idnits 2.17.1 draft-ietf-rtgwg-rfc3682bis-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 581. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 592. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 599. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 605. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 22, 2006) is 6358 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2461 (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 3392 (Obsoleted by RFC 5492) ** Downref: Normative reference to an Informational RFC: RFC 4272 Summary: 4 errors (**), 0 flaws (~~), 1 warning (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Routing WG V. Gill 3 Internet-Draft J. Heasley 4 Obsoletes: 3682 (if approved) D. Meyer 5 Intended status: Standards Track P. Savola 6 Expires: May 26, 2007 November 22, 2006 8 The Generalized TTL Security Mechanism (GTSM) 9 draft-ietf-rtgwg-rfc3682bis-07.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on May 26, 2007. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2006). 40 Abstract 42 The use of a packet's Time to Live (TTL) (IPv4) or Hop Limit (IPv6) 43 to verify whether the packet originated within the same link has been 44 used in many recent protocols. This document generalizes this 45 technique. This document obsoletes RFC 3682. 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 50 2. Assumptions Underlying GTSM . . . . . . . . . . . . . . . . . 3 51 2.1. GTSM Negotiation . . . . . . . . . . . . . . . . . . . . . 4 52 2.2. Assumptions on Attack Sophistication . . . . . . . . . . . 4 53 3. GTSM Procedure . . . . . . . . . . . . . . . . . . . . . . . . 5 54 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 55 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 56 5.1. TTL (Hop Limit) Spoofing . . . . . . . . . . . . . . . . . 7 57 5.2. Tunneled Packets . . . . . . . . . . . . . . . . . . . . . 7 58 5.2.1. IP in IP . . . . . . . . . . . . . . . . . . . . . . . 7 59 5.2.2. IP in MPLS . . . . . . . . . . . . . . . . . . . . . . 8 60 5.3. Multi-Hop Protocol Sessions . . . . . . . . . . . . . . . 9 61 6. Applicability Statement . . . . . . . . . . . . . . . . . . . 9 62 6.1. Backwards Compatibility . . . . . . . . . . . . . . . . . 10 63 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 64 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 65 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 66 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 67 Appendix A. Multihop GTSM . . . . . . . . . . . . . . . . . . . 11 68 Appendix B. Changes Since RFC3682 . . . . . . . . . . . . . . . 12 69 Appendix C. Draft Changelog . . . . . . . . . . . . . . . . . . 12 70 Appendix C.1. Changes between -06 and -07 . . . . . . . . . . . . 12 71 Appendix C.2. Changes between -05 and -06 . . . . . . . . . . . . 12 72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 73 Intellectual Property and Copyright Statements . . . . . . . . . . 14 75 1. Introduction 77 The Generalized TTL Security Mechanism (GTSM) is designed to protect 78 a router's IP based control plane from CPU-utilization based attacks. 79 In particular, while cryptographic techniques can protect the router- 80 based infrastructure (e.g., BGP [RFC4271], [RFC4272]) from a wide 81 variety of attacks, many attacks based on CPU overload can be 82 prevented by the simple mechanism described in this document. Note 83 that the same technique protects against other scarce-resource 84 attacks involving a router's CPU, such as attacks against processor- 85 line card bandwidth. 87 GTSM is based on the fact that the vast majority of protocol peerings 88 are established between routers that are adjacent . Thus most 89 protocol peerings are either directly between connected interfaces or 90 at the worst case, are between loopback and loopback, with static 91 routes to loopbacks. Since TTL spoofing is considered nearly 92 impossible, a mechanism based on an expected TTL value can provide a 93 simple and reasonably robust defense from infrastructure attacks 94 based on forged protocol packets from outside the network. Note, 95 however, that GTSM is not a substitute for authentication mechanisms. 96 In particular, it does not secure against insider on-the-wire 97 attacks, such as packet spoofing or replay. 99 Finally, the GTSM mechanism is equally applicable to both TTL (IPv4) 100 and Hop Limit (IPv6), and from the perspective of GTSM, TTL and Hop 101 Limit have identical semantics. As a result, in the remainder of 102 this document the term "TTL" is used to refer to both TTL or Hop 103 Limit (as appropriate). 105 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 107 document are to be interpreted as described in RFC 2119 [RFC2119]. 109 2. Assumptions Underlying GTSM 111 GTSM is predicated upon the following assumptions: 113 1. The vast majority of protocol peerings are between adjacent 114 routers. 116 2. It is common practice for many service providers to ingress 117 filter (deny) packets that have the provider's loopback addresses 118 as the source IP address. 