idnits 2.17.1
draft-ietf-v6ops-ipv6-ehs-packet-drops-07.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Line 186 has weird spacing: '... length var...'
-- The document date (June 9, 2021) is 1052 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
== Outdated reference: A later version (-10) exists of
draft-ietf-opsec-ipv6-eh-filtering-07
-- Obsolete informational reference (is this intentional?): RFC 2460
(Obsoleted by RFC 8200)
-- Obsolete informational reference (is this intentional?): RFC 5575
(Obsoleted by RFC 8955)
Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 Operations Working Group (v6ops) F. Gont
3 Internet-Draft SI6 Networks
4 Intended status: Informational N. Hilliard
5 Expires: December 11, 2021 INEX
6 G. Doering
7 SpaceNet AG
8 W. Kumari
9 Google
10 G. Huston
11 APNIC
12 W. Liu
13 Huawei Technologies
14 June 9, 2021
16 Operational Implications of IPv6 Packets with Extension Headers
17 draft-ietf-v6ops-ipv6-ehs-packet-drops-07
19 Abstract
21 This document summarizes the operational implications of IPv6
22 extension headers specified in the IPv6 protocol specification
23 (RFC8200), and attempts to analyze reasons why packets with IPv6
24 extension headers are often dropped in the public Internet.
26 Status of This Memo
28 This Internet-Draft is submitted in full conformance with the
29 provisions of BCP 78 and BCP 79.
31 Internet-Drafts are working documents of the Internet Engineering
32 Task Force (IETF). Note that other groups may also distribute
33 working documents as Internet-Drafts. The list of current Internet-
34 Drafts is at https://datatracker.ietf.org/drafts/current/.
36 Internet-Drafts are draft documents valid for a maximum of six months
37 and may be updated, replaced, or obsoleted by other documents at any
38 time. It is inappropriate to use Internet-Drafts as reference
39 material or to cite them other than as "work in progress."
41 This Internet-Draft will expire on December 11, 2021.
43 Copyright Notice
45 Copyright (c) 2021 IETF Trust and the persons identified as the
46 document authors. All rights reserved.
48 This document is subject to BCP 78 and the IETF Trust's Legal
49 Provisions Relating to IETF Documents
50 (https://trustee.ietf.org/license-info) in effect on the date of
51 publication of this document. Please review these documents
52 carefully, as they describe your rights and restrictions with respect
53 to this document. Code Components extracted from this document must
54 include Simplified BSD License text as described in Section 4.e of
55 the Trust Legal Provisions and are provided without warranty as
56 described in the Simplified BSD License.
58 Table of Contents
60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
61 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
62 3. Disclaimer . . . . . . . . . . . . . . . . . . . . . . . . . 3
63 4. Background Information . . . . . . . . . . . . . . . . . . . 3
64 5. Previous Work on IPv6 Extension Headers . . . . . . . . . . . 5
65 6. Packet Forwarding Engine Constraints . . . . . . . . . . . . 7
66 6.1. Recirculation . . . . . . . . . . . . . . . . . . . . . . 8
67 7. Requirement to Process Layer-3/layer-4 information in
68 Intermediate Systems . . . . . . . . . . . . . . . . . . . . 8
69 7.1. ECMP and Hash-based Load-Sharing . . . . . . . . . . . . 8
70 7.2. Enforcing infrastructure ACLs . . . . . . . . . . . . . . 9
71 7.3. DDoS Management and Customer Requests for Filtering . . . 10
72 7.4. Network Intrusion Detection and Prevention . . . . . . . 10
73 7.5. Firewalling . . . . . . . . . . . . . . . . . . . . . . . 11
74 8. Operational and Security Implications . . . . . . . . . . . . 12
75 8.1. Inability to Find Layer-4 Information . . . . . . . . . . 12
76 8.2. Route-Processor Protection . . . . . . . . . . . . . . . 12
77 8.3. Inability to Perform Fine-grained Filtering . . . . . . . 12
78 8.4. Security Concerns Associated with IPv6 Extension Headers 12
79 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
80 10. Security Considerations . . . . . . . . . . . . . . . . . . . 14
81 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
82 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
83 12.1. Normative References . . . . . . . . . . . . . . . . . . 14
84 12.2. Informative References . . . . . . . . . . . . . . . . . 15
85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
87 1. Introduction
89 IPv6 Extension Headers (EHs) allow for the extension of the IPv6
90 protocol, and provide support for core functionality such as IPv6
91 fragmentation. However, common implementation limitations suggest
92 that EHs present a challenge for IPv6 packet routing equipment and
93 middle-boxes, and evidence exists that IPv6 packets with EHs are
94 intentionally dropped in the public Internet in some circumstances.
