idnits 2.17.1 draft-irtf-rrg-ilnp-noncev6-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 1 character in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (10 July 2012) is 4280 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'RFC4984' is mentioned on line 104, but not defined == Missing Reference: 'RFC2780' is mentioned on line 500, but not defined == Unused Reference: 'ILNP-ADV' is defined on line 558, but no explicit reference was found in the text == Unused Reference: 'ILNP-ARP' is defined on line 562, but no explicit reference was found in the text == Unused Reference: 'ILNP-ICMPv4' is defined on line 569, but no explicit reference was found in the text == Unused Reference: 'ILNP-v4OPTS' is defined on line 573, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) Summary: 2 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Draft RJ Atkinson 3 draft-irtf-rrg-ilnp-noncev6-06.txt Consultant 4 Expires: 10 JAN 2013 SN Bhatti 5 Category: Experimental U. St Andrews 6 10 July 2012 8 IPv6 Nonce Destination Option for ILNPv6 9 draft-irtf-rrg-ilnp-noncev6-06.txt 11 Status of this Memo 13 Distribution of this memo is unlimited. 15 Copyright (c) 2012 IETF Trust and the persons identified as the 16 document authors. All rights reserved. 18 This document is subject to BCP 78 and the IETF Trust's Legal 19 Provisions Relating to IETF Documents 20 (http://trustee.ietf.org/license-info) in effect on the date 21 of publication of this document. Please review these documents 22 carefully, as they describe your rights and restrictions with 23 respect to this document. Code Components extracted from this 24 document must include Simplified BSD License text as described 25 in Section 4.e of the Trust Legal Provisions and are provided 26 without warranty as described in the Simplified BSD License. 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 This document may contain material from IETF Documents or 32 IETF Contributions published or made publicly available 33 before November 10, 2008. The person(s) controlling the 34 copyright in some of this material may not have granted the 35 IETF Trust the right to allow modifications of such material 36 outside the IETF Standards Process. Without obtaining an 37 adequate license from the person(s) controlling the copyright 38 in such materials, this document may not be modified outside the 39 IETF Standards Process, and derivative works of it may not be 40 created outside the IETF Standards Process, except to format it 41 for publication as an RFC or to translate it into languages other 42 than English. This document may not be modified, and derivative 43 works of it may not be created, except to publish it as an RFC or 44 to translate it into languages other than English. 46 Internet-Drafts are working documents of the Internet 47 Engineering Task Force (IETF), its areas, and its working 48 groups. Note that other groups may also distribute working 49 documents as Internet-Drafts. 51 Internet-Drafts are draft documents valid for a maximum of six 52 months and may be updated, replaced, or obsoleted by other 53 documents at any time. It is inappropriate to use 54 Internet-Drafts as reference material or to cite them other 55 than as "work in progress." 57 The list of current Internet-Drafts can be accessed at 58 http://www.ietf.org/1id-abstracts.html 60 The list of Internet-Draft Shadow Directories can be accessed at 61 http://www.ietf.org/shadow.html 63 This document is not on the IETF standards-track and does not 64 specify any level of standard. This document merely provides 65 information for the Internet community. 67 This document is part of the ILNP document set, which has had 68 extensive review within the IRTF Routing Research Group. ILNP is 69 one of the recommendations made by the RG Chairs. Separately, 70 various refereed research papers on ILNP have also been published 71 during this decade. So the ideas contained herein have had much 72 broader review than the IRTF Routing RG. The views in this 73 document were considered controversial by the Routing RG, but the 74 RG reached a consensus that the document still should be 75 published. The Routing RG has had remarkably little consensus on 76 anything, so virtually all Routing RG outputs are considered 77 controversial. 