idnits 2.17.1 draft-ietf-rtgwg-rfc3682bis-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5 on line 533. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 544. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 551. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 557. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (August 28, 2006) is 6450 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2461 (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 3392 (Obsoleted by RFC 5492) ** Downref: Normative reference to an Informational RFC: RFC 4272 Summary: 6 errors (**), 0 flaws (~~), 1 warning (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Routing WG V. Gill 3 Internet-Draft J. Heasley 4 Obsoletes: 3682 (if approved) D. Meyer 5 Intended status: Standards Track P. Savola 6 Expires: March 1, 2007 August 28, 2006 8 The Generalized TTL Security Mechanism (GTSM) 9 draft-ietf-rtgwg-rfc3682bis-06.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on March 1, 2007. 36 Copyright Notice 38 Copyright (C) The Internet Society (2006). 40 Abstract 42 The use of a packet's Time to Live (TTL) (IPv4) or Hop Limit (IPv6) 43 to verify whether the packet originated within the same link has been 44 used in many recent protocols. This document generalizes this 45 technique. This document obsoletes RFC 3682. 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 50 2. Assumptions Underlying GTSM . . . . . . . . . . . . . . . . . 3 51 2.1. GTSM Negotiation . . . . . . . . . . . . . . . . . . . . . 4 52 2.2. Assumptions on Attack Sophistication . . . . . . . . . . . 4 53 3. GTSM Procedure . . . . . . . . . . . . . . . . . . . . . . . . 5 54 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 55 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 56 5.1. TTL (Hop Limit) Spoofing . . . . . . . . . . . . . . . . . 7 57 5.2. Tunneled Packets . . . . . . . . . . . . . . . . . . . . . 7 58 5.2.1. IP in IP . . . . . . . . . . . . . . . . . . . . . . . 8 59 5.2.2. IP in MPLS . . . . . . . . . . . . . . . . . . . . . . 8 60 5.3. Multi-Hop Protocol Sessions . . . . . . . . . . . . . . . 9 61 6. Applicability Statement . . . . . . . . . . . . . . . . . . . 10 62 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 63 8. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 10 64 8.1. Changes between -05 and -06 . . . . . . . . . . . . . . . 10 65 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 66 9.1. Normative References . . . . . . . . . . . . . . . . . . . 11 67 9.2. Informative References . . . . . . . . . . . . . . . . . . 11 68 Appendix A. Multihop GTSM . . . . . . . . . . . . . . . . . . . . 12 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 70 Intellectual Property and Copyright Statements . . . . . . . . . . 13 72 1. Introduction 74 The Generalized TTL Security Mechanism (GTSM) is designed to protect 75 a router's IP based control plane from CPU-utilization based attacks. 76 In particular, while cryptographic techniques can protect the router- 77 based infrastructure (e.g., BGP [RFC4271], [RFC4272]) from a wide 78 variety of attacks, many attacks based on CPU overload can be 79 prevented by the simple mechanism described in this document. Note 80 that the same technique protects against other scarce-resource 81 attacks involving a router's CPU, such as attacks against processor- 82 line card bandwidth. 84 GTSM is based on the fact that the vast majority of protocol peerings 85 are established between routers that are adjacent [PEERING]. Thus 86 most protocol peerings are either directly between connected 87 interfaces or at the worst case, are between loopback and loopback, 88 with static routes to loopbacks. Since TTL spoofing is considered 89 nearly impossible, a mechanism based on an expected TTL value can 90 provide a simple and reasonably robust defense from infrastructure 91 attacks based on forged protocol packets from outside the network. 92 Note, however, that GTSM is not a substitute for authentication 93 mechanisms. In particular, it does not secure against insider on- 94 the-wire attacks, such as packet spoofing or replay. 96 Finally, the GTSM mechanism is equally applicable to both TTL (IPv4) 97 and Hop Limit (IPv6), and from the perspective of GTSM, TTL and Hop 98 Limit have identical semantics. As a result, in the remainder of 99 this document the term "TTL" is used to refer to both TTL or Hop 100 Limit (as appropriate). 102 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 103 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 104 document are to be interpreted as described in RFC 2119 [RFC2119]. 