96 This document has the following goals:
98 o Raise awareness about the operational and security implications of
99 IPv6 Extension Headers specified in [RFC8200], and present reasons
100 why some networks resort to intentionally dropping packets
101 containing IPv6 Extension Headers.
103 o Highlight areas where current IPv6 support by networking devices
104 maybe sub-optimal, such that the aforementioned support is
105 improved.
107 o Highlight operational issues associated with IPv6 extension
108 headers, such that those issues are considered in IETF
109 standardization efforts.
111 Section 4 provides background information about the IPv6 packet
112 structure and associated implications. Section 5 of this document
113 summarizes the previous work that has been carried out in the area of
114 IPv6 extension headers. Section 6 discusses packet forwarding engine
115 constraints in contemporary routers. Section 7 discusses why
116 intermediate systems may need to access Layer-4 information to make a
117 forwarding decision. Finally, Section 8 discusses the operational
118 implications of IPv6 EHs.
120 2. Terminology
122 This document uses the term "intermediate system" to describe both
123 routers and middle-boxes, when there is no need to distinguish
124 between the two and where the important issue is that the device
125 being discussed forwards packets.
127 3. Disclaimer
129 This document analyzes the operational challenges represented by
130 packets that employ IPv6 Extension Headers, and documents some of the
131 operational reasons why these packets are often dropped in the public
132 Internet. This document is not a recommendation to drop such
133 packets, but rather an analysis of why they are currently dropped.
135 4. Background Information
137 It is useful to compare the basic structure of IPv6 packets against
138 that of IPv4 packets, and analyze the implications of the two
139 different packet structures.
141 IPv4 packets have a variable-length header size, that allows for the
142 use of IPv4 "options" -- optional information that may be of use by
143 nodes processing IPv4 packets. The IPv4 header length is specified
144 in the IHL header field of the mandatory IPv4 header, and must be in
145 the range from 20 octets (the minimum IPv4 header size) to 60 octets
146 (accommodating at most 40 octets of options). The upper-layer
147 protocol type is specified via the "Protocol" field of the mandatory
148 IPv4 header.
150 Protocol, IHL
151 +--------+
152 | |
153 | v
154 +------//-----+------------------------+
155 | | |
156 | IPv4 | Upper-Layer |
157 | Header | Protocol |
158 | | |
159 +-----//------+------------------------+
161 variable length
162 <------------->
164 Figure 1: IPv4 Packet Structure
166 IPv6 took a different approach to the IPv6 packet structure. Rather
167 than employing a variable-length header as IPv4 does, IPv6 employs a
168 linked-list-like packet structure, where a mandatory fixed-length
169 IPv6 header is followed by an arbitrary number of optional extension
170 headers, with the upper-layer header being the last header in the
171 IPv6 header chain. Each extension header typically specifies its
172 length (unless it is implicit from the extension header type), and
173 the "next header" type that follows in the IPv6 header chain.
175 NH NH, EH-length NH, EH-length
176 +-------+ +------+ +-------+
177 | | | | | |
178 | v | v | v
179 +-------------+-------------+-//-+---------------+--------------+
180 | | | | | |
181 | IPv6 | Ext. | | Ext. | Upper-Layer |
182 | header | Header | | Header | Protocol |
183 | | | | | |
184 +-------------+-------------+-//-+---------------+--------------+
186 fixed length variable number of EHs & length
187 <------------> <-------------------------------->
189 Figure 2: IPv6 Packet Structure
191 This packet structure has the following implications:
193 o [RFC8200] requires the entire IPv6 header chain to be contained in
194 the first fragment of a packet, therefore limiting the IPv6
195 extension header chain to the size of the path MTU.
197 o Other than the path MTU constraints, there are no other limits to
198 the number of IPv6 EHs that may be present in a packet.
199 Therefore, there is no upper-limit regarding "how deep into the
200 IPv6 packet" the upper-layer may be found.
202 o The only way for a node to obtain the upper-layer protocol type or
203 find the upper-layer protocol header is to parse and process the
204 entire IPv6 header chain, in sequence, starting from the mandatory
205 IPv6 header, until the last header in the IPv6 header chain is
206 found.
208 5. Previous Work on IPv6 Extension Headers
210 Some of the operational and security implications of IPv6 Extension
211 Headers have been discussed at the IETF:
213 o [I-D.taylor-v6ops-fragdrop] discusses a rationale for which
214 operators drop IPv6 fragments.
216 o [I-D.wkumari-long-headers] discusses possible issues arising from
217 "long" IPv6 header chains.
219 o [I-D.kampanakis-6man-ipv6-eh-parsing] describes how
220 inconsistencies in the way IPv6 packets with extension headers are
221 parsed by different implementations could result in evasion of
222 security controls, and presents guidelines for parsing IPv6
223 extension headers with the goal of providing a common and
224 consistent parsing methodology for IPv6 implementations.