79 Abstract 81 The Identifier-Locator Network Protocol (ILNP) is an 82 experimental, evolutionary enhancement to IP. ILNP has multiple 83 instantiations. This document describes an experimental Nonce 84 Destination Option used only with ILNP for IPv6 (ILNPv6). This 85 document is a product of the IRTF Routing RG. 87 Table of Contents 89 1. Introduction ...............................................2 90 2. Syntax......................................................3 91 3. Transport Protocol Effects..................................5 92 4. Location Changes............................................5 93 5. Implementation Considerations...............................6 94 6. Backwards Compatibility.....................................6 95 7. Security Considerations ....................................8 96 8. IANA Considerations ........................................9 97 9. References .................................................9 99 1. INTRODUCTION 101 At present, the Internet research and development community are 102 exploring various approaches to evolving the Internet 103 Architecture to solve a variety of issues including, but not 104 limited to, scalability of inter-domain routing [RFC4984]. A wide 105 range of other issues (e.g. site multi-homing, node multi-homing, 106 site/subnet mobility, node mobility) are also active concerns at 107 present. Several different classes of evolution are being 108 considered by the Internet research & development community. One 109 class is often called "Map and Encapsulate", where traffic would 110 be mapped and then tunnelled through the inter-domain core of the 111 Internet. Another class being considered is sometimes known as 112 "Identifier/Locator Split". This document relates to a proposal 113 that is in the latter class of evolutionary approaches. 115 This document describes a new option for the IPv6 Destination 116 Options header that is used with the Identifier Locator Network 117 Protocol for IPv6 (ILNPv6). ILNPv6 is an experimental protocol 118 that is backwards compatible with, and incrementally upgradable 119 from, IPv6. This option is ONLY used in ILNPv6 sessions and is 120 never used with classic IPv6 sessions. 122 The Nonce option for the IPv6 Destination Options Header that is 123 described in this document provides two functions. First, it 124 provides protection against off-path attacks for packets when 125 ILNPv6 is in use. Second, it provides a signal during initial 126 network-layer session creation that ILNPv6 is proposed for use 127 with this network-layer session, rather than classic IPv6. This 128 last function is particularly important for ensuring that ILNP 129 is both incrementally deployable and backwards compatible with 130 IPv6. Consequently, this option MUST NOT be used except by an 131 ILNPv6-capable node. 133 Further, each Nonce value is unidirectional. Since packets often 134 travel asymmetric paths between two correspondents, having 135 separate Nonces for each direction limits the number of on-path 136 nodes that can easily learn an ILNP session's nonce. So a 137 typical TCP session will have 2 different nonce values in use: 138 one nonce is used from Local Node to the Correspondent Node and 139 a different nonce is used from the Correspondent Node to the 140 Local Node. 142 1.1 ILNP Document Roadmap 143 The Identifier-Locator Network Protocol (ILNP), is described in 144 the ILNP Architecture [ILNP-ARCH] document, which should be read 145 first. ILNP can have multiple instantiations. [ILNP-ENG] 146 discusses engineering and implementation aspects common to all 147 ILNP instantiations. [ILNP-DNS] defines new Domain Name System 148 (DNS) resource records for ILNP. [ILNP-ICMPv6] defines a new 149 ICMPv6 Locator Update message for use with ILNPv6. Other 150 documents describe ILNP for IPv4 (ILNPv4). 152 1.2 Terminology 154 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL 155 NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and 156 "OPTIONAL" in this document are to be interpreted as described 157 in RFC 2119. [RFC2119] 159 2. Syntax 161 The Nonce Option is carried within an IPv6 Destination Option 162 Header. Section 4 of [RFC2460] provides much more information 163 on the various options and optional headers used with IPv6. 