draft-ietf-6man-deprecate-atomfrag-generation-06.txt   draft-ietf-6man-deprecate-atomfrag-generation-07.txt 
IPv6 maintenance Working Group (6man) F. Gont IPv6 maintenance Working Group (6man) F. Gont
Internet-Draft SI6 Networks / UTN-FRH Internet-Draft SI6 Networks / UTN-FRH
Intended status: Informational W. Liu Intended status: Informational W. Liu
Expires: October 6, 2016 Huawei Technologies Expires: January 18, 2017 Huawei Technologies
T. Anderson T. Anderson
Redpill Linpro Redpill Linpro
April 4, 2016 July 17, 2016
Generation of IPv6 Atomic Fragments Considered Harmful Generation of IPv6 Atomic Fragments Considered Harmful
draft-ietf-6man-deprecate-atomfrag-generation-06 draft-ietf-6man-deprecate-atomfrag-generation-07
Abstract Abstract
This document discusses the security implications of the generation This document discusses the security implications of the generation
of IPv6 atomic fragments and a number of interoperability issues of IPv6 atomic fragments and a number of interoperability issues
associated with IPv6 atomic fragments, and concludes that the associated with IPv6 atomic fragments, and concludes that the
aforementioned functionality is undesirable, thus documenting the aforementioned functionality is undesirable, thus documenting the
motivation for removing this functionality in the revision of the motivation for removing this functionality in the revision of the
core IPv6 protocol specification. core IPv6 protocol specification.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 6, 2016. This Internet-Draft will expire on January 18, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 14 skipping to change at page 2, line 14
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Security Implications of the Generation of IPv6 Atomic 2. Security Implications of the Generation of IPv6 Atomic
Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Additional Considerations . . . . . . . . . . . . . . . . . . 4 3. Additional Considerations . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . 7 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . 7 8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Small Survey of OSes that Fail to Produce IPv6 Appendix A. Small Survey of OSes that Fail to Produce IPv6
Atomic Fragments . . . . . . . . . . . . . . . . . . 9 Atomic Fragments . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
[RFC2460] specifies the IPv6 fragmentation mechanism, which allows [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
IPv6 packets to be fragmented into smaller pieces such that they can IPv6 packets to be fragmented into smaller pieces such that they can
fit in the Path-MTU to the intended destination(s). fit in the Path-MTU to the intended destination(s).
Section 5 of [RFC2460] states that, when a host receives an ICMPv6 A legacy IPv4/IPv6 translator implementing the Stateless IP/ICMP
"Packet Too Big" message [RFC4443] advertising an MTU smaller than Translation algorithm [RFC6145] may legitimately generate ICMPv6
1280 bytes (the minimum IPv6 MTU), the host is not required to reduce "Packet Too Big" messages [RFC4443] advertising a "Next-Hop MTU"
the assumed Path-MTU, but must simply include a Fragment Header in smaller than 1280 (the minimum IPv6 MTU). Section 5 of [RFC2460]
all subsequent packets sent to that destination. The resulting states that, upon receiving such an ICMPv6 error message, hosts are
packets will thus *not* be actually fragmented into several pieces, not required to reduce the assumed Path-MTU, but must simply include
but rather be "atomic fragments" [RFC6946] (i.e., just include a a Fragment Header in all subsequent packets sent to that destination.
Fragment Header with both the "Fragment Offset" and the "M" flag set The resulting packets will thus *not* be actually fragmented into
to 0). [RFC6946] requires that these atomic fragments be essentially several pieces, but rather be "atomic fragments" [RFC6946] (i.e.,
processed by the destination host as non-fragmented traffic (since just include a Fragment Header with both the "Fragment Offset" and
there are not really any fragments to be reassembled). The goal of the "M" flag set to 0). [RFC6946] requires that these atomic
these atomic fragments is simply to convey an appropriate fragments be essentially processed by the destination host as non-
Identification value to be employed by IPv6/IPv4 translators for the fragmented traffic (since there are not really any fragments to be
resulting IPv4 fragments. reassembled). The goal of these atomic fragments is simply to convey
an appropriate Identification value to be employed by IPv6/IPv4
translators for the resulting IPv4 fragments.
