idnits 2.17.1 draft-ietf-intarea-frag-fragile-16.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 30, 2019) is 1694 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC5326' is defined on line 1159, but no explicit reference was found in the text == Outdated reference: A later version (-22) exists of draft-ietf-tsvwg-datagram-plpmtud-08 ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) == Outdated reference: A later version (-13) exists of draft-ietf-intarea-tunnels-09 == Outdated reference: A later version (-32) exists of draft-ietf-tsvwg-udp-options-07 -- Obsolete informational reference (is this intentional?): RFC 4960 (Obsoleted by RFC 9260) Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Area WG R. Bonica 3 Internet-Draft Juniper Networks 4 Intended status: Best Current Practice F. Baker 5 Expires: March 2, 2020 Unaffiliated 6 G. Huston 7 APNIC 8 R. Hinden 9 Check Point Software 10 O. Troan 11 Cisco 12 F. Gont 13 SI6 Networks 14 August 30, 2019 16 IP Fragmentation Considered Fragile 17 draft-ietf-intarea-frag-fragile-16 19 Abstract 21 This document describes IP fragmentation and explains how it 22 introduces fragility to Internet communication. 24 This document also proposes alternatives to IP fragmentation and 25 provides recommendations for developers and network operators. 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at http://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on March 2, 2020. 44 Copyright Notice 46 Copyright (c) 2019 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 62 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 63 2. IP Fragmentation . . . . . . . . . . . . . . . . . . . . . . 3 64 2.1. Links, Paths, MTU and PMTU . . . . . . . . . . . . . . . 3 65 2.2. Fragmentation Procedures . . . . . . . . . . . . . . . . 6 66 2.3. Upper-Layer Reliance on IP Fragmentation . . . . . . . . 6 67 3. Increased Fragility . . . . . . . . . . . . . . . . . . . . . 7 68 3.1. Virtual Reassembly . . . . . . . . . . . . . . . . . . . 7 69 3.2. Policy-Based Routing . . . . . . . . . . . . . . . . . . 8 70 3.3. Network Address Translation (NAT) . . . . . . . . . . . . 9 71 3.4. Stateless Firewalls . . . . . . . . . . . . . . . . . . . 9 72 3.5. Equal Cost Multipath, Link Aggregate Groups and Stateless 73 Load-Balancers . . . . . . . . . . . . . . . . . . . . . 10 74 3.6. IPv4 Reassembly Errors at High Data Rates . . . . . . . . 11 75 3.7. Security Vulnerabilities . . . . . . . . . . . . . . . . 11 76 3.8. PMTU Blackholing Due to ICMP Loss . . . . . . . . . . . . 12 77 3.8.1. Transient Loss . . . . . . . . . . . . . . . . . . . 13 78 3.8.2. Incorrect Implementation of Security Policy . . . . . 13 79 3.8.3. Persistent Loss Caused By Anycast . . . . . . . . . . 14 80 3.8.4. Persistent Loss Caused By Unidirectional Routing . . 14 81 3.9. Blackholing Due To Filtering or Loss . . . . . . . . . . 14 82 4. Alternatives to IP Fragmentation . . . . . . . . . . . . . . 15 83 4.1. Transport Layer Solutions . . . . . . . . . . . . . . . . 15 84 4.2. Application Layer Solutions . . . . . . . . . . . . . . . 17 85 5. Applications That Rely on IPv6 Fragmentation . . . . . . . . 17 86 5.1. Domain Name Service (DNS) . . . . . . . . . . . . . . . . 18 87 5.2. Open Shortest Path First (OSPF) . . . . . . . . . . . . . 18 88 5.3. Packet-in-Packet Encapsulations . . . . . . . . . . . . . 18 89 5.4. UDP Applications Enhancing Performance . . . . . . . . . 19 90 6. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 19 91 6.1. For Application and Protocol Developers . . . . . . . . . 19 92 6.2. For System Developers . . . . . . . . . . . . . . . . . . 20 93 6.3. For Middle Box Developers . . . . . . . . . . . . . . . . 20 94 6.4. For ECMP, LAG and Load-Balancer Developers And Operators 20 95 6.5. For Network Operators . . . . . . . . . . . . . . . . . . 21 96 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 97 8. Security Considerations . . . . . . . . . . . . . . . . . . . 21 98 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21 99 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 100 10.1. Normative References . . . . . . . . . . . . . . . . . . 22 101 10.2. Informative References . . . . . . . . . . . . . . . . . 23 102 Appendix A. Contributors' Address . . . . . . . . . . . . . . . 26 103 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 105 1. Introduction 107 Operational experience [Kent] [Huston] [RFC7872] reveals that IP 108 fragmentation introduces fragility to Internet communication. This 109 document describes IP fragmentation and explains the fragility it 110 introduces. It also proposes alternatives to IP fragmentation and 111 provides recommendations for developers and network operators. 113 While this document identifies issues associated with IP 114 fragmentation, it does not recommend deprecation. Legacy protocols 115 that depend upon IP fragmentation would do well to be updated to 116 remove that dependency. However, some applications and environments 117 (see Section 5) require IP fragmentation. In these cases, the 118 protocol will continue to rely on IP fragmentation, but the designer 119 should to be aware that fragmented packets may result in blackholes; 120 a design should include appropriate safeguards. 122 Rather than deprecating IP Fragmentation, this document recommends 123 that upper-layer protocols address the problem of fragmentation at 124 their layer, reducing their reliance on IP fragmentation to the 125 greatest degree possible. 127 1.1. Requirements Language 129 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 130 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 131 "OPTIONAL" in this document are to be interpreted as described in BCP 132 14 [RFC2119] [RFC8174] when, and only when, they appear in all 133 capitals, as shown here. 135 2. IP Fragmentation 137 2.1. Links, Paths, MTU and PMTU 139 An Internet path connects a source node to a destination node. A 140 path may contain links and routers. If a path contains more than one 141 link, the links are connected in series and a router connects each 142 link to the next. 144 Internet paths are dynamic. Assume that the path from one node to 145 another contains a set of links and routers. If a link or a router 146 fails, the path can also change so that it includes a different set 147 of links and routers. 