draft-ietf-opsec-ipv6-eh-filtering-05.txt   draft-ietf-opsec-ipv6-eh-filtering-06.txt 
opsec F. Gont opsec F. Gont
Internet-Draft UTN-FRH / SI6 Networks Internet-Draft UTN-FRH / SI6 Networks
Intended status: Informational W. Liu Intended status: Informational W. Liu
Expires: September 6, 2018 Huawei Technologies Expires: January 3, 2019 Huawei Technologies
March 5, 2018 July 2, 2018
Recommendations on the Filtering of IPv6 Packets Containing IPv6 Recommendations on the Filtering of IPv6 Packets Containing IPv6
Extension Headers Extension Headers
draft-ietf-opsec-ipv6-eh-filtering-05 draft-ietf-opsec-ipv6-eh-filtering-06
Abstract Abstract
It is common operator practice to mitigate security risks by It is common operator practice to mitigate security risks by
enforcing appropriate packet filtering. This document analyzes both enforcing appropriate packet filtering. This document analyzes both
the general security implications of IPv6 Extension Headers and the the general security implications of IPv6 Extension Headers and the
specific security implications of each Extension Header and Option specific security implications of each Extension Header and Option
type. Additionally, it discusses the operational and type. Additionally, it discusses the operational and
interoperability implications of discarding packets based on the IPv6 interoperability implications of discarding packets based on the IPv6
Extension Headers and IPv6 options they contain. Finally, it Extension Headers and IPv6 options they contain. Finally, it
provides advice on the filtering of such IPv6 packets at transit provides advice on the filtering of such IPv6 packets at transit
routers for traffic *not* directed to them, for those cases in which routers for traffic *not* directed to them, for those cases in which
such filtering is deemed as necessary. such filtering is deemed as necessary.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2018. This Internet-Draft will expire on January 3, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology and Conventions Used in This Document . . . . . . 4 2. Terminology and Conventions Used in This Document . . . . . . 3
2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2.2. Applicability Statement . . . . . . . . . . . . . . . . . 4 2.2. Applicability Statement . . . . . . . . . . . . . . . . . 4
2.3. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4
3. IPv6 Extension Headers . . . . . . . . . . . . . . . . . . . . 5 3. IPv6 Extension Headers . . . . . . . . . . . . . . . . . . . 5
3.1. General Discussion . . . . . . . . . . . . . . . . . . . . 5 3.1. General Discussion . . . . . . . . . . . . . . . . . . . 5
3.2. General Security Implications . . . . . . . . . . . . . . 6 3.2. General Security Implications . . . . . . . . . . . . . . 6
3.3. Summary of Advice on the Handling of IPv6 Packets with 3.3. Summary of Advice on the Handling of IPv6 Packets with
Specific IPv6 Extension Headers . . . . . . . . . . . . . 6 Specific IPv6 Extension Headers . . . . . . . . . . . . . 6
3.4. Advice on the Handling of IPv6 Packets with Specific 3.4. Advice on the Handling of IPv6 Packets with Specific IPv6
IPv6 Extension Headers . . . . . . . . . . . . . . . . . . 7 Extension Headers . . . . . . . . . . . . . . . . . . . . 7
3.5. Advice on the Handling of Packets with Unknown IPv6 3.5. Advice on the Handling of Packets with Unknown IPv6
Extension Headers . . . . . . . . . . . . . . . . . . . . 16 Extension Headers . . . . . . . . . . . . . . . . . . . . 16
4. IPv6 Options . . . . . . . . . . . . . . . . . . . . . . . . . 17 4. IPv6 Options . . . . . . . . . . . . . . . . . . . . . . . . 17
4.1. General Discussion . . . . . . . . . . . . . . . . . . . . 17 4.1. General Discussion . . . . . . . . . . . . . . . . . . . 17
4.2. General Security Implications of IPv6 Options . . . . . . 17 4.2. General Security Implications of IPv6 Options . . . . . . 17
4.3. Advice on the Handling of Packets with Specific IPv6 4.3. Advice on the Handling of Packets with Specific IPv6
Options . . . . . . . . . . . . . . . . . . . . . . . . . 17 Options . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.4. Advice on the handling of Packets with Unknown IPv6 4.4. Advice on the handling of Packets with Unknown IPv6
Options . . . . . . . . . . . . . . . . . . . . . . . . . 28 Options . . . . . . . . . . . . . . . . . . . . . . . . . 29
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
6. Security Considerations . . . . . . . . . . . . . . . . . . . 29 6. Security Considerations . . . . . . . . . . . . . . . . . . . 30
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 29 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 30
8.1. Normative References . . . . . . . . . . . . . . . . . . . 29 8.1. Normative References . . . . . . . . . . . . . . . . . . 30
8.2. Informative References . . . . . . . . . . . . . . . . . . 33 8.2. Informative References . . . . . . . . . . . . . . . . . 34
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35
1. Introduction 1. Introduction
Recent studies (see e.g. [RFC7872]) suggest that there is widespread Recent studies (see e.g. [RFC7872]) suggest that there is widespread
dropping of IPv6 packets that contain IPv6 Extension Headers (EHs). dropping of IPv6 packets that contain IPv6 Extension Headers (EHs).
In some cases, such packet drops occur at transit routers. While In some cases, such packet drops occur at transit routers. While
some operators "officially" drop packets that contain IPv6 EHs, it is some operators "officially" drop packets that contain IPv6 EHs, it is
possible that some of the measured packet drops be the result of possible that some of the measured packet drops be the result of
improper configuration defaults, or inappropriate advice in this improper configuration defaults, or inappropriate advice in this
area. area.
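Review bot: In the Table of Contents, entry 4.4 reads "Advice on the handling of Packets with Unknown IPv6 Options" with a lower-case "handling", while 3.3, 3.4, 3.5 and 4.3 capitalise "Handling"; the -06 column carries this over unchanged. Suggest fixing the section title in the source so the heading and the ToC entry match the others. In the Introduction, "some of the measured packet drops be the result of" would read better as "may be the result of".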
skipping to change at page 6, line 37 skipping to change at page 7, line 5
handling capabilities of different devices as they make deployment handling capabilities of different devices as they make deployment
decisions in future. decisions in future.
3.3. Summary of Advice on the Handling of IPv6 Packets with Specific 3.3. Summary of Advice on the Handling of IPv6 Packets with Specific
IPv6 Extension Headers IPv6 Extension Headers
This section summarizes the advice provided in Section 3.4, providing This section summarizes the advice provided in Section 3.4, providing
references to the specific sections in which a detailed analysis can references to the specific sections in which a detailed analysis can
be found. be found.
+----------------------------+---------------------+----------------+ +--------------------------+-----------------------+----------------+
| EH type | Filtering policy | Reference | | EH type | Filtering policy | Reference |
+----------------------------+---------------------+----------------+ +--------------------------+-----------------------+----------------+
| IPv6 Hop-by-Hop Options | Drop or Ignore | Section 3.4.1 | | IPv6 Hop-by-Hop Options | Drop or Ignore | Section 3.4.1 |
| (Proto=0) | | | | (Proto=0) | | |
+----------------------------+---------------------+----------------+ +--------------------------+-----------------------+----------------+
| Routing Header for IPv6 | Drop only RTH0, | Section 3.4.2 | | Routing Header for IPv6 | Drop only RTH0 and | Section 3.4.2 |
| (Proto=43) | Permit other RH | | | (Proto=43) | RTH1. Permit other RH | |
| | Types | | | | Types | |
+----------------------------+---------------------+----------------+ +--------------------------+-----------------------+----------------+
| Fragment Header for IPv6 | Permit | Section 3.4.3 | | Fragment Header for IPv6 | Permit | Section 3.4.3 |
| (Proto=44) | | | | (Proto=44) | | |
+----------------------------+---------------------+----------------+ +--------------------------+-----------------------+----------------+
| Encapsulating Security | Permit | Section 3.4.4 | | Encapsulating Security | Permit | Section 3.4.4 |
| Payload (Proto=50) | | | | Payload (Proto=50) | | |
+----------------------------+---------------------+----------------+ +--------------------------+-----------------------+----------------+
+----------------------------+---------------------+----------------+ | Authentication Header | Permit | Section 3.4.5 |
| Authentication Header | Permit | Section 3.4.5 | | (Proto=51) | | |
| (Proto=51) | | | +--------------------------+-----------------------+----------------+
+----------------------------+---------------------+----------------+ | Destination Options for | Permit | Section 3.4.6 |
| Destination Options for | Permit | Section 3.4.6 | | IPv6 (Proto=60) | | |
| IPv6 (Proto=60) | | | +--------------------------+-----------------------+----------------+
+----------------------------+---------------------+----------------+ | Mobility Header | Permit | Section 3.4.7 |
| Mobility Header | Permit | Section 3.4.7 | | (Proto=135) | | |
| (Proto=135) | | | +--------------------------+-----------------------+----------------+
+----------------------------+---------------------+----------------+ | Host Identity Protocol | Permit | Section 3.4.8 |
| Host Identity Protocol | Permit | Section 3.4.8 | | (Proto=139) | | |
| (Proto=139) | | | +--------------------------+-----------------------+----------------+
+----------------------------+---------------------+----------------+ | Shim6 Protocol | Permit | Section 3.4.9 |
| Shim6 Protocol (Proto=140) | Permit | Section 3.4.9 | | (Proto=140) | | |
+----------------------------+---------------------+----------------+ +--------------------------+-----------------------+----------------+
| Use for experimentation | Drop | Section 3.4.10 | | Use for experimentation | Drop | Section 3.4.10 |
| and testing (Proto=253 and | | | | and testing (Proto=253 | | |
| 254) | | | | and 254) | | |
+----------------------------+---------------------+----------------+ +--------------------------+-----------------------+----------------+
Table 1: Summary of Advice on the Handling of IPv6 Packets with Table 1: Summary of Advice on the Handling of IPv6 Packets with
Specific IPv6 Extension Headers Specific IPv6 Extension Headers
3.4. Advice on the Handling of IPv6 Packets with Specific IPv6 3.4. Advice on the Handling of IPv6 Packets with Specific IPv6
Extension Headers Extension Headers
3.4.1. IPv6 Hop-by-Hop Options (Protocol Number=0) 3.4.1. IPv6 Hop-by-Hop Options (Protocol Number=0)
3.4.1.1. Uses 3.4.1.1. Uses
The Hop-by-Hop Options header is used to carry optional information The Hop-by-Hop Options header is used to carry optional information
that may be examined by every node along a packet's delivery path. that may be examined by every node along a packet's delivery path.
It is expected that nodes will examine the Hop-by-Hop Options header It is expected that nodes will examine the Hop-by-Hop Options header
if explicitly configured to do so. if explicitly configured to do so.
NOTE: [RFC2460] required that all nodes examined and processed the NOTE: [RFC2460] required that all nodes examined and processed the
Hop-by-Hop Options header. However, even before the publication of Hop-by-Hop Options header. However, even before the publication of
[RFC8200] a number of implementations already provided the option of [RFC8200] a number of implementations already provided the option of
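Review bot: The Routing Header row of Table 1 now says "Drop only RTH0 and RTH1", but the abbreviation does not match the body text, which uses "RHT0" and "RHT1" in Section 3.4.2.5 and mixes both forms ("a RHT0 or RTH1") in Section 3.4.2.4. Suggest picking one spelling and using it in both the table and the section text, so that an operator searching the document for the routing type they filter finds every occurrence. The empty border row that followed the ESP entry in -05 is gone in -06, which is correct.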
skipping to change at page 10, line 29 skipping to change at page 10, line 46
o Type 255: Reserved o Type 255: Reserved
3.4.2.3. Specific Security Implications 3.4.2.3. Specific Security Implications
The security implications of RHT0 have been discussed in detail in The security implications of RHT0 have been discussed in detail in
[Biondi2007] and [RFC5095]. [Biondi2007] and [RFC5095].
3.4.2.4. Operational and Interoperability Impact if Blocked 3.4.2.4. Operational and Interoperability Impact if Blocked
Blocking packets containing a RHT0 or RTH1 has no operational Blocking packets containing a RHT0 or RTH1 has no operational
implications. However, blocking packets employing other routing implications, since both have been deprecated. However, blocking
header types will break the protocols that rely on them. packets employing other routing header types will break the protocols
that rely on them.
3.4.2.5. Advice 3.4.2.5. Advice
Intermediate systems should discard packets containing a RHT0 or Intermediate systems should discard packets containing a RHT0 or
RHT1. RHT2 and RHT3 should be permitted, as required by [RFC7045]. RHT1. Other routing header types should be permitted, as required by
Other routing header types should be discarded. [RFC7045].
3.4.3. Fragment Header for IPv6 (Protocol Number=44) 3.4.3. Fragment Header for IPv6 (Protocol Number=44)
3.4.3.1. Uses 3.4.3.1. Uses
This EH provides the fragmentation functionality for IPv6. This EH provides the fragmentation functionality for IPv6.
3.4.3.2. Specification 3.4.3.2. Specification
This EH is specified in [RFC8200]. This EH is specified in [RFC8200].
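Review bot: Section 3.4.2.5 in -06 drops the sentence "Other routing header types should be discarded" and instead permits every type other than RHT0 and RHT1, which as written also covers the "Type 255: Reserved" entry listed just above. Suggest stating explicitly whether reserved and unassigned Routing Types fall under "permit", since that is the case a filter author has to decide. Separately, Section 3.4.2.3 still discusses only RHT0 ([Biondi2007], [RFC5095]); the new "since both have been deprecated" in Section 3.4.2.4 would be easier to verify with a reference for the RHT1 deprecation.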
skipping to change at page 15, line 14 skipping to change at page 15, line 32
3.4.9.1. Uses 3.4.9.1. Uses
This EH is employed by the Shim6 [RFC5533] Protocol. This EH is employed by the Shim6 [RFC5533] Protocol.
3.4.9.2. Specification 3.4.9.2. Specification
This EH is specified in [RFC5533]. This EH is specified in [RFC5533].
3.4.9.3. Specific Security Implications 3.4.9.3. Specific Security Implications
The specific security implications are discussed in detail in Section The specific security implications are discussed in detail in
16 of [RFC5533]. Section 16 of [RFC5533].
3.4.9.4. Operational and Interoperability Impact if Blocked 3.4.9.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain this EH will break Shim6. Discarding packets that contain this EH will break Shim6.
3.4.9.5. Advice 3.4.9.5. Advice
Intermediate systems should permit packets containing this EH. Intermediate systems should permit packets containing this EH.
3.4.10. Use for experimentation and testing (Protocol Numbers=253 and 3.4.10. Use for experimentation and testing (Protocol Numbers=253 and
skipping to change at page 29, line 31 skipping to change at page 30, line 20
of such IPv6 packets in those cases where the drops result from of such IPv6 packets in those cases where the drops result from
improper configuration defaults, or inappropriate advice in this improper configuration defaults, or inappropriate advice in this
area. area.
7. Acknowledgements 7. Acknowledgements
The authors would like to thank Ron Bonica for his work on earlier The authors would like to thank Ron Bonica for his work on earlier
versions of this document. versions of this document.
The authors of this document would like to thank (in alphabetical The authors of this document would like to thank (in alphabetical
order) Mikael Abrahamsson, Brian Carpenter, Mike Heard, Bob Hinden, order) Mikael Abrahamsson, Brian Carpenter, Darren Dukes, Mike Heard,
Jen Linkova, Carlos Pignataro, Maria Ines Robles, Donald Smith, Bob Hinden, Jen Linkova, Carlos Pignataro, Maria Ines Robles, Donald
Pascal Thubert, Ole Troan, Gunter Van De Velde, and Eric Vyncke, for Smith, Pascal Thubert, Ole Troan, Gunter Van De Velde, and Eric
providing valuable comments on earlier versions of this document. Vyncke, for providing valuable comments on earlier versions of this
document.
This document borrows some text and analysis from [RFC7126], authored This document borrows some text and analysis from [RFC7126], authored
by Fernando Gont, Randall Atkinson, and Carlos Pignataro. by Fernando Gont, Randall Atkinson, and Carlos Pignataro.
Fernando Gont would like to thank Eric Vyncke for his guidance.
8. References 8. References
8.1. Normative References 8.1. Normative References
[draft-gont-6man-ipv6-opt-transmit]
Gont, F., Liu, W., and R. Bonica, "Transmission and
Processing of IPv6 Options", IETF Internet Draft, work in
progress, August 2014.
[I-D.ietf-roll-useofrplinfo] [I-D.ietf-roll-useofrplinfo]
Robles, I., Richardson, M., and P. Thubert, "When to use Robles, I., Richardson, M., and P. Thubert, "When to use
RFC 6553, 6554 and IPv6-in-IPv6", RFC 6553, 6554 and IPv6-in-IPv6", draft-ietf-roll-
draft-ietf-roll-useofrplinfo-22 (work in progress), useofrplinfo-23 (work in progress), May 2018.
March 2018.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S. [RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, DOI 10.17487/RFC2205, Functional Specification", RFC 2205, DOI 10.17487/RFC2205,
September 1997, <https://www.rfc-editor.org/info/rfc2205>. September 1997, <https://www.rfc-editor.org/info/rfc2205>.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <https://www.rfc-editor.org/info/rfc2460>. December 1998, <https://www.rfc-editor.org/info/rfc2460>.
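Review bot: [draft-gont-6man-ipv6-opt-transmit] is listed under 8.1 Normative References, yet the entry describes an Internet-Draft that is "work in progress" dated August 2014 and gives no draft version string, unlike [I-D.ietf-roll-useofrplinfo] next to it. Suggest either moving it to 8.2 Informative References or citing the exact revision, so readers can tell which text the filtering advice depends on.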
skipping to change at page 30, line 41 skipping to change at page 31, line 32
[RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast [RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast
Listener Discovery (MLD) for IPv6", RFC 2710, Listener Discovery (MLD) for IPv6", RFC 2710,
DOI 10.17487/RFC2710, October 1999, DOI 10.17487/RFC2710, October 1999,
<https://www.rfc-editor.org/info/rfc2710>. <https://www.rfc-editor.org/info/rfc2710>.
[RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option", [RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option",
RFC 2711, DOI 10.17487/RFC2711, October 1999, RFC 2711, DOI 10.17487/RFC2711, October 1999,
<https://www.rfc-editor.org/info/rfc2711>. <https://www.rfc-editor.org/info/rfc2711>.
[RFC3692] Narten, T., "Assigning Experimental and Testing Numbers [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers
Considered Useful", BCP 82, RFC 3692, DOI 10.17487/ Considered Useful", BCP 82, RFC 3692,
RFC3692, January 2004, DOI 10.17487/RFC3692, January 2004,
<https://www.rfc-editor.org/info/rfc3692>. <https://www.rfc-editor.org/info/rfc3692>.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
DOI 10.17487/RFC4302, December 2005, DOI 10.17487/RFC4302, December 2005,
<https://www.rfc-editor.org/info/rfc4302>. <https://www.rfc-editor.org/info/rfc4302>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, DOI 10.17487/RFC4303, December 2005, RFC 4303, DOI 10.17487/RFC4303, December 2005,
<https://www.rfc-editor.org/info/rfc4303>. <https://www.rfc-editor.org/info/rfc4303>.
[RFC4304] Kent, S., "Extended Sequence Number (ESN) Addendum to [RFC4304] Kent, S., "Extended Sequence Number (ESN) Addendum to
IPsec Domain of Interpretation (DOI) for Internet Security IPsec Domain of Interpretation (DOI) for Internet Security
Association and Key Management Protocol (ISAKMP)", Association and Key Management Protocol (ISAKMP)",
RFC 4304, DOI 10.17487/RFC4304, December 2005, RFC 4304, DOI 10.17487/RFC4304, December 2005,
<https://www.rfc-editor.org/info/rfc4304>. <https://www.rfc-editor.org/info/rfc4304>.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, DOI 10.17487/ ICMPv6, UDP, and TCP Headers", RFC 4727,
RFC4727, November 2006, DOI 10.17487/RFC4727, November 2006,
<https://www.rfc-editor.org/info/rfc4727>. <https://www.rfc-editor.org/info/rfc4727>.
[RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick- [RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
Start for TCP and IP", RFC 4782, DOI 10.17487/RFC4782, Start for TCP and IP", RFC 4782, DOI 10.17487/RFC4782,
January 2007, <https://www.rfc-editor.org/info/rfc4782>. January 2007, <https://www.rfc-editor.org/info/rfc4782>.
[RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
of Type 0 Routing Headers in IPv6", RFC 5095, of Type 0 Routing Headers in IPv6", RFC 5095,
DOI 10.17487/RFC5095, December 2007, DOI 10.17487/RFC5095, December 2007,
<https://www.rfc-editor.org/info/rfc5095>. <https://www.rfc-editor.org/info/rfc5095>.
skipping to change at page 31, line 40 skipping to change at page 32, line 34
[RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533, Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533,
June 2009, <https://www.rfc-editor.org/info/rfc5533>. June 2009, <https://www.rfc-editor.org/info/rfc5533>.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, DOI 10.17487/RFC5570, July 2009, RFC 5570, DOI 10.17487/RFC5570, July 2009,
<https://www.rfc-editor.org/info/rfc5570>. <https://www.rfc-editor.org/info/rfc5570>.
[RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility [RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility
Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July
July 2011, <https://www.rfc-editor.org/info/rfc6275>. 2011, <https://www.rfc-editor.org/info/rfc6275>.
[RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and [RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, October
October 2011, <https://www.rfc-editor.org/info/rfc6398>. 2011, <https://www.rfc-editor.org/info/rfc6398>.
[RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
JP., and R. Alexander, "RPL: IPv6 Routing Protocol for JP., and R. Alexander, "RPL: IPv6 Routing Protocol for
Low-Power and Lossy Networks", RFC 6550, DOI 10.17487/ Low-Power and Lossy Networks", RFC 6550,
RFC6550, March 2012, DOI 10.17487/RFC6550, March 2012,
<https://www.rfc-editor.org/info/rfc6550>. <https://www.rfc-editor.org/info/rfc6550>.
[RFC6553] Hui, J. and JP. Vasseur, "The Routing Protocol for Low- [RFC6553] Hui, J. and JP. Vasseur, "The Routing Protocol for Low-
Power and Lossy Networks (RPL) Option for Carrying RPL Power and Lossy Networks (RPL) Option for Carrying RPL
Information in Data-Plane Datagrams", RFC 6553, Information in Data-Plane Datagrams", RFC 6553,
DOI 10.17487/RFC6553, March 2012, DOI 10.17487/RFC6553, March 2012,
<https://www.rfc-editor.org/info/rfc6553>. <https://www.rfc-editor.org/info/rfc6553>.
[RFC6554] Hui, J., Vasseur, JP., Culler, D., and V. Manral, "An IPv6 [RFC6554] Hui, J., Vasseur, JP., Culler, D., and V. Manral, "An IPv6
Routing Header for Source Routes with the Routing Protocol Routing Header for Source Routes with the Routing Protocol
skipping to change at page 32, line 28 skipping to change at page 33, line 22
RFC 6621, DOI 10.17487/RFC6621, May 2012, RFC 6621, DOI 10.17487/RFC6621, May 2012,
<https://www.rfc-editor.org/info/rfc6621>. <https://www.rfc-editor.org/info/rfc6621>.
[RFC6740] Atkinson, RJ. and SN. Bhatti, "Identifier-Locator Network [RFC6740] Atkinson, RJ. and SN. Bhatti, "Identifier-Locator Network
Protocol (ILNP) Architectural Description", RFC 6740, Protocol (ILNP) Architectural Description", RFC 6740,
DOI 10.17487/RFC6740, November 2012, DOI 10.17487/RFC6740, November 2012,
<https://www.rfc-editor.org/info/rfc6740>. <https://www.rfc-editor.org/info/rfc6740>.
[RFC6744] Atkinson, RJ. and SN. Bhatti, "IPv6 Nonce Destination [RFC6744] Atkinson, RJ. and SN. Bhatti, "IPv6 Nonce Destination
Option for the Identifier-Locator Network Protocol for Option for the Identifier-Locator Network Protocol for
IPv6 (ILNPv6)", RFC 6744, DOI 10.17487/RFC6744, IPv6 (ILNPv6)", RFC 6744, DOI 10.17487/RFC6744, November
November 2012, <https://www.rfc-editor.org/info/rfc6744>. 2012, <https://www.rfc-editor.org/info/rfc6744>.
[RFC6788] Krishnan, S., Kavanagh, A., Varga, B., Ooghe, S., and E. [RFC6788] Krishnan, S., Kavanagh, A., Varga, B., Ooghe, S., and E.
Nordmark, "The Line-Identification Option", RFC 6788, Nordmark, "The Line-Identification Option", RFC 6788,
DOI 10.17487/RFC6788, November 2012, DOI 10.17487/RFC6788, November 2012,
<https://www.rfc-editor.org/info/rfc6788>. <https://www.rfc-editor.org/info/rfc6788>.
[RFC6971] Herberg, U., Ed., Cardenas, A., Iwao, T., Dow, M., and S. [RFC6971] Herberg, U., Ed., Cardenas, A., Iwao, T., Dow, M., and S.
Cespedes, "Depth-First Forwarding (DFF) in Unreliable Cespedes, "Depth-First Forwarding (DFF) in Unreliable
Networks", RFC 6971, DOI 10.17487/RFC6971, June 2013, Networks", RFC 6971, DOI 10.17487/RFC6971, June 2013,
<https://www.rfc-editor.org/info/rfc6971>. <https://www.rfc-editor.org/info/rfc6971>.
[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing
of IPv6 Extension Headers", RFC 7045, DOI 10.17487/ of IPv6 Extension Headers", RFC 7045,
RFC7045, December 2013, DOI 10.17487/RFC7045, December 2013,
<https://www.rfc-editor.org/info/rfc7045>. <https://www.rfc-editor.org/info/rfc7045>.
[RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of
Oversized IPv6 Header Chains", RFC 7112, DOI 10.17487/ Oversized IPv6 Header Chains", RFC 7112,
RFC7112, January 2014, DOI 10.17487/RFC7112, January 2014,
<https://www.rfc-editor.org/info/rfc7112>. <https://www.rfc-editor.org/info/rfc7112>.
[RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power [RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power
and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731, and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731,
February 2016, <https://www.rfc-editor.org/info/rfc7731>. February 2016, <https://www.rfc-editor.org/info/rfc7731>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/ (IPv6) Specification", STD 86, RFC 8200,
RFC8200, July 2017, DOI 10.17487/RFC8200, July 2017,
<https://www.rfc-editor.org/info/rfc8200>. <https://www.rfc-editor.org/info/rfc8200>.
[draft-gont-6man-ipv6-opt-transmit]
Gont, F., Liu, W., and R. Bonica, "Transmission and
Processing of IPv6 Options", IETF Internet Draft, work in
progress, August 2014.
8.2. Informative References 8.2. Informative References
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference, 2007, CanSecWest 2007 Security Conference, 2007,
<http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>. <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>.
[Cisco-EH] [Cisco-EH]
Cisco Systems, "IPv6 Extension Headers Review and Cisco Systems, "IPv6 Extension Headers Review and
Considerations", Whitepaper. October 2006, <http:// Considerations", Whitepaper. October 2006,
www.cisco.com/en/US/technologies/tk648/tk872/ <http://www.cisco.com/en/US/technologies/tk648/tk872/
technologies_white_paper0900aecd8054d37d.pdf>. technologies_white_paper0900aecd8054d37d.pdf>.
[draft-ietf-nimrod-eid]
Lynn, C., "Endpoint Identifier Destination Option", IETF
Internet Draft, draft-ietf-nimrod-eid-00.txt, November
1995.
[FW-Benchmark] [FW-Benchmark]
Zack, E., "Firewall Security Assessment and Benchmarking Zack, E., "Firewall Security Assessment and Benchmarking
IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1, IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1,
Berlin, Germany. June 30, 2013, <http:// Berlin, Germany. June 30, 2013,
www.ipv6hackers.org/meetings/ipv6-hackers-1/ <http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack-
zack-ipv6hackers1-firewall-security-assessment-and- ipv6hackers1-firewall-security-assessment-and-
benchmarking.pdf>. benchmarking.pdf>.
[I-D.gont-predictable-numeric-ids] [I-D.gont-predictable-numeric-ids]
Gont, F. and I. Arce, "Security and Privacy Implications Gont, F. and I. Arce, "Security and Privacy Implications
of Numeric Identifiers Employed in Network Protocols", of Numeric Identifiers Employed in Network Protocols",
draft-gont-predictable-numeric-ids-02 (work in progress), draft-gont-predictable-numeric-ids-02 (work in progress),
February 2018. February 2018.
[I-D.gont-v6ops-ipv6-ehs-packet-drops] [I-D.gont-v6ops-ipv6-ehs-packet-drops]
Gont, F., Hilliard, N., Doering, G., (Will), S., and W. Gont, F., Hilliard, N., Doering, G., (Will), S., and W.
Kumari, "Operational Implications of IPv6 Packets with Kumari, "Operational Implications of IPv6 Packets with
Extension Headers", Extension Headers", draft-gont-v6ops-ipv6-ehs-packet-
draft-gont-v6ops-ipv6-ehs-packet-drops-03 (work in drops-03 (work in progress), March 2016.
progress), March 2016.
[I-D.ietf-6man-hbh-header-handling] [I-D.ietf-6man-hbh-header-handling]
Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options
Extension Header", draft-ietf-6man-hbh-header-handling-03 Extension Header", draft-ietf-6man-hbh-header-handling-03
(work in progress), March 2016. (work in progress), March 2016.
[IANA-IPV6-PARAM] [IANA-IPV6-PARAM]
Internet Assigned Numbers Authority, "Internet Protocol Internet Assigned Numbers Authority, "Internet Protocol
Version 6 (IPv6) Parameters", December 2013, <http:// Version 6 (IPv6) Parameters", December 2013,
www.iana.org/assignments/ipv6-parameters/ <http://www.iana.org/assignments/ipv6-parameters/
ipv6-parameters.xhtml>. ipv6-parameters.xhtml>.
[IANA-PROTOCOLS] [IANA-PROTOCOLS]
Internet Assigned Numbers Authority, "Protocol Numbers", Internet Assigned Numbers Authority, "Protocol Numbers",
2014, <http://www.iana.org/assignments/protocol-numbers/ 2014, <http://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>. protocol-numbers.xhtml>.
[NIMROD-DOC] [NIMROD-DOC]
Nimrod Documentation Page, Nimrod Documentation Page,
"http://ana-3.lcs.mit.edu/~jnc/nimrod/". "http://ana-3.lcs.mit.edu/~jnc/nimrod/".
[RFC3871] Jones, G., Ed., "Operational Security Requirements for [RFC3871] Jones, G., Ed., "Operational Security Requirements for
Large Internet Service Provider (ISP) IP Network Large Internet Service Provider (ISP) IP Network
Infrastructure", RFC 3871, DOI 10.17487/RFC3871, Infrastructure", RFC 3871, DOI 10.17487/RFC3871, September
September 2004, <https://www.rfc-editor.org/info/rfc3871>. 2004, <https://www.rfc-editor.org/info/rfc3871>.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, DOI 10.17487/RFC6192, Router Control Plane", RFC 6192, DOI 10.17487/RFC6192,
March 2011, <https://www.rfc-editor.org/info/rfc6192>. March 2011, <https://www.rfc-editor.org/info/rfc6192>.
[RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations [RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations
on Filtering of IPv4 Packets Containing IPv4 Options", on Filtering of IPv4 Packets Containing IPv4 Options",
BCP 186, RFC 7126, DOI 10.17487/RFC7126, February 2014, BCP 186, RFC 7126, DOI 10.17487/RFC7126, February 2014,
<https://www.rfc-editor.org/info/rfc7126>. <https://www.rfc-editor.org/info/rfc7126>.
[RFC7739] Gont, F., "Security Implications of Predictable Fragment [RFC7739] Gont, F., "Security Implications of Predictable Fragment
Identification Values", RFC 7739, DOI 10.17487/RFC7739, Identification Values", RFC 7739, DOI 10.17487/RFC7739,
February 2016, <https://www.rfc-editor.org/info/rfc7739>. February 2016, <https://www.rfc-editor.org/info/rfc7739>.
[RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu, [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu,
"Observations on the Dropping of Packets with IPv6 "Observations on the Dropping of Packets with IPv6
Extension Headers in the Real World", RFC 7872, Extension Headers in the Real World", RFC 7872,
DOI 10.17487/RFC7872, June 2016, DOI 10.17487/RFC7872, June 2016,
<https://www.rfc-editor.org/info/rfc7872>. <https://www.rfc-editor.org/info/rfc7872>.
[draft-ietf-nimrod-eid]
Lynn, C., "Endpoint Identifier Destination Option", IETF
Internet Draft, draft-ietf-nimrod-eid-00.txt,
November 1995.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
UTN-FRH / SI6 Networks UTN-FRH / SI6 Networks
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
Email: fgont@si6networks.com Email: fgont@si6networks.com
 End of changes. 38 change blocks. 
122 lines changed or deleted 123 lines changed or added
