idnits 2.17.1
draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (July 25, 2020) is 1369 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)
== Outdated reference: A later version (-10) exists of
draft-ietf-opsec-ipv6-eh-filtering-06
-- Obsolete informational reference (is this intentional?): RFC 5575
(Obsoleted by RFC 8955)
Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 Operations Working Group (v6ops) F. Gont
3 Internet-Draft SI6 Networks
4 Intended status: Informational N. Hilliard
5 Expires: January 26, 2021 INEX
6 G. Doering
7 SpaceNet AG
8 W. Kumari
9 Google
10 G. Huston
11 APNIC
12 July 25, 2020
14 Operational Implications of IPv6 Packets with Extension Headers
15 draft-gont-v6ops-ipv6-ehs-packet-drops-04
17 Abstract
19 This document summarizes the security and operational implications of
20 IPv6 extension headers, and attempts to analyze reasons why packets
21 with IPv6 extension headers may be dropped in the public Internet.
23 Status of This Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at https://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on January 26, 2021.
40 Copyright Notice
42 Copyright (c) 2020 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (https://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
58 2. Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . 3
59 3. Previous Work on IPv6 Extension Headers . . . . . . . . . . . 3
60 4. Security Implications . . . . . . . . . . . . . . . . . . . . 4
61 5. Operational Implications . . . . . . . . . . . . . . . . . . 6
62 5.1. Requirement to process required layer-3/layer-4
63 information . . . . . . . . . . . . . . . . . . . . . . . 6
64 5.2. Route-Processor Protection . . . . . . . . . . . . . . . 8
65 5.3. Inability to Perform Fine-grained Filtering . . . . . . . 9
66 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
67 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
68 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
69 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
70 9.1. Normative References . . . . . . . . . . . . . . . . . . 10
71 9.2. Informative References . . . . . . . . . . . . . . . . . 11
72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
74 1. Introduction
76 IPv6 Extension Headers (EHs) allow for the extension of the IPv6
77 protocol, and provide support for core functionality such as IPv6
78 fragmentation. However, common implementation limitations suggest
79 that EHs present a challenge for IPv6 packet routing equipment, and
80 evidence exists that IPv6 packets with EHs may be intentionally
81 dropped in the public Internet in some network deployments.
83 The authors of this document have been involved in numerous
84 discussions about IPv6 extension headers (both within the IETF and in
85 other fora), and have noticed that the security and operational
86 implications associated with IPv6 EHs were unknown to the larger
87 audience participating in these discussions.
89 This document has the following goals:
91 o Raise awareness about the security and operational implications of
92 IPv6 Extension Headers, and presents reasons why some networks
93 intentionally drop packets containing IPv6 Extension Headers.
95 o Highlight areas where current IPv6 support by networking devices
96 maybe sub-optimal, such that the aforementioned support is
97 improved.
99 o Highlight operational issues associated with IPv6 extension
100 headers, such that those issues are considered in IETF
101 standardization efforts.
103 Section 3 of this document summarizes the previous work that has been
104 carried out in the area of IPv6 extension headers. Section 4 briefly
105 discusses the security implications of IPv6 Extension Headers, while
106 Section 5 discusses their operational implications.
108 2. Disclaimer
110 This document analyzes the operational challenges represented by
111 packets that employ IPv6 Extension Headers, and documents some of the
112 operational reasons for which these packets may be dropped in the
113 public Internet. This document IS NOT a recommendation to drop such
114 packets, but rather an analysis of why they're dropped.
116 3. Previous Work on IPv6 Extension Headers
118 Some of the implications of IPv6 Extension Headers have been
119 discussed in IETF circles. For example, [I-D.taylor-v6ops-fragdrop]
120 discusses a rationale for which operators drop IPv6 fragments.
121 [I-D.wkumari-long-headers] discusses possible issues arising from
122 "long" IPv6 header chains. [RFC7045] clarifies how intermediate
123 nodes should deal with IPv6 extension headers.