149 Each link is constrained by the number of bytes that it can convey in 150 a single IP packet. This constraint is called the link Maximum 151 Transmission Unit (MTU). IPv4 [RFC0791] requires every link to 152 support at 576 bytes or greater (see NOTE 1). IPv6 [RFC0791] 153 similarly requires every link to support an MTU of 1280 bytes or 154 greater. These are called the IPv4 and IPv6 minimum link MTU's. 156 Some links, and some ways of using links, result in additional 157 variable overhead. For the simple case of tunnels, this document 158 defers to other documents. For other cases, such as MPLS, this 159 document considers the Link MTU to include appropriate allowance for 160 any such overhead. 162 Likewise, each Internet path is constrained by the number of bytes 163 that it can convey in a single IP packet. This constraint is called 164 the Path MTU (PMTU). For any given path, the PMTU is equal to the 165 smallest of its link MTU's. Because Internet paths are dynamic, PMTU 166 is also dynamic. 168 For reasons described below, source nodes estimate the PMTU between 169 themselves and destination nodes. A source node can produce 170 extremely conservative PMTU estimates in which: 172 o The estimate for each IPv4 path is equal to the IPv4 minimum link 173 MTU. 175 o The estimate for each IPv6 path is equal to the IPv6 minimum link 176 MTU. 178 While these conservative estimates are guaranteed to be less than or 179 equal to the actual PMTU, they are likely to be much less than the 180 actual PMTU. This may adversely affect upper-layer protocol 181 performance. 183 By executing Path MTU Discovery (PMTUD) [RFC1191] [RFC8201] 184 procedures, a source node can maintain a less conservative estimate 185 of the PMTU between itself and a destination node. In PMTUD, the 186 source node produces an initial PMTU estimate. This initial estimate 187 is equal to the MTU of the first link along the path to the 188 destination node. It can be greater than the actual PMTU. 190 Having produced an initial PMTU estimate, the source node sends non- 191 fragmentable IP packets to the destination node (see NOTE 2). If one 192 of these packets is larger than the actual PMTU, a downstream router 193 will not be able to forward the packet through the next link along 194 the path. Therefore, the downstream router drops the packet and 195 sends an Internet Control Message Protocol (ICMP) [RFC0792] [RFC4443] 196 Packet Too Big (PTB) message to the source node (see NOTE 3). The 197 ICMP PTB message indicates the MTU of the link through which the 198 packet could not be forwarded. The source node uses this information 199 to refine its PMTU estimate. 201 PMTUD produces a running estimate of the PMTU between a source node 202 and a destination node. Because PMTU is dynamic, the PMTU estimate 203 can be larger than the actual PMTU. In order to detect PMTU 204 increases, PMTUD occasionally resets the PMTU estimate to its initial 205 value and repeats the procedure described above. 207 Ideally, PMTUD operates as described above. However, in some 208 scenarios, PMTUD fails. For example: 210 o PMTUD relies on the network's ability to deliver ICMP PTB messages 211 to the source node. If the network cannot deliver ICMP PTB 212 messages to the source node, PMTUD fails. 214 o PMTUD is susceptible to attack because ICMP messages are easily 215 forged [RFC5927] and not authenticated by the receiver. Such 216 attacks can cause PMTUD to produce unnecessarily conservative PMTU 217 estimates. 219 NOTE 1: In IPv4, every host must be capable of receiving a packet 220 whose length is equal to 576 bytes. However, the IPv4 minimum link 221 MTU is not 576. Section 3.2 of RFC 791 explicitly states that the 222 IPv4 minimum link MTU is 68 bytes. But for practical purposes, many 223 network operators consider the IPv4 minimum link MTU to be 576 bytes, 224 to minimize the requirement for fragmentation en route. So, for the 225 purposes of this document, we assume that the IPv4 minimum link MTU 226 is 576 bytes. 228 NOTE 2: A non-fragmentable packet can be fragmented at its source. 229 However, it cannot be fragmented by a downstream node. An IPv4 230 packet whose DF-bit is set to 0 is fragmentable. An IPv4 packet 231 whose DF-bit is set to 1 is non-fragmentable. All IPv6 packets are 232 also non-fragmentable. 234 NOTE 3: The ICMP PTB message has two instantiations. In ICMPv4 235 [RFC0792], the ICMP PTB message is a Destination Unreachable message 236 with Code equal to 4 fragmentation needed and DF set. This message 237 was augmented by [RFC1191] to indicate the MTU of the link through 238 which the packet could not be forwarded. In ICMPv6 [RFC4443], the 239 ICMP PTB message is a Packet Too Big Message with Code equal to 0. 241 This message also indicates the MTU of the link through which the 242 packet could not be forwarded. 244 2.2. Fragmentation Procedures 246 When an upper-layer protocol submits data to the underlying IP 247 module, and the resulting IP packet's length is greater than the 248 PMTU, the packet is divided into fragments. Each fragment includes 249 an IP header and a portion of the original packet. 251 [RFC0791] describes IPv4 fragmentation procedures. An IPv4 packet 252 whose DF-bit is set to 1 may be fragmented by the source node, but 253 may not be fragmented by a downstream router. An IPv4 packet whose 254 DF-bit is set to 0 may be fragmented by the source node or by a 255 downstream router. When an IPv4 packet is fragmented, all IP options 256 (which are within the IPv4 header) appear in the first fragment, but 257 only options whose "copy" bit is set to 1 appear in subsequent 258 fragments. 260 [RFC8200], notably in section 4.5, describes IPv6 fragmentation 261 procedures. An IPv6 packet may be fragmented only at the source 262 node. When an IPv6 packet is fragmented, all extension headers 263 appear in the first fragment, but only per-fragment headers appear in 264 subsequent fragments. Per-fragment headers include the following: 266 o The IPv6 header. 268 o The Hop-by-hop Options header (if present) 270 o The Destination Options header (if present and if it precedes a 271 Routing header) 273 o The Routing Header (if present) 275 o The Fragment Header 277 In IPv4, the upper-layer header usually appears in the first 278 fragment, due to the sizes of the headers involved; in IPv6, it is 279 required to. 281 2.3. Upper-Layer Reliance on IP Fragmentation 283 Upper-layer protocols can operate in the following modes: 285 o Do not rely on IP fragmentation. 287 o Rely on IP fragmentation by the source node only. 289 o Rely on IP fragmentation by any node. 291 Upper-layer protocols running over IPv4 can operate in all of the 292 above-mentioned modes. Upper-layer protocols running over IPv6 can 293 operate in the first and second modes only. 295 Upper-layer protocols that operate in the first two modes (above) 296 require access to the PMTU estimate. In order to fulfill this 297 requirement, they can: 299 o Estimate the PMTU to be equal to the IPv4 or IPv6 minimum link 300 MTU. 302 o Access the estimate that PMTUD produced. 