| draft-ietf-6man-flow-3697bis-01.txt | draft-ietf-6man-flow-3697bis-02.txt | |||
|---|---|---|---|---|
| 6MAN S. Amante | 6MAN S. Amante | |||
| Internet-Draft Level 3 | Internet-Draft Level 3 | |||
| Obsoletes: 3697 (if approved) B. Carpenter | Obsoletes: 3697 (if approved) B. Carpenter | |||
| Updates: 2205, 2460 (if approved) Univ. of Auckland | Updates: 2205, 2460 (if approved) Univ. of Auckland | |||
| Intended status: Standards Track S. Jiang | Intended status: Standards Track S. Jiang | |||
| Expires: August 30, 2011 Huawei Technologies Co., Ltd | Expires: September 14, 2011 Huawei Technologies Co., Ltd | |||
| J. Rajahalme | J. Rajahalme | |||
| Nokia-Siemens Networks | Nokia-Siemens Networks | |||
| February 26, 2011 | March 13, 2011 | |||
| IPv6 Flow Label Specification | IPv6 Flow Label Specification | |||
| draft-ietf-6man-flow-3697bis-01 | draft-ietf-6man-flow-3697bis-02 | |||
| Abstract | Abstract | |||
| This document specifies the IPv6 Flow Label field and the minimum | This document specifies the IPv6 Flow Label field and the minimum | |||
| requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding | requirements for IPv6 nodes labeling flows, IPv6 nodes forwarding | |||
| labeled packets, and flow state establishment methods. Even when | labeled packets, and flow state establishment methods. Even when | |||
| mentioned as examples of possible uses of the flow labeling, more | mentioned as examples of possible uses of the flow labeling, more | |||
| detailed requirements for specific use cases are out of scope for | detailed requirements for specific use cases are out of scope for | |||
| this document. | this document. | |||
| skipping to change at page 1, line 44 | skipping to change at page 1, line 44 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 30, 2011. | This Internet-Draft will expire on September 14, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 11 | skipping to change at page 3, line 11 | |||
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5 | 2. IPv6 Flow Label Specification . . . . . . . . . . . . . . . . 5 | |||
| 3. Stateless Flow Labeling Requirements . . . . . . . . . . . . . 7 | 3. Stateless Flow Labeling Requirements . . . . . . . . . . . . . 7 | |||
| 4. Flow State Establishment Requirements . . . . . . . . . . . . 8 | 4. Flow State Establishment Requirements . . . . . . . . . . . . 8 | |||
| 5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 9 | 5. Essential correction to RFC 2205 . . . . . . . . . . . . . . . 8 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 6.1. Theft and Denial of Service . . . . . . . . . . . . . . . 9 | 6.1. Theft and Denial of Service . . . . . . . . . . . . . . . 8 | |||
| 6.2. IPsec and Tunneling Interactions . . . . . . . . . . . . . 11 | 6.2. IPsec and Tunneling Interactions . . . . . . . . . . . . . 10 | |||
| 6.3. Security Filtering Interactions . . . . . . . . . . . . . 12 | 6.3. Security Filtering Interactions . . . . . . . . . . . . . 10 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 9. Change log . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 9. Change log . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 13 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 12 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| A flow is a sequence of packets sent from a particular source to a | A flow is a sequence of packets sent from a particular source to a | |||
| particular unicast, anycast, or multicast destination that a node | particular unicast, anycast, or multicast destination that a node | |||
| desires to label as a flow. A flow could consist of all packets in a | desires to label as a flow. A flow could consist of all packets in a | |||
| specific transport connection or a media stream. However, a flow is | specific transport connection or a media stream. However, a flow is | |||
| not necessarily 1:1 mapped to a transport connection. | not necessarily 1:1 mapped to a transport connection. | |||
| Traditionally, flow classifiers have been based on the 5-tuple of the | Traditionally, flow classifiers have been based on the 5-tuple of the | |||
| skipping to change at page 4, line 41 | skipping to change at page 4, line 41 | |||
| after a packet has been processed. A stateful scenario is one where | after a packet has been processed. A stateful scenario is one where | |||
| a node that sets or processes the flow label value needs to store | a node that sets or processes the flow label value needs to store | |||
| information about the flow, including the flow label value. A | information about the flow, including the flow label value. A | |||
| stateful scenario might also require a signaling mechanism to | stateful scenario might also require a signaling mechanism to | |||
| establish flow state in the network. | establish flow state in the network. | |||
| The flow label can be used most simply in stateless scenarios. This | The flow label can be used most simply in stateless scenarios. This | |||
