Internet Area WG                                               R. Bonica
Internet-Draft                                          Juniper Networks
Intended status: Best Current Practice                          F. Baker
Expires: December 21, 2019                                  Unaffiliated
                                                               G. Huston
                                                                   APNIC
                                                               R. Hinden
                                                    Check Point Software
                                                                O. Troan
                                                                   Cisco
                                                                 F. Gont
                                                            SI6 Networks
                                                           June 19, 2019

                  IP Fragmentation Considered Fragile
                   draft-ietf-intarea-frag-fragile-12

Abstract

   This document describes IP fragmentation and explains how it
   introduces fragility to Internet communication.

   This document also proposes alternatives to IP fragmentation and
   provides recommendations for developers and network operators.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 21, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  IP-in-IP Tunnels
   2.  IP Fragmentation
     2.1.  Links, Paths, MTU and PMTU
     2.2.  Fragmentation Procedures
     2.3.  Upper-Layer Reliance on IP Fragmentation
   3.  Requirements Language
   4.  Increased Fragility
     4.1.  Policy-Based Routing
     4.2.  Network Address Translation (NAT)
     4.3.  Stateless Firewalls
     4.4.  Equal Cost Multipath, Link Aggregate Groups and Stateless
           Load-Balancers
     4.5.  IPv4 Reassembly Errors at High Data Rates
     4.6.  Security Vulnerabilities
     4.7.  PMTU Blackholing Due to ICMP Loss
       4.7.1.  Transient Loss
       4.7.2.  Incorrect Implementation of Security Policy
       4.7.3.  Persistent Loss Caused By Anycast
       4.7.4.  Persistent Loss Caused By Unidirectional Routing
     4.8.  Blackholing Due To Filtering or Loss
   5.  Alternatives to IP Fragmentation
     5.1.  Transport Layer Solutions
     5.2.  Application Layer Solutions
   6.  Applications That Rely on IPv6 Fragmentation
     6.1.  Domain Name Service (DNS)
     6.2.  Open Shortest Path First (OSPF)
     6.3.  Packet-in-Packet Encapsulations
     6.4.  UDP Applications Enhancing Performance
   7.  Recommendations
     7.1.  For Application and Protocol Developers
     7.2.  For System Developers
     7.3.  For Middle Box Developers
     7.4.  For ECMP, LAG and Load-Balancer Developers And Operators
     7.5.  For Network Operators
   8.  IANA Considerations
   9.  Security Considerations
   10. Acknowledgements
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  Contributors' Address
   Authors' Addresses

1. Introduction

   Operational experience [Kent] [Huston] [RFC7872] reveals that IP
   fragmentation introduces fragility to Internet communication. This
   document describes IP fragmentation and explains the fragility it
   introduces. It also proposes alternatives to IP fragmentation and
   provides recommendations for developers and network operators.

   While this document identifies issues associated with IP
   fragmentation, it does not recommend deprecation. Legacy protocols
   that depend upon IP fragmentation SHOULD be updated to remove that
   dependency. However, some applications and environments (see
   Section 6) require IP fragmentation.
   In these cases, the protocol
   will continue to rely on IP fragmentation, but the designer should
   be aware that fragmented packets may result in blackholes; a design
   should include appropriate safeguards (e.g. PLPMTU).

   Rather than deprecating IP Fragmentation, this document recommends
   that upper-layer protocols address the problem of fragmentation at
   their layer, reducing their reliance on IP fragmentation to the
   greatest degree possible.

1.1. IP-in-IP Tunnels

   This document acknowledges that in some cases, packets must be
   fragmented within IP-in-IP tunnels [I-D.ietf-intarea-tunnels].
   Therefore, this document makes no additional recommendations
   regarding IP-in-IP tunnels.

2. IP Fragmentation

2.1. Links, Paths, MTU and PMTU

   An Internet path connects a source node to a destination node. A
   path can contain links and routers. If a path contains more than one
   link, the links are connected in series and a router connects each
   link to the next.

   Internet paths are dynamic. Assume that the path from one node to
   another contains a set of links and routers. If a link fails, the
   path can also change so that it includes a different set of links and
   routers.

   Each link is constrained by the number of bytes that it can convey in
   a single IP packet. This constraint is called the link Maximum
   Transmission Unit (MTU). IPv4 [RFC0791] requires every link to
   support a specified MTU (see NOTE 1). IPv6 [RFC8200] requires every
   link to support an MTU of 1280 bytes or greater. These are called
   the IPv4 and IPv6 minimum link MTU's.

   Likewise, each Internet path is constrained by the number of bytes
   that it can convey in a single IP packet. This constraint is called
   the Path MTU (PMTU). For any given path, the PMTU is equal to the
   smallest of its link MTU's. Because Internet paths are dynamic, PMTU
   is also dynamic.

   For reasons described below, source nodes estimate the PMTU between
   themselves and destination nodes. A source node can produce
   extremely conservative PMTU estimates in which:

   o  The estimate for each IPv4 path is equal to the IPv4 minimum link
      MTU.

   o  The estimate for each IPv6 path is equal to the IPv6 minimum link
      MTU.

   While these conservative estimates are guaranteed to be less than or
   equal to the actual PMTU, they are likely to be much less than the
   actual PMTU. This may adversely affect upper-layer protocol
   performance.

   By executing Path MTU Discovery (PMTUD) [RFC1191] [RFC8201]
   procedures, a source node can maintain a less conservative estimate
   of the PMTU between itself and a destination node. In PMTUD, the
   source node produces an initial PMTU estimate. This initial estimate
   is equal to the MTU of the first link along the path to the
   destination node. It can be greater than the actual PMTU.

   Having produced an initial PMTU estimate, the source node sends
   non-fragmentable IP packets to the destination node (see NOTE 2). If
   one of these packets is larger than the actual PMTU, a downstream
   router will not be able to forward the packet through the next link
   along the path. Therefore, the downstream router drops the packet and
   sends an Internet Control Message Protocol (ICMP) [RFC0792] [RFC4443]
   Packet Too Big (PTB) message to the source node (see NOTE 3). The
   ICMP PTB message indicates the MTU of the link through which the
   packet could not be forwarded. The source node uses this information
   to refine its PMTU estimate.

   PMTUD produces a running estimate of the PMTU between a source node
   and a destination node. Because PMTU is dynamic, the PMTU estimate
   can be larger than the actual PMTU. In order to detect PMTU
   increases, PMTUD occasionally resets the PMTU estimate to its initial
   value and repeats the procedure described above.

   Ideally, PMTUD operates as described above. However, in some
   scenarios, PMTUD fails. For example:

   o  PMTUD relies on the network's ability to deliver ICMP PTB messages
      to the source node. If the network cannot deliver ICMP PTB
      messages to the source node, PMTUD fails.

   o  PMTUD is susceptible to attack because ICMP messages are easily
      forged [RFC5927] and not authenticated by the receiver. Such
      attacks can cause PMTUD to produce unnecessarily conservative PMTU
      estimates.

   NOTE 1: In IPv4, every host must be capable of receiving a packet
   whose length is equal to 576 bytes. However, the IPv4 minimum link
   MTU is not 576. Section 3.2 of RFC 791 explicitly states that the
   IPv4 minimum link MTU is 68 bytes. But for practical purposes, many
   network operators consider the IPv4 minimum link MTU to be 576 bytes,
   to minimize the requirement for fragmentation en route. So, for the
   purposes of this document, we assume that the IPv4 minimum path MTU
   is 576 bytes.

   NOTE 2: A non-fragmentable packet can be fragmented at its source.
   However, it cannot be fragmented by a downstream node. An IPv4
   packet whose DF-bit is set to zero is fragmentable. An IPv4 packet
   whose DF-bit is set to one is non-fragmentable. All IPv6 packets are
   also non-fragmentable.

   NOTE 3: The ICMP PTB message has two instantiations. In ICMPv4
   [RFC0792], the ICMP PTB message is a Destination Unreachable message
   with Code equal to (4) fragmentation needed and DF set. This message
   was augmented by [RFC1191] to indicate the MTU of the link through
   which the packet could not be forwarded. In ICMPv6 [RFC4443], the
   ICMP PTB message is a Packet Too Big Message with Code equal to (0).
   This message also indicates the MTU of the link through which the
   packet could not be forwarded.

2.2. Fragmentation Procedures

   When an upper-layer protocol submits data to the underlying IP
   module, and the resulting IP packet's length is greater than the
   PMTU, the packet is divided into fragments. Each fragment includes
   an IP header and a portion of the original packet.

   [RFC0791] describes IPv4 fragmentation procedures. An IPv4 packet
   whose DF-bit is set to one can be fragmented by the source node, but
   cannot be fragmented by a downstream router. An IPv4 packet whose
   DF-bit is set to zero can be fragmented by the source node or by a
   downstream router. When an IPv4 packet is fragmented, all IP options
   appear in the first fragment, but only options whose "copy" bit is
   set to one appear in subsequent fragments.

   [RFC8200] describes IPv6 fragmentation procedures. An IPv6 packet
   can be fragmented at the source node only. When an IPv6 packet is
   fragmented, all extension headers appear in the first fragment, but
   only per-fragment headers appear in subsequent fragments.
   Per-fragment headers include the following:

   o  The IPv6 header.

   o  The Hop-by-hop Options header (if present)

   o  The Destination Options header (if present and if it precedes a
      Routing header)

   o  The Routing Header (if present)

   o  The Fragment Header

   In both IPv4 and IPv6, the upper-layer header appears in the first
   fragment only. It does not appear in subsequent fragments.

2.3. Upper-Layer Reliance on IP Fragmentation

   Upper-layer protocols can operate in the following modes:

   o  Do not rely on IP fragmentation.

   o  Rely on IP fragmentation by the source node only.

   o  Rely on IP fragmentation by any node.

   Upper-layer protocols running over IPv4 can operate in all of the
   above-mentioned modes. Upper-layer protocols running over IPv6 can
   operate in the first and second modes only.

   Upper-layer protocols that operate in the first two modes (above)
   require access to the PMTU estimate.
   In order to fulfil this
   requirement, they can:

   o  Estimate the PMTU to be equal to the IPv4 or IPv6 minimum link
      MTU.

   o  Access the estimate that PMTUD produced.

   o  Execute PMTUD procedures themselves.

   o  Execute Packetization Layer PMTUD (PLPMTUD) [RFC4821]
      [I-D.ietf-tsvwg-datagram-plpmtud] procedures.

   According to PLPMTUD procedures, the upper-layer protocol maintains a
   running PMTU estimate. It does so by sending probe packets of
   various sizes to its upper-layer peer and receiving acknowledgements.
   This strategy differs from PMTUD in that it relies on acknowledgement
   of received messages, as opposed to ICMP PTB messages concerning
   dropped messages. Therefore, PLPMTUD does not rely on the network's
   ability to deliver ICMP PTB messages to the source.

3. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

4. Increased Fragility

   This section explains how IP fragmentation introduces fragility to
   Internet communication.

4.1. Policy-Based Routing

   IP Fragmentation causes problems for routers that implement
   policy-based routing.

   When a router receives a packet, it identifies the next-hop on route
   to the packet's destination and forwards the packet to that next-hop.
   In order to identify the next-hop, the router interrogates a local
   data structure called the Forwarding Information Base (FIB).

   Normally, the FIB contains destination-based entries that map a
   destination prefix to a next-hop. Policy-based routing allows
   destination-based and policy-based entries to coexist in the same
   FIB.
   A policy-based FIB entry maps multiple fields, drawn from
   either the IP or transport-layer header, to a next-hop.

   +-------+--------------+-----------------+------------+-------------+
   | Entry | Type         | Dest. Prefix    | Next Hdr / | Next-Hop    |
   |       |              |                 | Dest. Port |             |
   +-------+--------------+-----------------+------------+-------------+
   |       |              |                 |            |             |
   | 1     | Destination- | 2001:db8::1/128 | Any / Any  | 2001:db8::2 |
   |       | based        |                 |            |             |
   |       |              |                 |            |             |
   | 2     | Policy-      | 2001:db8::1/128 | TCP / 80   | 2001:db8::3 |
   |       | based        |                 |            |             |
   +-------+--------------+-----------------+------------+-------------+

                    Table 1: Policy-Based Routing FIB

   Assume that a router maintains the FIB in Table 1. The first FIB
   entry is destination-based. It maps a destination prefix
   (2001:db8::1/128) to a next-hop (2001:db8::2). The second FIB entry
   is policy-based. It maps the same destination prefix
   (2001:db8::1/128) and a destination port (TCP / 80) to a different
   next-hop (2001:db8::3). The second entry is more specific than the
   first.

   When the router receives the first fragment of a packet that is
   destined for TCP port 80 on 2001:db8::1, it interrogates the FIB.
   Both FIB entries satisfy the query. The router selects the second
   FIB entry because it is more specific and forwards the packet to
   2001:db8::3.

   When the router receives the second fragment of the packet, it
   interrogates the FIB again. This time, only the first FIB entry
   satisfies the query, because the second fragment contains no
   indication that the packet is destined for TCP port 80. Therefore,
   the router selects the first FIB entry and forwards the packet to
   2001:db8::2.

   Policy-based routing is also known as filter-based-forwarding.

4.2. Network Address Translation (NAT)

   IP fragmentation causes problems for Network Address Translation
   (NAT) devices.
   When a NAT device detects a new, outbound flow, it
   maps that flow's source port and IP address to another source port
   and IP address. Having created that mapping, the NAT device
   translates:

   o  The Source IP Address and Source Port on each outbound packet.

   o  The Destination IP Address and Destination Port on each inbound
      packet.

   A+P [RFC6346] and Carrier Grade NAT (CGN) [RFC6888] are two common
   NAT strategies. In both approaches the NAT device must virtually
   reassemble fragmented packets in order to translate and forward each
   fragment. (See NOTE 1.)

   Virtual reassembly in the network is problematic, because it is
   computationally expensive and because it is prone to attacks
   (Section 4.6).

   NOTE 1: Virtual reassembly is a procedure in which a device
   reassembles a packet, forwards its fragments, and discards the
   reassembled copy. In A+P and CGN, virtual reassembly is required in
   order to correctly translate fragment addresses.

4.3. Stateless Firewalls

   As discussed in more detail in Section 4.6, IP fragmentation causes
   problems for stateless firewalls whose rules include TCP and UDP
   ports. Because port information is not available in the trailing
   fragments, the firewall is limited to the following options:

   o  Accept all trailing fragments, possibly admitting certain classes
      of attack.

   o  Block all trailing fragments, possibly blocking legitimate
      traffic.

   Neither option is attractive.

4.4. Equal Cost Multipath, Link Aggregate Groups and Stateless
     Load-Balancers

   IP fragmentation causes problems for Equal Cost Multipath (ECMP),
   Link Aggregate Groups (LAG) and other stateless load-balancing
   technologies. In order to assign a packet or packet fragment to a
   link, an intermediate node executes a hash (i.e., load-balancing)
   algorithm. The following paragraphs describe a commonly deployed
   hash algorithm.

   If the packet or packet fragment contains a transport-layer header,
   the algorithm accepts the following 5-tuple as input:

   o  IP Source Address.

   o  IP Destination Address.

   o  IPv4 Protocol or IPv6 Next Header.

   o  transport-layer source port.

   o  transport-layer destination port.

   If the packet or packet fragment does not contain a transport-layer
   header, the algorithm accepts only the following 3-tuple as input:

   o  IP Source Address.

   o  IP Destination Address.

   o  IPv4 Protocol or IPv6 Next Header.

   Therefore, non-fragmented packets belonging to a flow can be assigned
   to one link while fragmented packets belonging to the same flow can
   be divided between that link and another. This can cause suboptimal
   load-balancing.

   [RFC6438] offers a partial solution to this problem for IPv6 devices
   only. According to [RFC6438]:

   "At intermediate routers that perform load distribution, the hash
   algorithm used to determine the outgoing component-link in an ECMP
   and/or LAG toward the next hop MUST minimally include the 3-tuple
   {dest addr, source addr, flow label} and MAY also include the
   remaining components of the 5-tuple."

   If the algorithm includes only the 3-tuple {dest addr, source addr,
   flow label}, it will assign all fragments belonging to a packet to
   the same link. (See [RFC6437] and [RFC7098]).

   In order to avoid the problem described above, implementations SHOULD
   implement the recommendations provided in Section 7.4 of this
   document.

4.5. IPv4 Reassembly Errors at High Data Rates

   IPv4 fragmentation is not sufficiently robust for use under some
   conditions in today's Internet. At high data rates, the 16-bit IP
   identification field is not large enough to prevent frequent
   incorrectly assembled IP fragments, and the TCP and UDP checksums are
   insufficient to prevent the resulting corrupted datagrams from being
   delivered to higher protocol layers.
   [RFC4963] describes some easily
   reproduced experiments demonstrating the problem, and discusses some
   of the operational implications of these observations.

   These reassembly issues are not easily reproducible in IPv6 because
   the IPv6 identification field is 32 bits long.

4.6. Security Vulnerabilities

   Security researchers have documented several attacks that exploit IP
   fragmentation. The following are examples:

   o  Overlapping fragment attacks [RFC1858][RFC3128][RFC5722]

   o  Resource exhaustion attacks (such as the Rose Attack,
      https://web.archive.org/web/20110723091910/http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm)

   o  Attacks based on predictable fragment identification values
      [RFC7739]

   o  Evasion of Network Intrusion Detection Systems (NIDS) [Ptacek1998]

   In the overlapping fragment attack, an attacker constructs a series
   of packet fragments. The first fragment contains an IP header, a
   transport-layer header, and some transport-layer payload. This
   fragment complies with local security policy and is allowed to pass
   through a stateless firewall. A second fragment, having a non-zero
   offset, overlaps with the first fragment. The second fragment also
   passes through the stateless firewall. When the packet is
   reassembled, the transport layer header from the first fragment is
   overwritten by data from the second fragment. The reassembled packet
   does not comply with local security policy. Had it traversed the
   firewall in one piece, the firewall would have rejected it.

   A stateless firewall cannot protect against the overlapping fragment
   attack. However, destination nodes can protect against the
   overlapping fragment attack by implementing the procedures described
   in RFC 1858, RFC 3128 and RFC 8200. These reassembly procedures
   detect the overlap and discard the packet.
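
   The destination-side check described above, as an added example that
   is not part of this draft: a permissive reassembler beside one that
   discards a datagram whose fragments overlap. All names (Fragment,
   filter_accepts, reassemble_permissive, reassemble_strict) and the
   sample datagrams are hypothetical and constructed; offsets are in
   bytes and the transport header is modelled as a 20-byte TCP header.

```python
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10          # TCP flag bits (byte 13 of the TCP header)
TCP_HEADER_LEN = 20


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of the data within the original IP payload
    data: bytes   # fragment data; the transport header starts at offset 0
    more: bool    # "more fragments" flag, False only on the final fragment


class ReassemblyDiscarded(Exception):
    """The whole datagram is dropped instead of being delivered."""


def tcp_header(dst_port, flags):
    """Constructed 20-byte TCP header; only port and flags matter here."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, flags,
                       8192, 0, 0)


def filter_accepts(frag):
    """Stateless policy: no inbound connection requests (SYN without ACK).

    Trailing fragments carry no transport header, so they are accepted
    unseen (the first option listed in Section 4.3).
    """
    if frag.offset != 0:
        return True
    if len(frag.data) < TCP_HEADER_LEN:
        return False               # header not fully visible: refuse to guess
    flags = frag.data[13]
    return not (flags & SYN and not flags & ACK)


def reassemble_permissive(frags):
    """Last writer wins: a later arrival overwrites bytes already stored."""
    buf = bytearray(max(f.offset + len(f.data) for f in frags))
    for f in frags:
        buf[f.offset:f.offset + len(f.data)] = f.data
    return bytes(buf)


def reassemble_strict(frags):
    """Discard the datagram if any two fragments overlap (RFC 5722, RFC 8200).

    `frags` is everything received when the reassembly timer fires. Exact
    duplicates are dropped one by one, which RFC 8200 permits, so duplication
    in the network does not kill a legitimate datagram.
    """
    unique = sorted(set(frags), key=lambda f: f.offset)
    if not unique:
        raise ReassemblyDiscarded("no fragments")
    end = 0
    for f in unique:
        if f.offset < end:
            raise ReassemblyDiscarded(f"overlap at byte {f.offset}")
        if f.offset > end:
            raise ReassemblyDiscarded(f"hole before byte {f.offset}")
        end = f.offset + len(f.data)
    if unique[-1].more or not all(f.more for f in unique[:-1]):
        raise ReassemblyDiscarded("final fragment missing or misplaced")
    return b"".join(f.data for f in unique)


def delivered_flags(frags, reassemble):
    """TCP flags the destination's transport layer sees, or None when nothing
    is delivered (filtered at the firewall or discarded at reassembly)."""
    if not all(filter_accepts(f) for f in frags):
        return None
    try:
        return reassemble(frags)[13]
    except ReassemblyDiscarded:
        return None


# Constructed sample datagrams (not captured traffic).
BODY = b"A" * 16
ALLOWED = tcp_header(80, ACK) + BODY
REWRITTEN = tcp_header(80, SYN) + BODY     # what the policy is meant to block
BENIGN = [Fragment(0, ALLOWED[:24], True), Fragment(24, ALLOWED[24:], False)]
OVERLAPPING = [Fragment(0, ALLOWED[:24], True),
               Fragment(8, REWRITTEN[8:], False)]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("overlapping", OVERLAPPING)):
        for fn in (reassemble_permissive, reassemble_strict):
            print(name, fn.__name__, delivered_flags(frags, fn))
```

   Both sample datagrams pass the stateless filter fragment by fragment;
   only the strict reassembler keeps the overlapping one from reaching
   the transport layer.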

   The fragment reassembly algorithm is a stateful procedure in an
   otherwise stateless protocol. Therefore, it can be exploited by
   resource exhaustion attacks. An attacker can construct a series of
   fragmented packets, with one fragment missing from each packet so
   that the reassembly is impossible. Thus, this attack causes resource
   exhaustion on the destination node, possibly denying reassembly
   services to other flows. This type of attack can be mitigated by
   flushing fragment reassembly buffers when necessary, at the expense
   of possibly dropping legitimate fragments.

   Each IP fragment contains an "Identification" field that destination
   nodes use to reassemble fragmented packets. Many implementations set
   the Identification field to a predictable value, thus making it easy
   for an attacker to forge malicious IP fragments that would cause the
   reassembly procedure for legitimate packets to fail.

   NIDS aims at identifying malicious activity by analyzing network
   traffic. Ambiguity in the possible result of the fragment reassembly
   process may allow an attacker to evade these systems. Many of these
   systems try to mitigate some of these evasion techniques (e.g., by
   computing all possible outcomes of the fragment reassembly process,
   at the expense of increased processing requirements).

4.7. PMTU Blackholing Due to ICMP Loss

   As mentioned in Section 2.3, upper-layer protocols can be configured
   to rely on PMTUD. Because PMTUD relies upon the network to deliver
   ICMP PTB messages, those protocols also rely on the networks to
   deliver ICMP PTB messages.

   According to [RFC4890], ICMP PTB messages must not be filtered.
   However, ICMP PTB delivery is not reliable. It is subject to both
   transient and persistent loss.

   Transient loss of ICMP PTB messages can cause transient PMTU black
   holes.
   When the conditions contributing to transient loss abate, the
   network regains its ability to deliver ICMP PTB messages and
   connectivity between the source and destination nodes is restored.
   Section 4.7.1 of this document describes conditions that lead to
   transient loss of ICMP PTB messages.

   Persistent loss of ICMP PTB messages can cause persistent black
   holes. Section 4.7.2, Section 4.7.3, and Section 4.7.4 of this
   document describe conditions that lead to persistent loss of ICMP PTB
   messages.

   The problem described in this section is specific to PMTUD. It does
   not occur when the upper-layer protocol obtains its PMTU estimate
   from PLPMTUD or from any other source.

4.7.1. Transient Loss

   The following factors can contribute to transient loss of ICMP PTB
   messages:

   o  Network congestion.

   o  Packet corruption.

   o  Transient routing loops.

   o  ICMP rate limiting.

   The effect of rate limiting may be severe, as RFC 4443 recommends
   strict rate limiting of IPv6 traffic.

4.7.2. Incorrect Implementation of Security Policy

   Incorrect implementation of security policy can cause persistent loss
   of ICMP PTB messages.

   Assume that a Customer Premise Equipment (CPE) router implements the
   following zone-based security policy:

   o  Allow any traffic to flow from the inside zone to the outside
      zone.

   o  Do not allow any traffic to flow from the outside zone to the
      inside zone unless it is part of an existing flow (i.e., it was
      elicited by an outbound packet).

   When a correct implementation of the above-mentioned security policy
   receives an ICMP PTB message, it examines the ICMP PTB payload in
   order to determine whether the original packet (i.e., the packet that
   elicited the ICMP PTB message) belonged to an existing flow. If the
   original packet belonged to an existing flow, the implementation
   allows the ICMP PTB to flow from the outside zone to the inside zone.
   If not, the implementation discards the ICMP PTB message.

   When an incorrect implementation of the above-mentioned security
   policy receives an ICMP PTB message, it discards the packet because
   its source address is not associated with an existing flow.

   The security policy described above is implemented incorrectly on
   many consumer CPE routers.

4.7.3. Persistent Loss Caused By Anycast

   Anycast can cause persistent loss of ICMP PTB messages. Consider the
   example below:

   A DNS client sends a request to an anycast address. The network
   routes that DNS request to the nearest instance of that anycast
   address (i.e., a DNS Server). The DNS server generates a response
   and sends it back to the DNS client. While the response does not
   exceed the DNS server's PMTU estimate, it does exceed the actual
   PMTU.

   A downstream router drops the packet and sends an ICMP PTB message
   to the packet's source (i.e., the anycast address). The network
   routes the ICMP PTB message to the anycast instance closest to the
   downstream router. That anycast instance may not be the DNS server
   that originated the DNS response. It may be another DNS server with
   the same anycast address. The DNS server that originated the
   response may never receive the ICMP PTB message and may never update
   its PMTU estimate.

4.7.4. Persistent Loss Caused By Unidirectional Routing

   Unidirectional routing can cause persistent loss of ICMP PTB
   messages. Consider the example below:

   A source node sends a packet to a destination node. All intermediate
   nodes maintain a route to the destination node, but do not maintain a
   route to the source node. In this case, when an intermediate node
   encounters an MTU issue, it cannot send an ICMP PTB message to the
   source node.

4.8. Blackholing Due To Filtering or Loss

   In RFC 7872, researchers sampled Internet paths to determine whether
   they would convey packets that contain IPv6 extension headers.
   Sampled paths terminated at popular Internet sites (e.g., popular
   web, mail and DNS servers).

   The study revealed that at least 28% of the sampled paths did not
   convey packets containing the IPv6 Fragment extension header. In
   most cases, fragments were dropped in the destination autonomous
   system. In other cases, the fragments were dropped in transit
   autonomous systems.

   Another recent study [Huston] confirmed this finding. It reported
   that 37% of sampled endpoints used IPv6-capable DNS resolvers that
   were incapable of receiving a fragmented IPv6 response.

   It is difficult to determine why network operators drop fragments.
   Possible causes follow:

   o  Hardware inability to process fragmented packets.

   o  Failure to change vendor defaults.

   o  Unintentional misconfiguration.

   o  Intentional configuration (e.g., network operators consciously
      choose to drop IPv6 fragments in order to address the issues
      raised in Section 4.1 through Section 4.7, above.)

5. Alternatives to IP Fragmentation

5.1. Transport Layer Solutions

   The Transmission Control Protocol (TCP) [RFC0793] can be operated in
   a mode that does not require IP fragmentation.

   Applications submit a stream of data to TCP. TCP divides that stream
   of data into segments, with no segment exceeding the TCP Maximum
   Segment Size (MSS). Each segment is encapsulated in a TCP header and
   submitted to the underlying IP module. The underlying IP module
   prepends an IP header and forwards the resulting packet.

   If the TCP MSS is sufficiently small, the underlying IP module never
   produces a packet whose length is greater than the actual PMTU.
   Therefore, IP fragmentation is not required.

692     TCP offers the following mechanisms for MSS management:

694     o Manual configuration

696     o PMTUD

698     o PLPMTUD

700     Manual configuration is always applicable. If the MSS is configured
701     to a sufficiently low value, the IP layer will never produce a packet
702     whose length is greater than the protocol minimum link MTU. However,
703     manual configuration prevents TCP from taking advantage of larger
704     link MTUs.

706     Upper-layer protocols can implement PMTUD in order to discover and
707     take advantage of larger path MTUs. However, as mentioned in
708     Section 2.1, PMTUD relies upon the network to deliver ICMP PTB
709     messages. Therefore, PMTUD can only provide an estimate of the PMTU
710     in environments where the risk of ICMP PTB loss is acceptable (e.g.,
711     known to not be filtered).

713     By contrast, PLPMTUD does not rely upon the network's ability to
714     deliver ICMP PTB messages. It utilises probe messages sent as TCP
715     segments to determine whether the probed PMTU can be successfully
716     used across the network path. In PLPMTUD, probing is separated from
717     congestion control, so that loss of a TCP probe segment does not
718     cause a reduction of the congestion control window. [RFC4821]
719     defines PLPMTUD procedures for TCP.

721     While TCP will never knowingly cause the underlying IP module to emit
722     a packet that is larger than the PMTU estimate, it can cause the
723     underlying IP module to emit a packet that is larger than the actual
724     PMTU. For example, if routing changes and as a result the PMTU
725     becomes smaller, TCP will not know until the ICMP PTB message
726     arrives. If this occurs, the packet is dropped, the PMTU estimate is
727     updated, the segment is divided into smaller segments and each
728     smaller segment is submitted to the underlying IP module.
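
Added example (not part of the draft): classical PMTUD and a PLPMTUD-style
probe search run over a constructed path whose ICMP PTB messages are filtered.
The Path model, the binary-search strategy and the 1280-byte starting floor are
assumptions made for illustration; [RFC4821] does not prescribe this exact search.

```python
IPV6_MIN_MTU = 1280          # protocol minimum link MTU for IPv6 [RFC8200]
IPV6_HDR, TCP_HDR = 40, 20   # fixed header sizes, no options or extension headers


class Path:
    """Constructed model of a path: a list of link MTUs plus an ICMP policy."""

    def __init__(self, link_mtus, ptb_delivered):
        self.link_mtus = link_mtus
        self.ptb_delivered = ptb_delivered  # False models ICMP PTB filtering or loss

    def send(self, size):
        """Return (delivered, ptb_mtu); ptb_mtu is None when no PTB reaches the sender."""
        for mtu in self.link_mtus:
            if size > mtu:
                return False, (mtu if self.ptb_delivered else None)
        return True, None


def pmtud(path, first_hop_mtu, max_retransmits=5):
    """Classical PMTUD: the estimate shrinks only when an ICMP PTB arrives."""
    estimate = first_hop_mtu
    silent_losses = 0
    while silent_losses <= max_retransmits:
        delivered, ptb_mtu = path.send(estimate)
        if delivered:
            return estimate
        if ptb_mtu is None:
            silent_losses += 1      # nothing tells the sender why the packet vanished
        else:
            estimate = ptb_mtu      # PTB carries the MTU of the constricting link
    return None                     # black hole: every full-size packet is lost


def plpmtud(path, first_hop_mtu, floor=IPV6_MIN_MTU):
    """Probe search that uses only probe delivery or loss, never ICMP.

    Assumes packets of `floor` bytes are deliverable and that the only cause
    of loss in this model is an MTU limit (a real sender must also retry
    probes that may have been lost to congestion).
    """
    low, high = floor, first_hop_mtu    # low is always a size known to work
    probes = 0
    while low < high:
        probe = (low + high + 1) // 2
        delivered, _ptb_ignored = path.send(probe)
        probes += 1
        if delivered:
            low = probe                 # probe acknowledged: raise the estimate
        else:
            high = probe - 1            # probe lost: congestion window untouched
    return low, probes


def tcp_mss(pmtu):
    """Largest TCP segment payload that fits in one IPv6 packet of size pmtu."""
    return pmtu - IPV6_HDR - TCP_HDR


if __name__ == "__main__":
    filtered = Path([1500, 1400, 1500], ptb_delivered=False)
    print("PMTUD estimate:", pmtud(filtered, 1500))
    pmtu, probes = plpmtud(filtered, 1500)
    print("PLPMTUD estimate:", pmtu, "after", probes, "probes; MSS", tcp_mss(pmtu))
```

With PTB messages filtered, pmtud() never learns a usable size, while plpmtud()
converges on the 1400-byte constriction from probe outcomes alone.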

730     The Datagram Congestion Control Protocol (DCCP) [RFC4340] and the
731     Stream Control Transmission Protocol (SCTP) [RFC4960] also can be
732     operated in a mode that does not require IP fragmentation. They both
733     accept data from an application and divide that data into segments,
734     with no segment exceeding a maximum size.

736     DCCP offers manual configuration, PMTUD, and PLPMTUD as mechanisms
737     for managing that maximum size. Datagram protocols can also
738     implement PLPMTUD to estimate the PMTU
739     via [I-D.ietf-tsvwg-datagram-plpmtud]. This proposes procedures for
740     performing PLPMTUD with UDP, UDP-Options, SCTP, QUIC and other
741     datagram protocols.

743     Currently, User Datagram Protocol (UDP) [RFC0768] lacks a fragmentation
744     mechanism of its own and relies on IP fragmentation. However,
745     [I-D.ietf-tsvwg-udp-options] proposes a fragmentation mechanism for
746     UDP.

748  5.2. Application Layer Solutions

750     [RFC8085] recognizes that IP fragmentation reduces the reliability of
751     Internet communication. It also recognizes that UDP lacks a
752     fragmentation mechanism of its own and relies on IP fragmentation.
753     Therefore, [RFC8085] offers the following advice regarding
754     applications that run over UDP.

756     "An application SHOULD NOT send UDP datagrams that result in IP
757     packets that exceed the Maximum Transmission Unit (MTU) along the
758     path to the destination. Consequently, an application SHOULD either
759     use the path MTU information provided by the IP layer or implement
760     Path MTU Discovery (PMTUD) itself to determine whether the path to a
761     destination will support its desired message size without
762     fragmentation."

764     RFC 8085 continues:

766     "Applications that do not follow the recommendation to do PMTU/
767     PLPMTUD discovery SHOULD still avoid sending UDP datagrams that would
768     result in IP packets that exceed the path MTU. Because the actual
769     path MTU is unknown, such applications SHOULD fall back to sending
770     messages that are shorter than the default effective MTU for sending
771     (EMTU_S in [RFC1122]). For IPv4, EMTU_S is the smaller of 576 bytes
772     and the first-hop MTU. For IPv6, EMTU_S is 1280 bytes [RFC8200].
773     The effective PMTU for a directly connected destination (with no
774     routers on the path) is the configured interface MTU, which could be
775     less than the maximum link payload size. Transmission of minimum-
776     sized UDP datagrams is inefficient over paths that support a larger
777     PMTU, which is a second reason to implement PMTU discovery."

779     RFC 8085 assumes that for IPv4, an EMTU_S of 576 is sufficiently
780     small to be supported by most current Internet paths, even though
781     the IPv4 minimum link MTU is 68 bytes.

783     This advice applies equally to any application that runs directly
784     over IP.

786  6. Applications That Rely on IPv6 Fragmentation

788     The following applications rely on IPv6 fragmentation:

790     o DNS [RFC1035]

792     o OSPFv3 [RFC2328][RFC5340]

794     o Packet-in-packet encapsulations

796     Each of these applications relies on IPv6 fragmentation to a varying
797     degree. In some cases, that reliance is essential, and cannot be
798     broken without fundamentally changing the protocol. In other cases,
799     that reliance is incidental, and most implementations already take
800     appropriate steps to avoid fragmentation.

802     This list is not comprehensive, and other protocols that rely on IP
803     fragmentation may exist. They are not specifically considered in the
804     context of this document.

806  6.1. Domain Name Service (DNS)

808     DNS relies on UDP for efficiency, and the consequence is the use of
809     IP fragmentation for large responses, as permitted by the DNS EDNS(0)
810     options in the query. It is possible to mitigate the issue of
811     fragmentation-based packet loss by having queries use smaller EDNS(0)
812     UDP buffer sizes, or by having the DNS server limit the size of its
813     UDP responses to some self-imposed maximum packet size that may be
814     less than the preferred EDNS(0) UDP Buffer Size. In both cases,
815     large responses are truncated in the DNS, signalling to the client to
816     re-query using TCP to obtain the complete response. However, the
817     operational issue of the partial level of support for DNS over TCP,
818     particularly in the case where IPv6 transport is being used, becomes
819     a limiting factor of the efficacy of this approach [Damas].

821     Larger DNS responses can normally be avoided by aggressively pruning
822     the Additional section of DNS responses. One scenario where such
823     pruning is ineffective is in the use of DNSSEC, where large key sizes
824     act to increase the response size to certain DNS queries. There is
825     no effective response to this situation within the DNS other than
826     using smaller cryptographic keys and adoption of DNSSEC
827     administrative practices that attempt to keep DNS responses as short
828     as possible.

830  6.2. Open Shortest Path First (OSPF)

832     OSPF implementations can emit messages large enough to cause
833     fragmentation. However, in order to optimize performance, most OSPF
834     implementations restrict their maximum message size to a value that
835     will not cause fragmentation.

837  6.3. Packet-in-Packet Encapsulations

839     In this document, packet-in-packet encapsulations include IP-in-IP
840     [RFC2003], Generic Routing Encapsulation (GRE) [RFC2784], GRE-in-UDP
841     [RFC8086] and Generic Packet Tunneling in IPv6 [RFC2473]. [RFC4459]
842     describes fragmentation issues associated with all of the above-
843     mentioned encapsulations.

845     The fragmentation strategy described for GRE in [RFC7588] has been
846     deployed for all of the above-mentioned encapsulations. This
847     strategy does not rely on IP fragmentation except in one corner case
848     (see Section 3.3.2.2 of RFC 7588 and Section 7.1 of RFC 2473).
849     Section 3.3 of [RFC7676] further describes this corner case.

851     See [I-D.ietf-intarea-tunnels] for further discussion.

853  6.4. UDP Applications Enhancing Performance

855     Some UDP applications rely on IP fragmentation to achieve acceptable
856     levels of performance. These applications use UDP datagram sizes
857     that are larger than the path MTU so that more data can be conveyed
858     between the application and the kernel in a single system call.

860     To pick one example, the Licklider Transmission Protocol (LTP)
861     [RFC5326], which is in current use on the International Space Station
862     (ISS), uses UDP datagram sizes larger than the path MTU to achieve
863     acceptable levels of performance even though this invokes IP
864     fragmentation. More generally, SNMP and video applications may
865     transmit an application-layer quantum of data, depending on the
866     network layer to fragment and reassemble as needed.

868  7. Recommendations

870  7.1. For Application and Protocol Developers

872     Developers SHOULD NOT develop new protocols or applications that rely
873     on IP fragmentation. When a new protocol or application is deployed
874     in an environment that does not fully support IP fragmentation, it
875     SHOULD operate correctly, either in its default configuration or in a
876     specified alternative configuration.

878     Developers MAY develop new protocols or applications that rely on IP
879     fragmentation if the protocol or application is to be run only in
880     environments where IP fragmentation is known to be supported.

882     Legacy protocols that depend upon IP fragmentation SHOULD be updated
883     to break that dependency. However, in some cases, there may be no
884     viable alternative to IP fragmentation (e.g., IPSEC tunnel mode, IP-
885     in-IP encapsulation). In these cases, the protocol will continue to
886     rely on IP fragmentation but should only be used in environments
887     where IP fragmentation is known to be supported.

889     Protocols may be able to avoid IP fragmentation by using a
890     sufficiently small MTU (e.g., the protocol minimum link MTU),
891     disabling IP fragmentation, and ensuring that the transport protocol
892     in use adapts its segment size to the MTU. Other protocols may
893     deploy a sufficiently reliable PMTU discovery mechanism
894     (e.g., PLPMTUD).

896     UDP applications SHOULD abide by the recommendations stated in
897     Section 3.2 of [RFC8085].

899  7.2. For System Developers

901     Software libraries SHOULD include provision for PLPMTUD for each
902     supported transport protocol.

904  7.3. For Middle Box Developers

906     Middle boxes should process IP fragments in a manner that is
907     consistent with [RFC0791] and [RFC8200]. In many cases, middle boxes
908     must maintain state in order to achieve this goal.

910     Price and performance considerations frequently motivate network
911     operators to deploy stateless middle boxes. These stateless middle
912     boxes may perform sub-optimally, process IP fragments in a manner
913     that is not compliant with RFC 791 or RFC 8200, or even discard IP
914     fragments completely. Such behaviors are NOT RECOMMENDED. If a
915     middle box implements non-standard behavior with respect to IP
916     fragmentation, then that behavior MUST be clearly documented.

918  7.4. For ECMP, LAG and Load-Balancer Developers And Operators

920     In their default configuration, when the IPv6 Flow Label is not equal
921     to zero, IPv6 devices that implement Equal-Cost Multipath (ECMP)
922     Routing as described in OSPF [RFC2328] and other routing protocols,
923     Link Aggregation Grouping (LAG) [RFC7424], or other load-balancing
924     technologies SHOULD accept only the following fields as input to
925     their hash algorithm:

927     o IP Source Address.

929     o IP Destination Address.

931     o Flow Label.
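
Added example (not part of the draft): the effect of the hash input listed
above on constructed IPv6 flows. The Packet model, the SHA-256 based link
selection, and the treatment of missing ports as zero are assumptions made for
illustration; it also assumes the source sets the same non-zero Flow Label on
every packet and fragment of a flow.

```python
import hashlib
from collections import namedtuple

# Constructed packet model. sport/dport are None for fragments that carry no
# transport-layer header (every fragment after the first).
Packet = namedtuple("Packet", "src dst flow_label sport dport")


def link_for(fields, n_links):
    """Map the hash input fields to one of n_links with a stable hash."""
    digest = hashlib.sha256(repr(fields).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def port_aware_link(pkt, n_links):
    """Hash that also reads transport ports; absent ports are hashed as 0."""
    return link_for((pkt.src, pkt.dst, pkt.sport or 0, pkt.dport or 0), n_links)


def flow_label_link(pkt, n_links):
    """Hash restricted to source address, destination address and Flow Label."""
    return link_for((pkt.src, pkt.dst, pkt.flow_label), n_links)


def constructed_flow(i):
    """One flow: an unfragmented packet, a first fragment, a later fragment."""
    src = f"2001:db8::{i:x}"          # documentation prefix, constructed
    dst = "2001:db8:ffff::53"
    label = 0x10000 + i               # non-zero Flow Label, same for the flow
    return [
        Packet(src, dst, label, 40000 + i, 53),   # unfragmented packet
        Packet(src, dst, label, 40000 + i, 53),   # first fragment (has ports)
        Packet(src, dst, label, None, None),      # later fragment (no ports)
    ]


def flows_split(hash_fn, n_flows=200, n_links=8):
    """Count flows whose packets are spread over more than one link."""
    split = 0
    for i in range(1, n_flows + 1):
        links = {hash_fn(pkt, n_links) for pkt in constructed_flow(i)}
        if len(links) > 1:
            split += 1
    return split


if __name__ == "__main__":
    print("flows split, port-aware hash:", flows_split(port_aware_link))
    print("flows split, address + Flow Label hash:", flows_split(flow_label_link))
```

Later fragments expose no ports, so the port-aware hash sends them down a
different link from the rest of the flow in most cases, while the three-field
hash keeps every packet of a flow on one link.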

933     Operators SHOULD deploy these devices in their default configuration.

935     These recommendations are similar to those presented in [RFC6438] and
936     [RFC7098]. They differ in that they specify a default configuration.

938  7.5. For Network Operators

940     Operators MUST ensure proper PMTUD operation in their network,
941     including making sure the network generates PTB packets when dropping
942     packets too large compared to outgoing interface MTU. However,
943     implementations MAY rate limit ICMP messages as per [RFC1812] and
944     [RFC4443].

946     As per RFC 4890, network operators MUST NOT filter ICMPv6 PTB
947     messages unless they are known to be forged or otherwise
948     illegitimate. As stated in Section 4.7, filtering ICMPv6 PTB packets
949     causes PMTUD to fail. Many upper-layer protocols rely on PMTUD.

951     As per RFC 8200, network operators MUST NOT deploy IPv6 links whose
952     MTU is less than 1280 bytes.

954     Network operators SHOULD NOT filter IP fragments if they are known to
955     have originated at a domain name server or be destined for a domain
956     name server. This is because domain name services are critical to
957     operation of the Internet.

959  8. IANA Considerations

961     This document makes no request of IANA.

963  9. Security Considerations

965     This document mitigates some of the security considerations
966     associated with IP fragmentation by discouraging its use. It does
967     not introduce any new security vulnerabilities, because it does not
968     introduce any new alternatives to IP fragmentation. Instead, it
969     recommends well-understood alternatives.

971  10. Acknowledgements

973     Thanks to Mikael Abrahamsson, Brian Carpenter, Silambu Chelvan,
974     Lorenzo Colitti, Gorry Fairhurst, Mike Heard, Tom Herbert, Tatuya
975     Jinmei, Jen Linkova, Paolo Lucente, Manoj Nayak, Eric Nygren, Fred
976     Templin and Joe Touch for their comments.

978  11. References

980  11.1. Normative References

982     [I-D.ietf-tsvwg-datagram-plpmtud]
983                Fairhurst, G., Jones, T., Tuexen, M., Ruengeler, I., and
984                T. Voelker, "Packetization Layer Path MTU Discovery for
985                Datagram Transports", draft-ietf-tsvwg-datagram-plpmtud-08
986                (work in progress), June 2019.

988     [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
989                DOI 10.17487/RFC0768, August 1980.

992     [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
993                DOI 10.17487/RFC0791, September 1981.

996     [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
997                RFC 792, DOI 10.17487/RFC0792, September 1981.

1000    [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
1001               RFC 793, DOI 10.17487/RFC0793, September 1981.

1004    [RFC1035]  Mockapetris, P., "Domain names - implementation and
1005               specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
1006               November 1987.

1008    [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
1009               DOI 10.17487/RFC1191, November 1990.

1012    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1013               Requirement Levels", BCP 14, RFC 2119,
1014               DOI 10.17487/RFC2119, March 1997.

1017    [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
1018               Control Message Protocol (ICMPv6) for the Internet
1019               Protocol Version 6 (IPv6) Specification", STD 89,
1020               RFC 4443, DOI 10.17487/RFC4443, March 2006.

1023    [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
1024               Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007.

1027    [RFC6437]  Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme,
1028               "IPv6 Flow Label Specification", RFC 6437,
1029               DOI 10.17487/RFC6437, November 2011.

1032    [RFC6438]  Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
1033               for Equal Cost Multipath Routing and Link Aggregation in
1034               Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011.

1037    [RFC8085]  Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage
1038               Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085,
1039               March 2017.

1041    [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
1042               2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
1043               May 2017.

1045    [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
1046               (IPv6) Specification", STD 86, RFC 8200,
1047               DOI 10.17487/RFC8200, July 2017.

1050    [RFC8201]  McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed.,
1051               "Path MTU Discovery for IP version 6", STD 87, RFC 8201,
1052               DOI 10.17487/RFC8201, July 2017.

1055 11.2. Informative References

1057    [Damas]    Damas, J. and G. Huston, "Measuring ATR", April 2018.

1060    [Huston]   Huston, G., "IPv6, Large UDP Packets and the DNS
1061               (http://www.potaroo.net/ispcol/2017-08/xtn-hdrs.html)",
1062               August 2017.

1064    [I-D.ietf-intarea-tunnels]
1065               Touch, J. and M. Townsley, "IP Tunnels in the Internet
1066               Architecture", draft-ietf-intarea-tunnels-09 (work in
1067               progress), July 2018.

1069    [I-D.ietf-tsvwg-udp-options]
1070               Touch, J., "Transport Options for UDP", draft-ietf-tsvwg-
1071               udp-options-07 (work in progress), March 2019.

1073    [Kent]     Kent, C. and J. Mogul, ""Fragmentation Considered
1074               Harmful", In Proc. SIGCOMM '87 Workshop on Frontiers in
1075               Computer Communications Technology, DOI
1076               10.1145/55483.55524", August 1987.

1080    [Ptacek1998]
1081               Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial
1082               of Service: Eluding Network Intrusion Detection", 1998.

1085    [RFC1122]  Braden, R., Ed., "Requirements for Internet Hosts -
1086               Communication Layers", STD 3, RFC 1122,
1087               DOI 10.17487/RFC1122, October 1989.

1090    [RFC1812]  Baker, F., Ed., "Requirements for IP Version 4 Routers",
1091               RFC 1812, DOI 10.17487/RFC1812, June 1995.

1094    [RFC1858]  Ziemba, G., Reed, D., and P. Traina, "Security
1095               Considerations for IP Fragment Filtering", RFC 1858,
1096               DOI 10.17487/RFC1858, October 1995.

1099    [RFC2003]  Perkins, C., "IP Encapsulation within IP", RFC 2003,
1100               DOI 10.17487/RFC2003, October 1996.

1103    [RFC2328]  Moy, J., "OSPF Version 2", STD 54, RFC 2328,
1104               DOI 10.17487/RFC2328, April 1998.

1107    [RFC2473]  Conta, A. and S. Deering, "Generic Packet Tunneling in
1108               IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473,
1109               December 1998.

1111    [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
1112               Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
1113               DOI 10.17487/RFC2784, March 2000.

1116    [RFC3128]  Miller, I., "Protection Against a Variant of the Tiny
1117               Fragment Attack (RFC 1858)", RFC 3128,
1118               DOI 10.17487/RFC3128, June 2001.

1121    [RFC4340]  Kohler, E., Handley, M., and S. Floyd, "Datagram
1122               Congestion Control Protocol (DCCP)", RFC 4340,
1123               DOI 10.17487/RFC4340, March 2006.

1126    [RFC4459]  Savola, P., "MTU and Fragmentation Issues with In-the-
1127               Network Tunneling", RFC 4459, DOI 10.17487/RFC4459, April
1128               2006.

1130    [RFC4890]  Davies, E. and J. Mohacsi, "Recommendations for Filtering
1131               ICMPv6 Messages in Firewalls", RFC 4890,
1132               DOI 10.17487/RFC4890, May 2007.

1135    [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol",
1136               RFC 4960, DOI 10.17487/RFC4960, September 2007.

1139    [RFC4963]  Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
1140               Errors at High Data Rates", RFC 4963,
1141               DOI 10.17487/RFC4963, July 2007.

1144    [RFC5326]  Ramadas, M., Burleigh, S., and S. Farrell, "Licklider
1145               Transmission Protocol - Specification", RFC 5326,
1146               DOI 10.17487/RFC5326, September 2008.

1149    [RFC5340]  Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF
1150               for IPv6", RFC 5340, DOI 10.17487/RFC5340, July 2008.

1153    [RFC5722]  Krishnan, S., "Handling of Overlapping IPv6 Fragments",
1154               RFC 5722, DOI 10.17487/RFC5722, December 2009.

1157    [RFC5927]  Gont, F., "ICMP Attacks against TCP", RFC 5927,
1158               DOI 10.17487/RFC5927, July 2010.

1161    [RFC6346]  Bush, R., Ed., "The Address plus Port (A+P) Approach to
1162               the IPv4 Address Shortage", RFC 6346,
1163               DOI 10.17487/RFC6346, August 2011.

1166    [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
1167               A., and H. Ashida, "Common Requirements for Carrier-Grade
1168               NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
1169               April 2013.

1171    [RFC7098]  Carpenter, B., Jiang, S., and W. Tarreau, "Using the IPv6
1172               Flow Label for Load Balancing in Server Farms", RFC 7098,
1173               DOI 10.17487/RFC7098, January 2014.

1176    [RFC7424]  Krishnan, R., Yong, L., Ghanwani, A., So, N., and B.
1177               Khasnabish, "Mechanisms for Optimizing Link Aggregation
1178               Group (LAG) and Equal-Cost Multipath (ECMP) Component Link
1179               Utilization in Networks", RFC 7424, DOI 10.17487/RFC7424,
1180               January 2015.

1182    [RFC7588]  Bonica, R., Pignataro, C., and J. Touch, "A Widely
1183               Deployed Solution to the Generic Routing Encapsulation
1184               (GRE) Fragmentation Problem", RFC 7588,
1185               DOI 10.17487/RFC7588, July 2015.

1188    [RFC7676]  Pignataro, C., Bonica, R., and S. Krishnan, "IPv6 Support
1189               for Generic Routing Encapsulation (GRE)", RFC 7676,
1190               DOI 10.17487/RFC7676, October 2015.

1193    [RFC7739]  Gont, F., "Security Implications of Predictable Fragment
1194               Identification Values", RFC 7739, DOI 10.17487/RFC7739,
1195               February 2016.

1197    [RFC7872]  Gont, F., Linkova, J., Chown, T., and W. Liu,
1198               "Observations on the Dropping of Packets with IPv6
1199               Extension Headers in the Real World", RFC 7872,
1200               DOI 10.17487/RFC7872, June 2016.

1203    [RFC8086]  Yong, L., Ed., Crabbe, E., Xu, X., and T. Herbert, "GRE-
1204               in-UDP Encapsulation", RFC 8086, DOI 10.17487/RFC8086,
1205               March 2017.

1207 Appendix A. Contributors' Address

1209 Authors' Addresses

1211    Ron Bonica
1212    Juniper Networks
1213    2251 Corporate Park Drive
1214    Herndon, Virginia 20171
1215    USA

1217    Email: rbonica@juniper.net

1219    Fred Baker
1220    Unaffiliated
1221    Santa Barbara, California 93117
1222    USA

1224    Email: FredBaker.IETF@gmail.com

1226    Geoff Huston
1227    APNIC
1228    6 Cordelia St
1229    Brisbane, 4101 QLD
1230    Australia

1232    Email: gih@apnic.net

1234    Robert M. Hinden
1235    Check Point Software
1236    959 Skyway Road
1237    San Carlos, California 94070
1238    USA

1240    Email: bob.hinden@gmail.com

1241    Ole Troan
1242    Cisco
1243    Philip Pedersens vei 1
1244    N-1366 Lysaker
1245    Norway

1247    Email: ot@cisco.com

1249    Fernando Gont
1250    SI6 Networks
1251    Evaristo Carriego 2644
1252    Haedo, Provincia de Buenos Aires
1253    Argentina

1255    Email: fgont@si6networks.com