226 o [I-D.ietf-opsec-ipv6-eh-filtering] analyzes the security
227 implications of IPv6 EHs, and the operational implications of
228 dropping packets that employ IPv6 EHs and associated options.
230 o [RFC7113] discusses how some popular RA-Guard implementations are
231 subject to evasion by means of IPv6 extension headers.
233 o [RFC8900] analyzes the fragility introduced by IP fragmentation.
235 A number of recent RFCs have discussed issues related to IPv6
236 extension headers, specifying updates to a previous revision of the
237 IPv6 standard [RFC2460], many of which have now been incorporated
238 into the current IPv6 core standard [RFC8200] or the IPv6 Node
239 Requirements [RFC8504]. Namely,
240 o [RFC5095] discusses the security implications of Routing Header
241 Type 0 (RTH0), and deprecates it.
243 o [RFC5722] analyzes the security implications of overlapping
244 fragments, and provides recommendations in this area.
246 o [RFC7045] clarifies how intermediate nodes should deal with IPv6
247 extension headers.
249 o [RFC7112] discusses the issues arising in a specific fragmentation
250 case where the IPv6 header chain is fragmented into two or more
251 fragments (and formally forbids such fragmentation).
253 o [RFC6946] discusses a flawed (but common) processing of the so-
254 called IPv6 "atomic fragments", and specified improved processing
255 of such packets.
257 o [RFC8021] deprecates the generation of IPv6 atomic fragments.
259 o [RFC8504] clarifies processing rules for packets with extension
260 headers, and also allows hosts to enforce limits on the number of
261 options included in IPv6 EHs.
263 o [RFC7739] discusses the security implications of predictable
264 fragment Identification values, and provides recommendations for
265 the generation of these values.
267 o [RFC6980] analyzes the security implications of employing IPv6
268 fragmentation with Neighbor Discovery for IPv6, and formally
269 recommends against such usage.
271 Additionally, [RFC8200] has relaxed the requirement that "all nodes
272 examine and process the Hop-by-Hop Options header" from [RFC2460], by
273 specifying that only nodes that have been explicitly configured to
274 process the Hop-by-Hop Options header are required to do so.
276 A number of studies have measured the extent to which packets
277 employing IPv6 extension headers are dropped in the public Internet:
279 o [PMTUD-Blackholes] and [Linkova-Gont-IEPG90] presented some
280 preliminary measurements regarding the extent to which packet
281 containing IPv6 EHs are dropped in the public Internet.
283 o [RFC7872] presents more comprehensive results and documents the
284 methodology used to obtain these results.
286 o [Huston-2017] and [Huston-2020] measured packet drops resulting
287 from IPv6 fragmentation when communicating with DNS servers.
289 6. Packet Forwarding Engine Constraints
291 Most contemporary carrier-grade routers use dedicated hardware, e.g.
292 application-specific integrated circuits (ASICs) or network
293 processing units (NPUs), to determine how to forward packets across
294 their internal fabrics (see [IEPG94-Scudder] and [APNIC-Scudder] for
295 details). One of the common methods of handling next-hop lookup is
296 to send a small portion of the ingress packet to a lookup engine with
297 specialised hardware, e.g. ternary content-addressable memory (TCAM)
298 or reduced latency dynamic random-access memory (RLDRAM), to
299 determine the packet's next-hop. Technical constraints mean that
300 there is a trade-off between the amount of data sent to the lookup
301 engine and the overall packet forwarding rate of the lookup engine.
302 If more data is sent, the lookup engine can inspect further into the
303 packet, but the overall packet forwarding rate of the system will be
304 reduced. If less data is sent, the overall packet forwarding rate of
305 the router will be increased but the packet lookup engine may not be
306 able to inspect far enough into a packet to determine how it should
307 be handled.
309 NOTE:
310 For example, some contemporary high-end routers are known to
311 inspect up to 192 bytes, while others are known to parse up to 384
312 bytes of header.
314 If a hardware forwarding engine on a contemporary router cannot make
315 a forwarding decision about a packet because critical information is
316 not sent to the look-up engine, then the router will normally drop
317 the packet. Section 7 discusses some of the reasons for which a
318 contemporary router might need to access layer-4 information to make
319 a forwarding decision.
321 Historically, some packet forwarding engines punted packets of this
322 form to the control plane for more in-depth analysis, but this is
323 unfeasible on most contemporary router architectures as a result of
324 the vast difference between the hardware forwarding capacity of the
325 router and processing capacity of the control plane and the size of
326 the management link which connects the control plane to the
327 forwarding plane. Other platforms may have a separate software
328 forwarding plane that is distinct both from the hardware forwarding
329 plane and the control plane. However, the limited CPU resources of
330 this software-based forwarding plane, as well as the limited
331 bandwidth of the associated link results in similar throughput
332 constraints.
