| draft-ietf-6man-deprecate-atomfrag-generation-03.txt | draft-ietf-6man-deprecate-atomfrag-generation-04.txt | |||
|---|---|---|---|---|
| IPv6 maintenance Working Group (6man) F. Gont | IPv6 maintenance Working Group (6man) F. Gont | |||
| Internet-Draft SI6 Networks / UTN-FRH | Internet-Draft SI6 Networks / UTN-FRH | |||
| Updates: 2460 (if approved) W. Liu | Intended status: Informational W. Liu | |||
| Intended status: Standards Track Huawei Technologies | Expires: May 29, 2016 Huawei Technologies | |||
| Expires: January 5, 2016 T. Anderson | T. Anderson | |||
| Redpill Linpro | Redpill Linpro | |||
| July 4, 2015 | November 26, 2015 | |||
| Deprecating the Generation of IPv6 Atomic Fragments | Deprecation of the Generation of IPv6 Atomic Fragments | |||
| draft-ietf-6man-deprecate-atomfrag-generation-03 | draft-ietf-6man-deprecate-atomfrag-generation-04 | |||
| Abstract | Abstract | |||
| The core IPv6 specification requires that when a host receives an | RFC2460 requires that when a host receives an ICMPv6 "Packet Too Big" | |||
| ICMPv6 "Packet Too Big" message reporting an MTU smaller than 1280 | message reporting an MTU smaller than 1280 bytes, the host includes a | |||
| bytes, the host includes a Fragment Header in all subsequent packets | Fragment Header in all subsequent packets sent to that destination, | |||
| sent to that destination, without reducing the assumed Path-MTU. The | without reducing the assumed Path-MTU. The simplicity with which | |||
| simplicity with which ICMPv6 "Packet Too Big" messages can be forged, | ICMPv6 "Packet Too Big" messages can be forged, coupled with the | |||
| coupled with the widespread filtering of IPv6 fragments, results in | widespread filtering of IPv6 fragments, results in an attack vector | |||
| an attack vector that can be leveraged for Denial of Service | that can be leveraged for Denial of Service purposes. This document | |||
| purposes. This document briefly discusses the aforementioned attack | briefly discusses the aforementioned attack vector, and why the | |||
| vector, and formally updates RFC2460 such that generation of IPv6 | aforementioned functionality is undesirable. | |||
| atomic fragments is deprecated, thus eliminating the aforementioned | ||||
| attack vector. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 5, 2016. | This Internet-Draft will expire on May 29, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 20 | skipping to change at page 2, line 17 | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3 | 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3 | |||
| 4. Additional Considerations . . . . . . . . . . . . . . . . . . 5 | 4. Additional Considerations . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Updating RFC2460 . . . . . . . . . . . . . . . . . . . . . . 6 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 8.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 8 | ||||
| Appendix A. Small Survey of OSes that Fail to Produce IPv6 | Appendix A. Small Survey of OSes that Fail to Produce IPv6 | |||
| Atomic Fragments . . . . . . . . . . . . . . . . . . 9 | Atomic Fragments . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| [RFC2460] specifies the IPv6 fragmentation mechanism, which allows | [RFC2460] specifies the IPv6 fragmentation mechanism, which allows | |||
| IPv6 packets to be fragmented into smaller pieces such that they fit | IPv6 packets to be fragmented into smaller pieces such that they fit | |||
| in the Path-MTU to the intended destination(s). | in the Path-MTU to the intended destination(s). | |||
| Section 5 of [RFC2460] states that, when a host receives an ICMPv6 | Section 5 of [RFC2460] states that, when a host receives an ICMPv6 | |||
| "Packet Too Big" message [RFC4443] advertising an MTU smaller than | "Packet Too Big" message [RFC4443] advertising an MTU smaller than | |||
| 1280 bytes (the minimum IPv6 MTU), the host is not required to reduce | 1280 bytes (the minimum IPv6 MTU), the host is not required to reduce | |||
| the assumed Path-MTU, but must simply include a Fragment Header in | the assumed Path-MTU, but must simply include a Fragment Header in | |||
| all subsequent packets sent to that destination. The resulting | all subsequent packets sent to that destination. The resulting | |||
| packets will thus *not* be actually fragmented into several pieces, | packets will thus *not* be actually fragmented into several pieces, | |||
| but rather just include a Fragment Header with both the "Fragment | but rather just include a Fragment Header with both the "Fragment | |||
| Offset" and the "M" flag set to 0 (we refer to these packets as | Offset" and the "M" flag set to 0 (we refer to these packets as | |||
| "atomic fragments"). As required by [RFC6946], these atomic | "atomic fragments"). As required by [RFC6946], these atomic | |||
| fragments are essentially processed by the destination host as non- | fragments are essentially processed by the destination host as non- | |||
| fragment traffic (since there are not really any fragments to be | fragmented traffic (since there are not really any fragments to be | |||
| reassembled). The goal of these atomic fragments has been to convey | reassembled). The goal of these atomic fragments has been to convey | |||