While atomic fragments might seem rather benign, there are scenarios While atomic fragments might seem rather benign, there are scenarios
in which the generation of IPv6 atomic fragments can be leveraged for in which the generation of IPv6 atomic fragments can be leveraged for
performing a number of attacks against the corresponding IPv6 flows. performing a number of attacks against the corresponding IPv6 flows.
Since there are concrete security implications arising from the Since there are concrete security implications arising from the
generation of IPv6 atomic fragments, and there is no real gain in generation of IPv6 atomic fragments, and there is no real gain in
generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4
translators generate a Fragment Identification value themselves), we translators generate a Fragment Identification value themselves), we
conclude that this functionality is undesirable. conclude that this functionality is undesirable.
Section 2 briefly discusses the security implications of the Section 2 briefly discusses the security implications of the
generation of IPv6 atomic fragments, and describes a specific Denial generation of IPv6 atomic fragments, and describes a specific Denial
of Service (DoS) attack vector that leverages the widespread of Service (DoS) attack vector that leverages the widespread
filtering of IPv6 fragments in the public Internet. Section 3 filtering of IPv6 fragments in the public Internet. Section 3
skipping to change at page 3, line 27 skipping to change at page 3, line 31
length in [RFC6274] and [RFC7739]. An attacker can leverage the length in [RFC6274] and [RFC7739]. An attacker can leverage the
generation of IPv6 atomic fragments to trigger the use of generation of IPv6 atomic fragments to trigger the use of
fragmentation in an arbitrary IPv6 flow and subsequently perform any fragmentation in an arbitrary IPv6 flow and subsequently perform any
fragmentation-based attack against legacy IPv6 nodes that do not fragmentation-based attack against legacy IPv6 nodes that do not
implement [RFC6946]. implement [RFC6946].
Unfortunately, even nodes that already implement [RFC6946] can be Unfortunately, even nodes that already implement [RFC6946] can be
subject to DoS attacks as a result of the generation of IPv6 atomic subject to DoS attacks as a result of the generation of IPv6 atomic
fragments. Let us assume that Host A is communicating with Server B, fragments. Let us assume that Host A is communicating with Server B,
and that, as a result of the widespread dropping of IPv6 packets that and that, as a result of the widespread dropping of IPv6 packets that
contain extension headers (including fragmentation) contain extension headers (including fragmentation) [RFC7872], some
[I-D.ietf-v6ops-ipv6-ehs-in-real-world], some intermediate node intermediate node filters fragments between Host A and Server B. If
filters fragments between Host A and Server B. If an attacker sends an attacker sends a forged ICMPv6 "Packet Too Big" (PTB) error
a forged ICMPv6 "Packet Too Big" (PTB) error message to server B, message to server B, reporting an MTU smaller than 1280, this will
reporting an MTU smaller than 1280, this will trigger the generation trigger the generation of IPv6 atomic fragments from that moment on
of IPv6 atomic fragments from that moment on (as required by (as required by [RFC2460]). When server B starts sending IPv6 atomic
[RFC2460]). When server B starts sending IPv6 atomic fragments (in fragments (in response to the received ICMPv6 PTB), these packets
response to the received ICMPv6 PTB), these packets will be dropped, will be dropped, since we previously noted that IPv6 packets with
since we previously noted that IPv6 packets with extension headers extension headers were being dropped between Host A and Server B.
were being dropped between Host A and Server B. Thus, this situation Thus, this situation will result in a Denial of Service (DoS)
will result in a Denial of Service (DoS) scenario. scenario.