120 3. Use of GTSM is OPTIONAL, and can be configured on a per-peer 121 (group) basis. 123 4. The peer routers both implement GTSM. 125 5. The router supports a method to use separate resource pools 126 (e.g., queues, processing quotas) for differently classified 127 traffic. 129 Note that this document does not prescribe further restrictions that 130 a router may apply to the packets not matching the GTSM filtering 131 rules, such as dropping packets that do not match any configured 132 protocol session and rate-limiting the rest. This document also does 133 not suggest the actual means of resource separation, as those are 134 hardware and implementation-specific. 136 The possibility of DoS attack prevention, however, is based on the 137 assumption that packet classification and separation of their paths 138 is done before they go through a scarce resource in the system. In 139 practice, this means that, the closer GTSM processing is done to the 140 line-rate hardware, the more resistant the system is to the DoS 141 attacks. 143 2.1. GTSM Negotiation 145 This document assumes that, when used with existing protocols, GTSM 146 will be manually configured between protocol peers. That is, no 147 automatic GTSM capability negotiation, such as is envisioned by RFC 148 3392 [RFC3392] is assumed or defined. 150 If a new protocol is designed with built-in GTSM support, then it is 151 recommended that procedures are always used for sending and 152 validating received protocol packets (GTSM is always on, see for 153 example [RFC2461]). If, however, dynamic negotiation of GTSM support 154 is necessary, protocol messages used for such negotiation MUST be 155 authenticated using other security mechanisms to prevent DoS attacks. 157 Also note that this specification does not offer a generic GTSM 158 capability negotiation mechanism, so messages of the protocol 159 augmented with the GTSM behavior will need to be used if dynamic 160 negotiation is deemed necessary. 162 2.2. Assumptions on Attack Sophistication 164 Throughout this document, we assume that potential attackers have 165 evolved in both sophistication and access to the point that they can 166 send control traffic to a protocol session, and that this traffic 167 appears to be valid control traffic (i.e., has the source/destination 168 of configured peer routers). 170 We also assume that each router in the path between the attacker and 171 the victim protocol speaker decrements TTL properly (clearly, if 172 either the path or the adjacent peer is compromised, then there are 173 worse problems to worry about). 175 Since the vast majority of peerings are between adjacent routers, we 176 can set the TTL on the protocol packets to 255 (the maximum possible 177 for IP) and then reject any protocol packets that come in from 178 configured peers which do NOT have an inbound TTL of 255. 180 GTSM can be disabled for applications such as route-servers and other 181 multi-hop peerings. In the event that an attack comes in from a 182 compromised multi-hop peering, that peering can be shut down. 184 3. GTSM Procedure 186 If GTSM is not built into the protocol and used as an additional 187 feature (e.g., for BGP, LDP, or MSDP), it SHOULD NOT be enabled by 188 default. 190 If GTSM is enabled for a protocol session, the following steps are 191 added to the IP packet sending and reception procedures: 193 Sending protocol packets: 195 The TTL field in all IP packets used for transmission of 196 messages associated with GTSM-enabled protocol sessions MUST be 197 set to 255. This also applies to related error handling 198 messages such as TCP RSTs or ICMP errors. 200 On some architectures, the TTL of control plane originated 201 traffic is under some configurations decremented in the 202 forwarding plane. The TTL of GTSM-enabled sessions MUST NOT be 203 decremented. 205 Receiving protocol packets: 207 The GTSM packet identification step associates each received 208 packet addressed to the router's control plane with one of the 209 following three trustworthiness categories: 211 + Unknown: these are packets that cannot be associated with 212 any registered GTSM-enabled session, and hence GTSM cannot 213 make any judgement on the level of risk associated with 214 them. 216 + Trusted: these are packets that have been identified as 217 belonging to one of the GTSM-enabled sessions, and their TTL 218 values are within the expected range. 220 + Dangerous: these are packets that have been identified as 221 belonging to one of the GTSM-enabled sessions, but their TTL 222 values are NOT within the expected range, and hence GTSM 223 believes there is a risk that the packets have been spoofed. 225 The exact policies applied to packets of different 226 classifications are not postulated in this document and are 227 expected to be configurable. Configurability is likely 228 necessary particular with the treatment of related messages 229 such as ICMP errors and TCP RSTs. It should be noted that 230 fragmentation may restrict the amount of information available 231 to the classification. 