334 If an IPv6 header chain is sufficiently long that it exceeds the
335 packet look-up capacity of the router, the router might be unable to
336 determine how the packet should be handled, and thus could resort to
337 dropping the packet.
339 6.1. Recirculation
341 Although TLV chains are amenable to iterative processing on
342 architectures that have packet look-up engines with deep inspection
343 capabilities, some packet forwarding engines manage IPv6 Extension
344 Header chains using recirculation. This approach processes Extension
345 Headers one at a time: when processing on one Extension Header is
346 completed, the packet is looped back through the processing engine
347 again. This recirculation process continues repeatedly until there
348 are no more Extension Headers left to be processed.
350 Recirculation is typically used on packet forwarding engines with
351 limited look-up capability, because it allows arbitrarily long header
352 chains to be processed without the complexity and cost associated
353 with packet forwarding engines which have deep look-up capabilities.
354 However, recirculation can impact the forwarding capacity of
355 hardware, as each packet will pass through the processing engine
356 multiple times. Depending on configuration, the type of packets
357 being processed, and the hardware capabilities of the packet
358 forwarding engine, this could impact data-plane throughput
359 performance on the router.
361 7. Requirement to Process Layer-3/layer-4 information in Intermediate
362 Systems
364 The following subsections discuss some of the reasons for which
365 intermediate systems may need to process Layer-3/layer-4 information
366 to make a forwarding decision.
368 7.1. ECMP and Hash-based Load-Sharing
370 In the case of equal cost multi-path (ECMP) load sharing, the
371 intermediate system needs to make a decision regarding which of its
372 interfaces to use to forward a given packet. Since round-robin usage
373 of the links is usually avoided to prevent packet reordering,
374 forwarding engines need to use a mechanism that will consistently
375 forward the same data streams down the same forwarding paths. Most
376 forwarding engines achieve this by calculating a simple hash using an
377 n-tuple gleaned from a combination of layer-2 through to layer-4
378 packet header information. This n-tuple will typically use the src/
379 dst MAC address, src/dst IP address, and if possible further layer-4
380 src/dst port information.
382 In the IPv6 world, flows are expected to be identified by means of
383 the IPv6 Flow Label [RFC6437]. Thus, ECMP and Hash-based Load-
384 Sharing should be possible without the need to process the entire
385 IPv6 header chain to obtain upper-layer information to identify
386 flows. [RFC7098] discusses how the IPv6 Flow Label can used to
387 enhance layer 3/4 load distribution and balancing for large server
388 farms.
390 Historically, many IPv6 implementations failed to set the Flow Label,
391 and hash-based ECMP/load-sharing devices also did not employ the Flow
392 Label for performing their task. While support of [RFC6437] is
393 currently widespread for current versions of all popular host
394 implementations, there is still only marginal usage of the IPv6 Flow
395 Label for ECMP and load balancing [Cunha-2020]. A contributing
396 factor could be the issues that have been found in host
397 implementations and middle-boxes [Jaeggli-2018].
399 Clearly, widespread support of [RFC6437] would relieve intermediate
400 systems from having to process the entire IPv6 header chain, making
401 Flow Label-based ECMP and Load-Sharing [RFC6438] feasible.
403 If an intermediate system cannot determine consistent n-tuples for
404 calculating flow hashes, data streams are more likely to end up being
405 distributed unequally across ECMP and load-shared links. This may
406 lead to packet drops or reduced performance.
408 7.2. Enforcing infrastructure ACLs
410 Infrastructure ACLs (iACLs) drop unwanted packets destined to a
411 network's infrastructure. Typically, iACLs are deployed because
412 external direct access to a network's infrastructure addresses is
413 operationally unnecessary, and can be used for attacks of different
414 sorts against router control planes. To this end, traffic usually
415 needs to be differentiated on the basis of layer-3 or layer-4
416 criteria to achieve a useful balance of protection and functionality.
417 For example, an infrastructure may be configured with the following
418 policy:
420 o Permit some amount of ICMP echo (ping) traffic towards a router's
421 addresses for troubleshooting.
423 o Permit BGP sessions on the shared network of an exchange point
424 (potentially differentiating between the amount of packets/seconds
425 permitted for established sessions and connection establishment),
426 but do not permit other traffic from the same peer IP addresses.
428 If a forwarding router cannot determine consistent n-tuples for
429 calculating flow hashes, data streams are more likely to end up being
430 distributed unequally across ECMP and load-shared links. This may
431 lead to packet drops or reduced performance.
