idnits 2.17.1 draft-bonica-6man-deprecate-router-alert-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == The 'Updates: ' line in the draft header should list only the _numbers_ of the RFCs which will be updated by this document (if approved); it should not include the word 'RFC' in the list. -- The draft header indicates that this document updates RFC2711, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC2711, updated by this document, for RFC5378 checks: 1996-11-19) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (30 December 2021) is 847 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 6man R. Bonica 3 Internet-Draft Juniper Networks 4 Updates: RFC 2711 (if approved) 30 December 2021 5 Intended status: Standards Track 6 Expires: 3 July 2022 8 Deprecation Of The IPv6 Router Alert Option 9 draft-bonica-6man-deprecate-router-alert-00 11 Abstract 13 This document deprecates the IPv6 Router Alert Option. Protocols 14 that use the Router Alert Option may continue to do so. However, 15 protocols standardized in the future must not use the Router Alert 16 Option. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on 3 July 2022. 35 Copyright Notice 37 Copyright (c) 2021 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 42 license-info) in effect on the date of publication of this document. 43 Please review these documents carefully, as they describe your rights 44 and restrictions with respect to this document. Code Components 45 extracted from this document must include Revised BSD License text as 46 described in Section 4.e of the Trust Legal Provisions and are 47 provided without warranty as described in the Revised BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 52 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 53 3. Updates To RFC 2711 . . . . . . . . . . . . . . . . . . . . . 4 54 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 55 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 56 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 57 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 58 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 59 7.2. Informative References . . . . . . . . . . . . . . . . . 6 60 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 62 1. Introduction 64 Figure 1 models an Internet router. The router has a forwarding 65 plane and a control plane. 67 --------------------------------------------------- 68 | | 69 | CONTROL PLANE | 70 | (OSPF, ISIS, BGP) | 71 | | 72 | (FIB Read-Write) | 73 --------------------------------------------------- 74 | / \ 75 | FIB updates and | Messages addressed 76 | routing protocol | to the router and 77 | messages to | messages that contain 78 | other nodes | the Router Alert Option 79 \ / | 80 --------------------------------------------------- 81 | | 82 | FORWARDING PLANE | 83 | (IPv6) | 84 | | 85 | (FIB Read-Only) | 86 --------------------------------------------------- 88 Figure 1: An Internet Router 90 IPv6 [RFC8200] operates on the forwarding plane. It: 92 * Accepts a packet. 94 * Determines the packet's next hop. 96 * Forwards the packet to its next hop. 98 IPv6 determines a packet's next hop by searching the Forwarding 99 Information Base (FIB) for an entry that best matches the packet's 100 destination address. Therefore, IPv6 requires read-only access to 101 the FIB. 103 Routing protocols (e.g., OSPF, IS-IS, BGP) operate on a router's 104 control plane. They create and maintain the FIB by exchanging 105 routing protocol messages with other nodes. Therefore, the control 106 plane requires read-write access to the FIB. 108 The forwarding and control planes communicate with one another as 109 follows: 111 * The control plane sends FIB updates to the forwarding plane so it 112 can maintain a read-only FIB copy. 114 * The control plane sends routing protocol messages through the 115 forwarding plane to other nodes. 117 * The forwarding plane sends routing protocol messages received from 118 other nodes and addressed to the router to the control plane. 120 * The forwarding plane sends messages that are not addressed to the 121 router but include the IPv6 Router Alert Option [RFC2711] to the 122 control plane. The control plane inspects these messages and 123 returns them to the forwarding plane so that they can continue on 124 to their ultimate destination. 