IPv6 Maintenance                                                F. Baker
Internet-Draft                                             Cisco Systems
Updates: 2460, 7045 (if approved)                           July 6, 2015
Intended status: Standards Track
Expires: January 7, 2016

                     IPv6 Hop-by-Hop Header Handling
                draft-baker-6man-hbh-header-handling-02

Abstract

This note updates the IPv6 Specification (RFC 2460), specifically commenting on the Hop-by-Hop Options Header (section 4.3) and option format and handling (section 4.2).

It also updates RFC 7045, which noted that RFC 2460 is widely violated in this respect, but merely legitimized this situation with a SHOULD. The present document tries to address the issue more fundamentally.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 7, 2016.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Handling of options in extension headers
     2.1.  Hop-by-Hop Options
     2.2.  Changing options in transit
     2.3.  Adding headers or options in transit
     2.4.  Interactions with the Security Extension Header
   3.  Interoperation with RFC 2460
   4.  IANA Considerations
   5.  Security Considerations
   6.  Privacy Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Change Log
   Author's Address

1.  Introduction

The IPv6 Specification [RFC2460] specifies a number of extension headers. These, and the ordering considerations given, were defined based on experience with IPv4 options. They were, however, prescient with respect to their actual use - the IETF community did not know how they would be used. In at least one case, the Hop-by-Hop option, most if not all implementations implement it by punting to a software path. In the words of [RFC7045],

   The IPv6 Hop-by-Hop Options header SHOULD be processed by intermediate forwarding nodes as described in [RFC2460]. However, it is to be expected that high-performance routers will either ignore it or assign packets containing it to a slow processing path. Designers planning to use a Hop-by-Hop option need to be aware of this likely behaviour.

Fernando Gont, in his Observations on IPv6 EH Filtering in the Real World [I-D.ietf-v6ops-ipv6-ehs-in-real-world], and the operational community in IPv6 Operations, consider any punt to a software path to be an attack vector. Hence, IPv6 packets containing the Hop-by-Hop Extension Header (and in some cases, any extension header) get dropped in transit.

The subject of this document is implementation approaches that obviate or mitigate the attack vector, and an update of the Hop-by-Hop option with respect to current issues.

1.1.  Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2.  Handling of options in extension headers

Packets containing the Hop-by-Hop option SHOULD be processed at the same rate as packets that do not.

If a Hop-by-Hop header option is not implemented in a given system (such as, for example, an interface that is not configured for RSVP receiving an RSVP Alert Option), the option MUST be skipped.

2.1.  Hop-by-Hop Options

At this writing, there are three defined Hop-by-Hop options:

   PAD Options: The PAD1 and PADn options [RFC2460] define empty space.

   Router Alert Option: The IPv6 Router Alert Option [RFC2711] [RFC6398] is intended to force the punting of a datagram to software, in cases in which RSVP or other protocols need that to happen.

While this is not true of older hardware, modern hardware is capable of parsing the Extension Header chain, and can be extended to perform at least a cursory examination of the Hop-by-Hop options. For example, such hardware should be able to identify and skip the PAD1 and PADn options, and perform more complicated processing only if configured by software to do so.

2.2.  Changing options in transit

Section 4.2 of [RFC2460] explicitly allows for options that may be updated in transit. It is likely that the original authors intended that to be very simple, such as having the originating end system provide the container, and having intermediate systems update it - perhaps performing some calculation, and in any event storing the resulting value. Examples of such a use might be in [XCP] or [RCP].

As a side comment, the Routing Header, which is an extension header rather than a list of options, is treated similarly; when a system is the destination of a packet and not the last one in the Routing Header's list, it swaps the destination address with the indicated address in the list, and updates the hop count and the list depth accordingly.

Such options must be marked appropriately (their option type is of the form XX1XXXXX), and are excluded from checksum calculations in AH and ESP.

2.3.  Adding headers or options in transit

Use cases under current consideration take this a step further: a router or middleware process MAY add an extension header, MAY add an option to the header, which may extend the length of the Hop-by-Hop Extension Header, or MAY process such an option in a manner that extends both the length of the option and the Extension Header containing it. The obvious implication is that other equipment in the network may not understand or implement the new option type. As such, the Option Type value of such an option MUST indicate that it is to be skipped by a system that does not understand it. Since, by definition, it is being updated in transit and not included in any AH or ESP integrity check if present, the Option Type MUST also indicate that it may be updated in transit, and so is excluded from AH and ESP processing. By implication, such an Option Type MUST be of the form 001XXXXX.

2.4.  Interactions with the Security Extension Header

The interactions with the IP Authentication Header [RFC4302] and IP Encapsulating Security Payload (ESP) [RFC4303] are, as in the case of existing option uses, minimally defined. AH and ESP call for the exclusion of mutable data in their calculations by zeroing it out prior to performing the integrity check calculation. However, in the case that network operation has changed the length of the option or the extension header, that may still cause the integrity check to fail. Specifications that define such options SHOULD consider the implications of this for AH and ESP. An option whose insertion would affect the integrity check MUST be removed prior to the integrity check, and as a result the packet restored to its state as originally sent.
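The option-handling rules of Sections 2.1 through 2.4, as an added example that is not part of the draft: a walk over one Hop-by-Hop Options header using the RFC 2460 section 4.2 Option Type bits (the two-bit action for unrecognized options and the change-en-route bit), treating only the options this node is configured for as implemented, checking the 001XXXXX form Section 2.3 requires, and producing the view of the header that an AH or ESP integrity check covers (mutable option data zeroed). The sample header, the option type 0x3E and the names walk_hbh, option_rules and draft_safe_type are constructed for this example; a length change in transit would still alter icv_view and so break the check, which is Section 2.4's point.

```python
# Added example (not from the draft): walk an IPv6 Hop-by-Hop Options header
# under the RFC 2460 section 4.2 rules, treat only configured options as
# implemented, and build the copy an AH/ESP integrity check covers.
PAD1, PADN, ROUTER_ALERT = 0, 1, 5               # RFC 2460 / RFC 2711 types
SKIP, DISCARD, DISCARD_ICMP, DISCARD_ICMP_UNICAST = 0, 1, 2, 3

def option_rules(opt_type):
    """Top two bits: action if unrecognized; third bit: may change en route."""
    return opt_type >> 6, bool(opt_type & 0x20)

def draft_safe_type(opt_type):
    """Section 2.3: an option added in transit MUST be of the form 001XXXXX."""
    return (opt_type >> 5) == 0b001

def walk_hbh(hdr, implemented=frozenset({ROUTER_ALERT}), multicast_dst=False):
    """Return the forwarding verdict, whether an ICMPv6 Parameter Problem is
    due, the Next Header value, implemented options found, and the header as
    an integrity check sees it. Raises ValueError on a malformed header."""
    if len(hdr) < 2:
        raise ValueError("truncated Hop-by-Hop header")
    nxt, total = hdr[0], (hdr[1] + 1) * 8     # Hdr Ext Len omits first 8 octets
    if len(hdr) < total:
        raise ValueError("truncated Hop-by-Hop header")
    icv_view, found, i = bytearray(hdr[:total]), [], 2
    while i < total:
        t = hdr[i]
        if t == PAD1:                         # single octet, no length field
            i += 1
            continue
        if i + 1 >= total or i + 2 + hdr[i + 1] > total:
            raise ValueError("option overruns header")
        ln = hdr[i + 1]
        action, mutable = option_rules(t)
        if mutable:                           # AH/ESP treat this data as zero
            icv_view[i + 2:i + 2 + ln] = bytes(ln)
        if t in implemented and t != PADN:
            found.append((t, bytes(hdr[i + 2:i + 2 + ln])))
        elif t not in implemented and action != SKIP:
            icmp = action == DISCARD_ICMP or (
                action == DISCARD_ICMP_UNICAST and not multicast_dst)
            return {"verdict": "discard", "icmp": icmp, "next_header": nxt,
                    "options": found, "icv_view": bytes(icv_view)}
        i += 2 + ln                           # PadN and skippable unknowns
    return {"verdict": "forward", "icmp": False, "next_header": nxt,
            "options": found, "icv_view": bytes(icv_view)}

# Constructed sample: Next Header 59, Hdr Ext Len 1 (16 octets): Router Alert
# (MLD), hypothetical transit-modifiable option 0x3E, PadN to 8-octet alignment.
SAMPLE = bytes([59, 1, 5, 2, 0, 0, 0x3E, 4, 1, 2, 3, 4, 1, 2, 0, 0])
```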
3.  Interoperation with RFC 2460

There are four possible modes of interaction with routers that don't implement the Hop-by-Hop Option in the fast path:

   1. Presume that they cannot handle the Hop-by-Hop option at close to wire speed, and that's OK.

   2. Presume that they will drop traffic containing Hop-by-Hop options.

   3. Presume that they can handle the Hop-by-Hop option at or close to wire speed, and are configured to do so.

   4. Presume that they don't exist, perhaps because older routers are configured to ignore all Hop-by-Hop options.

If the first model actually works in a given network, it may be acceptable in that domain. It is not a model that will work in the general Internet, however.

The second model (which is most probable at this writing) is a description of the general Internet in 2015.

The third and fourth models, if applicable in a given context, are what one might hope for. Vendors are in a position either to provide an option to ignore the Hop-by-Hop header in older equipment, or to add such an option in upgraded software.

4.  IANA Considerations

This memo asks the IANA for no new parameters.

5.  Security Considerations

In general, modification of a datagram in transit is examined very closely from the viewpoint of the End-to-End Principle, which in this context may be summarized as "the network should do nothing that is of concern to the communicating applications or introduces operational issues." The concept of changing the length of an Extension Header or an option contained within it (Section 2.3) is of concern in that context. The obvious concern is the interaction with AH or ESP; a less obvious concern relates to Path MTU, which might change if the size of an underlying header changes. Section 2.4 is intended to mitigate that issue. However, some ramifications, such as those for Path MTU, may not be completely solvable in the general Internet, and instead require use cases to be confined to a network or set of consenting networks.

6.  Privacy Considerations

Data formats in this memo reveal no personally identifying information.

7.  Acknowledgements

This note grew out of a discussion among the author, Ole Troan, Mark Townsley, Frank Brockners, and Shwetha Bhandari, and benefited from comments by Dennis Ferguson, Brian Carpenter, and Joe Touch.

8.  References

8.1.  Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

8.2.  Informative References

   [I-D.ietf-v6ops-ipv6-ehs-in-real-world] Gont, F., Linkova, J., Chown, T., and S. Liu, "Observations on IPv6 EH Filtering in the Real World", draft-ietf-v6ops-ipv6-ehs-in-real-world-00 (work in progress), April 2015.

   [RCP] Dukkipati, N., "Rate Control Protocol (RCP): Congestion control to make flows complete quickly", Stanford University, 2006.

   [RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option", RFC 2711, October 1999.

   [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005.

   [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.

   [RFC6398] Le Faucheur, F., "IP Router Alert Considerations and Usage", BCP 168, RFC 6398, October 2011.

   [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing of IPv6 Extension Headers", RFC 7045, December 2013.

   [XCP] Katabi, D., Handley, M., and C. Rohrs, "Congestion control for high bandwidth-delay product networks", SIGCOMM Symposium proceedings on Communications architectures and protocols, 2002.

Appendix A.  Change Log

Initial Version: June 2015

Author's Address

Fred Baker
Cisco Systems
Santa Barbara, California 93117
USA

Email: fred@cisco.com