433 If a network cannot deploy infrastructure ACLs, then the security of
434 the network may be compromised due to having more potential attack
435 vectors open.
437 7.3. DDoS Management and Customer Requests for Filtering
439 The case of customer DDoS protection and edge-to-core customer
440 protection filters is similar in nature to the iACL protection.
441 Similar to iACL protection, layer-4 ACLs generally need to be applied
442 as close to the edge of the network as possible, even though the
443 intent is usually to protect the customer edge rather than the
444 provider core. Application of layer-4 DDoS protection to a network
445 edge is often automated using Flowspec [RFC5575].
447 For example, a web site that normally only handled traffic on TCP
448 ports 80 and 443 could be subject to a volumetric DDoS attack using
449 NTP and DNS packets with randomised source IP address, thereby
450 rendering traditional [RFC5635] source-based real-time black hole
451 mechanisms useless. In this situation, DDoS protection ACLs could be
452 configured to block all UDP traffic at the network edge without
453 impairing the web server functionality in any way. Thus, being able
454 to block arbitrary protocols at the network edge can avoid DDoS-
455 related problems both in the provider network and on the customer
456 edge link.
458 7.4. Network Intrusion Detection and Prevention
460 Network Intrusion Detection Systems (NIDS) examine network traffic
461 and try to identify traffic patterns that can be correlated to
462 network-based attacks. These systems generally inspect application-
463 layer traffic (if possible), but at the bare minimum inspect layer-4
464 flows. When attack activity is inferred, the operator is notified of
465 the potential intrusion attempt.
467 Network Intrusion Prevention Systems (IPS) operate similarly to
468 NIDS's, but they can also prevent intrusions by reacting to detected
469 attack attempts by e.g., triggering packet filtering policies at
470 firewalls and other devices.
472 Use of extension headers can be problematic for NIDS/IPS, since:
474 o Extension headers increase the complexity of resulting traffic,
475 and the associated work and system requirements to process it.
477 o Use of unknown extension headers can prevent an NIDS/IPS from
478 processing layer-4 information.
480 o Use of IPv6 fragmentation requires a stateful fragment-reassembly
481 operation, even for decoy traffic employing forged source
482 addresses (see e.g., [nmap]).
484 As a result, in order to increase the efficiency or effectiveness of
485 these systems, packets employing IPv6 extension headers are often
486 dropped at the network ingress point(s) of networks that deploy these
487 systems.
489 7.5. Firewalling
491 Firewalls enforce security policies by means of packet filtering.
492 These systems usually inspect layer-3 and layer-4 traffic, but can
493 often also examine application-layer traffic flows.
495 As with NIDS/IPS (Section 7.4), use of IPv6 extension headers can
496 represent a challenge to network firewalls, since:
498 o Extension headers increase the complexity of resulting traffic,
499 and the associated work and system requirements to process it, as
500 outlined in [Zack-FW-Benchmark].
502 o Use of unknown extension headers can prevent firewalls from
503 processing layer-4 information.
505 o Use of IPv6 fragmentation requires a stateful fragment-reassembly
506 operation, even for decoy traffic employing forged source
507 addresses (see e.g., [nmap]).
509 Additionally, a common firewall filtering policy is the so-called
510 "default deny", where all traffic is blocked (by default), and only
511 expected traffic is added to an "allow/accept list".
513 As a result, packets employing IPv6 extension headers are often
514 dropped by network firewalls, either because of the challenges
515 represented by extension headers or because the use of IPv6 extension
516 headers has not been explicitly allowed.
518 Note that although the data presented in [Zack-FW-Benchmark] were
519 several years old at the time of publication of this document, many
520 contemporary firewalls use comparable hardware and software
521 architecture, and consequently the conclusions of this benchmark are
522 still relevant, despite its age.
524 8. Operational and Security Implications
526 8.1. Inability to Find Layer-4 Information
528 As discussed in Section 7, intermediate systems that need to find the
529 layer-4 header must process the entire IPv6 extension header chain.
530 When such devices are unable to obtain the required information, the
531 forwarding device has the option to drop the packet unconditionally,
532 forward the packet unconditionally, or process the packet outside the
533 normal forwarding path. Forwarding packets unconditionally will
534 usually allow for the circumvention of security controls (see e.g.,
535 Section 7.5), while processing packets outside of the normal
536 forwarding path will usually open the door to DoS attacks (see e.g.,
537 Section 6). Thus, in these scenarios, devices often simply resort to
538 dropping such packets unconditionally.
540 8.2. Route-Processor Protection
542 Most contemporary carrier-grade routers have a fast hardware-assisted
543 forwarding plane and a loosely coupled control plane, connected
544 together with a link that has much less capacity than the forwarding
545 plane could handle. Traffic differentiation cannot be performed by
546 the control plane, because this would overload the internal link
547 connecting the forwarding plane to the control plane.
