draft-ietf-opsec-ipv6-eh-filtering-00.txt   draft-ietf-opsec-ipv6-eh-filtering-01.txt 
opsec F. Gont opsec F. Gont
Internet-Draft UTN-FRH / SI6 Networks Internet-Draft UTN-FRH / SI6 Networks
Intended status: Informational W. Liu Intended status: Informational W. Liu
Expires: September 10, 2015 Huawei Technologies Expires: January 9, 2017 Huawei Technologies
R. Bonica R. Bonica
Juniper Networks Juniper Networks
March 9, 2015 July 8, 2016
Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension
Headers Headers
draft-ietf-opsec-ipv6-eh-filtering-00.txt draft-ietf-opsec-ipv6-eh-filtering-01
Abstract Abstract
It is common operator practice to mitigate security risks by It is common operator practice to mitigate security risks by
enforcing appropriate packet filtering. This document analyzes both enforcing appropriate packet filtering. This document analyzes both
the general security implications of IPv6 Extension Headers and the the general security implications of IPv6 Extension Headers and the
specific security implications of each Extension Header and Option specific security implications of each Extension Header and Option
type, and provides advice on the filtering of IPv6 packets based on type, and provides advice on the filtering of IPv6 packets based on
the IPv6 Extension Headers and the IPv6 options they contain. the IPv6 Extension Headers and the IPv6 options they contain.
Additionally, it discusses the operational and interoperability Additionally, it discusses the operational and interoperability
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2015. This Internet-Draft will expire on January 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 40 skipping to change at page 2, line 40
4.2. General Security Implications of IPv6 Options . . . . . . 15 4.2. General Security Implications of IPv6 Options . . . . . . 15
4.3. Advice on the Handling of Packets with Specific IPv6 4.3. Advice on the Handling of Packets with Specific IPv6
Options . . . . . . . . . . . . . . . . . . . . . . . . . 15 Options . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.4. Advice on the handling of Packets with Unknown IPv6 4.4. Advice on the handling of Packets with Unknown IPv6
Options . . . . . . . . . . . . . . . . . . . . . . . . . 26 Options . . . . . . . . . . . . . . . . . . . . . . . . . 26
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27
6. Security Considerations . . . . . . . . . . . . . . . . . . . 27 6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 27
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
8.1. Normative References . . . . . . . . . . . . . . . . . . 27 8.1. Normative References . . . . . . . . . . . . . . . . . . 27
8.2. Informative References . . . . . . . . . . . . . . . . . 29 8.2. Informative References . . . . . . . . . . . . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
1. Introduction 1. Introduction
Recent studies (see e.g. [I-D.gont-v6ops-ipv6-ehs-in-real-world]) Recent studies (see e.g. [RFC7872]) suggest that there is widespread
suggest that there is widespread filtering of IPv6 packets that filtering of IPv6 packets that contain IPv6 Extension Headers (EHs).
contain IPv6 Extension Headers (EHs). While some operators While some operators "officially" filter packets that contain IPv6
"officially" filter packets that contain IPv6 EHs, it is possible EHs, it is possible that some of the measured packet drops be the
that some of the measured packet drops be the result of improper result of improper configuration defaults, or inappropriate advice in
configuration defaults, or inappropriate advice in this area. this area.
This document analyzes both the general security implications of IPv6 This document analyzes both the general security implications of IPv6
EHs and the specific security implications of each EH and Option EHs and the specific security implications of each EH and Option
type, and provides advice on the filtering of IPv6 packets based on type, and provides advice on the filtering of IPv6 packets based on
the IPv6 EHs and the IPv6 options they contain. Since various the IPv6 EHs and the IPv6 options they contain. Since various
protocols may use IPv6 EHs (possibly with IPv6 options), discarding protocols may use IPv6 EHs (possibly with IPv6 options), discarding
packets based on the IPv6 EHs or IPv6 options they contain may have packets based on the IPv6 EHs or IPv6 options they contain may have
implications on the proper functioning of such protocols. Thus, this implications on the proper functioning of such protocols. Thus, this
document also attempts to discuss the operational and document also attempts to discuss the operational and
interoperability implications of such filtering policies. This interoperability implications of such filtering policies. This
skipping to change at page 4, line 24 skipping to change at page 4, line 24
o The discard policy for each standard type of EH MUST be o The discard policy for each standard type of EH MUST be
individually configurable. individually configurable.
o The default configuration SHOULD allow all standard IPv6 EHs. o The default configuration SHOULD allow all standard IPv6 EHs.
The advice provided in this document is only meant to guide an The advice provided in this document is only meant to guide an
operator in configuring forwarding devices, and is *not* to be operator in configuring forwarding devices, and is *not* to be
interpreted as advice regarding default configuration settings for interpreted as advice regarding default configuration settings for
network devices. That is, this document provides advice with respect network devices. That is, this document provides advice with respect
to operational configurations, but does not change the implementation to operational configurations, but does not change the implementation
defaults required by [RFC7045] and defaults required by [RFC7045]. We note that the advice provided in
[draft-gont-6man-ipv6-opt-transmit]. We note that the advice this document is *not* meant to be employed by transit routers for
provided in this document is *not* meant to be employed by transit transit traffic, since such devices should not enforce this type of
routers for transit traffic, since such devices should not enforce filtering policy on traffic not directed to them.
this type of filtering policy on traffic not directed to them.
We recommend that a configuration option is made available to govern We recommend that configuration options are made available to govern
the processing of each IPv6 EH type and each IPv6 option type. Such the processing of each IPv6 EH type and each IPv6 option type. Such
configuration options may include the following possible settings: configuration options may include the following possible settings:
o Permit this IPv6 EH or IPv6 Option type o Permit this IPv6 EH or IPv6 Option type
o Discard (and log) packets containing this IPv6 EH or option type o Discard (and log) packets containing this IPv6 EH or option type
o Reject (and log) packets containing this IPv6 EH or option type o Reject (and log) packets containing this IPv6 EH or option type
(where the packet drop is signaled with an ICMPv6 error message) (where the packet drop is signaled with an ICMPv6 error message)
o Rate-limit traffic containing this IPv6 EH or option type o Rate-limit traffic containing this IPv6 EH or option type
o Ignore this IPv6 EH or option type (as if it was not present) and o Ignore this IPv6 EH or option type (as if it was not present) and
forward the packet. We noted that if a packet carries forwarding forward the packet. We note that if a packet carries forwarding
information (e.g., in an IPv6 Routing Header) this might be an information (e.g., in an IPv6 Routing Header) this might be an
inappropriate or undesirable action. inappropriate or undesirable action.
We note that special care needs to be taken when devices log packet We note that special care needs to be taken when devices log packet
drops/rejects. Devices should count the number of packets dropped/ drops/rejects. Devices should count the number of packets dropped/
rejected, but the logging of drop/reject events should be limited so rejected, but the logging of drop/reject events should be limited so
as to not overburden device resources. as to not overburden device resources.
Finally, we note that when discarding packets, it is generally Finally, we note that when discarding packets, it is generally
desirable that the sender be signaled of the packet drop, since this desirable that the sender be signaled of the packet drop, since this
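Review bot: Dropping [draft-gont-6man-ipv6-opt-transmit] from the sentence on implementation defaults leaves [RFC7045] as the only citation, while the next paragraph still asks for per-type settings for both IPv6 EHs and IPv6 options. If the removed draft was the source for option-side defaults, say explicitly that no such defaults are currently referenced, so readers do not assume [RFC7045] covers both.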
skipping to change at page 5, line 42 skipping to change at page 5, line 42
inspected before giving up. In circumstances where there is such inspected before giving up. In circumstances where there is such
a limitation, it is recommended that implementations discard a limitation, it is recommended that implementations discard
packets if, when trying to determine whether to discard or permit packets if, when trying to determine whether to discard or permit
a packet, the aforementioned limit is encountered. a packet, the aforementioned limit is encountered.
3.2. General Security Implications 3.2. General Security Implications
Depending on the specific device architecture, IPv6 packets that Depending on the specific device architecture, IPv6 packets that
contain IPv6 EHs may cause the corresponding packets to be processed contain IPv6 EHs may cause the corresponding packets to be processed
on the slow path, and hence may be leveraged for the purpose of on the slow path, and hence may be leveraged for the purpose of
Denial of Service (DoS) attacks [Cisco-EH] [FW-Benchmark]. Denial of Service (DoS) attacks
[I-D.gont-v6ops-ipv6-ehs-packet-drops] [Cisco-EH] [FW-Benchmark].
Operators are urged to consider IPv6 EH filtering and IPv6 options Operators are urged to consider IPv6 EH filtering and IPv6 options
handling capabilities of different devices as they make deployment handling capabilities of different devices as they make deployment
decisions in future. decisions in future.
3.3. Advice on the Handling of IPv6 Packets with Specific IPv6 3.3. Advice on the Handling of IPv6 Packets with Specific IPv6
Extension Headers Extension Headers
3.3.1. IPv6 Hop-by-Hop Options (Protocol Number=0) 3.3.1. IPv6 Hop-by-Hop Options (Protocol Number=0)
skipping to change at page 6, line 37 skipping to change at page 6, line 37
o Type 0x07: CALIPSO [RFC5570] o Type 0x07: CALIPSO [RFC5570]
o Type 0x08: SMF_DPD [RFC6621] o Type 0x08: SMF_DPD [RFC6621]
o Type 0x26: Quick-Start [RFC4782] o Type 0x26: Quick-Start [RFC4782]
o Type 0x4D: (Deprecated) o Type 0x4D: (Deprecated)
o Type 0x63: RPL Option [RFC6553] o Type 0x63: RPL Option [RFC6553]
o Type 0x6D: MPL Option [I-D.ietf-roll-trickle-mcast] o Type 0x6D: MPL Option [RFC7731]
o Type 0x8A: Endpoint Identification (Deprecated) o Type 0x8A: Endpoint Identification (Deprecated)
[draft-ietf-nimrod-eid] [draft-ietf-nimrod-eid]
o Type 0xC2: Jumbo Payload [RFC2675] o Type 0xC2: Jumbo Payload [RFC2675]
o Type 0xEE: IPv6 DFF Header [RFC6971] o Type 0xEE: IPv6 DFF Header [RFC6971]
o Type 0x1E: RFC3692-style Experiment [RFC4727] o Type 0x1E: RFC3692-style Experiment [RFC4727]
skipping to change at page 7, line 14 skipping to change at page 7, line 14
o Type 0x9E: RFC3692-style Experiment [RFC4727] o Type 0x9E: RFC3692-style Experiment [RFC4727]
o Type 0xBE: RFC3692-style Experiment [RFC4727] o Type 0xBE: RFC3692-style Experiment [RFC4727]
o Type 0xDE: RFC3692-style Experiment [RFC4727] o Type 0xDE: RFC3692-style Experiment [RFC4727]
o Type 0xFE: RFC3692-style Experiment [RFC4727] o Type 0xFE: RFC3692-style Experiment [RFC4727]
3.3.1.3. Specific Security Implications 3.3.1.3. Specific Security Implications
Since this EH should be processed by all intermediate-systems en Since this EH is required to be processed by all intermediate-systems
route, it can be leveraged to perform Denial of Service attacks en route, it can be leveraged to perform Denial of Service attacks
against the network infrastructure. against the network infrastructure.
NOTE: Ongoing work essentially aims at requiring the Hop-by-Hop
Option EH to be processed only in cases where the intermmediate node
is making use of any functionality provided by such header (see
[I-D.ietf-6man-hbh-header-handling]). However, the deployed base is
likely to reflect the traditional behavior for a while, and hence the
potential security problems of this EH are still of concern.
3.3.1.4. Operational and Interoperability Impact if Blocked 3.3.1.4. Operational and Interoperability Impact if Blocked
Discarding packets containing a Hop-by-Hop Option EH would break any Discarding packets containing a Hop-by-Hop Options EH would break any
of the protocols that rely on it for proper functioning. For of the protocols that rely on it for proper functioning. For
example, it would break RSVP [RFC2205] and multicast deployments, and example, it would break RSVP [RFC2205] and multicast deployments, and
would cause IPv6 jumbograms to be discarded. would cause IPv6 jumbograms to be discarded.
3.3.1.5. Advice 3.3.1.5. Advice
The recommended configuration for the processing of these packets The recommended configuration for the processing of these packets
depends on the features and capabilities of the underlying platform. depends on the features and capabilities of the underlying platform.
On platforms that allow forwarding of packets with HBH Options on the On platforms that allow forwarding of packets with HBH Options on the
fast path, we recommend that packets with a HBH Options EH be fast path, we recommend that packets with a HBH Options EH be
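Review bot: The NOTE added to 3.3.1.3 misspells "intermmediate" and says "Hop-by-Hop Option EH", while this same revision corrects 3.3.1.4 to "Hop-by-Hop Options EH". Use "intermediate" and the plural "Options" in the NOTE as well; "only where the intermediate node makes use of functionality provided by that header" would also read more cleanly than "is making use of any functionality provided by such header".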
skipping to change at page 9, line 19 skipping to change at page 9, line 25
This EH provides the fragmentation functionality for IPv6. This EH provides the fragmentation functionality for IPv6.
3.3.3.2. Specification 3.3.3.2. Specification
This EH is specified in [RFC2460]. This EH is specified in [RFC2460].
3.3.3.3. Specific Security Implications 3.3.3.3. Specific Security Implications
The security implications of the Fragment Header range from Denial of The security implications of the Fragment Header range from Denial of
Service attacks (e.g. based on flooding a target with IPv6 fragments) Service attacks (e.g. based on flooding a target with IPv6 fragments)
to information leakage attacks to information leakage attacks [RFC7739].
[I-D.ietf-6man-predictable-fragment-id].
3.3.3.4. Operational and Interoperability Impact if Blocked 3.3.3.4. Operational and Interoperability Impact if Blocked
Blocking packets that contain a Fragment Header will break any Blocking packets that contain a Fragment Header will break any
protocol that may rely on fragmentation (e.g., the DNS [RFC1034]). protocol that may rely on fragmentation (e.g., the DNS [RFC1034]).
3.3.3.5. Advice 3.3.3.5. Advice
Intermediate systems should permit packets that contain a Fragment Intermediate systems should permit packets that contain a Fragment
Header. Header.
skipping to change at page 11, line 41 skipping to change at page 11, line 41
o Type 0xBE: RFC3692-style Experiment [RFC4727] o Type 0xBE: RFC3692-style Experiment [RFC4727]
o Type 0xDE: RFC3692-style Experiment [RFC4727] o Type 0xDE: RFC3692-style Experiment [RFC4727]
o Type 0xFE: RFC3692-style Experiment [RFC4727] o Type 0xFE: RFC3692-style Experiment [RFC4727]
3.3.6.3. Specific Security Implications 3.3.6.3. Specific Security Implications
No security implications are known, other than the general No security implications are known, other than the general
implications of IPv6 EHs. implications of IPv6 EHs. For a discussion of possible security
implications of specific options specified for the DO header, please
see the Section 4.3.
3.3.6.4. Operational and Interoperability Impact if Blocked 3.3.6.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain a Destination Options header would Discarding packets that contain a Destination Options header would
break protocols that rely on this EH type for conveying information, break protocols that rely on this EH type for conveying information,
including protocols such as ILNP [RFC6740] and Mobile IPv6 [RFC6275], including protocols such as ILNP [RFC6740] and Mobile IPv6 [RFC6275],
and IPv6 tunnels that employ the Tunnel Encapsulation Limit option. and IPv6 tunnels that employ the Tunnel Encapsulation Limit option.
3.3.6.5. Advice 3.3.6.5. Advice
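Review bot: The sentence added to 3.3.6.3 uses "DO header", an abbreviation that none of the surrounding lines expand, and reads "please see the Section 4.3". Suggest "Destination Options header", the term 3.3.6.4 already uses, and "see Section 4.3".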
skipping to change at page 12, line 24 skipping to change at page 12, line 24
The Mobility Header is an EH used by mobile nodes, correspondent The Mobility Header is an EH used by mobile nodes, correspondent
nodes, and home agents in all messaging related to the creation and nodes, and home agents in all messaging related to the creation and
management of bindings in Mobile IPv6. management of bindings in Mobile IPv6.
3.3.7.2. Specification 3.3.7.2. Specification
This EH is specified in [RFC6275]. This EH is specified in [RFC6275].
3.3.7.3. Specific Security Implications 3.3.7.3. Specific Security Implications
TBD. A thorough security assessment of the security implications of the
Mobility Header and related mechanisms can be found in Section 15 of
[RFC6275].
3.3.7.4. Operational and Interoperability Impact if Blocked 3.3.7.4. Operational and Interoperability Impact if Blocked
Discarding packets containing this EH would break Mobile IPv6. Discarding packets containing this EH would break Mobile IPv6.
3.3.7.5. Advice 3.3.7.5. Advice
Intermediate systems should permit packets containing this EH. Intermediate systems should permit packets containing this EH.
3.3.8. Host Identity Protocol (Protocol Number=139) 3.3.8. Host Identity Protocol (Protocol Number=139)
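Review bot: In 3.3.7.3 the replacement for "TBD." opens with "A thorough security assessment of the security implications", which repeats itself. "A thorough assessment of the security implications of the Mobility Header and related mechanisms" says the same thing.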
skipping to change at page 12, line 50 skipping to change at page 13, line 7
establish and maintain shared IP-layer state, allowing separation of establish and maintain shared IP-layer state, allowing separation of
the identifier and locator roles of IP addresses, thereby enabling the identifier and locator roles of IP addresses, thereby enabling
continuity of communications across IP address changes. continuity of communications across IP address changes.
3.3.8.2. Specification 3.3.8.2. Specification
This EH is specified in [RFC5201]. This EH is specified in [RFC5201].
3.3.8.3. Specific Security Implications 3.3.8.3. Specific Security Implications
TBD. The security implications of the HIP header are discussed in detail
in Section 8 of [RFC6275].
3.3.8.4. Operational and Interoperability Impact if Blocked 3.3.8.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain the Host Identity Protocol would Discarding packets that contain the Host Identity Protocol would
break HIP deployments. break HIP deployments.
3.3.8.5. Advice 3.3.8.5. Advice
Intermediate systems should permit packets that contain a Host Intermediate systems should permit packets that contain a Host
Identity Protocol EH. Identity Protocol EH.
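Review bot: The new text in 3.3.8.3 points to Section 8 of [RFC6275] for the HIP header, but 3.3.8.2 says this EH is specified in [RFC5201], and [RFC6275] is the reference this document uses for the Mobility Header and Mobile IPv6 (3.3.7.2). This looks like a citation carried over from the previous subsection; check that the reference names the HIP specification and that the section number matches that document.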
skipping to change at page 13, line 27 skipping to change at page 13, line 32
3.3.9.1. Uses 3.3.9.1. Uses
This EH is employed by the Shim6 [RFC5533] Protocol. This EH is employed by the Shim6 [RFC5533] Protocol.
3.3.9.2. Specification 3.3.9.2. Specification
This EH is specified in [RFC5533]. This EH is specified in [RFC5533].
3.3.9.3. Specific Security Implications 3.3.9.3. Specific Security Implications
TBD. The specific security implications are discussed in detail in
Section 16 of [RFC5533].
3.3.9.4. Operational and Interoperability Impact if Blocked 3.3.9.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain this EH will break Shim6. Discarding packets that contain this EH will break Shim6.
3.3.9.5. Advice 3.3.9.5. Advice
Intermediate systems should permit packets containing this EH. Intermediate systems should permit packets containing this EH.
3.3.10. Use for experimentation and testing (Protocol Numbers=253 and 3.3.10. Use for experimentation and testing (Protocol Numbers=253 and
skipping to change at page 15, line 44 skipping to change at page 15, line 44
that contain IPv6 options might need to be processed by an IPv6 that contain IPv6 options might need to be processed by an IPv6
router's general-purpose CPU,and hence could present a DDoS risk to router's general-purpose CPU,and hence could present a DDoS risk to
that router's general-purpose CPU (and thus to the router itself). that router's general-purpose CPU (and thus to the router itself).
For some architectures, a possible mitigation would be to rate-limit For some architectures, a possible mitigation would be to rate-limit
the packets that are to be processed by the general-purpose CPU (see the packets that are to be processed by the general-purpose CPU (see
e.g. [Cisco-EH]). e.g. [Cisco-EH]).
4.3. Advice on the Handling of Packets with Specific IPv6 Options 4.3. Advice on the Handling of Packets with Specific IPv6 Options
The following subsections contain a description of each of the IPv6 The following subsections contain a description of each of the IPv6
options that have so far been specified, a discussion of possible options that have so far been specified, a summary of the security
implications of each of such options, a discussion of possible
interoperability implications if packets containing such options are interoperability implications if packets containing such options are
discarded, and specific advice regarding whether packets containing discarded, and specific advice regarding whether packets containing
these options should be permitted. these options should be permitted.
4.3.1. Pad1 (Type=0x00) 4.3.1. Pad1 (Type=0x00)
4.3.1.1. Uses 4.3.1.1. Uses
This option is used when necessary to align subsequent options and to This option is used when necessary to align subsequent options and to
pad out the containing header to a multiple of 8 octets in length. pad out the containing header to a multiple of 8 octets in length.
skipping to change at page 17, line 23 skipping to change at page 17, line 23
The Jumbo payload option provides the means of specifying payloads The Jumbo payload option provides the means of specifying payloads
larger than 65535 bytes. larger than 65535 bytes.
4.3.3.2. Specification 4.3.3.2. Specification
This option is specified in [RFC2675]. This option is specified in [RFC2675].
4.3.3.3. Specific Security Implications 4.3.3.3. Specific Security Implications
TBD. There are no specific issues arising from this option, except for
improper validity checks of the option and associated packet lengths.
4.3.3.4. Operational and Interoperability Impact if Blocked 4.3.3.4. Operational and Interoperability Impact if Blocked
Discarding packets based on the presence of this option will cause Discarding packets based on the presence of this option will cause
IPv6 jumbograms to be discarded. IPv6 jumbograms to be discarded.
4.3.3.5. Advice 4.3.3.5. Advice
Intermediate systems should discard packets that contain this option. Intermediate systems should discard packets that contain this option.
An operator should permit this option only in specific scenarios in An operator should permit this option only in specific scenarios in
skipping to change at page 17, line 49 skipping to change at page 17, line 50
The RPL Option provides a mechanism to include routing information The RPL Option provides a mechanism to include routing information
with each datagram that an RPL router forwards. with each datagram that an RPL router forwards.
4.3.4.2. Specification 4.3.4.2. Specification
This option is specified in [RFC6553]. This option is specified in [RFC6553].
4.3.4.3. Specific Security Implications 4.3.4.3. Specific Security Implications
TBD. Those described in [RFC6553].
4.3.4.4. Operational and Interoperability Impact if Blocked 4.3.4.4. Operational and Interoperability Impact if Blocked
This option is meant to be employed within an RPL instance. As a This option is meant to be employed within an RPL instance. As a
result, discarding packets based on the presence of this option (e.g. result, discarding packets based on the presence of this option (e.g.
at an ISP) will not result in interoperability implications. at an ISP) will not result in interoperability implications.
4.3.4.5. Advice 4.3.4.5. Advice
Non-RPL routers should discard packets that contain an RPL option. Non-RPL routers should discard packets that contain an RPL option.
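Review bot: "Those described in [RFC6553]." in 4.3.4.3 is a sentence fragment with no section pointer, whereas the EH subsections updated in this revision cite a specific section (for example Section 16 of [RFC5533]). Suggest a full sentence that names the relevant section; the same applies to the other "Those described in ..." replacements for "TBD." in Section 4.3.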
skipping to change at page 18, line 28 skipping to change at page 18, line 28
The Tunnel Encapsulation Limit option can be employed to specify how The Tunnel Encapsulation Limit option can be employed to specify how
many further levels of nesting the packet is permitted to undergo. many further levels of nesting the packet is permitted to undergo.
4.3.5.2. Specification 4.3.5.2. Specification
This option is specified in [RFC2473]. This option is specified in [RFC2473].
4.3.5.3. Specific Security Implications 4.3.5.3. Specific Security Implications
TBD. Those described in [RFC2473].
4.3.5.4. Operational and Interoperability Impact if Blocked 4.3.5.4. Operational and Interoperability Impact if Blocked
Discarding packets based on the presence of this option could result Discarding packets based on the presence of this option could result
in tunnel traffic being discarded. in tunnel traffic being discarded.
4.3.5.5. Advice 4.3.5.5. Advice
Intermediate systems should not discard packets based on the presence Intermediate systems should not discard packets based on the presence
of this option. of this option.
skipping to change at page 21, line 49 skipping to change at page 21, line 49
The Home Address option is used by a Mobile IPv6 node while away from The Home Address option is used by a Mobile IPv6 node while away from
home, to inform the recipient of the mobile node's home address. home, to inform the recipient of the mobile node's home address.
4.3.10.2. Specification 4.3.10.2. Specification
This option is specified in [RFC6275]. This option is specified in [RFC6275].
4.3.10.3. Specific Security Implications 4.3.10.3. Specific Security Implications
TBD. No (known) additional security implications than those described in
[RFC6275].
4.3.10.4. Operational and Interoperability Impact if Blocked 4.3.10.4. Operational and Interoperability Impact if Blocked
Discarding IPv6 packets based on the presence of this option will Discarding IPv6 packets based on the presence of this option will
break Mobile IPv6. break Mobile IPv6.
4.3.10.5. Advice 4.3.10.5. Advice
Intermediate systems should not discard IPv6 packets based on the Intermediate systems should not discard IPv6 packets based on the
presence of this option. presence of this option.
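Review bot: In 4.3.10.3, "No (known) additional security implications than those described in [RFC6275]" does not parse, since "additional" needs "beyond" or "other than". Suggest "No security implications are known other than those described in [RFC6275]", which matches the wording already used in 3.3.6.3.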
skipping to change at page 23, line 11 skipping to change at page 23, line 11
packets when ILNPv6 is in use, and as a signal during initial packets when ILNPv6 is in use, and as a signal during initial
network-layer session creation that ILNPv6 is proposed for use with network-layer session creation that ILNPv6 is proposed for use with
this network-layer session, rather than classic IPv6. this network-layer session, rather than classic IPv6.
4.3.12.2. Specification 4.3.12.2. Specification
This option is specified in [RFC6744]. This option is specified in [RFC6744].
4.3.12.3. Specific Security Implications 4.3.12.3. Specific Security Implications
TBD. Those described in [RFC6744].
4.3.12.4. Operational and Interoperability Impact if Blocked 4.3.12.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain this option will break INLPv6 Discarding packets that contain this option will break INLPv6
deployments. deployments.
4.3.12.5. Advice 4.3.12.5. Advice
Intermediate systems should not discard packets based on the presence Intermediate systems should not discard packets based on the presence
of this option. of this option.
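Review bot: 4.3.12.4 still reads "INLPv6" in both versions, while the Uses text just above spells it "ILNPv6". Fix the typo while this subsection is being touched.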
skipping to change at page 23, line 37 skipping to change at page 23, line 37
This option is used by an Edge Router to identify the subscriber This option is used by an Edge Router to identify the subscriber
premises in scenarios where several subscriber premises may be premises in scenarios where several subscriber premises may be
logically connected to the same interface of an Edge Router. logically connected to the same interface of an Edge Router.
4.3.13.2. Specification 4.3.13.2. Specification
This option is specified in [RFC6788]. This option is specified in [RFC6788].
4.3.13.3. Specific Security Implications 4.3.13.3. Specific Security Implications
TBD. Those described in [RFC6788].
4.3.13.4. Operational and Interoperability Impact if Blocked 4.3.13.4. Operational and Interoperability Impact if Blocked
Since this option is meant to be employed in Router Solicitation Since this option is meant to be employed in Router Solicitation
messages, discarding packets based on the presence of this option at messages, discarding packets based on the presence of this option at
intermediate systems will result in no interoperability implications. intermediate systems will result in no interoperability implications.
4.3.13.5. Advice 4.3.13.5. Advice
Intermediate devices should discard packets that contain this option. Intermediate devices should discard packets that contain this option.
skipping to change at page 24, line 38 skipping to change at page 24, line 38
4.3.15. MPL Option (Type=0x6D) 4.3.15. MPL Option (Type=0x6D)
4.3.15.1. Uses 4.3.15.1. Uses
This option is used with the Multicast Protocol for Low power and This option is used with the Multicast Protocol for Low power and
Lossy Networks (MPL), that provides IPv6 multicast forwarding in Lossy Networks (MPL), that provides IPv6 multicast forwarding in
constrained networks. constrained networks.
4.3.15.2. Specification 4.3.15.2. Specification
This option is specified in [I-D.ietf-roll-trickle-mcast], and is This option is specified in [RFC7731], and is meant to be included
meant to be included only in Hop-by-Hop Option headers. only in Hop-by-Hop Option headers.
4.3.15.3. Specific Security Implications 4.3.15.3. Specific Security Implications
TBD. Those described in [RFC7731].
4.3.15.4. Operational and Interoperability Impact if Blocked 4.3.15.4. Operational and Interoperability Impact if Blocked
TBD. TBD.
4.3.15.5. Advice 4.3.15.5. Advice
TBD. TBD.
4.3.16. IP_DFF (Type=0xEE) 4.3.16. IP_DFF (Type=0xEE)
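Review bot: 4.3.15.4 and 4.3.15.5 are still "TBD." in -01 even though the specification reference has moved from [I-D.ietf-roll-trickle-mcast] to the published [RFC7731], so the section still gives operators no filtering advice for Type=0x6D. Since 4.3.15.2 states that the option is meant to be included only in Hop-by-Hop Option headers, the advice should at least say how to treat it there, and 4.3.15.3 should summarize the implications instead of only pointing at the RFC. In 4.3.15.1, "(MPL), that provides" should be "(MPL), which provides".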
skipping to change at page 25, line 22 skipping to change at page 25, line 22
This option is employed with the (Experimental) Depth-First This option is employed with the (Experimental) Depth-First
Forwarding (DFF) in Unreliable Networks. Forwarding (DFF) in Unreliable Networks.
4.3.16.2. Specification 4.3.16.2. Specification
This option is specified in [RFC6971]. This option is specified in [RFC6971].
4.3.16.3. Specific Security Implications 4.3.16.3. Specific Security Implications
TBD. Those specified in [RFC6971].
4.3.16.4. Operational and Interoperability Impact if Blocked 4.3.16.4. Operational and Interoperability Impact if Blocked
TBD. TBD.
4.3.16.5. Advice 4.3.16.5. Advice
TBD. TBD.
4.3.17. RFC3692-style Experiment (Types = 0x1E, 0x3E, 0x5E, 0x7E, 0x9E, 4.3.17. RFC3692-style Experiment (Types = 0x1E, 0x3E, 0x5E, 0x7E, 0x9E,
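Review bot: 4.3.16.3 now reads "Those specified in [RFC6971]." where 4.3.12.3, 4.3.13.3 and 4.3.15.3 say "Those described in"; use the same wording in all of them. 4.3.16.4 and 4.3.16.5 remain "TBD.", so there is still no impact analysis or advice for IP_DFF (Type=0xEE), which 4.3.16.1 itself labels Experimental; that status is worth reflecting in the advice once it is written.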
skipping to change at page 27, line 30 skipping to change at page 27, line 30
Carlos Pignataro, Donald Smith, and Gunter Van De Velde, for Carlos Pignataro, Donald Smith, and Gunter Van De Velde, for
providing valuable comments on earlier versions of this document. providing valuable comments on earlier versions of this document.
This document borrows some text an analysis from [RFC7126], authored This document borrows some text an analysis from [RFC7126], authored
by Fernando Gont, Randall Atkinson, and Carlos Pignataro. by Fernando Gont, Randall Atkinson, and Carlos Pignataro.
8. References 8. References
8.1. Normative References 8.1. Normative References
[draft-gont-6man-ipv6-opt-transmit]
Gont, F., Liu, W., and R. Bonica, "Transmission and
Processing of IPv6 Options", IETF Internet Draft, work in
progress, August 2014.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. [RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, September 1997. Functional Specification", RFC 2205, DOI 10.17487/RFC2205,
September 1997, <http://www.rfc-editor.org/info/rfc2205>.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998. (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <http://www.rfc-editor.org/info/rfc2460>.
[RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", RFC 2473, December 1998. IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473,
December 1998, <http://www.rfc-editor.org/info/rfc2473>.
[RFC2675] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms", [RFC2675] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms",
RFC 2675, August 1999. RFC 2675, DOI 10.17487/RFC2675, August 1999,
<http://www.rfc-editor.org/info/rfc2675>.
[RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast [RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast
Listener Discovery (MLD) for IPv6", RFC 2710, October Listener Discovery (MLD) for IPv6", RFC 2710,
1999. DOI 10.17487/RFC2710, October 1999,
<http://www.rfc-editor.org/info/rfc2710>.
[RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option", [RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option",
RFC 2711, October 1999. RFC 2711, DOI 10.17487/RFC2711, October 1999,
<http://www.rfc-editor.org/info/rfc2711>.
[RFC3692] Narten, T., "Assigning Experimental and Testing Numbers [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers
Considered Useful", BCP 82, RFC 3692, January 2004. Considered Useful", BCP 82, RFC 3692,
DOI 10.17487/RFC3692, January 2004,
<http://www.rfc-editor.org/info/rfc3692>.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
2005. DOI 10.17487/RFC4302, December 2005,
<http://www.rfc-editor.org/info/rfc4302>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
4303, December 2005. RFC 4303, DOI 10.17487/RFC4303, December 2005,
<http://www.rfc-editor.org/info/rfc4303>.
[RFC4304] Kent, S., "Extended Sequence Number (ESN) Addendum to [RFC4304] Kent, S., "Extended Sequence Number (ESN) Addendum to
IPsec Domain of Interpretation (DOI) for Internet Security IPsec Domain of Interpretation (DOI) for Internet Security
Association and Key Management Protocol (ISAKMP)", RFC Association and Key Management Protocol (ISAKMP)",
4304, December 2005. RFC 4304, DOI 10.17487/RFC4304, December 2005,
<http://www.rfc-editor.org/info/rfc4304>.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006. ICMPv6, UDP, and TCP Headers", RFC 4727,
DOI 10.17487/RFC4727, November 2006,
<http://www.rfc-editor.org/info/rfc4727>.
[RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick- [RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
Start for TCP and IP", RFC 4782, January 2007. Start for TCP and IP", RFC 4782, DOI 10.17487/RFC4782,
January 2007, <http://www.rfc-editor.org/info/rfc4782>.
[RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
of Type 0 Routing Headers in IPv6", RFC 5095, December of Type 0 Routing Headers in IPv6", RFC 5095,
2007. DOI 10.17487/RFC5095, December 2007,
<http://www.rfc-editor.org/info/rfc5095>.
[RFC5201] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson, [RFC5201] Moskowitz, R., Nikander, P., Jokela, P., Ed., and T.
"Host Identity Protocol", RFC 5201, April 2008. Henderson, "Host Identity Protocol", RFC 5201,
DOI 10.17487/RFC5201, April 2008,
<http://www.rfc-editor.org/info/rfc5201>.
[RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
Shim Protocol for IPv6", RFC 5533, June 2009. Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533,
June 2009, <http://www.rfc-editor.org/info/rfc5533>.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", RFC Architecture Label IPv6 Security Option (CALIPSO)",
5570, July 2009. RFC 5570, DOI 10.17487/RFC5570, July 2009,
<http://www.rfc-editor.org/info/rfc5570>.
[RFC6275] Perkins, C., Johnson, D., and J. Arkko, "Mobility Support [RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility
in IPv6", RFC 6275, July 2011. Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July
2011, <http://www.rfc-editor.org/info/rfc6275>.
[RFC6398] Le Faucheur, F., "IP Router Alert Considerations and [RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, October 2011. Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, October
2011, <http://www.rfc-editor.org/info/rfc6398>.
[RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
Alexander, "RPL: IPv6 Routing Protocol for Low-Power and JP., and R. Alexander, "RPL: IPv6 Routing Protocol for
Lossy Networks", RFC 6550, March 2012. Low-Power and Lossy Networks", RFC 6550,
DOI 10.17487/RFC6550, March 2012,
<http://www.rfc-editor.org/info/rfc6550>.
[RFC6553] Hui, J. and JP. Vasseur, "The Routing Protocol for Low- [RFC6553] Hui, J. and JP. Vasseur, "The Routing Protocol for Low-
Power and Lossy Networks (RPL) Option for Carrying RPL Power and Lossy Networks (RPL) Option for Carrying RPL
Information in Data-Plane Datagrams", RFC 6553, March Information in Data-Plane Datagrams", RFC 6553,
2012. DOI 10.17487/RFC6553, March 2012,
<http://www.rfc-editor.org/info/rfc6553>.
[RFC6554] Hui, J., Vasseur, JP., Culler, D., and V. Manral, "An IPv6 [RFC6554] Hui, J., Vasseur, JP., Culler, D., and V. Manral, "An IPv6
Routing Header for Source Routes with the Routing Protocol Routing Header for Source Routes with the Routing Protocol
for Low-Power and Lossy Networks (RPL)", RFC 6554, March for Low-Power and Lossy Networks (RPL)", RFC 6554,
2012. DOI 10.17487/RFC6554, March 2012,
<http://www.rfc-editor.org/info/rfc6554>.
[RFC6621] Macker, J., "Simplified Multicast Forwarding", RFC 6621, [RFC6621] Macker, J., Ed., "Simplified Multicast Forwarding",
May 2012. RFC 6621, DOI 10.17487/RFC6621, May 2012,
<http://www.rfc-editor.org/info/rfc6621>.
[RFC6740] Atkinson,, RJ., "Identifier-Locator Network Protocol [RFC6740] Atkinson, RJ. and SN. Bhatti, "Identifier-Locator Network
(ILNP) Architectural Description", RFC 6740, November Protocol (ILNP) Architectural Description", RFC 6740,
2012. DOI 10.17487/RFC6740, November 2012,
<http://www.rfc-editor.org/info/rfc6740>.
[RFC6744] Atkinson,, RJ., "IPv6 Nonce Destination Option for the [RFC6744] Atkinson, RJ. and SN. Bhatti, "IPv6 Nonce Destination
Identifier-Locator Network Protocol for IPv6 (ILNPv6)", Option for the Identifier-Locator Network Protocol for
RFC 6744, November 2012. IPv6 (ILNPv6)", RFC 6744, DOI 10.17487/RFC6744, November
2012, <http://www.rfc-editor.org/info/rfc6744>.
[RFC6788] Krishnan, S., Kavanagh, A., Varga, B., Ooghe, S., and E. [RFC6788] Krishnan, S., Kavanagh, A., Varga, B., Ooghe, S., and E.
Nordmark, "The Line-Identification Option", RFC 6788, Nordmark, "The Line-Identification Option", RFC 6788,
November 2012. DOI 10.17487/RFC6788, November 2012,
<http://www.rfc-editor.org/info/rfc6788>.
[RFC6971] Herberg, U., Cardenas, A., Iwao, T., Dow, M., and S. [RFC6971] Herberg, U., Ed., Cardenas, A., Iwao, T., Dow, M., and S.
Cespedes, "Depth-First Forwarding (DFF) in Unreliable Cespedes, "Depth-First Forwarding (DFF) in Unreliable
Networks", RFC 6971, June 2013. Networks", RFC 6971, DOI 10.17487/RFC6971, June 2013,
<http://www.rfc-editor.org/info/rfc6971>.
[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing
of IPv6 Extension Headers", RFC 7045, December 2013. of IPv6 Extension Headers", RFC 7045,
DOI 10.17487/RFC7045, December 2013,
<http://www.rfc-editor.org/info/rfc7045>.
[RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of
Oversized IPv6 Header Chains", RFC 7112, January 2014. Oversized IPv6 Header Chains", RFC 7112,
DOI 10.17487/RFC7112, January 2014,
<http://www.rfc-editor.org/info/rfc7112>.
[draft-gont-6man-ipv6-opt-transmit] [RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power
Gont, F., Liu, W., and R. Bonica, "Transmission and and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731,
Processing of IPv6 Options", IETF Internet Draft, work in February 2016, <http://www.rfc-editor.org/info/rfc7731>.
progress, August 2014.
8.2. Informative References 8.2. Informative References
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference, 2007, CanSecWest 2007 Security Conference, 2007,
<http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>. <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>.
[Cisco-EH] [Cisco-EH]
Cisco Systems, , "IPv6 Extension Headers Review and Cisco Systems, , "IPv6 Extension Headers Review and
Considerations", Whitepaper. October 2006, Considerations", Whitepaper. October 2006,
<http://www.cisco.com/en/US/technologies/tk648/tk872/ <http://www.cisco.com/en/US/technologies/tk648/tk872/
technologies_white_paper0900aecd8054d37d.pdf>. technologies_white_paper0900aecd8054d37d.pdf>.
[draft-ietf-nimrod-eid]
Lynn, C., "Endpoint Identifier Destination Option", IETF
Internet Draft, draft-ietf-nimrod-eid-00.txt, November
1995.
[FW-Benchmark] [FW-Benchmark]
Zack, E., "Firewall Security Assessment and Benchmarking Zack, E., "Firewall Security Assessment and Benchmarking
IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1, IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1,
Berlin, Germany. June 30, 2013, Berlin, Germany. June 30, 2013,
<http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack- <http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack-
ipv6hackers1-firewall-security-assessment-and- ipv6hackers1-firewall-security-assessment-and-
benchmarking.pdf>. benchmarking.pdf>.
[I-D.gont-v6ops-ipv6-ehs-in-real-world] [I-D.gont-v6ops-ipv6-ehs-packet-drops]
Gont, F., Linkova, J., Chown, T., and W. Will, Gont, F., Hilliard, N., Doering, G., (Will), S., and W.
"Observations on IPv6 EH Filtering in the Real World", Kumari, "Operational Implications of IPv6 Packets with
draft-gont-v6ops-ipv6-ehs-in-real-world-02 (work in Extension Headers", draft-gont-v6ops-ipv6-ehs-packet-
progress), March 2015. drops-03 (work in progress), March 2016.
[I-D.ietf-6man-predictable-fragment-id]
Gont, F., "Security Implications of Predictable Fragment
Identification Values", draft-ietf-6man-predictable-
fragment-id-02 (work in progress), December 2014.
[I-D.ietf-roll-trickle-mcast] [I-D.ietf-6man-hbh-header-handling]
Hui, J. and R. Kelsey, "Multicast Protocol for Low power Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options
and Lossy Networks (MPL)", draft-ietf-roll-trickle- Extension Header", draft-ietf-6man-hbh-header-handling-03
mcast-11 (work in progress), November 2014. (work in progress), March 2016.
[IANA-IPV6-PARAM] [IANA-IPV6-PARAM]
Internet Assigned Numbers Authority, "Internet Protocol Internet Assigned Numbers Authority, "Internet Protocol
Version 6 (IPv6) Parameters", December 2013, Version 6 (IPv6) Parameters", December 2013,
<http://www.iana.org/assignments/ipv6-parameters/ <http://www.iana.org/assignments/ipv6-parameters/
ipv6-parameters.xhtml>. ipv6-parameters.xhtml>.
[IANA-PROTOCOLS] [IANA-PROTOCOLS]
Internet Assigned Numbers Authority, "Protocol Numbers", Internet Assigned Numbers Authority, "Protocol Numbers",
2014, <http://www.iana.org/assignments/protocol-numbers/ 2014, <http://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>. protocol-numbers.xhtml>.
[NIMROD-DOC] [NIMROD-DOC]
Nimrod Documentation Page, , Nimrod Documentation Page, ,
"http://ana-3.lcs.mit.edu/~jnc/nimrod/", . "http://ana-3.lcs.mit.edu/~jnc/nimrod/".
[RFC3871] Jones, G., "Operational Security Requirements for Large [RFC3871] Jones, G., Ed., "Operational Security Requirements for
Internet Service Provider (ISP) IP Network Large Internet Service Provider (ISP) IP Network
Infrastructure", RFC 3871, September 2004. Infrastructure", RFC 3871, DOI 10.17487/RFC3871, September
2004, <http://www.rfc-editor.org/info/rfc3871>.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, March 2011. Router Control Plane", RFC 6192, DOI 10.17487/RFC6192,
March 2011, <http://www.rfc-editor.org/info/rfc6192>.
[RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations [RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations
on Filtering of IPv4 Packets Containing IPv4 Options", BCP on Filtering of IPv4 Packets Containing IPv4 Options",
186, RFC 7126, February 2014. BCP 186, RFC 7126, DOI 10.17487/RFC7126, February 2014,
<http://www.rfc-editor.org/info/rfc7126>.
[draft-ietf-nimrod-eid] [RFC7739] Gont, F., "Security Implications of Predictable Fragment
Lynn, C., "Endpoint Identifier Destination Option", IETF Identification Values", RFC 7739, DOI 10.17487/RFC7739,
Internet Draft, draft-ietf-nimrod-eid-00.txt, November February 2016, <http://www.rfc-editor.org/info/rfc7739>.
1995.
[RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu,
"Observations on the Dropping of Packets with IPv6
Extension Headers in the Real World", RFC 7872,
DOI 10.17487/RFC7872, June 2016,
<http://www.rfc-editor.org/info/rfc7872>.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
UTN-FRH / SI6 Networks UTN-FRH / SI6 Networks
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
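Review bot: In the new [I-D.gont-v6ops-ipv6-ehs-packet-drops] entry the author list contains "(Will), S.", which looks like a mangled name and should be corrected in the reference source. In the same hunk, "borrows some text an analysis from [RFC7126]" still needs "and"; "Cisco Systems, ," and "Nimrod Documentation Page, ," keep their empty author fields; and [draft-gont-6man-ipv6-opt-transmit] stays under Normative References as a work in progress dated August 2014, so check whether a newer version exists or whether it belongs under Informative References.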
 End of changes. 74 change blocks. 
124 lines changed or deleted 188 lines changed or added