Another possible scenario is that in which two BGP peers are Another possible scenario is that in which two BGP peers are
employing IPv6 transport, and they implement Access Control Lists employing IPv6 transport, and they implement Access Control Lists
(ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If
the aforementioned BGP peers drop IPv6 fragments but still honor the aforementioned BGP peers drop IPv6 fragments but still honor
received ICMPv6 Packet Too Big error messages, an attacker could received ICMPv6 Packet Too Big error messages, an attacker could
easily attack the peering session by simply sending an ICMPv6 PTB easily attack the peering session by simply sending an ICMPv6 PTB
message with a reported MTU smaller than 1280 bytes. Once the attack message with a reported MTU smaller than 1280 bytes. Once the attack
packet has been sent, it will be the aforementioned routers packet has been sent, the aforementioned routers will themselves be
themselves the ones dropping their own traffic. the ones dropping their own traffic.
The aforementioned attack vector is exacerbated by the following The aforementioned attack vector is exacerbated by the following
factors: factors:
o The attacker does not need to forge the IPv6 Source Address of his o The attacker does not need to forge the IPv6 Source Address of his
attack packets. Hence, deployment of simple BCP38 filters will attack packets. Hence, deployment of simple BCP38 filters will
not help as a counter-measure. not help as a counter-measure.
o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
payload needs to be forged. While one could envision filtering payload needs to be forged. While one could envision filtering
skipping to change at page 4, line 33 skipping to change at page 4, line 36
headers, the ICMPv6 payload might not even contain any useful headers, the ICMPv6 payload might not even contain any useful
information on which to perform validation checks. information on which to perform validation checks.
o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big" o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big"
error messages, the Destination Cache [RFC4861] is usually updated error messages, the Destination Cache [RFC4861] is usually updated
to reflect that any subsequent packets to such destination should to reflect that any subsequent packets to such destination should
include a Fragment Header. This means that a single ICMPv6 include a Fragment Header. This means that a single ICMPv6
"Packet Too Big" error message might affect multiple communication "Packet Too Big" error message might affect multiple communication
instances (e.g., TCP connections) with such destination. instances (e.g., TCP connections) with such destination.
o As noted in Section 3, SIIT [RFC6145] (including derivative o As noted in Section 3, SIIT (Stateless IP/ICMP Translation
protocols such as Stateful NAT64 [RFC6146]) is the only technology Algorithm) [RFC6145], including derivative protocols such as
which currently makes use of atomic fragments. Unfortunately, an Stateful NAT64 [RFC6146], was the only technology making use of
IPv6 node cannot easily limit its exposure to the aforementioned atomic fragments. Unfortunately, an IPv6 node cannot easily limit
attack vector by only generating IPv6 atomic fragments towards its exposure to the aforementioned attack vector by only
IPv4 destinations behind a stateless translator. This is due to generating IPv6 atomic fragments towards IPv4 destinations behind
the fact that Section 3.3 of [RFC6052] encourages operators to use a stateless translator. This is due to the fact that Section 3.3
a Network-Specific Prefix (NSP) that maps the IPv4 address space of [RFC6052] encourages operators to use a Network-Specific Prefix
into IPv6. When an NSP is being used, IPv6 addresses representing (NSP) that maps the IPv4 address space into IPv6. When an NSP is
IPv4 nodes (reached through a stateless translator) are being used, IPv6 addresses representing IPv4 nodes (reached
indistinguishable from native IPv6 addresses. through a stateless translator) are indistinguishable from native
IPv6 addresses.
3. Additional Considerations 3. Additional Considerations
Besides the security assessment provided in Section 2, it is Besides the security assessment provided in Section 2, it is
interesting to evaluate the pros and cons of having an IPv6-to-IPv4 interesting to evaluate the pros and cons of having an IPv6-to-IPv4
translating router rely on the generation of IPv6 atomic fragments. translating router rely on the generation of IPv6 atomic fragments.