165 More than one option might be inside the IPv6 Destination Option 166 Header, however at most 1 Nonce Option exists in a given IPv6 167 packet. 169 A system that receives a packet containing more than one Nonce 170 option SHOULD discard the packet as "Authentication Failed" 171 (instead of passing the packet up to the appropriate 172 transport-layer protocol or to ICMP) and SHOULD log the event, 173 including the Source Locator, Source Identifier, Destination 174 Locator, Destination Identifier, upper-layer protocol (e.g. OSPF, 175 TCP, UDP) if any, and transport-layer port numbers (if any), 176 as a security fault in accordance with local logging policies. 178 As of this writing, IPv6 Destination Option Headers, and the 179 options carried by such headers, are extremely uncommon in the 180 deployed Internet. So, it is expected that this Nonce Option 181 commonly would be the only IPv6 Destination Option present in a 182 given IPv6 packet. If a CALIPSO label option [RFC5570] is also 183 present in the same IPv6 Destination Option Header, the CALIPSO 184 option SHOULD precede the Nonce option. The Nonce option SHOULD 185 precede other possible options in the same IPv6 Destination 186 Option Header. 188 In the diagram below, we show not only the Nonce Option, but also 189 the IPv6 Destination Option Header that carries the Nonce Option. 191 0 1 2 3 192 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 193 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 194 | Next Header | Hdr Ext Len | Option Type | Option Length | 195 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 196 / Nonce Value / 197 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 199 Next Header: 8-bit selector. Identifies the type of header 200 immediately following the Destination Options 201 header. Uses the same values as the IPv4 202 Protocol field [RFC2460]. 204 Hdr Ext Len: 8-bit unsigned integer. Length of the 205 Destination Options header in 8-octet units, 206 not including the first 8 octets. 208 Option Type: This contains the value XXX. This is the 209 first octet of the Nonce Option itself. 211 Option Length: This indicates the length in 8-bit octets of 212 the Nonce Value field of the Nonce Option. 213 This value must be selected so that the 214 enveloping IPv6 Destination Option complies 215 with the IPv6 header alignment rules. Common 216 values are 4 (when the Nonce Value is 217 32-bits), and 12 (when the Nonce value is 218 96-bits). 220 Nonce Value: An unpredictable cryptographically random value 221 used to prevent off-path attacks on an ILNP 222 session [RFC4086]. This field has variable 223 length, with the length indicated by the 224 Option Length field preceding it. Note that 225 the overall IPv6 IPv6 Destination Option MUST 226 comply with IPv6 header alignment rules. 227 Implementations MUST support sending and 228 receiving 32-bit and 96-bit Nonce values. 230 3. Transport Protocol Effects 232 When the initial packet(s) of an IPv6 session contain this Nonce 233 Destination Option, then ILNPv6 is in use for that network-layer 234 session. (NOTE: Backwards compatibility and incremental 235 deployment are discussed in more detail in Section 6 below.) 237 When a network-layer session is using ILNPv6, then the 238 transport-layer pseudo-header calculations MUST set to zero the 239 high-order 64-bits ("Locator" or "Routing Prefix") of each IPv6 240 address. This has the effect that the transport-layer is no 241 longer aware of the topological network location of either node 242 in that transport-layer session. 244 The preceding rule applies not only to unicast ILNPv6 sessions, 245 but also to multicast or anycast ILNPv6 sessions. 247 4. Location Changes 249 When a node has a change in its Locator set that causes all 250 previously valid Locators to become invalid, the node MUST send 251 an ICMP Locator Update message (containing the Nonce Option with 252 the appropriate nonce value) to each of its correspondents 253 []ILNP-ARCH] [ILNP-ICMPv6]. 