106 2. Assumptions Underlying GTSM 108 GTSM is predicated upon the following assumptions: 110 1. The vast majority of protocol peerings are between adjacent 111 routers [PEERING]. 113 2. It is common practice for many service providers to ingress 114 filter (deny) packets that have the provider's loopback addresses 115 as the source IP address. 117 3. Use of GTSM is OPTIONAL, and can be configured on a per-peer 118 (group) basis. 120 4. The peer routers both implement GTSM. 122 5. The router supports a method to use separate resource pools 123 (e.g., queues, processing quotas) for differently classified 124 traffic. 126 Note that this document does not prescribe further restrictions that 127 a router may apply to the packets not matching the GTSM filtering 128 rules, such as dropping packets that do not match any configured 129 protocol session and rate-limiting the rest. This document also does 130 not suggest the actual means of resource separation, as those are 131 hardware and implementation-specific. 133 The possibility of DoS attack prevention, however, is based on the 134 assumption that packet classification and separation of their paths 135 is done before they go through a scarce resource in the system. In 136 practice, this means that, the closer GTSM processing is done to the 137 line-rate hardware, the more resistant the system is to the DoS 138 attacks. 140 2.1. GTSM Negotiation 142 This document assumes that, when used with existing protocols, GTSM 143 will be manually configured between protocol peers. That is, no 144 automatic GTSM capability negotiation, such as is envisioned by RFC 145 3392 [RFC3392] is assumed or defined. 147 If a new protocol is designed with built-in GTSM support, then it is 148 recommended that procedures are always used for sending and 149 validating received protocol packets (GTSM is always on, see for 150 example [RFC2461]). If, however, dynamic negotiation of GTSM support 151 is necessary, protocol messages used for such negotiation MUST be 152 authenticated using other security mechanisms to prevent DoS attacks. 154 Also note that this specification does not offer a generic GTSM 155 capability negotiation mechanism, so messages of the protocol 156 augmented with the GTSM behavior will need to be used if dynamic 157 negotiation is deemed necessary. 159 2.2. Assumptions on Attack Sophistication 161 Throughout this document, we assume that potential attackers have 162 evolved in both sophistication and access to the point that they can 163 send control traffic to a protocol session, and that this traffic 164 appears to be valid control traffic (i.e., has the source/destination 165 of configured peer routers). 167 We also assume that each router in the path between the attacker and 168 the victim protocol speaker decrements TTL properly (clearly, if 169 either the path or the adjacent peer is compromised, then there are 170 worse problems to worry about). 172 Since the vast majority of peerings are between adjacent routers, we 173 can set the TTL on the protocol packets to 255 (the maximum possible 174 for IP) and then reject any protocol packets that come in from 175 configured peers which do NOT have an inbound TTL of 255. 177 GTSM can be disabled for applications such as route-servers and other 178 large diameter multi-hop peerings. In the event that an the attack 179 comes in from a compromised multi-hop peering, that peering can be 180 shut down (a method to reduce exposure to multi-hop attacks is 181 outlined below). 183 3. GTSM Procedure 185 If GTSM is not built into the protocol and used as an additional 186 feature (e.g., for BGP, LDP, or MSDP), it SHOULD NOT be enabled by 187 default. 189 If GTSM is enabled for a protocol session, the following steps are 190 added to the IP packet sending and reception procedures: 192 Sending protocol packets: 194 The TTL field in all IP packets used for transmission of 195 messages associated with GTSM-enabled protocol sessions MUST be 196 set to 255. This also related error handling messages such as 197 TCP RSTs or ICMP errors. 199 On some architectures, the TTL of control plane originated 200 traffic is under some configurations decremented in the 201 forwarding plane. The TTL of GTSM-enabled sessions MUST NOT be 202 decremented. 