304 o Execute PMTUD procedures themselves. 306 o Execute Packetization Layer PMTUD (PLPMTUD) [RFC4821] 307 [I-D.ietf-tsvwg-datagram-plpmtud] procedures. 309 According to PLPMTUD procedures, the upper-layer protocol maintains a 310 running PMTU estimate. It does so by sending probe packets of 311 various sizes to its upper-layer peer and receiving acknowledgements. 312 This strategy differs from PMTUD in that it relies on acknowledgement 313 of received messages, as opposed to ICMP PTB messages concerning 314 dropped messages. Therefore, PLPMTUD does not rely on the network's 315 ability to deliver ICMP PTB messages to the source. 317 3. Increased Fragility 319 This section explains how IP fragmentation introduces fragility to 320 Internet communication. 322 3.1. Virtual Reassembly 324 Virtual reassembly is a procedure in which a device conceptually 325 reassembles a packet, forwards its fragments, and discards the 326 reassembled copy. In A+P and CGN, virtual reassembly is required in 327 order to correctly translate fragment addresses. It could be useful 328 to address the problems in Section 3.2, Section 3.3, Section 3.4, and 329 Section 3.5. 331 Virtual reassembly in the network is problematic, however, because it 332 is computationally expensive and because it holds state for 333 indeterminate periods of time, is prone to errors and, is prone to 334 attacks (Section 3.7). 336 One of the benefits of fragmenting at the source, as IPv6 does, is 337 that there is no question of temporary state or involved processes as 338 required in virtual fragmentation. The sender has the entire 339 message, and is fragmenting it as needed - and can apply that 340 knowledge consistently across the fragments it produces. It is 341 better than virtual fragmentation in that sense. 343 3.2. Policy-Based Routing 345 IP Fragmentation causes problems for routers that implement policy- 346 based routing. 348 When a router receives a packet, it identifies the next-hop on route 349 to the packet's destination and forwards the packet to that next-hop. 350 In order to identify the next-hop, the router interrogates a local 351 data structure called the Forwarding Information Base (FIB). 353 Normally, the FIB contains destination-based entries that map a 354 destination prefix to a next-hop. Policy-based routing allows 355 destination-based and policy-based entries to coexist in the same 356 FIB. A policy-based FIB entry maps multiple fields, drawn from 357 either the IP or transport-layer header, to a next-hop. 359 +-------+--------------+-----------------+------------+-------------+ 360 | Entry | Type | Dest. Prefix | Next Hdr / | Next-Hop | 361 | | | | Dest. Port | | 362 +-------+--------------+-----------------+------------+-------------+ 363 | | | | | | 364 | 1 | Destination- | 2001:db8::1/128 | Any / Any | 2001:db8::2 | 365 | | based | | | | 366 | | | | | | 367 | 2 | Policy- | 2001:db8::1/128 | TCP / 80 | 2001:db8::3 | 368 | | based | | | | 369 +-------+--------------+-----------------+------------+-------------+ 371 Table 1: Policy-Based Routing FIB 373 Assume that a router maintains the FIB in Table 1. The first FIB 374 entry is destination-based. It maps a destination prefix 375 2001:db8::1/128 to a next-hop 2001:db8::2. The second FIB entry is 376 policy-based. It maps the same destination prefix 2001:db8::1/128 377 and a destination port ( TCP / 80 ) to a different next-hop 378 (2001:db8::3). The second entry is more specific than the first. 380 When the router receives the first fragment of a packet that is 381 destined for TCP port 80 on 2001:db8::1, it interrogates the FIB. 382 Both FIB entries satisfy the query. The router selects the second 383 FIB entry because it is more specific and forwards the packet to 384 2001:db8::3. 386 When the router receives the second fragment of the packet, it 387 interrogates the FIB again. This time, only the first FIB entry 388 satisfies the query, because the second fragment contains no 389 indication that the packet is destined for TCP port 80. Therefore, 390 the router selects the first FIB entry and forwards the packet to 391 2001:db8::2. 393 Policy-based routing is also known as filter-based-forwarding. 395 3.3. Network Address Translation (NAT) 397 IP fragmentation causes problems for Network Address Translation 398 (NAT) devices. When a NAT device detects a new, outbound flow, it 399 maps that flow's source port and IP address to another source port 400 and IP address. Having created that mapping, the NAT device 401 translates: 403 o The Source IP Address and Source Port on each outbound packet. 405 o The Destination IP Address and Destination Port on each inbound 406 packet. 408 A+P [RFC6346] and Carrier Grade NAT (CGN) [RFC6888] are two common 409 NAT strategies. In both approaches the NAT device must virtually 410 reassemble fragmented packets in order to translate and forward each 411 fragment. (See NOTE 1.) 413 3.4. Stateless Firewalls 415 As discussed in more detail in Section 3.7, IP fragmentation causes 416 problems for stateless firewalls whose rules include TCP and UDP 417 ports. Because port information is only available in the first 418 fragment and not available in the subsequent fragments the firewall 419 is limited to the following options: 421 o Accept all trailing subsequent, possibly admitting certain classes 422 of attack. 424 o Block all subsequent fragments, possibly blocking legitimate 425 traffic. 427 Neither option is attractive. 429 3.5. Equal Cost Multipath, Link Aggregate Groups and Stateless Load- 430 Balancers 432 IP fragmentation causes problems for Equal Cost Multipath (ECMP), 433 Link Aggregate Groups (LAG) and other stateless load-distribution 434 technologies. In order to assign a packet or packet fragment to a 435 link, an intermediate node executes a hash (i.e., load-distributing) 436 algorithm. The following paragraphs describe a commonly deployed 437 hash algorithm. 439 If the packet or packet fragment contains a transport-layer header, 440 the algorithm accepts the following 5-tuple as input: 442 o IP Source Address. 444 o IP Destination Address. 446 o IPv4 Protocol or IPv6 Next Header. 448 o transport-layer source port. 450 o transport-layer destination port. 452 If the packet or packet fragment does not contain a transport-layer 453 header, the algorithm accepts only the following 3-tuple as input: 455 o IP Source Address. 