| an appropriate Fragment Identification value to be employed by IPv6/ | an appropriate Fragment Identification value to be employed by IPv6/ | |||
| IPv4 translators for the resulting IPv4 fragments. | IPv4 translators for the resulting IPv4 fragments. | |||
| While atomic fragments might seem rather benign, there are scenarios | While atomic fragments might seem rather benign, there are scenarios | |||
| in which the generation of IPv6 atomic fragments can introduce an | in which the generation of IPv6 atomic fragments can introduce an | |||
| attack vector that can be exploited for denial of service purposes. | attack vector that can be exploited for denial of service purposes. | |||
| Since there are concrete security implications arising from the | Since there are concrete security implications arising from the | |||
| generation of IPv6 atomic fragments, and there is no real gain in | generation of IPv6 atomic fragments, and there is no real gain in | |||
| generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4 | generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4 | |||
| translators generate a Fragment Identification value themselves), | translators generate a Fragment Identification value themselves), we | |||
| this document formally updates [RFC2460], forbidding the generation | conclude that this functionality is undesirable. | |||
| of IPv6 atomic fragments, such that the aforementioned attack vector | ||||
| is eliminated. | ||||
| Section 3 describes some possible attack scenarios. Section 4 | Section 3 describes some possible attack scenarios. Section 4 | |||
| provides additional considerations regarding the usefulness of | provides additional considerations regarding the usefulness of | |||
| generating IPv6 atomic fragments. Section 5 formally updates RFC2460 | generating IPv6 atomic fragments. | |||
| such that this attack vector is eliminated. | ||||
| 2. Terminology | 2. Terminology | |||
| IPv6 atomic fragments | IPv6 atomic fragments | |||
| IPv6 packets that contain a Fragment Header with the Fragment | IPv6 packets that contain a Fragment Header with the Fragment | |||
| Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]). | Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]). | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| skipping to change at page 3, line 48 | skipping to change at page 3, line 42 | |||
| a forged ICMPv6 "Packet Too Big" (PTB) error message to server B, | a forged ICMPv6 "Packet Too Big" (PTB) error message to server B, | |||
| reporting an MTU smaller than 1280, this will trigger the generation | reporting an MTU smaller than 1280, this will trigger the generation | |||
| of IPv6 atomic fragments from that moment on (as required by | of IPv6 atomic fragments from that moment on (as required by | |||
| [RFC2460]). When server B starts sending IPv6 atomic fragments (in | [RFC2460]). When server B starts sending IPv6 atomic fragments (in | |||
| response to the received ICMPv6 PTB), these packets will be dropped, | response to the received ICMPv6 PTB), these packets will be dropped, | |||
| since we previously noted that packets with IPv6 EHs were being | since we previously noted that packets with IPv6 EHs were being | |||
| dropped between Host A and Server B. Thus, this situation will | dropped between Host A and Server B. Thus, this situation will | |||
| result in a Denial of Service (DoS) scenario. | result in a Denial of Service (DoS) scenario. | |||
| Another possible scenario is that in which two BGP peers are | Another possible scenario is that in which two BGP peers are | |||
| employing IPv6 transport, and they implement ACLs to drop IPv6 | employing IPv6 transport, and they implement Access Control Lists | |||
| fragments (to avoid control-plane attacks). If the aforementioned | (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If | |||
| BGP peers drop IPv6 fragments but still honor received ICMPv6 Packet | the aforementioned BGP peers drop IPv6 fragments but still honor | |||
| Too Big error messages, an attacker could easily attack the peering | received ICMPv6 Packet Too Big error messages, an attacker could | |||
| session by simply sending an ICMPv6 PTB message with a reported MTU | easily attack the peering session by simply sending an ICMPv6 PTB | |||
| smaller than 1280 bytes. Once the attack packet has been sent, it | message with a reported MTU smaller than 1280 bytes. Once the attack | |||
| will be the aforementioned routers themselves the ones dropping their | packet has been sent, it will be the aforementioned routers | |||
| own traffic. | themselves the ones dropping their own traffic. | |||
| The aforementioned attack vector is exacerbated by the following | The aforementioned attack vector is exacerbated by the following | |||
| factors: | factors: | |||
| o The attacker does not need to forge the IPv6 Source Address of his | o The attacker does not need to forge the IPv6 Source Address of his | |||
| attack packets. Hence, deployment of simple BCP38 filters will | attack packets. Hence, deployment of simple BCP38 filters will | |||
| not help as a counter-measure. | not help as a counter-measure. | |||