204 Receiving protocol packets: 206 The GTSM packet identification step associates each received 207 packet addressed to the router's control plane with one of the 208 following three trustworthiness categories: 210 + Unknown: these are packets that cannot be associated with 211 any registered GTSM-enabled session, and hence GTSM cannot 212 make any judgement on the level of risk associated with 213 them. 215 + Trusted: these are packets that have been identified as 216 belonging to one of the GTSM-enabled sessions, and their TTL 217 values are within the expected range. 219 + Dangerous: these are packets that have been identified as 220 belonging to one of the GTSM-enabled sessions, but their TTL 221 values are NOT within the expected range, and hence GTSM 222 believes there is a risk that the packets have been spoofed. 224 The exact policies applied to packets of different 225 classifications are not postulated in this document and are 226 expected to be configurable. Configurability is likely 227 necessary particular with the treatment of related messages 228 such as ICMP errors and TCP RSTs. It should be noted that 229 fragmentation may restrict the amount of information available 230 to the classification. 232 However, by default, the implementations: 234 + SHOULD ensure that packets classified as Dangerous do not 235 compete for resources with packets classified as Trusted or 236 Unknown. 238 + MUST NOT drop (as part of GTSM processing) packets 239 classified as Trusted or Unknown. 241 + MAY drop packets classified as Dangerous. 243 4. Acknowledgments 245 The use of the TTL field to protect BGP originated with many 246 different people, including Paul Traina and Jon Stewart. Ryan 247 McDowell also suggested a similar idea. Steve Bellovin, Jay 248 Borkenhagen, Randy Bush, Alfred Hoenes, Vern Paxon, Robert Raszuk and 249 Alex Zinin also provided useful feedback on earlier versions of this 250 document. David Ward provided insight on the generalization of the 251 original BGP-specific idea. Alex Zinin and Alia Atlas provided 252 significant amount of feedback for the newer versions of the 253 document. 255 5. Security Considerations 257 GTSM is a simple procedure that protects single hop protocol 258 sessions, except in those cases in which the peer has been 259 compromised. In particular, it does not protect against the wide 260 range of on-the-wire attacks; protection from these attacks requires 261 more rigorous security mechanisms. 263 5.1. TTL (Hop Limit) Spoofing 265 The approach described here is based on the observation that a TTL 266 (or Hop Limit) value of 255 is non-trivial to spoof, since as the 267 packet passes through routers towards the destination, the TTL is 268 decremented by one. As a result, when a router receives a packet, it 269 may not be able to determine if the packet's IP address is valid, but 270 it can determine how many router hops away it is (again, assuming 271 none of the routers in the path are compromised in such a way that 272 they would reset the packet's TTL). 274 Note, however, that while engineering a packet's TTL such that it has 275 a particular value when sourced from an arbitrary location is 276 difficult (but not impossible), engineering a TTL value of 255 from 277 non-directly connected locations is not possible (again, assuming 278 none of the directly connected neighbors are compromised, the packet 279 hasn't been tunneled to the decapsulator, and the intervening routers 280 are operating in accordance with RFC 791 [RFC0791]). 282 5.2. Tunneled Packets 284 The security of any tunneling technique depends heavily on 285 authentication at the tunnel endpoints, as well as how the tunneled 286 packets are protected in flight. Such mechanisms are, however, 287 beyond the scope of this memo. 289 An exception to the observation that a packet with TTL of 255 is 290 difficult to spoof may occur when a protocol packet is tunneled and 291 the tunnel is not integrity-protected (i.e., the lower layer is 292 compromised). 294 When the protocol packet is tunneled directly to the protocol peer 295 (the protocol peer is the decapsulator), the GTSM provides no added 296 protection as the security depends entirely on the integrity of the 297 tunnel. 299 When the protocol packet is tunneled to the penultimate hop which 300 then forwards the packet to a directly connected protocol peer, TTL 301 is decremented as described below except in some myriad Bump-in-the- 302 Wire (BITW) cases [BITW]. 304 In IP-in-MPLS cases described below, the TTL is always decremented by 305 at least one. 307 5.2.1. IP in IP 309 Protocol packets may be tunneled over IP directly to a protocol peer, 310 or to a decapsulator (tunnel endpoint) that then forwards the packet 311 to a directly connected protocol peer (e.g., in IP-in-IP [RFC2003], 312 GRE [RFC2784], or various forms of IPv6-in-IPv4 [RFC4213]). These 313 cases are depicted below. 