549 The Hop-by-Hop Options header has been particularly challenging since
550 in most circumstances, the corresponding packet is punted to the
551 control plane for processing. As a result, many operators drop IPv6
552 packets containing this extension header [RFC7872]. [RFC6192]
553 provides advice regarding protection of a router's control plane.
555 8.3. Inability to Perform Fine-grained Filtering
557 Some intermediate systems do not have support for fine-grained
558 filtering of IPv6 extension headers. For example, an operator that
559 wishes to drop packets containing Routing Header Type 0 (RHT0), may
560 only be able to filter on the extension header type (Routing Header).
561 This could result in an operator enforcing a more coarse filtering
562 policy (e.g., "drop all packets containing a Routing Header" vs.
563 "only drop packets that contain a Routing Header Type 0").
565 8.4. Security Concerns Associated with IPv6 Extension Headers
567 The security implications of IPv6 Extension Headers generally fall
568 into one or more of these categories:
570 o Evasion of security controls
571 o DoS due to processing requirements
573 o DoS due to implementation errors
575 o Extension Header-specific issues
577 Unlike IPv4 packets where the upper-layer protocol can be trivially
578 found by means of the "IHL" ("Internet Header Length") IPv4 header
579 field, the structure of IPv6 packets is more flexible and complex.
580 This can represent a challenge for devices that need to find this
581 information, since locating upper-layer protocol information requires
582 that all IPv6 extension headers be examined. In turn, this presents
583 implementation difficulties, since some packet filtering mechanisms
584 that require upper-layer information (even if just the upper layer
585 protocol type) can be trivially circumvented by inserting IPv6
586 Extension Headers between the main IPv6 header and the upper layer
587 protocol. [RFC7113] describes this issue for the RA-Guard case, but
588 the same techniques could be employed to circumvent other IPv6
589 firewall and packet filtering mechanisms. Additionally,
590 implementation inconsistencies in packet forwarding engines can
591 result in evasion of security controls
592 [I-D.kampanakis-6man-ipv6-eh-parsing] [Atlasis2014] [BH-EU-2014].
594 Sometimes packets with IPv6 Extension Headers can impact throughput
595 performance on intermediate systems. Unless appropriate mitigations
596 are put in place (e.g., packet dropping and/or rate-limiting), an
597 attacker could simply send a large amount of IPv6 traffic employing
598 IPv6 Extension Headers with the purpose of performing a Denial of
599 Service (DoS) attack (see Section 6.1 and Section 8 for further
600 details).
602 NOTE:
603 In the most trivial case, a packet that includes a Hop-by-Hop
604 Options header might go through the slow forwarding path, to be
605 processed by the router's CPU. Alternatively, a router configured
606 to enforce an ACL based on upper-layer information (e.g., upper
607 layer protocol or TCP Destination Port) may need to process the
608 entire IPv6 header chain in order to find the required
609 information, thereby causing the packet to be processed in the
610 slow path [Cisco-EH-Cons]. We note that, for obvious reasons, the
611 aforementioned performance issues can affect other devices such as
612 firewalls, Network Intrusion Detection Systems (NIDS), etc.
613 [Zack-FW-Benchmark]. The extent to which performance is affected
614 on these devices is implementation-dependent.
616 IPv6 implementations, like all other software, tend to mature with
617 time and wide-scale deployment. While the IPv6 protocol itself has
618 existed for over 20 years, serious bugs related to IPv6 Extension
619 Header processing continue to be discovered (see e.g., [Cisco-Frag],
620 [Microsoft-SA], and [FreeBSD-SA]). Because there is currently little
621 operational reliance on IPv6 Extension headers, the corresponding
622 code paths are rarely exercised, and there is the potential for bugs
623 that still remain to be discovered in some implementations.
625 IPv6 Fragment Headers are employed to allow fragmentation of IPv6
626 packets. While many of the security implications of the
627 fragmentation / reassembly mechanism are known from the IPv4 world,
628 several related issues have crept into IPv6 implementations. These
629 range from denial of service attacks to information leakage, as
630 discussed in [RFC7739], [Bonica-NANOG58] and [Atlasis2012]).
632 9. IANA Considerations
634 This document has no IANA actions.
636 10. Security Considerations
638 The security implications of IPv6 extension headers are discussed in
639 Section 8.4. This document does not introduce any new security
640 issues.
642 11. Acknowledgements
644 The authors would like to thank (in alphabetical order) Mikael
645 Abrahamsson, Fred Baker, Dale W. Carder, Brian Carpenter, Tim Chown,
646 Owen DeLong, Gorry Fairhurst, Guillermo Gont, Tom Herbert, Lee
647 Howard, Tom Petch, Sander Steffann, Eduard Vasilenko, Eric Vyncke,
648 Rob Wilton, Jingrong Xie, and Andrew Yourtchenko, for providing
649 valuable comments on earlier versions of this document.