124 [I-D.kampanakis-6man-ipv6-eh-parsing] describes how inconsistencies
125 in the way IPv6 packets with extension headers are parsed by
126 different implementations may result in evasion of security controls,
127 and presents guidelines for parsing IPv6 extension headers with the
128 goal of providing a common and consistent parsing methodology for
129 IPv6 implementations. [I-D.ietf-opsec-ipv6-eh-filtering] analyzes
130 the security implications of IPv6 EHs, and the operational
131 implications of dropping packets that employ IPv6 EHs and associated
132 options. [RFC6980] analyzes the security implications of employing
133 IPv6 fragmentation with Neighbor Discovery for IPv6, and formally
134 recommends against such usage. Finally, [RFC7113] discusses how some
135 popular RA-Guard implementations are subject to evasion by means of
136 IPv6 extension headers. [I-D.ietf-intarea-frag-fragile] analyzes the
137 fragility introduced by IP fragmentation.
139 A number of recent RFCs have discussed issues related to IPv6
140 extension headers, specifying updates to a previous revision of the
141 IPv6 standard ([RFC2460]), which have now been incorporated into the
142 current IPv6 core standard ([RFC8200]). Namely,
143 o [RFC5095] discusses the security implications of Routing Header
144 Type 0 (RTH0), and deprecates it.
146 o [RFC5722] analyzes the security implications of overlapping
147 fragments, and provides recommendations in this area.
149 o [RFC7112] discusses the issues arising in a specific fragmentation
150 case where the IPv6 header chain is fragmented into two or more
151 fragments (and formally forbids such fragmentation case).
153 o [RFC6946] discusses a flawed (but common) processing of the so-
154 called IPv6 "atomic fragments", and specified improved processing
155 of such packets.
157 o [RFC8021] deprecates the generation of IPv6 atomic fragments.
159 o [RFC8504] allows hosts to enforce limits on the number of options
160 included in IPv6 EHs.
162 o [RFC7739] discusses the security implications of predictable
163 fragment Identification values, and provides recommendations for
164 the generation of these values.
166 Additionally, [RFC8200] has relaxed the requirement that "all nodes
167 examine and process the Hop-by-Hop Options header" from [RFC2460], by
168 specifying that only to nodes that have been explicitly configured to
169 process the Hop-by-Hop Options header are required to do so.
171 A number of studies have measured the extent to which packets
172 employing IPv6 extension headers are filtered in the public Internet.
173 Some preliminary measurements regarding the extent to which packet
174 containing IPv6 EHs are dropped in the public Internet were presented
175 in [PMTUD-Blackholes], [Gont-IEPG88], [Gont-Chown-IEPG89], and
176 [Linkova-Gont-IEPG90]. [RFC7872] presents more comprehensive results
177 and documents the methodology for obtaining the presented results.
178 [Huston-2017] measures packet drops resulting from IPv6 fragmentation
179 when communicating with DNS servers.
181 4. Security Implications
183 The security implications of IPv6 Extension Headers generally fall
184 into one or more of these categories:
186 o Evasion of security controls
188 o DoS due to processing requirements
190 o DoS due to implementation errors
191 o Extension Header-specific issues
193 Unlike IPv4 packets where the upper-layer protocol can be trivially
194 found by means of the "IHL" ("Internet Header Length") IPv4 header
195 field, the structure of IPv6 packets is more flexible and complex,
196 and may represent a challenge for devices that need to find this
197 information, since locating upper-layer protocol information requires
198 that all IPv6 extension headers be examined. This has presented
199 implementation difficulties, and packet filtering mechanisms that
200 require upper-layer information (even if just the upper layer
201 protocol type) have been found to be trivially evasible by inserting
202 IPv6 Extension Headers between the main IPv6 header and the upper
203 layer protocol. [RFC7113] describes this issue for the RA-Guard
204 case, but the same techniques can be employed to circumvent other
205 IPv6 firewall and packet filtering mechanisms. Additionally,
206 implementation inconsistencies in packet forwarding engines may
207 result in evasion of security controls
208 [I-D.kampanakis-6man-ipv6-eh-parsing] [Atlasis2014] [BH-EU-2014].
210 Packets that use IPv6 Extension Headers may have a negative
211 performance impact on the handling devices. Unless appropriate
212 mitigations are put in place (e.g., packet dropping and/or rate-
213 limiting), an attacker could simply send a large amount of IPv6
214 traffic employing IPv6 Extension Headers with the purpose of
215 performing a Denial of Service (DoS) attack (see Section 5 for
216 further details).