| specification concentrates on the stateless model and how it can be | specification concentrates on the stateless model and how it can be | |||
| used as a default mechanism. Details of stateful models, signaling, | used as a default mechanism. Details of stateful models, signaling, | |||
| specific flow state establishment methods and their related service | specific flow state establishment methods and their related service | |||
| models are out of scope for this specification. Generic requirements | models are out of scope for this specification. The basic | |||
| enabling co-existence of different models are set forth in Section 4. | requirement for stateful models is set forth in Section 4. | |||
| The associated scaling characteristics (such as nodes involved in | ||||
| state establishment, amount of state maintained by them, and state | ||||
| growth function) will be specific to particular service models. | ||||
| The minimum level of IPv6 flow support consists of labeling the | The minimum level of IPv6 flow support consists of labeling the | |||
| flows. A specific goal is to enable and encourage the use of the | flows. A specific goal is to enable and encourage the use of the | |||
| flow label for various forms of stateless load distribution, | flow label for various forms of stateless load distribution, | |||
| especially across Equal Cost Multi-Path (EMCP) and/or Link | especially across Equal Cost Multi-Path (EMCP) and/or Link | |||
| Aggregation Group (LAG) paths. ECMP and LAG are methods to bond | Aggregation Group (LAG) paths. ECMP and LAG are methods to bond | |||
| together multiple physical links used to procure the required | together multiple physical links used to procure the required | |||
| capacity necessary to carry an offered load greater than the | capacity necessary to carry an offered load greater than the | |||
| bandwidth of an individual physical link. IPv6 source nodes SHOULD | bandwidth of an individual physical link. IPv6 source nodes SHOULD | |||
| be able to label known flows (e.g., TCP connections, application | be able to label known flows (e.g., TCP connections, application | |||
| skipping to change at page 8, line 15 | skipping to change at page 8, line 13 | |||
| principal recommendation is that the source host should set the | principal recommendation is that the source host should set the | |||
| label. | label. | |||
| The preceding rules taken together allow a given network domain to | The preceding rules taken together allow a given network domain to | |||
| include routers that set flow labels on behalf of hosts that do not | include routers that set flow labels on behalf of hosts that do not | |||
| do so. They also recommend that flow labels exported to the Internet | do so. They also recommend that flow labels exported to the Internet | |||
| are always either zero or uniformly distributed. | are always either zero or uniformly distributed. | |||
| 4. Flow State Establishment Requirements | 4. Flow State Establishment Requirements | |||
| This section defines the minimum requirements for stateful methods of | A node that sets the flow label MAY also take part in a flow state | |||
| setting the flow label value. | establishment method that results in assigning specific treatments to | |||
| specific flows, possibly including signaling. Any such method MUST | ||||
| The node that sets the flow label MAY also take part in flow state | NOT disturb nodes taking part in the stateless model just described. | |||
| establishment methods that result in assigning specific treatments to | Further details are not discussed in this document. | |||
| specific flows, possibly including signaling. | ||||
| o In this case, unlike the stateless case, a source node MUST ensure | ||||
| that it does not unintentionally reuse Flow Label values it is | ||||
| currently using or has recently used when creating new flows. | ||||
| Flow Label values previously used with a specific pair of source | ||||
| and destination addresses MUST NOT be assigned to new flows with | ||||
| the same address pair within 120 seconds of the termination of the | ||||
| previous flow. | ||||
| o To avoid accidental Flow Label value reuse, the source node SHOULD | ||||
| select new Flow Label values in a well-defined way and use an | ||||
| initial value that avoids reuse of recently used Flow Label values | ||||
| each time the system restarts. The initial value SHOULD be | ||||
| derived from a previous value stored in non-volatile memory, or in | ||||
| the absence of such history, a randomly generated initial value | ||||
| using techniques that produce good randomness properties SHOULD be | ||||
| used. | ||||
| To enable stateful flow-specific treatment, flow state needs to be | ||||
| established on all or a subset of the IPv6 nodes on the path from the | ||||
| source to the destination(s). The methods for the state | ||||
| establishment, as well as the models for flow-specific treatment will | ||||
| be defined in separate specifications. | ||||
| In stateful mechanisms, nodes keeping dynamic flow state MUST NOT | ||||
