draft-ietf-intarea-gre-ipv6-13.txt   draft-ietf-intarea-gre-ipv6-14.txt 
Intarea Working Group C. Pignataro Intarea Working Group C. Pignataro
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track R. Bonica Intended status: Standards Track R. Bonica
Expires: February 14, 2016 Juniper Networks Expires: March 4, 2016 Juniper Networks
S. Krishnan S. Krishnan
Ericsson Ericsson
August 13, 2015 September 1, 2015
IPv6 Support for Generic Routing Encapsulation (GRE) IPv6 Support for Generic Routing Encapsulation (GRE)
draft-ietf-intarea-gre-ipv6-13 draft-ietf-intarea-gre-ipv6-14
Abstract Abstract
Generic Routing Encapsulation (GRE) can be used to carry any network- Generic Routing Encapsulation (GRE) can be used to carry any network-
layer payload protocol over any network-layer delivery protocol. layer payload protocol over any network-layer delivery protocol.
Currently, GRE procedures are specified for IPv4, used as either the Currently, GRE procedures are specified for IPv4, used as either the
payload or delivery protocol. However, GRE procedures are not payload or delivery protocol. However, GRE procedures are not
specified for IPv6. specified for IPv6.
This document specifies GRE procedures for IPv6, used as either the This document specifies GRE procedures for IPv6, used as either the
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 14, 2016. This Internet-Draft will expire on March 4, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 35 skipping to change at page 2, line 35
2.1. Checksum Present . . . . . . . . . . . . . . . . . . . . 3 2.1. Checksum Present . . . . . . . . . . . . . . . . . . . . 3
3. IPv6 as GRE Payload . . . . . . . . . . . . . . . . . . . . . 4 3. IPv6 as GRE Payload . . . . . . . . . . . . . . . . . . . . . 4
3.1. GRE Protocol Type Considerations . . . . . . . . . . . . 4 3.1. GRE Protocol Type Considerations . . . . . . . . . . . . 4
3.2. MTU Considerations . . . . . . . . . . . . . . . . . . . 4 3.2. MTU Considerations . . . . . . . . . . . . . . . . . . . 4
3.3. Fragmentation Considerations . . . . . . . . . . . . . . 5 3.3. Fragmentation Considerations . . . . . . . . . . . . . . 5
4. IPv6 as GRE Delivery Protocol . . . . . . . . . . . . . . . . 6 4. IPv6 as GRE Delivery Protocol . . . . . . . . . . . . . . . . 6
4.1. Next Header Considerations . . . . . . . . . . . . . . . 6 4.1. Next Header Considerations . . . . . . . . . . . . . . . 6
4.2. Checksum Considerations . . . . . . . . . . . . . . . . . 6 4.2. Checksum Considerations . . . . . . . . . . . . . . . . . 6
4.3. MTU Considerations . . . . . . . . . . . . . . . . . . . 7 4.3. MTU Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
Generic Routing Encapsulation (GRE) [RFC2784] [RFC2890] can be used Generic Routing Encapsulation (GRE) [RFC2784] [RFC2890] can be used
to carry any network-layer payload protocol over any network-layer to carry any network-layer payload protocol over any network-layer
delivery protocol. Currently, GRE procedures are specified for IPv4 delivery protocol. Currently, GRE procedures are specified for IPv4
[RFC0791], used as either the payload or delivery protocol. However, [RFC0791], used as either the payload or delivery protocol. However,
GRE procedures are not specified for IPv6 [RFC2460]. GRE procedures are not specified for IPv6 [RFC2460].
This document specifies GRE procedures for IPv6, used as either the This document specifies GRE procedures for IPv6, used as either the
skipping to change at page 6, line 46 skipping to change at page 6, line 46
delivered to a node other than the intended GRE egress node. delivered to a node other than the intended GRE egress node.
Depending upon the state and configuration of that node, it will Depending upon the state and configuration of that node, it will
either: either:
a. Drop the packet a. Drop the packet
b. De-encapsulate the payload and forward it to its intended b. De-encapsulate the payload and forward it to its intended
destination destination
c. De-encapsulate the payload and forward it to a node other than c. De-encapsulate the payload and forward it to a node other than
its intended destination. For example, the payload might be its intended destination.
intended for a node on one VPN, but delivered to an identically
numbered node in another VPN.
Behaviors a) and b) are acceptable. Behavior c) is not acceptable. Behaviors a) and b) are acceptable. Behavior c) is not acceptable.
However, behavior c) is possible only when the payload destination
address is not globally unique and the GRE egress node provides Behavior c) is possible only when the following conditions are true:
disambiguating context to that address.
1. The intended GRE egress node is a Virtual Private Network (VPN)
Provider Edge (PE) router.
2. The node to which the GRE delivery packet is mistakenly delivered
is also a VPN PE router.
3. VPNs are attached to both of the above-mentioned nodes. At least
two of these VPN's number hosts from non-unique (e.g., [RFC1918])
address space.
4. The intended GRE egress node maintains state that causes it to
decapsulate the packet and forward the payload to its intended
destination
5. The node to which the GRE delivery packet is mistakenly delivered
maintains state that causes it to decapsulate the packet and
forward the payload to an identically numbered host in another
VPN.
While the failure scenario described above is extremely unlikely, a
single misdelivered packet can adversely impact applications running
on the node to which the packet is misdelivered. Furthermore,
leaking packets across VPN boundaries also constitutes a security
breach. The risk associated with behavior c) could be mitigated with
end-to-end authentication of the payload.
Before deploying GRE over IPv6, network operators should consider the Before deploying GRE over IPv6, network operators should consider the
likelihood of behavior c) in their network. GRE over IPv6 MUST NOT likelihood of behavior c) in their network. GRE over IPv6 MUST NOT
be deployed other than where the network operator deems the risk be deployed other than where the network operator deems the risk
associated with behavior c) to be acceptable. associated with behavior c) to be acceptable.
The risk associated with behavior c) could be mitigated with end-to-
end authentication of the payload.
4.3. MTU Considerations 4.3. MTU Considerations
By default, the GRE ingress node cannot fragment the IPv6 delivery By default, the GRE ingress node cannot fragment the IPv6 delivery
header. However, implementations MAY support an optional header. However, implementations MAY support an optional
configuration in which the GRE ingress node can fragment the IPv6 configuration in which the GRE ingress node can fragment the IPv6
delivery header. delivery header.
Also by default, the GRE egress node cannot reassemble the IPv6 Also by default, the GRE egress node cannot reassemble the IPv6
delivery header. However, implementations MAY support an optional delivery header. However, implementations MAY support an optional
configuration in which the GRE egress node can reassemble the IPv6 configuration in which the GRE egress node can reassemble the IPv6
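Review bot: In the new five-condition list for behavior c), "possible only when the following conditions are true" is a narrower claim than the sentence it replaces. The -13 text covered any case where the payload destination address is not globally unique and the GRE egress node provides disambiguating context, while the -14 list admits only the case where both nodes are VPN PE routers. Either state why no other kind of egress node can supply such context, or soften the wording so the list reads as the expected scenario rather than an exhaustive one. Condition 4 describes the intended egress node's normal behavior and has no bearing on whether the misdelivering node forwards into the wrong VPN, so it could be dropped. Editorial: "VPN's" in condition 3 should be "VPNs", and condition 4 is missing its final period.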
skipping to change at page 9, line 27 skipping to change at page 9, line 45
DOI 10.17487/RFC4443, March 2006, DOI 10.17487/RFC4443, March 2006,
<http://www.rfc-editor.org/info/rfc4443>. <http://www.rfc-editor.org/info/rfc4443>.
8.2. Informative References 8.2. Informative References
[I-D.ietf-opsec-v6] [I-D.ietf-opsec-v6]
Chittimaneni, K., Kaeo, M., and E. Vyncke, "Operational Chittimaneni, K., Kaeo, M., and E. Vyncke, "Operational
Security Considerations for IPv6 Networks", draft-ietf- Security Considerations for IPv6 Networks", draft-ietf-
opsec-v6-06 (work in progress), March 2015. opsec-v6-06 (work in progress), March 2015.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<http://www.rfc-editor.org/info/rfc1918>.
[RFC4942] Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/ [RFC4942] Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/
Co-existence Security Considerations", RFC 4942, Co-existence Security Considerations", RFC 4942,
DOI 10.17487/RFC4942, September 2007, DOI 10.17487/RFC4942, September 2007,
<http://www.rfc-editor.org/info/rfc4942>. <http://www.rfc-editor.org/info/rfc4942>.
[RFC6169] Krishnan, S., Thaler, D., and J. Hoagland, "Security [RFC6169] Krishnan, S., Thaler, D., and J. Hoagland, "Security
Concerns with IP Tunneling", RFC 6169, Concerns with IP Tunneling", RFC 6169,
DOI 10.17487/RFC6169, April 2011, DOI 10.17487/RFC6169, April 2011,
<http://www.rfc-editor.org/info/rfc6169>. <http://www.rfc-editor.org/info/rfc6169>.
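Review bot: The added [RFC1918] entry is the only example of non-unique address space cited from condition 3 of the behavior c) list, and RFC 1918 covers IPv4 private address space only. Since the delivery protocol in this section is IPv6 and the payload may be either protocol, consider writing the citation as "e.g., IPv4 [RFC1918]" in condition 3 so the example is not read as describing IPv6 payload addressing.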
 End of changes. 10 change blocks. 
15 lines changed or deleted 40 lines changed or added