218 NOTE:
219 In the most trivial case, a packet that includes a Hop-by-Hop
220 Options header might go through the slow forwarding path, and be
221 processed by the router's CPU. Another possible case might be
222 that in which a router that has been configured to enforce an ACL
223 based on upper-layer information (e.g., upper layer protocol or
224 TCP Destination Port), needs to process the entire IPv6 header
225 chain (in order to find the required information), causing the
226 packet to be processed in the slow path [Cisco-EH-Cons]. We note
227 that, for obvious reasons, the aforementioned performance issues
228 may affect other devices such as firewalls, Network Intrusion
229 Detection Systems (NIDS), etc. [Zack-FW-Benchmark]. The extent
230 to which these devices are affected is typically implementation-
231 dependent.
233 IPv6 implementations, like all other software, tend to mature with
234 time and wide-scale deployment. While the IPv6 protocol itself has
235 existed for over 20 years, serious bugs related to IPv6 Extension
236 Header processing continue to be discovered. Because there is
237 currently little operational reliance on IPv6 Extension headers, the
238 corresponding code paths are rarely exercised, and there is the
239 potential for bugs that still remain to be discovered in some
240 implementations.
242 IPv6 Fragment Headers are employed to allow fragmentation of IPv6
243 packets. While many of the security implications of the
244 fragmentation / reassembly mechanism are known from the IPv4 world,
245 several related issues have crept into IPv6 implementations. These
246 range from denial of service attacks to information leakage, as
247 discussed in [RFC7739], [Bonica-NANOG58] and [Atlasis2012]).
249 5. Operational Implications
251 5.1. Requirement to process required layer-3/layer-4 information
253 Intermediate systems and middleboxes that need to find the layer-4
254 header must process the entire IPv6 extension header chain. When
255 such devices are unable to obtain the required information, they may
256 simply drop the corresponding packets. The following subsections
257 discuss some of reasons for which such layer-4 information may be
258 needed by an intermediate systems or middlebox, and why packets
259 containing IPv6 extension headers may represent a challenge in such
260 scenarios.
262 5.1.1. Packet Forwarding Engine Constraints
264 Most modern routers use dedicated hardware (e.g. ASICs or NPUs) to
265 determine how to forward packets across their internal fabrics (see
266 [IEPG94-Scudder] and [APNIC-Scudder] for details). One of the common
267 methods of handling next-hop lookup is to send a small portion of the
268 ingress packet to a lookup engine with specialised hardware (e.g.
269 ternary CAM or RLDRAM) to determine the packet's next-hop. Technical
270 constraints mean that there is a trade-off between the amount of data
271 sent to the lookup engine and the overall performance of the lookup
272 engine. If more data is sent, the lookup engine can inspect further
273 into the packet, but the overall performance of the system will be
274 reduced. If less data is sent, the overall performance of the router
275 will be increased but the packet lookup engine may not be able to
276 inspect far enough into a packet to determine how it should be
277 handled.
279 NOTE:
280 For example, current high-end routers can use up to 192 bytes of
281 header (Cisco ASR9000 Typhoon) or 384 bytes of header (Juniper MX
282 Trio)
284 If a hardware forwarding engine on a modern router cannot make a
285 forwarding decision about a packet because critical information is
286 not sent to the look-up engine, then the router will normally drop
287 the packet. Historically, some packet forwarding engines punted
288 packets of this form to the control plane for more in-depth analysis,
289 but this is unfeasible on most current router architectures as a
290 result of the vast difference between the hardware forwarding
291 capacity of the router and processing capacity of the control plane
292 and the size of the management link which connects the control plane
293 to the forwarding plane.
295 If an IPv6 header chain is sufficiently long that its header exceeds
296 the packet look-up capacity of the router, then it may be dropped due
297 to hardware inability to determine how it should be handled.
299 5.1.2. ECMP and Hash-based Load-Sharing
301 In the case of ECMP (equal cost multi path) load sharing, the router
302 on the sending side of the link needs to make a decision regarding
303 which of the links to use for a given packet. Since round-robin
304 usage of the links is usually avoided in order to prevent packet
305 reordering, forwarding engines need to use a mechanism which will
306 consistently forward the same data streams down the same forwarding
307 paths. Most forwarding engines achieve this by calculating a simple
308 hash using an n-tuple gleaned from a combination of layer-2 through
309 to layer-4 packet header information. This n-tuple will typically
310 use the src/dst MAC address, src/dst IP address, and if possible
311 further layer-4 src/dst port information. As layer-4 port
312 information increases the entropy of the hash, it is normally highly
313 desirable to use it where possible.
