On Thu, May 18, 2023 at 11:15 AM David Farmer
<farmer=40umn....@dmarc.ietf.org> wrote:
> Most people want some level of reasonable security for both their home and 
> for their Internet connection as well. The question is blocking or allowing 
> IPv6 extension headers reasonable security? That’s not an easy question to 
> answer.
>
> In my opinion, allowing all possible extension headers is more akin to living 
> in the country with your doors unlocked. While on the other hand blocking all 
> possible extension headers seems like more than the dead bolt locks security 
> level I have for my home.
>
> So, I’m not really happy with the all or nothing approach the two of you seem 
> to be offering for IPv6 extension headers, is there something in between? If 
> not, then maybe that is what we need to be working towards.

I think EHs are almost the same from the filtering PoV as any other L4
protocol. Would I allow all of them? Probably no (unless my policy for
the given device or network is "permit any any"). Would I allow one I
need? Most likely yes.
If an EH is dropped it means either that EH is not used in this
network, or it's used, something gets broken but nobody has complained yet.
So we need to make a use case for EH, make it attractive enough and
make the failure mode unpleasant enough for users to complain.

-- 
SY, Jen Linkova aka Furry

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