255 In the deployed Internet, packets sometimes arrive at a 256 destination out of order. A receiving node MUST drop a packet 257 arriving from a correspondent if the Source Locator of the 258 received packet is not in the receiving node's Identifier Locator 259 Communication Cache's (ILCC's) Set of Correspondent Locator(s) 260 UNLESS that packet contains a Nonce Option with the appropriate 261 nonce value for that Source Identifier and Destination Identifier 262 pair. This is done to reduce the risk of ILNP session hijacking 263 or ILNP session interference attacks. 265 Hence, the node that has had all previously valid Locators become 266 invalid MUST include the Nonce Option with the appropriate nonce 267 value in all packets (data or otherwise) to all correspondents 268 for at least 3 round-trip times for each correspondent. (NB: An 269 implementation need not actually calculate RTT values; it could 270 just use a fixed timer with a time long enough to cover the 271 longest RTT path, such as 1 minute.) This 'gratuitous 272 authentication' ensures that the correspondent can authenticate 273 any received packet, even if the ICMP Locator Update control 274 message arrives and is processed AFTER some other packet using 275 the new Source Locator(s). If an ILNP session is using IP 276 Security, then, of course, IP Security SHOULD continue to be used 277 even if one or more participating nodes change location. Because 278 IP Security for ILNP [ILNP-ENG] binds only to the Identifiers, 279 and not to the Locators in the packet, changes in Locator value 280 have no impact on IP Security for ILNP sessions. 282 As mobility and multi-homing are functionally equivalent for 283 ILNP, this section applies equally to either situation, and also 284 to any other situation in which a node's set of Locators might 285 change over time. 287 5. Implementation Considerations 289 Implementers may use any internal implementation they wish, 290 PROVIDED that the externally visible behaviour is the same as 291 this implementation approach. 293 5.1 ILNP Communication Cache 295 As described in [ILNP-ENG], ILNP nodes maintain an Identifier-Locator 296 Communication Cache (ILCC) that contains several variables for 297 each correspondent. The ILNP Nonce value is an important part of 298 that cache. 300 5.2 Mode Indicator 302 To support ILNP, and to retain needed incremental deployability 303 and backwards compatibility, the network layer needs a (logical) 304 mode bit in the Transport Control Block (or equivalent for one's 305 implementation) to track which IP sessions are using traditional 306 IPv6 and which IP sessions are using ILNPv6. 308 If a given transport-layer session is using ILNP, then an entry 309 corresponding to the network-layer components of that 310 transport-layer session also will exist in the ILNP Communication 311 Cache. Multiple transport-layer sessions between a given pair of 312 nodes normally share a single entry in the ILNP Communication 313 Cache, provided their network-layer details (e.g. Identifiers, 314 Nonces) are identical. Because two different ILNP nodes at two 315 different locations might share the same Identifier value, it is 316 important for an ILNP implementation to use the ILNP Nonce values 317 to distinguish between different ILNP nodes that happen to be 318 using the (some of) the same Identifier value(s). 320 5.3 IP Security 322 Whether or not ILNP is in use, the IPsec subsystem MUST maintain 323 an IPsec Security Association Database (SAD) and also MUST 324 maintain information about which IPsec Selectors apply to traffic 325 received by or sent from the local node [RFC4301]. By combining 326 the information in the IPsec SAD, of what IPsec Selectors apply, 327 and the information in the ILCC, an implementation has sufficient 328 knowledge to apply IPsec properly to both received and 329 transmitted packets. 331 6. Backwards Compatibility 333 This option MUST NOT be present in an IPv6 packet unless the 334 packet is part of an ILNPv6 session. As is explained below in 335 more detail, the presence or absence of this option from the 336 initial packets of a new IPv6 session is an important indication 337 of whether the session is using classic IPv6 or ILNPv6. 