network* allowing permissionless innovation.



The problem arises when any upstream intermediate node drops a packet 
because it doesn't like it for some reason. There, you immediately 
create the tussle between transparency and security, and I strore is no universal way of avoiding that tussle. Not 
every new feature has backing from Google.


Since you mention Google... rumor has it that they block EHs. :-)




The ISP has its own concerns, to protect its network, but I, in my 
enterprise or household, have different concerns. I'm not going to 
trust the ISP's security mechanisms to provide my own security needs.



Honestly don’t see how IPv6 is going to change that. Over time, 
perhaps, some specific extensions used out in the wild will be seen as 
crucially important to my enterprise or household, and maybe those 
will not be blocked. But "trust me, you must accept all these EHs"? 
More likely, those potential innovations will go unused and maybe will 
eventually be implemented in a different way.



A well-implemented host will not be troubled by unkown extension headers 
or options.



Search for IPv6-related CVE's, and you'll probably find that the vast 
majority of them are associated with EHs.



IPv4 options were already a issue at the time -- and it just became much 
worse with EHs.




If my "smart" TV isn't capable of ignoring unkown extension 
headers, its vendor will have to give me my money back. I don't want my 
ISP or my CE router to block any extension header.


You might care. How many other would care?





Security evolved as it did, over IPv4, for a reason, methinks.



There is really no difference between the story of IPv4 options and IPv6 
extension headers, except that extensibility was a sales argument for 
IPv6, so naturally people have tried to use them. 



The sales argument also argued that the packet structure led to improved 
packet processing performance. -- which has not been well connected with 
reality, though! :-)


Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec





























					Reply via email to