233 However, by default, the implementations: 235 + SHOULD ensure that packets classified as Dangerous do not 236 compete for resources with packets classified as Trusted or 237 Unknown. 239 + MUST NOT drop (as part of GTSM processing) packets 240 classified as Trusted or Unknown. 242 + MAY drop packets classified as Dangerous. 244 4. Acknowledgments 246 The use of the TTL field to protect BGP originated with many 247 different people, including Paul Traina and Jon Stewart. Ryan 248 McDowell also suggested a similar idea. Steve Bellovin, Jay 249 Borkenhagen, Randy Bush, Alfred Hoenes, Vern Paxon, Robert Raszuk and 250 Alex Zinin also provided useful feedback on earlier versions of this 251 document. David Ward provided insight on the generalization of the 252 original BGP-specific idea. Alex Zinin, Alia Atlas, and John Scudder 253 provided significant amount of feedback for the newer versions of the 254 document. 256 5. Security Considerations 258 GTSM is a simple procedure that protects single hop protocol 259 sessions, except in those cases in which the peer has been 260 compromised. In particular, it does not protect against the wide 261 range of on-the-wire attacks; protection from these attacks requires 262 more rigorous security mechanisms. 264 5.1. TTL (Hop Limit) Spoofing 266 The approach described here is based on the observation that a TTL 267 (or Hop Limit) value of 255 is non-trivial to spoof, since as the 268 packet passes through routers towards the destination, the TTL is 269 decremented by one per router. As a result, when a router receives a 270 packet, it may not be able to determine if the packet's IP address is 271 valid, but it can determine how many router hops away it is (again, 272 assuming none of the routers in the path are compromised in such a 273 way that they would reset the packet's TTL). 275 Note, however, that while engineering a packet's TTL such that it has 276 a particular value when sourced from an arbitrary location is 277 difficult (but not impossible), engineering a TTL value of 255 from 278 non-directly connected locations is not possible (again, assuming 279 none of the directly connected neighbors are compromised, the packet 280 hasn't been tunneled to the decapsulator, and the intervening routers 281 are operating in accordance with RFC 791 [RFC0791]). 283 5.2. Tunneled Packets 285 The security of any tunneling technique depends heavily on 286 authentication at the tunnel endpoints, as well as how the tunneled 287 packets are protected in flight. Such mechanisms are, however, 288 beyond the scope of this memo. 290 An exception to the observation that a packet with TTL of 255 is 291 difficult to spoof may occur when a protocol packet is tunneled and 292 the tunnel is not integrity-protected (i.e., the lower layer is 293 compromised). 295 When the protocol packet is tunneled directly to the protocol peer 296 (the protocol peer is the decapsulator), the GTSM provides no added 297 protection as the security depends entirely on the integrity of the 298 tunnel. 300 When the protocol packet is tunneled to the penultimate hop which 301 then forwards the packet to a directly connected protocol peer, TTL 302 is decremented as described below except in some myriad Bump-in-the- 303 Wire (BITW) cases [BITW]. 305 In IP-in-MPLS cases described below, the TTL is always decremented by 306 at least one. 308 5.2.1. IP in IP 310 Protocol packets may be tunneled over IP directly to a protocol peer, 311 or to a decapsulator (tunnel endpoint) that then forwards the packet 312 to a directly connected protocol peer (e.g., in IP-in-IP [RFC2003], 313 GRE [RFC2784], or various forms of IPv6-in-IPv4 [RFC4213]). These 314 cases are depicted below. 316 Peer router ---------- Tunnel endpoint router and peer 317 TTL=255 [tunnel] [TTL=255 at ingress] 318 [TTL=255 at egress] 320 Peer router -------- Tunnel endpoint router ----- On-link peer 321 TTL=255 [tunnel] [TTL=255 at ingress] [TTL=254 at ingress] 322 [TTL=254 at egress] 324 In the first case, in which the encapsulated packet is tunneled 325 directly to the protocol peer, the encapsulated packet's TTL can be 326 set to an arbitrary value. 328 In the second case, in which the encapsulated packet is tunneled to a 329 decapsulator (tunnel endpoint) which then forwards it to a directly 330 connected protocol peer, RFC 2003 specifies the following behavior: 332 When encapsulating a datagram, the TTL in the inner IP 333 header is decremented by one if the tunneling is being 334 done as part of forwarding the datagram; otherwise, the 335 inner header TTL is not changed during encapsulation. If 336 the resulting TTL in the inner IP header is 0, the 337 datagram is discarded and an ICMP Time Exceeded message 338 SHOULD be returned to the sender. An encapsulator MUST 339 NOT encapsulate a datagram with TTL = 0. 