draft-ietf-opsec-ip-options-filtering-00.txt   draft-ietf-opsec-ip-options-filtering-01.txt 
Operational Security Capabilities for F. Gont Operational Security Capabilities for F. Gont
IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks IP Network Infrastructure (opsec) UTN-FRH / SI6 Networks
Internet-Draft R. Atkinson Internet-Draft R. Atkinson
Intended status: BCP Consultant Intended status: BCP Consultant
Expires: December 13, 2012 C. Pignataro Expires: June 17, 2013 C. Pignataro
Cisco Cisco
June 11, 2012 December 14, 2012
Recommendations on filtering of IPv4 packets containing IPv4 options Recommendations on filtering of IPv4 packets containing IPv4 options
draft-ietf-opsec-ip-options-filtering-00.txt draft-ietf-opsec-ip-options-filtering-01.txt
Abstract Abstract
This document document provides advice on the filtering of IPv4 This document document provides advice on the filtering of IPv4
packets based on the IPv4 options they contain. Additionally, it packets based on the IPv4 options they contain. Additionally, it
discusses the operational and interoperability implications of discusses the operational and interoperability implications of
dropping packets based on the IP options they contain. dropping packets based on the IP options they contain.
Status of this Memo Status of this Memo
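Review bot: The Abstract's first sentence still reads "This document document provides advice" in -01, unchanged from -00; drop the repeated word. The same doubling appears in the opening sentence of Section 1 ("This document document discusses").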
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 13, 2012. This Internet-Draft will expire on June 17, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 34 skipping to change at page 2, line 34
4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 13 4.10. Reply MTU (Type = 12) (obsolete) . . . . . . . . . . . . . 13
4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 14 4.11. Traceroute (Type = 82) . . . . . . . . . . . . . . . . . . 14
4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 14 4.12. DoD Basic Security Option (Type = 130) . . . . . . . . . . 14
4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 16 4.13. DoD Extended Security Option (Type = 133) . . . . . . . . 16
4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . 17 4.14. Commercial IP Security Option (CIPSO) (Type = 134) . . . . 17
4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 19 4.15. VISA (Type = 142) . . . . . . . . . . . . . . . . . . . . 19
4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 19 4.16. Extended Internet Protocol (Type = 145) . . . . . . . . . 19
4.17. Address Extension (Type = 147) . . . . . . . . . . . . . . 20 4.17. Address Extension (Type = 147) . . . . . . . . . . . . . . 20
4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 20 4.18. Sender Directed Multi-Destination Delivery (Type = 149) . 20
4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 21 4.19. Dynamic Packet State (Type = 151) . . . . . . . . . . . . 21
4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . . 22 4.20. Upstream Multicast Pkt. (Type = 152) . . . . . . . . . . . 21
4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 22 4.21. Quick-Start (Type = 25) . . . . . . . . . . . . . . . . . 22
4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) . 23 4.22. RFC3692-style Experiment (Types = 30, 94, 158, and 222) . 23
4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . . 24 4.23. Other IP Options . . . . . . . . . . . . . . . . . . . . . 24
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
6. Security Considerations . . . . . . . . . . . . . . . . . . . 25 6. Security Considerations . . . . . . . . . . . . . . . . . . . 25
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
8.1. Normative References . . . . . . . . . . . . . . . . . . . 25 8.1. Normative References . . . . . . . . . . . . . . . . . . . 25
8.2. Informative References . . . . . . . . . . . . . . . . . . 26 8.2. Informative References . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
This document document discusses the filtering of IPv4 packets based This document document discusses the filtering of IPv4 packets based
skipping to change at page 4, line 7 skipping to change at page 4, line 7
The terms "fast path", "slow path", and associated relative terms The terms "fast path", "slow path", and associated relative terms
("faster path" and "slower path") are loosely defined as in Section 2 ("faster path" and "slower path") are loosely defined as in Section 2
of [RFC6398]. of [RFC6398].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. IP Options 2. IP Options
IP options allow for the extension of the Internet Protocol IP options allow for the extension of the Internet Protocol. As
specified in [RFC0791], there are two cases for the format of an
There are two cases for the format of an option: option:
o Case 1: A single byte of option-type. o Case 1: A single byte of option-type.
o Case 2: An option-type byte, an option-length byte, and the actual o Case 2: An option-type byte, an option-length byte, and the actual
option-data bytes. option-data bytes.
IP options of Case 1 have the following syntax: IP options of Case 1 have the following syntax:
+-+-+-+-+-+-+-+-+- - - - - - - - - +-+-+-+-+-+-+-+-+- - - - - - - - -
| option-type | option-data | option-type | option-data
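Review bot: The Case 1 syntax diagram at the end of this hunk shows an option-data field after option-type, but Case 1 is defined a few lines earlier as "A single byte of option-type". Since -01 already rewrites this paragraph to cite [RFC0791], either correct the diagram so Case 1 shows the option-type byte alone, or fix the case label above it.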
skipping to change at page 19, line 45 skipping to change at page 19, line 45
4.16. Extended Internet Protocol (Type = 145) 4.16. Extended Internet Protocol (Type = 145)
4.16.1. Uses 4.16.1. Uses
The EIP option was introduced by one of the proposals submitted The EIP option was introduced by one of the proposals submitted
during the IPng efforts to address the problem of IPv4 address during the IPng efforts to address the problem of IPv4 address
exhaustion. exhaustion.
4.16.2. Option Specification 4.16.2. Option Specification
Specified in [RFC1385]. This option is in the process of being Specified in [RFC1385]. This option has been formally obsoleted by
formally obsoleted by [I-D.gp-intarea-obsolete-ipv4-options-iana]. [RFC6814].
4.16.3. Threats 4.16.3. Threats
There are no know threats arising from this option, other than the There are no know threats arising from this option, other than the
general security implications of IP options discussed in Section 3. general security implications of IP options discussed in Section 3.
4.16.4. Operational and Interoperability Impact if Blocked 4.16.4. Operational and Interoperability Impact if Blocked
None. None.
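Review bot: Section 4.16.3 still says "There are no know threats arising from this option" in both versions; "know" should be "known". The identical sentence in 4.17.3 needs the same fix.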
skipping to change at page 20, line 24 skipping to change at page 20, line 24
4.17. Address Extension (Type = 147) 4.17. Address Extension (Type = 147)
4.17.1. Uses 4.17.1. Uses
The Address Extension option was introduced by one of the proposals The Address Extension option was introduced by one of the proposals
submitted during the IPng efforts to address the problem of IPv4 submitted during the IPng efforts to address the problem of IPv4
address exhaustion. address exhaustion.
4.17.2. Option Specification 4.17.2. Option Specification
Specified in [RFC1475]. This option is in the process of being Specified in [RFC1475]. This option has been formally obsoleted by
formally obsoleted by [I-D.gp-intarea-obsolete-ipv4-options-iana]. [RFC6814].
4.17.3. Threats 4.17.3. Threats
There are no know threats arising from this option, other than the There are no know threats arising from this option, other than the
general security implications of IP options discussed in Section 3. general security implications of IP options discussed in Section 3.
4.17.4. Operational and Interoperability Impact if Blocked 4.17.4. Operational and Interoperability Impact if Blocked
None. None.
skipping to change at page 21, line 32 skipping to change at page 21, line 32
The Dynamic Packet State option was used to specify specified Dynamic The Dynamic Packet State option was used to specify specified Dynamic
Packet State (DPS) in the context of the differentiated service Packet State (DPS) in the context of the differentiated service
architecture. architecture.
4.19.2. Option Specification 4.19.2. Option Specification
The Dynamic Packet State option was specified in The Dynamic Packet State option was specified in
[I-D.stoica-diffserv-dps]. The aforementioned document was meant to [I-D.stoica-diffserv-dps]. The aforementioned document was meant to
be published as "Experimental", but never made it into an RFC. This be published as "Experimental", but never made it into an RFC. This
option is in the process of being formally obsoleted by option has been formally obsoleted by [RFC6814].
[I-D.gp-intarea-obsolete-ipv4-options-iana].
4.19.3. Threats 4.19.3. Threats
Possible threats include theft of service and Denial of Service. Possible threats include theft of service and Denial of Service.
However, we note that is option has never been widely implemented or However, we note that is option has never been widely implemented or
deployed. deployed.
4.19.4. Operational and Interoperability Impact if Blocked 4.19.4. Operational and Interoperability Impact if Blocked
None. None.
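Review bot: Two wording errors in the unchanged text of 4.19 survive this revision. The Uses text above 4.19.2 reads "was used to specify specified Dynamic Packet State (DPS)", and 4.19.3 reads "we note that is option has never been widely implemented". Suggest "was used to specify Dynamic Packet State (DPS)" and "this option".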
skipping to change at page 22, line 17 skipping to change at page 22, line 14
4.20.1. Uses 4.20.1. Uses
This option was meant to solve the problem of doing upstream This option was meant to solve the problem of doing upstream
forwarding of multicast packets on a multi-access LAN. forwarding of multicast packets on a multi-access LAN.
4.20.2. Option Specification 4.20.2. Option Specification
This option was originally specified in [draft-farinacci-bidir-pim]. This option was originally specified in [draft-farinacci-bidir-pim].
Its use was obsoleted by [RFC5015], which employs a control plane Its use was obsoleted by [RFC5015], which employs a control plane
mechanism to solve the problem of doing upstream forwarding of mechanism to solve the problem of doing upstream forwarding of
multicast packets on a multi-access LAN. This option is in the multicast packets on a multi-access LAN. This option has been
process of being formally obsoleted by formally obsoleted by [RFC6814].
[I-D.gp-intarea-obsolete-ipv4-options-iana].
4.20.3. Threats 4.20.3. Threats
TBD. TBD.
4.20.4. Operational and Interoperability Impact if Blocked 4.20.4. Operational and Interoperability Impact if Blocked
None. None.
4.20.5. Advice 4.20.5. Advice
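Review bot: Section 4.20.3 (Threats) is still "TBD." in -01 even though 4.20.2 was updated in this revision. The advice in 4.20.5 needs a stated threat assessment behind it; either fill this in or, as 4.16.3 and 4.17.3 do, state that no threats are known beyond the general implications discussed in Section 3.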
skipping to change at page 25, line 7 skipping to change at page 24, line 47
Copy Class Number Value Name Reference Copy Class Number Value Name Reference
---- ----- ------ ----- ------------------------------- ------------ ---- ----- ------ ----- ------------------------------- ------------
0 0 10 10 ZSU - Experimental Measurement [ZSu] 0 0 10 10 ZSU - Experimental Measurement [ZSu]
1 2 13 205 FINN - Experimental Flow Control [Finn] 1 2 13 205 FINN - Experimental Flow Control [Finn]
0 0 15 15 ENCODE - ??? [VerSteeg] 0 0 15 15 ENCODE - ??? [VerSteeg]
1 0 16 144 IMITD - IMI Traffic Descriptor [Lee] 1 0 16 144 IMITD - IMI Traffic Descriptor [Lee]
1 0 22 150 - Unassigned (Released 18 Oct. 2005) 1 0 22 150 - Unassigned (Released 18 Oct. 2005)
5. IANA Considerations 5. IANA Considerations
The "IP OPTION NUMBERS" registry [IANA-IP] contains the list of the This document has no actions for IANA.
currently assigned IP option numbers. This registry also denotes an
obsoleted IP Option Number by marking it with a single asterisk
("*"). The Stream Identifier Option (Type = 136) is obsolete (see
Section 4.6 and should therefore be marked as such.
[[ IANA is requested to mark it as such, please remove this note upon
publication. ]] [[ IANA is also requested to fix the "Expermental"
typo. ]]
6. Security Considerations 6. Security Considerations
This document provides advice on the filtering of IP packets that This document provides advice on the filtering of IP packets that
contain IP options. Dropping such packets can help to mitigate the contain IP options. Dropping such packets can help to mitigate the
security issues that arise from use of different IP options. security issues that arise from use of different IP options.
7. Acknowledgements 7. Acknowledgements
The authors would like to thank Panos Kampanakis and Donald Smith for The authors would like to thank Panos Kampanakis and Donald Smith for
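Review bot: Section 5 drops the -00 request to mark the Stream Identifier Option (Type = 136) as obsolete in the "IP OPTION NUMBERS" registry and replaces it with "This document has no actions for IANA." without saying where that action went. If the registry update is now handled by another document, say so here or in a change log, so the obsolete status described in Section 4.6 stays traceable.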
skipping to change at page 25, line 42 skipping to change at page 25, line 30
Fernando Gont would like to thank UK CPNI (formerly NISCC) for their Fernando Gont would like to thank UK CPNI (formerly NISCC) for their
continued support. continued support.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981. September 1981.
[RFC1108] Kent, S., "U.S", RFC 1108, November 1991.
[RFC1122] Braden, R., "Requirements for Internet Hosts - [RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989. Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
November 1990. November 1990.
[RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi-
Destination Delivery", RFC 1770, March 1995.
[RFC1812] Baker, F., "Requirements for IP Version 4 Routers", [RFC1812] Baker, F., "Requirements for IP Version 4 Routers",
RFC 1812, June 1995. RFC 1812, June 1995.
[RFC2113] Katz, D., "IP Router Alert Option", RFC 2113, [RFC2113] Katz, D., "IP Router Alert Option", RFC 2113,
February 1997. February 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006. ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006.
[RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
Start for TCP and IP", RFC 4782, January 2007.
[RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano, [RFC5015] Handley, M., Kouvelas, I., Speakman, T., and L. Vicisano,
"Bidirectional Protocol Independent Multicast (BIDIR- "Bidirectional Protocol Independent Multicast (BIDIR-
PIM)", RFC 5015, October 2007. PIM)", RFC 5015, October 2007.
8.2. Informative References 8.2. Informative References
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference <http:// CanSecWest 2007 Security Conference <http://
www.secdev.org/conf/IPv6_RH_security-csw07.pdf>, 2007. www.secdev.org/conf/IPv6_RH_security-csw07.pdf>, 2007.
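Review bot: [RFC1108], [RFC1770] and [RFC4782] move out of 8.1 in this hunk, but [RFC5015] stays normative although the only citation of it visible in this diff (4.20.2) is historical: "Its use was obsoleted by [RFC5015]". Consider moving it to 8.2 with the others, or note why it is required to implement the advice.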
skipping to change at page 27, line 17 skipping to change at page 26, line 43
Reference, Release 12.2 - IP Security Options Commands", Reference, Release 12.2 - IP Security Options Commands",
<http://www.cisco.com/en/US/docs/ios/12_2/security/ <http://www.cisco.com/en/US/docs/ios/12_2/security/
command/reference/srfipso.html>. command/reference/srfipso.html>.
[FIPS1994] [FIPS1994]
FIPS, "Standard Security Label for Information Transfer", FIPS, "Standard Security Label for Information Transfer",
Federal Information Processing Standards Publication. FIP Federal Information Processing Standards Publication. FIP
PUBS 188, <http://csrc.nist.gov/publications/fips/ PUBS 188, <http://csrc.nist.gov/publications/fips/
fips188/fips188.pdf>, 1994. fips188/fips188.pdf>, 1994.
[I-D.gp-intarea-obsolete-ipv4-options-iana]
Pignataro, C. and F. Gont, "Formally Obsoleting some
Historic IPv4 Options",
draft-gp-intarea-obsolete-ipv4-options-iana-00 (work in
progress), February 2012.
[I-D.stoica-diffserv-dps] [I-D.stoica-diffserv-dps]
Stoica, I., Zhang, H., Baker, F., and Y. Bernet, "Per Hop Stoica, I., Zhang, H., Baker, F., and Y. Bernet, "Per Hop
Behaviors Based on Dynamic Packet State", Behaviors Based on Dynamic Packet State",
draft-stoica-diffserv-dps-02 (work in progress), draft-stoica-diffserv-dps-02 (work in progress),
October 2002. October 2002.
[IANA-IP] Internet Assigned Numbers Authority, "IP OPTION NUMBERS", [IANA-IP] Internet Assigned Numbers Authority, "IP OPTION NUMBERS",
April 2011, April 2011,
<http://www.iana.org/assignments/ip-parameters>. <http://www.iana.org/assignments/ip-parameters>.
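Review bot: The [IANA-IP] entry is kept here while the Section 5 text that cited it is removed in -01. Check that [IANA-IP] is still cited elsewhere in the document; if it is not, drop the entry together with [I-D.gp-intarea-obsolete-ipv4-options-iana].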
skipping to change at page 28, line 22 skipping to change at page 27, line 43
OpenBSD, "OpenBSD Security Advisory: IP Source Routing OpenBSD, "OpenBSD Security Advisory: IP Source Routing
Problem", 1998, Problem", 1998,
<http://www.openbsd.org/advisories/sourceroute.txt>. <http://www.openbsd.org/advisories/sourceroute.txt>.
[RFC1038] St. Johns, M., "Draft revised IP security option", [RFC1038] St. Johns, M., "Draft revised IP security option",
RFC 1038, January 1988. RFC 1038, January 1988.
[RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP [RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP
MTU discovery options", RFC 1063, July 1988. MTU discovery options", RFC 1063, July 1988.
[RFC1108] Kent, S., "U.S", RFC 1108, November 1991.
[RFC1385] Wang, Z., "EIP: The Extended Internet Protocol", RFC 1385, [RFC1385] Wang, Z., "EIP: The Extended Internet Protocol", RFC 1385,
November 1992. November 1992.
[RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393, [RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393,
January 1993. January 1993.
[RFC1475] Ullmann, R., "TP/IX: The Next Internet", RFC 1475, [RFC1475] Ullmann, R., "TP/IX: The Next Internet", RFC 1475,
June 1993. June 1993.
[RFC1770] Graff, C., "IPv4 Option for Sender Directed Multi-
Destination Delivery", RFC 1770, March 1995.
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, September 1997. Functional Specification", RFC 2205, September 1997.
[RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec
Configuration Policy Information Model", RFC 3585, Configuration Policy Information Model", RFC 3585,
August 2003. August 2003.
[RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
Start for TCP and IP", RFC 4782, January 2007.
[RFC4807] Baer, M., Charlet, R., Hardaker, W., Story, R., and C. [RFC4807] Baer, M., Charlet, R., Hardaker, W., Story, R., and C.
Wang, "IPsec Security Policy Database Configuration MIB", Wang, "IPsec Security Policy Database Configuration MIB",
RFC 4807, March 2007. RFC 4807, March 2007.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
RFC 4949, August 2007. RFC 4949, August 2007.
[RFC5350] Manner, J. and A. McDonald, "IANA Considerations for the [RFC5350] Manner, J. and A. McDonald, "IANA Considerations for the
IPv4 and IPv6 Router Alert Options", RFC 5350, IPv4 and IPv6 Router Alert Options", RFC 5350,
September 2008. September 2008.
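Review bot: The [RFC1108] entry arrives in 8.2 with its title still truncated to "U.S" (Kent, S., "U.S", RFC 1108, November 1991), carried over verbatim from 8.1. Replace it with the full RFC title while the entry is being moved.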
skipping to change at page 29, line 11 skipping to change at page 28, line 40
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, July 2009. RFC 5570, July 2009.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, March 2011. Router Control Plane", RFC 6192, March 2011.
[RFC6398] Le Faucheur, F., "IP Router Alert Considerations and [RFC6398] Le Faucheur, F., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, October 2011. Usage", BCP 168, RFC 6398, October 2011.
[RFC6814] Pignataro, C. and F. Gont, "Formally Deprecating Some IPv4
Options", RFC 6814, November 2012.
[SELinux2008] [SELinux2008]
Security Enhanced Linux, "http://www.nsa.gov/selinux/". Security Enhanced Linux, "http://www.nsa.gov/selinux/".
[Solaris2008] [Solaris2008]
Solaris Trusted Extensions - Labeled Security for Absolute Solaris Trusted Extensions - Labeled Security for Absolute
Protection, "http://www.sun.com/software/solaris/ds/ Protection, "http://www.sun.com/software/solaris/ds/
trusted_extensions.jsp#3", 2008. trusted_extensions.jsp#3", 2008.
[draft-farinacci-bidir-pim] [draft-farinacci-bidir-pim]
Estrin, D. and D. Farinacci, "Bi-Directional Shared Trees Estrin, D. and D. Farinacci, "Bi-Directional Shared Trees
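Review bot: The new [RFC6814] entry is titled "Formally Deprecating Some IPv4 Options", while the updated text in 4.16.2, 4.17.2, 4.19.2 and 4.20.2 says each option "has been formally obsoleted by [RFC6814]". Pick one term and use it consistently, preferably the one the cited RFC uses.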
 End of changes. 20 change blocks. 
41 lines changed or deleted 28 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/