| draft-ietf-6man-oversized-header-chain-07.txt | draft-ietf-6man-oversized-header-chain-08.txt | |||
|---|---|---|---|---|
| IPv6 maintenance Working Group (6man) F. Gont | IPv6 maintenance Working Group (6man) F. Gont | |||
| Internet-Draft SI6 Networks / UTN-FRH | Internet-Draft SI6 Networks / UTN-FRH | |||
| Updates: 2460 (if approved) V. Manral | Updates: 2460 (if approved) V. Manral | |||
| Intended status: Standards Track Hewlett-Packard Corp. | Intended status: Standards Track Hewlett-Packard Corp. | |||
| Expires: March 14, 2014 R. Bonica | Expires: April 5, 2014 R. Bonica | |||
| Juniper Networks | Juniper Networks | |||
| September 10, 2013 | October 2, 2013 | |||
| Implications of Oversized IPv6 Header Chains | Implications of Oversized IPv6 Header Chains | |||
| draft-ietf-6man-oversized-header-chain-07 | draft-ietf-6man-oversized-header-chain-08 | |||
| Abstract | Abstract | |||
| The IPv6 specification allows IPv6 header chains of an arbitrary | The IPv6 specification allows IPv6 header chains of an arbitrary | |||
| size. The specification also allows options which can in turn extend | size. The specification also allows options which can in turn extend | |||
| each of the headers. In those scenarios in which the IPv6 header | each of the headers. In those scenarios in which the IPv6 header | |||
| chain or options are unusually long and packets are fragmented, or | chain or options are unusually long and packets are fragmented, or | |||
| scenarios in which the fragment size is very small, the first | scenarios in which the fragment size is very small, the first | |||
| fragment of a packet may fail to include the entire IPv6 header | fragment of a packet may fail to include the entire IPv6 header | |||
| chain. This document discusses the interoperability and security | chain. This document discusses the interoperability and security | |||
| skipping to change at page 1, line 42 | skipping to change at page 1, line 42 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 14, 2014. | This Internet-Draft will expire on April 5, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 7, line 15 | skipping to change at page 7, line 15 | |||
| 4. Motivation | 4. Motivation | |||
| Many forwarding devices implement stateless firewalls. A stateless | Many forwarding devices implement stateless firewalls. A stateless | |||
| firewall enforces a forwarding policy on packet-by-packet basis. In | firewall enforces a forwarding policy on packet-by-packet basis. In | |||
| order to enforce its forwarding policy, the stateless firewall may | order to enforce its forwarding policy, the stateless firewall may | |||
| need to glean information from both the IPv6 and upper-layer headers. | need to glean information from both the IPv6 and upper-layer headers. | |||
| For example, assume that a stateless firewall discards all traffic | For example, assume that a stateless firewall discards all traffic | |||
| received from an interface unless it destined for a particular TCP | received from an interface unless it destined for a particular TCP | |||
| port on a particular IPv6 address. When this firewall is presented | port on a particular IPv6 address. When this firewall is presented | |||
| with a fragmented packet, and the entire header chain is contained | with a fragmented packet that is destined for a different TCP port, | |||
| within the first fragment, the firewall discards the first fragment | and the entire header chain is contained within the first fragment, | |||
| and allows subsequent fragments to pass. Because the first fragment | the firewall discards the first fragment and allows subsequent | |||
| was discarded, the packet cannot be reassembled at the destination. | fragments to pass. Because the first fragment was discarded, the | |||
| Insomuch as the packet cannot be reassembled, the forwarding policy | packet cannot be reassembled at the destination. Insomuch as the | |||
| is enforced. | packet cannot be reassembled, the forwarding policy is enforced. | |||
| However, when the firewall is presented with a fragmented packet and | However, when the firewall is presented with a fragmented packet and | |||
| the header chain spans multiple fragments, the first fragment does | the header chain spans multiple fragments, the first fragment does | |||
| not contain enough information for the firewall to enforce its | not contain enough information for the firewall to enforce its | |||
| forwarding policy. Lacking sufficient information, the stateless | forwarding policy. Lacking sufficient information, the stateless | |||
| firewall either forwards or discards that fragment. Regardless of | firewall either forwards or discards that fragment. Regardless of | |||
| the action that it takes, it may fail to enforce its forwarding | the action that it takes, it may fail to enforce its forwarding | |||
| policy. | policy. | |||
| 5. Updates to RFC 2460 | 5. Updates to RFC 2460 | |||
| When a host fragments a IPv6 datagram, it MUST include the entire | When a host fragments a IPv6 datagram, it MUST include the entire | |||
| header chain in the first fragment. | header chain in the first fragment. | |||
| A host that receives a first-fragment that does not satisfy the | A host that receives a first-fragment that does not satisfy the | |||
| above-stated requirement SHOULD discard that packet, and also MAY | above- stated requirement SHOULD discard the packet (e.g., including | |||
| send an ICMPv6 error message to the source address of the offending | a configuration option that allows such fragments to be accepted for | |||