341 Hence the inner IP packet header's TTL, as seen by the decapsulator, 342 can be set to an arbitrary value (in particular, 255), however as the 343 decapsulator forwards the protocol packet to the peer, TTL will be 344 decremented. 346 5.2.2. IP in MPLS 348 Protocol packets may also be tunneled over MPLS to a protocol peer 349 which either the penultimate hop (when the penultimate hop popping 350 (PHP) is employed [RFC3032]) or the final hop These cases are 351 depicted below. 353 Peer router -------- Penultimate Hop (PH) and peer 354 TTL=255 [tunnel] [TTL=255 at ingress] 355 [TTL<=254 at egress] 357 Peer router -------- Penultimate Hop -------- On-link peer 358 TTL=255 [tunnel] [TTL=255 at ingress] [TTL <=254 at ingress] 359 [TTL<=254 at egress] 361 TTL handling for these cases is described in RFC 3032. RFC 3032 362 states that when the IP packet is first labeled: 364 ... the TTL field of the label stack entry MUST BE set to the 365 value of the IP TTL field. (If the IP TTL field needs to be 366 decremented, as part of the IP processing, it is assumed that 367 this has already been done.) 369 When the label is popped: 371 When a label is popped, and the resulting label stack is empty, 372 then the value of the IP TTL field SHOULD BE replaced with the 373 outgoing TTL value, as defined above. In IPv4 this also 374 requires modification of the IP header checksum. 376 where the definition of "outgoing TTL" is: 378 The "incoming TTL" of a labeled packet is defined to be the 379 value of the TTL field of the top label stack entry when the 380 packet is received. 382 The "outgoing TTL" of a labeled packet is defined to be the 383 larger of: 385 a) one less than the incoming TTL, 386 b) zero. 388 In either of these cases, the minimum value by which the TTL could be 389 decremented would be one (the network operator prefers to hide its 390 infrastructure by decrementing the TTL by the minimum number of LSP 391 hops, one, rather than decrementing the TTL as it traverses its MPLS 392 domain). As a result, the maximum TTL value at egress from the MPLS 393 cloud is 254 (255-1), and as a result the check described in section 394 3 will fail. 396 5.3. Multi-Hop Protocol Sessions 398 While GTSM could possibly offer some small though difficult to 399 quantify degree of protection when used with multi-hop protocol 400 sessions (see Appendix A), we do not specify GTSM for multi-hop 401 scenarios due to simplicity, lack of deployment and implementation. 403 6. Applicability Statement 405 GTSM is only applicable to environments with inherently limited 406 topologies (and is most effective in those cases where protocol peers 407 are directly connected). In particular, its application should be 408 limited to those cases in which protocol peers are directly 409 connected. 411 Experimentation on GTSM's applicability and security properties is 412 needed in multi-hop scenarios. The multi-hop scenarios where GTSM 413 might be applicable is expected to have the following 414 characteristics: the topology between peers is fairly static and well 415 known, and in which the intervening network (between the peers) is 416 trusted. 418 6.1. Backwards Compatibility 420 RFC 3682 did not specify how to handle "related messages" such as TCP 421 RSTs or ICMP errors. This specification mandates setting and 422 verifying TTL=255 of those as well as the main protocol packets. 424 Setting TTL=255 in related messages does not cause issues for RFC 425 3682 implementations. 427 Requiring TTL=255 in related messages may have impact with RFC 3682 428 implementations, depending on which default TTL the implementation 429 uses for originated packets; some implementations are known to use 430 255, while 64 or other values are also used. Related messages from 431 the latter category of RFC 3682 implementations would be discarded. 432 This is not believed to be a significant problem because protocols do 433 not depend on related messages (e.g., typically having a protocol 434 exchange for closing the session instead of doing a TCP-RST), and 435 indeed the delivery of related messages is not reliable. As such, 436 related messages typically provide an optimization to shorten a 437 protocol keepalive timeout. Regardless of these issues, given that 438 related messages provide a significant attack vector to e.g., reset 439 protocol sessions, making this further restriction seems sensible. 441 7. IANA Considerations 443 This document requires no action from IANA. 445 8. References 447 8.1. Normative References 449 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 450 September 1981. 452 [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, 453 October 1996. 455 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 456 Requirement Levels", BCP 14, RFC 2119, March 1997. 458 [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor 459 Discovery for IP Version 6 (IPv6)", RFC 2461, 460 December 1998. 