651 Fernando Gont would like to thank Jan Zorz / Go6 Lab
652 , Jared Mauch, and Sander Steffann
653 , for providing access to systems and networks
654 that were employed to perform experiments and measurements involving
655 packets with IPv6 Extension Headers.
657 12. References
659 12.1. Normative References
661 [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
662 of Type 0 Routing Headers in IPv6", RFC 5095,
663 DOI 10.17487/RFC5095, December 2007,
664 .
666 [RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments",
667 RFC 5722, DOI 10.17487/RFC5722, December 2009,
668 .
670 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments",
671 RFC 6946, DOI 10.17487/RFC6946, May 2013,
672 .
674 [RFC6980] Gont, F., "Security Implications of IPv6 Fragmentation
675 with IPv6 Neighbor Discovery", RFC 6980,
676 DOI 10.17487/RFC6980, August 2013,
677 .
679 [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of
680 Oversized IPv6 Header Chains", RFC 7112,
681 DOI 10.17487/RFC7112, January 2014,
682 .
684 [RFC8021] Gont, F., Liu, W., and T. Anderson, "Generation of IPv6
685 Atomic Fragments Considered Harmful", RFC 8021,
686 DOI 10.17487/RFC8021, January 2017,
687 .
689 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
690 (IPv6) Specification", STD 86, RFC 8200,
691 DOI 10.17487/RFC8200, July 2017,
692 .
694 [RFC8504] Chown, T., Loughney, J., and T. Winters, "IPv6 Node
695 Requirements", BCP 220, RFC 8504, DOI 10.17487/RFC8504,
696 January 2019, .
698 12.2. Informative References
700 [APNIC-Scudder]
701 Scudder, J., "Modern router architecture and IPv6", APNIC
702 Blog, June 4, 2020, .
705 [Atlasis2012]
706 Atlasis, A., "Attacking IPv6 Implementation Using
707 Fragmentation", BlackHat Europe 2012. Amsterdam,
708 Netherlands. March 14-16, 2012,
709 .
712 [Atlasis2014]
713 Atlasis, A., "A Novel Way of Abusing IPv6 Extension
714 Headers to Evade IPv6 Security Devices", May 2014,
715 .
718 [BH-EU-2014]
719 Atlasis, A., Rey, E., and R. Schaefer, "Evasion of High-
720 End IDPS Devices at the IPv6 Era", BlackHat Europe 2014,
721 2014, .
724 [Bonica-NANOG58]
725 Bonica, R., "IPV6 FRAGMENTATION: The Case For
726 Deprecation", NANOG 58. New Orleans, Louisiana, USA. June
727 3-5, 2013, .
730 [Cisco-EH-Cons]
731 Cisco, "IPv6 Extension Headers Review and Considerations",
732 October 2006,
733 .
736 [Cisco-Frag]
737 Cisco, "Cisco IOS XR Software Crafted IPv6 Packet Denial
738 of Service Vulnerability", June 2015,
739 .
742 [Cunha-2020]
743 Cunha, I., "IPv4 vs IPv6 load balancing in Internet
744 routes", NPS/CAIDA 2020 Virtual IPv6 Workshop, 2020,
745 .
748 [FreeBSD-SA]
749 FreeBSD, "FreeBSD Security Advisory FreeBSD-SA-20:24.ipv6:
750 IPv6 Hop-by-Hop options use-after-free bug", September
751 2020, .
754 [Huston-2017]
755 Huston, G., "Dealing with IPv6 fragmentation in the
756 DNS", APNIC Blog, 2017,
757 .
760 [Huston-2020]
761 Huston, G., "Measurement of IPv6 Extension Header
762 Support", NPS/CAIDA 2020 Virtual IPv6 Workshop, 2020,
763 .
766 [I-D.ietf-opsec-ipv6-eh-filtering]
767 Gont, F. and W. Liu, "Recommendations on the Filtering of
768 IPv6 Packets Containing IPv6 Extension Headers at Transit
769 Routers", draft-ietf-opsec-ipv6-eh-filtering-07 (work in
770 progress), January 2021.
772 [I-D.kampanakis-6man-ipv6-eh-parsing]
773 Kampanakis, P., "Implementation Guidelines for parsing
774 IPv6 Extension Headers", draft-kampanakis-6man-ipv6-eh-
775 parsing-01 (work in progress), August 2014.