126 Many routers maintain separation between forwarding and control plane 127 hardware. The forwarding plain is implemented on high-performance 128 Application Specific Integrated Circuits (ASIC) and Network 129 Processors (NP), while the control plane is implemented on general- 130 purpose processors. Therefore, the forwarding plane can process many 131 more packets per second than the control plane. Given this 132 difference in packet-handling capabilities, a router's control plane 133 is more susceptible to a Denial-of-Service (DoS) attack than the 134 router's forwarding plane. 136 [RFC6192] demonstrates how a network operator can deploy Access 137 Control Lists (ACL) that protect the control plane from DoS attack. 138 These ACLs are effective and efficient when they select packets based 139 upon information that can be found in a fixed position in the packet 140 header. However, they become less effective and less efficient when 141 they must parse an IPv6 Hop-by-hop Options extension header, 142 searching for the Router Alert Option. Therefore, many network 143 operators drop or severely rate limit packets that contain the IPv6 144 Hop-by-hop Options extension header. 146 [RFC6398] identifies security considerations associated with the 147 Router Alert Option. It provides the following recommendations: 149 * "Network operators SHOULD actively protect themselves against 150 externally generated IP Router Alert packets." 152 * "Applications and protocols SHOULD NOT be deployed with a 153 dependency on processing of the Router Alert Option (as currently 154 specified) across independent administrative domains in the 155 Internet." 157 * "Router implementations of the IP Router Alert Option SHOULD offer 158 the configuration option to simply ignore the presence of "IP 159 Router Alert" in IPv4 and IPv6 packets." 161 * "A router implementation SHOULD forward within the "fast path" 162 (subject to all normal policies and forwarding rules) a packet 163 carrying the IP Router Alert Option containing a next level 164 protocol that is not a protocol of interest to that router." 166 NOTE: In RFC 6398, the terms "fast path" and "control plane 167 components" are used synonymously. 169 Network operators can address all of the security considerations 170 raised in RFC 6398 by configuring their routers to ignore the Router 171 Alert Option. However, such configuration may not be possible if 172 protocol designers continue to design protocols that use the Router 173 Alert Option. Alternatively, network operators will be required to 174 deploy the operationally complex and computationally expensive ACLs 175 described in RFC 6192. Therefore, this document deprecates the IPv6 176 Router Alert Option. 178 2. Requirements Language 180 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 181 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 182 "OPTIONAL" in this document are to be interpreted as described in BCP 183 14 [RFC2119] [RFC8174] when, and only when, they appear in all 184 capitals, as shown here. 186 3. Updates To RFC 2711 188 This document deprecates the IPv6 Router Alert Option. Protocols 189 that use the Router Alert Option MAY continue to do so. However, 190 protocols standardized in the future MUST NOT use the Router Alert 191 Option. 193 Table 1 contains a list of protocols that use the IPv6 Router Alert 194 Option. There are no known IPv6 implementations of MPLS PING. 195 Neither INTSERV nor NSIS are widely deployed. All NSIS protocols are 196 EXPERIMENTAL. 198 +====================+============+==========================+ 199 | Protocol | References | Application | 200 +====================+============+==========================+ 201 | Multicast Listener | [RFC3810] | IPv6 Multicast | 202 | Discovery Version | | | 203 | 2 (MLDv2) | | | 204 +--------------------+------------+--------------------------+ 205 +--------------------+------------+--------------------------+ 206 | Multicast Router | [RFC4286] | IPv6 Multicast | 207 | Discovery (MRD) | | | 208 +--------------------+------------+--------------------------+ 209 +--------------------+------------+--------------------------+ 210 | MPLS PING | [RFC8029] | MPLS