457 o IP Destination Address. 459 o IPv4 Protocol or IPv6 Next Header. 461 Therefore, non-fragmented packets belonging to a flow can be assigned 462 to one link while fragmented packets belonging to the same flow can 463 be divided between that link and another. This can cause suboptimal 464 load-distribution. 466 [RFC6438] offers a partial solution to this problem for IPv6 devices 467 only. According to [RFC6438]: 469 "At intermediate routers that perform load balancing, the hash 470 algorithm used to determine the outgoing component-link in an ECMP 471 and/or LAG toward the next hop MUST minimally include the 3-tuple 472 {dest addr, source addr, flow label} and MAY also include the 473 remaining components of the 5-tuple." 474 If the algorithm includes only the 3-tuple {dest addr, source addr, 475 flow label}, it will assign all fragments belonging to a packet to 476 the same link. (See [RFC6437] and [RFC7098]). 478 In order to avoid the problem described above, implementations SHOULD 479 implement the recommendations provided in Section 6.4 of this 480 document. 482 3.6. IPv4 Reassembly Errors at High Data Rates 484 IPv4 fragmentation is not sufficiently robust for use under some 485 conditions in today's Internet. At high data rates, the 16-bit IP 486 identification field is not large enough to prevent duplicate IDs 487 resulting in frequent incorrectly assembled IP fragments, and the TCP 488 and UDP checksums are insufficient to prevent the resulting corrupted 489 datagrams from being delivered to higher protocol layers. [RFC4963] 490 describes some easily reproduced experiments demonstrating the 491 problem, and discusses some of the operational implications of these 492 observations. 494 These reassembly issues do not occur as frequently in IPv6 because 495 the IPv6 identification field is 32 bits long. 497 3.7. Security Vulnerabilities 499 Security researchers have documented several attacks that exploit IP 500 fragmentation. The following are examples: 502 o Overlapping fragment attacks [RFC1858][RFC3128][RFC5722] 504 o Resource exhaustion attacks 506 o Attacks based on predictable fragment identification values 507 [RFC7739] 509 o Evasion of Network Intrusion Detection Systems (NIDS) [Ptacek1998] 511 In the overlapping fragment attack, an attacker constructs a series 512 of packet fragments. The first fragment contains an IP header, a 513 transport-layer header, and some transport-layer payload. This 514 fragment complies with local security policy and is allowed to pass 515 through a stateless firewall. A second fragment, having a non-zero 516 offset, overlaps with the first fragment. The second fragment also 517 passes through the stateless firewall. When the packet is 518 reassembled, the transport layer header from the first fragment is 519 overwritten by data from the second fragment. The reassembled packet 520 does not comply with local security policy. Had it traversed the 521 firewall in one piece, the firewall would have rejected it. 523 A stateless firewall cannot protect against the overlapping fragment 524 attack. However, destination nodes can protect against the 525 overlapping fragment attack by implementing the procedures described 526 in RFC 1858, RFC 3128 and RFC 8200. These reassembly procedures 527 detect the overlap and discard the packet. 529 The fragment reassembly algorithm is a stateful procedure in an 530 otherwise stateless protocol. Therefore, it can be exploited by 531 resource exhaustion attacks. An attacker can construct a series of 532 fragmented packets, with one fragment missing from each packet so 533 that the reassembly is impossible. Thus, this attack causes resource 534 exhaustion on the destination node, possibly denying reassembly 535 services to other flows. This type of attack can be mitigated by 536 flushing fragment reassembly buffers when necessary, at the expense 537 of possibly dropping legitimate fragments. 539 Each IP fragment contains an "Identification" field that destination 540 nodes use to reassemble fragmented packets. Some implementations set 541 the Identification field to a predictable value, thus making it easy 542 for an attacker to forge malicious IP fragments that would cause the 543 reassembly procedure for legitimate packets to fail. 545 NIDS aims at identifying malicious activity by analyzing network 546 traffic. Ambiguity in the possible result of the fragment reassembly 547 process may allow an attacker to evade these systems. Many of these 548 systems try to mitigate some of these evasion techniques (e.g. By 549 computing all possible outcomes of the fragment reassembly process, 550 at the expense of increased processing requirements). 552 3.8. PMTU Blackholing Due to ICMP Loss 554 As mentioned in Section 2.3, upper-layer protocols can be configured 555 to rely on PMTUD. Because PMTUD relies upon the network to deliver 556 ICMP PTB messages, those protocols also rely on the networks to 557 deliver ICMP PTB messages. 559 According to [RFC4890], ICMPv6 PTB messages must not be filtered. 560 However, ICMP PTB delivery is not reliable. It is subject to both 561 transient and persistent loss. 563 Transient loss of ICMP PTB messages can cause transient PMTU black 564 holes. When the conditions contributing to transient loss abate, the 565 network regains its ability to deliver ICMP PTB messages and 566 connectivity between the source and destination nodes is restored. 567 Section 3.8.1 of this document describes conditions that lead to 568 transient loss of ICMP PTB messages. 570 Persistent loss of ICMP PTB messages can cause persistent black 571 holes. Section 3.8.2, Section 3.8.3, and Section 3.8.4 of this 572 document describe conditions that lead to persistent loss of ICMP PTB 573 messages. 575 The problem described in this section is specific to PMTUD. It does 576 not occur when the upper-layer protocol obtains its PMTU estimate 577 from PLPMTUD or from any other source. 579 3.8.1. Transient Loss 581 The following factors can contribute to transient loss of ICMP PTB 582 messages: 584 o Network congestion. 586 o Packet corruption. 588 o Transient routing loops. 590 o ICMP rate limiting. 592 The effect of rate limiting may be severe, as RFC 4443 recommends 593 strict rate limiting of ICMPv6 traffic. 595 3.8.2. Incorrect Implementation of Security Policy 597 Incorrect implementation of security policy can cause persistent loss 598 of ICMP PTB messages. 