| draft-ietf-6man-oversized-header-chain-04.txt | draft-ietf-6man-oversized-header-chain-05.txt | |||
|---|---|---|---|---|
| IPv6 maintenance Working Group (6man) F. Gont | IPv6 maintenance Working Group (6man) F. Gont | |||
| Internet-Draft SI6 Networks / UTN-FRH | Internet-Draft SI6 Networks / UTN-FRH | |||
| Updates: 2460 (if approved) V. Manral | Updates: 2460 (if approved) V. Manral | |||
| Intended status: Standards Track Hewlett-Packard Corp. | Intended status: Standards Track Hewlett-Packard Corp. | |||
| Expires: February 14, 2014 R. Bonica | Expires: March 4, 2014 R. Bonica | |||
| Juniper Networks | Juniper Networks | |||
| August 13, 2013 | August 31, 2013 | |||
| Implications of Oversized IPv6 Header Chains | Implications of Oversized IPv6 Header Chains | |||
| draft-ietf-6man-oversized-header-chain-04 | draft-ietf-6man-oversized-header-chain-05 | |||
| Abstract | Abstract | |||
| The IPv6 specification allows IPv6 header chains of an arbitrary | The IPv6 specification allows IPv6 header chains of an arbitrary | |||
| size. The specification also allows options which can in turn extend | size. The specification also allows options which can in turn extend | |||
| each of the headers. In those scenarios in which the IPv6 header | each of the headers. In those scenarios in which the IPv6 header | |||
| chain or options are unusually long and packets are fragmented, or | chain or options are unusually long and packets are fragmented, or | |||
| scenarios in which the fragment size is very small, the first | scenarios in which the fragment size is very small, the first | |||
| fragment of a packet may fail to include the entire IPv6 header | fragment of a packet may fail to include the entire IPv6 header | |||
| chain. This document discusses the interoperability and security | chain. This document discusses the interoperability and security | |||
| skipping to change at page 1, line 42 | skipping to change at page 1, line 42 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 14, 2014. | This Internet-Draft will expire on March 4, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 5, line 13 | skipping to change at page 5, line 13 | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 3. Terminology | 3. Terminology | |||
| For the purposes of this document, the terms Extension Header, Header | For the purposes of this document, the terms Extension Header, Header | |||
| Chain, First Fragment, and Upper-layer Header are used as follows: | Chain, First Fragment, and Upper-layer Header are used as follows: | |||
| Extension Header: | Extension Header: | |||
| Extension Headers are defined in Section 4 of [RFC2460]. | Extension Headers are defined in Section 4 of [RFC2460]. | |||
| Currently, six extension header types are defined. [RFC2460] | [IANA-PROTO] provides a list of assigned Internet Protocol Numbers | |||
| defines the Hop-by-Hop, Routing, Fragment and Destination Options | and designates which of those protocol numbers also represent | |||
| extension header types. [RFC4302] defines the Authentication | extension headers. | |||
| Header (AH) type and [RFC4303] defines the Encapsulating Security | ||||
| Payload (ESP) header type. | ||||
| First Fragment: | First Fragment: | |||
| An IPv6 fragment with fragment offset equal to 0. | An IPv6 fragment with fragment offset equal to 0. | |||
| IPv6 Header Chain: | IPv6 Header Chain: | |||
| The header chain contains an initial IPv6 header, zero or more | The header chain contains an initial IPv6 header, zero or more | |||
| IPv6 extension headers, and optionally, a single upper-layer | IPv6 extension headers, and optionally, a single upper-layer | |||
| header. If an upper-layer header is present, it terminates the | header. If an upper-layer header is present, it terminates the | |||
| header chain. | header chain. | |||
| The first member of the header chain is always an IPv6 header. | The first member of the header chain is always an IPv6 header. | |||
| For a subsequent header to qualify as a member of the header | For a subsequent header to qualify as a member of the header | |||
| chain, it must be referenced by the "Next Header" field of the | chain, it must be referenced by the "Next Header" field of the | |||
| previous member of the header chain. However, if a second IPv6 | previous member of the header chain. However, if a second IPv6 | |||
| header appears in the header chain, as is the case when IPv6 is | header appears in the header chain, as is the case when IPv6 is | |||
| tunneled over IPv6, the second IPv6 header is considered to be an | tunneled over IPv6, the second IPv6 header is considered to be an | |||
| upper-layer header and terminates the header chain. Likewise, if | upper-layer header and terminates the header chain. Likewise, if | |||
| an ESP header appears in the header chain it is considered to be | an Encapsulating Security Payload (ESP) header appears in the | |||
| an upper-layer header and it terminates the header chain. | header chain it is considered to be an upper-layer header and it | |||
| terminates the header chain. | ||||
| Upper-layer Header: | Upper-layer Header: | |||
| In the general case, the upper-layer header is the first member of | In the general case, the upper-layer header is the first member of | |||
| the header chain that is neither an IPv6 header nor an IPv6 | the header chain that is neither an IPv6 header nor an IPv6 | |||
| extension header. However, if either an ESP header, or a second | extension header. However, if either an ESP header, or a second | |||
| IPv6 header occur in the header chain, they are considered to be | IPv6 header occur in the header chain, they are considered to be | |||
| upper layer headers and they terminate the header chain. | upper layer headers and they terminate the header chain. | |||