| packet (subject to the rules for ICMPv6 errors specified in | backwards compatibility) and SHOULD send an ICMPv6 error message to | |||
| [RFC4443]). | the source address of the offending packet (subject to the rules for | |||
| ICMPv6 errors specified in [RFC4443]). | ||||
| Likewise, an intermediate system (e.g. router, firewall) that | Likewise, an intermediate system (e.g. router, firewall) that | |||
| receives an IPv6 first-fragment that does not satisfy the above- | receives an IPv6 first-fragment that does not satisfy the above- | |||
| stated requirements MAY discard that packet, and MAY send an ICMPv6 | stated requirements MAY discard that packet, and MAY send an ICMPv6 | |||
| error message to the source address of the offending packet (subject | error message to the source address of the offending packet (subject | |||
| to the rules for ICMPv6 error messages specified in [RFC4443]). | to the rules for ICMPv6 error messages specified in [RFC4443]). | |||
| Intermediate systems having this capability SHOULD support | Intermediate systems having this capability SHOULD support | |||
| configuration (e.g. enable/disable) of whether such packets are | configuration (e.g. enable/disable) of whether such packets are | |||
| dropped or not by the intermediate system. | dropped or not by the intermediate system. | |||
| If a host or intermediate system discards a first-fragment because it | If a host or intermediate system discards a first-fragment because it | |||
| does not satisfy the above-stated requirements, and sends an ICMPv6 | does not satisfy the above-stated requirements, and sends an ICMPv6 | |||
| error message due to the discard, then the ICMPv6 error message MUST | error message due to the discard, then the ICMPv6 error message MUST | |||
| be Type 4 ("Parameter Problem") and MUST use Code TBD ("First- | be Type 4 ("Parameter Problem") and MUST use Code TBD ("First- | |||
| fragment has incomplete IPv6 Header Chain"). The Pointer field | fragment has incomplete IPv6 Header Chain"). The Pointer field | |||
| contained by the ICMPv6 Parameter Problem message MUST be set to | contained by the ICMPv6 Parameter Problem message MUST be set to | |||
| zero. | zero. Whether a host or intermediate system originates this ICMP | |||
| message, its format is identical. | ||||
| As a result of the above mentioned requirements, a packet's header | As a result of the above mentioned requirements, a packet's header | |||
| chain length cannot exceed the Path MTU associated with its | chain length cannot exceed the Path MTU associated with its | |||
| destination. Hosts MAY discover the Path MTU, using procedures such | destination. Hosts MAY discover the Path MTU, using procedures such | |||
| as those defined in [RFC1981] and [RFC4821]. However, if a host does | as those defined in [RFC1981] and [RFC4821]. However, if a host does | |||
| not discover the Path MTU, it MUST limit the header chain length to | not discover the Path MTU, it MUST limit the header chain length to | |||
| 1280 bytes. Limiting the header chain length to 1280 bytes ensures | 1280 bytes. Limiting the header chain length to 1280 bytes ensures | |||
| that the header chain length does not exceed the IPv6 minimum MTU. | that the header chain length does not exceed the IPv6 minimum MTU | |||
| [RFC2460]. | ||||
| 6. IANA Considerations | 6. IANA Considerations | |||
| IANA is requested to add a the following entry to the "Reason Code" | IANA is requested to add a the following entry to the "Reason Code" | |||
| registry for ICMPv6 "Type 4 - Parameter Problem" messages: | registry for ICMPv6 "Type 4 - Parameter Problem" messages: | |||
| CODE NAME/DESCRIPTION | CODE NAME/DESCRIPTION | |||
| TBD IPv6 first-fragment has incomplete IPv6 header chain | TBD IPv6 first-fragment has incomplete IPv6 header chain | |||
| 7. Security Considerations | 7. Security Considerations | |||
| skipping to change at page 12, line 28 | skipping to change at page 12, line 28 | |||
| [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control | [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control | |||
| Message Protocol (ICMPv6) for the Internet Protocol | Message Protocol (ICMPv6) for the Internet Protocol | |||
| Version 6 (IPv6) Specification", RFC 4443, March 2006. | Version 6 (IPv6) Specification", RFC 4443, March 2006. | |||
| [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU | [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU | |||
| Discovery", RFC 4821, March 2007. | Discovery", RFC 4821, March 2007. | |||
| [I-D.ietf-6man-ext-transmit] | [I-D.ietf-6man-ext-transmit] | |||
| Carpenter, B. and S. Jiang, "Transmission and Processing | Carpenter, B. and S. Jiang, "Transmission and Processing | |||
| of IPv6 Extension Headers", | of IPv6 Extension Headers", | |||
| draft-ietf-6man-ext-transmit-03 (work in progress), | draft-ietf-6man-ext-transmit-04 (work in progress), | |||
| August 2013. | September 2013. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: | [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: | |||
| Defeating Denial of Service Attacks which employ IP Source | Defeating Denial of Service Attacks which employ IP Source | |||
| Address Spoofing", BCP 38, RFC 2827, May 2000. | Address Spoofing", BCP 38, RFC 2827, May 2000. | |||
| [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed | [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed | |||
| Networks", BCP 84, RFC 3704, March 2004. | Networks", BCP 84, RFC 3704, March 2004. | |||
| End of changes. 9 change blocks. | ||||
| 18 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||