Relying on the generation of IPv6 atomic fragments implies a reliance Relying on the generation of IPv6 atomic fragments implies a reliance
on: on:
skipping to change at page 5, line 38 skipping to change at page 5, line 47
of [RFC6145] note that 57% of the tested web servers failed to of [RFC6145] note that 57% of the tested web servers failed to
produce IPv6 atomic fragments in response to ICMPv6 PTB messages produce IPv6 atomic fragments in response to ICMPv6 PTB messages
reporting an MTU smaller than 1280 bytes. Thus, any protocol reporting an MTU smaller than 1280 bytes. Thus, any protocol
relying on IPv6 atomic fragment generation for proper functioning relying on IPv6 atomic fragment generation for proper functioning
will have interoperability problems with the aforementioned IPv6 will have interoperability problems with the aforementioned IPv6
stacks. stacks.
3. IPv6 atomic fragment generation represents a case in which 3. IPv6 atomic fragment generation represents a case in which
fragmented traffic is produced where otherwise it would not be fragmented traffic is produced where otherwise it would not be
needed. Since there is widespread filtering of IPv6 fragments in needed. Since there is widespread filtering of IPv6 fragments in
the public Internet [I-D.ietf-v6ops-ipv6-ehs-in-real-world], this the public Internet [RFC7872], this would mean that the
would mean that the (unnecessary) use of IPv6 fragmentation might (unnecessary) use of IPv6 fragmentation might result,
result, unnecessarily, in a Denial of Service situation even in unnecessarily, in a Denial of Service situation even in
legitimate cases. legitimate cases.
4. The packet-handling API at the node where the translator is 4. The packet-handling API at the node where the translator is
running may obscure fragmentation-related information. In such running may obscure fragmentation-related information. In such
scenarios, the information conveyed by the Fragment Header may be scenarios, the information conveyed by the Fragment Header may be
unavailable to the translator. [JOOL] discusses a sample unavailable to the translator. [JOOL] discusses a sample
framework (Linux Netfilter) that hinders access to the framework (Linux Netfilter) that hinders access to the
information conveyed in IPv6 atomic fragments. information conveyed in IPv6 atomic fragments.
We note that SIIT essentially employs the Fragment Header of IPv6 We note that SIIT essentially employs the Fragment Header of IPv6
atomic fragments to signal the translator how to set the DF bit of atomic fragments to signal the translator how to set the DF bit of
IPv4 datagrams (the DF bit is cleared when the IPv6 packet contains a IPv4 datagrams (the DF bit is cleared when the IPv6 packet contains a
Fragment Header, and is otherwise set to 1 when the IPv6 packet does Fragment Header, and is otherwise set to 1 when the IPv6 packet does
not contain an IPv6 Fragment Header). Additionally, the translator not contain an IPv6 Fragment Header). Additionally, the translator
will employ the low-order 16-bits of the IPv6 Fragment Identification will employ the low-order 16-bits of the IPv6 Fragment Identification
for setting the IPv4 Fragment Identification. At least in theory, for setting the IPv4 Fragment Identification. At least in theory,
this is expected to reduce the IPv4 Identification collision rate in this is expected to reduce the IPv4 Identification collision rate in
the following specific scenario: the following specific scenario:
1. An IPv6 node communicates with an IPv4 node (through SIIT) 1. An IPv6 node communicates with an IPv4 node (through SIIT).
2. The IPv4 node is located behind an IPv4 link with an MTU smaller 2. The IPv4 node is located behind an IPv4 link with an MTU smaller
than 1260 bytes than 1260 bytes. An IPv4 Path MTU of 1260 corresponds to an IPv6
Path MTU of 1280, due to an option-less IPv4 header being 20
bytes shorter than the IPv6 header.
3. ECMP routing [RFC2992] with more than one translator is employed 3. ECMP routing [RFC2992] with more than one translator is employed
for e.g., redundancy purposes for e.g., redundancy purposes.