600 For example assume that a Customer Premise Equipment (CPE) router 601 implements the following zone-based security policy: 603 o Allow any traffic to flow from the inside zone to the outside 604 zone. 606 o Do not allow any traffic to flow from the outside zone to the 607 inside zone unless it is part of an existing flow (i.e., it was 608 elicited by an outbound packet). 610 When a correct implementation of the above-mentioned security policy 611 receives an ICMP PTB message, it examines the ICMP PTB payload in 612 order to determine whether the original packet (i.e., the packet that 613 elicited the ICMP PTB message) belonged to an existing flow. If the 614 original packet belonged to an existing flow, the implementation 615 allows the ICMP PTB to flow from the outside zone to the inside zone. 616 If not, the implementation discards the ICMP PTB message. 618 When an incorrect implementation of the above-mentioned security 619 policy receives an ICMP PTB message, it discards the packet because 620 its source address is not associated with an existing flow. 622 The security policy described above has been implemented incorrectly 623 on many consumer CPE routers. 625 3.8.3. Persistent Loss Caused By Anycast 627 Anycast can cause persistent loss of ICMP PTB messages. Consider the 628 example below: 630 A DNS client sends a request to an anycast address. The network 631 routes that DNS request to the nearest instance of that anycast 632 address (i.e., a DNS Server). The DNS server generates a response 633 and sends it back to the DNS client. While the response does not 634 exceed the DNS server's PMTU estimate, it does exceed the actual 635 PMTU. 637 A downstream router drops the packet and sends an ICMP PTB message 638 the packet's source (i.e., the anycast address). The network routes 639 the ICMP PTB message to the anycast instance closest to the 640 downstream router. That anycast instance may not be the DNS server 641 that originated the DNS response. It may be another DNS server with 642 the same anycast address. The DNS server that originated the 643 response may never receive the ICMP PTB message and may never update 644 its PMTU estimate. 646 3.8.4. Persistent Loss Caused By Unidirectional Routing 648 Unidirectional routing can cause persistent loss of ICMP PTB 649 messages. Consider the example below: 651 A source node sends a packet to a destination node. All intermediate 652 nodes maintain a route to the destination node, but do not maintain a 653 route to the source node. In this case, when an intermediate node 654 encounters an MTU issue, it cannot send an ICMP PTB message to the 655 source node. 657 3.9. Blackholing Due To Filtering or Loss 659 In RFC 7872, researchers sampled Internet paths to determine whether 660 they would convey packets that contain IPv6 extension headers. 661 Sampled paths terminated at popular Internet sites (e.g., popular 662 web, mail and DNS servers). 664 The study revealed that at least 28% of the sampled paths did not 665 convey packets containing the IPv6 Fragment extension header. In 666 most cases, fragments were dropped in the destination autonomous 667 system. In other cases, the fragments were dropped in transit 668 autonomous systems. 670 Another study [Huston] confirmed this finding. It reported that 37% 671 of sampled endpoints used IPv6-capable DNS resolvers that were 672 incapable of receiving a fragmented IPv6 response. 674 It is difficult to determine why network operators drop fragments. 675 Possible causes follow: 677 o Hardware inability to process fragmented packets. 679 o Failure to change vendor defaults. 681 o Unintentional misconfiguration. 683 o Intentional configuration (e.g., network operators consciously 684 chooses to drop IPv6 fragments in order to address the issues 685 raised in Section 3.2 through Section 3.8, above.) 687 4. Alternatives to IP Fragmentation 689 4.1. Transport Layer Solutions 691 The Transport Control Protocol (TCP) [RFC0793]) can be operated in a 692 mode that does not require IP fragmentation. 694 Applications submit a stream of data to TCP. TCP divides that stream 695 of data into segments, with no segment exceeding the TCP Maximum 696 Segment Size (MSS). Each segment is encapsulated in a TCP header and 697 submitted to the underlying IP module. The underlying IP module 698 prepends an IP header and forwards the resulting packet. 700 If the TCP MSS is sufficiently small, the underlying IP module never 701 produces a packet whose length is greater than the actual PMTU. 702 Therefore, IP fragmentation is not required. 704 TCP offers the following mechanisms for MSS management: 706 o Manual configuration 708 o PMTUD 710 o PLPMTUD 712 Manual configuration is always applicable. If the MSS is configured 713 to a sufficiently low value, the IP layer will never produce a packet 714 whose length is greater than the protocol minimum link MTU. However, 715 manual configuration prevents TCP from taking advantage of larger 716 link MTU's. 718 Upper-layer protocols can implement PMTUD in order to discover and 719 take advantage of larger path MTUs. However, as mentioned in 720 Section 2.1, PMTUD relies upon the network to deliver ICMP PTB 721 messages. Therefore, PMTUD can only provide an estimate of the PMTU 722 in environments where the risk of ICMP PTB loss is acceptable (e.g., 723 known to not be filtered). 725 By contrast, PLPMTUD does not rely upon the network's ability to 726 deliver ICMP PTB messages. It utilises probe messages sent as TCP 727 segments to determine whether the probed PMTU can be successfully 728 used across the network path. In PLPMTUD, probing is separated from 729 congestion control, so that loss of a TCP probe segment does not 730 cause a reduction of the congestion control window. [RFC4821] 731 defines PLPMTUD procedures for TCP. 733 While TCP will never knowingly cause the underlying IP module to emit 734 a packet that is larger than the PMTU estimate, it can cause the 735 underlying IP module to emit a packet that is larger than the actual 736 PMTU. For example, if routing changes and as a result the PMTU 737 becomes smaller, TCP will not know until the ICMP PTB message 738 arrives. If this occurs, the packet is dropped, the PMTU estimate is 739 updated, the segment is divided into smaller segments and each 740 smaller segment is submitted to the underlying IP module. 