315 Peer router ---------- Tunnel endpoint router and peer 316 TTL=255 [tunnel] [TTL=255 at ingress] 317 [TTL=255 at egress] 319 Peer router -------- Tunnel endpoint router ----- On-link peer 320 TTL=255 [tunnel] [TTL=255 at ingress] [TTL=254 at ingress] 321 [TTL=254 at egress] 323 In the first case, in which the encapsulated packet is tunneled 324 directly to the protocol peer, the encapsulated packet's TTL can be 325 set arbitrary value. In the second case, in which the encapsulated 326 packet is tunneled to a decapsulator (tunnel endpoint) which then 327 forwards it to a directly connected protocol peer, RFC 2003 specifies 328 the following behavior: 330 When encapsulating a datagram, the TTL in the inner IP 331 header is decremented by one if the tunneling is being 332 done as part of forwarding the datagram; otherwise, the 333 inner header TTL is not changed during encapsulation. If 334 the resulting TTL in the inner IP header is 0, the 335 datagram is discarded and an ICMP Time Exceeded message 336 SHOULD be returned to the sender. An encapsulator MUST 337 NOT encapsulate a datagram with TTL = 0. 339 Hence the inner IP packet header's TTL, as seen by the decapsulator, 340 can be set to an arbitrary value (in particular, 255). As a result, 341 it may not be possible to deliver the protocol packet to the peer 342 with a TTL of 255. 344 5.2.2. IP in MPLS 346 Protocol packets may also be tunneled over MPLS to a protocol peer 347 which either the penultimate hop (when the penultimate hop popping 348 (PHP) is employed [RFC3032]), or one hop beyond the penultimate hop. 349 These cases are depicted below. 351 Peer router -------- Penultimate Hop (PH) and peer 352 TTL=255 [tunnel] [TTL=255 at ingress] 353 [TTL<=254 at egress] 355 Peer router -------- Penultimate Hop -------- On-link peer 356 TTL=255 [tunnel] [TTL=255 at ingress] [TTL <=254 at ingress] 357 [TTL<=254 at egress] 359 TTL handling for these cases is described in RFC 3032. RFC 3032 360 states that when the IP packet is first labeled: 362 ... the TTL field of the label stack entry MUST BE set to the 363 value of the IP TTL field. (If the IP TTL field needs to be 364 decremented, as part of the IP processing, it is assumed that 365 this has already been done.) 367 When the label is popped: 369 When a label is popped, and the resulting label stack is empty, 370 then the value of the IP TTL field SHOULD BE replaced with the 371 outgoing TTL value, as defined above. In IPv4 this also 372 requires modification of the IP header checksum. 374 where the definition of "outgoing TTL" is: 376 The "incoming TTL" of a labeled packet is defined to be the 377 value of the TTL field of the top label stack entry when the 378 packet is received. 380 The "outgoing TTL" of a labeled packet is defined to be the 381 larger of: 383 a) one less than the incoming TTL, 384 b) zero. 386 In either of these cases, the minimum value by which the TTL could be 387 decremented would be one (the network operator prefers to hide its 388 infrastructure by decrementing the TTL by the minimum number of LSP 389 hops, one, rather than decrementing the TTL as it traverses its MPLS 390 domain). As a result, the maximum TTL value at egress from the MPLS 391 cloud is 254 (255-1), and as a result the check described in section 392 3 will fail. 394 5.3. Multi-Hop Protocol Sessions 396 While GTSM could possibly offer a slightly more limited security 397 properties also when used with multi-hop protocol sessions (see 398 Appendix A), we do not specify GTSM for multi-hop scenarios due to 399 simplicity, lack of deployment and implementation. 401 6. Applicability Statement 403 GTSM is only applicable to environments with inherently limited 404 topologies (and is most effective in those cases where protocol peers 405 are directly connected). In particular, its application should be 406 limited to those cases in which protocol peers are directly 407 connected. 409 Experimentation on GTSM's applicability and security properties is 410 needed in multi-hop scenarios. The multi-hop scenarios where GTSM 411 might be applicable is expected to have the following 412 characteristics: the topology between peers is fairly static and well 413 known, and in which the intervening network (between the peers) is 414 trusted. 416 7. IANA Considerations 418 This document requires no action from IANA. 420 8. Changelog 422 NOTE to the RFC-editor: please remove this section before 423 publication. 