IPv6 Maintenance                                                F. Baker
Internet-Draft                                             Cisco Systems
Updates: 2460 (if approved)                                 June 4, 2015
Intended status: Standards Track
Expires: December 6, 2015

                    IPv6 Hop-by-Hop Header Handling
                 draft-baker-6man-hbh-header-handling-00

Abstract

This note updates the IPv6 Specification (RFC 2460), specifically commenting on the Hop-by-Hop Options Header (section 4.3) and option format and handling (section 4.2).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 6, 2015.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Requirements Language
2. Handling of options in extension headers
   2.1. Hop-by-Hop Options
   2.2. Changing options in transit
   2.3. Adding headers or options in transit
   2.4. Interactions with the Security Extension Header
3. IANA Considerations
4. Security Considerations
5. Privacy Considerations
6. Acknowledgements
7. References
   7.1. Normative References
   7.2. Informative References
Appendix A. Change Log
Author's Address

1. Introduction

The IPv6 Specification [RFC2460] specifies a number of extension headers. These, and the ordering considerations given, were defined based on experience with IPv4 options.
They were, however, prescient with respect to their actual use - the IETF community did not know how they would be used. In at least one case, the Hop-by-Hop option, most if not all implementations implement it by punting to a software path. In the words of [RFC7045],

   The IPv6 Hop-by-Hop Options header SHOULD be processed by intermediate forwarding nodes as described in [RFC2460]. However, it is to be expected that high-performance routers will either ignore it or assign packets containing it to a slow processing path. Designers planning to use a hop-by-hop option need to be aware of this likely behaviour.

Fernando Gont, in his Observations on IPv6 EH Filtering in the Real World [I-D.ietf-v6ops-ipv6-ehs-in-real-world], and the operational community in IPv6 Operations, consider any punt to a software path to be an attack vector. Hence, IPv6 packets containing the Hop-by-Hop Extension Header (and in some cases, any extension header) get dropped in transit.

The subject of this document is implementation approaches to obviate or mitigate the attack vector, and updating the Hop-by-Hop option with respect to current issues.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. Handling of options in extension headers

In short, to avoid a punt to a software path, the Hop-by-Hop option SHOULD be implemented in hardware when possible.

2.1. Hop-by-Hop Options

At this writing, there are three defined Hop-by-Hop options:

PAD Options: The PAD1 and PADn options [RFC2460] define empty space.

Router Alert Option: The IPv6 Router Alert Option [RFC2711] [RFC6398] is intended to force the punting of a datagram to software, in cases in which RSVP or other protocols need that to happen.
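The fast-path handling this section argues for (consume PAD1 and PADn in hardware, punt Router Alert only when software has asked for it, reject malformed headers before they reach software), together with the Option Type bit rules of Sections 2.2 and 2.3 below (the chg bit, XX1XXXXX, and the "skip if unrecognized" act bits that give the 001XXXXX form) and the AH treatment of mutable option data from Section 2.4, as one added example in C. This is not code from the draft or from any router implementation: the punt bitmap is a hypothetical configuration knob, the sample headers are constructed for the example, and 0x3E is a constructed option type of the 001XXXXX form.

```c
/* Added example, not part of the draft: a fast-path style walk over an
 * IPv6 Hop-by-Hop Options header using the Option Type layout of RFC 2460
 * section 4.2, and the AH view of the header with mutable data zeroed.
 * The punt bitmap is a hypothetical software-configuration knob. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OPT_PAD1         0x00
#define OPT_PADN         0x01
#define OPT_ROUTER_ALERT 0x05  /* RFC 2711 */
#define OPT_ACT_MASK     0xC0  /* top two bits: action if the option is unrecognized */
#define OPT_ACT_SKIP     0x00  /* 00: skip over the option and continue */
#define OPT_CHG_BIT      0x20  /* XX1XXXXX: option data may change en route */

enum hbh_verdict { HBH_FAST_PATH = 0, HBH_PUNT = 1, HBH_DISCARD = 2 };

/* hdr points at the Hop-by-Hop header: Next Header, Hdr Ext Len, options.
 * Pads are consumed here; a type set in the punt bitmap yields HBH_PUNT;
 * any other type is unknown to the fast path and its act bits decide
 * (the ICMP Parameter Problem for act values 10/11 is not modelled).
 * *mutable_out receives the number of options with the chg bit set. */
enum hbh_verdict hbh_walk(const uint8_t *hdr, size_t buflen,
                          const uint8_t punt[32], unsigned *mutable_out)
{
    if (buflen < 8) return HBH_DISCARD;
    size_t hdrlen = ((size_t)hdr[1] + 1) * 8;  /* Hdr Ext Len excludes the first 8 octets */
    if (hdrlen > buflen) return HBH_DISCARD;    /* header claims more than was received */

    enum hbh_verdict v = HBH_FAST_PATH;
    unsigned mutable = 0;
    for (size_t i = 2; i < hdrlen; ) {
        uint8_t type = hdr[i];
        if (type == OPT_PAD1) { i += 1; continue; }   /* single octet, no length field */
        if (i + 1 >= hdrlen) return HBH_DISCARD;       /* truncated TLV */
        uint8_t len = hdr[i + 1];
        if (i + 2 + len > hdrlen) return HBH_DISCARD;  /* option data overruns the header */
        if (type != OPT_PADN) {
            if (type & OPT_CHG_BIT) mutable++;
            if (punt[type >> 3] & (1u << (type & 7)))
                v = HBH_PUNT;                          /* software configured this type */
            else if ((type & OPT_ACT_MASK) != OPT_ACT_SKIP)
                return HBH_DISCARD;                    /* unknown and not skippable */
        }
        i += 2 + len;
    }
    if (mutable_out) *mutable_out = mutable;
    return v;
}

/* AH view of the header: a copy in which the data of every option whose
 * chg bit is set is zeroed, with Option Type and Opt Data Len kept.
 * Returns the header length written, or 0 if the header is malformed. */
size_t hbh_ah_mask(const uint8_t *hdr, size_t buflen, uint8_t *out, size_t outlen)
{
    if (buflen < 8) return 0;
    size_t hdrlen = ((size_t)hdr[1] + 1) * 8;
    if (hdrlen > buflen || hdrlen > outlen) return 0;
    memcpy(out, hdr, hdrlen);
    for (size_t i = 2; i < hdrlen; ) {
        uint8_t type = hdr[i];
        if (type == OPT_PAD1) { i += 1; continue; }
        if (i + 1 >= hdrlen) return 0;
        uint8_t len = hdr[i + 1];
        if (i + 2 + len > hdrlen) return 0;
        if (type & OPT_CHG_BIT) memset(out + i + 2, 0, len);
        i += 2 + len;
    }
    return hdrlen;
}

/* Check helpers: octets the AH mask zeroed, and mutable options seen by a
 * walk with nothing configured for punting (0 if the header is rejected). */
unsigned hbh_ah_zeroed_count(const uint8_t *hdr, size_t buflen)
{
    uint8_t out[256]; unsigned z = 0;
    size_t n = hbh_ah_mask(hdr, buflen, out, sizeof out);
    for (size_t k = 0; k < n; k++) z += (hdr[k] != 0 && out[k] == 0);
    return z;
}
unsigned hbh_mutable_count(const uint8_t *hdr, size_t buflen)
{
    static const uint8_t none[32] = {0}; unsigned m = 0;
    return hbh_walk(hdr, buflen, none, &m) == HBH_DISCARD ? 0 : m;
}

/* Constructed samples (Next Header = 6, TCP). punt_ra has the bit for type 5 set. */
static const uint8_t punt_none[32] = {0};
static const uint8_t punt_ra[32]   = { 0x20 };
/* 8 octets: Router Alert (value 0 = MLD) then PadN(0). */
static const uint8_t hbh_ra[8]    = { 6, 0, 5, 2, 0, 0, 1, 0 };
/* 16 octets: constructed 001XXXXX option 0x3E with 4 data octets, Router Alert, PadN(2). */
static const uint8_t hbh_mut[16]  = { 6, 1, 0x3E, 4, 0xDE, 0xAD, 0xBE, 0xEF, 5, 2, 0, 0, 1, 2, 0, 0 };
/* 8 octets: option 0x82 (act = 10, discard) that the fast path does not know. */
static const uint8_t hbh_bad[8]   = { 6, 0, 0x82, 2, 0, 0, 1, 0 };
/* Claims 16 octets but only 8 are present. */
static const uint8_t hbh_trunc[8] = { 6, 1, 5, 2, 0, 0, 1, 0 };

int main(void)
{
    static const char *names[] = { "fast path", "punt", "discard" };
    printf("router alert, nothing configured: %s\n", names[hbh_walk(hbh_ra, 8, punt_none, NULL)]);
    printf("router alert, punt configured:    %s\n", names[hbh_walk(hbh_ra, 8, punt_ra, NULL)]);
    printf("mutable option: %u mutable, %u octets zeroed for AH\n",
           hbh_mutable_count(hbh_mut, 16), hbh_ah_zeroed_count(hbh_mut, 16));
    printf("unknown non-skippable: %s; truncated: %s\n",
           names[hbh_walk(hbh_bad, 8, punt_none, NULL)], names[hbh_walk(hbh_trunc, 8, punt_none, NULL)]);
    return 0;
}
```

With nothing configured, Router Alert is skipped in the fast path exactly as any other 00-act option would be; only a type present in the bitmap reaches software, which is the behaviour the section asks hardware to support. A header whose Hdr Ext Len exceeds the received data, or whose option data overruns the header, is dropped before any slow-path code sees it, so a malformed packet cannot be used to force the punt the operational community objects to. The AH mask shows why a 001XXXXX option that grows in transit still breaks the integrity check: the zeroing covers the option data, not a change in the header's length.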
While this is not true of older hardware, modern hardware (which is to say, microcode) is capable of parsing the Extension Header chain, and can be extended to perform at least a cursory examination of the Hop-by-Hop options. For example, such hardware should be able to identify and skip the PAD1 and PADn options, and punt the Router Alert or other options to software only if configured by software to do so.

More generally, in routers that implement a fast path, the processing of the Hop-by-Hop Extension Header (which must be performed by every router a packet transits) MUST be performed in the fast path unless there is a specific reason to punt to a slower path, including that corresponding software exists in the implementation and is configured to process the option.

2.2. Changing options in transit

Section 4.2 of [RFC2460] explicitly allows for options that may be updated in transit. It is likely that the original authors intended that to be very simple, such as having the originating end system provide the container, and having intermediate systems update it - perhaps performing some calculation, and in any event storing the resulting value. Examples of such a use might be in [XCP] or [RCP].

As a side comment, the Routing Header, which is an extension header rather than a list of options, is treated similarly; when a system is the destination of a packet and not the last one in the Routing Header's list, it swaps the destination address with the indicated address in the list, and updates the hop count and the list depth accordingly.

Such options must be marked appropriately (their option type is of the form XX1XXXXX), and are excluded from checksum calculations in AH and ESP.

2.3. Adding headers or options in transit

Use cases under current consideration take this a step further: a router or middleware process MAY add an extension header, MAY add an option to the header, which may extend the length of the Hop-by-Hop Extension Header, or MAY process such an option in a manner that extends both the length of the option and the Extension Header containing it. The obvious implication is that other equipment in the network may not understand or implement the new option type. As such, the Option Type value of such an option MUST indicate that it is to be skipped by a system that does not understand it. Since, by definition, it is being updated in transit and not included in any AH or ESP integrity check if present, the Option Type MUST also indicate that it may be updated in transit, and so is excluded from AH and ESP processing. By implication, such an Option Type MUST be of the form 001XXXXX.

2.4. Interactions with the Security Extension Header

The interactions with the IP Authentication Header [RFC4302] and IP Encapsulating Security Payload (ESP) [RFC4303], as in the case of existing option uses, are minimally defined. AH and ESP call for the exclusion of mutable data in their calculations by zeroing it out prior to performing the integrity check calculation. However, in the case that network operation has changed the length of the option or the extension header, that may still cause the integrity check to fail. Specifications that define such options SHOULD consider the implications of this for AH and ESP. An option whose insertion would affect the integrity check MUST be removed prior to the integrity check, and as a result the packet restored to its state as originally sent.

3. IANA Considerations

This memo asks the IANA for no new parameters.

4. Security Considerations

In general, modification of a datagram in transit is considered very closely from the viewpoint of the End-to-End Principle, which in this context may be summarized as "the network should do nothing that is of concern to the communicating applications or introduces operational issues." The concept of changing the length of an Extension Header or an option contained within it (Section 2.3) is of concern in that context. The obvious concern is around the interaction with AH or ESP, and a less obvious concern relates to Path MTU, which might change if the size of an underlying header changes. Section 2.4 is intended to mitigate that issue. However, some ramifications, such as with Path MTU, may not be completely solvable in the general Internet, but require use cases to be confined to a network or set of consenting networks.

5. Privacy Considerations

Data formats in this memo reveal no personally identifying information.

6. Acknowledgements

This note grew out of a discussion among the author, Ole Troan, Mark Townsley, Frank Brockners, and Shwetha Bhandari, and benefited from comments by Brian Carpenter and Joe Touch.

7. References

7.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

7.2. Informative References

[I-D.ietf-v6ops-ipv6-ehs-in-real-world] Gont, F., Linkova, J., Chown, T., and S. Liu, "Observations on IPv6 EH Filtering in the Real World", draft-ietf-v6ops-ipv6-ehs-in-real-world-00 (work in progress), April 2015.

[RCP] Dukkipati, N., "Rate Control Protocol (RCP): Congestion control to make flows complete quickly", Stanford University, 2006.

[RFC2711] Partridge, C. and A.
Jackson, "IPv6 Router Alert Option", RFC 2711, October 1999.

[RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005.

[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.

[RFC6398] Le Faucheur, F., "IP Router Alert Considerations and Usage", BCP 168, RFC 6398, October 2011.

[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing of IPv6 Extension Headers", RFC 7045, December 2013.

[XCP] Katabi, D., Handley, M., and C. Rohrs, "Congestion control for high bandwidth-delay product networks", SIGCOMM Symposium proceedings on Communications architectures and protocols, 2002.

Appendix A. Change Log

Initial Version: June 2015

Author's Address

Fred Baker
Cisco Systems
Santa Barbara, California 93117
USA

Email: fred@cisco.com