draft-ietf-opsec-ipv6-eh-filtering-04.txt   draft-ietf-opsec-ipv6-eh-filtering-05.txt 
opsec F. Gont opsec F. Gont
Internet-Draft UTN-FRH / SI6 Networks Internet-Draft UTN-FRH / SI6 Networks
Intended status: Informational W. Liu Intended status: Informational W. Liu
Expires: May 3, 2018 Huawei Technologies Expires: September 6, 2018 Huawei Technologies
R. Bonica March 5, 2018
Juniper Networks
October 30, 2017
Recommendations on the Filtering of IPv6 Packets Containing IPv6 Recommendations on the Filtering of IPv6 Packets Containing IPv6
Extension Headers Extension Headers
draft-ietf-opsec-ipv6-eh-filtering-04 draft-ietf-opsec-ipv6-eh-filtering-05
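Review bot: the author block changes without any explanation visible in this excerpt: the third author entry, R. Bonica / Juniper Networks, appears only in the -04 column and is gone from -05, and the date moves from October 30, 2017 to March 5, 2018. If the removal is intentional, the Acknowledgements section (not shown here) should credit his contributions to the earlier revisions; if it is accidental, restore the author entry before the next revision is posted.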
Abstract Abstract
It is common operator practice to mitigate security risks by It is common operator practice to mitigate security risks by
enforcing appropriate packet filtering. This document analyzes both enforcing appropriate packet filtering. This document analyzes both
the general security implications of IPv6 Extension Headers and the the general security implications of IPv6 Extension Headers and the
specific security implications of each Extension Header and Option specific security implications of each Extension Header and Option
type. Additionally, it discusses the operational and type. Additionally, it discusses the operational and
interoperability implications of discarding packets based on the IPv6 interoperability implications of discarding packets based on the IPv6
Extension Headers and IPv6 options they contain. Finally, it Extension Headers and IPv6 options they contain. Finally, it
provides advice on the filtering of such IPv6 packets at transit provides advice on the filtering of such IPv6 packets at transit
routers for traffic *not* directed to them, for those cases in which routers for traffic *not* directed to them, for those cases in which
such filtering is deemed as necessary. such filtering is deemed as necessary.
Status of This Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2018. This Internet-Draft will expire on September 6, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
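Review bot: the boilerplate links regress from https to http in -05 ("http://datatracker.ietf.org/drafts/current/" and "http://trustee.ietf.org/license-info", where -04 had the https forms), and the heading changes from "Status of This Memo" to "Status of this Memo". Both usually indicate the draft was rendered with an older xml2rfc than the previous revision; re-render with a current version so the Status of This Memo and Copyright Notice text matches the present boilerplate rather than an older one.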
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology and Conventions Used in This Document . . . . . . 4 2. Terminology and Conventions Used in This Document . . . . . . 4
2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Applicability Statement . . . . . . . . . . . . . . . . . 4 2.2. Applicability Statement . . . . . . . . . . . . . . . . . 4
2.3. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4
3. IPv6 Extension Headers . . . . . . . . . . . . . . . . . . . 5 3. IPv6 Extension Headers . . . . . . . . . . . . . . . . . . . . 5
3.1. General Discussion . . . . . . . . . . . . . . . . . . . 5 3.1. General Discussion . . . . . . . . . . . . . . . . . . . . 5
3.2. General Security Implications . . . . . . . . . . . . . . 6 3.2. General Security Implications . . . . . . . . . . . . . . 6
3.3. Summary of Advice on the Handling of IPv6 Packets with 3.3. Summary of Advice on the Handling of IPv6 Packets with
Specific IPv6 Extension Headers . . . . . . . . . . . . . 6 Specific IPv6 Extension Headers . . . . . . . . . . . . . 6
3.4. Advice on the Handling of IPv6 Packets with Specific IPv6 3.4. Advice on the Handling of IPv6 Packets with Specific
Extension Headers . . . . . . . . . . . . . . . . . . . . 7 IPv6 Extension Headers . . . . . . . . . . . . . . . . . . 7
3.5. Advice on the Handling of Packets with Unknown IPv6 3.5. Advice on the Handling of Packets with Unknown IPv6
Extension Headers . . . . . . . . . . . . . . . . . . . . 16 Extension Headers . . . . . . . . . . . . . . . . . . . . 16
4. IPv6 Options . . . . . . . . . . . . . . . . . . . . . . . . 17 4. IPv6 Options . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.1. General Discussion . . . . . . . . . . . . . . . . . . . 17 4.1. General Discussion . . . . . . . . . . . . . . . . . . . . 17
4.2. General Security Implications of IPv6 Options . . . . . . 17 4.2. General Security Implications of IPv6 Options . . . . . . 17
4.3. Advice on the Handling of Packets with Specific IPv6 4.3. Advice on the Handling of Packets with Specific IPv6
Options . . . . . . . . . . . . . . . . . . . . . . . . . 17 Options . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.4. Advice on the handling of Packets with Unknown IPv6 4.4. Advice on the handling of Packets with Unknown IPv6
Options . . . . . . . . . . . . . . . . . . . . . . . . . 28 Options . . . . . . . . . . . . . . . . . . . . . . . . . 28
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
6. Security Considerations . . . . . . . . . . . . . . . . . . . 29 6. Security Considerations . . . . . . . . . . . . . . . . . . . 29
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 29 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 29
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
8.1. Normative References . . . . . . . . . . . . . . . . . . 29 8.1. Normative References . . . . . . . . . . . . . . . . . . . 29
8.2. Informative References . . . . . . . . . . . . . . . . . 33 8.2. Informative References . . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
1. Introduction 1. Introduction
Recent studies (see e.g. [RFC7872]) suggest that there is widespread Recent studies (see e.g. [RFC7872]) suggest that there is widespread
dropping of IPv6 packets that contain IPv6 Extension Headers (EHs). dropping of IPv6 packets that contain IPv6 Extension Headers (EHs).
In some cases, such packet drops occur at transit routers. While In some cases, such packet drops occur at transit routers. While
some operators "officially" drop packets that contain IPv6 EHs, it is some operators "officially" drop packets that contain IPv6 EHs, it is
possible that some of the measured packet drops be the result of possible that some of the measured packet drops be the result of
improper configuration defaults, or inappropriate advice in this improper configuration defaults, or inappropriate advice in this
area. area.
skipping to change at page 7, line 6 skipping to change at page 6, line 38
decisions in future. decisions in future.
3.3. Summary of Advice on the Handling of IPv6 Packets with Specific 3.3. Summary of Advice on the Handling of IPv6 Packets with Specific
IPv6 Extension Headers IPv6 Extension Headers
This section summarizes the advice provided in Section 3.4, providing This section summarizes the advice provided in Section 3.4, providing
references to the specific sections in which a detailed analysis can references to the specific sections in which a detailed analysis can
be found. be found.
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| EH type | Filtering policy | Reference | | EH type | Filtering policy | Reference |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| IPv6 Hop-by-Hop Options | Drop or Ignore | Section 3.4.1 | | IPv6 Hop-by-Hop Options | Drop or Ignore | Section 3.4.1 |
| (Proto=0) | | | | (Proto=0) | | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Routing Header for IPv6 | Drop only RTH0, | Section 3.4.2 | | Routing Header for IPv6 | Drop only RTH0, | Section 3.4.2 |
| (Proto=43) | Permit other RH | | | (Proto=43) | Permit other RH | |
| | Types | | | | Types | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Fragment Header for IPv6 | Permit | Section 3.4.3 | | Fragment Header for IPv6 | Permit | Section 3.4.3 |
| (Proto=44) | | | | (Proto=44) | | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Encapsulating Security | Permit | Section 3.4.4 | | Encapsulating Security | Permit | Section 3.4.4 |
| Payload (Proto=50) | | | | Payload (Proto=50) | | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Authentication Header | Permit | Section 3.4.5 | +----------------------------+---------------------+----------------+
| Authentication Header | Permit | Section 3.4.5 |
| (Proto=51) | | | | (Proto=51) | | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Destination Options for | Permit | Section 3.4.6 | | Destination Options for | Permit | Section 3.4.6 |
| IPv6 (Proto=60) | | | | IPv6 (Proto=60) | | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Mobility Header | Permit | Section 3.4.7 | | Mobility Header | Permit | Section 3.4.7 |
| (Proto=135) | | | | (Proto=135) | | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Host Identity Protocol | Permit | Section 3.4.8 | | Host Identity Protocol | Permit | Section 3.4.8 |
| (Proto=139) | | | | (Proto=139) | | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Shim6 Protocol (Proto=140) | Permit | Section 3.4.9 | | Shim6 Protocol (Proto=140) | Permit | Section 3.4.9 |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
| Use for experimentation | Drop | Section 3.4.10 | | Use for experimentation | Drop | Section 3.4.10 |
| and testing (Proto=253 and | | | | and testing (Proto=253 and | | |
| 254) | | | | 254) | | |
+----------------------------+---------------------+----------------+ +----------------------------+---------------------+----------------+
Table 1: Summary of Advice on the Handling of IPv6 Packets with Table 1: Summary of Advice on the Handling of IPv6 Packets with
Specific IPv6 Extension Headers Specific IPv6 Extension Headers
3.4. Advice on the Handling of IPv6 Packets with Specific IPv6 3.4. Advice on the Handling of IPv6 Packets with Specific IPv6
Extension Headers Extension Headers
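Review bot: Table 1 in -05 has a doubled row separator: a second "+----------------------------+---------------------+----------------+" line is emitted immediately before the "| Authentication Header | Permit | Section 3.4.5 |" row, which renders as an empty row in the table. Remove the duplicate separator in the source; the table's content (filtering policies and section references) is otherwise unchanged from -04.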
skipping to change at page 8, line 19 skipping to change at page 8, line 4
Hop-by-Hop Options header. However, even before the publication of Hop-by-Hop Options header. However, even before the publication of
[RFC8200] a number of implementations already provided the option of [RFC8200] a number of implementations already provided the option of
ignoring this header unless explicitly configured to examine it. ignoring this header unless explicitly configured to examine it.
3.4.1.2. Specification 3.4.1.2. Specification
This EH is specified in [RFC8200]. At the time of this writing, the This EH is specified in [RFC8200]. At the time of this writing, the
following options have been specified for the Hop-by-Hop Options EH: following options have been specified for the Hop-by-Hop Options EH:
o Type 0x00: Pad1 [RFC8200] o Type 0x00: Pad1 [RFC8200]
o Type 0x01: PadN [RFC8200] o Type 0x01: PadN [RFC8200]
o Type 0x05: Router Alert [RFC2711] o Type 0x05: Router Alert [RFC2711]
o Type 0x07: CALIPSO [RFC5570] o Type 0x07: CALIPSO [RFC5570]
o Type 0x08: SMF_DPD [RFC6621] o Type 0x08: SMF_DPD [RFC6621]
o Type 0x23: RPL Option [I-D.ietf-roll-useofrplinfo]
o Type 0x26: Quick-Start [RFC4782] o Type 0x26: Quick-Start [RFC4782]
o Type 0x4D: (Deprecated) o Type 0x4D: (Deprecated)
o Type 0x63: RPL Option [RFC6553] o Type 0x63: RPL Option [RFC6553]
o Type 0x6D: MPL Option [RFC7731] o Type 0x6D: MPL Option [RFC7731]
o Type 0x8A: Endpoint Identification (Deprecated) o Type 0x8A: Endpoint Identification (Deprecated)
[draft-ietf-nimrod-eid] [draft-ietf-nimrod-eid]
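Review bot: the Hop-by-Hop option list in 3.4.1.2 now carries two RPL Option entries, "Type 0x23: RPL Option [I-D.ietf-roll-useofrplinfo]" and "Type 0x63: RPL Option [RFC6553]", without distinguishing them, even though Section 4.3.4.2 of the same revision states that 0x63 has been deprecated by that draft. Mark the 0x63 entry the way the 0x4D and 0x8A entries are marked, e.g. "o Type 0x63: RPL Option (Deprecated) [RFC6553]", so a reader scanning the list does not take both as current options.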
skipping to change at page 15, line 27 skipping to change at page 15, line 14
3.4.9.1. Uses 3.4.9.1. Uses
This EH is employed by the Shim6 [RFC5533] Protocol. This EH is employed by the Shim6 [RFC5533] Protocol.
3.4.9.2. Specification 3.4.9.2. Specification
This EH is specified in [RFC5533]. This EH is specified in [RFC5533].
3.4.9.3. Specific Security Implications 3.4.9.3. Specific Security Implications
The specific security implications are discussed in detail in The specific security implications are discussed in detail in Section
Section 16 of [RFC5533]. 16 of [RFC5533].
3.4.9.4. Operational and Interoperability Impact if Blocked 3.4.9.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain this EH will break Shim6. Discarding packets that contain this EH will break Shim6.
3.4.9.5. Advice 3.4.9.5. Advice
Intermediate systems should permit packets containing this EH. Intermediate systems should permit packets containing this EH.
3.4.10. Use for experimentation and testing (Protocol Numbers=253 and 3.4.10. Use for experimentation and testing (Protocol Numbers=253 and
skipping to change at page 19, line 46 skipping to change at page 19, line 25
4.3.4. RPL Option (Type=0x63) 4.3.4. RPL Option (Type=0x63)
4.3.4.1. Uses 4.3.4.1. Uses
The RPL Option provides a mechanism to include routing information The RPL Option provides a mechanism to include routing information
with each datagram that an RPL router forwards. with each datagram that an RPL router forwards.
4.3.4.2. Specification 4.3.4.2. Specification
This option is specified in [RFC6553]. This option was originally specified in [RFC6553]. It has been
deprecated by [I-D.ietf-roll-useofrplinfo].
4.3.4.3. Specific Security Implications 4.3.4.3. Specific Security Implications
Those described in [RFC6553]. Those described in [RFC6553].
4.3.4.4. Operational and Interoperability Impact if Blocked 4.3.4.4. Operational and Interoperability Impact if Blocked
This option is meant to be employed within an RPL instance. As a This option is meant to be employed within an RPL instance. As a
result, discarding packets based on the presence of this option (e.g. result, discarding packets based on the presence of this option (e.g.
at an ISP) will not result in interoperability implications. at an ISP) will not result in interoperability implications.
4.3.4.5. Advice 4.3.4.5. Advice
Non-RPL routers should discard packets that contain an RPL option. Non-RPL routers should discard packets that contain an RPL option.
4.3.5. Tunnel Encapsulation Limit (Type=0x04) 4.3.5. RPL Option (Type=0x23)
4.3.5.1. Uses 4.3.5.1. Uses
The RPL Option provides a mechanism to include routing information
with each datagram that an RPL router forwards.
4.3.5.2. Specification
This option is specified in [I-D.ietf-roll-useofrplinfo].
4.3.5.3. Specific Security Implications
Those described in [I-D.ietf-roll-useofrplinfo].
4.3.5.4. Operational and Interoperability Impact if Blocked
This option is meant to survive outside of an RPL instance. As a
result, discarding packets based on the presence of this option would
break some use cases for RPL (see [I-D.ietf-roll-useofrplinfo]).
4.3.5.5. Advice
Intermediate systems should not discard IPv6 packets based on the
presence of this option.
4.3.6. Tunnel Encapsulation Limit (Type=0x04)
4.3.6.1. Uses
The Tunnel Encapsulation Limit option can be employed to specify how The Tunnel Encapsulation Limit option can be employed to specify how
many further levels of nesting the packet is permitted to undergo. many further levels of nesting the packet is permitted to undergo.
4.3.5.2. Specification 4.3.6.2. Specification
This option is specified in [RFC2473]. This option is specified in [RFC2473].
4.3.5.3. Specific Security Implications 4.3.6.3. Specific Security Implications
Those described in [RFC2473]. Those described in [RFC2473].
4.3.5.4. Operational and Interoperability Impact if Blocked 4.3.6.4. Operational and Interoperability Impact if Blocked
Discarding packets based on the presence of this option could result Discarding packets based on the presence of this option could result
in tunnel traffic being discarded. in tunnel traffic being discarded.
4.3.5.5. Advice 4.3.6.5. Advice
Intermediate systems should not discard packets based on the presence Intermediate systems should not discard packets based on the presence
of this option. of this option.
4.3.6. Router Alert (Type=0x05) 4.3.7. Router Alert (Type=0x05)
4.3.6.1. Uses 4.3.7.1. Uses
The Router Alert option [RFC2711] is typically employed for the RSVP The Router Alert option [RFC2711] is typically employed for the RSVP
protocol [RFC2205] and the MLD protocol [RFC2710]. protocol [RFC2205] and the MLD protocol [RFC2710].
4.3.6.2. Specification 4.3.7.2. Specification
This option is specified in [RFC2711]. This option is specified in [RFC2711].
4.3.6.3. Specific Security Implications 4.3.7.3. Specific Security Implications
Since this option causes the contents of the packet to be inspected Since this option causes the contents of the packet to be inspected
by the handling device, this option could be leveraged for performing by the handling device, this option could be leveraged for performing
DoS attacks. DoS attacks.
4.3.6.4. Operational and Interoperability Impact if Blocked 4.3.7.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain this option would break RSVP and Discarding packets that contain this option would break RSVP and
multicast deployments. multicast deployments.
4.3.6.5. Advice 4.3.7.5. Advice
Intermediate systems should discard packets that contain this option. Intermediate systems should discard packets that contain this option.
Only in specific environments where support for RSVP, multicast Only in specific environments where support for RSVP, multicast
routing, or similar protocols is desired, should this option be routing, or similar protocols is desired, should this option be
permitted. permitted.
4.3.7. Quick-Start (Type=0x26) 4.3.8. Quick-Start (Type=0x26)
4.3.7.1. Uses 4.3.8.1. Uses
This IP Option is used in the specification of Quick-Start for TCP This IP Option is used in the specification of Quick-Start for TCP
and IP, which is an experimental mechanism that allows transport and IP, which is an experimental mechanism that allows transport
protocols, in cooperation with routers, to determine an allowed protocols, in cooperation with routers, to determine an allowed
sending rate at the start and, at times, in the middle of a data sending rate at the start and, at times, in the middle of a data
transfer (e.g., after an idle period) [RFC4782]. transfer (e.g., after an idle period) [RFC4782].
4.3.7.2. Specification 4.3.8.2. Specification
This option is specified in [RFC4782], on the "Experimental" track. This option is specified in [RFC4782], on the "Experimental" track.
4.3.7.3. Specific Security Implications 4.3.8.3. Specific Security Implications
Section 9.6 of [RFC4782] notes that Quick-Start is vulnerable to two Section 9.6 of [RFC4782] notes that Quick-Start is vulnerable to two
kinds of attacks: kinds of attacks:
o attacks to increase the routers' processing and state load, and, o attacks to increase the routers' processing and state load, and,
o attacks with bogus Quick-Start Requests to temporarily tie up o attacks with bogus Quick-Start Requests to temporarily tie up
available Quick-Start bandwidth, preventing routers from approving available Quick-Start bandwidth, preventing routers from approving
Quick-Start Requests from other connections. Quick-Start Requests from other connections.
We note that if routers in a given environment do not implement and We note that if routers in a given environment do not implement and
enable the Quick-Start mechanism, only the general security enable the Quick-Start mechanism, only the general security
implications of IP options (discussed in Section 4.2) would apply. implications of IP options (discussed in Section 4.2) would apply.
4.3.7.4. Operational and Interoperability Impact if Blocked 4.3.8.4. Operational and Interoperability Impact if Blocked
The Quick-Start functionality would be disabled, and additional The Quick-Start functionality would be disabled, and additional
delays in TCP's connection establishment (for example) could be delays in TCP's connection establishment (for example) could be
introduced. (Please see Section 4.7.2 of [RFC4782].) We note, introduced. (Please see Section 4.7.2 of [RFC4782].) We note,
however, that Quick-Start has been proposed as a mechanism that could however, that Quick-Start has been proposed as a mechanism that could
be of use in controlled environments, and not as a mechanism that be of use in controlled environments, and not as a mechanism that
would be intended or appropriate for ubiquitous deployment in the would be intended or appropriate for ubiquitous deployment in the
global Internet [RFC4782]. global Internet [RFC4782].
4.3.7.5. Advice 4.3.8.5. Advice
Intermediate systems should not discard IPv6 packets based on the Intermediate systems should not discard IPv6 packets based on the
presence of this option. presence of this option.
4.3.8. CALIPSO (Type=0x07) 4.3.9. CALIPSO (Type=0x07)
4.3.8.1. Uses 4.3.9.1. Uses
This option is used for encoding explicit packet Sensitivity Labels This option is used for encoding explicit packet Sensitivity Labels
on IPv6 packets. It is intended for use only within Multi-Level on IPv6 packets. It is intended for use only within Multi-Level
Secure (MLS) networking environments that are both trusted and Secure (MLS) networking environments that are both trusted and
trustworthy. trustworthy.
4.3.8.2. Specification 4.3.9.2. Specification
This option is specified in [RFC5570]. This option is specified in [RFC5570].
4.3.8.3. Specific Security Implications 4.3.9.3. Specific Security Implications
Presence of this option in a packet does not by itself create any Presence of this option in a packet does not by itself create any
specific new threat. Packets with this option ought not normally be specific new threat. Packets with this option ought not normally be
seen on the global public Internet. seen on the global public Internet.
4.3.8.4. Operational and Interoperability Impact if Blocked 4.3.9.4. Operational and Interoperability Impact if Blocked
If packets with this option are discarded or if the option is If packets with this option are discarded or if the option is
stripped from the packet during transmission from source to stripped from the packet during transmission from source to
destination, then the packet itself is likely to be discarded by the destination, then the packet itself is likely to be discarded by the
receiver because it is not properly labeled. In some cases, the receiver because it is not properly labeled. In some cases, the
receiver might receive the packet but associate an incorrect receiver might receive the packet but associate an incorrect
sensitivity label with the received data from the packet whose sensitivity label with the received data from the packet whose
CALIPSO was stripped by an intermediate router or firewall. CALIPSO was stripped by an intermediate router or firewall.
Associating an incorrect sensitivity label can cause the received Associating an incorrect sensitivity label can cause the received
information either to be handled as more sensitive than it really is information either to be handled as more sensitive than it really is
("upgrading") or as less sensitive than it really is ("downgrading"), ("upgrading") or as less sensitive than it really is ("downgrading"),
either of which is problematic. either of which is problematic.
4.3.8.5. Advice 4.3.9.5. Advice
Intermediate systems that do not operate in Multi-Level Secure (MLS) Intermediate systems that do not operate in Multi-Level Secure (MLS)
networking environments should discard packets that contain this networking environments should discard packets that contain this
option. option.
4.3.9. SMF_DPD (Type=0x08) 4.3.10. SMF_DPD (Type=0x08)
4.3.9.1. Uses 4.3.10.1. Uses
This option is employed in the (experimental) Simplified Multicast This option is employed in the (experimental) Simplified Multicast
Forwarding (SMF) for unique packet identification for IPv6 I-DPD, and Forwarding (SMF) for unique packet identification for IPv6 I-DPD, and
as a mechanism to guarantee non-collision of hash values for as a mechanism to guarantee non-collision of hash values for
different packets when H-DPD is used. different packets when H-DPD is used.
4.3.9.2. Specification 4.3.10.2. Specification
This option is specified in [RFC6621]. This option is specified in [RFC6621].
4.3.9.3. Specific Security Implications 4.3.10.3. Specific Security Implications
None. The use of identifiers is subject to the security and privacy None. The use of identifiers is subject to the security and privacy
considerations discussed in [I-D.gont-predictable-numeric-ids]. considerations discussed in [I-D.gont-predictable-numeric-ids].
4.3.9.4. Operational and Interoperability Impact if Blocked 4.3.10.4. Operational and Interoperability Impact if Blocked
Dropping packets containing this option within a MANET domain would Dropping packets containing this option within a MANET domain would
break SMF. However, dropping such packets at the border of such break SMF. However, dropping such packets at the border of such
domain would have no negative impact. domain would have no negative impact.
4.3.9.5. Advice 4.3.10.5. Advice
Intermediate system should discard packets that contain this option. Intermediate system should discard packets that contain this option.
4.3.10. Home Address (Type=0xC9) 4.3.11. Home Address (Type=0xC9)
4.3.10.1. Uses 4.3.11.1. Uses
The Home Address option is used by a Mobile IPv6 node while away from The Home Address option is used by a Mobile IPv6 node while away from
home, to inform the recipient of the mobile node's home address. home, to inform the recipient of the mobile node's home address.
4.3.10.2. Specification 4.3.11.2. Specification
This option is specified in [RFC6275]. This option is specified in [RFC6275].
4.3.10.3. Specific Security Implications 4.3.11.3. Specific Security Implications
No (known) additional security implications than those described in No (known) additional security implications than those described in
[RFC6275]. [RFC6275].
4.3.10.4. Operational and Interoperability Impact if Blocked 4.3.11.4. Operational and Interoperability Impact if Blocked
Discarding IPv6 packets based on the presence of this option will Discarding IPv6 packets based on the presence of this option will
break Mobile IPv6. break Mobile IPv6.
4.3.10.5. Advice 4.3.11.5. Advice
Intermediate systems should not discard IPv6 packets based on the Intermediate systems should not discard IPv6 packets based on the
presence of this option. presence of this option.
4.3.11. Endpoint Identification (Type=0x8A) 4.3.12. Endpoint Identification (Type=0x8A)
4.3.11.1. Uses 4.3.12.1. Uses
The Endpoint Identification option was meant to be used with the The Endpoint Identification option was meant to be used with the
Nimrod routing architecture [NIMROD-DOC], but has never seen Nimrod routing architecture [NIMROD-DOC], but has never seen
widespread deployment. widespread deployment.
4.3.11.2. Specification 4.3.12.2. Specification
This option is specified in [NIMROD-DOC]. This option is specified in [NIMROD-DOC].
4.3.11.3. Specific Security Implications 4.3.12.3. Specific Security Implications
Undetermined. Undetermined.
4.3.11.4. Operational and Interoperability Impact if Blocked 4.3.12.4. Operational and Interoperability Impact if Blocked
None. None.
4.3.11.5. Advice 4.3.12.5. Advice
Intermediate systems should discard packets that contain this option. Intermediate systems should discard packets that contain this option.
4.3.12. ILNP Nonce (Type=0x8B) 4.3.13. ILNP Nonce (Type=0x8B)
4.3.12.1. Uses 4.3.13.1. Uses
This option is employed by Identifier-Locator Network Protocol for This option is employed by Identifier-Locator Network Protocol for
IPv6 (ILNPv6) for providing protection against off-path attacks for IPv6 (ILNPv6) for providing protection against off-path attacks for
packets when ILNPv6 is in use, and as a signal during initial packets when ILNPv6 is in use, and as a signal during initial
network-layer session creation that ILNPv6 is proposed for use with network-layer session creation that ILNPv6 is proposed for use with
this network-layer session, rather than classic IPv6. this network-layer session, rather than classic IPv6.
4.3.12.2. Specification 4.3.13.2. Specification
This option is specified in [RFC6744]. This option is specified in [RFC6744].
4.3.12.3. Specific Security Implications 4.3.13.3. Specific Security Implications
Those described in [RFC6744]. Those described in [RFC6744].
4.3.12.4. Operational and Interoperability Impact if Blocked 4.3.13.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain this option will break INLPv6 Discarding packets that contain this option will break INLPv6
deployments. deployments.
4.3.12.5. Advice 4.3.13.5. Advice
Intermediate systems should not discard packets based on the presence Intermediate systems should not discard packets based on the presence
of this option. of this option.
4.3.13. Line-Identification Option (Type=0x8C) 4.3.14. Line-Identification Option (Type=0x8C)
4.3.13.1. Uses 4.3.14.1. Uses
This option is used by an Edge Router to identify the subscriber This option is used by an Edge Router to identify the subscriber
premises in scenarios where several subscriber premises may be premises in scenarios where several subscriber premises may be
logically connected to the same interface of an Edge Router. logically connected to the same interface of an Edge Router.
4.3.13.2. Specification 4.3.14.2. Specification
This option is specified in [RFC6788]. This option is specified in [RFC6788].
4.3.13.3. Specific Security Implications 4.3.14.3. Specific Security Implications
Those described in [RFC6788]. Those described in [RFC6788].
4.3.13.4. Operational and Interoperability Impact if Blocked 4.3.14.4. Operational and Interoperability Impact if Blocked
Since this option is meant to be employed in Router Solicitation Since this option is meant to be employed in Router Solicitation
messages, discarding packets based on the presence of this option at messages, discarding packets based on the presence of this option at
intermediate systems will result in no interoperability implications. intermediate systems will result in no interoperability implications.
4.3.13.5. Advice 4.3.14.5. Advice
Intermediate devices should discard packets that contain this option. Intermediate devices should discard packets that contain this option.
4.3.14. Deprecated (Type=0x4D) 4.3.15. Deprecated (Type=0x4D)
4.3.15.1. Uses
4.3.14.1. Uses
No information has been found about this option type. No information has been found about this option type.
4.3.14.2. Specification 4.3.15.2. Specification
No information has been found about this option type. No information has been found about this option type.
4.3.14.3. Specific Security Implications 4.3.15.3. Specific Security Implications
No information has been found about this option type, and hence it No information has been found about this option type, and hence it
has been impossible to perform the corresponding security assessment. has been impossible to perform the corresponding security assessment.
4.3.14.4. Operational and Interoperability Impact if Blocked 4.3.15.4. Operational and Interoperability Impact if Blocked
Unknown. Unknown.
4.3.14.5. Advice 4.3.15.5. Advice
Intermediate systems should discard packets that contain this option. Intermediate systems should discard packets that contain this option.
4.3.15. MPL Option (Type=0x6D) 4.3.16. MPL Option (Type=0x6D)
4.3.15.1. Uses 4.3.16.1. Uses
This option is used with the Multicast Protocol for Low power and This option is used with the Multicast Protocol for Low power and
Lossy Networks (MPL), that provides IPv6 multicast forwarding in Lossy Networks (MPL), that provides IPv6 multicast forwarding in
constrained networks. constrained networks.
4.3.15.2. Specification 4.3.16.2. Specification
This option is specified in [RFC7731], and is meant to be included This option is specified in [RFC7731], and is meant to be included
only in Hop-by-Hop Option headers. only in Hop-by-Hop Option headers.
4.3.15.3. Specific Security Implications 4.3.16.3. Specific Security Implications
Those described in [RFC7731]. Those described in [RFC7731].
4.3.15.4. Operational and Interoperability Impact if Blocked 4.3.16.4. Operational and Interoperability Impact if Blocked
Dropping packets that contain an MPL option within an MPL network Dropping packets that contain an MPL option within an MPL network
would break the Multicast Protocol for Low power and Lossy Networks would break the Multicast Protocol for Low power and Lossy Networks
(MPL). However, dropping such packets at the border of such networks (MPL). However, dropping such packets at the border of such networks
will have no negative impact. will have no negative impact.
4.3.15.5. Advice 4.3.16.5. Advice
Intermediate systems should not discard packets based on the presence Intermediate systems should not discard packets based on the presence
of this option. However, since this option has been specified for of this option. However, since this option has been specified for
the Hop-by-Hop Options, such systems should consider the discussion the Hop-by-Hop Options, such systems should consider the discussion
in Section 3.4.1. in Section 3.4.1.
4.3.16. IP_DFF (Type=0xEE) 4.3.17. IP_DFF (Type=0xEE)
4.3.16.1. Uses 4.3.17.1. Uses
This option is employed with the (Experimental) Depth-First This option is employed with the (Experimental) Depth-First
Forwarding (DFF) in Unreliable Networks. Forwarding (DFF) in Unreliable Networks.
4.3.16.2. Specification 4.3.17.2. Specification
This option is specified in [RFC6971]. This option is specified in [RFC6971].
4.3.16.3. Specific Security Implications 4.3.17.3. Specific Security Implications
Those specified in [RFC6971]. Those specified in [RFC6971].
4.3.16.4. Operational and Interoperability Impact if Blocked 4.3.17.4. Operational and Interoperability Impact if Blocked
Dropping packets containing this option within a routing domain that Dropping packets containing this option within a routing domain that
is running DFF would break DFF. However, droping such packets at the is running DFF would break DFF. However, droping such packets at the
border of such domains will have no security implications. border of such domains will have no security implications.
4.3.16.5. Advice 4.3.17.5. Advice
Intermediate systems that do not operate within a routing domain that Intermediate systems that do not operate within a routing domain that
is running DFF should discard packets containing this option. is running DFF should discard packets containing this option.
4.3.17. RFC3692-style Experiment (Types = 0x1E, 0x3E, 0x5E, 0x7E, 0x9E, 4.3.18. RFC3692-style Experiment (Types = 0x1E, 0x3E, 0x5E, 0x7E, 0x9E,
0xBE, 0xDE, 0xFE) 0xBE, 0xDE, 0xFE)
4.3.17.1. Uses 4.3.18.1. Uses
These options can be employed for performing RFC3692-style These options can be employed for performing RFC3692-style
experiments. It is only appropriate to use these values in experiments. It is only appropriate to use these values in
explicitly configured experiments; they must not be shipped as explicitly configured experiments; they must not be shipped as
defaults in implementations. defaults in implementations.
4.3.17.2. Specification 4.3.18.2. Specification
Specified in RFC 4727 [RFC4727] in the context of RFC3692-style Specified in RFC 4727 [RFC4727] in the context of RFC3692-style
experiments. experiments.
4.3.17.3. Specific Security Implications 4.3.18.3. Specific Security Implications
The specific security implications will depend on the specific use of The specific security implications will depend on the specific use of
these options. these options.
4.3.17.4. Operational and Interoperability Impact if Blocked 4.3.18.4. Operational and Interoperability Impact if Blocked
For obvious reasons, discarding packets that contain these options For obvious reasons, discarding packets that contain these options
limits the ability to perform legitimate experiments across IPv6 limits the ability to perform legitimate experiments across IPv6
routers. routers.
4.3.17.5. Advice 4.3.18.5. Advice
Intermediate systems should discard packets that contain these Intermediate systems should discard packets that contain these
options. Only in specific environments where RFC3692-style options. Only in specific environments where RFC3692-style
experiments are meant to be performed should these options be experiments are meant to be performed should these options be
permitted. permitted.
4.4. Advice on the handling of Packets with Unknown IPv6 Options 4.4. Advice on the handling of Packets with Unknown IPv6 Options
We refer to IPv6 options that have not been assigned an IPv6 option We refer to IPv6 options that have not been assigned an IPv6 option
type in the corresponding registry ([IANA-IPV6-PARAM]) as "unknown type in the corresponding registry ([IANA-IPV6-PARAM]) as "unknown
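Review bot: "INLPv6" in the ILNP Nonce impact subsection ("Discarding packets that contain this option will break INLPv6 deployments.") is a typo for "ILNPv6", the name used in the Uses subsection just above it, and it survives unchanged in the -05 column; the same holds for "droping" in the IP_DFF impact paragraph. In that IP_DFF paragraph, "dropping such packets at the border of such domains will have no security implications" answers the wrong question for a subsection titled "Operational and Interoperability Impact if Blocked"; the parallel MPL text reads "will have no negative impact", and that wording fits here as well. Finally, the MPL and IP_DFF impact subsections both state that dropping at the border of the respective domain is harmless, yet the MPL advice is "should not discard" while the IP_DFF advice is "should discard" outside a DFF domain; a sentence explaining why the two cases are treated differently would help an operator applying both.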
skipping to change at page 29, line 27 skipping to change at page 29, line 27
This document provides advice on the filtering of IPv6 packets that This document provides advice on the filtering of IPv6 packets that
contain IPv6 EHs (and possibly IPv6 options) at IPv6 transit routers. contain IPv6 EHs (and possibly IPv6 options) at IPv6 transit routers.
It is meant to improve the current situation of widespread dropping It is meant to improve the current situation of widespread dropping
of such IPv6 packets in those cases where the drops result from of such IPv6 packets in those cases where the drops result from
improper configuration defaults, or inappropriate advice in this improper configuration defaults, or inappropriate advice in this
area. area.
7. Acknowledgements 7. Acknowledgements
The authors would like to thank Ron Bonica for his work on earlier
versions of this document.
The authors of this document would like to thank (in alphabetical The authors of this document would like to thank (in alphabetical
order) Mikael Abrahamsson, Brian Carpenter, Mike Heard, Bob Hinden, order) Mikael Abrahamsson, Brian Carpenter, Mike Heard, Bob Hinden,
Jen Linkova, Carlos Pignataro, Donald Smith, Ole Troan, Gunter Van De Jen Linkova, Carlos Pignataro, Maria Ines Robles, Donald Smith,
Velde, and Eric Vyncke, for providing valuable comments on earlier Pascal Thubert, Ole Troan, Gunter Van De Velde, and Eric Vyncke, for
versions of this document. providing valuable comments on earlier versions of this document.
This document borrows some text an analysis from [RFC7126], authored This document borrows some text and analysis from [RFC7126], authored
by Fernando Gont, Randall Atkinson, and Carlos Pignataro. by Fernando Gont, Randall Atkinson, and Carlos Pignataro.
8. References 8. References
8.1. Normative References 8.1. Normative References
[draft-gont-6man-ipv6-opt-transmit] [I-D.ietf-roll-useofrplinfo]
Gont, F., Liu, W., and R. Bonica, "Transmission and Robles, I., Richardson, M., and P. Thubert, "When to use
Processing of IPv6 Options", IETF Internet Draft, work in RFC 6553, 6554 and IPv6-in-IPv6",
progress, August 2014. draft-ietf-roll-useofrplinfo-22 (work in progress),
March 2018.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
DOI 10.17487/RFC2119, March 1997, RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S. [RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, DOI 10.17487/RFC2205, Functional Specification", RFC 2205, DOI 10.17487/RFC2205,
September 1997, <https://www.rfc-editor.org/info/rfc2205>. September 1997, <https://www.rfc-editor.org/info/rfc2205>.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <https://www.rfc-editor.org/info/rfc2460>. December 1998, <https://www.rfc-editor.org/info/rfc2460>.
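Review bot: the new entry [I-D.ietf-roll-useofrplinfo] is placed under 8.1 Normative References while marked "(work in progress)", and [draft-gont-6man-ipv6-opt-transmit] (August 2014, also work in progress) is likewise normative; a normative reference to an unpublished draft holds an RFC in the MISSREF queue until that draft is published, so unless the advice in this document genuinely depends on their content, both belong under 8.2 Informative References. The -05 correction of "some text an analysis" to "some text and analysis" in the Acknowledgements is right, and the new sentence crediting Ron Bonica is consistent with his removal from the author list in the header.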
skipping to change at page 30, line 32 skipping to change at page 30, line 41
[RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast [RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast
Listener Discovery (MLD) for IPv6", RFC 2710, Listener Discovery (MLD) for IPv6", RFC 2710,
DOI 10.17487/RFC2710, October 1999, DOI 10.17487/RFC2710, October 1999,
<https://www.rfc-editor.org/info/rfc2710>. <https://www.rfc-editor.org/info/rfc2710>.
[RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option", [RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option",
RFC 2711, DOI 10.17487/RFC2711, October 1999, RFC 2711, DOI 10.17487/RFC2711, October 1999,
<https://www.rfc-editor.org/info/rfc2711>. <https://www.rfc-editor.org/info/rfc2711>.
[RFC3692] Narten, T., "Assigning Experimental and Testing Numbers [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers
Considered Useful", BCP 82, RFC 3692, Considered Useful", BCP 82, RFC 3692, DOI 10.17487/
DOI 10.17487/RFC3692, January 2004, RFC3692, January 2004,
<https://www.rfc-editor.org/info/rfc3692>. <https://www.rfc-editor.org/info/rfc3692>.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
DOI 10.17487/RFC4302, December 2005, DOI 10.17487/RFC4302, December 2005,
<https://www.rfc-editor.org/info/rfc4302>. <https://www.rfc-editor.org/info/rfc4302>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, DOI 10.17487/RFC4303, December 2005, RFC 4303, DOI 10.17487/RFC4303, December 2005,
<https://www.rfc-editor.org/info/rfc4303>. <https://www.rfc-editor.org/info/rfc4303>.
[RFC4304] Kent, S., "Extended Sequence Number (ESN) Addendum to [RFC4304] Kent, S., "Extended Sequence Number (ESN) Addendum to
IPsec Domain of Interpretation (DOI) for Internet Security IPsec Domain of Interpretation (DOI) for Internet Security
Association and Key Management Protocol (ISAKMP)", Association and Key Management Protocol (ISAKMP)",
RFC 4304, DOI 10.17487/RFC4304, December 2005, RFC 4304, DOI 10.17487/RFC4304, December 2005,
<https://www.rfc-editor.org/info/rfc4304>. <https://www.rfc-editor.org/info/rfc4304>.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, ICMPv6, UDP, and TCP Headers", RFC 4727, DOI 10.17487/
DOI 10.17487/RFC4727, November 2006, RFC4727, November 2006,
<https://www.rfc-editor.org/info/rfc4727>. <https://www.rfc-editor.org/info/rfc4727>.
[RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick- [RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
Start for TCP and IP", RFC 4782, DOI 10.17487/RFC4782, Start for TCP and IP", RFC 4782, DOI 10.17487/RFC4782,
January 2007, <https://www.rfc-editor.org/info/rfc4782>. January 2007, <https://www.rfc-editor.org/info/rfc4782>.
[RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
of Type 0 Routing Headers in IPv6", RFC 5095, of Type 0 Routing Headers in IPv6", RFC 5095,
DOI 10.17487/RFC5095, December 2007, DOI 10.17487/RFC5095, December 2007,
<https://www.rfc-editor.org/info/rfc5095>. <https://www.rfc-editor.org/info/rfc5095>.
skipping to change at page 31, line 34 skipping to change at page 31, line 40
[RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533, Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533,
June 2009, <https://www.rfc-editor.org/info/rfc5533>. June 2009, <https://www.rfc-editor.org/info/rfc5533>.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, DOI 10.17487/RFC5570, July 2009, RFC 5570, DOI 10.17487/RFC5570, July 2009,
<https://www.rfc-editor.org/info/rfc5570>. <https://www.rfc-editor.org/info/rfc5570>.
[RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility [RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility
Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July Support in IPv6", RFC 6275, DOI 10.17487/RFC6275,
2011, <https://www.rfc-editor.org/info/rfc6275>. July 2011, <https://www.rfc-editor.org/info/rfc6275>.
[RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and [RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, October Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398,
2011, <https://www.rfc-editor.org/info/rfc6398>. October 2011, <https://www.rfc-editor.org/info/rfc6398>.
[RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
JP., and R. Alexander, "RPL: IPv6 Routing Protocol for JP., and R. Alexander, "RPL: IPv6 Routing Protocol for
Low-Power and Lossy Networks", RFC 6550, Low-Power and Lossy Networks", RFC 6550, DOI 10.17487/
DOI 10.17487/RFC6550, March 2012, RFC6550, March 2012,
<https://www.rfc-editor.org/info/rfc6550>. <https://www.rfc-editor.org/info/rfc6550>.
[RFC6553] Hui, J. and JP. Vasseur, "The Routing Protocol for Low- [RFC6553] Hui, J. and JP. Vasseur, "The Routing Protocol for Low-
Power and Lossy Networks (RPL) Option for Carrying RPL Power and Lossy Networks (RPL) Option for Carrying RPL
Information in Data-Plane Datagrams", RFC 6553, Information in Data-Plane Datagrams", RFC 6553,
DOI 10.17487/RFC6553, March 2012, DOI 10.17487/RFC6553, March 2012,
<https://www.rfc-editor.org/info/rfc6553>. <https://www.rfc-editor.org/info/rfc6553>.
[RFC6554] Hui, J., Vasseur, JP., Culler, D., and V. Manral, "An IPv6 [RFC6554] Hui, J., Vasseur, JP., Culler, D., and V. Manral, "An IPv6
Routing Header for Source Routes with the Routing Protocol Routing Header for Source Routes with the Routing Protocol
skipping to change at page 32, line 22 skipping to change at page 32, line 28
RFC 6621, DOI 10.17487/RFC6621, May 2012, RFC 6621, DOI 10.17487/RFC6621, May 2012,
<https://www.rfc-editor.org/info/rfc6621>. <https://www.rfc-editor.org/info/rfc6621>.
[RFC6740] Atkinson, RJ. and SN. Bhatti, "Identifier-Locator Network [RFC6740] Atkinson, RJ. and SN. Bhatti, "Identifier-Locator Network
Protocol (ILNP) Architectural Description", RFC 6740, Protocol (ILNP) Architectural Description", RFC 6740,
DOI 10.17487/RFC6740, November 2012, DOI 10.17487/RFC6740, November 2012,
<https://www.rfc-editor.org/info/rfc6740>. <https://www.rfc-editor.org/info/rfc6740>.
[RFC6744] Atkinson, RJ. and SN. Bhatti, "IPv6 Nonce Destination [RFC6744] Atkinson, RJ. and SN. Bhatti, "IPv6 Nonce Destination
Option for the Identifier-Locator Network Protocol for Option for the Identifier-Locator Network Protocol for
IPv6 (ILNPv6)", RFC 6744, DOI 10.17487/RFC6744, November IPv6 (ILNPv6)", RFC 6744, DOI 10.17487/RFC6744,
2012, <https://www.rfc-editor.org/info/rfc6744>. November 2012, <https://www.rfc-editor.org/info/rfc6744>.
[RFC6788] Krishnan, S., Kavanagh, A., Varga, B., Ooghe, S., and E. [RFC6788] Krishnan, S., Kavanagh, A., Varga, B., Ooghe, S., and E.
Nordmark, "The Line-Identification Option", RFC 6788, Nordmark, "The Line-Identification Option", RFC 6788,
DOI 10.17487/RFC6788, November 2012, DOI 10.17487/RFC6788, November 2012,
<https://www.rfc-editor.org/info/rfc6788>. <https://www.rfc-editor.org/info/rfc6788>.
[RFC6971] Herberg, U., Ed., Cardenas, A., Iwao, T., Dow, M., and S. [RFC6971] Herberg, U., Ed., Cardenas, A., Iwao, T., Dow, M., and S.
Cespedes, "Depth-First Forwarding (DFF) in Unreliable Cespedes, "Depth-First Forwarding (DFF) in Unreliable
Networks", RFC 6971, DOI 10.17487/RFC6971, June 2013, Networks", RFC 6971, DOI 10.17487/RFC6971, June 2013,
<https://www.rfc-editor.org/info/rfc6971>. <https://www.rfc-editor.org/info/rfc6971>.
[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing
of IPv6 Extension Headers", RFC 7045, of IPv6 Extension Headers", RFC 7045, DOI 10.17487/
DOI 10.17487/RFC7045, December 2013, RFC7045, December 2013,
<https://www.rfc-editor.org/info/rfc7045>. <https://www.rfc-editor.org/info/rfc7045>.
[RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of
Oversized IPv6 Header Chains", RFC 7112, Oversized IPv6 Header Chains", RFC 7112, DOI 10.17487/
DOI 10.17487/RFC7112, January 2014, RFC7112, January 2014,
<https://www.rfc-editor.org/info/rfc7112>. <https://www.rfc-editor.org/info/rfc7112>.
[RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power [RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power
and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731, and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731,
February 2016, <https://www.rfc-editor.org/info/rfc7731>. February 2016, <https://www.rfc-editor.org/info/rfc7731>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200, (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/
DOI 10.17487/RFC8200, July 2017, RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>. <https://www.rfc-editor.org/info/rfc8200>.
[draft-gont-6man-ipv6-opt-transmit]
Gont, F., Liu, W., and R. Bonica, "Transmission and
Processing of IPv6 Options", IETF Internet Draft, work in
progress, August 2014.
8.2. Informative References 8.2. Informative References
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference, 2007, CanSecWest 2007 Security Conference, 2007,
<http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>. <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>.
[Cisco-EH] [Cisco-EH]
Cisco Systems, "IPv6 Extension Headers Review and Cisco Systems, "IPv6 Extension Headers Review and
Considerations", Whitepaper. October 2006, Considerations", Whitepaper. October 2006, <http://
<http://www.cisco.com/en/US/technologies/tk648/tk872/ www.cisco.com/en/US/technologies/tk648/tk872/
technologies_white_paper0900aecd8054d37d.pdf>. technologies_white_paper0900aecd8054d37d.pdf>.
[draft-ietf-nimrod-eid]
Lynn, C., "Endpoint Identifier Destination Option", IETF
Internet Draft, draft-ietf-nimrod-eid-00.txt, November
1995.
[FW-Benchmark] [FW-Benchmark]
Zack, E., "Firewall Security Assessment and Benchmarking Zack, E., "Firewall Security Assessment and Benchmarking
IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1, IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1,
Berlin, Germany. June 30, 2013, Berlin, Germany. June 30, 2013, <http://
<http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack- www.ipv6hackers.org/meetings/ipv6-hackers-1/
ipv6hackers1-firewall-security-assessment-and- zack-ipv6hackers1-firewall-security-assessment-and-
benchmarking.pdf>. benchmarking.pdf>.
[I-D.gont-predictable-numeric-ids] [I-D.gont-predictable-numeric-ids]
Gont, F. and I. Arce, "Security and Privacy Implications Gont, F. and I. Arce, "Security and Privacy Implications
of Numeric Identifiers Employed in Network Protocols", of Numeric Identifiers Employed in Network Protocols",
draft-gont-predictable-numeric-ids-01 (work in progress), draft-gont-predictable-numeric-ids-02 (work in progress),
July 2017. February 2018.
[I-D.gont-v6ops-ipv6-ehs-packet-drops] [I-D.gont-v6ops-ipv6-ehs-packet-drops]
Gont, F., Hilliard, N., Doering, G., (Will), S., and W. Gont, F., Hilliard, N., Doering, G., (Will), S., and W.
Kumari, "Operational Implications of IPv6 Packets with Kumari, "Operational Implications of IPv6 Packets with
Extension Headers", draft-gont-v6ops-ipv6-ehs-packet- Extension Headers",
drops-03 (work in progress), March 2016. draft-gont-v6ops-ipv6-ehs-packet-drops-03 (work in
progress), March 2016.
[I-D.ietf-6man-hbh-header-handling] [I-D.ietf-6man-hbh-header-handling]
Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options
Extension Header", draft-ietf-6man-hbh-header-handling-03 Extension Header", draft-ietf-6man-hbh-header-handling-03
(work in progress), March 2016. (work in progress), March 2016.
[IANA-IPV6-PARAM] [IANA-IPV6-PARAM]
Internet Assigned Numbers Authority, "Internet Protocol Internet Assigned Numbers Authority, "Internet Protocol
Version 6 (IPv6) Parameters", December 2013, Version 6 (IPv6) Parameters", December 2013, <http://
<http://www.iana.org/assignments/ipv6-parameters/ www.iana.org/assignments/ipv6-parameters/
ipv6-parameters.xhtml>. ipv6-parameters.xhtml>.
[IANA-PROTOCOLS] [IANA-PROTOCOLS]
Internet Assigned Numbers Authority, "Protocol Numbers", Internet Assigned Numbers Authority, "Protocol Numbers",
2014, <http://www.iana.org/assignments/protocol-numbers/ 2014, <http://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>. protocol-numbers.xhtml>.
[NIMROD-DOC] [NIMROD-DOC]
Nimrod Documentation Page, Nimrod Documentation Page,
"http://ana-3.lcs.mit.edu/~jnc/nimrod/". "http://ana-3.lcs.mit.edu/~jnc/nimrod/".
[RFC3871] Jones, G., Ed., "Operational Security Requirements for [RFC3871] Jones, G., Ed., "Operational Security Requirements for
Large Internet Service Provider (ISP) IP Network Large Internet Service Provider (ISP) IP Network
Infrastructure", RFC 3871, DOI 10.17487/RFC3871, September Infrastructure", RFC 3871, DOI 10.17487/RFC3871,
2004, <https://www.rfc-editor.org/info/rfc3871>. September 2004, <https://www.rfc-editor.org/info/rfc3871>.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, DOI 10.17487/RFC6192, Router Control Plane", RFC 6192, DOI 10.17487/RFC6192,
March 2011, <https://www.rfc-editor.org/info/rfc6192>. March 2011, <https://www.rfc-editor.org/info/rfc6192>.
[RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations [RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations
on Filtering of IPv4 Packets Containing IPv4 Options", on Filtering of IPv4 Packets Containing IPv4 Options",
BCP 186, RFC 7126, DOI 10.17487/RFC7126, February 2014, BCP 186, RFC 7126, DOI 10.17487/RFC7126, February 2014,
<https://www.rfc-editor.org/info/rfc7126>. <https://www.rfc-editor.org/info/rfc7126>.
[RFC7739] Gont, F., "Security Implications of Predictable Fragment [RFC7739] Gont, F., "Security Implications of Predictable Fragment
Identification Values", RFC 7739, DOI 10.17487/RFC7739, Identification Values", RFC 7739, DOI 10.17487/RFC7739,
February 2016, <https://www.rfc-editor.org/info/rfc7739>. February 2016, <https://www.rfc-editor.org/info/rfc7739>.
[RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu, [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu,
"Observations on the Dropping of Packets with IPv6 "Observations on the Dropping of Packets with IPv6
Extension Headers in the Real World", RFC 7872, Extension Headers in the Real World", RFC 7872,
DOI 10.17487/RFC7872, June 2016, DOI 10.17487/RFC7872, June 2016,
<https://www.rfc-editor.org/info/rfc7872>. <https://www.rfc-editor.org/info/rfc7872>.
[draft-ietf-nimrod-eid]
Lynn, C., "Endpoint Identifier Destination Option", IETF
Internet Draft, draft-ietf-nimrod-eid-00.txt,
November 1995.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
UTN-FRH / SI6 Networks UTN-FRH / SI6 Networks
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
Email: fgont@si6networks.com Email: fgont@si6networks.com
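Review bot: [draft-ietf-nimrod-eid] ("Endpoint Identifier Destination Option") appears in the informative references (moved to the end of 8.2 in -05), but the Endpoint Identification section cites only [NIMROD-DOC] as the option's specification; either cite the draft in the Specification subsection, where it is the more precise source, or drop the unused entry. The [NIMROD-DOC] entry itself has no author, date or retrieval date and wraps its URL in quotes rather than the angle brackets every other entry uses. The relocation of [draft-gont-6man-ipv6-opt-transmit] to the end of 8.1 and of [draft-ietf-nimrod-eid] to the end of 8.2 is only a sort-order change and needs no action.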
skipping to change at page 35, line 4 skipping to change at page 35, line 16
Fernando Gont Fernando Gont
UTN-FRH / SI6 Networks UTN-FRH / SI6 Networks
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
Email: fgont@si6networks.com Email: fgont@si6networks.com
URI: http://www.si6networks.com URI: http://www.si6networks.com
Will(Shucheng) Liu Will(Shucheng) Liu
Huawei Technologies Huawei Technologies
Bantian, Longgang District Bantian, Longgang District
Shenzhen 518129 Shenzhen 518129
P.R. China P.R. China
Email: liushucheng@huawei.com Email: liushucheng@huawei.com
Ronald P. Bonica
Juniper Networks
2251 Corporate Park Drive
Herndon, VA 20171
US
Phone: 571 250 5819
Email: rbonica@juniper.net
 End of changes. 129 change blocks. 
177 lines changed or deleted 214 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/