425 8.1. Changes between -05 and -06 427 o Clarify the assumptions wrt. resource separation and protection 428 based on comments from Alex Zinin. 430 o Rewrite the GTSM procedure based on text from Alex Zinin. 432 o Reduce TrustRadius and multi-hop scenarios to a mention in an 433 Appendix. 435 o Describe TCP-RST, ICMP error and "related messages" handling. 437 o Update the tunneling security considerations text. 439 o Editorial updates (e.g., shortening the abstract). 441 9. References 442 9.1. Normative References 444 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 445 September 1981. 447 [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, 448 October 1996. 450 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 451 Requirement Levels", BCP 14, RFC 2119, March 1997. 453 [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor 454 Discovery for IP Version 6 (IPv6)", RFC 2461, 455 December 1998. 457 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 458 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 459 March 2000. 461 [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., 462 Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack 463 Encoding", RFC 3032, January 2001. 465 [RFC3392] Chandra, R. and J. Scudder, "Capabilities Advertisement 466 with BGP-4", RFC 3392, November 2002. 468 [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms 469 for IPv6 Hosts and Routers", RFC 4213, October 2005. 471 [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway 472 Protocol 4 (BGP-4)", RFC 4271, January 2006. 474 [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", 475 RFC 4272, January 2006. 477 9.2. Informative References 479 [BITW] "Thread: 'IP-in-IP, TTL decrementing when forwarding and 480 BITW' on int-area list, Message-ID: 481 ", 482 June 2006, . 485 [PEERING] "Empirical data gathered from the Sprint and AOL 486 backbones", October 2002. 488 Appendix A. Multihop GTSM 490 NOTE: This is a non-normative part of the specification. 492 The main applicability of GTSM is for directly connected peers. GTSM 493 could be used for non-directly connected sessions as well, where the 494 recipient would check that the TTL is within "TrustRadius" (e.g., 1) 495 of 255 instead of 255. As such deployment is expected to have a more 496 limited applicability and different security implications, it is not 497 specified in this document. 499 Authors' Addresses 501 Vijay Gill 503 Email: vijay@umbc.edu 505 John Heasley 507 Email: heas@shrubbery.net 509 David Meyer 511 Email: dmm@1-4-5.net 513 Pekka Savola 514 Espoo 515 Finland 517 Email: psavola@funet.fi 519 Full Copyright Statement 521 Copyright (C) The Internet Society (2006). 523 This document is subject to the rights, licenses and restrictions 524 contained in BCP 78, and except as set forth therein, the authors 525 retain all their rights. 527 This document and the information contained herein are provided on an 528 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 529 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 530 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 531 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 532 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 533 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 535 Intellectual Property 537 The IETF takes no position regarding the validity or scope of any 538 Intellectual Property Rights or other rights that might be claimed to 539 pertain to the implementation or use of the technology described in 540 this document or the extent to which any license under such rights 541 might or might not be available; nor does it represent that it has 542 made any independent effort to identify any such rights. Information 543 on the procedures with respect to rights in RFC documents can be 544 found in BCP 78 and BCP 79. 546 Copies of IPR disclosures made to the IETF Secretariat and any 547 assurances of licenses to be made available, or the result of an 548 attempt made to obtain a general license or permission for the use of 549 such proprietary rights by implementers or users of this 550 specification can be obtained from the IETF on-line IPR repository at 551 http://www.ietf.org/ipr. 553 The IETF invites any interested party to bring to its attention any 554 copyrights, patents or patent applications, or other proprietary 555 rights that may cover technology that may be required to implement 556 this standard. Please address the information to the IETF at 557 ietf-ipr@ietf.org. 559 Acknowledgment 561 Funding for the RFC Editor function is provided by the IETF 562 Administrative Support Activity (IASA).