On Mon, May 22, 2023 at 4:29 AM Andrew Campling <andrew.campling@419.consulting> wrote:
>
> On 21-May-23 10:29 PM, Brian E Carpenter wrote:
>
> > And there's the problem. The operator of a large network cannot possibly
> > know which extension headers every host on the network needs. It's called
> > permissionless innovation, and is supposed to be one of the main success
> > factors for the Internet.
>
> I think the problem with this approach, which I'm interpreting as "allow
> everything", is that people responsible for the security of public, and
> especially private, networks need to consider whether any such innovations
> might introduce new vulnerabilities. Remember that, for example, CISOs
> looking after the security of some enterprises may fall foul of regulatory
> obligations if they cannot show that their networks are as secure as is
> practical.
>
> More generally, anyone operating zero trust principles would surely only
> allow those features that they deem necessary, selected extension headers in
> this case. This would seem consistent with the point that Fernando made
> earlier in the thread.
>

Andrew,

Enterprises are private networks and can enforce whatever security policies they want. The problem is in public networks where the service provider acts as "anonymous big brother" to enforce its concept of security to "protect" the users. While I'm sure they'd like us to think that they are acting for the benefit of the users and it's for the "good of the Internet", the reality is that having a patchwork of random security policies across the Internet is counterproductive, and, frankly, some of these policies are driven more by localized business interests rather than the users' best interests.

As a host and networking stack developer, I view the network and these arbitrary inconsistent security policies as the problem, not as the solution to application and host security. The best tool developers have is to encrypt as much of the packet as possible to keep network providers from meddling in protocol layers they shouldn't be, but unfortunately that isn't applicable to all protocols like EH for instance (although, given that IPsec was on Fernando's approved list of extension headers, I suppose we could hide all the extension headers we want in IPsec :-) )

Tom

> Andrew
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> i...@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
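Both points in the exchange above, Andrew's "allow only the extension headers you deem necessary" and Tom's remark that anything carried inside IPsec is invisible to the network, can be made concrete with a small IPv6 header-chain walker that applies an allow-list. The code below is an added example written for this thread; it is not code from either poster, from Fernando's list, or from any IETF document. The particular allow-list, the packet builder and the sample packets are constructed for illustration, and only the fixed-format headers (Hop-by-Hop, Routing, Destination Options, Fragment, AH, ESP, Mobility) are handled.

```python
"""Walk an IPv6 extension-header chain and apply an allow-list policy (added example)."""
from __future__ import annotations
import struct

# IANA protocol numbers used as IPv6 Next Header values
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135

VARIABLE_LEN_EH = {HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY}   # length = (hdr_ext_len + 1) * 8
FIXED_8_EH = {FRAGMENT}                                         # always 8 bytes
EXTENSION_HEADERS = VARIABLE_LEN_EH | FIXED_8_EH | {AH, ESP}    # AH: (payload_len + 2) * 4
IPV6_HEADER_LEN = 40


def walk_header_chain(packet: bytes) -> list[int]:
    """Return the extension header types in chain order.

    The walk stops at ESP: everything after the SPI/sequence fields is encrypted,
    so a middlebox cannot see which headers (if any) follow. Raises ValueError on
    a truncated or malformed chain so callers can treat it as a parse failure.
    """
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], IPV6_HEADER_LEN, []
    while next_header in EXTENSION_HEADERS:
        chain.append(next_header)
        if next_header == ESP:
            break  # opaque from here on
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        nh, hdr_ext_len = packet[offset], packet[offset + 1]
        if next_header in VARIABLE_LEN_EH:
            length = (hdr_ext_len + 1) * 8
        elif next_header == FRAGMENT:
            length = 8
        else:  # AH encodes its length in 32-bit words minus 2
            length = (hdr_ext_len + 2) * 4
        offset += length
        if offset > len(packet):
            raise ValueError("extension header runs past end of packet")
        next_header = nh
    return chain


def apply_policy(packet: bytes, allowed: set[int]) -> tuple[str, list[int]]:
    """Return ("permit", chain) or ("drop", offending headers) for an allow-list policy.

    A chain that cannot be parsed is dropped as well; a filter that cannot find
    the upper-layer header has no basis for a permit decision.
    """
    try:
        chain = walk_header_chain(packet)
    except ValueError:
        return "drop", []
    disallowed = [h for h in chain if h not in allowed]
    return ("drop", disallowed) if disallowed else ("permit", chain)


def build_ipv6(ext_headers: list[int], upper_layer: int = 6) -> bytes:
    """Construct a minimal IPv6 packet carrying the given chain (constructed test data).

    ESP, if present, must be last: the headers after it would be inside the ciphertext.
    """
    successors = ext_headers[1:] + [upper_layer]
    pieces = []
    for eh, nxt in zip(ext_headers, successors):
        if eh in VARIABLE_LEN_EH:
            pieces.append(bytes([nxt, 0]) + b"\x01\x04\x00\x00\x00\x00")     # one PadN option
        elif eh == FRAGMENT:
            pieces.append(bytes([nxt, 0]) + b"\x00\x00" + b"\x00\x00\x00\x01")  # offset 0, id 1
        elif eh == AH:
            pieces.append(bytes([nxt, 2]) + b"\x00" * 14)                     # 16-byte AH
        elif eh == ESP:
            pieces.append(b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 8)  # SPI, seq, ciphertext
    ext = b"".join(pieces)
    first = ext_headers[0] if ext_headers else upper_layer
    src, dst = b"\x00" * 15 + b"\x01", b"\x00" * 15 + b"\x02"  # ::1 -> ::2, constructed
    return struct.pack("!IHBB16s16s", 0x60000000, len(ext), first, 64, src, dst) + ext


if __name__ == "__main__":
    # Constructed policy in the spirit of "selected extension headers only"
    policy = {FRAGMENT, AH, ESP, DEST_OPTS}
    for label, pkt in [("hbh+dstopts", build_ipv6([HOP_BY_HOP, DEST_OPTS])),
                       ("frag+esp", build_ipv6([FRAGMENT, ESP])),
                       ("ah only", build_ipv6([AH], upper_layer=17))]:
        print(label, apply_policy(pkt, policy))
    print("truncated", apply_policy(build_ipv6([HOP_BY_HOP, DEST_OPTS])[:44], policy))
```

The walker returning after ESP is the practical content of Tom's aside: once ESP is on the allow-list, a chain-based filter can only reason about the headers in front of it, so the policy is really "these headers in the clear, plus whatever the endpoints agree to carry encrypted".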