| assume packets arriving 120 seconds or more after the previous packet | ||||
| of a flow still belong to the same flow, unless a flow state | ||||
| establishment method in use defines a longer flow state lifetime or | ||||
| the flow state has been explicitly refreshed within the lifetime | ||||
| duration. | ||||
| To enable co-existence of different methods in IPv6 nodes, the | ||||
| methods MUST meet the following basic requirements: | ||||
| o The method MUST provide the means for flow state clean-up from the | ||||
| IPv6 nodes providing the flow-specific treatment. Signaling based | ||||
| methods where the source node is involved are free to specify flow | ||||
| state lifetimes longer than the default 120 seconds. | ||||
| o Flow state establishment methods MUST be able to recover from the | ||||
| case where the requested flow state cannot be supported. | ||||
| 5. Essential correction to RFC 2205 | 5. Essential correction to RFC 2205 | |||
| [RFC2460] reduced the size of the flow label field from 24 to 20 | [RFC2460] reduced the size of the flow label field from 24 to 20 | |||
| bits. The references to a 24 bit flow label field on pages 87 and 88 | bits. The references to a 24 bit flow label field on pages 87 and 88 | |||
| of [RFC2205] are updated accordingly. | of [RFC2205] are updated accordingly. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| This section considers security issues raised by the use of the Flow | This section considers security issues raised by the use of the Flow | |||
| skipping to change at page 9, line 40 | skipping to change at page 8, line 47 | |||
| The flow label is not protected in any way and can be forged by an | The flow label is not protected in any way and can be forged by an | |||
| on-path attacker. On the other hand, a uniformly distributed pseudo- | on-path attacker. On the other hand, a uniformly distributed pseudo- | |||
| random flow label cannot be readily guessed by an off-path attacker; | random flow label cannot be readily guessed by an off-path attacker; | |||
| see [I-D.gont-6man-flowlabel-security] for further discussion. | see [I-D.gont-6man-flowlabel-security] for further discussion. | |||
| 6.1. Theft and Denial of Service | 6.1. Theft and Denial of Service | |||
| Since the mapping of network traffic to flow-specific treatment is | Since the mapping of network traffic to flow-specific treatment is | |||
| triggered by the IP addresses and Flow Label value of the IPv6 | triggered by the IP addresses and Flow Label value of the IPv6 | |||
| header, an adversary may be able to obtain better service by | header, an adversary may be able to obtain unintended service by | |||
| modifying the IPv6 header or by injecting packets with false | modifying the IPv6 header or by injecting packets with false | |||
| addresses and/or labels. Taken to its limits, such theft-of-service | addresses and/or labels. Theft of service is not further discussed | |||
| becomes a denial-of-service attack when the modified or injected | in this document, since it can only be analysed for specific stateful | |||
| methods of using the flow label. However, a denial of service attack | ||||
| becomes possible in the stateless model when the modified or injected | ||||
| traffic depletes the resources available to forward it and other | traffic depletes the resources available to forward it and other | |||
| traffic streams. A curiosity is that if a DoS attack were undertaken | traffic streams. If a DoS attack were undertaken against a given | |||
| against a given Flow Label (or set of Flow Labels), then traffic | Flow Label (or set of Flow Labels), then traffic containing an | |||
| containing an affected Flow Label might well experience worse-than- | affected Flow Label might well experience worse-than-best-effort | |||
| best-effort network performance. | network performance. | |||
| Note that since the treatment of IP headers by nodes is typically | Note that since the treatment of IP headers by nodes is typically | |||
| unverified, there is no guarantee that flow labels sent by a node are | unverified, there is no guarantee that flow labels sent by a node are | |||
| set according to the recommendations in this document. Therefore, | set according to the recommendations in this document. A man-in-the- | |||
| any assumptions made by the network about header fields such as flow | middle or injected-traffic denial of service attack specifically | |||
| labels should be limited to the extent that the upstream nodes are | directed at flow label handling would involve setting unusual flow | |||
| explicitly trusted. | labels. For example, an attacker could set all flow labels reaching | |||
| a given router to the same arbitrary non-zero value, or could perform | ||||
| rapid cycling of flow label values such that the packets of a given | ||||
| flow will each have a different value. Either of these attacks would | ||||
| cause a stateless load distribution algorithm to perform badly and | ||||
| would cause a stateful mechanism to behave incorrectly. For this | ||||