315 We note that in the IPv6 world, flows are expected to be identified
316 by means of the IPv6 Flow Label [RFC6437]. Thus, ECMP and Hash-based
317 Load-Sharing would be possible without the need to process the entire
318 IPv6 header chain to obtain upper-layer information to identify
319 flows. However, we note that for a long time many IPv6
320 implementations failed to set the Flow Label, and ECMP and Hash-based
321 Load-Sharing devices also did not employ the Flow Label for
322 performing their task.
324 Clearly, widespread support of [RFC6437] would relieve middle-boxes
325 from having to process the entire IPv6 header chain, making Flow
326 Label-based ECMP and Hash-based Load-Sharing [RFC6438] feasible.
328 While support of [RFC6437] is currently widespread for all popular
329 host implementations, there is no existing data regarding the extent
330 to which the Flow Label has superseded the use of transport protocol
331 port numbers for ECMP.
333 5.1.3. Enforcing infrastructure ACLs
335 Generally speaking, infrastructure ACLs (iACLs) drop unwanted packets
336 destined to parts of a provider's infrastructure, because they are
337 not operationally needed and can be used for attacks of different
338 sorts against the router's control plane. Some traffic needs to be
339 differentiated depending on layer-3 or layer-4 criteria to achieve a
340 useful balance of protection and functionality, for example:
342 o Permit some amount of ICMP echo (ping) traffic towards the
343 router's addresses for troubleshooting.
345 o Permit BGP sessions on the shared network of an exchange point
346 (potentially differentiating between the amount of packets/seconds
347 permitted for established sessions and connection establishment),
348 but do not permit other traffic from the same peer IP addresses.
350 5.1.4. DDoS Management and Customer Requests for Filtering
352 The case of customer DDoS protection and edge-to-core customer
353 protection filters is similar in nature to the infrastructure ACL
354 protection. Similar to infrastructure ACL protection, layer-4 ACLs
355 generally need to be applied as close to the edge of the network as
356 possible, even though the intent is usually to protect the customer
357 edge rather than the provider core. Application of layer-4 DDoS
358 protection to a network edge is often automated using Flowspec
359 [RFC5575].
361 For example, a web site which normally only handled traffic on TCP
362 ports 80 and 443 could be subject to a volumetric DDoS attack using
363 NTP and DNS packets with randomised source IP address, thereby
364 rendering traditional [RFC5635] source-based real-time black hole
365 mechanisms useless. In this situation, DDoS protection ACLs could be
366 configured to block all UDP traffic at the network edge without
367 impairing the web server functionality in any way. Thus, being able
368 to block arbitrary protocols at the network edge can avoid DDoS-
369 related problems both in the provider network and on the customer
370 edge link.
372 5.2. Route-Processor Protection
374 Most modern routers have a fast hardware-assisted forwarding plane
375 and a loosely coupled control plane, connected together with a link
376 that has much less capacity than the forwarding plane could handle.
377 Traffic differentiation cannot be done by the control plane side,
378 because this would overload the internal link connecting the
379 forwarding plane to the control plane.
381 The Hop-by-Hop Options header has been particularly challenging
382 since, in most (if not all) implementations, it has typically caused
383 the corresponding packet to be punted to a software path. As a
384 result, operators usually drop IPv6 packets containing this extension
385 header. Please see [RFC6192] for advice regarding protection of the
386 router control plane.
388 5.3. Inability to Perform Fine-grained Filtering
390 Some router implementations lack fine-grained filtering of IPv6
391 extension headers. For example, an operator may want to drop packets
392 containing Routing Header Type 0 (RHT0) but may only be able to
393 filter on the extension header type (Routing Header). As a result,
394 the operator may end up enforcing a more coarse filtering policy
395 (e.g. "drop all packets containing a Routing Header" vs. "only drop
396 packets that contain a Routing Header Type 0").