339 ILNPv6 nodes MUST include this option in the first few packets 340 of each ILNPv6 session, MUST include this option in all ICMP 341 messages generated by endpoints participating in an ILNPv6 342 session, and MAY include this option in any and all packets of an 343 ILNPv6 session. It is recommended that this option be included 344 in all packets of the ILNPv6 session if the packet loss for that 345 session is known to be much higher than normal. 347 If a node supports ILNP and the node wishes to be able to receive 348 incoming new ILNP sessions, then that node's fully-qualified 349 domain name SHOULD have one or more NID records and also one or 350 more Locator (e.g. L64 or LP) records associated with it in the 351 DNS [ILNP-DNS]. 353 When a host ("initiator") initiates a new IP session with a 354 correspondent ("responder"), it normally will perform a DNS 355 lookup to determine the address(es) of the responder. A host 356 that has been enhanced to support the Identifier/Locator Split 357 operating mode SHOULD look for Node Identifier ("NID") and 358 Locator ("L64") records in any received DNS replies. DNS servers 359 that support Identifier and Locator (i.e., L64 or LP) records 360 might include them (when they exist) as additional data in all 361 DNS replies to DNS queries for DNS A or AAAA records associated 362 with a specified DNS Fully-Qualified Domain Name (FQDN). 364 If the initiator supports ILNP, and from DNS data learns that the 365 responder also supports ILNP, then the initiator SHOULD attempt 366 to use ILNP for new sessions with that responder. In such cases, 367 the initiator MUST generate an unpredictable, cryptographically 368 random, ILNP Nonce value, MUST store that ILNP Nonce value in the 369 local ILCC, and MUST include the ILNP Nonce Destination Option in 370 its initial packet(s) to the responder. The IETF has provided 371 advice on generating cryptographically random numbers, such as 372 this nonce value [RFC4086]. 374 If the responder supports ILNP and receives initial packet(s) 375 containing the ILNP Nonce Destination Option, the responder will 376 thereby learn that the initiator supports ILNP and the responder 377 also will use ILNP for this new IP session. 379 If the responder supports ILNP and receives initial IP packet(s) 380 NOT containing the Nonce Destination Option, the responder will 381 thereby learn that the initiator does NOT support ILNP and the 382 responder will use classic IPv6 for this new IP session. 384 If the responder does not support ILNP and receives initial 385 packet(s) containing the ILNP Nonce Destination Option, the 386 responder MUST drop the packet and MUST send an ICMP "Parameter 387 Problem" error message back to the initiator [RFC4443]. Indeed, 388 it is not expected that this behaviour will need to be coded into 389 non-ILNP nodes, as this is the normal behaviour for nodes 390 receiving unknown option headers. 392 If the initiator EITHER does not receive a response from the 393 responder in a timely manner (e.g. within the applicable TCP 394 timeout for a TCP session), and also does not receive an ICMP 395 Unreachable error message for that packet, OR if the initiator 396 receives an ICMP Parameter Problem error message for that packet, 397 then the initiator infers that the responder is not able to 398 support ILNP. In this case, the initiator should try again to 399 create the new IP session, but this time use classic IPv6 and 400 hence MUST NOT include the ILNP Nonce Destination Option. 402 7. Security Considerations 404 The ILNPv6 Nonce Destination Option is used ONLY for ILNPv6 405 sessions, because this option is part of the backwards- 406 compatibility and incremental-deployment approach for the 407 Identifier-Locator Network Protocol (ILNP). This option 408 MUST NOT be used with classic IPv6 sessions. 410 The ILNPv6 Nonce Destination Option only seeks to provide 411 protection against off-path attacks on an IP session. Ordinary 412 IPv6 is vulnerable to on-path attacks unless IP Security is in 413 use [CA-1995-01] [RFC4301]. This option exists to provide non- 414 cryptographic protection for ILNP sessions, protection equivalent 415 to the security of IP sessions that do NOT use IPsec. 