This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[ipv6-wg] [v6ops] Extension Headers / Impact on Security Devices
Tore Anderson
tore at fud.no
Wed Jun 17 21:12:18 CEST 2015
Hi Enno,

* Enno Rey

> On Wed, Jun 17, 2015 at 08:18:09PM +0200, Tore Anderson wrote:
> > First, your customers might have a perfectly valid reason to send or
> > receive IPv6 headers with IPv6 extension header chains you
> > apparently will drop at your border. FWIW, if I found out that my
> > upstream arbitrarily dropped packets because they found them
> > "interesting", breaking my applications
>
> that brings us directly to the core of the debate: break "exactly
> which application?"

Well, ESP at least. And, by extension, any protocol that might be carried inside ESP, so pretty much all of them.

> Taking into account that stateless ACLs of all router vendors we
> tested (results tb published soon) can be avoided/evaded by adding ~5
> extension headers to datagrams I fully understand any operator who
> does not want SSH on its devices to be reachable from the Internet
> (over v6 with extension headers) and hence acts in a way similar to
> the one Steinar described.

There is a big difference between an operator dropping all packets with EHs that are destined for *his own devices/routers* (I have no problem with that - your devices, your rules), and an operator that drops *transit* traffic destined for his customers because his routers cannot understand/parse/filter its L4/EH payload. In my opinion, an ISP/IP transit network shouldn't even attempt to parse the L4/EH payload in customer traffic (except if the customer asks for it of course), it should just deliver the packets.

> I doubt Steinar loses many customers (due to "application breakage")
> by taking that path. On the contrary, I expect many of his customers
> to value the increased level of device & network availability gained
> by eliminating an entire class of attacks.

The first operator I mentioned above won't lose any customers because his filtering activities don't impact customer traffic. The second operator would lose my business, at least. And probably others' too, as business customers might want their site2site IPSEC tunnels to work, residential customers might want their Xbox One online gaming to work, and so on.

Tore
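An added example, not part of the thread: a small Python walker over an IPv6 extension header chain. It shows why a filter that only reads the fixed header's Next Header field sees HOPOPT rather than the real upper-layer protocol (ESP in the constructed packet below), and how a device-local policy can bound chain depth instead of guessing. The packet builder and the `max_ext` limit are assumptions for illustration.

```python
import struct

# Extension headers that carry a (next_header, hdr_ext_len) prefix per RFC 8200 / RFC 4302.
EXT_HEADERS = {0: "HOPOPT", 43: "ROUTE", 44: "FRAG", 51: "AH", 60: "DSTOPTS", 135: "MOBILITY"}
ESP = 50  # ESP is the upper layer here: its contents cannot be parsed further.


def walk_ipv6_chain(pkt: bytes, max_ext: int = 8):
    """Return (chain_names, upper_layer_proto, upper_layer_offset) for an IPv6 packet.

    Raises ValueError on a truncated chain or one longer than max_ext (assumed policy knob).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(chain) >= max_ext:
            raise ValueError(f"extension header chain longer than {max_ext}")
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(EXT_HEADERS[nh])
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == 44:            # Fragment header: fixed 8 bytes
            hlen = 8
        elif nh == 51:          # AH: length field counts 32-bit words minus 2
            hlen = (ext_len + 2) * 4
        else:                   # Other EHs: length in 8-octet units, not counting the first
            hlen = (ext_len + 1) * 8
        off += hlen
        nh = next_nh
    return chain, nh, off


def build_sample(ext_types, upper_proto, payload=b"\x00" * 8) -> bytes:
    """Constructed sample: IPv6 header, then 8-byte extension headers (PadN filled), then payload."""
    chain = list(ext_types) + [upper_proto]
    body = b""
    for i in range(len(ext_types)):
        # next header, hdr_ext_len=0 (8 bytes total), PadN option (type 1, len 4) + 4 zero bytes
        body += bytes([chain[i + 1], 0]) + b"\x01\x04\x00\x00\x00\x00"
    body += payload
    fixed = struct.pack("!IHBB", 0x60000000, len(body), chain[0], 64) + b"\x00" * 32
    return fixed + body


if __name__ == "__main__":
    pkt = build_sample([0, 60], ESP)
    print("fixed-header Next Header:", pkt[6])        # 0 = HOPOPT, not the real protocol
    print("after walking the chain:", walk_ipv6_chain(pkt))
```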