draft-ietf-opsec-ipv6-eh-filtering-02.txt   draft-ietf-opsec-ipv6-eh-filtering-03.txt 
opsec F. Gont opsec F. Gont
Internet-Draft UTN-FRH / SI6 Networks Internet-Draft UTN-FRH / SI6 Networks
Intended status: Informational W. Liu Intended status: Informational W. Liu
Expires: May 4, 2017 Huawei Technologies Expires: January 4, 2018 Huawei Technologies
R. Bonica R. Bonica
Juniper Networks Juniper Networks
October 31, 2016 July 3, 2017
Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Recommendations on the Filtering of IPv6 Packets Containing IPv6
Headers Extension Headers
draft-ietf-opsec-ipv6-eh-filtering-02 draft-ietf-opsec-ipv6-eh-filtering-03
Abstract Abstract
It is common operator practice to mitigate security risks by It is common operator practice to mitigate security risks by
enforcing appropriate packet filtering. This document analyzes both enforcing appropriate packet filtering. This document analyzes both
the general security implications of IPv6 Extension Headers and the the general security implications of IPv6 Extension Headers and the
specific security implications of each Extension Header and Option specific security implications of each Extension Header and Option
type. Additionally, it discusses the operational and type. Additionally, it discusses the operational and
interoperability implications of discarding packets based on the IPv6 interoperability implications of discarding packets based on the IPv6
Extension Headers and IPv6 options they contain. Finally, it Extension Headers and IPv6 options they contain. Finally, it
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 4, 2017. This Internet-Draft will expire on January 4, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 42 skipping to change at page 2, line 42
4.2. General Security Implications of IPv6 Options . . . . . . 17 4.2. General Security Implications of IPv6 Options . . . . . . 17
4.3. Advice on the Handling of Packets with Specific IPv6 4.3. Advice on the Handling of Packets with Specific IPv6
Options . . . . . . . . . . . . . . . . . . . . . . . . . 17 Options . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.4. Advice on the handling of Packets with Unknown IPv6 4.4. Advice on the handling of Packets with Unknown IPv6
Options . . . . . . . . . . . . . . . . . . . . . . . . . 28 Options . . . . . . . . . . . . . . . . . . . . . . . . . 28
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
6. Security Considerations . . . . . . . . . . . . . . . . . . . 29 6. Security Considerations . . . . . . . . . . . . . . . . . . . 29
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 29 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 29
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 29
8.1. Normative References . . . . . . . . . . . . . . . . . . 29 8.1. Normative References . . . . . . . . . . . . . . . . . . 29
8.2. Informative References . . . . . . . . . . . . . . . . . 32 8.2. Informative References . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34
1. Introduction 1. Introduction
Recent studies (see e.g. [RFC7872]) suggest that there is widespread Recent studies (see e.g. [RFC7872]) suggest that there is widespread
dropping of IPv6 packets that contain IPv6 Extension Headers (EHs). dropping of IPv6 packets that contain IPv6 Extension Headers (EHs).
In some cases, such packet drops occur at transit routers. While In some cases, such packet drops occur at transit routers. While
some operators "officially" drop packets that contain IPv6 EHs, it is some operators "officially" drop packets that contain IPv6 EHs, it is
possible that some of the measured packet drops be the result of possible that some of the measured packet drops be the result of
improper configuration defaults, or inappropriate advice in this improper configuration defaults, or inappropriate advice in this
skipping to change at page 23, line 26 skipping to change at page 23, line 26
Forwarding (SMF) for unique packet identification for IPv6 I-DPD, and Forwarding (SMF) for unique packet identification for IPv6 I-DPD, and
as a mechanism to guarantee non-collision of hash values for as a mechanism to guarantee non-collision of hash values for
different packets when H-DPD is used. different packets when H-DPD is used.
4.3.9.2. Specification 4.3.9.2. Specification
This option is specified in [RFC6621]. This option is specified in [RFC6621].
4.3.9.3. Specific Security Implications 4.3.9.3. Specific Security Implications
TBD. None. The use of identifiers is subject to the security and privacy
considerations discussed in [I-D.gont-predictable-numeric-ids].
4.3.9.4. Operational and Interoperability Impact if Blocked 4.3.9.4. Operational and Interoperability Impact if Blocked
TBD. Dropping packets containing this option within a MANET domain would
break SMF. However, dropping such packets at the border of such
domain would have no negative impact.
4.3.9.5. Advice 4.3.9.5. Advice
TBD. Intermediate system should discard packets that contain this option.
4.3.10. Home Address (Type=0xC9) 4.3.10. Home Address (Type=0xC9)
4.3.10.1. Uses 4.3.10.1. Uses
The Home Address option is used by a Mobile IPv6 node while away from The Home Address option is used by a Mobile IPv6 node while away from
home, to inform the recipient of the mobile node's home address. home, to inform the recipient of the mobile node's home address.
4.3.10.2. Specification 4.3.10.2. Specification
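Review bot: the Advice in 4.3.9.5, "Intermediate system should discard packets that contain this option.", is unconditional, but 4.3.9.4 states that dropping such packets within a MANET domain would break SMF; scope the advice the way 4.3.16.5 does for DFF, e.g. "Intermediate systems that do not operate within a MANET domain running SMF should discard packets that contain this option." Also, 4.3.9.3 opens with "None." and then says the option is subject to the security and privacy considerations of [I-D.gont-predictable-numeric-ids]; drop "None." so the two sentences do not contradict each other. Minor grammar: "Intermediate system" should be "Intermediate systems", and "at the border of such domain" should be "at the border of such a domain".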
skipping to change at page 26, line 47 skipping to change at page 26, line 47
This option is specified in [RFC7731], and is meant to be included This option is specified in [RFC7731], and is meant to be included
only in Hop-by-Hop Option headers. only in Hop-by-Hop Option headers.
4.3.15.3. Specific Security Implications 4.3.15.3. Specific Security Implications
Those described in [RFC7731]. Those described in [RFC7731].
4.3.15.4. Operational and Interoperability Impact if Blocked 4.3.15.4. Operational and Interoperability Impact if Blocked
TBD. Dropping packets that contain an MPL option within an MPL network
would break the Multicast Protocol for Low power and Lossy Networks
(MPL). However, dropping such packets at the border of such networks
will have no negative impact.
4.3.15.5. Advice 4.3.15.5. Advice
TBD. Intermediate systems should not discard packets based on the presence
of this option. However, since this option has been specified for
the Hop-by-Hop Options, such systems should consider the discussion
in Section 3.4.1.
4.3.16. IP_DFF (Type=0xEE) 4.3.16. IP_DFF (Type=0xEE)
4.3.16.1. Uses 4.3.16.1. Uses
This option is employed with the (Experimental) Depth-First This option is employed with the (Experimental) Depth-First
Forwarding (DFF) in Unreliable Networks. Forwarding (DFF) in Unreliable Networks.
4.3.16.2. Specification 4.3.16.2. Specification
This option is specified in [RFC6971]. This option is specified in [RFC6971].
4.3.16.3. Specific Security Implications 4.3.16.3. Specific Security Implications
Those specified in [RFC6971]. Those specified in [RFC6971].
4.3.16.4. Operational and Interoperability Impact if Blocked 4.3.16.4. Operational and Interoperability Impact if Blocked
TBD. Dropping packets containing this option within a routing domain that
is running DFF would break DFF. However, droping such packets at the
border of such domains will have no security implications.
4.3.16.5. Advice 4.3.16.5. Advice
TBD. Intermediate systems that do not operate within a routing domain that
is running DFF should discard packets containing this option.
4.3.17. RFC3692-style Experiment (Types = 0x1E, 0x3E, 0x5E, 0x7E, 0x9E, 4.3.17. RFC3692-style Experiment (Types = 0x1E, 0x3E, 0x5E, 0x7E, 0x9E,
0xBE, 0xDE, 0xFE) 0xBE, 0xDE, 0xFE)
4.3.17.1. Uses 4.3.17.1. Uses
These options can be employed for performing RFC3692-style These options can be employed for performing RFC3692-style
experiments. It is only appropriate to use these values in experiments. It is only appropriate to use these values in
explicitly configured experiments; they must not be shipped as explicitly configured experiments; they must not be shipped as
defaults in implementations. defaults in implementations.
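Review bot: the advice in 4.3.15.5 and 4.3.16.5 reaches opposite conclusions from near-identical impact analyses. 4.3.15.4 and 4.3.16.4 both say that dropping the option inside its own domain breaks the protocol while dropping at the border has no negative impact, yet 4.3.15.5 says intermediate systems should not discard packets based on the MPL option while 4.3.16.5 says systems outside a DFF domain should discard packets containing IP_DFF; either align the two recommendations or state in 4.3.15.5 why MPL is treated differently (the pointer to Section 3.4.1 on Hop-by-Hop handling does not by itself explain it). Also, 4.3.16.4 ends with "will have no security implications", but the section is about operational and interoperability impact; "will have no negative impact", as in 4.3.15.4, is the statement that belongs there. Typo in 4.3.16.4: "droping" should be "dropping".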
skipping to change at page 33, line 6 skipping to change at page 33, line 13
February 2016, <http://www.rfc-editor.org/info/rfc7731>. February 2016, <http://www.rfc-editor.org/info/rfc7731>.
8.2. Informative References 8.2. Informative References
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference, 2007, CanSecWest 2007 Security Conference, 2007,
<http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>. <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>.
[Cisco-EH] [Cisco-EH]
Cisco Systems, , "IPv6 Extension Headers Review and Cisco Systems, "IPv6 Extension Headers Review and
Considerations", Whitepaper. October 2006, Considerations", Whitepaper. October 2006,
<http://www.cisco.com/en/US/technologies/tk648/tk872/ <http://www.cisco.com/en/US/technologies/tk648/tk872/
technologies_white_paper0900aecd8054d37d.pdf>. technologies_white_paper0900aecd8054d37d.pdf>.
[draft-ietf-nimrod-eid] [draft-ietf-nimrod-eid]
Lynn, C., "Endpoint Identifier Destination Option", IETF Lynn, C., "Endpoint Identifier Destination Option", IETF
Internet Draft, draft-ietf-nimrod-eid-00.txt, November Internet Draft, draft-ietf-nimrod-eid-00.txt, November
1995. 1995.
[FW-Benchmark] [FW-Benchmark]
Zack, E., "Firewall Security Assessment and Benchmarking Zack, E., "Firewall Security Assessment and Benchmarking
IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1, IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1,
Berlin, Germany. June 30, 2013, Berlin, Germany. June 30, 2013,
<http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack- <http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack-
ipv6hackers1-firewall-security-assessment-and- ipv6hackers1-firewall-security-assessment-and-
benchmarking.pdf>. benchmarking.pdf>.
[I-D.gont-predictable-numeric-ids]
Gont, F. and I. Arce, "Security and Privacy Implications
of Numeric Identifiers Employed in Network Protocols",
draft-gont-predictable-numeric-ids-01 (work in progress),
July 2017.
[I-D.gont-v6ops-ipv6-ehs-packet-drops] [I-D.gont-v6ops-ipv6-ehs-packet-drops]
Gont, F., Hilliard, N., Doering, G., (Will), S., and W. Gont, F., Hilliard, N., Doering, G., (Will), S., and W.
Kumari, "Operational Implications of IPv6 Packets with Kumari, "Operational Implications of IPv6 Packets with
Extension Headers", draft-gont-v6ops-ipv6-ehs-packet- Extension Headers", draft-gont-v6ops-ipv6-ehs-packet-
drops-03 (work in progress), March 2016. drops-03 (work in progress), March 2016.
[I-D.ietf-6man-hbh-header-handling] [I-D.ietf-6man-hbh-header-handling]
Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options
Extension Header", draft-ietf-6man-hbh-header-handling-03 Extension Header", draft-ietf-6man-hbh-header-handling-03
(work in progress), March 2016. (work in progress), March 2016.
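Review bot: the reference anchor [draft-ietf-nimrod-eid] does not follow the [I-D.*] naming used by the other Internet-Draft entries in this list ([I-D.gont-predictable-numeric-ids], [I-D.gont-v6ops-ipv6-ehs-packet-drops], [I-D.ietf-6man-hbh-header-handling]); renaming it to [I-D.ietf-nimrod-eid] and marking it "(work in progress)" like the others would keep the list consistent.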
skipping to change at page 33, line 47 skipping to change at page 34, line 11
Version 6 (IPv6) Parameters", December 2013, Version 6 (IPv6) Parameters", December 2013,
<http://www.iana.org/assignments/ipv6-parameters/ <http://www.iana.org/assignments/ipv6-parameters/
ipv6-parameters.xhtml>. ipv6-parameters.xhtml>.
[IANA-PROTOCOLS] [IANA-PROTOCOLS]
Internet Assigned Numbers Authority, "Protocol Numbers", Internet Assigned Numbers Authority, "Protocol Numbers",
2014, <http://www.iana.org/assignments/protocol-numbers/ 2014, <http://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>. protocol-numbers.xhtml>.
[NIMROD-DOC] [NIMROD-DOC]
Nimrod Documentation Page, , Nimrod Documentation Page,
"http://ana-3.lcs.mit.edu/~jnc/nimrod/". "http://ana-3.lcs.mit.edu/~jnc/nimrod/".
[RFC3871] Jones, G., Ed., "Operational Security Requirements for [RFC3871] Jones, G., Ed., "Operational Security Requirements for
Large Internet Service Provider (ISP) IP Network Large Internet Service Provider (ISP) IP Network
Infrastructure", RFC 3871, DOI 10.17487/RFC3871, September Infrastructure", RFC 3871, DOI 10.17487/RFC3871, September
2004, <http://www.rfc-editor.org/info/rfc3871>. 2004, <http://www.rfc-editor.org/info/rfc3871>.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, DOI 10.17487/RFC6192, Router Control Plane", RFC 6192, DOI 10.17487/RFC6192,
March 2011, <http://www.rfc-editor.org/info/rfc6192>. March 2011, <http://www.rfc-editor.org/info/rfc6192>.
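Review bot: the [NIMROD-DOC] entry still lacks an author or organization and a date, and gives its URL in double quotes rather than the angle brackets used by every other entry; the -03 edit only removed the stray comma. Format it like the neighbouring entries, with the URL as <http://ana-3.lcs.mit.edu/~jnc/nimrod/> and a date on which the page was consulted.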
 End of changes. 16 change blocks. 
17 lines changed or deleted 35 lines changed or added