417 When ILNPv6 is in use, the ILNP Nonce Destination Option MUST be 418 included in any ICMP control messages (e.g. ICMP Unreachable, 419 ICMP Locator Update) sent by participants in that ILNPv6 session, 420 even if IP Security also is in use for that ILNPv6 session. Note that 421 certain ICMP messages, for example a "Path Too Big" message, 422 might be generated by transit devices that are not aware of the 423 ILNP Nonce in use for that ILNPv6 session and hence are not able to 424 include the ILNP Nonce. Again, this also is true of classic IPv6 425 in the same operational situations, so this does not create a new 426 security issue. 428 For ILNPv6 sessions, any ICMP control messages received from a 429 participant in that ILNPv6 session that lack a Nonce Destination 430 Option MUST be discarded as forgeries. This security event 431 SHOULD be logged in accordance with local security logging 432 policies, including details of the received packet (i.e. Source 433 Locator, Source Identifier, Destination Locator, Destination 434 Identifier, upper-layer protocol (e.g. TCP, UDP, OSPF) if any, 435 transport-layer port numbers if any, and the date and time the 436 packet was received). 438 For ILNPv6 sessions, ICMP control messages received from a 439 participant in that ILNPv6 session that have a Nonce Destination 440 Option, but do NOT have the correct nonce value inside the Nonce 441 Destination Option, MUST be discarded as forgeries. This 442 security event SHOULD be logged as described above. 444 Of course, longer nonce values provide greater resistance to 445 random guessing of the nonce value. However, ILNPv6 sessions 446 operating in higher risk environments SHOULD also use the 447 cryptographic authentication provided by IP Security for ILNP 448 [ILNP-ENG] [RFC4301]. Use of IP Security for ILNP for an ILNPv6 449 session does not eliminate the need for the ILNPv6 Nonce Option 450 to be included as described here or as described in [ILNP- 451 ICMPv6]. 453 As a performance optimisation, it is suggested that when both the 454 Nonce Option and IP Security are present in a packet and the 455 Nonce Option has not been encrypted, that the Nonce Option value 456 be checked for validity before beginning IP Security processing. 457 This minimises the ability of an off-path attacker to force the 458 recipient to perform expensive cryptographic computations on 459 received control packets. 461 For environments with data at differing Sensitivity Levels 462 operating over common infrastructure (e.g. when the IPv6 CALIPSO 463 is deployed), it is recommended that the ILNP Nonce Option be 464 encrypted by using ESP Transport-Mode or ESP Tunnel-Mode in order 465 to reduce the covert channel bandwidth potential created by the 466 Nonce Option, and to prevent a node at one sensitivity level from 467 attacking a ILNP session at a different sensitivity level 468 [RFC5570]. Further, Multi-Level Secure (MLS) systems SHOULD use 469 different nonce values for ILNP sessions having different 470 Sensitivity Levels [RFC5570]. Also, an MLS implementation of 471 ILNP will also store the Sensitivity Label information associated 472 with each ILNP session in the implementation's ILCC. When the 473 Nonce option and the CALIPSO option are present in the same IPv6 474 Destination Options Header, the CALIPSO option SHOULD appear 475 before the Nonce option. 477 In all cases, the ILNP Nonce Value MUST be unpredictable and 478 cryptographically random. [RFC4086] provides concrete advice on 479 how to generate a suitable nonce value. 481 As this is an option within the IPv6 Destination Option Header, 482 rather than an option within the IPv6 Hop-by-Hop Option Header, 483 the presence of this option in an IPv6 packet ought not disturb 484 routers along the path an IP packet containing this option 485 happens to travel. Further, many deployed modern IP routers 486 (both IPv4 and IPv6) have been explicitly configured to ignore 487 all IP options, even including the "Router Alert" option, when 488 forwarding packets not addressed to the router itself. Reports 489 indicate this has been done to preclude use of IP options as a 490 (Distributed) Denial-of-Service (D)DOS attack vector on backbone 491 routers. 493 As the Nonce is used in the checksum of all AH protected packets, 494 as an implementation hint, it would seem sensible to include the 495 Nonce value from the ILCC for that ILNP session. 