742 The Datagram Congestion Control Protocol (DCCP) [RFC4340] and the 743 Stream Control Transport Protocol (SCTP) [RFC4960] also can be 744 operated in a mode that does not require IP fragmentation. They both 745 accept data from an application and divide that data into segments, 746 with no segment exceeding a maximum size. 748 DCCP offers manual configuration, PMTUD, and PLPMTUD as mechanisms 749 for managing that maximum size. Datagram protocols can also 750 implement PLPMTUD to estimate the PMTU 751 via[I-D.ietf-tsvwg-datagram-plpmtud]. This proposes procedures for 752 performing PLPMTUD with UDP, UDP-Options, SCTP, QUIC and other 753 datagram protocols. 755 Currently, User Datagram Protocol (UDP) [RFC0768] lacks a 756 fragmentation mechanism of its own and relies on IP fragmentation. 757 However, [I-D.ietf-tsvwg-udp-options] proposes a fragmentation 758 mechanism for UDP. 760 4.2. Application Layer Solutions 762 [RFC8085] recognizes that IP fragmentation reduces the reliability of 763 Internet communication. It also recognizes that UDP lacks a 764 fragmentation mechanism of its own and relies on IP fragmentation. 765 Therefore, [RFC8085] offers the following advice regarding 766 applications the run over the UDP. 768 "An application SHOULD NOT send UDP datagrams that result in IP 769 packets that exceed the Maximum Transmission Unit (MTU) along the 770 path to the destination. Consequently, an application SHOULD either 771 use the path MTU information provided by the IP layer or implement 772 Path MTU Discovery (PMTUD) itself to determine whether the path to a 773 destination will support its desired message size without 774 fragmentation." 776 RFC 8085 continues: 778 "Applications that do not follow the recommendation to do PMTU/ 779 PLPMTUD discovery SHOULD still avoid sending UDP datagrams that would 780 result in IP packets that exceed the path MTU. Because the actual 781 path MTU is unknown, such applications SHOULD fall back to sending 782 messages that are shorter than the default effective MTU for sending 783 (EMTU_S in [RFC1122]). For IPv4, EMTU_S is the smaller of 576 bytes 784 and the first-hop MTU. For IPv6, EMTU_S is 1280 bytes [RFC8200]. 785 The effective PMTU for a directly connected destination (with no 786 routers on the path) is the configured interface MTU, which could be 787 less than the maximum link payload size. Transmission of minimum- 788 sized UDP datagrams is inefficient over paths that support a larger 789 PMTU, which is a second reason to implement PMTU discovery." 791 RFC 8085 assumes that for IPv4, an EMTU_S of 576 is sufficiently 792 small to be supported by most current Internet paths, even though the 793 IPv4 minimum link MTU is 68 bytes. 795 This advice applies equally to any application that runs directly 796 over IP. 798 5. Applications That Rely on IPv6 Fragmentation 800 The following applications rely on IPv6 fragmentation: 802 o DNS [RFC1035] 804 o OSPFv3 [RFC2328][RFC5340] 806 o Packet-in-packet encapsulations 807 Each of these applications relies on IPv6 fragmentation to a varying 808 degree. In some cases, that reliance is essential, and cannot be 809 broken without fundamentally changing the protocol. In other cases, 810 that reliance is incidental, and most implementations already take 811 appropriate steps to avoid fragmentation. 813 This list is not comprehensive, and other protocols that rely on IP 814 fragmentation may exist. They are not specifically considered in the 815 context of this document. 817 5.1. Domain Name Service (DNS) 819 DNS relies on UDP for efficiency, and the consequence is the use of 820 IP fragmentation for large responses, as permitted by the DNS EDNS0 821 options in the query. It is possible to mitigate the issue of 822 fragmentation-based packet loss by having queries use smaller EDNS0 823 UDP buffer sizes, or by having the DNS server limit the size of its 824 UDP responses to some self-imposed maximum packet size that may be 825 less than the preferred EDNS0 UDP Buffer Size. In both cases, large 826 responses are truncated in the DNS, signaling to the client to re- 827 query using TCP to obtain the complete response. However, the 828 operational issue of the partial level of support for DNS over TCP, 829 particularly in the case where IPv6 transport is being used, becomes 830 a limiting factor of the efficacy of this approach [Damas]. 832 Larger DNS responses can normally be avoided by aggressively pruning 833 the Additional section of DNS responses. One scenario where such 834 pruning is ineffective is in the use of DNSSEC, where large key sizes 835 act to increase the response size to certain DNS queries. There is 836 no effective response to this situation within the DNS other than 837 using smaller cryptographic keys and adoption of DNSSEC 838 administrative practices that attempt to keep DNS response as short 839 as possible. 841 5.2. Open Shortest Path First (OSPF) 843 OSPF implementations can emit messages large enough to cause 844 fragmentation. However, in order to optimize performance, most OSPF 845 implementations restrict their maximum message size to a value that 846 will not cause fragmentation. 848 5.3. Packet-in-Packet Encapsulations 850 In this document, packet-in-packet encapsulations include IP-in-IP 851 [RFC2003], Generic Routing Encapsulation (GRE) [RFC2784], GRE-in-UDP 852 [RFC8086] and Generic Packet Tunneling in IPv6 [RFC2473]. [RFC4459] 853 describes fragmentation issues associated with all of the above- 854 mentioned encapsulations. 856 The fragmentation strategy described for GRE in [RFC7588] has been 857 deployed for all of the above-mentioned encapsulations. This 858 strategy does not rely on IP fragmentation except in one corner case. 859 (see Section 3.3.2.2 of RFC 7588 and Section 7.1 of RFC 2473). 860 Section 3.3 of [RFC7676] further describes this corner case. 862 See [I-D.ietf-intarea-tunnels] for further discussion. 864 5.4. UDP Applications Enhancing Performance 866 Some UDP applications rely on IP fragmentation to achieve acceptable 867 levels of performance. These applications use UDP datagram sizes 868 that are larger than the path MTU so that more data can be conveyed 869 between the application and the kernel in a single system call. 871 To pick one example, the Licklider Transmission Protocol (LTP), 872 [RFC5326]which is in current use on the International Space Station 873 (ISS), uses UDP datagram sizes larger than the path MTU to achieve 874 acceptable levels of performance even though this invokes IP 875 fragmentation. More generally, SNMP and video applications may 876 transmit an application-layer quantum of data, depending on the 877 network layer to fragment and reassemble as needed. 