In such a scenario, if each translator were to select the IPv4 In such a scenario, if each translator were to select the IPv4
Identification on its own (rather than selecting the IPv4 Identification on its own (rather than selecting the IPv4
Identification from the low-order 16-bits of the Fragment Identification from the low-order 16-bits of the Fragment
Identification of IPv6 atomic fragments), this could possibly lead to Identification of IPv6 atomic fragments), this could possibly lead to
IPv4 Identification collisions. However, since a number of IPv4 Identification collisions. However, since a number of
implementations set the IPv6 Fragment Identification according to the implementations set the IPv6 Fragment Identification according to the
output of a Pseudo-Random Number Generator (PRNG) (see Appendix B of output of a Pseudo-Random Number Generator (PRNG) (see Appendix B of
[RFC7739]) and the translator only employs the low-order 16-bits of [RFC7739]) and the translator only employs the low-order 16-bits of
such value, it is very unlikely that relying on the Fragment such value, it is very unlikely that relying on the Fragment
Identification of the IPv6 atomic fragment will result in a reduced Identification of the IPv6 atomic fragment will result in a reduced
IPv4 Identification collision rate (when compared to the case where IPv4 Identification collision rate (when compared to the case where
the translator selects each IPv4 Identification on its own). the translator selects each IPv4 Identification on its own).
Besides, because of the limited sized of the IPv4 identification
field, it is nevertheless virtually impossible to guarantee
uniqueness of the IPv4 identification values without artificially
limiting the data rate of fragmented traffic [RFC6864] [RFC4963].
Finally, we note that [RFC6145] is currently the only "consumer" of [RFC6145] was the only "consumer" of IPv6 atomic fragments, and it
IPv6 atomic fragments, and it correctly and diligently notes (in correctly and diligently noted (in Section 6) the possible
Section 6) the possible interoperability problems of relying on IPv6 interoperability problems of relying on IPv6 atomic fragments,
atomic fragments, proposing as a workaround that leads to more robust proposing a workaround that led to more robust behavior and
behavior and simplified code. simplified code. [RFC6145] has been obsoleted by [RFC7915], such
that SIIT does not rely on IPv6 atomic fragments.
4. IANA Considerations Finally, we believe that IPv4 links with an MTU smaller than 1260
bytes are very uncommonly found in the modern Internet. At the same
time, we note that the sole purpose of IPv6 atomic fragments is to
make such links compatible with IPv4/IPv6 translation. We surmise,
therefore, that IPv6 atomic fragments are useful in only a minuscule
number of "real world" situations.
4. Conclusions
Taking all of the above considerations into account, we recommend
that IPv6 atomic fragments be deprecated.
In particular:
o IPv4/IPv6 translators should be updated to not generate ICMPv6
Packet Too Big errors containing a Path MTU value smaller than the
minimum IPv6 MTU of 1280 bytes. This will ensure that current
IPv6 nodes will never have a legitimate need to start generating
IPv6 atomic fragments.
o The recommendation in the previous bullet ensures there no longer
are any valid reasons for ICMPv6 Packet Too Big errors containing
a Path MTU value smaller than the minimum IPv6 MTU to exist. IPv6
nodes should therefore be updated to ignore them as invalid.
We note that these recommendations have been incorporated in
[I-D.ietf-6man-rfc1981bis], [I-D.ietf-6man-rfc2460bis] and [RFC7915].
5. IANA Considerations
There are no IANA registries within this document. There are no IANA registries within this document.
5. Security Considerations 6. Security Considerations
This document briefly discusses the security implications of the This document briefly discusses the security implications of the
generation of IPv6 atomic fragments, and describes a specific Denial generation of IPv6 atomic fragments, and describes a specific Denial
of Service (DoS) attack vector that leverages the widespread of Service (DoS) attack vector that leverages the widespread
filtering of IPv6 fragments in the public Internet. It concludes filtering of IPv6 fragments in the public Internet. It concludes
that the generation of IPv6 atomic fragments is an undesirable that the generation of IPv6 atomic fragments is an undesirable
feature, and documents the motivation for removing this functionality feature, and documents the motivation for removing this functionality
from [I-D.ietf-6man-rfc2460bis]. from [I-D.ietf-6man-rfc2460bis].