| reason, stateless mechanisms should not use the flow label alone to | ||||
| control load distribution, and stateful mechanisms should include | ||||
| explicit methods to detect and ignore suspect flow label values. | ||||
| Since flows are identified by the 3-tuple of the Flow Label and the | Since flows are identified by the 3-tuple of the Flow Label and the | |||
| Source and Destination Address, the risk of theft or denial of | Source and Destination Address, the risk of denial of service | |||
| service introduced by the Flow Label is closely related to the risk | introduced by the Flow Label is closely related to the risk of denial | |||
| of theft or denial of service by address spoofing. An adversary who | of service by address spoofing. An adversary who is in a position to | |||
| is in a position to forge an address is also likely to be able to | forge an address is also likely to be able to forge a label, and vice | |||
| forge a label, and vice versa. | versa. | |||
| There are two issues with different properties: Spoofing of the Flow | There are two issues with different properties: Spoofing of the Flow | |||
| Label only, and spoofing of the whole 3-tuple, including Source and | Label only, and spoofing of the whole 3-tuple, including Source and | |||
| Destination Address. | Destination Address. | |||
| The former can be done inside a node which is using or transmitting | The former can be done inside a node which is using or transmitting | |||
| the correct source address. The ability to spoof a Flow Label | the correct source address. The ability to spoof a Flow Label | |||
| typically implies being in a position to also forge an address, but | typically implies being in a position to also forge an address, but | |||
| in many cases, spoofing an address may not be interesting to the | in many cases, spoofing an address may not be interesting to the | |||
| spoofer, especially if the spoofer's goal is theft of service, rather | spoofer, especially if the spoofer's goal is theft of service, rather | |||
| than denial of service. | than denial of service. | |||
| The latter can be done by a host which is not subject to ingress | The latter can be done by a host which is not subject to ingress | |||
| filtering [RFC2827] or by an intermediate router. Due to its | filtering [RFC2827] or by an intermediate router. Due to its | |||
| properties, such is typically useful only for denial of service. In | properties, this is typically useful only for denial of service. In | |||
| the absence of ingress filtering, almost any third party could | the absence of ingress filtering, almost any third party could | |||
| instigate such an attack. | instigate such an attack. | |||
| In the presence of ingress filtering, forging a non-zero Flow Label | In the presence of ingress filtering, forging a non-zero Flow Label | |||
| on packets that originated with a zero label, or modifying or | on packets that originated with a zero label, or modifying or | |||
| clearing a label, could only occur if an intermediate system such as | clearing a label, could only occur if an intermediate system such as | |||
| a router was compromised, or through some other form of man-in-the- | a router was compromised, or through some other form of man-in-the- | |||
| middle attack. However, the risk is limited to traffic receiving | middle attack. | |||
| better or worse quality of service than intended. For example, if | ||||
| Flow Labels are altered or cleared at random, flow classification | ||||
| will no longer happen as intended, and the altered packets will | ||||
| receive default treatment. If a complete 3-tuple is forged, the | ||||
| altered packets will be classified into the forged flow and will | ||||
| receive the corresponding quality of service; this will create a | ||||
| denial of service attack subtly different from one where only the | ||||
| addresses are forged. Because it is limited to a single flow | ||||
| definition, e.g., to a limited amount of bandwidth, such an attack | ||||
| will be more specific and at a finer granularity than a normal | ||||
| address-spoofing attack. | ||||
| Since flows are identified by the complete 3-tuple, ingress filtering | ||||
| [RFC2827] will, as noted above, mitigate part of the risk. If the | ||||
| source address of a packet is validated by ingress filtering, there | ||||
| can be a degree of trust that the packet has not transited a | ||||
| compromised router, to the extent that ISP infrastructure may be | ||||
| trusted. However, this gives no assurance that another form of man- | ||||
| in-the-middle attack has not occurred. | ||||
| A man-in-the-middle denial of service attack specifically directed at | ||||
| flow label handling would involve setting unusual flow labels. For | ||||
| example, an attacker could set all flow labels reaching a given | ||||
| router to the same arbitrary non-zero value, or could perform rapid | ||||
| cycling of flow label values such that the packets of a given flow | ||||