| Neither the upper-layer payload, nor any protocol data following | Neither the upper-layer payload, nor any protocol data following | |||
| skipping to change at page 8, line 25 | skipping to change at page 8, line 25 | |||
| Likewise, an intermediate system (e.g. router, firewall) that | Likewise, an intermediate system (e.g. router, firewall) that | |||
| receives an IPv6 first-fragment that does not satisfy the above- | receives an IPv6 first-fragment that does not satisfy the above- | |||
| stated requirements MAY discard that packet, and MAY send an ICMPv6 | stated requirements MAY discard that packet, and MAY send an ICMPv6 | |||
| error message to the source address of the offending packet (subject | error message to the source address of the offending packet (subject | |||
| to the rules for ICMPv6 error messages specified in [RFC4443]). | to the rules for ICMPv6 error messages specified in [RFC4443]). | |||
| Intermediate systems having this capability SHOULD support | Intermediate systems having this capability SHOULD support | |||
| configuration (e.g. enable/disable) of whether such packets are | configuration (e.g. enable/disable) of whether such packets are | |||
| dropped or not by the intermediate system. | dropped or not by the intermediate system. | |||
| If a host or intermediate system discards an first-fragment because | If a host or intermediate system discards a first-fragment because it | |||
| it does not satisfy the above-stated requirements, and sends an | does not satisfy the above-stated requirements, and sends an ICMPv6 | |||
| ICMPv6 error message due to the discard, then the ICMPv6 error | error message due to the discard, then the ICMPv6 error message MUST | |||
| message MUST be Type 4 ("Parameter Problem") and MUST use Code TBD | be Type 4 ("Parameter Problem") and MUST use Code TBD ("First- | |||
| ("First-fragment has incomplete IPv6 Header Chain"). | fragment has incomplete IPv6 Header Chain"). The Pointer field | |||
| contained by the ICMPv6 Parameter Problem message MUST be set to | ||||
| zero. | ||||
| 6. IANA Considerations | 6. IANA Considerations | |||
| IANA is requested to add a the following entry to the "Reason Code" | IANA is requested to add a the following entry to the "Reason Code" | |||
| registry for ICMPv6 "Type 4 - Parameter Problem" messages: | registry for ICMPv6 "Type 4 - Parameter Problem" messages: | |||
| CODE NAME/DESCRIPTION | CODE NAME/DESCRIPTION | |||
| TBD IPv6 first-fragment has incomplete IPv6 header chain | TBD IPv6 first-fragment has incomplete IPv6 header chain | |||
| 7. Security Considerations | 7. Security Considerations | |||
| skipping to change at page 11, line 12 | skipping to change at page 11, line 12 | |||
| forged illegal packets with the victim/target's IPv6 address as the | forged illegal packets with the victim/target's IPv6 address as the | |||
| IPv6 Source Address of the illegal packet [RFC2827] [RFC3704]. | IPv6 Source Address of the illegal packet [RFC2827] [RFC3704]. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| The authors of this document would like to thank Ran Atkinson for | The authors of this document would like to thank Ran Atkinson for | |||
| contributing text and ideas that were incorporated into this | contributing text and ideas that were incorporated into this | |||
| document. | document. | |||
| The authors would like to thank (in alphabetical order) Ran Atkinson, | The authors would like to thank (in alphabetical order) Ran Atkinson, | |||
| Fred Baker, Brian Carpenter, Dominik Elsbroek, Bill Jouris, Suresh | Fred Baker, Brian Carpenter, Dominik Elsbroek, Mike Heard, Bill | |||
| Krishnan, Dave Thaler, and Eric Vyncke, for providing valuable | Jouris, Suresh Krishnan, Dave Thaler, Ole Troan, and Eric Vyncke, for | |||
| comments on earlier versions of this document. | providing valuable comments on earlier versions of this document. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", RFC 2460, December 1998. | (IPv6) Specification", RFC 2460, December 1998. | |||
| [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, | ||||
| December 2005. | ||||
| [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", | ||||
| RFC 4303, December 2005. | ||||
| [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control | [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control | |||
| Message Protocol (ICMPv6) for the Internet Protocol | Message Protocol (ICMPv6) for the Internet Protocol | |||
| Version 6 (IPv6) Specification", RFC 4443, March 2006. | Version 6 (IPv6) Specification", RFC 4443, March 2006. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: | [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: | |||
| Defeating Denial of Service Attacks which employ IP Source | Defeating Denial of Service Attacks which employ IP Source | |||
| Address Spoofing", BCP 38, RFC 2827, May 2000. | Address Spoofing", BCP 38, RFC 2827, May 2000. | |||
| [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed | [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed | |||
| Networks", BCP 84, RFC 3704, March 2004. | Networks", BCP 84, RFC 3704, March 2004. | |||
| [IANA-PROTO] | ||||
| Internet Assigned Numbers Authority, "Protocol Numbers", | ||||
| February 2013, <http://www.iana.org/assignments/ | ||||
| protocol-numbers/protocol-numbers.txt>. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Fernando Gont | Fernando Gont | |||
| SI6 Networks / UTN-FRH | SI6 Networks / UTN-FRH | |||
| Evaristo Carriego 2644 | Evaristo Carriego 2644 | |||
| Haedo, Provincia de Buenos Aires 1706 | Haedo, Provincia de Buenos Aires 1706 | |||
| Argentina | Argentina | |||
| Phone: +54 11 4650 8472 | Phone: +54 11 4650 8472 | |||
| Email: fgont@si6networks.com | Email: fgont@si6networks.com | |||
| End of changes. 10 change blocks. | ||||
| 25 lines changed or deleted | 25 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||