| o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 | o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 | |||
| payload needs to be forged. While one could envision filtering | payload needs to be forged. While one could envision filtering | |||
| skipping to change at page 6, line 36 | skipping to change at page 6, line 26 | |||
| relying on the Fragment ID of the IPv6 atomic fragment will result in | relying on the Fragment ID of the IPv6 atomic fragment will result in | |||
| a reduced Fragment ID collision rate (when compared to the case where | a reduced Fragment ID collision rate (when compared to the case where | |||
| the translator selects each IPv4 Fragment ID on its own). | the translator selects each IPv4 Fragment ID on its own). | |||
| Finally, we note that [RFC6145] is currently the only "consumer" of | Finally, we note that [RFC6145] is currently the only "consumer" of | |||
| IPv6 atomic fragments, and it correctly and diligently notes (in | IPv6 atomic fragments, and it correctly and diligently notes (in | |||
| Section 6) the possible interoperability problems of relying on IPv6 | Section 6) the possible interoperability problems of relying on IPv6 | |||
| atomic fragments, proposing as a workaround that leads to more robust | atomic fragments, proposing as a workaround that leads to more robust | |||
| behavior and simplified code. | behavior and simplified code. | |||
| 5. Updating RFC2460 | 5. IANA Considerations | |||
| The following text from Section 5 of [RFC2460]: | ||||
| "In response to an IPv6 packet that is sent to an IPv4 destination | ||||
| (i.e., a packet that undergoes translation from IPv6 to IPv4), the | ||||
| originating IPv6 node may receive an ICMP Packet Too Big message | ||||
| reporting a Next-Hop MTU less than 1280. In that case, the IPv6 | ||||
| node is not required to reduce the size of subsequent packets to | ||||
| less than 1280, but must include a Fragment header in those | ||||
| packets so that the IPv6-to-IPv4 translating router can obtain a | ||||
| suitable Identification value to use in resulting IPv4 fragments. | ||||
| Note that this means the payload may have to be reduced to 1232 | ||||
| octets (1280 minus 40 for the IPv6 header and 8 for the Fragment | ||||
| header), and smaller still if additional extension headers are | ||||
| used." | ||||
| is formally replaced with: | ||||
| "An IPv6 node that receives an ICMPv6 Packet Too Big error message | ||||
| that reports a Next-Hop MTU smaller than 1280 bytes (the minimum | ||||
| IPv6 MTU) MUST NOT include a Fragment header in subsequent packets | ||||
| sent to the corresponding destination. That is, IPv6 nodes MUST | ||||
| NOT generate IPv6 atomic fragments." | ||||
| 6. IANA Considerations | ||||
| There are no IANA registries within this document. The RFC-Editor | There are no IANA registries within this document. The RFC-Editor | |||
| can remove this section before publication of this document as an | can remove this section before publication of this document as an | |||
| RFC. | RFC. | |||
| 7. Security Considerations | 6. Security Considerations | |||
| This document describes a Denial of Service (DoS) attack vector that | This document describes a Denial of Service (DoS) attack vector that | |||
| leverages the widespread filtering of IPv6 fragments in the public | leverages the widespread filtering of IPv6 fragments in the public | |||
| Internet by means of ICMPv6 PTB error messages. Additionally, it | Internet by means of ICMPv6 PTB error messages. It concludes that | |||
| formally updates [RFC2460] such that this attack vector is | the generation of IPv6 atomic fragments is an undesirable feature. | |||
| eliminated. | ||||
| 8. Acknowledgements | 7. Acknowledgements | |||
| The authors would like to thank (in alphabetical order) Alberto | The authors would like to thank (in alphabetical order) Alberto | |||
| Leiva, Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Jeroen Massar, | Leiva, Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Jeroen Massar, | |||
| and Erik Nordmark, for providing valuable comments on earlier | Erik Nordmark, and Ole Troan, for providing valuable comments on | |||
| versions of this document. | earlier versions of this document. | |||
| Fernando Gont would like to thank Fernando Gont would like to thank | Fernando Gont would like to thank Fernando Gont would like to thank | |||
| Jan Zorz / Go6 Lab <http://go6lab.si/>, and Jared Mauch / NTT | Jan Zorz / Go6 Lab <http://go6lab.si/>, and Jared Mauch / NTT | |||
| America, for providing access to systems and networks that were | America, for providing access to systems and networks that were | |||
| employed to produce some of tests that resulted in the publication of | employed to produce some of tests that resulted in the publication of | |||
| this document. Additionally, he would like to thank SixXS | this document. Additionally, he would like to thank SixXS | |||
| <https://www.sixxs.net> for providing IPv6 connectivity. | <https://www.sixxs.net> for providing IPv6 connectivity. | |||
| 9. References | 8. References | |||
| 9.1. Normative References | 8.1. Normative References | |||