398 6. IANA Considerations
400 There are no IANA registries within this document. The RFC-Editor
401 can remove this section before publication of this document as an
402 RFC.
404 7. Security Considerations
406 The security implications of IPv6 extension headers are discussed in
407 Section 4. This document does not introduce any new security issues.
409 8. Acknowledgements
411 The authors would like to thank (in alphabetical order) Mikael
412 Abrahamsson, Fred Baker, Brian Carpenter, Tom Herbert, Lee Howard,
413 Sander Steffann, Eric Vyncke, and Andrew Yourtchenko, for providing
414 valuable comments on earlier versions of this document.
415 Additionally, the authors would like to thank participants of the
416 v6ops working group for their valuable input on the topics that led
417 to the publication of this document.
419 Fernando Gont would like to thank Jan Zorz / Go6 Lab
420 , Jared Mauch, and Sander Steffann
421 , for providing access to systems and networks
422 that were employed to perform experiments and measurements involving
423 packets with IPv6 Extension Headers.
425 9. References
427 9.1. Normative References
429 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
430 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
431 December 1998, .
433 [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
434 of Type 0 Routing Headers in IPv6", RFC 5095,
435 DOI 10.17487/RFC5095, December 2007,
436 .
438 [RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments",
439 RFC 5722, DOI 10.17487/RFC5722, December 2009,
440 .
442 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments",
443 RFC 6946, DOI 10.17487/RFC6946, May 2013,
444 .
446 [RFC6980] Gont, F., "Security Implications of IPv6 Fragmentation
447 with IPv6 Neighbor Discovery", RFC 6980,
448 DOI 10.17487/RFC6980, August 2013,
449 .
451 [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of
452 Oversized IPv6 Header Chains", RFC 7112,
453 DOI 10.17487/RFC7112, January 2014,
454 .
456 [RFC8021] Gont, F., Liu, W., and T. Anderson, "Generation of IPv6
457 Atomic Fragments Considered Harmful", RFC 8021,
458 DOI 10.17487/RFC8021, January 2017,
459 .
461 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
462 (IPv6) Specification", STD 86, RFC 8200,
463 DOI 10.17487/RFC8200, July 2017,
464 .
466 [RFC8504] Chown, T., Loughney, J., and T. Winters, "IPv6 Node
467 Requirements", BCP 220, RFC 8504, DOI 10.17487/RFC8504,
468 January 2019, .
470 9.2. Informative References
472 [APNIC-Scudder]
473 Scudder, J., "Modern router architecture and IPv6", APNIC
474 Blog, June 4, 2020, .
477 [Atlasis2012]
478 Atlasis, A., "Attacking IPv6 Implementation Using
479 Fragmentation", BlackHat Europe 2012. Amsterdam,
480 Netherlands. March 14-16, 2012,
481 .
484 [Atlasis2014]
485 Atlasis, A., "A Novel Way of Abusing IPv6 Extension
486 Headers to Evade IPv6 Security Devices", May 2014,
487 .
490 [BH-EU-2014]
491 Atlasis, A., Rey, E., and R. Schaefer, "Evasion of High-
492 End IDPS Devices at the IPv6 Era", BlackHat Europe 2014,
493 2014, .
496 [Bonica-NANOG58]
497 Bonica, R., "IPv6 Extension Headers in the Real World
498 v2.0", NANOG 58. New Orleans, Louisiana, USA. June 3-5,
499 2013, .
502 [Cisco-EH-Cons]
503 Cisco, "IPv6 Extension Headers Review and Considerations",
504 October 2006,
505 .
508 [Gont-Chown-IEPG89]
509 Gont, F. and T. Chown, "A Small Update on the Use of IPv6
510 Extension Headers", IEPG 89. London, UK. March 2, 2014,
511 .
514 [Gont-IEPG88]
515 Gont, F., "Fragmentation and Extension header Support in
516 the IPv6 Internet", IEPG 88. Vancouver, BC, Canada.
517 November 13, 2013, .
520 [Huston-2017]
521 Huston, G., "Dealing with IPv6 fragmentation in the
522 DNS", APNIC Blog, 2017,
523 .
526 [I-D.ietf-intarea-frag-fragile]
527 Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O.,
528 and F. Gont, "IP Fragmentation Considered Fragile", draft-
529 ietf-intarea-frag-fragile-17 (work in progress), September
530 2019.