879 6. Recommendations 881 6.1. For Application and Protocol Developers 883 Developers SHOULD NOT develop new protocols or applications that rely 884 on IP fragmentation. When a new protocol or application is deployed 885 in an environment that does not fully support IP fragmentation, it 886 SHOULD operate correctly, either in its default configuration or in a 887 specified alternative configuration. 889 While there may be controlled environments where IP fragmentation 890 works reliably, this is a deployment issue and can not be known to 891 someone developing a new protocol or application. It is not 892 recommended that new protocols or applications be developed that rely 893 on IP fragmentation. Protocols and applications that rely on IP 894 fragmentation will fail to work on the Internet. 896 Legacy protocols that depend upon IP fragmentation SHOULD be updated 897 to break that dependency. However, in some cases, there may be no 898 viable alternative to IP fragmentation (e.g., IPSEC tunnel mode, IP- 899 in-IP encapsulation). In these cases, the protocol will continue to 900 rely on IP fragmentation but should only be used in environments 901 where IP fragmentation is known to be supported. 903 Protocols may be able to avoid IP fragmentation by using a 904 sufficiently small MTU (e.g. The protocol minimum link MTU), 905 disabling IP fragmentation, and ensuring that the transport protocol 906 in use adapts its segment size to the MTU. Other protocols may 907 deploy a sufficiently reliable PMTU discovery mechanism 908 (e.g.,PLMPTUD). 910 UDP applications SHOULD abide by the recommendations stated in 911 Section 3.2 of [RFC8085]. 913 6.2. For System Developers 915 Software libraries SHOULD include provision for PLPMTUD for each 916 supported transport protocol. 918 6.3. For Middle Box Developers 920 Middle boxes, which are systems that "transparently" perform policy 921 functions on passing traffic but do not participate in the routing 922 system, should process IP fragments in a manner that is consistent 923 with [RFC0791] and [RFC8200]. In many cases, middle boxes must 924 maintain state in order to achieve this goal. 926 Price and performance considerations frequently motivate network 927 operators to deploy stateless middle boxes. These stateless middle 928 boxes may perform sub-optimally, process IP fragments in a manner 929 that is not compliant with RFC 791 or RFC 8200, or even discard IP 930 fragments completely. Such behaviors are NOT RECOMMENDED. If a 931 middleboxes implements non-standard behavior with respect to IP 932 fragmentation, then that behavior MUST be clearly documented. 934 6.4. For ECMP, LAG and Load-Balancer Developers And Operators 936 In their default configuration, when the IPv6 Flow Label is not equal 937 to zero, IPv6 devices that implement Equal-Cost Multipath (ECMP) 938 Routing as described in OSPF [RFC2328] and other routing protocols, 939 Link Aggregation Grouping (LAG) [RFC7424], or other load-distribution 940 technologies SHOULD accept only the following fields as input to 941 their hash algorithm: 943 o IP Source Address. 945 o IP Destination Address. 947 o Flow Label. 949 Operators SHOULD deploy these devices in their default configuration. 951 These recommendations are similar to those presented in [RFC6438] and 952 [RFC7098]. They differ in that they specify a default configuration. 954 6.5. For Network Operators 956 Operators MUST ensure proper PMTUD operation in their network, 957 including making sure the network generates PTB packets when dropping 958 packets too large compared to outgoing interface MTU. However, 959 implementations MAY rate limit the generation of ICMP messages as per 960 [RFC1812] and [RFC4443]. 962 As per RFC 4890, network operators MUST NOT filter ICMPv6 PTB 963 messages unless they are known to be forged or otherwise 964 illegitimate. As stated in Section 3.8, filtering ICMPv6 PTB packets 965 causes PMTUD to fail. Many upper-layer protocols rely on PMTUD. 967 As per RFC 8200, network operators MUST NOT deploy IPv6 links whose 968 MTU is less than 1280 bytes. 970 Network operators SHOULD NOT filter IP fragments if they are known to 971 have originated at a domain name server or be destined for a domain 972 name server. This is because domain name services are critical to 973 operation of the Internet. 975 7. IANA Considerations 977 This document makes no request of IANA. 979 8. Security Considerations 981 This document mitigates some of the security considerations 982 associated with IP fragmentation by discouraging its use. It does 983 not introduce any new security vulnerabilities, because it does not 984 introduce any new alternatives to IP fragmentation. Instead, it 985 recommends well-understood alternatives. 987 9. Acknowledgements 989 Thanks to Mikael Abrahamsson, Brian Carpenter, Silambu Chelvan, Joel 990 Halpern, Lorenzo Colitti, Gorry Fairhurst, Mike Heard, Tom Herbert, 991 Tatuya Jinmei, Suresh Krishnan, Jen Linkova, Paolo Lucente, Manoj 992 Nayak, Eric Nygren, Fred Templin and Joe Touch for their comments. 994 10. References 995 10.1. Normative References 997 [I-D.ietf-tsvwg-datagram-plpmtud] 998 Fairhurst, G., Jones, T., Tuexen, M., Ruengeler, I., and 999 T. Voelker, "Packetization Layer Path MTU Discovery for 1000 Datagram Transports", draft-ietf-tsvwg-datagram-plpmtud-08 1001 (work in progress), June 2019. 1003 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 1004 10.17487/RFC0768, August 1980, . 1007 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 1008 10.17487/RFC0791, September 1981, . 1011 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1012 RFC 792, DOI 10.17487/RFC0792, September 1981, 1013 . 1015 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 1016 793, DOI 10.17487/RFC0793, September 1981, 1017 . 1019 [RFC1035] Mockapetris, P., "Domain names - implementation and 1020 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 1021 November 1987, . 1023 [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, 1024 DOI 10.17487/RFC1191, November 1990, . 1027 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1028 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 1029 RFC2119, March 1997, . 1032 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet 1033 Control Message Protocol (ICMPv6) for the Internet 1034 Protocol Version 6 (IPv6) Specification", STD 89, RFC 1035 4443, DOI 10.17487/RFC4443, March 2006, . 1038 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 1039 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 1040 . 1042 [RFC6437] Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme, 1043 "IPv6 Flow Label Specification", RFC 6437, DOI 10.17487/ 1044 RFC6437, November 2011, . 