497 8. IANA Considerations 499 Subject to IESG Approval, and consistent with the procedures of 500 [RFC2780], IANA is requested to assign a new IPv6 Destination 501 Option Type value (replacing XXX, in Section 2 above). 503 The Nonce Option MUST NOT change in transit and MUST be included 504 in IP Authentication Header calculations. 506 Further, if an end system receives an IPv6 packet containing this 507 option, but does not recognise this option, the end system MUST 508 discard the packet and, regardless of whether or not the received 509 packet's Destination Address was a multicast address, send an 510 ICMPv6 Parameter Problem, Code 2 ("Unrecognised IPv6 Option 511 Encountered"), message to the received packet's Source IPv6 512 Address, pointing to the unrecognised Option Type. 514 9. References 516 9.1. Normative References 518 [RFC2119] Bradner, S., "Key words for use in RFCs to 519 Indicate Requirement Levels", BCP 14, RFC 2119, 520 March 1997. 522 [RFC2460] S. Deering & R. Hinden, "Internet Protocol 523 Version 6 Specification", RFC 2460, 524 December 1998. 526 [RFC4301] S. Kent & K. Seo, "Security Architecture for 527 the Internet Protocol", RFC 4301, December 2005. 529 [RFC4443] A. Conta, S. Deering, M. Gupta, Ed., 530 "Internet Control Message Protocol (ICMPv6) 531 for IPv6 Specification", RFC 4443, March 2006. 533 [ILNP-ARCH] R.J. Atkinson & S.N. Bhatti, 534 "ILNP Architectural Description", 535 draft-irtf-rrg-ilnp-arch, 10 July 2012. 537 [ILNP-ENG] R.J. Atkinson & S.N. Bhatti, 538 "ILNP Engineering and Implementation Considerations", 539 draft-irtf-rrg-ilnp-eng, 10 July 2012. 541 [ILNP-ICMPv6] R.J. Atkinson & S.N. Bhatti, 542 "ICMPv6 Locator Update message" 543 draft-irtf-rrg-ilnp-icmpv6, 10 July 2012. 545 9.2. Informative References 547 [CA-1995-01] US CERT, "CERT Advisory 1995-01", Pittsburgh, 548 PA, USA, 1995. 550 [RFC4086] D. Eastlake 3rd, J. Schiller, & S. Crocker, 551 "Randomness Requirements for Security", 552 RFC 4086, June 2005. 554 [RFC5570] M. StJohns, R. Atkinson, and G. Thomas, "Common 555 Architecture Label IPv6 Security Option (CALIPSO)", 556 RFC 5570, July 2009. 558 [ILNP-ADV] R.J. Atkinson & S.N. Bhatti, 559 "Optional Advanced Deployment Scenarios for ILNP", 560 draft-irtf-rrg-ilnp-adv, 10 July 2012. 562 [ILNP-ARP] R.J. Atkinson & S.N. Bhatti, "ARP Extension for 563 ILNPv4", draft-irtf-rrg-ilnp-arp, 10 July 2012. 565 [ILNP-DNS] R.J. Atkinson, S.N. Bhatti, & S Rose, 566 "DNS Resource Records for ILNP", 567 draft-irtf-rrg-ilnp-dns, 10 July 2012. 569 [ILNP-ICMPv4] R.J. Atkinson & S.N. Bhatti, 570 "ICMPv4 Locator Update message" 571 draft-irtf-rrg-ilnp-icmpv4, 10 July 2012. 573 [ILNP-v4OPTS] R.J. Atkinson & S.N. Bhatti, 574 "IPv4 Options for ILNP", 575 draft-irtf-rrg-ilnp-v4opts, 10 July 2012. 577 ACKNOWLEDGEMENTS 579 Steve Blake, Stephane Bortzmeyer, Mohamed Boucadair, Noel 580 Chiappa, Wes George, Steve Hailes, Joel Halpern, Mark Handley, 581 Volker Hilt, Paul Jakma, Dae-Young Kim, Tony Li, Yakov Rehkter, 582 Bruce Simpson, Robin Whittle and John Wroclawski (in alphabetical 583 order) provided review and feedback on earlier versions of this 584 document. Steve Blake provided an especially thorough review of 585 an early version of the entire ILNP document set, which was 586 extremely helpful. We also wish to thank the anonymous reviewers 587 of the various ILNP papers for their feedback. 589 Roy Arends provided expert guidance on technical and procedural 590 aspects of DNS issues. 592 RFC EDITOR NOTE 594 This section is to be removed prior to publication. 596 Please note that this document is written in British English, so 597 British English spelling is used throughout. This is consistent 598 with existing practice in several other RFCs, for example 599 RFC-5887. 601 This document tries to be very careful with history, in the 602 interest of correctly crediting ideas to their earliest 603 identifiable author(s). So in several places the first published 604 RFC about a topic is cited rather than the most recent published 605 RFC about that topic. 607 Authors' Addresses: 609 RJ Atkinson 610 Consultant 611 San Jose, CA 612 95125 USA 614 rja.lists@gmail.com 616 SN Bhatti 617 School of Computer Science 618 University of St Andrews 619 North Haugh, St Andrews 620 Fife, Scotland, UK 621 KY16 9SX 622 Expires: 10 JAN 2013