462 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 463 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 464 March 2000. 466 [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., 467 Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack 468 Encoding", RFC 3032, January 2001. 470 [RFC3392] Chandra, R. and J. Scudder, "Capabilities Advertisement 471 with BGP-4", RFC 3392, November 2002. 473 [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms 474 for IPv6 Hosts and Routers", RFC 4213, October 2005. 476 [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway 477 Protocol 4 (BGP-4)", RFC 4271, January 2006. 479 [RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", 480 RFC 4272, January 2006. 482 8.2. Informative References 484 [BITW] "Thread: 'IP-in-IP, TTL decrementing when forwarding and 485 BITW' on int-area list, Message-ID: 486 ", 487 June 2006, . 490 Appendix A. Multihop GTSM 492 NOTE: This is a non-normative part of the specification. 494 The main applicability of GTSM is for directly connected peers. GTSM 495 could be used for non-directly connected sessions as well, where the 496 recipient would check that the TTL is within "TrustRadius" (e.g., 1) 497 of 255 instead of 255. As such deployment is expected to have a more 498 limited applicability and different security implications, it is not 499 specified in this document. 501 Appendix B. Changes Since RFC3682 503 o New text on GTSM applicability and use in new and existing 504 protocols. 506 o Explicitly require that related messages (e.g., TCP RSTs, ICMP 507 errors) must also be sent and checked to have TTL=255. See 508 Section 6.1 for discussion on backwards compatibility. 510 o Clarifications relating to security with tunneling. 512 o A significant number of editorial improvements and clarifications. 514 Appendix C. Draft Changelog 516 NOTE to the RFC-editor: please remove this section before 517 publication. 519 Appendix C.1. Changes between -06 and -07 521 o Be more reserved about multi-hop security properties in section 522 'Multi-Hop Protocol Sessions'. 524 o Clarify IP-in-IP tunnel decapsulation/forwarding as decrementing 525 TTL. 527 o Add text on related messages backwards compatibility. 529 o Editorial updates. 531 Appendix C.2. Changes between -05 and -06 533 o Clarify the assumptions wrt. resource separation and protection 534 based on comments from Alex Zinin. 536 o Rewrite the GTSM procedure based on text from Alex Zinin. 538 o Reduce TrustRadius and multi-hop scenarios to a mention in an 539 Appendix. 541 o Describe TCP-RST, ICMP error and "related messages" handling. 543 o Update the tunneling security considerations text. 545 o Editorial updates (e.g., shortening the abstract). 547 Authors' Addresses 549 Vijay Gill 551 Email: vijay@umbc.edu 553 John Heasley 555 Email: heas@shrubbery.net 557 David Meyer 559 Email: dmm@1-4-5.net 561 Pekka Savola 562 Espoo 563 Finland 565 Email: psavola@funet.fi 567 Full Copyright Statement 569 Copyright (C) The IETF Trust (2006). 571 This document is subject to the rights, licenses and restrictions 572 contained in BCP 78, and except as set forth therein, the authors 573 retain all their rights. 575 This document and the information contained herein are provided on an 576 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 577 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 578 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 579 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 580 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 581 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 583 Intellectual Property 585 The IETF takes no position regarding the validity or scope of any 586 Intellectual Property Rights or other rights that might be claimed to 587 pertain to the implementation or use of the technology described in 588 this document or the extent to which any license under such rights 589 might or might not be available; nor does it represent that it has 590 made any independent effort to identify any such rights. Information 591 on the procedures with respect to rights in RFC documents can be 592 found in BCP 78 and BCP 79. 594 Copies of IPR disclosures made to the IETF Secretariat and any 595 assurances of licenses to be made available, or the result of an 596 attempt made to obtain a general license or permission for the use of 597 such proprietary rights by implementers or users of this 598 specification can be obtained from the IETF on-line IPR repository at 599 http://www.ietf.org/ipr. 601 The IETF invites any interested party to bring to its attention any 602 copyrights, patents or patent applications, or other proprietary 603 rights that may cover technology that may be required to implement 604 this standard. Please address the information to the IETF at 605 ietf-ipr@ietf.org. 607 Acknowledgment 609 Funding for the RFC Editor function is provided by the IETF 610 Administrative Support Activity (IASA).