| will each have a different value. Either of these attacks would | ||||
| cause a stateless load distribution algorithm to perform badly and | ||||
| would cause a stateful mechanism to behave incorrectly. For this | ||||
| reason, stateless mechanisms should not use the flow label alone to | ||||
| control load distribution, and stateful mechanisms should include | ||||
| explicit methods to detect and ignore suspect flow label values. | ||||
| 6.2. IPsec and Tunneling Interactions | 6.2. IPsec and Tunneling Interactions | |||
| The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303] | The IPsec protocol, as defined in [RFC4301], [RFC4302], [RFC4303] | |||
| does not include the IPv6 header's Flow Label in any of its | does not include the IPv6 header's Flow Label in any of its | |||
| cryptographic calculations (in the case of tunnel mode, it is the | cryptographic calculations (in the case of tunnel mode, it is the | |||
| outer IPv6 header's Flow Label that is not included). Hence | outer IPv6 header's Flow Label that is not included). Hence | |||
| modification of the Flow Label by a network node has no effect on | modification of the Flow Label by a network node has no effect on | |||
| IPsec end-to-end security, because it cannot cause any IPsec | IPsec end-to-end security, because it cannot cause any IPsec | |||
| integrity check to fail. As a consequence, IPsec does not provide | integrity check to fail. As a consequence, IPsec does not provide | |||
| skipping to change at page 13, line 7 | skipping to change at page 11, line 35 | |||
| Contributors to the development of RFC 3697 included Ran Atkinson, | Contributors to the development of RFC 3697 included Ran Atkinson, | |||
| Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert | Steve Blake, Jim Bound, Francis Dupont, Robert Elz, Tony Hain, Robert | |||
| Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas | Hancock, Bob Hinden, Christian Huitema, Frank Kastenholz, Thomas | |||
| Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael | Narten, Charles Perkins, Pekka Savola, Hesham Soliman, Michael | |||
| Thomas, Margaret Wasserman, and Alex Zinin. | Thomas, Margaret Wasserman, and Alex Zinin. | |||
| This document was produced using the xml2rfc tool [RFC2629]. | This document was produced using the xml2rfc tool [RFC2629]. | |||
| 9. Change log | 9. Change log | |||
| draft-ietf-6man-flow-3697bis-02: update to remove most text about | ||||
| stateful methods, 2011-03-13 | ||||
| draft-ietf-6man-flow-3697bis-01: update after resolving 11 initial | draft-ietf-6man-flow-3697bis-01: update after resolving 11 initial | |||
| issues, 2011-02-26 | issues, 2011-02-26 | |||
| draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697 | draft-ietf-6man-flow-3697bis-00: original version, built from RFC3697 | |||
| and draft-ietf-6man-flow-update-01, 2011-01-31 | and draft-ietf-6man-flow-update-01, 2011-01-31 | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [I-D.gont-6man-flowlabel-security] | [I-D.gont-6man-flowlabel-security] | |||
| Gont, F., "Security Assessment of the IPv6 Flow Label", | Gont, F., "Security Assessment of the IPv6 Flow Label", | |||
| draft-gont-6man-flowlabel-security-01 (work in progress), | draft-gont-6man-flowlabel-security-01 (work in progress), | |||
| November 2010. | November 2010. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| skipping to change at page 13, line 37 | skipping to change at page 12, line 26 | |||
| Functional Specification", RFC 2205, September 1997. | Functional Specification", RFC 2205, September 1997. | |||
| [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", RFC 2460, December 1998. | (IPv6) Specification", RFC 2460, December 1998. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [I-D.ietf-6man-flow-update] | [I-D.ietf-6man-flow-update] | |||
| Amante, S., Carpenter, B., and S. Jiang, "Rationale for | Amante, S., Carpenter, B., and S. Jiang, "Rationale for | |||
| update to the IPv6 flow label specification", | update to the IPv6 flow label specification", | |||
| draft-ietf-6man-flow-update-02 (work in progress), | draft-ietf-6man-flow-update-03 (work in progress), | |||
| January 2011. | February 2011. | |||
| [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, | [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, | |||
| June 1999. | June 1999. | |||
| [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: | [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: | |||
| Defeating Denial of Service Attacks which employ IP Source | Defeating Denial of Service Attacks which employ IP Source | |||
| Address Spoofing", BCP 38, RFC 2827, May 2000. | Address Spoofing", BCP 38, RFC 2827, May 2000. | |||
| [RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, | [RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, | |||
| "IPv6 Flow Label Specification", RFC 3697, March 2004. | "IPv6 Flow Label Specification", RFC 3697, March 2004. | |||
| End of changes. 17 change blocks. | ||||
| 116 lines changed or deleted | 56 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||