OAM | 211 +--------------------+------------+--------------------------+ 212 +--------------------+------------+--------------------------+ 213 | Resource | [RFC3175] | Integrated Services | 214 | Reservation | [RFC5946] | (INTSERV) [RFC1633] (Not | 215 | Protocol (RSVP) | [RFC6016] | Traffic engineering or | 216 | | [RFC6401] | MPLS signaling) | 217 +--------------------+------------+--------------------------+ 218 +--------------------+------------+--------------------------+ 219 | Next Steps In | [RFC5979] | NSIS [RFC4080] | 220 | Signaling (NSIS) | [RFC5971] | | 221 +--------------------+------------+--------------------------+ 223 Table 1: Protocols That Use The IPv6 Router Alert Option 225 4. Security Considerations 227 This document extends the security considerations provided in RFC 228 2711, RFC 6192 and RFC 6398. 230 5. IANA Considerations 232 IANA is requested to mark the Router Alert Option as Deprecated in 233 the Destination Options and Hop-by-hop Options Registry ( 234 https://www.iana.org/assignments/ipv6-parameters/ 235 ipv6-parameters.xhtml#ipv6-parameters-2) and add a pointer to this 236 document. 238 6. Acknowledgements 240 Thanks to Bob Hinden for his review of this document. 242 7. References 244 7.1. Normative References 246 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 247 Requirement Levels", BCP 14, RFC 2119, 248 DOI 10.17487/RFC2119, March 1997, 249 . 251 [RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option", 252 RFC 2711, DOI 10.17487/RFC2711, October 1999, 253 . 255 [RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and 256 Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, October 257 2011, . 259 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 260 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 261 May 2017, . 263 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 264 (IPv6) Specification", STD 86, RFC 8200, 265 DOI 10.17487/RFC8200, July 2017, 266 . 268 7.2. Informative References 270 [RFC1633] Braden, R., Clark, D., and S. Shenker, "Integrated 271 Services in the Internet Architecture: an Overview", 272 RFC 1633, DOI 10.17487/RFC1633, June 1994, 273 . 275 [RFC3175] Baker, F., Iturralde, C., Le Faucheur, F., and B. Davie, 276 "Aggregation of RSVP for IPv4 and IPv6 Reservations", 277 RFC 3175, DOI 10.17487/RFC3175, September 2001, 278 . 280 [RFC3810] Vida, R., Ed. and L. Costa, Ed., "Multicast Listener 281 Discovery Version 2 (MLDv2) for IPv6", RFC 3810, 282 DOI 10.17487/RFC3810, June 2004, 283 . 285 [RFC4080] Hancock, R., Karagiannis, G., Loughney, J., and S. Van den 286 Bosch, "Next Steps in Signaling (NSIS): Framework", 287 RFC 4080, DOI 10.17487/RFC4080, June 2005, 288 . 290 [RFC4286] Haberman, B. and J. Martin, "Multicast Router Discovery", 291 RFC 4286, DOI 10.17487/RFC4286, December 2005, 292 . 294 [RFC5946] Le Faucheur, F., Manner, J., Narayanan, A., Guillou, A., 295 and H. Malik, "Resource Reservation Protocol (RSVP) 296 Extensions for Path-Triggered RSVP Receiver Proxy", 297 RFC 5946, DOI 10.17487/RFC5946, October 2010, 298 . 300 [RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General Internet 301 Signalling Transport", RFC 5971, DOI 10.17487/RFC5971, 302 October 2010, . 304 [RFC5979] Shen, C., Schulzrinne, H., Lee, S., and J. Bang, "NSIS 305 Operation over IP Tunnels", RFC 5979, 306 DOI 10.17487/RFC5979, March 2011, 307 . 309 [RFC6016] Davie, B., Le Faucheur, F., and A. Narayanan, "Support for 310 the Resource Reservation Protocol (RSVP) in Layer 3 VPNs", 311 RFC 6016, DOI 10.17487/RFC6016, October 2010, 312 . 314 [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the 315 Router Control Plane", RFC 6192, DOI 10.17487/RFC6192, 316 March 2011, . 318 [RFC6401] Le Faucheur, F., Polk, J., and K. Carlberg, "RSVP 319 Extensions for Admission Priority", RFC 6401, 320 DOI 10.17487/RFC6401, October 2011, 321 . 323 [RFC8029] Kompella, K., Swallow, G., Pignataro, C., Ed., Kumar, N., 324 Aldrin, S., and M. Chen, "Detecting Multiprotocol Label 325 Switched (MPLS) Data-Plane Failures", RFC 8029, 326 DOI 10.17487/RFC8029, March 2017, 327 . 329 Author's Address 330 Ron Bonica 331 Juniper Networks 332 2251 Corporate Park Drive 333 Herndon, Virginia 20171 334 United States of America 336 Email: rbonica@juniper.net