777 [I-D.taylor-v6ops-fragdrop]
778 Jaeggli, J., Colitti, L., Kumari, W., Vyncke, E., Kaeo,
779 M., and T. Taylor, "Why Operators Filter Fragments and
780 What It Implies", draft-taylor-v6ops-fragdrop-02 (work in
781 progress), December 2013.
783 [I-D.wkumari-long-headers]
784 Kumari, W., Jaeggli, J., Bonica, R. P., and J. Linkova,
785 "Operational Issues Associated With Long IPv6 Header
786 Chains", draft-wkumari-long-headers-03 (work in progress),
787 June 2015.
789 [IEPG94-Scudder]
790 Petersen, B. and J. Scudder, "Modern Router Architecture
791 for Protocol Designers", IEPG 94. Yokohama, Japan.
792 November 1, 2015, .
795 [Jaeggli-2018]
796 Jaeggli, J., "IPv6 flow label: misuse in hashing", APNIC
797 Blog, 2018, .
800 [Linkova-Gont-IEPG90]
801 Linkova, J. and F. Gont, "IPv6 Extension Headers in the
802 Real World v2.0", IEPG 90. Toronto, ON, Canada. July 20,
803 2014, .
806 [Microsoft-SA]
807 Microsoft, "Windows TCP/IP Remote Code Execution
808 Vulnerability (CVE-2021-24094)", February 2021,
809 .
812 [nmap] Fyodor, "Dealing with IPv6 fragmentation in the
813 DNS", Firewall/IDS Evasion and Spoofing,
814 .
816 [PMTUD-Blackholes]
817 De Boer, M. and J. Bosma, "Discovering Path MTU black
818 holes on the Internet using RIPE Atlas", July 2012,
819 .
822 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
823 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
824 December 1998, .
826 [RFC5575] Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J.,
827 and D. McPherson, "Dissemination of Flow Specification
828 Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009,
829 .
831 [RFC5635] Kumari, W. and D. McPherson, "Remote Triggered Black Hole
832 Filtering with Unicast Reverse Path Forwarding (uRPF)",
833 RFC 5635, DOI 10.17487/RFC5635, August 2009,
834 .
836 [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
837 Router Control Plane", RFC 6192, DOI 10.17487/RFC6192,
838 March 2011, .
840 [RFC6437] Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme,
841 "IPv6 Flow Label Specification", RFC 6437,
842 DOI 10.17487/RFC6437, November 2011,
843 .
845 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
846 for Equal Cost Multipath Routing and Link Aggregation in
847 Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011,
848 .
850 [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing
851 of IPv6 Extension Headers", RFC 7045,
852 DOI 10.17487/RFC7045, December 2013,
853 .
855 [RFC7098] Carpenter, B., Jiang, S., and W. Tarreau, "Using the IPv6
856 Flow Label for Load Balancing in Server Farms", RFC 7098,
857 DOI 10.17487/RFC7098, January 2014,
858 .
860 [RFC7113] Gont, F., "Implementation Advice for IPv6 Router
861 Advertisement Guard (RA-Guard)", RFC 7113,
862 DOI 10.17487/RFC7113, February 2014,
863 .
865 [RFC7739] Gont, F., "Security Implications of Predictable Fragment
866 Identification Values", RFC 7739, DOI 10.17487/RFC7739,
867 February 2016, .
869 [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu,
870 "Observations on the Dropping of Packets with IPv6
871 Extension Headers in the Real World", RFC 7872,
872 DOI 10.17487/RFC7872, June 2016,
873 .
875 [RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O.,
876 and F. Gont, "IP Fragmentation Considered Fragile",
877 BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020,
878 .
880 [Zack-FW-Benchmark]
881 Zack, E., "Firewall Security Assessment and Benchmarking
882 IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1,
883 Berlin, Germany. June 30, 2013,
884 .
888 Authors' Addresses
890 Fernando Gont
891 SI6 Networks
892 Segurola y Habana 4310, 7mo Piso
893 Villa Devoto, Ciudad Autonoma de Buenos Aires
894 Argentina
896 Email: fgont@si6networks.com
897 URI: https://www.si6networks.com
898 Nick Hilliard
899 INEX
900 4027 Kingswood Road
901 Dublin 24
902 IE
904 Email: nick@inex.ie
906 Gert Doering
907 SpaceNet AG
908 Joseph-Dollinger-Bogen 14
909 Muenchen D-80807
910 Germany
912 Email: gert@space.net
914 Warren Kumari
915 Google
916 1600 Amphitheatre Parkway
917 Mountain View, CA 94043
918 US
920 Email: warren@kumari.net
922 Geoff Huston
924 Email: gih@apnic.net
925 URI: http://www.apnic.net
927 Will (Shucheng) Liu
928 Huawei Technologies
929 Bantian, Longgang District
930 Shenzhen 518129
931 P.R. China
933 Email: liushucheng@huawei.com