IPv6 Operations                                                E. Davies
Internet-Draft                                                Consultant
Expires: January 19, 2006                                    S. Krishnan
                                                                Ericsson
                                                               P. Savola
                                                               CSC/Funet
                                                           July 18, 2005

          IPv6 Transition/Co-existence Security Considerations
                 draft-ietf-v6ops-security-overview-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 19, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   The transition from a pure IPv4 network to a network where IPv4 and
   IPv6 co-exist brings a number of extra security considerations that
   need to be taken into account when deploying IPv6 and operating the
   dual-protocol network and the associated transition mechanisms.  This
   document attempts to give an overview of the various issues grouped
   into three categories:
   o  issues due to the IPv6 protocol itself,
   o  issues due to transition mechanisms, and
   o  issues due to IPv6 deployment.

Table of Contents

   1.  Introduction
   2.  Issues Due to IPv6 Protocol
       2.1  IPv6 Protocol-specific Issues
            2.1.1  Routing Headers and Hosts
            2.1.2  Routing Headers for Mobile IPv6 and Other Purposes
            2.1.3  Site-scope Multicast Addresses
            2.1.4  ICMPv6 and Multicast
            2.1.5  Anycast Traffic Identification and Security
            2.1.6  Address Privacy Extensions Interact with DDoS Defenses
            2.1.7  Dynamic DNS: Stateless Address Auto-Configuration,
                   Privacy Extensions and SEND
            2.1.8  Extension Headers
            2.1.9  Fragmentation: Reassembly and Deep Packet Inspection
            2.1.10 Fragmentation Related DoS Attacks
            2.1.11 Link-Local Addresses and Securing Neighbor Discovery
            2.1.12 Mobile IPv6
       2.2  IPv4-mapped IPv6 Addresses
       2.3  Increased End-to-End Transparency
            2.3.1  IPv6 Networks without NATs
            2.3.2  Enterprise Network Security Model for IPv6
   3.  Issues Due to Transition Mechanisms
       3.1  IPv6 Transition/Co-existence Mechanism-specific Issues
       3.2  Automatic Tunneling and Relays
       3.3  Tunneling IPv6 Through IPv4 Networks may Break IPv4
            Network Security Assumptions
   4.  Issues Due to IPv6 Deployment
       4.1  IPv6 Service Piloting Done Insecurely
       4.2  DNS Server Problems
       4.3  Addressing Schemes and Securing Routers
       4.4  Consequences of Multiple Addresses in IPv6
       4.5  Deploying ICMPv6
            4.5.1  Problems Resulting from ICMPv6 Transparency
       4.6  IPsec Transport Mode
       4.7  Reduced Functionality Devices
       4.8  Operational Factors when Enabling IPv6 in the Network
       4.9  Ingress Filtering Issues Due to Privacy Addresses
       4.10 Security Issues Due to ND Proxies
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
       8.1  Normative References
       8.2  Informative References
   Authors' Addresses
   A.  IPv6 Probing/Mapping Considerations
   B.  IPv6 Privacy Considerations
       B.1  Exposing MAC Addresses
       B.2  Exposing Multiple Devices
       B.3  Exposing the Site by a Stable Prefix
   Intellectual Property and Copyright Statements

1.  Introduction

   The transition from a pure IPv4 network to a network where IPv4 and
   IPv6 co-exist brings a number of extra security considerations that
   need to be taken into account when deploying IPv6 and operating the
   dual-protocol network with its associated transition mechanisms.
   This document attempts to give an overview of the various issues
   grouped into three categories:
   o  issues due to the IPv6 protocol itself,
   o  issues due to transition mechanisms, and
   o  issues due to IPv6 deployment.
   It is important to understand that we have to be concerned not about
   replacing IPv4 with IPv6 (in the short term), but with adding IPv6 to
   be operated in parallel with IPv4 [I-D.savola-v6ops-transarch].

   This document also describes two matters which have been wrongly
   identified as potential security concerns for IPv6 in the past and
   explains why they are unlikely to cause problems: considerations
   about probing/mapping IPv6 addresses (Appendix A), and considerations
   with respect to privacy in IPv6 (Appendix B).

2.  Issues Due to IPv6 Protocol

2.1  IPv6 Protocol-specific Issues

   There are significant differences between the features of IPv6 and
   IPv4: some of these specification changes may result in potential
   security issues.  Several of these issues have been discussed in
   separate drafts but are summarized here to avoid normative references
   which may not become RFCs.  The following specification-related
   problems have been identified, but this is not necessarily a complete
   list:

2.1.1  Routing Headers and Hosts

   All IPv6 nodes must be able to process Routing Headers [RFC2460].
   This RFC can be interpreted, although it is not clearly stated, to
   mean that all nodes (including hosts) must have this processing
   enabled.  This can result in hosts forwarding received traffic if
   there are segments left in the Routing Header when it arrives at the
   host.

   A number of potential security issues associated with this behavior
   were documented in [I-D.savola-ipv6-rh-hosts].  Some of these issues
   have been resolved (a separate routing header type is now used for
   Mobile IPv6 [RFC3775] and ICMP Traceback has not been standardized),
   but two issues remain:

   o  Routing headers can be used to evade access controls based on
      destination addresses.  This could be achieved by sending a packet
      ostensibly to a publicly accessible host address but with a
      routing header containing a 'forbidden' address.  If the publicly
      accessible host is processing routing headers it will forward the
      packet to the destination address in the routing header which
      would have been forbidden by the packet filters if the address had
      been in the destination field when the packet was checked.

   o  If the packet source address in the previous case can be spoofed,
      any host could be used to mediate an anonymous reflection
      denial-of-service attack by having any publicly accessible host
      redirect the attack packets.

2.1.2  Routing Headers for Mobile IPv6 and Other Purposes

   In addition to the basic Routing Header (Type 0), which is intended
   to influence the trajectory of a packet through a network by
   specifying a sequence of router 'waypoints', Routing Header (Type 2)
   has been defined as part of the Mobile IPv6 specifications in
   [RFC3775].  The Type 2 Routing Header is intended for use by hosts to
   handle 'interface local' forwarding needed when packets are sent to
   the care-of address of a mobile node which is away from its home
   address.

   It is important that nodes treat the different types of routing
   header appropriately.  It should be possible to apply separate
   filtering rules to the different types of Routing Header.  By design,
   hosts must process Type 2 Routing Headers to support Mobile IPv6 but
   routers should not: to avoid the issues in Section 2.1.1 it may be
   desirable to forbid or limit the processing of Type 0 Routing Headers
   in hosts and some routers.

   Routing Headers are an extremely powerful and general capability.
   Alternative future uses of Routing Headers need to be carefully
   assessed to ensure that they do not open new avenues of attack that
   can be exploited.
2.1.3  Site-scope Multicast Addresses

   IPv6 supports multicast addresses with site scope which can
   potentially allow an attacker to identify certain important resources
   on the site if misused.

   Particular examples are the 'all routers' (FF05::2) and 'all DHCP
   servers' (FF05::1:3) addresses defined in [RFC2375]: an attacker that
   is able to infiltrate a message destined for these addresses on to
   the site will potentially receive in return information identifying
   key resources on the site.  This information can then be the target
   of directed attacks ranging from simple flooding to more specific
   mechanisms designed to subvert the device.

   Some of these addresses have current legitimate uses within a site.
   The risk can be minimized by ensuring that all firewalls and site
   boundary routers are configured to drop packets with site scope
   destination addresses.  Also nodes should not join multicast groups
   for which there is no legitimate use on the site and site routers
   should be configured to drop packets directed to these unused
   addresses.

2.1.4  ICMPv6 and Multicast

   It is possible to launch a denial-of-service (DoS) attack using IPv6
   which could be amplified by the multicast infrastructure.

   Unlike ICMP for IPv4, ICMPv6 [RFC2463] allows error notification
   responses to be sent when certain unprocessable packets are sent to
   multicast addresses.

   The cases in which responses are sent are:
   o  The received packet is longer than the next link MTU: 'Packet Too
      Big' responses are needed to support Path MTU Discovery for
      multicast traffic.
   o  The received packet contains an unrecognized option in a
      hop-by-hop or destination options extension header with the first
      two bits of the option type set to binary '10': 'Parameter
      Problem' responses are intended to inform the source that some or
      all of the recipients cannot handle the option in question.
   If an attacker can craft a suitable packet sent to a multicast
   destination, it may be possible to elicit multiple responses directed
   at the victim (the spoofed source of the multicast packet).  On the
   other hand, the use of 'reverse path forwarding' checks to eliminate
   loops in multicast forwarding automatically limits the range of
   addresses which can be spoofed.

   In practice an attack using oversize packets is unlikely to cause
   much amplification unless the attacker is able to carefully tune the
   packet size to exploit a network with smaller MTU in the edge than
   the core.  Similarly a packet with a hop-by-hop option would be
   dropped by the first router.  However a packet with a destination
   option could generate multiple responses.

   In addition to amplification, this kind of attack would potentially
   consume large amounts of forwarding state resources in routers on
   multicast-enabled networks.  These attacks are discussed in more
   detail in [I-D.savola-v6ops-firewalling].

2.1.5  Anycast Traffic Identification and Security

   IPv6 introduces the notion of anycast addresses and services.
   Originally the IPv6 standards disallowed using an anycast address as
   the source address of a packet.  Responses from an anycast server
   would therefore supply a unicast address for the responding server.
   To avoid exposing knowledge about the internal structure of the
   network, it is recommended that anycast servers now take advantage of
   the ability to return responses with the anycast address as the
   source address if possible.

   If the server needs to use a unicast address for any reason, it may
   be desirable to consider using specialized addresses for anycast
   servers which are not used for any other part of the network to
   restrict the information exposed.  Alternatively operators may wish
   to restrict the use of anycast services from outside the domain, thus
   requiring firewalls to filter anycast requests.  For this purpose,
   firewalls need to know which addresses are being used for anycast
   services: these addresses are arbitrary and not distinguishable from
   any other IPv6 unicast address by structure or pattern.

   One particular class of anycast addresses that should be given
   special attention is the set of Subnet-Router anycast addresses
   defined in The IPv6 Addressing Architecture [RFC3513].  All routers
   are required to support these addresses for all subnets for which
   they have interfaces.  For most subnets using global unicast
   addresses, filtering anycast requests to these addresses can be
   achieved by dropping packets with the lower 64 bits (the Interface
   Identifier) set to all zeroes.

2.1.6  Address Privacy Extensions Interact with DDoS Defenses

   The purpose of the privacy extensions for stateless address
   auto-configuration [RFC3041][I-D.ietf-ipv6-privacy-addrs-v2] is to
   change the interface identifier (and hence the global scope addresses
   generated from it) from time to time.  By varying the addresses used,
   eavesdroppers and other information collectors find it more difficult
   to identify which transactions actually relate to a specific node.

   A security issue may result from this if the frequency of node
   address change is sufficiently great to achieve the intended aim of
   the privacy extensions: with a relatively high rate of change, the
   observed behavior of the node could look very much like that of a
   compromised node which was the source of a distributed denial of
   service (DDoS).
   It would thus be difficult for any future defenses against DDoS
   attacks to distinguish between a high rate of change of addresses
   resulting from genuine use of the privacy extensions and a
   compromised node being used as the source of a DDoS with 'in-prefix'
   spoofed source addresses as described in
   [I-D.dupont-ipv6-rfc3041harmful].

   Even if a node is well behaved, the change in the address could make
   it harder for a security administrator to define a policy rule (e.g.
   access control list) that takes into account a specific node.

2.1.7  Dynamic DNS: Stateless Address Auto-Configuration, Privacy
       Extensions and SEND

   The introduction of Stateless Address Auto-Configuration (SLAAC)
   [RFC2462] with IPv6 provides an additional challenge to the security
   of Dynamic DNS (DDNS).  With manual addressing or the use of DHCP,
   the number of security associations that need to be maintained to
   secure access to the DNS server is limited, assuming any necessary
   updates are carried out by the DHCP server.  This is true equally for
   IPv4 and IPv6.

   Since SLAAC does not make use of a single and potentially trusted
   DHCP server, but depends on the node obtaining the address, securing
   the insertion of updates into DDNS may need a security association
   between each node and the DDNS server.  This is discussed further in
   [I-D.ietf-dnsop-ipv6-dns-issues].

   Using the Privacy Extensions to SLAAC
   [RFC3041][I-D.ietf-ipv6-privacy-addrs-v2] may significantly increase
   the rate of updates of DDNS.  Even if a node using the Privacy
   Extensions does not publish its address for 'forward' lookup (as that
   would effectively compromise the privacy which it is seeking), it may
   still need to update the reverse DNS records so that reverse
   routability checks can be carried out.  If the rate of change needed
   to achieve real privacy has to be increased as is mentioned in
   Section 2.1.6 the update rate for DDNS may be excessive.

   Similarly, the cryptographically generated addresses used by SEND
   [RFC3971] are expected to be periodically regenerated in line with
   recommendations for maximum key lifetimes.  This regeneration could
   also impose a significant extra load on DDNS.

2.1.8  Extension Headers

   A number of issues relating to the specification of IPv6 Extension
   headers have been identified.  Several of these are discussed in
   [I-D.savola-v6ops-firewalling].

2.1.8.1  Processing Extension Headers in Middleboxes

   In IPv4 deep packet inspection techniques are used to implement
   policing and filtering both as part of routers and in middleboxes
   such as firewalls.  Fully extending these techniques to IPv6 would
   require inspection of all the extension headers in a packet.  This is
   essential to ensure that policy constraints on the use of certain
   headers and options are enforced and to remove, at the earliest
   opportunity, packets containing potentially damaging unknown options.

   This requirement appears to conflict with Section 4 of the IPv6
   specification in [RFC2460] which requires that destination options
   are not processed at all until the packet reaches the appropriate
   destination (either the final destination or a routing header
   waypoint).

   Also [RFC2460] forbids processing the headers other than in the order
   in which they appear in the packet.

   A further ambiguity relates to whether an intermediate node should
   discard a packet which contains a header or destination option which
   it does not recognize.  If the rules above are followed slavishly, it
   is not (or may not be) legitimate for the intermediate node to
   discard the packet because it should not be processing those headers
   or options.
   [RFC2460] therefore does not appear to take account of the behavior
   of middleboxes and other non-final destinations which may be
   inspecting the packet, and thereby potentially limits the security
   protection of these boxes.

2.1.8.2  Processing Extension Header Chains

   There is a further problem for middleboxes that want to examine the
   transport headers which are located at the end of the IPv6 header
   chain.  In order to locate the transport header or other protocol
   data unit, the node has to parse the header chain.

   The IPv6 specification [RFC2460] does not mandate the use of the
   Type-Length-Value format with a fixed layout for the start of each
   header although it is used for the majority of headers currently
   defined.  (Only the Type field is guaranteed in size and offset).

   A middlebox cannot therefore guarantee to be able to process header
   chains which may contain headers defined after the box was
   manufactured.  As noted in Section 2.1.8.1, middleboxes ought not to
   have to know about all header types in use but still need to be able
   to skip over such headers to find the transport PDU start.  This
   either limits the security which can be applied in firewalls or makes
   it difficult to deploy new extension header types.

   At the time of writing, only the Fragment Header does not fully
   conform to the TLV format used for other extension headers.  In
   practice, many firewalls reconstruct fragmented packets before
   performing deep packet inspection, so this divergence is less
   problematic than it might have been, and is at least partially
   justified because the full header chain is not present in all
   fragments.

   Destination Options may also contain unknown options.  However, the
   options are encoded in TLV format so that intermediate nodes can skip
   over them during processing, unlike the enclosing extension headers.
2.1.8.3  Unknown Headers/Destination Options and Security Policy

   A strict security policy might dictate that packets containing either
   unknown headers or destination options are discarded by firewalls or
   other filters.  This requires the firewall to process the whole
   extension header chain which may be currently in conflict with the
   IPv6 specification as discussed in Section 2.1.8.1.

   Even if the firewall does inspect the whole header chain, it may not
   be sensible for the firewall to discard packets with unrecognized
   items: the intermediate node has no knowledge of which options and
   headers are implemented in the destination node.  Hence it is highly
   desirable to make the discard policy configurable.  This will avoid
   firewalls dropping packets with legitimate items that they do not
   recognize because their hardware or software is not aware of a new
   definition.

2.1.8.4  Excessive Hop-by-Hop Options

   IPv6 does not limit the number of hop-by-hop options which can be
   present in a hop-by-hop option header.  The lack of a limit can be
   used to mount denial of service attacks affecting all nodes on a path
   as described in [I-D.krishnan-ipv6-hopbyhop].

2.1.8.5  Overuse of Router Alert Option

   The IPv6 router alert option specifies a hop-by-hop option that, if
   present, signals the router to take a closer look at the packet.
   This can be used for denial of service attacks.  By sending a large
   number of packets containing a router alert option an attacker can
   deplete the processor cycles on the routers available to legitimate
   traffic.

2.1.9  Fragmentation: Reassembly and Deep Packet Inspection

   The current specifications of IPv6 in [RFC2460] do not mandate any
   minimum packet size for the fragments of a packet before the last
   one, except for the need to carry the unfragmentable part in all
   fragments.
   The unfragmentable part does not include the transport port numbers
   so that it is possible that the first fragment does not contain
   sufficient information to carry out deep packet inspection involving
   the port numbers.

   Also the reassembly rules for fragmented packets in [RFC2460] do not
   mandate behavior which would minimize the effects of overlapping
   fragments.

   Depending on the implementation of packet reassembly and the
   treatment of packet fragments in firewalls and other nodes which use
   deep packet inspection for traffic filtering, this potentially leaves
   IPv6 open to the sort of attacks described in [RFC1858] and [RFC3128]
   for IPv4.

   There is no reason to allow overlapping packet fragments and overlaps
   could be prohibited in a future revision of the protocol
   specification.  Some implementations already drop all packets with
   overlapped fragments.

   Specifying a minimum size for packet fragments does not help in the
   same way as it does for IPv4 because IPv6 extension headers can be
   made to appear very long: an attacker could insert one or more
   undefined destination options with long lengths and the 'ignore if
   unknown' bit set.  Given the guaranteed minimum MTU of IPv6 it seems
   reasonable that hosts should be able to ensure that the transport
   port numbers are in the first fragment in almost all cases and that
   deep packet inspection should be very suspicious of first fragments
   that do not contain them.

2.1.10  Fragmentation Related DoS Attacks

   Packet reassembly in IPv6 hosts also opens up the possibility of
   various fragment-related security attacks.  Some of these are
   analogous to attacks identified for IPv4.  Of particular concern is a
   DoS attack based on sending large numbers of small fragments without
   a terminating last fragment which would potentially overload the
   reconstruction buffers and consume large amounts of CPU resources.
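   The following Python is an added example, not code from this draft.
   It walks an IPv6 extension header chain the way a middlebox must
   (Section 2.1.8.2) and applies the filtering policies discussed in
   Sections 2.1.1, 2.1.8.3, 2.1.8.4 and 2.1.9: dropping a Type 0 Routing
   Header that still has segments left while leaving Type 2 alone, a
   configurable (default permissive) policy for unknown headers, a cap on
   the number of hop-by-hop options, and a check that a first fragment
   actually carries the transport ports.  The Policy, Verdict, inspect
   and count_options names, the documentation-prefix addresses and every
   sample packet are constructed for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60   # extension headers this walker knows
TCP, UDP, ICMPV6, NO_NEXT = 6, 17, 58, 59
TLV_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}   # next-header octet, then length in 8-octet units minus 1
TRANSPORT = {TCP, UDP, ICMPV6}

@dataclass
class Policy:
    drop_rh0: bool = True                 # Section 2.1.1: Type 0 Routing Header with segments left
    drop_unknown_ext: bool = False        # Section 2.1.8.3: configurable, permissive by default
    max_hbh_options: int = 8              # Section 2.1.8.4: cap on hop-by-hop options
    ports_in_first_fragment: bool = True  # Section 2.1.9: first fragment must reach the ports

@dataclass
class Verdict:
    action: str = "accept"
    reasons: List[str] = field(default_factory=list)
    transport: Optional[int] = None       # transport protocol the walk reached, if any

def count_options(body: bytes) -> int:
    """Count TLV options in a Hop-by-Hop body; Pad1 (type 0) and PadN (type 1) do not count."""
    n, i = 0, 0
    while i < len(body):
        if body[i] == 0:                  # Pad1 is a single octet with no length field
            i += 1
        elif i + 1 >= len(body):          # truncated option: stop counting
            break
        else:
            n += body[i] != 1             # PadN is padding, not a real option
            i += 2 + body[i + 1]
    return n

def inspect(pkt: bytes, policy: Optional[Policy] = None) -> Verdict:
    policy = policy or Policy()
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return Verdict("drop", ["not an IPv6 packet"])
    v = Verdict()
    end = min(len(pkt), IPV6_HDR_LEN + struct.unpack("!H", pkt[4:6])[0])
    nh, off = pkt[6], IPV6_HDR_LEN
    first_fragment = more_fragments = False
    while True:
        if nh in TRANSPORT or nh == NO_NEXT:
            v.transport = nh
            break
        if nh not in TLV_EXT and nh != FRAGMENT:
            # Section 2.1.8.2: an unknown header cannot be skipped reliably, so the walk ends
            # here; Section 2.1.8.3: whether that alone means a drop is a policy choice.
            if policy.drop_unknown_ext:
                v.reasons.append(f"unknown extension header {nh}")
            break
        hlen = 8 if nh == FRAGMENT or off + 2 > end else (pkt[off + 1] + 1) * 8
        if off + hlen > end:
            v.reasons.append("truncated extension header")
            break
        if nh == FRAGMENT:                # fixed 8 octets: the one non-TLV header (Section 2.1.8.2)
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            first_fragment, more_fragments = frag >> 3 == 0, bool(frag & 1)
            if not first_fragment:        # later fragments carry no further headers to inspect
                break
        elif nh == ROUTING and policy.drop_rh0 and pkt[off + 2] == 0 and pkt[off + 3] > 0:
            v.reasons.append("Type 0 Routing Header with segments left")   # Type 2 is left alone
        elif nh == HOP_BY_HOP:
            n = count_options(pkt[off + 2:off + hlen])
            if n > policy.max_hbh_options:
                v.reasons.append(f"{n} hop-by-hop options (limit {policy.max_hbh_options})")
        nh, off = pkt[off], off + hlen
    if (policy.ports_in_first_fragment and first_fragment and more_fragments
            and v.transport in (TCP, UDP) and off + 4 > end):
        v.reasons.append("first fragment does not carry the transport ports")
    if v.reasons:
        v.action = "drop"
    return v

def ipv6(next_header: int, payload: bytes) -> bytes:
    # Constructed IPv6 header with documentation-prefix addresses in front of the payload.
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

TCP_HDR = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, 0x5002, 65535, 0, 0)   # 20-octet SYN
WAYPOINT = ipaddress.IPv6Address("2001:db8:ffff::1").packed
SAMPLES = {                               # all packets are constructed for this example
    "plain_tcp": ipv6(TCP, TCP_HDR),
    # Routing Header: next header, ext len 2 (24 octets), type, segments left, reserved, one address
    "rh0": ipv6(ROUTING, struct.pack("!BBBBI", TCP, 2, 0, 1, 0) + WAYPOINT + TCP_HDR),
    "rh2": ipv6(ROUTING, struct.pack("!BBBBI", TCP, 2, 2, 1, 0) + WAYPOINT + TCP_HDR),
    # Hop-by-Hop header carrying eleven two-octet options (type 0x1e, length 0): 24 octets
    "hbh_flood": ipv6(HOP_BY_HOP, struct.pack("!BB", TCP, 2) + bytes([0x1e, 0]) * 11 + TCP_HDR),
    # Fragment Header: next header, reserved, offset 0 with M=1, identification; then 2 TCP octets
    "first_frag_no_ports": ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 1, 0xABCD) + TCP_HDR[:2]),
    "later_frag": ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 100 << 3, 0xABCD) + b"\x00" * 16),
    "unknown_ext": ipv6(253, struct.pack("!BB", TCP, 0) + b"\x00" * 6),   # experimental header
}
```

   Calling inspect(SAMPLES[name], Policy(drop_unknown_ext=True)) on the
   same packets shows the strict variant of the Section 2.1.8.3 policy.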
   Mandating the size of packet fragments could reduce the impact of
   this kind of attack by limiting the rate at which fragments could
   arrive and limiting the number of fragments which need to be
   processed.

2.1.11  Link-Local Addresses and Securing Neighbor Discovery

   All IPv6 nodes are required to configure a link-local address on each
   interface.  This address is used to communicate with other nodes
   directly connected to the link accessed via the interface, especially
   during the neighbor discovery and auto-configuration processes.
   Link-local addresses are fundamental to the operation of the Neighbor
   Discovery Protocol (NDP) [RFC2461] and SLAAC [RFC2462].  NDP also
   provides the functionality of associating link layer and IP addresses
   provided by the Address Resolution Protocol (ARP) in IPv4 networks.

   The standard version of NDP is subject to a number of security
   threats related to ARP spoofing attacks on IPv4.  These threats have
   been documented in [RFC3756] and mechanisms to combat them specified
   in SEcure Neighbor Discovery (SEND) [RFC3971].  SEND is an optional
   mechanism which is particularly applicable to wireless and other
   environments where it is difficult to physically secure the link.

   Because the link-local address can, by default, be acquired without
   external intervention or control, it allows an attacker to commence
   communication on the link without needing to acquire information
   about the address prefixes in use or communicate with any authorities
   on the link.  This feature gives a malicious node the opportunity to
   mount an attack on any other node which is attached to this link;
   this vulnerability exists in addition to possible direct attacks on
   NDP.  Link-local addresses may also facilitate the unauthorized use
   of the link bandwidth ('bandwidth theft') to communicate with another
   unauthorized node on the same link.
Link-local addresses allocated from the prefix 169.254.0.0/16 are available in IPv4 as well and procedures for using them are described in [I-D.ietf-zeroconf-ipv4-linklocal] but the security issues were not as pronounced as for IPv6 for the following reasons:

   o  link-local addresses are not mandatory in IPv4 and are primarily intended for isolated or ad hoc networks that cannot acquire a routable IPv4 address by other means,
   o  IPv4 link-local addresses are not universally supported across operating systems, and
   o  the IPv4 link-local address should be removed when a non-link-local address is configured on the interface and will generally not be allocated unless other means of acquiring an address are not available.

These vulnerabilities can be mitigated in several ways. A general solution will require

   o  authenticating the link layer connectivity, for example by using IEEE 802.1x functionality, port-based MAC address security (locking), or physical security, and
   o  using SEcure Neighbor Discovery (SEND) to create a cryptographically generated link-local address as described in [RFC3971] which is tied to the authenticated link layer address. This solution would be particularly appropriate in wireless LAN deployments where it is difficult to physically secure the infrastructure.

In wired environments, where the physical infrastructure is reasonably secure, it may be sufficient to ignore communication requests originating from a link-local address for other than local network management purposes. This requires that nodes should only accept packets with link-local addresses for a limited set of protocols including NDP, MLD and other functions of ICMPv6.

2.1.11.1 Securing Router Advertisements

As part of the Neighbor Discovery process, routers on a link advertise their capabilities in Router Advertisement messages.
The version of NDP defined in [RFC2461] does not protect the integrity of these messages or validate the assertions made in the messages with the result that any node which connects to the link can maliciously claim to offer routing services which it will not fulfill, and advertise inappropriate prefixes and parameters. These threats have been documented in [RFC3756].

SEND [RFC3971] can be used to provide verification that routers are authorized to provide the services they advertise through a certificate-based mechanism. This capability of SEND is also particularly appropriate for wireless environments where clients are reliant on the assertions of the routers rather than a physically secured connection.

2.1.12 Mobile IPv6

Mobile IPv6 offers significantly enhanced security compared with Mobile IPv4 especially when using optimized routing and care-of addresses. Return routability checks are used to provide relatively robust assurance that the different addresses which a mobile node uses as it moves through the network do indeed all refer to the same node. The threats and solutions are described in [RFC3775] and a more extensive discussion of the security aspects of the design can be found in [I-D.ietf-mip6-ro-sec].

2.1.12.1 Obsolete Home Address Option in Mobile IPv6

The Home Address option specified in early drafts of Mobile IPv6 would have allowed a trivial source spoofing attack: hosts were required to substitute the source address of incoming packets with the address in the option, thereby potentially evading checks on the packet source address. This is discussed at greater length in [I-D.savola-ipv6-rh-ha-security].
The version of Mobile IPv6 as standardized in [RFC3775] has removed this issue by ensuring that the Home Address destination option is only processed if there is a corresponding binding cache entry and by securing Binding Update messages.

A number of pre-standard implementations of Mobile IPv6 were available which implemented this obsolete and insecure option: care should be taken to avoid running such obsolete systems.

2.2 IPv4-mapped IPv6 Addresses

Overloaded functionality is always a double-edged sword: it may yield some deployment benefits, but often also incurs the price which comes with ambiguity.

One example of such is IPv4-mapped IPv6 addresses: a representation of an IPv4 address as an IPv6 address inside an operating system. Since the original specification, the use of IPv4-mapped addresses has been extended to a transition mechanism, Stateless IP/ICMP Translation algorithm (SIIT) [RFC2765], where they are potentially used in the addresses of packets on the wire.

Therefore, it becomes difficult to unambiguously discern whether an IPv4-mapped address is really an IPv4 address represented in the IPv6 address format *or* an IPv6 address received from the wire (which may be subject to address forgery, etc.).

In addition, special cases like these, while giving deployment benefits in some areas, require a considerable amount of code complexity (e.g. in the implementations of bind() system calls and reverse DNS lookups) which is probably undesirable. Some of these issues are discussed in [I-D.cmetz-v6ops-v4mapped-api-harmful] and [I-D.itojun-v6ops-v4mapped-harmful].
In practice, although the packet translation mechanisms of SIIT are specified for use in the Network Address Translator - Protocol Translator (NAT-PT) [RFC2765], NAT-PT uses a mechanism different from IPv4-mapped IPv6 addresses for communicating embedded IPv4 addresses in IPv6 addresses. Also SIIT is not recommended for use as a standalone transition mechanism. Given the issues that have been identified, it seems appropriate that mapped addresses should not be used on the wire. However, changing application behavior by deprecating the use of mapped addresses in the operating system interface would have significant impact on application porting methods [RFC4038] and needs further study.

2.3 Increased End-to-End Transparency

One of the major design aims of IPv6 has been to maintain the original IP architectural concept of end-to-end transparency. Transparency can help foster technological innovation in areas such as peer-to-peer communication but maintaining the security of the network at the same time requires some modifications in the network architecture. Ultimately, it is also likely to need changes in the security model as compared with the norms for IPv4 networks.

2.3.1 IPv6 Networks without NATs

The necessity of introducing Network Address Translators (NATs) into IPv4 networks, resulting from a shortage of IPv4 addresses, has removed the end-to-end transparency of most IPv4 connections: the use of IPv6 would restore this transparency. However, the use of NATs, and the associated private addressing schemes, has become inappropriately linked to the provision of security in enterprise networks. The restored end-to-end transparency of IPv6 networks can therefore be seen as a threat by poorly informed enterprise network managers.
Some seem to want to limit the end-to-end capabilities of IPv6, for example by deploying private, local addressing and translators, even when it is not necessary because of the abundance of IPv6 addresses.

Recommendations for designing an IPv6 network to meet the perceived security and connectivity requirements implicit in the current usage of IPv4 NATs whilst maintaining the advantages of IPv6 end-to-end transparency are described in IPv6 Network Architecture Protection [I-D.ietf-v6ops-nap].

2.3.2 Enterprise Network Security Model for IPv6

The favored model for enterprise network security in IPv4 stresses the use of a security perimeter policed by autonomous firewalls and incorporating the NATs. Both perimeter firewalls and NATs introduce asymmetry and reduce the transparency of communications through these perimeters. The symmetric bidirectionality and transparency which are extolled as virtues of IPv6 may seem to be at odds with this model. Consequently network managers may even see them as undesirable attributes, in conflict with their need to control threats to and attacks on the networks they administer.

It is worth noting that IPv6 does not *require* end-to-end connectivity. It merely provides end-to-end addressability; the connectivity can still be controlled using firewalls (or other mechanisms), and it is indeed wise to do so.

A number of matters indicate that IPv6 networks should migrate towards an improved security model, which will increase the overall security of the network but facilitate end-to-end communication:

   o  Increased usage of end-to-end security especially at the network layer. IPv6 mandates the provision of IPsec capability in all nodes and increasing usage of end-to-end security is a challenge to current autonomous firewalls that are unable to perform deep packet inspection on encrypted packets.
      It is also incompatible with NATs because they modify the packets, even when packets are only authenticated rather than encrypted.
   o  Acknowledgement that over-reliance on the perimeter model is potentially dangerous. An attacker who can penetrate today's perimeters will have free rein within the perimeter, in many cases. Also a successful attack will generally allow the attacker to capture information or resources and make use of them.
   o  Development of mechanisms such as 'Trusted Computing' which will increase the level of trust which network managers are able to place on hosts.
   o  Development of centralized security policy repositories and secure distribution mechanisms which, in conjunction with trusted hosts, will allow network managers to place more reliance on security mechanisms at the end points. The mechanisms are likely to include end-node firewalling and intrusion detection systems as well as secure protocols that allow end points to influence the behavior of perimeter security devices.
   o  Review of the role of perimeter devices with increased emphasis on intrusion detection, network resource protection and coordination to thwart distributed denial of service attacks.

Several of the technologies required to support an enhanced security model are still under development, including secure protocols to allow end points to control firewalls: the complete security model utilizing these technologies is now emerging but still requires some development.

In the meantime, initial deployments will need to make use of similar firewalling and intrusion detection techniques to IPv4 which may limit end-to-end transparency temporarily, but should be prepared to use the new security model as it develops and avoid the use of NATs by the use of the architectural techniques described in [I-D.ietf-v6ops-nap].
In particular, using NAT-PT [RFC2766] as a general purpose transition mechanism should be avoided as it is likely to limit the exploitation of end-to-end security and other IPv6 capabilities in future as explained in [I-D.ietf-v6ops-natpt-to-exprmntl].

3. Issues Due to Transition Mechanisms

3.1 IPv6 Transition/Co-existence Mechanism-specific Issues

The more complicated the IPv6 transition/co-existence becomes, the greater the danger that security issues will be introduced either

   o  in the mechanisms themselves,
   o  in the interaction between mechanisms, or
   o  by introducing unsecured paths through multiple mechanisms.

These issues may or may not be readily apparent. Hence it would be desirable to keep the mechanisms simple, as few in number as possible and built from as small pieces as possible to simplify analysis.

One case where such security issues have been analyzed in detail is the 6to4 tunneling mechanism [RFC3964].

As tunneling has been proposed as a model for several more cases than are currently being used, its security properties should be analyzed in more detail. There are some generic dangers to tunneling:

   o  it may be easier to avoid ingress filtering checks
   o  it is possible to attack the tunnel interface: several IPv6 security mechanisms depend on checking that Hop Limit equals 255 on receipt and that link-local addresses are used. Sending such packets to the tunnel interface is much easier than gaining access to a physical segment and sending them there.
   o  automatic tunneling mechanisms are typically particularly dangerous as there is no pre-configured association between end points. Accordingly, at the receiving end of the tunnel packets have to be accepted and decapsulated from any source. Consequently, special care should be taken when specifying automatic tunneling techniques.
3.2 Automatic Tunneling and Relays

Two mechanisms have been (or are being) specified which use automatic tunneling and are intended for use outside a single domain. These mechanisms encapsulate the IPv6 packet directly in an IPv4 packet in the case of 6to4 [RFC3056] or in an IPv4 UDP packet in the case of Teredo [I-D.huitema-v6ops-teredo]. In each case packets can be sent and received by any similarly equipped nodes in the IPv4 Internet.

As mentioned in Section 3.1, a major vulnerability in such approaches is that receiving nodes must allow decapsulation of traffic sourced from anywhere in the Internet. This kind of decapsulation function must be extremely well secured because of the wide range of potential sources.

An even more difficult problem is how these mechanisms are able to establish communication with native IPv6 nodes or between the automatic tunneling mechanisms: such connectivity requires the use of some kind of "relay". These relays could be deployed in various locations such as:

   o  all native IPv6 nodes,
   o  native IPv6 sites,
   o  in IPv6-enabled ISPs, or
   o  just somewhere in the Internet.

Given that a relay needs to trust all the sources (e.g., in the 6to4 case, all 6to4 routers) which are sending it traffic, there are issues in achieving this trust and at the same time scaling the relay system to avoid overloading a small number of relays.

As authentication of such a relay service is very difficult to achieve, and particularly so in some of the possible deployment models, relays provide a potential vehicle for address spoofing, (reflected) Denial-of-Service attacks, and other threats.

Threats related to 6to4 and measures to combat them are discussed in [RFC3964]. [I-D.huitema-v6ops-teredo] incorporates extensive discussion of the threats to Teredo and measures to combat them.
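The decapsulation and relay concerns of Sections 3.1 and 3.2 can be checked at an IPv4 policy point which otherwise never looks inside the tunnel. The following is an added example, not code from the draft nor from any 6to4 or Teredo implementation: it classifies constructed IPv4 packets as protocol 41 or Teredo tunnels, decodes the inner IPv6 addresses so that policy can be applied to them, and for 6to4 applies the source consistency check of [RFC3964] (the IPv4 address embedded in a 2002:V4ADDR::/48 source must equal the outer IPv4 source). The Teredo UDP port number, the sample addresses and the packet contents are assumptions constructed for the example.

```python
"""Recognise IPv6 tunnelled inside IPv4 at an IPv4-only policy point (added example)."""
import ipaddress
import struct

PROTO_41, UDP = 41, 17
TEREDO_PORT = 3544                                   # assumed default Teredo UDP port
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")       # 6to4 prefix [RFC3056]
TEREDO = ipaddress.IPv6Network("2001::/32")          # Teredo prefix (assumption for this example)


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]


def inner_ipv6(payload):
    """(src, dst) of an IPv6 header at the start of payload, or None."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(payload[8:24]), ipaddress.IPv6Address(payload[24:40])


def embedded_6to4_v4(addr):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, or None."""
    return ipaddress.IPv4Address(addr.packed[2:6]) if addr in SIXTOFOUR else None


def classify(pkt):
    """Describe the tunnel (if any) an IPv4 packet carries and whether it is consistent."""
    src4, dst4, proto, payload = parse_ipv4(pkt)
    if proto == PROTO_41:
        inner = inner_ipv6(payload)
        if inner is None:
            return {"tunnel": "proto41", "valid": False, "reason": "no IPv6 header inside"}
        src6, dst6 = inner
        emb = embedded_6to4_v4(src6)
        kind = "6to4" if emb is not None else "6in4"
        ok = emb is None or emb == src4          # the RFC3964 relay check for 6to4 sources
        return {"tunnel": kind, "inner_src": str(src6), "inner_dst": str(dst6), "valid": ok,
                "reason": "" if ok else "embedded %s != outer source %s" % (emb, src4)}
    if proto == UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            inner = inner_ipv6(payload[8:])
            if inner is None:                    # Teredo indication headers are not decoded here
                return {"tunnel": "teredo", "valid": None, "reason": "inner IPv6 not decoded"}
            src6, dst6 = inner
            ok = src6 in TEREDO or dst6 in TEREDO
            return {"tunnel": "teredo", "inner_src": str(src6), "inner_dst": str(dst6), "valid": ok,
                    "reason": "" if ok else "neither inner address is a Teredo address"}
    return {"tunnel": None, "valid": True, "reason": ""}


# --- constructed sample packets (checksums left zero) ----------------------

def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def _ipv6(src, dst):
    # Next Header 59 = No Next Header: an empty IPv6 packet is enough for the check
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


SAMPLES = {
    # 6to4 router 192.0.2.10 sending 2002:c000:20a::/48 traffic to the relay anycast address
    "6to4_ok": _ipv4("192.0.2.10", "192.88.99.1", PROTO_41, _ipv6("2002:c000:20a::1", "2001:db8::1")),
    # same inner source from a different outer source: embedded address does not match
    "6to4_mismatch": _ipv4("198.51.100.7", "192.88.99.1", PROTO_41, _ipv6("2002:c000:20a::1", "2001:db8::1")),
    # configured 6in4 tunnel: inner addresses are ordinary global addresses
    "6in4": _ipv4("192.0.2.10", "198.51.100.7", PROTO_41, _ipv6("2001:db8:1::1", "2001:db8:2::1")),
    # Teredo client to server/relay over UDP
    "teredo": _ipv4("192.0.2.10", "203.0.113.5", UDP,
                    struct.pack("!HHHH", 4096, TEREDO_PORT, 48, 0) + _ipv6("2001:0:db8::1", "2001:db8::1")),
    # ordinary UDP, no tunnel
    "plain_udp": _ipv4("192.0.2.10", "203.0.113.5", UDP, struct.pack("!HHHH", 4096, 53, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

A firewall that only sees "protocol 41" or "UDP" has no basis for the inbound-connection policy it enforces for native IPv4; the inner addresses this function exposes are what the IPv6 side of the policy has to be written against.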
3.3 Tunneling IPv6 Through IPv4 Networks May Break IPv4 Network Security Assumptions

NATs and firewalls have been deployed extensively in the IPv4 Internet, as discussed in Section 2.3. Operators who deploy them typically have some security/operational requirements in mind (e.g. a desire to block inbound connection attempts), which may or may not be misguided.

The addition of tunneling can change the security model which such deployments are seeking to enforce. IPv6-over-IPv4 tunneling using protocol 41 is typically either explicitly allowed, or disallowed implicitly. Tunneling IPv6 over IPv4 encapsulated in UDP constitutes a more difficult problem as UDP must usually be allowed to pass through NATs and firewalls. Consequently, using UDP implies the ability to punch holes in NATs and firewalls although, depending on the implementation, this ability may be limited or only achieved in a stateful manner. In practice, the mechanisms have been explicitly designed to traverse both NATs and firewalls in a similar fashion.

One possible view is that use of tunneling is especially questionable in home/SOHO environments where the level of expertise in network administration is typically not very high; in these environments the hosts may not be as tightly managed as in others (e.g., network services might be enabled unnecessarily), leading to possible security break-ins or other vulnerabilities.

Holes can be punched both intentionally and unintentionally. In cases where the administrator or user makes an explicit decision to create the hole, this is less of a problem, although (for example) some enterprises might want to block IPv6 tunneling explicitly if employees were able to create such holes without reference to administrators.
On the other hand, if a hole is punched transparently, it is likely that a proportion of users will not understand the consequences: this will very probably result in a serious threat sooner or later.

When deploying tunneling solutions, especially tunneling solutions which are automatic and/or can be enabled easily by users who do not understand the consequences, care should be taken not to compromise the security assumptions held by the users.

For example, NAT traversal should not be performed by default unless there is a firewall producing a similar by-default security policy to that provided by IPv4 NAT. IPv6-in-IPv4 (protocol 41) tunneling is less of a problem, as it is easier to block if necessary; however, if the host is protected in IPv4, the IPv6 side should be protected as well.

As has been shown in Appendix A, it is relatively easy to determine the IPv6 address corresponding to an IPv4 address in tunneling deployments. It is therefore vital NOT to rely on "security by obscurity", i.e., assuming that nobody is able to guess or determine the IPv6 address of the host, especially when using automatic tunneling transition mechanisms.

4. Issues Due to IPv6 Deployment

4.1 IPv6 Service Piloting Done Insecurely

In many cases, IPv6 service piloting is done in a manner which is less secure than can be achieved for an IPv4 production service. For example, hosts and routers might not be protected by IPv6 firewalls, even if the corresponding IPv4 service is fully protected by firewalls as described in [I-D.ietf-v6ops-v6onbydefault]. This is particularly critical where IPv6 capabilities are turned on by default in new equipment or new releases of operating systems: network managers may not be fully aware of the security exposure that this creates.
The other possible alternative, in some instances, is that no service piloting is permitted because IPv6 firewalls and other security capabilities, such as intrusion detection systems, may not be widely available. Consequently, IPv6 deployment suffers and expertise accumulates less rapidly.

These problems may be partly due to the relatively slow development and deployment of IPv6-capable firewall equipment, but there is also a lack of information: actually, there are quite a few IPv6 packet filters and firewalls already in existence, which could be used to provide sufficient access controls, but network administrators may not be aware of them yet and there is a lack of documented operational practice.

However, there appears to be a real lack in the area of 'personal firewalls'. Also enterprise firewalls are at an early stage of development and may not provide all the capabilities needed to implement the necessary IPv6 filtering rules. The same devices that support and are used for IPv4 today are often expected to also become IPv6-capable -- even though this is not really required and the equipment may not have the requisite hardware capabilities to support fast packet filtering for IPv6. That is, IPv4 access could be filtered by one firewall, and when IPv6 access is added, it could be protected by another firewall; they don't have to be the same box, and even their models don't have to be the same.

A lesser factor may be that some design decisions in the IPv6 protocol make it more difficult for firewalls to be implemented and work in all cases and to be fully future proof (e.g. when new extension headers are used) as discussed in Section 2.1.8: it is significantly more difficult for intermediate nodes to process the IPv6 header chains than IPv4 packets.
A similar argument, which is often quoted as hindering IPv6 deployment, has been the lack of Intrusion Detection Systems (IDS). It is not clear whether this is more of an excuse than a real reason.

An additional problem is the limited implementation of high availability capabilities supporting IPv6. In particular, development of the IPv6 version of the Virtual Router Redundancy Protocol (VRRP) [I-D.ietf-vrrp-ipv6-spec] has lagged the development of the main IPv6 protocol although alternatives may be available for some environments.

Actually, some providers are fully ready to offer IPv6 services (e.g. web) today, but because that would (or, at least, might) result in problems for many of their customers or users who are, by default, using active dual-stack systems the services are not turned on: as a compromise, the services are often published under a separate domain or subdomain, and are, in practice, not much used as a consequence.

4.2 DNS Server Problems

Some DNS server implementations have flaws that severely affect DNS queries for IPv6 addresses as discussed in [RFC4074]. These flaws can be used for DoS attacks affecting both IPv4 and IPv6 by inducing caching DNS servers to believe that a domain is broken and causing the server to block access to all requests for the domain for a precautionary period.

4.3 Addressing Schemes and Securing Routers

Whilst in general terms brute force scanning of IPv6 subnets is essentially impossible due to the enormously larger address space of IPv6 and the 64 bit interface identifiers (see Appendix A), this will be obviated if administrators do not take advantage of the large space to use unguessable interface identifiers.
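An added example (not part of the draft) of the audit an administrator can run over configured addresses before the large address space is given away: it flags interface identifiers that are small integers or otherwise trivially guessable, generates a uniformly random 64-bit identifier for a /64, and checks ACL entries for the kind of error that long numeric addresses invite (entries that do not parse or fall outside the site's own prefixes). The configured addresses, site prefix, ACL entries and the guessability heuristic are all constructed for the example.

```python
"""Interface identifier hygiene for manually configured IPv6 addresses (added example)."""
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1
SMALL_IID_LIMIT = 0xFFFF            # ::1, ::2, ... ::ffff are treated as small integers


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of the address (the interface identifier for a /64)."""
    return int(addr) & IID_MASK


def is_guessable_iid(addr: ipaddress.IPv6Address) -> bool:
    """Constructed heuristic: a small-integer IID, or one with a single non-zero hextet."""
    iid = interface_id(addr)
    if iid <= SMALL_IID_LIMIT:
        return True
    hextets = [(iid >> shift) & 0xFFFF for shift in (48, 32, 16, 0)]
    return sum(1 for h in hextets if h) <= 1


def audit(addresses):
    """Return the configured address strings whose IID the heuristic flags."""
    return [a for a in addresses if is_guessable_iid(ipaddress.IPv6Address(a))]


def random_iid_address(prefix: str) -> ipaddress.IPv6Address:
    """Address in the given /64 with a uniformly random 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64))


def check_acl(entries, site_prefixes):
    """Return (entry, problem) pairs for ACL entries that do not parse or lie outside the site."""
    sites = [ipaddress.IPv6Network(p) for p in site_prefixes]
    problems = []
    for entry in entries:
        try:
            net = ipaddress.IPv6Network(entry, strict=False)
        except ValueError:
            problems.append((entry, "does not parse"))
            continue
        if not any(net.subnet_of(site) for site in sites):
            problems.append((entry, "outside site prefixes"))
    return problems


# --- constructed sample data ---------------------------------------------
CONFIGURED = [
    "2001:db8:1::1",                         # point-to-point link, IID 1
    "2001:db8:1::2",                         # IID 2
    "2001:db8:2:0:1234:5678:9abc:def0",      # random-looking IID
    "2001:db8:3::dead:0:0:0",                # one memorable hextet, rest zero
]
SITE_PREFIXES = ["2001:db8::/32"]
ACL = ["2001:db8:1::/64", "2001:db8:1::1/128", "2001:db9:1::/64", "2001:db8:1::g"]

if __name__ == "__main__":
    print("guessable:", audit(CONFIGURED))
    print("ACL problems:", check_acl(ACL, SITE_PREFIXES))
    print("suggested:", random_iid_address("2001:db8:4::/64"))
```

The ACL check catches the single-digit slip (db9 for db8) and the mistyped hextet that a human reviewer reading a column of 32-hex-digit entries easily misses; it does not, of course, catch a typo that lands on another valid address inside the site.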
Because of the unmemorability of complete IPv6 addresses there is a temptation for administrators to use small integers as interface identifiers when manually configuring them, as might happen on point-to-point links. Such allocations make it easy for an attacker to find active nodes that they can then port scan.

To make use of the larger address space properly, administrators should be very careful when entering IPv6 addresses in their configurations (e.g. Access Control Lists), since numerical IPv6 addresses are more prone to human error than IPv4 due to their length and unmemorability.

It is also essential to ensure that the management interfaces of routers are well secured as the router will usually contain a significant cache of neighbor addresses in its neighbor cache.

4.4 Consequences of Multiple Addresses in IPv6

One positive consequence of IPv6 is that nodes which do not require global access can communicate locally just by the use of a link-local address (if very local access is sufficient) or across the site by using a Unique Local Address (ULA). In either case it is easy to ensure that access outside the assigned domain of activity can be controlled by simple filters (which may be the default for link-locals). However, the security hazards of using link-local addresses for non-management purposes as documented in Section 2.1.11 should be borne in mind.

On the other hand, the possibility that a node or interface can have multiple global scope addresses makes access control filtering both on ingress and egress more complex and requires higher maintenance levels.
The addresses could be from the same network prefix (for example, privacy mechanisms [RFC3041][I-D.ietf-ipv6-privacy-addrs-v2] will periodically create new addresses taken from the same prefix and two or more of these may be active at the same time), or from different prefixes (for example, when a network is multihomed or is implementing anycast services). In either case, it is possible that a single host could be using several different addresses with different prefixes. It would be desirable that the Security Administrator should be able to identify that the same host is behind all these addresses.

4.5 Deploying ICMPv6

In IPv4 it is commonly accepted that some filtering of ICMP packets by firewalls is essential to maintain security. Because of the extended use that is made of ICMPv6 [RFC2461] with a multitude of functions, the simple set of dropping rules that are usually applied in IPv4 need to be significantly developed for IPv6. The blanket dropping of all ICMP messages that is used in some very strict environments is simply not possible for IPv6.

In an IPv6 firewall, policy needs to allow some messages through the firewall but also has to permit certain messages to and from the firewall, especially those with link-local sources on links to which the firewall is attached. These messages must be permitted to ensure that Neighbor Discovery [RFC2462], Multicast Listener Discovery [RFC2710], [RFC3810] and Stateless Address Configuration [RFC2463] work as expected.

Recommendations for filtering ICMPv6 messages can be found in [I-D.davies-v6ops-icmpv6-filtering-bcp].

4.5.1 Problems Resulting from ICMPv6 Transparency

As described in Section 4.5, certain ICMPv6 error packets need to be passed through a firewall in both directions.
This means that some ICMPv6 error packets can be exchanged between inside and outside without any filtering.

Using this feature, malicious users can communicate between the inside and outside of a firewall bypassing the administrator's inspection (proxy, firewall etc.). For example, it might be possible to carry out a covert conversation through the payload of ICMPv6 error messages or tunnel inappropriate encapsulated IP packets in ICMPv6 error messages. This problem can be alleviated by filtering ICMPv6 errors using a stateful packet inspection mechanism to ensure that the packet carried as a payload is associated with legitimate traffic to or from the protected network.

4.6 IPsec Transport Mode

IPsec provides security to end-to-end communications at the network layer (layer 3). The security features available include access control, connectionless integrity, data origin authentication, protection against replay attacks, confidentiality, and limited traffic flow confidentiality (see [RFC2401] section 2.1). IPv6 mandates the implementation of IPsec in all conforming nodes, making the usage of IPsec to secure end-to-end communication possible in a way which is generally not available to IPv4.

To secure IPv6 end-to-end communications, IPsec transport mode would generally be the solution of choice. However, use of these IPsec security features can result in novel problems for network administrators and decrease the effectiveness of perimeter firewalls because of the increased prevalence of encrypted packets on which the firewalls cannot perform deep packet inspection and filtering.

One example of such problems is the lack of security solutions in the middlebox, including effective content-filtering, ability to provide DoS prevention based on the expected TCP protocol behavior, and intrusion detection.
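The ICMPv6 policy described in Sections 2.1.11, 4.5 and 4.5.1, gathered into one decision function as an added example (this is not code from the draft nor from any firewall product): a link-local source is accepted only for NDP and MLD, NDP only with Hop Limit 255 (the receipt check Section 3.1 refers to), an ICMPv6 error only when the packet it quotes matches a flow the firewall has already seen and the error is addressed to that packet's sender (the stateful check Section 4.5.1 calls for), and IPv4-mapped addresses (Section 2.2) never. The flow-table layout, the decision that fragmented ICMPv6 is not inspected, and all sample packets are assumptions constructed for the example.

```python
"""ICMPv6 filtering decisions for one firewall interface (added example)."""
import ipaddress
import struct

ICMPV6, TCP, UDP = 58, 6, 17
ERRORS = {1, 2, 3, 4}                 # Dest Unreachable, Packet Too Big, Time Exceeded, Parameter Problem
NDP = {133, 134, 135, 136, 137}       # RS, RA, NS, NA, Redirect
MLD = {130, 131, 132, 143}            # Query, Report, Done, MLDv2 Report
OPTION_HEADERS = {0, 43, 60}          # Hop-by-Hop, Routing, Destination Options


def parse_ipv6(pkt):
    """Return (src, dst, upper-layer protocol, hop limit, upper-layer payload)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, hlim, off = pkt[6], pkt[7], 40
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    while nxt in OPTION_HEADERS:      # MLD carries a Hop-by-Hop header with Router Alert
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt == 44:
        raise ValueError("fragmented packet not inspected")   # policy choice of this example
    return src, dst, nxt, hlim, pkt[off:]


def flow_key(proto, src, dst, payload):
    """Flow identity used by the assumed flow table: ports only for TCP/UDP."""
    if proto in (TCP, UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return (proto, src, sport, dst, dport)
    return (proto, src, None, dst, None)


def decide(pkt, flows):
    """Return ('pass' | 'drop', reason) for one packet arriving at the firewall."""
    try:
        src, dst, proto, hlim, payload = parse_ipv6(pkt)
    except ValueError as err:
        return "drop", str(err)
    if src.ipv4_mapped or dst.ipv4_mapped:
        return "drop", "IPv4-mapped address on the wire"
    if proto != ICMPV6:
        return ("drop", "link-local source outside ICMPv6") if src.is_link_local else ("pass", "not ICMPv6")
    if len(payload) < 8:
        return "drop", "truncated ICMPv6 header"
    itype = payload[0]
    if itype in NDP:
        return ("pass", "NDP") if hlim == 255 else ("drop", "NDP with Hop Limit != 255")
    if itype in MLD:
        return ("pass", "MLD") if src.is_link_local else ("drop", "MLD from non-link-local source")
    if src.is_link_local:
        return "drop", "link-local source outside NDP/MLD"
    if itype in ERRORS:
        try:                          # the invoking packet follows the 8-octet ICMPv6 header
            qsrc, qdst, qproto, _, qpayload = parse_ipv6(payload[8:])
        except ValueError:
            return "drop", "error message quotes an unparsable packet"
        if qsrc != dst:
            return "drop", "error not addressed to the quoted packet's sender"
        if flow_key(qproto, qsrc, qdst, qpayload) in flows:
            return "pass", "error matches a known flow"
        return "drop", "error for an unknown flow"
    return "pass", "ICMPv6 type %d (subject to other rules)" % itype


# --- constructed sample packets (checksums left zero) ----------------------

def _ipv6(src, dst, nxt, payload, hlim=64):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nxt, hlim)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def _icmpv6(itype, rest=b""):
    return bytes([itype, 0, 0, 0]) + b"\x00" * 4 + rest


INSIDE, OUTSIDE = "2001:db8:1::10", "2001:db8:ffff::1"
TCP_HDR = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x10, 65535, 0, 0)
ORIGINAL = _ipv6(INSIDE, OUTSIDE, TCP, TCP_HDR)          # inside -> outside, as seen earlier by the firewall
FLOWS = {flow_key(TCP, ipaddress.IPv6Address(INSIDE), ipaddress.IPv6Address(OUTSIDE), TCP_HDR)}
ROUTER_ALERT = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])      # Hop-by-Hop: Router Alert option + PadN

SAMPLES = {
    "ns_ok": _ipv6("fe80::1", "ff02::1:ff00:10", ICMPV6, _icmpv6(135), hlim=255),
    "ns_bad_hlim": _ipv6("fe80::1", "ff02::1:ff00:10", ICMPV6, _icmpv6(135), hlim=64),
    "mld_report": _ipv6("fe80::1", "ff02::16", 0, ROUTER_ALERT + _icmpv6(143), hlim=1),
    "echo_from_linklocal": _ipv6("fe80::1", INSIDE, ICMPV6, _icmpv6(128)),
    "ptb_known_flow": _ipv6(OUTSIDE, INSIDE, ICMPV6, _icmpv6(2, ORIGINAL)),
    "ptb_unknown_flow": _ipv6(OUTSIDE, INSIDE, ICMPV6,
                              _icmpv6(2, _ipv6(INSIDE, "2001:db8:ffff::2", TCP, TCP_HDR))),
    "mapped_source": _ipv6("::ffff:192.0.2.1", INSIDE, TCP, TCP_HDR),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, decide(pkt, FLOWS))
```

The error-message rule is what closes the covert channel described in Section 4.5.1: an error whose quoted packet names a flow the firewall never saw, or which is not addressed to that flow's own endpoint, carries no legitimate feedback and is dropped regardless of its payload.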
Future solutions to this problem are discussed in Section 2.3.2. Another example is an IPsec-based DoS (e.g., sending malformed ESP/AH packets) which can be especially detrimental to software-based IPsec implementations.

4.7 Reduced Functionality Devices

With the deployment of IPv6 we can expect the attachment of a very large number of new IPv6-enabled devices with scarce resources and low computing capacity. The resource limitations are generally because of a market requirement for cost reduction. Some such devices may not be able even to perform the minimum set of functions required to protect themselves (e.g. 'personal' firewall, automatic firmware update, enough CPU power to endure DoS attacks). This means a different security scheme may be necessary for such embedded devices.

4.8 Operational Factors when Enabling IPv6 in the Network

There are a number of reasons which make it essential to take particular care when enabling IPv6 in the network equipment:

Initially, IPv6-enabled router software may be less stable than current IPv4-only implementations and there is less experience with configuring IPv6 routing, which can result in disruptions to the IPv6 routing environment and (IPv6) network outages.

IPv6 processing may not happen at (near) line speed (or at a comparable performance level to IPv4 in the same equipment). A high level of IPv6 traffic (even legitimate, e.g. Network News Transport Protocol, NNTP) could easily overload IPv6 processing especially when it is software-based without the hardware support typical in high-end routers. This may potentially have deleterious knock-on effects on IPv4 processing, affecting availability of both services. Accordingly, if people don't feel confident enough in the IPv6 capabilities of their equipment, they will be reluctant to enable it in their "production" networks.
Sometimes essential features may be missing from early releases of vendors' software; an example is provision of software enabling IPv6 telnet/SSH access (e.g., to the configuration application of a router), but without the ability to turn it off or limit access to it!

Sometimes the default IPv6 configuration is insecure. For example, in one vendor's implementation, if you have restricted IPv4 telnet to only a few hosts in the configuration, you need to be aware that IPv6 telnet will be automatically enabled, that the configuration commands used previously do not block IPv6 telnet, that IPv6 telnet is open to the world by default, and that you have to use a separate command to also lock down the IPv6 telnet access.

Many operator networks have to run interior routing protocols for both IPv4 and IPv6. It is possible to run both in one routing protocol, or have two separate routing protocols; either approach has its tradeoffs [RFC4029]. If multiple routing protocols are used, one should note that this causes double the amount of processing when links flap or recalculation is otherwise needed -- which might more easily overload the router's CPU, causing slightly slower convergence time.

4.9 Ingress Filtering Issues Due to Privacy Addresses

[RFC3041][I-D.ietf-ipv6-privacy-addrs-v2] describes a method for creating temporary addresses on IPv6 nodes to address privacy issues created by the use of a constant identifier. In a network, which implements such a mechanism, with a large number of nodes, new temporary addresses may be created at a fairly high rate. This might make it hard for ingress filtering mechanisms to distinguish between legitimately changing temporary addresses and spoofed source addresses, which are "in-prefix" (they use a topologically correct prefix and non-existent interface ID).
This can be addressed by using finer-grained access control mechanisms at the network egress point.

4.10 Security Issues Due to ND Proxies

In order to span a single subnet over multiple physical links, a new capability is being introduced in IPv6 to proxy Neighbor Discovery messages. The node doing this is called an NDProxy (see [I-D.ietf-ipv6-ndproxy]). NDProxies are susceptible to the same security issues as those faced by hosts using unsecured Neighbor Discovery or ARP. These proxies may process unsecured messages, and update the neighbor cache as a result of such processing, thus allowing a malicious node to divert or hijack traffic. This may undermine the advantages of using SEND [RFC3971].

To resolve the security issues introduced by NDProxies, SEND needs to be extended to be NDProxy aware.

5. IANA Considerations

This memo does not contain any actions for IANA.

6. Security Considerations

This memo attempts to give an overview of the security considerations of the different aspects of IPv6, particularly as they relate to the transition to a network in which IPv4- and IPv6-based communications need to coexist.

7. Acknowledgements

Alain Durand, Alain Baudot, Luc Beloeil, Andras Kis-Szabo, Alvaro Vives, Janos Mohacsi and Mark Smith provided feedback to improve this memo. Satoshi Kondo, Shinsuke Suzuki and Alvaro Vives provided additional inputs in cooperation with the Deployment Working Group of the Japanese IPv6 Promotion Council and the Euro6IX IST co-funded project, together with inputs from Jordi Palet, Brian Carpenter, and Peter Bieringer. Michael Wittsend and Michael Cole discussed issues relating to probing/mapping and privacy.

8. References

8.1 Normative References

[I-D.huitema-v6ops-teredo]
           Huitema, C., "Teredo: Tunneling IPv6 over UDP through NATs", draft-huitema-v6ops-teredo-05 (work in progress), April 2005.

[I-D.ietf-ipv6-privacy-addrs-v2]
           Narten, T., "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", draft-ietf-ipv6-privacy-addrs-v2-04 (work in progress), May 2005.

[I-D.ietf-v6ops-natpt-to-exprmntl]
           Aoun, C. and E. Davies, "Reasons to Move NAT-PT to Experimental", draft-ietf-v6ops-natpt-to-exprmntl-01 (work in progress), July 2005.

[I-D.ietf-vrrp-ipv6-spec]
           Hinden, R., "Virtual Router Redundancy Protocol for IPv6", draft-ietf-vrrp-ipv6-spec-07 (work in progress), October 2004.

[RFC2375]  Hinden, R. and S. Deering, "IPv6 Multicast Address Assignments", RFC 2375, July 1998.

[RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

[RFC2461]  Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998.

[RFC2462]  Thomson, S. and T. Narten, "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998.

[RFC2463]  Conta, A. and S. Deering, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 2463, December 1998.

[RFC2710]  Deering, S., Fenner, W., and B. Haberman, "Multicast Listener Discovery (MLD) for IPv6", RFC 2710, October 1999.

[RFC3041]  Narten, T. and R. Draves, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001.

[RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, February 2001.

[RFC3513]  Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6) Addressing Architecture", RFC 3513, April 2003.
[RFC3775]  Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004.

[RFC3810]  Vida, R. and L. Costa, "Multicast Listener Discovery Version 2 (MLDv2) for IPv6", RFC 3810, June 2004.

[RFC3964]  Savola, P. and C. Patel, "Security Considerations for 6to4", RFC 3964, December 2004.

8.2 Informative References

[FNAT]     Bellovin, S., "Technique for Counting NATted Hosts", Proc. Second Internet Measurement Workshop, November 2002.

[I-D.chown-v6ops-port-scanning-implications]
           Chown, T., "IPv6 Implications for TCP/UDP Port Scanning", draft-chown-v6ops-port-scanning-implications-01 (work in progress), July 2004.

[I-D.cmetz-v6ops-v4mapped-api-harmful]
           Metz, C. and J. Hagino, "IPv4-Mapped Address API Considered Harmful", draft-cmetz-v6ops-v4mapped-api-harmful-01 (work in progress), October 2003.

[I-D.davies-v6ops-icmpv6-filtering-bcp]
           Davies, E. and J. Mohacsi, "Best Current Practice for Filtering ICMPv6 Messages in Firewalls", draft-davies-v6ops-icmpv6-filtering-bcp-00 (work in progress), July 2005.

[I-D.dupont-ipv6-rfc3041harmful]
           Dupont, F. and P. Savola, "RFC 3041 Considered Harmful", draft-dupont-ipv6-rfc3041harmful-05 (work in progress), June 2004.

[I-D.ietf-dnsop-ipv6-dns-issues]
           Durand, A., Ihren, J., and P. Savola, "Operational Considerations and Issues with IPv6 DNS", draft-ietf-dnsop-ipv6-dns-issues-10 (work in progress), October 2004.

[I-D.ietf-ipv6-ndproxy]
           Thaler, D., "Neighbor Discovery Proxies (ND Proxy)", draft-ietf-ipv6-ndproxy-03 (work in progress), July 2005.

[I-D.ietf-mip6-ro-sec]
           Nikander, P., "Mobile IP version 6 Route Optimization Security Design Background", draft-ietf-mip6-ro-sec-03 (work in progress), May 2005.
[I-D.ietf-v6ops-nap]
           Velde, G., "IPv6 Network Architecture Protection", draft-ietf-v6ops-nap-01 (work in progress), June 2005.

[I-D.ietf-v6ops-v6onbydefault]
           Roy, S., Durand, A., and J. Paugh, "Issues with Dual Stack IPv6 on by Default", draft-ietf-v6ops-v6onbydefault-03 (work in progress), July 2004.

[I-D.ietf-zeroconf-ipv4-linklocal]
           Aboba, B., "Dynamic Configuration of Link-Local IPv4 Addresses", draft-ietf-zeroconf-ipv4-linklocal-17 (work in progress), July 2004.

[I-D.itojun-v6ops-v4mapped-harmful]
           Metz, C. and J. Hagino, "IPv4-Mapped Addresses on the Wire Considered Harmful", draft-itojun-v6ops-v4mapped-harmful-02 (work in progress), October 2003.

[I-D.krishnan-ipv6-hopbyhop]
           Krishnan, S., "Arrangement of Hop-by-Hop options", draft-krishnan-ipv6-hopbyhop-00 (work in progress), June 2004.

[I-D.savola-ipv6-rh-ha-security]
           Savola, P., "Security of IPv6 Routing Header and Home Address Options", draft-savola-ipv6-rh-ha-security-02 (work in progress), March 2002.

[I-D.savola-ipv6-rh-hosts]
           Savola, P., "Note about Routing Header Processing on IPv6 Hosts", draft-savola-ipv6-rh-hosts-00 (work in progress), February 2002.

[I-D.savola-v6ops-firewalling]
           Savola, P., "Firewalling Considerations for IPv6", draft-savola-v6ops-firewalling-02 (work in progress), October 2003.

[I-D.savola-v6ops-transarch]
           Savola, P., "A View on IPv6 Transition Architecture", draft-savola-v6ops-transarch-03 (work in progress), January 2004.

[I-D.schild-v6ops-guide-v4mapping]
           Schild, C., "Guide to Mapping IPv4 to IPv6 Subnets", draft-schild-v6ops-guide-v4mapping-00 (work in progress), January 2004.

[RFC1858]  Ziemba, G., Reed, D., and P. Traina, "Security Considerations for IP Fragment Filtering", RFC 1858, October 1995.

[RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[RFC2765]  Nordmark, E., "Stateless IP/ICMP Translation Algorithm (SIIT)", RFC 2765, February 2000.

[RFC2766]  Tsirtsis, G. and P. Srisuresh, "Network Address Translation - Protocol Translation (NAT-PT)", RFC 2766, February 2000.

[RFC3128]  Miller, I., "Protection Against a Variant of the Tiny Fragment Attack (RFC 1858)", RFC 3128, June 2001.

[RFC3756]  Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", RFC 3756, May 2004.

[RFC3971]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005.

[RFC4029]  Lind, M., Ksinant, V., Park, S., Baudot, A., and P. Savola, "Scenarios and Analysis for Introducing IPv6 into ISP Networks", RFC 4029, March 2005.

[RFC4038]  Shin, M-K., Hong, Y-G., Hagino, J., Savola, P., and E. Castro, "Application Aspects of IPv6 Transition", RFC 4038, March 2005.

[RFC4074]  Morishita, Y. and T. Jinmei, "Common Misbehavior Against DNS Queries for IPv6 Addresses", RFC 4074, May 2005.

Authors' Addresses

Elwyn B. Davies
Consultant
Soham, Cambs
UK

Phone: +44 7889 488 335
Email: elwynd@dial.pipex.com

Suresh Krishnan
Ericsson
8400 Decarie Blvd.
Town of Mount Royal, QC H4P 2N2
Canada

Phone: +1 514-345-7900
Email: suresh.krishnan@ericsson.com

Pekka Savola
CSC/Funet

Email: psavola@funet.fi

Appendix A. IPv6 Probing/Mapping Considerations

One school of thought wants the IPv6 numbering topology (either at network or node level) [I-D.schild-v6ops-guide-v4mapping] to match IPv4 as exactly as possible, whereas others see IPv6 as giving more flexibility to the address plans, not wanting to constrain the design of IPv6 addressing.
Mirroring the address plans may also be seen as a security threat, because an IPv6 deployment may have different security properties from IPv4.

Given the relatively immature state of IPv6 network security, if an attacker knows the IPv4 address of a node and believes it to be dual-stacked with IPv4 and IPv6, he might want to try to probe the corresponding IPv6 address, based on the assumption that the security defenses might be lower. This might be the case particularly for nodes which are behind a NAT in IPv4 but globally addressable in IPv6. Naturally, this is not a concern if similar and adequate security policies are in place.

On the other hand, brute-force scanning or probing of addresses is computationally infeasible due to the large search space of interface identifiers on most IPv6 subnets (somewhat less than 64 bits wide, depending on how identifiers are chosen), always provided that identifiers are chosen at random out of the available space, as discussed in [I-D.chown-v6ops-port-scanning-implications].

For example, automatic tunneling mechanisms typically use deterministic methods for generating IPv6 addresses, so probing/port-scanning an IPv6 node is simplified. The IPv4 address is embedded at least in 6to4, Teredo and ISATAP addresses. Additionally, it is possible (in the case of 6to4 in particular) to learn the address behind the prefix; for example, the Microsoft 6to4 implementation uses the address 2002:V4ADDR::V4ADDR, while older Linux and FreeBSD implementations default to 2002:V4ADDR::1. This could also be used as one way to identify an implementation and hence target any specific weaknesses.

One proposal has been to randomize the addresses or subnet identifier in the address of the 6to4 router.
This does not really help, as the 6to4 router (whether a host or a router) will return an ICMPv6 Hop Limit Exceeded message, revealing the IP address. Hosts behind the 6to4 router can use methods such as RFC 3041 addresses to conceal themselves, though.

To conclude, it seems that when an automatic tunneling mechanism is being used, given an IPv4 address, the corresponding IPv6 address could possibly be guessed with relative ease. This has significant implications if the IPv6 security policy is less adequate than that for IPv4.

Appendix B. IPv6 Privacy Considerations

The generation of IPv6 addresses from MAC addresses potentially allows the behavior of users to be tracked in a way which may infringe their privacy. [RFC3041] specifies mechanisms which can be used to reduce the risk of infringement. It has also been claimed that IPv6 harms the privacy of the user, either by exposing the MAC address, or by exposing the number of nodes connected to a site.

B.1 Exposing MAC Addresses

Using stateless address autoconfiguration results in the MAC address being incorporated in an EUI-64 interface identifier that exposes the model of network card. The concern has been that a user might not want to expose the details of the system to outsiders, e.g., fearing a resulting burglary if a thief identifies expensive equipment from the vendor identifier embedded in MAC addresses.

In most cases, this seems completely unfounded. First, such an address must be learned somehow, which is a non-trivial process; the addresses are visible, e.g., in web site access logs, but the chances that a random web site owner is collecting this kind of information (or that it would be of any use) are quite slim.
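The address layouts discussed in Appendix A and the EUI-64 exposure just described can both be decoded from an observed address; the following is an added example written for this page, not the draft's own code, of the sort an operator would use to correlate IPv6 log entries with the IPv4 policy applied to the same node. It assumes the 6to4, Teredo, ISATAP and modified EUI-64 layouts from their respective specifications, and the sample addresses are constructed from documentation ranges.

```python
"""Decode the information embedded in tunnel and EUI-64 IPv6 addresses.

Added example, not code from the draft.  Recovers the IPv4 address that
6to4, Teredo and ISATAP addresses carry (Appendix A) and the MAC address
that a modified EUI-64 interface identifier carries (Appendix B.1), so an
operator reviewing logs can apply the same policy to both faces of a
dual-stacked node.  Layouts follow the 6to4, Teredo, ISATAP and IPv6
addressing specifications; sample addresses use documentation ranges.
"""
import ipaddress


def decode_6to4(addr):
    """2002:V4ADDR::/48 -> (embedded IPv4, host-part convention) or None.
    The convention separates the 2002:V4ADDR::1 and 2002:V4ADDR::V4ADDR
    defaults that Appendix A notes can identify an implementation."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:2] != b"\x20\x02":
        return None
    v4 = ipaddress.IPv4Address(raw[2:6])
    host = int.from_bytes(raw[8:16], "big")
    style = "::1" if host == 1 else "::V4ADDR" if host == int(v4) else "other"
    return str(v4), style


def decode_teredo(addr):
    """2001:0000::/32 -> (server IPv4, client IPv4, client UDP port) or None.
    The client address and port are stored XORed with all-ones bits."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:4] != b"\x20\x01\x00\x00":
        return None
    server = ipaddress.IPv4Address(raw[4:8])
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return str(server), str(client), port


def decode_isatap(addr):
    """Interface ID 0000:5EFE:V4ADDR or 0200:5EFE:V4ADDR under any prefix
    -> embedded IPv4 or None."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[8:10] not in (b"\x00\x00", b"\x02\x00") or raw[10:12] != b"\x5e\xfe":
        return None
    return str(ipaddress.IPv4Address(raw[12:16]))


def decode_eui64(addr):
    """Modified EUI-64 IID (FF:FE inserted, u/l bit inverted) -> (MAC, OUI)
    or None.  The OUI is the vendor identifier discussed in B.1."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[11:13] != b"\xff\xfe":
        return None
    mac = bytes([raw[8] ^ 0x02]) + raw[9:11] + raw[13:16]
    text = ":".join(f"{b:02x}" for b in mac)
    return text, text[:8]


if __name__ == "__main__":
    # Constructed samples: 6to4, Teredo, ISATAP and EUI-64 addresses.
    for a in ("2002:c000:0204::1", "2001:0:c000:201:8000:63bf:39cc:9bf8",
              "fe80::5efe:c000:204", "2001:db8::211:22ff:fe33:4455"):
        print(a, decode_6to4(a), decode_teredo(a), decode_isatap(a),
              decode_eui64(a))
```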
Being able to eavesdrop on the traffic to learn such addresses (e.g., by compromise of the DSL or cable modem physical media) also seems quite far-fetched. Further, using RFC 3041 addresses is a straightforward remedy if one is worried about the risk. Second, the burglar would have to be able to map the IP address to the physical location; typically this would only be possible with information from the private customer database of the ISP and, for large sites, the administrative records of the site.

B.2 Exposing Multiple Devices

Another concern that has been aired involves the user wanting to conceal the presence of a large number of computers or other devices connected to a network; NAT can "hide" all this equipment behind a single address, but is not perfect either [FNAT].

One practical reason why some administrators may find this desirable is being able to thwart certain ISPs' business models. These models require payment based on the number of connected computers, rather than for the connectivity as a whole.

Similar feasibility issues to those described above apply. To a degree, the number of machines present could be obscured by sufficiently frequent re-use of RFC 3041 addresses; that is, if during a short period dozens of generated addresses seem to be in use, it is difficult to estimate whether they are generated by just one host or by multiple hosts.

B.3 Exposing the Site by a Stable Prefix

When an ISP provides IPv6 connectivity to its customers, it delegates a fixed global routing prefix (usually a /48) to them.

Due to this fixed allocation, it is easier to correlate the global routing prefix to a network site. In the case of consumer users, this correlation leads to a privacy issue, since a site is often equivalent to an individual or a family in such a case.
That is, some users might be concerned about being able to be tracked based on their /48 allocation if it is static [I-D.dupont-ipv6-rfc3041harmful].

This problem remains unsolved even when a user changes his/her interface ID or subnet ID, because malicious users can still discover this binding. This problem can be solved by untraceable IPv6 addresses as described in [I-D.ietf-v6ops-nap].

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Disclaimer of Validity

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the Internet Society.