1047 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label 1048 for Equal Cost Multipath Routing and Link Aggregation in 1049 Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011, 1050 . 1052 [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage 1053 Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, 1054 March 2017, . 1056 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1057 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1058 May 2017, . 1060 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1061 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/ 1062 RFC8200, July 2017, . 1065 [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., 1066 "Path MTU Discovery for IP version 6", STD 87, RFC 8201, 1067 DOI 10.17487/RFC8201, July 2017, . 1070 10.2. Informative References 1072 [Damas] Damas, J. and G. Huston, "Measuring ATR", April 2018, 1073 . 1075 [Huston] Huston, G., "IPv6, Large UDP Packets and the DNS 1076 http://www.potaroo.net/ispcol/2017-08/xtn-hdrs.html", 1077 August 2017. 1079 [I-D.ietf-intarea-tunnels] 1080 Touch, J. and M. Townsley, "IP Tunnels in the Internet 1081 Architecture", draft-ietf-intarea-tunnels-09 (work in 1082 progress), July 2018. 1084 [I-D.ietf-tsvwg-udp-options] 1085 Touch, J., "Transport Options for UDP", draft-ietf-tsvwg- 1086 udp-options-07 (work in progress), March 2019. 1088 [Kent] Kent, C. and J. Mogul, ""Fragmentation Considered 1089 Harmful", In Proc. SIGCOMM '87 Workshop on Frontiers in 1090 Computer Communications Technology, DOI 1091 10.1145/55483.55524", August 1987, 1092 . 1095 [Ptacek1998] 1096 Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial 1097 of Service: Eluding Network Intrusion Detection", 1998, 1098 . 1100 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - 1101 Communication Layers", STD 3, RFC 1122, DOI 10.17487/ 1102 RFC1122, October 1989, . 1105 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1106 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1107 . 1109 [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security 1110 Considerations for IP Fragment Filtering", RFC 1858, DOI 1111 10.17487/RFC1858, October 1995, . 1114 [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, DOI 1115 10.17487/RFC2003, October 1996, . 1118 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, DOI 10.17487/ 1119 RFC2328, April 1998, . 1122 [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in 1123 IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473, 1124 December 1998, . 1126 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 1127 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 1128 DOI 10.17487/RFC2784, March 2000, . 1131 [RFC3128] Miller, I., "Protection Against a Variant of the Tiny 1132 Fragment Attack (RFC 1858)", RFC 3128, DOI 10.17487/ 1133 RFC3128, June 2001, . 1136 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 1137 Congestion Control Protocol (DCCP)", RFC 4340, DOI 1138 10.17487/RFC4340, March 2006, . 1141 [RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the- 1142 Network Tunneling", RFC 4459, DOI 10.17487/RFC4459, April 1143 2006, . 1145 [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering 1146 ICMPv6 Messages in Firewalls", RFC 4890, DOI 10.17487/ 1147 RFC4890, May 2007, . 1150 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 1151 RFC 4960, DOI 10.17487/RFC4960, September 2007, 1152 . 1154 [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly 1155 Errors at High Data Rates", RFC 4963, DOI 10.17487/ 1156 RFC4963, July 2007, . 1159 [RFC5326] Ramadas, M., Burleigh, S., and S. Farrell, "Licklider 1160 Transmission Protocol - Specification", RFC 5326, DOI 1161 10.17487/RFC5326, September 2008, . 1164 [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF 1165 for IPv6", RFC 5340, DOI 10.17487/RFC5340, July 2008, 1166 . 1168 [RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments", 1169 RFC 5722, DOI 10.17487/RFC5722, December 2009, 1170 . 1172 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, DOI 1173 10.17487/RFC5927, July 2010, . 1176 [RFC6346] Bush, R., Ed., "The Address plus Port (A+P) Approach to 1177 the IPv4 Address Shortage", RFC 6346, DOI 10.17487/ 1178 RFC6346, August 2011, . 1181 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 1182 A., and H. Ashida, "Common Requirements for Carrier-Grade 1183 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 1184 April 2013, . 1186 [RFC7098] Carpenter, B., Jiang, S., and W. Tarreau, "Using the IPv6 1187 Flow Label for Load Balancing in Server Farms", RFC 7098, 1188 DOI 10.17487/RFC7098, January 2014, . 1191 [RFC7424] Krishnan, R., Yong, L., Ghanwani, A., So, N., and B. 1192 Khasnabish, "Mechanisms for Optimizing Link Aggregation 1193 Group (LAG) and Equal-Cost Multipath (ECMP) Component Link 1194 Utilization in Networks", RFC 7424, DOI 10.17487/RFC7424, 1195 January 2015, . 1197 [RFC7588] Bonica, R., Pignataro, C., and J. Touch, "A Widely 1198 Deployed Solution to the Generic Routing Encapsulation 1199 (GRE) Fragmentation Problem", RFC 7588, DOI 10.17487/ 1200 RFC7588, July 2015, . 1203 [RFC7676] Pignataro, C., Bonica, R., and S. Krishnan, "IPv6 Support 1204 for Generic Routing Encapsulation (GRE)", RFC 7676, DOI 1205 10.17487/RFC7676, October 2015, . 1208 [RFC7739] Gont, F., "Security Implications of Predictable Fragment 1209 Identification Values", RFC 7739, DOI 10.17487/RFC7739, 1210 February 2016, . 1212 [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu, 1213 "Observations on the Dropping of Packets with IPv6 1214 Extension Headers in the Real World", RFC 7872, DOI 1215 10.17487/RFC7872, June 2016, . 1218 [RFC8086] Yong, L., Ed., Crabbe, E., Xu, X., and T. Herbert, "GRE- 1219 in-UDP Encapsulation", RFC 8086, DOI 10.17487/RFC8086, 1220 March 2017, . 1222 Appendix A. Contributors' Address 1223 Authors' Addresses 1225 Ron Bonica 1226 Juniper Networks 1227 2251 Corporate Park Drive 1228 Herndon, Virginia 20171 1229 USA 1231 Email: rbonica@juniper.net 1233 Fred Baker 1234 Unaffiliated 1235 Santa Barbara, California 93117 1236 USA 1238 Email: FredBaker.IETF@gmail.com 1240 Geoff Huston 1241 APNIC 1242 6 Cordelia St 1243 Brisbane, 4101 QLD 1244 Australia 1246 Email: gih@apnic.net 1248 Robert M. Hinden 1249 Check Point Software 1250 959 Skyway Road 1251 San Carlos, California 94070 1252 USA 1254 Email: bob.hinden@gmail.com 1256 Ole Troan 1257 Cisco 1258 Philip Pedersens vei 1 1259 N-1366 Lysaker 1260 Norway 1262 Email: ot@cisco.com 1263 Fernando Gont 1264 SI6 Networks 1265 Evaristo Carriego 2644 1266 Haedo, Provincia de Buenos Aires 1267 Argentina 1269 Email: fgont@si6networks.com