draft-ietf-6man-icmp-limits-04.txt   draft-ietf-6man-icmp-limits-05.txt 
INTERNET-DRAFT T. Herbert INTERNET-DRAFT T. Herbert
Intended Status: Standard Intel Intended Status: Standard Intel
Expires: February 2020 Expires: March 2020
August 6, 2019 September 10, 2019
ICMPv6 errors for discarding packets due to processing limits ICMPv6 errors for discarding packets due to processing limits
draft-ietf-6man-icmp-limits-04 draft-ietf-6man-icmp-limits-05
Abstract Abstract
Network nodes may discard packets if they are unable to process Network nodes may discard packets if they are unable to process
protocol headers of packets due to processing constraints or limits. protocol headers of packets due to processing constraints or limits.
When such packets are dropped, the sender receives no indication so When such packets are dropped, the sender receives no indication so
it cannot take action to address the cause of discarded packets. This it cannot take action to address the cause of discarded packets. This
specification defines ICMPv6 errors that can be sent by a node that specification defines several new ICMPv6 errors that can be sent by a
discards packets because it is unable to process the protocol node that discards packets because it is unable to process the
headers. A node that receives such an ICMPv6 error may be able to protocol headers. A node that receives such an ICMPv6 error may be
modify what it sends in future packets to avoid subsequent packet able to modify what it sends in future packets to avoid subsequent
discards. packet discards.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as
Internet-Drafts. Internet-Drafts.
skipping to change at page 2, line 24 skipping to change at page 2, line 24
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Extension header limits . . . . . . . . . . . . . . . . . . 4 1.1 Extension header limits . . . . . . . . . . . . . . . . . . 4
1.2 Aggregate header limits . . . . . . . . . . . . . . . . . . 5 1.2 Aggregate header limits . . . . . . . . . . . . . . . . . . 5
2 ICMPv6 errors for extension header limits . . . . . . . . . . . 5 2 ICMPv6 errors for extension header limits . . . . . . . . . . . 5
2.1 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Unrecognized Next Header type encountered (code 1) . . . . . 6 2.2 Unrecognized Next Header type encountered (code 1) . . . . . 6
2.3 Extension header too big (code 4) . . . . . . . . . . . . . 6 2.3 Extension header too big (code TBA) . . . . . . . . . . . . 6
2.4 Extension header chain too long (code 5) . . . . . . . . . . 7 2.4 Extension header chain too long (code TBA) . . . . . . . . . 7
2.5 Too many options in extension header (code 6) . . . . . . . 7 2.5 Too many options in extension header (code TBA) . . . . . . 7
2.6 Option too big (code 7) . . . . . . . . . . . . . . . . . . 7 2.6 Option too big (code TBA) . . . . . . . . . . . . . . . . . 7
3 ICMPv6 error for aggregate header limits . . . . . . . . . . . 8 3 ICMPv6 error for aggregate header limits . . . . . . . . . . . 8
3.1 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.1 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2 Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.2 Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.1 Priority of reporting . . . . . . . . . . . . . . . . . . . 9 4.1 Priority of reporting . . . . . . . . . . . . . . . . . . . 10
4.2 Host response . . . . . . . . . . . . . . . . . . . . . . . 10 4.2 Host response . . . . . . . . . . . . . . . . . . . . . . . 10
5 Applicability and use cases . . . . . . . . . . . . . . . . . . 11 5 Applicability and use cases . . . . . . . . . . . . . . . . . . 11
5.1 Nonconformant packet discard . . . . . . . . . . . . . . . . 11 5.1 Nonconformant packet discard . . . . . . . . . . . . . . . . 11
5.2 Reliability of ICMP . . . . . . . . . . . . . . . . . . . . 11 5.2 Reliability of ICMP . . . . . . . . . . . . . . . . . . . . 12
5.3 Processing limits . . . . . . . . . . . . . . . . . . . . . 11 5.3 Processing limits . . . . . . . . . . . . . . . . . . . . . 12
5.3.1 Long headers and header chains . . . . . . . . . . . . . 11 5.3.1 Long headers and header chains . . . . . . . . . . . . . 12
5.3.2 At end nodes . . . . . . . . . . . . . . . . . . . . . . 12 5.3.2 At end hosts . . . . . . . . . . . . . . . . . . . . . . 12
5.3.3 At intermediate nodes . . . . . . . . . . . . . . . . . 12 5.3.3 At intermediate nodes . . . . . . . . . . . . . . . . . 13
6 Security Considerations . . . . . . . . . . . . . . . . . . . . 12 6 Security Considerations . . . . . . . . . . . . . . . . . . . . 13
7 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 14 7 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 13
7.1 Parameter Problem codes . . . . . . . . . . . . . . . . . . 14 7.1 Parameter Problem codes . . . . . . . . . . . . . . . . . . 13
7.2 Destination Unreachable codes . . . . . . . . . . . . . . . 14 7.2 Destination Unreachable codes . . . . . . . . . . . . . . . 13
7.3 ICMP Extension Object Classes and Class Sub-types . . . . . 14
8 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 14 8 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 14
9 References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 9 References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
9.1 Normative References . . . . . . . . . . . . . . . . . . . 14 9.1 Normative References . . . . . . . . . . . . . . . . . . . 14
9.2 Informative References . . . . . . . . . . . . . . . . . . 15 9.2 Informative References . . . . . . . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15
1 Introduction 1 Introduction
This document specifies ICMPv6 errors that can be sent when a node This document specifies several new ICMPv6 errors that can be sent
discards a packet due to it being unable to process the necessary when a node discards a packet due to it being unable to process the
protocol headers because of processing constraints or limits. New necessary protocol headers because of processing constraints or
ICMPv6 code points are defined as an update to [RFC4443]. Five of the limits. New ICMPv6 code points are defined as an update to [RFC4443].
errors are specific to processing of extension headers; another error Five of the errors are specific to processing of extension headers;
is used when the aggregate protocol headers in a packet exceed the another error is used when the aggregate protocol headers in a packet
processing limits of a node. exceed the processing limits of a node.
1.1 Extension header limits 1.1 Extension header limits
In IPv6, optional internet-layer information is carried in one or In IPv6, optional internet-layer information is carried in one or
more IPv6 Extension Headers [RFC8200]. Extension Headers are placed more IPv6 Extension Headers [RFC8200]. Extension Headers are placed
between the IPv6 header and the Upper-Layer Header in a packet. The between the IPv6 header and the Upper-Layer Header in a packet. The
term "Header Chain" refers collectively to the IPv6 header, Extension term "Header Chain" refers collectively to the IPv6 header, Extension
Headers, and Upper-Layer Headers occurring in a packet. Individual Headers, and Upper-Layer Headers occurring in a packet. Individual
extension headers may have a length of 2048 octets and must fit into extension headers may have a maximum length of 2048 octets and must
one MTU. Destination Options and Hop-by-Hop Options contain a list of fit into a single packet. Destination Options and Hop-by-Hop Options
options in Type-length-value (TLV) format. Each option includes a contain a list of options in Type-length-value (TLV) format. Each
length of the data field in octets: the minimum size of an option option includes a length of the data field in octets: the minimum
(non-pad type) is two octets and the maximum size is 257 octets. The size of an option (non-pad type) is two octets and the maximum size
number of options in an extension header is only limited by the is 257 octets. The number of options in an extension header is only
length of the extension header and MTU. Options may be skipped over limited by the length of the extension header and the Path MTU from
by a receiver if they are unknown and the Option Type indicates to the source to the destination. Options may be skipped over by a
skip (first two high order bits are 00). receiver if they are unknown and the Option Type indicates to skip
(first two high order bits are 00).
Per [RFC8200], except for Hop by Hop options, extension headers are Per [RFC8200], except for Hop by Hop options, extension headers are
not examined or processed by intermediate nodes. Many intermediate not examined or processed by intermediate nodes. Many intermediate
nodes, however, do examine extension header for various purposes. For nodes, however, do examine extension header for various purposes. For
instance, a node may examine all extension headers to locate the instance, a node may examine all extension headers to locate the
transport header of a packet in order to implement transport layer transport header of a packet in order to implement transport layer
filtering or to track connections to implement a stateful firewall. filtering or to track connections to implement a stateful firewall.
Destination hosts are expected to process all extension headers and Destination hosts are expected to process all extension headers and
options in Hop-by-Hop and Destination Options. options in Hop-by-Hop and Destination Options.
Due to the variable lengths, high maximum lengths, or potential for Due to the variable lengths, high maximum lengths, or potential for
Denial of Service attack of extension headers, many devices impose Denial of Service attack of extension headers, many devices impose
operational limits on extension headers in packets they process. operational limits on extension headers in packets they process.
[RFC7045] discusses the requirements of intermediate nodes that [RFC7045] discusses the requirements of intermediate nodes that
discard packets because of unrecognized extension headers. [RFC8504] discard packets because of unrecognized extension headers. [RFC8504]
discusses limits that may be applied to the number of options in Hop- discusses limits that may be applied to the number of options in Hop-
by-Hop or Destination Options extension headers. Both intermediate by-Hop Options or Destination Options extension headers. Both
nodes and end hosts may apply limits to extension header processing. intermediate nodes and end hosts may apply limits to extension header
When a limit is exceeded, the typical behavior is to silently discard processing. When a limit is exceeded, the typical behavior is to
the packet. silently discard the packet.
This specification defines four Parameter Problem codes and extends This specification defines four Parameter Problem codes and extends
the applicably of an existing code that may be sent by a node that the applicably of an existing code that may be sent by a node that
discards a packet due to processing limits of extension headers being discards a packet due to processing limits of extension headers being
exceeded. A source host that receives an ICMPv6 error may modify its exceeded. A source host that receives an ICMPv6 error may modify its
use of extension headers in subsequent packets sent to the use of extension headers in subsequent packets sent to the
destination in order to avoid further occurrences of packets being destination in order to avoid further occurrences of packets being
discarded. discarded.
1.2 Aggregate header limits 1.2 Aggregate header limits
Many hardware devices implement a parsing buffer of a fixed size to Some hardware devices implement a parsing buffer of a fixed size to
process packets. The parsing buffer is expected to contain all the process packets. The parsing buffer is expected to contain all the
headers (often up to a transport layer header for filtering) that a headers (often up to a transport layer header for filtering) that a
device needs to examine. If the aggregate length of headers in a device needs to examine. If the aggregate length of headers in a
packet exceeds the size of the parsing buffer, a device will either packet exceeds the size of the parsing buffer, a device will either
discard the packet or defer processing to a software slow path. In discard the packet or defer processing to a software slow path. In
any case, no indication of a problem is sent back to the sender. any case, no indication of a problem is sent back to the sender.
This document defines one code for ICMPv6 Destination Unreachable This document defines one code for ICMPv6 Destination Unreachable
that is sent by a node that is unable to process the headers of a that is sent by a node that is unable to process the headers of a
packet due to the aggregate size of the packet headers exceeding a packet due to the aggregate size of the packet headers exceeding a
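Review bot: The last paragraph of section 1.1 still reads "extends the applicably of an existing code" in both columns; it should be "applicability", matching the wording used at the start of section 2. In the same section, "do examine extension header for various purposes" needs the plural "headers". Neither was picked up in -05, so both are worth fixing while the surrounding text is being revised.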
skipping to change at page 5, line 38 skipping to change at page 5, line 38
occurrences of packets being discarded or relegated to a slow path. occurrences of packets being discarded or relegated to a slow path.
2 ICMPv6 errors for extension header limits 2 ICMPv6 errors for extension header limits
Four new codes are defined for the Parameter Problem type and Four new codes are defined for the Parameter Problem type and
applicability of one existing code is extended for ICMPv6 errors for applicability of one existing code is extended for ICMPv6 errors for
extension header limits. extension header limits.
2.1 Format 2.1 Format
The format of the ICMPv6 message for an extension header limit The format of the ICMPv6 Parameter Problem message [RFC4443] for an
exceeded error is: extension header limit exceeded error is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum | | Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Pointer | | Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| As much of invoking packet | | As much of invoking packet |
+ as possible without the ICMPv6 packet + + as possible without the ICMPv6 packet +
skipping to change at page 6, line 16 skipping to change at page 6, line 16
Destination Address Destination Address
Copied from the Source Address field of the invoking packet. Copied from the Source Address field of the invoking packet.
ICMPv6 Fields: ICMPv6 Fields:
Type Type
4 (Parameter Problem type) 4 (Parameter Problem type)
Code (pertinent to this specification) Code (pertinent to this specification)
1 - Unrecognized Next Header type encountered 1 - Unrecognized Next Header type encountered
4 - Extension header too big TBA - Extension header too big
5 - Extension header chain too long TBA - Extension header chain too long
6 - Too many options in extension header TBA - Too many options in extension header
7 - Option too big TBA - Option too big
Pointer Pointer
Identifies the octet offset within the invoking packet where Identifies the octet offset within the invoking packet where
the problem occurred. the problem occurred.
The pointer will point beyond the end of the ICMPv6 packet if The pointer will point beyond the end of the ICMPv6 packet if
the field having a problem is beyond what can fit in the the field having a problem is beyond what can fit in the
maximum size of an ICMPv6 error message. maximum size of an ICMPv6 error message.
2.2 Unrecognized Next Header type encountered (code 1) 2.2 Unrecognized Next Header type encountered (code 1)
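Review bot: The Pointer description in 2.1 allows a value that lies "beyond the end of the ICMPv6 packet", but nothing here tells a receiver how to treat such a value. Suggest adding that a receiver compares Pointer against the length of the quoted invoking packet before using it as an offset into that data, and treats a larger value as information only. Separately, the four new codes in -05 all read "TBA", so they cannot be told apart when cross-referenced; distinct placeholders such as TBA1 to TBA4 would keep the Code list, the section titles and the IANA section aligned until values are assigned.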
skipping to change at page 6, line 48 skipping to change at page 6, line 48
packet because it encounters a Next Header type that is unknown in packet because it encounters a Next Header type that is unknown in
its examination. The ICMPv6 Pointer field is set to the offset of the its examination. The ICMPv6 Pointer field is set to the offset of the
unrecognized next header value within the original packet. unrecognized next header value within the original packet.
Note that when the original sender receives the ICMPv6 error it can Note that when the original sender receives the ICMPv6 error it can
differentiate between the message being sent by a destination host, differentiate between the message being sent by a destination host,
per [RFC4443], and an error sent by an intermediate host based on per [RFC4443], and an error sent by an intermediate host based on
matching the source address of the ICMPv6 packet and the destination matching the source address of the ICMPv6 packet and the destination
address of the packet in the ICMPv6 data. address of the packet in the ICMPv6 data.
2.3 Extension header too big (code 4) 2.3 Extension header too big (code TBA)
An ICMPv6 Parameter Problem with code for "extension header too big" An ICMPv6 Parameter Problem with code for "extension header too big"
SHOULD be sent when a node discards a packet because the size of an SHOULD be sent when a node discards a packet because the size of an
extension header exceeds its processing limit. The ICMPv6 Pointer extension header exceeds its processing limit. The ICMPv6 Pointer
field is set to the offset of the first octet in the extension header field is set to the offset of the first octet in the extension header
that exceeds the limit. that exceeds the limit.
2.4 Extension header chain too long (code 5) 2.4 Extension header chain too long (code TBA)
An ICMPv6 Parameter Problem with code for "extension header chain too An ICMPv6 Parameter Problem with code for "extension header chain too
long" SHOULD be sent when a node discards a packet with an extension long" SHOULD be sent when a node discards a packet with an extension
header chain that exceeds its processing limits. header chain that exceeds its processing limits.
There are two different limits that might be applied: a limit on the There are two different limits that might be applied: a limit on the
total size in octets of the header chain, and a limit on the number total size in octets of the header chain, and a limit on the number
of extension headers in the chain. This error code is used in both of extension headers in the chain. This error code is used in both
cases. In the case that the size limit is exceeded, the ICMPv6 cases. In the case that the size limit is exceeded, the ICMPv6
Pointer is set to first octet beyond the limit. In the case that the Pointer is set to first octet beyond the limit. In the case that the
number of extension headers is exceeded, the ICMPv6 Pointer is set to number of extension headers is exceeded, the ICMPv6 Pointer is set to
the offset of first octet of the first extension header that is the offset of first octet of the first extension header that is
beyond the limit. beyond the limit.
2.5 Too many options in extension header (code 6) 2.5 Too many options in extension header (code TBA)
An ICMPv6 Parameter Problem with code for "too many options in An ICMPv6 Parameter Problem with code for "too many options in
extension header" SHOULD be sent when a node discards a packet with extension header" SHOULD be sent when a node discards a packet with
an extension header that has a number of options that exceed the an extension header that has a number of options that exceed the
processing limits of the node. This code is applicable for processing limits of the node. This code is applicable for
Destination options and Hop-by-Hop options. The ICMPv6 Pointer field Destination options and Hop-by-Hop options. The ICMPv6 Pointer field
is set to the first octet of the first option that exceeds the limit. is set to the first octet of the first option that exceeds the limit.
2.6 Option too big (code 7) 2.6 Option too big (code TBA)
An ICMPv6 Parameter Problem with code for "option too big" is sent in An ICMPv6 Parameter Problem with code for "option too big" is sent in
two different cases: when the length of an individual option exceeds two different cases: when the length of an individual Hop-by-Hop or
a limit, or when the length or number of consecutive padding options Destination option exceeds a limit, or when the length or number of
exceeds a limit. consecutive Hop-by-Hop or Destination padding options exceeds a
limit. In the case that the length of an option exceeds a processing
If a packet is discarded because the length of a Hop-by-Hop or limit, the ICMPv6 Pointer field is set to the offset of the first
Destination option exceeds a processing limit, a node SHOULD send an octet of the option that exceeds the limit. In the cases that the
ICMPv6 Parameter Problem with code equal to 7. The ICMPv6 Pointer length or number of padding options exceeds a limit, the ICMPv6
field is set to the offset of the first octet of the option that
exceeds the limit.
If a packet is discarded because the length or number of consecutive
padding options (PAD1 and PADN) exceeds a limit, a node SHOULD send
and an ICMPv6 Parameter Problem with code equal to 7. The ICMPv6
Pointer field is set to the offset of first octet of the padding Pointer field is set to the offset of first octet of the padding
option that exceeds the limit. option that exceeds the limit.
Possible limits related to padding include: Possible limits related to padding include:
* The number of consecutive PAD1 options in destination options or * The number of consecutive PAD1 options in destination options or
hop-by-hop options is limited to seven octets [RFC8504]. hop-by-hop options is limited to seven octets [RFC8504].
* The length of a PADN options in destination options or hop-by- * The length of a PADN options in destination options or hop-by-
hop options is limited seven octets [RFC8504]. hop options is limited seven octets [RFC8504].
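Review bot: The rewrite of section 2.6 drops the requirement level. The -04 text said "a node SHOULD send" for both the option-length and the padding case, while the -05 text only says the error "is sent in two different cases"; sections 2.3 to 2.5 all keep "SHOULD be sent". Unless the weakening is intended, suggest "SHOULD be sent in two different cases" so that 2.6 carries the same normative weight. In the padding list at the end of the hunk, "The length of a PADN options ... is limited seven octets" should read "a PADN option ... is limited to seven octets".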
skipping to change at page 8, line 25 skipping to change at page 8, line 17
to seven octets. to seven octets.
3 ICMPv6 error for aggregate header limits 3 ICMPv6 error for aggregate header limits
One code is defined for Destination Unreachable type for aggregate One code is defined for Destination Unreachable type for aggregate
header limits. header limits.
3.1 Format 3.1 Format
The error for aggregate header limits employs a multi-part ICMPv6 The error for aggregate header limits employs a multi-part ICMPv6
message format as defined in [RFC4884]. The extended structure message format as defined in [RFC4884]. An ICMP extension structure
contains a pointer to the first octet beyond the limit. contains one ICMP extension object which contains a Pointer field.
The format of the ICMPv6 message for an aggregate header limit The format of the ICMPv6 message for an aggregate header limit
exceeded is: exceeded is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\
| Type | Code | Checksum | | Type | Code | Checksum | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I
| unused | Length | unused | | Length | Unused | C
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ M
| Internet Header + leading octets of original datagram | | Original Datagram | P
| | ~ Internet Header + leading octets of original datagram ~ |
| // | | | |
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+/
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| Reserved | Checksum |\
| Pointer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ E
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Class-Num | C-Type | X
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ T
| Pointer | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+/
IPv6 Fields: IPv6 Fields:
Destination Address Destination Address
Copied from the Source Address field of the invoking packet. Copied from the Source Address field of the invoking packet.
ICMPv6 Fields: ICMPv6 Fields:
Type Type
1 (Destination Unreachable type) 1 - Destination Unreachable type
Code (pertinent to this specification) Code (pertinent to this specification)
8 - Headers too long TBA - Headers too long
Length Length
Length of the "original datagram" measured in 64 bit words Length of the padded Original Datagram field Measured in 64-bit
words. The ICMP extension structure immediately follows the
padded original datagram.
Original Datagram
As much of invoking packet as possible without exceeding the
minimum ICMPv6 packet minus twelve bytes (for the ICMP
extension structure and the ICMP extension object) and any
necessary padding. The Original Datagram field MUST be zero
padded to the nearest 64-bit boundary [RFC4884]. If the
original datagram did not contain 128 octets, the Original
Datagram field MUST be zero padded to 128 octets.
ICMP Extension Fields:
Version
2 - per [RFC4884]
Reserved
0
Checksum
The one's complement checksum of the ICMP extension [RFC4884]
Length
8 - length of the object header and Pointer field
Class-Num
TBA - Extended Information class
C-Type
TBA - Pointer sub-type
Pointer Pointer
Identifies the octet offset within the invoking packet where a Identifies the octet offset within the invoking packet where a
limit was exceeded. limit was exceeded.
The pointer will point beyond the end of the original datagram The pointer will point beyond the end of the original datagram
if the field exceeding the limit is beyond what can fit in the if the field exceeding the limit is beyond what can fit in the
maximum size of an ICMPv6 error message. maximum size of an ICMPv6 error message with the ICMP
extension.
3.2 Usage 3.2 Usage
An ICMPv6 Destination Unreachable error with code for "headers too An ICMPv6 Destination Unreachable error with code for "headers
long" SHOULD be sent when a node discards a packet because the too long" SHOULD be sent when a node discards a packet because
aggregate length of headers in the packet exceeds the processing the aggregate length of headers in the packet exceeds the
limits of the node. The Pointer in the extended ICMPv6 structure is processing limits of the node. The Pointer in the extended
set to the offset of the first octet that exceeds the limit. ICMPv6 structure is set to the offset of the first octet that
exceeds the limit.
4 Operation 4 Operation
Nodes that send or receive ICMPv6 errors due to header processing Nodes that send or receive ICMPv6 errors due to header
limits MUST generally comply with ICMPv6 processing as specified in processing limits MUST comply with ICMPv6 processing as
[RFC4443]. specified in [RFC4443].
4.1 Priority of reporting 4.1 Priority of reporting
More than one ICMPv6 error may be applicable to report for a packet. More than one ICMPv6 error may be applicable to report for a
For instance, the number of extension headers in a packet might packet. For instance, the number of extension headers in a
exceed a limit and the aggregate length of protocol headers might packet might exceed a limit and the aggregate length of
also exceed a limit. Only one ICMPv6 error SHOULD be sent for a protocol headers might also exceed a limit. Only one ICMPv6
packet, so a priority is defined to determine which error to report. error SHOULD be sent for a packet, so a priority is defined to
determine which error to report.
The RECOMMENDED reporting priority of ICMPv6 errors for processing The RECOMMENDED reporting priority of ICMPv6 errors for
limits is from highest to lowest priority: processing limits is from highest to lowest priority:
1) Real error (existing codes) 1) Real error (existing codes)
2) "Unrecognized Next Header type" encountered by an intermediate 2) "Unrecognized Next Header type" encountered by an intermediate
node node
3) "Extension header too big" 3) "Extension header too big"
4) "Option too big" for length or number of consecutive padding 4) "Option too big" for length or number of consecutive padding
options exceeding a limit options exceeding a limit
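Review bot: In the new Original Datagram definition in 3.1, the bound "without exceeding the minimum ICMPv6 packet minus twelve bytes" relies on a term, "minimum ICMPv6 packet", that this text does not define. Name the limit explicitly, and state whether the zero padding to the 64-bit boundary and to 128 octets counts against it, since the sentence currently lists "any necessary padding" alongside the twelve bytes without saying so. Two smaller points in the same hunk: "Measured" in the Length description should be lower case, and 3.2 refers to the Pointer "in the extended ICMPv6 structure" while 3.1 now calls it a field of the ICMP extension object, so one term should be used throughout.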
skipping to change at page 10, line 26 skipping to change at page 11, line 4
8) "Extension header chain too long" for size of an extension 8) "Extension header chain too long" for size of an extension
header chain exceeding a limit header chain exceeding a limit
9) "Headers too long" 9) "Headers too long"
4.2 Host response 4.2 Host response
When a source host receives an ICMPv6 error for a processing limit When a source host receives an ICMPv6 error for a processing limit
being exceeded, it SHOULD verify the ICMPv6 error is valid and take being exceeded, it SHOULD verify the ICMPv6 error is valid and take
an appropriate action. appropriate action as suggested below.
The general validations for ICMP as described in [RFC4443] are The general validations for ICMP as described in [RFC4443] are
applicable. The packet in the ICMP data SHOULD be validated to match applicable. The packet in the ICMP data SHOULD be validated to match
the upper layer process or connection that generated the original the upper layer process or connection that generated the original
packet. Other validation checks that are specific to the upper layers packet. Other validation checks that are specific to the upper layers
may be performed and are out of the scope of this specification. may be performed and are out of the scope of this specification.
The ICMPv6 error SHOULD be logged with sufficient detail for The ICMPv6 error SHOULD be logged with sufficient detail for
debugging packet loss. The details of the error, including the debugging packet loss. The details of the error, including the
addresses and the offending extension header or data, should be addresses and the offending extension header or data, should be
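Review bot: The validation paragraph in 4.2 asks that the packet in the ICMP data "be validated to match the upper layer process or connection", but for the errors this draft defines the quoted packet may not reach the upper-layer header at all, because the headers are long enough to have triggered the limit and the ICMPv6 error carries only as much of the invoking packet as fits. The text should say what a host does in that case, for example log the error without changing what it sends, so that an error which cannot be tied to a connection is not acted on as if it had been validated.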
skipping to change at page 10, line 50 skipping to change at page 11, line 28
A host MAY modify its usage of protocol headers in subsequent packets A host MAY modify its usage of protocol headers in subsequent packets
to avoid repeated occurrences of the same error. to avoid repeated occurrences of the same error.
For ICMPv6 errors caused by extension header limits being exceeded: For ICMPv6 errors caused by extension header limits being exceeded:
* An error SHOULD be reported to an application if the application * An error SHOULD be reported to an application if the application
enabled extension headers for its traffic. In response, the enabled extension headers for its traffic. In response, the
application may terminate communications if extension headers application may terminate communications if extension headers
are required, stop using extension headers in packets to the are required, stop using extension headers in packets to the
destination indicated by the ICMPv6 error, or attempt modify its destination indicated by the ICMPv6 error, or attempt to modify
use of extension headers or headers to avoid further packet its use of extension headers or headers to avoid further packet
discards. discards.
* A host system SHOULD take appropriate action if it is * A host system SHOULD take appropriate action if it is creating
automatically inserting extension headers into packets on behalf packets with extension headers on behalf of the application. If
of the application. If the offending extension header is not the offending extension header is not required for
required for communication, the host may either stop sending it communication, the host may either stop sending it or otherwise
or otherwise modify its use in subsequent packets sent to the modify its use in subsequent packets sent to the destination
destination indicated in the ICMPv6 error. indicated in the ICMPv6 error.
5 Applicability and use cases 5 Applicability and use cases
5.1 Nonconformant packet discard 5.1 Nonconformant packet discard
The ICMP errors defined in this specification may be applicable to The ICMP errors defined in this specification may be applicable to
scenarios for which a node is dropping packets outside the auspices scenarios for which a node is dropping packets outside the auspices
of any standard specification. For instance, an intermediate node of any standard specification. For instance, an intermediate node
might send a "Headers too long" code in the case that it drops a might send a "Headers too long" code in the case that it drops a
packet because it is unable to parse deep enough to extract transport packet because it is unable to parse deep enough to extract transport
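Review bot: Both bullets allow an application or host to stop sending an extension header when the error arrives, but neither bullet conditions that on the validation described earlier in this section, which is itself only a SHOULD. Suggest stating that these actions apply only to errors that passed validation, so that an error which does not match an outstanding packet cannot cause the sender to drop a header it relies on. Separately, -05 corrects "attempt to modify" but keeps "extension headers or headers"; if the intent is "extension headers or other headers", say so.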
skipping to change at page 11, line 46 skipping to change at page 12, line 25
ICMP, it is assumed that the errors defined in this document are only ICMP, it is assumed that the errors defined in this document are only
best effort to be delivered. No protocol should be implemented that best effort to be delivered. No protocol should be implemented that
relies on reliable delivery of ICMP messages. If necessary, relies on reliable delivery of ICMP messages. If necessary,
alternative or additional mechanisms may used to augment the alternative or additional mechanisms may used to augment the
processes used to to deduce the reason that packets are being processes used to to deduce the reason that packets are being
discarded. Such alternative mechanisms are out of scope of this discarded. Such alternative mechanisms are out of scope of this
specification. specification.
5.3 Processing limits 5.3 Processing limits
This sections discusses the trends and motivations of processing This section discusses the trends and motivations of processing
limits that warrant ICMP errors. limits that warrant ICMP errors.
5.3.1 Long headers and header chains 5.3.1 Long headers and header chains
Historically, packet headers have been relatively simple and The trend towards longer and more complex headers and header chains
straightforward. For instance, the majority of packets in the needing to be processed by end nodes, as well as intermediate nodes,
Internet are plain TCP or UDP carried in IPv4 or IPv6. The trend is driven by:
towards more complex headers, and hence the need to process longer
headers, is driven by:
* Increasing prevalence of deep packet inspection in middleboxes. * Increasing prevalence of deep packet inspection in middleboxes.
In particular, many intermediate nodes now parse into network In particular, many intermediate nodes now parse network layer
layer encapsulation protocols. encapsulation protocols or transport layer protocols.
* Deployment of routing headers. For instance, [SRH] defines an * Deployment of routing headers. For instance, [SRH] defines an
extension header format that includes a list of IPv6 addresses extension header format that includes a list of IPv6 addresses
which may consume a considerable number of bytes. which may consume a considerable number of bytes.
* Development of In-situ OAM headers that allow a rich set of * Development of In-situ OAM headers that allow a rich set of
measurements to be gathered in the data path at the cost of measurements to be gathered in the data path at the cost of
additional header overhead which may be significant [IOAM]. additional header overhead which may be significant [IOAM].
* Other emerging use cases of Hop-by-Hop options. * Other emerging use cases of Hop-by-Hop and Destination options.
5.3.2 At end nodes 5.3.2 At end hosts
End node hosts may implement limits on processing extension headers End hosts may implement limits on processing extension headers as
as described in [RFC8504]. Host implementations are usually software described in [RFC8504]. Host implementations are usually software
stacks that typically don't have inherent processing limitations. stacks that typically don't have inherent processing limitations.
Limits imposed by a software stack are more likely to be for denial Limits imposed by a software stack are more likely to be for denial
of service mitigation or performance. of service mitigation or performance.
5.3.3 At intermediate nodes 5.3.3 At intermediate nodes
Hardware devices that process packet headers may have limits as to Hardware devices that process packet headers may have limits as to
how many headers or bytes of headers they can process. For instance, how many headers or bytes of headers they can process. For instance,
a middlebox hardware implementation might have a parsing buffer that a middlebox hardware implementation might have a parsing buffer that
contains some number of bytes of packet headers to process. Parsing contains some number of bytes of packet headers to process. Parsing
buffers typically have a fixed size such as sixty-four, 128, or 256 buffers typically have a fixed size such as sixty-four, 128, or 256
bytes. In addition, hardware implementations (and some software bytes. In addition, hardware implementations (and some software
implementations) often don't have loop constructs. So for instance, implementations) often don't have loop constructs. Processing of a
processing of a TLV list might be implemented as an unrolled loop so TLV list might be implemented as an unrolled loop so that the number
that the number of TLVs that can be processed is limited. For of TLVs that can be processed is limited.
instance, an implementation might unroll a TLV parsing loop to
process at most eight TLVs.
6 Security Considerations 6 Security Considerations
The security considerations for ICMPv6 described in [RFC4443] are The security considerations for ICMPv6 described in [RFC4443] are
applicable. The ICMP errors described in this document MAY be applicable. The ICMP errors described in this document MAY be
filtered by firewalls in accordance with [RFC4890]. filtered by firewalls in accordance with [RFC4890].
In some circumstances, the sending of ICMP errors might conceptually In some circumstances, the sending of ICMP errors might conceptually
be exploited for denial of service attack or as a means to covertly be exploited for denial of service attack or as a means to covertly
deduce processing capabilities of nodes as a precursor to denial of deduce processing capabilities of nodes. As such, an implementation
service attack. As such, an implementation SHOULD allow configurable SHOULD allow configurable policy to withhold sending of the ICMP
policy to withhold sending of the ICMP errors described in this errors described in this specification in environments where security
specification in environments where security of ICMP errors is a of ICMP errors is a concern.
concern.
7 IANA Considerations 7 IANA Considerations
7.1 Parameter Problem codes 7.1 Parameter Problem codes
IANA is requested to assign the following codes for ICMPv6 type 4 IANA is requested to assign the following codes for ICMPv6 type 4
"Parameter Problem": "Parameter Problem" [IANA-ICMPV6]:
4 - Extension header too big * Extension header too big
5 - Extension header chain too long * Extension header chain too long
6 - Too many options in extension header * Too many options in extension header
7 - Option too big * Option too big
7.2 Destination Unreachable codes 7.2 Destination Unreachable codes
IANA is requested to assign the following codes for ICMPv6 type 1 IANA is requested to assign the following code for ICMPv6 type 1
"Destination Unreachable": "Destination Unreachable" [IANA-ICMPV6]:
8 - Headers too long * Headers too long
7.3 ICMP Extension Object Classes and Class Sub-types
IANA is requested to assign the following Class value in the "ICMP
Extension Object Classes and Class Sub-types" registry [IANA-
ICMPEXT]:
* Extended information
IANA is requested to assign the following Sub-type within the
aforementioned "Extended information" ICMP extension object class:
* Pointer
8 Acknowledgments 8 Acknowledgments
The author would like to thank Ron Bonica, Bob Hinden, Nick Hilliard, The author would like to thank Ron Bonica, Bob Hinden, Nick Hilliard,
Michael Richardson, Mark Smith, and Suresh Krishnan for their Michael Richardson, Mark Smith, and Suresh Krishnan for their
comments and suggestions that improved this document. comments and suggestions that improved this document.
9 References 9 References
9.1 Normative References 9.1 Normative References
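Review bot: In Section 6 the -05 text removes "as a precursor to denial of service attack", so the concern about covertly deducing processing capabilities is left without a stated consequence, and the SHOULD for a "configurable policy to withhold sending" still gives no default for that policy. Suggest keeping one clause on why exposing processing limits matters and saying whether sending is on or off by default. In Section 7.3 the new "Extended information" class and "Pointer" sub-type are requested without a pointer to the section that defines them; add a cross-reference. The unchanged text in 5.2 still carries "may used" and "used to to" into -05, and 5.3.3 mixes "sixty-four" with "128, or 256".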
skipping to change at page 15, line 10 skipping to change at page 15, line 10
[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing of [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing of
IPv6 Extension Headers", RFC 7045, DOI 10.17487/RFC7045, IPv6 Extension Headers", RFC 7045, DOI 10.17487/RFC7045,
December 2013, <http://www.rfc-editor.org/info/rfc7045>. December 2013, <http://www.rfc-editor.org/info/rfc7045>.
[RFC4884] Bonica, R., Gan, D., Tappan, D., and C. Pignataro, [RFC4884] Bonica, R., Gan, D., Tappan, D., and C. Pignataro,
"Extended ICMP to Support Multi-Part Messages", RFC 4884, "Extended ICMP to Support Multi-Part Messages", RFC 4884,
DOI 10.17487/RFC4884, April 2007, <https://www.rfc- DOI 10.17487/RFC4884, April 2007, <https://www.rfc-
editor.org/info/rfc4884>. editor.org/info/rfc4884>.
[IANA-ICMPV6] "Internet Control Message Protocol version 6 (ICMPv6)
Parameters", <https://www.iana.org/assignments/icmpv6-
parameters/icmpv6-parameters.xhtml#icmpv6-parameters-codes-
2>
[IANA-ICMPEXT] ICMP Extension Object Classes and Class Sub-types,
<https://www.iana.org/assignments/icmp-parameters/icmp-
parameters.xhtml#icmp-parameters-ext-classes>
9.2 Informative References 9.2 Informative References
[RFC8504] Chown, T., Loughney, J., and T. Winters, "IPv6 Node [RFC8504] Chown, T., Loughney, J., and T. Winters, "IPv6 Node
Requirements", BCP 220, RFC 8504, DOI 10.17487/RFC8504, Requirements", BCP 220, RFC 8504, DOI 10.17487/RFC8504,
January 2019, <https://www.rfc-editor.org/info/rfc8504>. January 2019, <https://www.rfc-editor.org/info/rfc8504>.
[RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering
ICMPv6 Messages in Firewalls", RFC 4890, DOI ICMPv6 Messages in Firewalls", RFC 4890, DOI
10.17487/RFC4890, May 2007, <https://www.rfc- 10.17487/RFC4890, May 2007, <https://www.rfc-
editor.org/info/rfc4890>. editor.org/info/rfc4890>.
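Review bot: The two new IANA entries are formatted inconsistently: [IANA-ICMPV6] quotes its registry title while [IANA-ICMPEXT] does not, and neither follows the punctuation of the RFC entries around them. The [IANA-ICMPV6] URL also ends in a fragment, "#icmpv6-parameters-codes-2", which selects one table, yet the reference is cited from both 7.1 (type 4) and 7.2 (type 1); linking to the registry page without the fragment would serve both citations. The [RFC7045] entry still uses an http URL where the other entries use https.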
 End of changes. 47 change blocks. 
141 lines changed or deleted 191 lines changed or added