532 [I-D.ietf-opsec-ipv6-eh-filtering]
533 Gont, F. and W. LIU, "Recommendations on the Filtering of
534 IPv6 Packets Containing IPv6 Extension Headers", draft-
535 ietf-opsec-ipv6-eh-filtering-06 (work in progress), July
536 2018.
538 [I-D.kampanakis-6man-ipv6-eh-parsing]
539 Kampanakis, P., "Implementation Guidelines for parsing
540 IPv6 Extension Headers", draft-kampanakis-6man-ipv6-eh-
541 parsing-01 (work in progress), August 2014.
543 [I-D.taylor-v6ops-fragdrop]
544 Jaeggli, J., Colitti, L., Kumari, W., Vyncke, E., Kaeo,
545 M., and T. Taylor, "Why Operators Filter Fragments and
546 What It Implies", draft-taylor-v6ops-fragdrop-02 (work in
547 progress), December 2013.
549 [I-D.wkumari-long-headers]
550 Kumari, W., Jaeggli, J., Bonica, R., and J. Linkova,
551 "Operational Issues Associated With Long IPv6 Header
552 Chains", draft-wkumari-long-headers-03 (work in progress),
553 June 2015.
555 [IEPG94-Scudder]
556 Petersen, B. and J. Scudder, "Modern Router Architecture
557 for Protocol Designers", IEPG 94. Yokohama, Japan.
558 November 1, 2015, .
561 [Linkova-Gont-IEPG90]
562 Linkova, J. and F. Gont, "IPv6 Extension Headers in the
563 Real World v2.0", IEPG 90. Toronto, ON, Canada. July 20,
564 2014, .
567 [PMTUD-Blackholes]
568 De Boer, M. and J. Bosma, "Discovering Path MTU black
569 holes on the Internet using RIPE Atlas", July 2012,
570 .
573 [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
574 and D. McPherson, "Dissemination of Flow Specification
575 Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
576 .
578 [RFC5635] Kumari, W. and D. McPherson, "Remote Triggered Black Hole
579 Filtering with Unicast Reverse Path Forwarding (uRPF)",
580 RFC 5635, DOI 10.17487/RFC5635, August 2009,
581 .
583 [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
584 Router Control Plane", RFC 6192, DOI 10.17487/RFC6192,
585 March 2011, .
587 [RFC6437] Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme,
588 "IPv6 Flow Label Specification", RFC 6437,
589 DOI 10.17487/RFC6437, November 2011,
590 .
592 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
593 for Equal Cost Multipath Routing and Link Aggregation in
594 Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011,
595 .
597 [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing
598 of IPv6 Extension Headers", RFC 7045,
599 DOI 10.17487/RFC7045, December 2013,
600 .
602 [RFC7113] Gont, F., "Implementation Advice for IPv6 Router
603 Advertisement Guard (RA-Guard)", RFC 7113,
604 DOI 10.17487/RFC7113, February 2014,
605 .
607 [RFC7739] Gont, F., "Security Implications of Predictable Fragment
608 Identification Values", RFC 7739, DOI 10.17487/RFC7739,
609 February 2016, .
611 [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu,
612 "Observations on the Dropping of Packets with IPv6
613 Extension Headers in the Real World", RFC 7872,
614 DOI 10.17487/RFC7872, June 2016,
615 .
617 [Zack-FW-Benchmark]
618 Zack, E., "Firewall Security Assessment and Benchmarking
619 IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1,
620 Berlin, Germany. June 30, 2013,
621 .
625 Authors' Addresses
627 Fernando Gont
628 SI6 Networks
629 Segurola y Habana 4310, 7mo Piso
630 Villa Devoto, Ciudad Autonoma de Buenos Aires
631 Argentina
633 Email: fgont@si6networks.com
634 URI: https://www.si6networks.com
636 Nick Hilliard
637 INEX
638 4027 Kingswood Road
639 Dublin 24
640 IE
642 Email: nick@inex.ie
644 Gert Doering
645 SpaceNet AG
646 Joseph-Dollinger-Bogen 14
647 Muenchen D-80807
648 Germany
650 Email: gert@space.net
651 Warren Kumari
652 Google
653 1600 Amphitheatre Parkway
654 Mountain View, CA 94043
655 US
657 Email: warren@kumari.net
659 Geoff Huston
661 Email: gih@apnic.net
662 URI: http://www.apnic.net