| [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", RFC 2460, December 1998. | (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, | |||
| December 1998, <http://www.rfc-editor.org/info/rfc2460>. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <http://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control | [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet | |||
| Message Protocol (ICMPv6) for the Internet Protocol | Control Message Protocol (ICMPv6) for the Internet | |||
| Version 6 (IPv6) Specification", RFC 4443, March 2006. | Protocol Version 6 (IPv6) Specification", RFC 4443, | |||
| DOI 10.17487/RFC4443, March 2006, | ||||
| <http://www.rfc-editor.org/info/rfc4443>. | ||||
| [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU | [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU | |||
| Discovery", RFC 4821, March 2007. | Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, | |||
| <http://www.rfc-editor.org/info/rfc4821>. | ||||
| [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
| "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | |||
| September 2007. | DOI 10.17487/RFC4861, September 2007, | |||
| <http://www.rfc-editor.org/info/rfc4861>. | ||||
| [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation | [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation | |||
| Algorithm", RFC 6145, April 2011. | Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011, | |||
| <http://www.rfc-editor.org/info/rfc6145>. | ||||
| 9.2. Informative References | 8.2. Informative References | |||
| [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC | [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", | |||
| 2923, September 2000. | RFC 2923, DOI 10.17487/RFC2923, September 2000, | |||
| <http://www.rfc-editor.org/info/rfc2923>. | ||||
| [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path | [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path | |||
| Algorithm", RFC 2992, November 2000. | Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, | |||
| <http://www.rfc-editor.org/info/rfc2992>. | ||||
| [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. | [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, | |||
| DOI 10.17487/RFC5927, July 2010, | ||||
| <http://www.rfc-editor.org/info/rfc5927>. | ||||
| [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. | [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. | |||
| Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, | Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, | |||
| October 2010. | DOI 10.17487/RFC6052, October 2010, | |||
| <http://www.rfc-editor.org/info/rfc6052>. | ||||
| [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful | [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful | |||
| NAT64: Network Address and Protocol Translation from IPv6 | NAT64: Network Address and Protocol Translation from IPv6 | |||
| Clients to IPv4 Servers", RFC 6146, April 2011. | Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, | |||
| April 2011, <http://www.rfc-editor.org/info/rfc6146>. | ||||
| [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC | [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", | |||
| 6946, May 2013. | RFC 6946, DOI 10.17487/RFC6946, May 2013, | |||
| <http://www.rfc-editor.org/info/rfc6946>. | ||||
| [I-D.ietf-6man-predictable-fragment-id] | [I-D.ietf-6man-predictable-fragment-id] | |||
| Gont, F., "Security Implications of Predictable Fragment | Gont, F., "Security Implications of Predictable Fragment | |||
| Identification Values", draft-ietf-6man-predictable- | Identification Values", draft-ietf-6man-predictable- | |||
| fragment-id-08 (work in progress), June 2015. | fragment-id-10 (work in progress), October 2015. | |||
| [I-D.ietf-v6ops-ipv6-ehs-in-real-world] | [I-D.ietf-v6ops-ipv6-ehs-in-real-world] | |||
| Gont, F., Linkova, J., Chown, T., and S. LIU, | Gont, F., Linkova, J., Chown, T., and S. LIU, | |||
| "Observations on IPv6 EH Filtering in the Real World", | "Observations on the Dropping of Packets with IPv6 | |||
| draft-ietf-v6ops-ipv6-ehs-in-real-world-00 (work in | Extension Headers in the Real World", draft-ietf-v6ops- | |||
| progress), April 2015. | ipv6-ehs-in-real-world-01 (work in progress), October | |||
| 2015. | ||||
| [Morbitzer] | [Morbitzer] | |||
| Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis. | Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis. | |||
| Thesis number: 670. Department of Computing Science, | Thesis number: 670. Department of Computing Science, | |||
| Radboud University Nijmegen. August 2013, | Radboud University Nijmegen. August 2013, | |||
| <https://www.ru.nl/publish/pages/578936/ | <https://www.ru.nl/publish/pages/578936/ | |||
| m_morbitzer_masterthesis.pdf>. | m_morbitzer_masterthesis.pdf>. | |||
| Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic | Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic | |||
| Fragments | Fragments | |||
| [This section will probably be removed from this document before it | [This section will probably be removed from this document before it | |||
| is published as an RFC]. | is published as an RFC]. | |||
| End of changes. 35 change blocks. | ||||
| 99 lines changed or deleted | 84 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||