6. Acknowledgements 7. Acknowledgements
The authors would like to thank (in alphabetical order) Congxiao Bao, The authors would like to thank (in alphabetical order) Congxiao Bao,
Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Bob Hinden, Alberto Carlos Jesus Bernardos Cano, Bob Briscoe, Brian Carpenter, Tatuya
Leiva, Xing Li, Jeroen Massar, Erik Nordmark, Qiong Sun, Ole Troan, Jinmei, Bob Hinden, Alberto Leiva, Ted Lemon, Xing Li, Jeroen Massar,
and Tina Tsou, for providing valuable comments on earlier versions of Erik Nordmark, Qiong Sun, Ole Troan, Tina Tsou, and Bernie Volz, for
this document. providing valuable comments on earlier versions of this document.
Fernando Gont would like to thank Jan Zorz / Go6 Lab Fernando Gont would like to thank Jan Zorz / Go6 Lab
<http://go6lab.si/>, and Jared Mauch / NTT America, for providing <http://go6lab.si/>, and Jared Mauch / NTT America, for providing
access to systems and networks that were employed to produce some of access to systems and networks that were employed to produce some of
tests that resulted in the publication of this document. the tests that resulted in the publication of this document.
Additionally, he would like to thank SixXS <https://www.sixxs.net> Additionally, he would like to thank SixXS <https://www.sixxs.net>
for providing IPv6 connectivity. for providing IPv6 connectivity.
7. References 8. References
7.1. Normative References 8.1. Normative References
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <http://www.rfc-editor.org/info/rfc2460>. December 1998, <http://www.rfc-editor.org/info/rfc2460>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", RFC 4443, Protocol Version 6 (IPv6) Specification", RFC 4443,
DOI 10.17487/RFC4443, March 2006, DOI 10.17487/RFC4443, March 2006,
<http://www.rfc-editor.org/info/rfc4443>. <http://www.rfc-editor.org/info/rfc4443>.
skipping to change at page 7, line 47 skipping to change at page 8, line 47
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
DOI 10.17487/RFC4861, September 2007, DOI 10.17487/RFC4861, September 2007,
<http://www.rfc-editor.org/info/rfc4861>. <http://www.rfc-editor.org/info/rfc4861>.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011, Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
<http://www.rfc-editor.org/info/rfc6145>. <http://www.rfc-editor.org/info/rfc6145>.
7.2. Informative References [RFC7915] Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
"IP/ICMP Translation Algorithm", RFC 7915,
DOI 10.17487/RFC7915, June 2016,
<http://www.rfc-editor.org/info/rfc7915>.
[RFC6864] Touch, J., "Updated Specification of the IPv4 ID Field",
RFC 6864, DOI 10.17487/RFC6864, February 2013,
<http://www.rfc-editor.org/info/rfc6864>.
8.2. Informative References
[RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000,
<http://www.rfc-editor.org/info/rfc2992>. <http://www.rfc-editor.org/info/rfc2992>.
[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
DOI 10.17487/RFC5927, July 2010, DOI 10.17487/RFC5927, July 2010,
<http://www.rfc-editor.org/info/rfc5927>. <http://www.rfc-editor.org/info/rfc5927>.
[RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
Errors at High Data Rates", RFC 4963,
DOI 10.17487/RFC4963, July 2007,
<http://www.rfc-editor.org/info/rfc4963>.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
DOI 10.17487/RFC6052, October 2010, DOI 10.17487/RFC6052, October 2010,
<http://www.rfc-editor.org/info/rfc6052>. <http://www.rfc-editor.org/info/rfc6052>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6 NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <http://www.rfc-editor.org/info/rfc6146>. April 2011, <http://www.rfc-editor.org/info/rfc6146>.
skipping to change at page 8, line 31 skipping to change at page 9, line 46
<http://www.rfc-editor.org/info/rfc6274>. <http://www.rfc-editor.org/info/rfc6274>.
[RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments",
RFC 6946, DOI 10.17487/RFC6946, May 2013, RFC 6946, DOI 10.17487/RFC6946, May 2013,
<http://www.rfc-editor.org/info/rfc6946>. <http://www.rfc-editor.org/info/rfc6946>.
[RFC7739] Gont, F., "Security Implications of Predictable Fragment [RFC7739] Gont, F., "Security Implications of Predictable Fragment
Identification Values", RFC 7739, DOI 10.17487/RFC7739, Identification Values", RFC 7739, DOI 10.17487/RFC7739,
February 2016, <http://www.rfc-editor.org/info/rfc7739>. February 2016, <http://www.rfc-editor.org/info/rfc7739>.
[I-D.ietf-v6ops-ipv6-ehs-in-real-world] [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu,
Gont, F., Linkova, J., Chown, T., and S. LIU,
"Observations on the Dropping of Packets with IPv6 "Observations on the Dropping of Packets with IPv6
Extension Headers in the Real World", draft-ietf-v6ops- Extension Headers in the Real World", RFC 7872,
ipv6-ehs-in-real-world-02 (work in progress), December DOI 10.17487/RFC7872, June 2016,
2015. <http://www.rfc-editor.org/info/rfc7872>.
[I-D.ietf-6man-rfc2460bis] [I-D.ietf-6man-rfc2460bis]
Deering, S. and B. Hinden, "Internet Protocol, Version 6 Deering, D. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", draft-ietf-6man-rfc2460bis-04 (work (IPv6) Specification", draft-ietf-6man-rfc2460bis-05 (work
in progress), March 2016. in progress), June 2016.
[I-D.ietf-6man-rfc1981bis]
<>, J., <>, S., <>, J., and R. Hinden, "Path MTU Discovery
for IP version 6", draft-ietf-6man-rfc1981bis-02 (work in
progress), April 2016.
[Morbitzer] [Morbitzer]
Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis. Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis.
Thesis number: 670. Department of Computing Science, Thesis number: 670. Department of Computing Science,
Radboud University Nijmegen. August 2013, Radboud University Nijmegen. August 2013,
<http://www.ru.nl/publish/pages/769526/ <http://www.ru.nl/publish/pages/769526/
m_morbitzer_masterthesis.pdf>. m_morbitzer_masterthesis.pdf>.
[JOOL] Leiva Popper, A., "nf_defrag_ipv4 and nf_defrag_ipv6", [JOOL] Leiva Popper, A., "nf_defrag_ipv4 and nf_defrag_ipv6",
April 2015, <https://github.com/NICMx/Jool/wiki/ April 2015, <https://github.com/NICMx/Jool/wiki/
skipping to change at page 9, line 27 skipping to change at page 10, line 48
The following Operating Systems fail to generate IPv6 atomic The following Operating Systems fail to generate IPv6 atomic
fragments in response to ICMPv6 PTB messages that report an MTU fragments in response to ICMPv6 PTB messages that report an MTU
smaller than 1280 bytes: smaller than 1280 bytes:
o FreeBSD 8.0 o FreeBSD 8.0
o Linux kernel 2.6.32 o Linux kernel 2.6.32
o Linux kernel 3.2 o Linux kernel 3.2
o Linux kernel current
o Mac OS X 10.6.7 o Mac OS X 10.6.7
o NetBSD 5.1 o NetBSD 5.1
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
SI6 Networks / UTN-FRH SI6 Networks / UTN-FRH
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
 End of changes. 30 change blocks. 
83 lines changed or deleted 139 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/