draft-ietf-opsec-ipv6-eh-filtering-07.txt   draft-ietf-opsec-ipv6-eh-filtering-08.txt 
opsec F. Gont opsec F. Gont
Internet-Draft SI6 Networks Internet-Draft SI6 Networks
Intended status: Informational W. Liu Intended status: Informational W. Liu
Expires: July 23, 2021 Huawei Technologies Expires: December 5, 2021 Huawei Technologies
January 19, 2021 June 3, 2021
Recommendations on the Filtering of IPv6 Packets Containing IPv6 Recommendations on the Filtering of IPv6 Packets Containing IPv6
Extension Headers at Transit Routers Extension Headers at Transit Routers
draft-ietf-opsec-ipv6-eh-filtering-07 draft-ietf-opsec-ipv6-eh-filtering-08
Abstract Abstract
This document analyzes the security implications of IPv6 Extension This document analyzes the security implications of IPv6 Extension
Headers and associated IPv6 options. Additionally, it discusses the Headers and associated IPv6 options. Additionally, it discusses the
operational and interoperability implications of discarding packets operational and interoperability implications of discarding packets
based on the IPv6 Extension Headers and IPv6 options they contain. based on the IPv6 Extension Headers and IPv6 options they contain.
Finally, it provides advice on the filtering of such IPv6 packets at Finally, it provides advice on the filtering of such IPv6 packets at
transit routers for traffic *not* directed to them, for those cases transit routers for traffic *not* directed to them, for those cases
where such filtering is deemed as necessary. where such filtering is deemed as necessary.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 23, 2021. This Internet-Draft will expire on December 5, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 39 skipping to change at page 4, line 39
EHs at transit routers for traffic *not* explicitly destined to them, EHs at transit routers for traffic *not* explicitly destined to them,
for cases in which such filtering is deemed as necessary. for cases in which such filtering is deemed as necessary.
2.3. Conventions 2.3. Conventions
This document assumes that nodes comply with the requirements in This document assumes that nodes comply with the requirements in
[RFC7045]. Namely, [RFC7045]. Namely,
o If a forwarding node discards a packet containing a standard IPv6 o If a forwarding node discards a packet containing a standard IPv6
EH, it MUST be the result of a configurable policy and not just EH, it MUST be the result of a configurable policy and not just
the result of a failure to recognise such a header. the result of a failure to recognize such a header.
o The discard policy for each standard type of EH MUST be o The discard policy for each standard type of EH MUST be
individually configurable. individually configurable.
o The default configuration should allow all standard IPv6 EHs. o The default configuration should allow all standard IPv6 EHs.
The advice provided in this document is only meant to guide an The advice provided in this document is only meant to guide an
operator in configuring forwarding devices, and is *not* to be operator in configuring forwarding devices, and is *not* to be
interpreted as advice regarding default configuration settings for interpreted as advice regarding default configuration settings for
network devices. That is, this document provides advice with respect network devices. That is, this document provides advice with respect
skipping to change at page 8, line 29 skipping to change at page 8, line 29
o Type 0x00: Pad1 [RFC8200] o Type 0x00: Pad1 [RFC8200]
o Type 0x01: PadN [RFC8200] o Type 0x01: PadN [RFC8200]
o Type 0x05: Router Alert [RFC2711] o Type 0x05: Router Alert [RFC2711]
o Type 0x07: CALIPSO [RFC5570] o Type 0x07: CALIPSO [RFC5570]
o Type 0x08: SMF_DPD [RFC6621] o Type 0x08: SMF_DPD [RFC6621]
o Type 0x23: RPL Option [I-D.ietf-roll-useofrplinfo] o Type 0x23: RPL Option [RFC9008]
o Type 0x26: Quick-Start [RFC4782] o Type 0x26: Quick-Start [RFC4782]
o Type 0x4D: (Deprecated) o Type 0x4D: (Deprecated)
o Type 0x63: RPL Option [RFC6553] o Type 0x63: RPL Option [RFC6553]
o Type 0x6D: MPL Option [RFC7731] o Type 0x6D: MPL Option [RFC7731]
o Type 0x8A: Endpoint Identification (Deprecated) o Type 0x8A: Endpoint Identification (Deprecated)
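Review bot: In this option list, Type 0x63 is still shown as plain "RPL Option [RFC6553]", while Section 4.3.4.2 now states that the option has been deprecated by [RFC9008]. The entries for 0x4D and 0x8A carry a "(Deprecated)" marker, so 0x63 should be marked the same way, or the two identically named RPL entries (0x23 and 0x63) otherwise distinguished, so that an operator building a filter from this list does not treat them as equivalent.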
skipping to change at page 15, line 9 skipping to change at page 15, line 9
3.4.8.1. Uses 3.4.8.1. Uses
This EH is employed with the Host Identity Protocol (HIP), an This EH is employed with the Host Identity Protocol (HIP), an
experimental protocol that allows consenting hosts to securely experimental protocol that allows consenting hosts to securely
establish and maintain shared IP-layer state, allowing separation of establish and maintain shared IP-layer state, allowing separation of
the identifier and locator roles of IP addresses, thereby enabling the identifier and locator roles of IP addresses, thereby enabling
continuity of communications across IP address changes. continuity of communications across IP address changes.
3.4.8.2. Specification 3.4.8.2. Specification
This EH is specified in [RFC5201]. This EH is specified in [RFC7401].
3.4.8.3. Specific Security Implications 3.4.8.3. Specific Security Implications
The security implications of the HIP header are discussed in detail The security implications of the HIP header are discussed in detail
in Section 8 of [RFC6275]. in Section 8 of [RFC6275].
3.4.8.4. Operational and Interoperability Impact if Blocked 3.4.8.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain the Host Identity Protocol would Discarding packets that contain the Host Identity Protocol would
break HIP deployments. break HIP deployments.
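Review bot: Section 3.4.8.3 still points to Section 8 of [RFC6275] for the security implications of the HIP header, but the reference list gives [RFC6275] as "Mobility Support in IPv6". Now that 3.4.8.2 cites [RFC7401] as the specification, that pointer should be checked and most likely changed to the security considerations of the HIP specification. Separately, 3.4.8.4 reads "packets that contain the Host Identity Protocol"; "the HIP header" would match the wording used in 3.4.8.3.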
skipping to change at page 20, line 8 skipping to change at page 20, line 8
4.3.4. RPL Option (Type=0x63) 4.3.4. RPL Option (Type=0x63)
4.3.4.1. Uses 4.3.4.1. Uses
The RPL Option provides a mechanism to include routing information The RPL Option provides a mechanism to include routing information
with each datagram that an RPL router forwards. with each datagram that an RPL router forwards.
4.3.4.2. Specification 4.3.4.2. Specification
This option was originally specified in [RFC6553]. It has been This option was originally specified in [RFC6553]. It has been
deprecated by [I-D.ietf-roll-useofrplinfo]. deprecated by [RFC9008].
4.3.4.3. Specific Security Implications 4.3.4.3. Specific Security Implications
Those described in [RFC6553]. Those described in [RFC6553].
4.3.4.4. Operational and Interoperability Impact if Blocked 4.3.4.4. Operational and Interoperability Impact if Blocked
This option is meant to be employed within an RPL instance. As a This option is meant to be employed within an RPL instance. As a
result, discarding packets based on the presence of this option (e.g. result, discarding packets based on the presence of this option (e.g.
at an ISP) will not result in interoperability implications. at an ISP) will not result in interoperability implications.
skipping to change at page 20, line 33 skipping to change at page 20, line 33
4.3.5. RPL Option (Type=0x23) 4.3.5. RPL Option (Type=0x23)
4.3.5.1. Uses 4.3.5.1. Uses
The RPL Option provides a mechanism to include routing information The RPL Option provides a mechanism to include routing information
with each datagram that an RPL router forwards. with each datagram that an RPL router forwards.
4.3.5.2. Specification 4.3.5.2. Specification
This option is specified in [I-D.ietf-roll-useofrplinfo]. This option is specified in [RFC9008].
4.3.5.3. Specific Security Implications 4.3.5.3. Specific Security Implications
Those described in [I-D.ietf-roll-useofrplinfo]. Those described in [RFC9008].
4.3.5.4. Operational and Interoperability Impact if Blocked 4.3.5.4. Operational and Interoperability Impact if Blocked
This option is meant to survive outside of an RPL instance. As a This option is meant to survive outside of an RPL instance. As a
result, discarding packets based on the presence of this option would result, discarding packets based on the presence of this option would
break some use cases for RPL (see [I-D.ietf-roll-useofrplinfo]). break some use cases for RPL (see [RFC9008]).
4.3.5.5. Advice 4.3.5.5. Advice
Intermediate systems should not discard IPv6 packets based on the Intermediate systems should not discard IPv6 packets based on the
presence of this option. presence of this option.
4.3.6. Tunnel Encapsulation Limit (Type=0x04) 4.3.6. Tunnel Encapsulation Limit (Type=0x04)
4.3.6.1. Uses 4.3.6.1. Uses
skipping to change at page 21, line 34 skipping to change at page 21, line 34
4.3.6.5. Advice 4.3.6.5. Advice
Intermediate systems should not discard packets based on the presence Intermediate systems should not discard packets based on the presence
of this option. of this option.
4.3.7. Router Alert (Type=0x05) 4.3.7. Router Alert (Type=0x05)
4.3.7.1. Uses 4.3.7.1. Uses
The Router Alert option [RFC2711] is typically employed for the RSVP The Router Alert option [RFC2711] is employed by a number of
protocol [RFC2205] and the MLD protocol [RFC2710]. protocols, including the Resource reSerVation Protocol (RSVP)
[RFC2205], Multicast Listener Discovery (MLD) [RFC2710] [RFC3810],
Multicast Router Discovery (MRD) [RFC4286], and General Internet
Signaling Transport (GIST) [RFC5971]. Its usage is discussed in
detail in [RFC6398].
4.3.7.2. Specification 4.3.7.2. Specification
This option is specified in [RFC2711]. This option is specified in [RFC2711].
4.3.7.3. Specific Security Implications 4.3.7.3. Specific Security Implications
Since this option causes the contents of the packet to be inspected Since this option causes the contents of the packet to be inspected
by the handling device, this option could be leveraged for performing by the handling device, this option could be leveraged for performing
DoS attacks. DoS attacks. The security implications of the Router Alert option
are discussed in detail in [RFC6398].
4.3.7.4. Operational and Interoperability Impact if Blocked 4.3.7.4. Operational and Interoperability Impact if Blocked
Discarding packets that contain this option would break RSVP and Discarding packets that contain this option would break any protocols
multicast deployments. that rely on them, such as RSVP and multicast deployments. Please
see Section 4.3.7.3 for further details.
4.3.7.5. Advice 4.3.7.5. Advice
Packets containing this option should be permitted in environments Packets containing this option should be permitted in environments
where support for RSVP, multicast routing, or similar protocols is where support for RSVP, multicast routing, or similar protocols is
desired. desired.
4.3.8. Quick-Start (Type=0x26) 4.3.8. Quick-Start (Type=0x26)
4.3.8.1. Uses 4.3.8.1. Uses
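Review bot: In the new 4.3.7.4 text, "Please see Section 4.3.7.3 for further details" sends the reader from the operational-impact subsection to the security-implications subsection, which itself only defers to [RFC6398]; cite [RFC6398] directly, or point to 4.3.7.1 where the dependent protocols are listed. In the same sentence, "any protocols that rely on them" has no plural antecedent (the subject is "this option"), so "rely on it" is the correct form. The advice in 4.3.7.5 is unchanged and names only "RSVP, multicast routing, or similar protocols"; consider aligning it with the extended list (MRD, GIST) now given in 4.3.7.1.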
skipping to change at page 31, line 32 skipping to change at page 31, line 32
Fernando would also like to thank Brian Carpenter and Ran Atkinson Fernando would also like to thank Brian Carpenter and Ran Atkinson
who, over the years, have answered many questions and provided who, over the years, have answered many questions and provided
valuable comments that have benefited his protocol-related work valuable comments that have benefited his protocol-related work
(including the present document). (including the present document).
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-roll-useofrplinfo]
Robles, I., Richardson, M., and P. Thubert, "Using RPI
Option Type, Routing Header for Source Routes and IPv6-in-
IPv6 encapsulation in the RPL Data Plane", draft-ietf-
roll-useofrplinfo-44 (work in progress), January 2021.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S. [RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S.
Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1
Functional Specification", RFC 2205, DOI 10.17487/RFC2205, Functional Specification", RFC 2205, DOI 10.17487/RFC2205,
September 1997, <https://www.rfc-editor.org/info/rfc2205>. September 1997, <https://www.rfc-editor.org/info/rfc2205>.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <https://www.rfc-editor.org/info/rfc2460>.
[RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473, IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473,
December 1998, <https://www.rfc-editor.org/info/rfc2473>. December 1998, <https://www.rfc-editor.org/info/rfc2473>.
[RFC2675] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms", [RFC2675] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms",
RFC 2675, DOI 10.17487/RFC2675, August 1999, RFC 2675, DOI 10.17487/RFC2675, August 1999,
<https://www.rfc-editor.org/info/rfc2675>. <https://www.rfc-editor.org/info/rfc2675>.
[RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast [RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast
Listener Discovery (MLD) for IPv6", RFC 2710, Listener Discovery (MLD) for IPv6", RFC 2710,
skipping to change at page 32, line 31 skipping to change at page 32, line 19
[RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option", [RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option",
RFC 2711, DOI 10.17487/RFC2711, October 1999, RFC 2711, DOI 10.17487/RFC2711, October 1999,
<https://www.rfc-editor.org/info/rfc2711>. <https://www.rfc-editor.org/info/rfc2711>.
[RFC3692] Narten, T., "Assigning Experimental and Testing Numbers [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers
Considered Useful", BCP 82, RFC 3692, Considered Useful", BCP 82, RFC 3692,
DOI 10.17487/RFC3692, January 2004, DOI 10.17487/RFC3692, January 2004,
<https://www.rfc-editor.org/info/rfc3692>. <https://www.rfc-editor.org/info/rfc3692>.
[RFC3810] Vida, R., Ed. and L. Costa, Ed., "Multicast Listener
Discovery Version 2 (MLDv2) for IPv6", RFC 3810,
DOI 10.17487/RFC3810, June 2004,
<https://www.rfc-editor.org/info/rfc3810>.
[RFC4286] Haberman, B. and J. Martin, "Multicast Router Discovery",
RFC 4286, DOI 10.17487/RFC4286, December 2005,
<https://www.rfc-editor.org/info/rfc4286>.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
DOI 10.17487/RFC4302, December 2005, DOI 10.17487/RFC4302, December 2005,
<https://www.rfc-editor.org/info/rfc4302>. <https://www.rfc-editor.org/info/rfc4302>.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, DOI 10.17487/RFC4303, December 2005, RFC 4303, DOI 10.17487/RFC4303, December 2005,
<https://www.rfc-editor.org/info/rfc4303>. <https://www.rfc-editor.org/info/rfc4303>.
[RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, ICMPv6, UDP, and TCP Headers", RFC 4727,
skipping to change at page 33, line 5 skipping to change at page 32, line 50
[RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick- [RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick-
Start for TCP and IP", RFC 4782, DOI 10.17487/RFC4782, Start for TCP and IP", RFC 4782, DOI 10.17487/RFC4782,
January 2007, <https://www.rfc-editor.org/info/rfc4782>. January 2007, <https://www.rfc-editor.org/info/rfc4782>.
[RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
of Type 0 Routing Headers in IPv6", RFC 5095, of Type 0 Routing Headers in IPv6", RFC 5095,
DOI 10.17487/RFC5095, December 2007, DOI 10.17487/RFC5095, December 2007,
<https://www.rfc-editor.org/info/rfc5095>. <https://www.rfc-editor.org/info/rfc5095>.
[RFC5201] Moskowitz, R., Nikander, P., Jokela, P., Ed., and T.
Henderson, "Host Identity Protocol", RFC 5201,
DOI 10.17487/RFC5201, April 2008,
<https://www.rfc-editor.org/info/rfc5201>.
[RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533, Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533,
June 2009, <https://www.rfc-editor.org/info/rfc5533>. June 2009, <https://www.rfc-editor.org/info/rfc5533>.
[RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common
Architecture Label IPv6 Security Option (CALIPSO)", Architecture Label IPv6 Security Option (CALIPSO)",
RFC 5570, DOI 10.17487/RFC5570, July 2009, RFC 5570, DOI 10.17487/RFC5570, July 2009,
<https://www.rfc-editor.org/info/rfc5570>. <https://www.rfc-editor.org/info/rfc5570>.
[RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General Internet
Signalling Transport", RFC 5971, DOI 10.17487/RFC5971,
October 2010, <https://www.rfc-editor.org/info/rfc5971>.
[RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility [RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility
Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July
2011, <https://www.rfc-editor.org/info/rfc6275>. 2011, <https://www.rfc-editor.org/info/rfc6275>.
[RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and [RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, October Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, October
2011, <https://www.rfc-editor.org/info/rfc6398>. 2011, <https://www.rfc-editor.org/info/rfc6398>.
[RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
skipping to change at page 34, line 35 skipping to change at page 34, line 30
[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing
of IPv6 Extension Headers", RFC 7045, of IPv6 Extension Headers", RFC 7045,
DOI 10.17487/RFC7045, December 2013, DOI 10.17487/RFC7045, December 2013,
<https://www.rfc-editor.org/info/rfc7045>. <https://www.rfc-editor.org/info/rfc7045>.
[RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of
Oversized IPv6 Header Chains", RFC 7112, Oversized IPv6 Header Chains", RFC 7112,
DOI 10.17487/RFC7112, January 2014, DOI 10.17487/RFC7112, January 2014,
<https://www.rfc-editor.org/info/rfc7112>. <https://www.rfc-editor.org/info/rfc7112>.
[RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
Henderson, "Host Identity Protocol Version 2 (HIPv2)",
RFC 7401, DOI 10.17487/RFC7401, April 2015,
<https://www.rfc-editor.org/info/rfc7401>.
[RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power [RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power
and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731, and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731,
February 2016, <https://www.rfc-editor.org/info/rfc7731>. February 2016, <https://www.rfc-editor.org/info/rfc7731>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", STD 86, RFC 8200, (IPv6) Specification", STD 86, RFC 8200,
skipping to change at page 35, line 10 skipping to change at page 35, line 10
[RFC8754] Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., [RFC8754] Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J.,
Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header
(SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020, (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020,
<https://www.rfc-editor.org/info/rfc8754>. <https://www.rfc-editor.org/info/rfc8754>.
[RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., [RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O.,
and F. Gont, "IP Fragmentation Considered Fragile", and F. Gont, "IP Fragmentation Considered Fragile",
BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020, BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020,
<https://www.rfc-editor.org/info/rfc8900>. <https://www.rfc-editor.org/info/rfc8900>.
[RFC9008] Robles, M., Richardson, M., and P. Thubert, "Using RPI
Option Type, Routing Header for Source Routes, and IPv6-
in-IPv6 Encapsulation in the RPL Data Plane", RFC 9008,
DOI 10.17487/RFC9008, April 2021,
<https://www.rfc-editor.org/info/rfc9008>.
9.2. Informative References 9.2. Informative References
[Biondi2007] [Biondi2007]
Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", Biondi, P. and A. Ebalard, "IPv6 Routing Header Security",
CanSecWest 2007 Security Conference, 2007, CanSecWest 2007 Security Conference, 2007,
<http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>. <http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf>.
[Cisco-EH] [Cisco-EH]
Cisco Systems, "IPv6 Extension Headers Review and Cisco Systems, "IPv6 Extension Headers Review and
Considerations", Whitepaper. October 2006, Considerations", Whitepaper. October 2006,
skipping to change at page 35, line 41 skipping to change at page 35, line 47
1995. 1995.
[FW-Benchmark] [FW-Benchmark]
Zack, E., "Firewall Security Assessment and Benchmarking Zack, E., "Firewall Security Assessment and Benchmarking
IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1, IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1,
Berlin, Germany. June 30, 2013, Berlin, Germany. June 30, 2013,
<http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack- <http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack-
ipv6hackers1-firewall-security-assessment-and- ipv6hackers1-firewall-security-assessment-and-
benchmarking.pdf>. benchmarking.pdf>.
[I-D.ietf-6man-hbh-header-handling]
Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options
Extension Header", draft-ietf-6man-hbh-header-handling-03
(work in progress), March 2016.
[I-D.ietf-v6ops-ipv6-ehs-packet-drops] [I-D.ietf-v6ops-ipv6-ehs-packet-drops]
Gont, F., Hilliard, N., Doering, G., Kumari, W., Huston, Gont, F., Hilliard, N., Doering, G., Kumari, W., Huston,
G., and W. LIU, "Operational Implications of IPv6 Packets G., and W. (. Liu, "Operational Implications of IPv6
with Extension Headers", draft-ietf-v6ops-ipv6-ehs-packet- Packets with Extension Headers", draft-ietf-v6ops-ipv6-
drops-03 (work in progress), January 2021. ehs-packet-drops-06 (work in progress), April 2021.
[I-D.irtf-pearg-numeric-ids-generation] [I-D.irtf-pearg-numeric-ids-generation]
Gont, F. and I. Arce, "On the Generation of Transient Gont, F. and I. Arce, "On the Generation of Transient
Numeric Identifiers", draft-irtf-pearg-numeric-ids- Numeric Identifiers", draft-irtf-pearg-numeric-ids-
generation-06 (work in progress), January 2021. generation-07 (work in progress), February 2021.
[IANA-IPV6-PARAM] [IANA-IPV6-PARAM]
Internet Assigned Numbers Authority, "Internet Protocol Internet Assigned Numbers Authority, "Internet Protocol
Version 6 (IPv6) Parameters", December 2013, Version 6 (IPv6) Parameters", December 2013,
<http://www.iana.org/assignments/ipv6-parameters/ <http://www.iana.org/assignments/ipv6-parameters/
ipv6-parameters.xhtml>. ipv6-parameters.xhtml>.
[IANA-PROTOCOLS] [IANA-PROTOCOLS]
Internet Assigned Numbers Authority, "Protocol Numbers", Internet Assigned Numbers Authority, "Protocol Numbers",
2014, <http://www.iana.org/assignments/protocol-numbers/ 2014, <http://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>. protocol-numbers.xhtml>.
[NIMROD-DOC] [NIMROD-DOC]
Nimrod Documentation Page, Nimrod Documentation Page,
"http://ana-3.lcs.mit.edu/~jnc/nimrod/". "http://ana-3.lcs.mit.edu/~jnc/nimrod/".
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <https://www.rfc-editor.org/info/rfc2460>.
[RFC3871] Jones, G., Ed., "Operational Security Requirements for [RFC3871] Jones, G., Ed., "Operational Security Requirements for
Large Internet Service Provider (ISP) IP Network Large Internet Service Provider (ISP) IP Network
Infrastructure", RFC 3871, DOI 10.17487/RFC3871, September Infrastructure", RFC 3871, DOI 10.17487/RFC3871, September
2004, <https://www.rfc-editor.org/info/rfc3871>. 2004, <https://www.rfc-editor.org/info/rfc3871>.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, DOI 10.17487/RFC6192, Router Control Plane", RFC 6192, DOI 10.17487/RFC6192,
March 2011, <https://www.rfc-editor.org/info/rfc6192>. March 2011, <https://www.rfc-editor.org/info/rfc6192>.
[RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations [RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations
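Review bot: The updated [I-D.ietf-v6ops-ipv6-ehs-packet-drops] entry renders an author as "W. (. Liu", where -07 had "W. LIU". This looks like the parenthesised form of the name (the Authors' Addresses block now reads "Will (Shucheng) Liu") being mangled when the reference was regenerated, and it should be corrected to "W. Liu". The removal of [I-D.ietf-6man-hbh-header-handling] is only safe if no citation of it remains in the body, which the visible hunks do not show.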
skipping to change at page 37, line 16 skipping to change at page 37, line 16
Fernando Gont Fernando Gont
SI6 Networks SI6 Networks
Segurola y Habana 4310, 7mo Piso Segurola y Habana 4310, 7mo Piso
Villa Devoto, Ciudad Autonoma de Buenos Aires Villa Devoto, Ciudad Autonoma de Buenos Aires
Argentina Argentina
Email: fgont@si6networks.com Email: fgont@si6networks.com
URI: https://www.si6networks.com URI: https://www.si6networks.com
Will(Shucheng) Liu Will (Shucheng) Liu
Huawei Technologies Huawei Technologies
Bantian, Longgang District Bantian, Longgang District
Shenzhen 518129 Shenzhen 518129
P.R. China P.R. China
Email: liushucheng@huawei.com Email: liushucheng@huawei.com
 End of changes. 25 change blocks. 
41 lines changed or deleted 55 lines changed or added
