I wonder if part of the issue here is that insufficient attention is being given to operational security matters and too much weight is given to privacy in protocol development, irrespective of the security implications (which is of course ultimately detrimental to security anyway)?
Andrew From: OPSEC <opsec-boun...@ietf.org> on behalf of Fernando Gont <fg...@si6networks.com> Sent: Thursday, May 18, 2023 2:19 pm To: David Farmer <far...@umn.edu>; Tom Herbert <tom=40herbertland....@dmarc.ietf.org> Cc: 6...@ietf.org <6...@ietf.org>; V6 Ops List <v6...@ietf.org>; opsec WG <opsec@ietf.org> Subject: Re: [OPSEC] [IPv6] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS) Hi, David, On 18/5/23 02:14, David Farmer wrote: > > > On Wed, May 17, 2023 at 13:57 Tom Herbert > <tom=40herbertland....@dmarc.ietf.org > <mailto:40herbertland....@dmarc.ietf.org>> wrote: [...] > > Maximum security is rarely the objective, I by no means have maximum > security at my home. However, I don’t live in the country where some > people still don’t even lock there doors. I live in a a city, I have > decent deadbolt locks and I use them. > [....] > > So, I’m not really happy with the all or nothing approach the two of you > seem to be offering for IPv6 extension headers, is there something in > between? If not, then maybe that is what we need to be working towards. FWIW, I[m not arguing for a blank "block all", but rather "just allow the ones you really need" -- which is a no brainer. The list you need is, maybe Frag and, say, IPsec at the global level? (from the pov of most orgs). (yeah... HbH and the like are mostly fine for the local link (e.g. MLD). Thanks, -- Fernando Gont SI6 Networks e-mail: fg...@si6networks.com PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494 _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
_______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec