--- 1/draft-ietf-6man-oversized-header-chain-07.txt	2013-10-02 12:14:26.581522675 -0700
+++ 2/draft-ietf-6man-oversized-header-chain-08.txt	2013-10-02 12:14:26.601523170 -0700
@@ -1,21 +1,21 @@
 
 IPv6 maintenance Working Group (6man)                            F. Gont
 Internet-Draft                                    SI6 Networks / UTN-FRH
 Updates: 2460 (if approved)                                    V. Manral
 Intended status: Standards Track                   Hewlett-Packard Corp.
-Expires: March 14, 2014                                        R. Bonica
+Expires: April 5, 2014                                         R. Bonica
                                                         Juniper Networks
-                                                      September 10, 2013
+                                                         October 2, 2013
 
               Implications of Oversized IPv6 Header Chains
-               draft-ietf-6man-oversized-header-chain-07
+               draft-ietf-6man-oversized-header-chain-08
 
 Abstract
 
    The IPv6 specification allows IPv6 header chains of an arbitrary
    size.  The specification also allows options which can in turn extend
    each of the headers.  In those scenarios in which the IPv6 header
    chain or options are unusually long and packets are fragmented, or
    scenarios in which the fragment size is very small, the first
    fragment of a packet may fail to include the entire IPv6 header
    chain.  This document discusses the interoperability and security
@@ -31,21 +31,21 @@
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF).  Note that other groups may also distribute
    working documents as Internet-Drafts.  The list of current Internet-
    Drafts is at http://datatracker.ietf.org/drafts/current/.
 
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on March 14, 2014.
+   This Internet-Draft will expire on April 5, 2014.
 
 Copyright Notice
 
    Copyright (c) 2013 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
@@ -155,70 +155,73 @@
 4.  Motivation
 
    Many forwarding devices implement stateless firewalls.  A stateless
    firewall enforces a forwarding policy on packet-by-packet basis.  In
    order to enforce its forwarding policy, the stateless firewall may
    need to glean information from both the IPv6 and upper-layer headers.
 
    For example, assume that a stateless firewall discards all traffic
    received from an interface unless it destined for a particular TCP
    port on a particular IPv6 address.  When this firewall is presented
-   with a fragmented packet, and the entire header chain is contained
-   within the first fragment, the firewall discards the first fragment
-   and allows subsequent fragments to pass.  Because the first fragment
-   was discarded, the packet cannot be reassembled at the destination.
-   Insomuch as the packet cannot be reassembled, the forwarding policy
-   is enforced.
+   with a fragmented packet that is destined for a different TCP port,
+   and the entire header chain is contained within the first fragment,
+   the firewall discards the first fragment and allows subsequent
+   fragments to pass.  Because the first fragment was discarded, the
+   packet cannot be reassembled at the destination.  Insomuch as the
+   packet cannot be reassembled, the forwarding policy is enforced.
 
    However, when the firewall is presented with a fragmented packet and
    the header chain spans multiple fragments, the first fragment does
    not contain enough information for the firewall to enforce its
    forwarding policy.  Lacking sufficient information, the stateless
    firewall either forwards or discards that fragment.  Regardless of
    the action that it takes, it may fail to enforce its forwarding
    policy.
 
 5.  Updates to RFC 2460
 
    When a host fragments a IPv6 datagram, it MUST include the entire
    header chain in the first fragment.
 
    A host that receives a first-fragment that does not satisfy the
-   above-stated requirement SHOULD discard that packet, and also MAY
-   send an ICMPv6 error message to the source address of the offending
-   packet (subject to the rules for ICMPv6 errors specified in
-   [RFC4443]).
+   above- stated requirement SHOULD discard the packet (e.g., including
+   a configuration option that allows such fragments to be accepted for
+   backwards compatibility) and SHOULD send an ICMPv6 error message to
+   the source address of the offending packet (subject to the rules for
+   ICMPv6 errors specified in [RFC4443]).
 
    Likewise, an intermediate system (e.g. router, firewall) that
    receives an IPv6 first-fragment that does not satisfy the above-
    stated requirements MAY discard that packet, and MAY send an ICMPv6
    error message to the source address of the offending packet (subject
    to the rules for ICMPv6 error messages specified in [RFC4443]).
    Intermediate systems having this capability SHOULD support
    configuration (e.g. enable/disable) of whether such packets are
    dropped or not by the intermediate system.
 
    If a host or intermediate system discards a first-fragment because it
    does not satisfy the above-stated requirements, and sends an ICMPv6
    error message due to the discard, then the ICMPv6 error message MUST
    be Type 4 ("Parameter Problem") and MUST use Code TBD ("First-
    fragment has incomplete IPv6 Header Chain").  The Pointer field
    contained by the ICMPv6 Parameter Problem message MUST be set to
-   zero.
+   zero.  Whether a host or intermediate system originates this ICMP
+   message, its format is identical.
 
    As a result of the above mentioned requirements, a packet's header
    chain length cannot exceed the Path MTU associated with its
    destination.  Hosts MAY discover the Path MTU, using procedures such
    as those defined in [RFC1981] and [RFC4821].  However, if a host does
    not discover the Path MTU, it MUST limit the header chain length to
    1280 bytes.  Limiting the header chain length to 1280 bytes ensures
-   that the header chain length does not exceed the IPv6 minimum MTU.
+   that the header chain length does not exceed the IPv6 minimum MTU
+   [RFC2460].
 
 6.  IANA Considerations
 
    IANA is requested to add a the following entry to the "Reason Code"
    registry for ICMPv6 "Type 4 - Parameter Problem" messages:
 
       CODE     NAME/DESCRIPTION
        TBD     IPv6 first-fragment has incomplete IPv6 header chain
 
 7.  Security Considerations
@@ -273,22 +276,22 @@
    [RFC4443]  Conta, A., Deering, S., and M. Gupta, "Internet Control
               Message Protocol (ICMPv6) for the Internet Protocol
               Version 6 (IPv6) Specification", RFC 4443, March 2006.
 
    [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
               Discovery", RFC 4821, March 2007.
 
    [I-D.ietf-6man-ext-transmit]
               Carpenter, B. and S. Jiang, "Transmission and Processing
               of IPv6 Extension Headers",
-              draft-ietf-6man-ext-transmit-03 (work in progress),
-              August 2013.
+              draft-ietf-6man-ext-transmit-04 (work in progress),
+              September 2013.
 
 9.2.  Informative References
 
    [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
               Defeating Denial of Service Attacks which employ IP Source
               Address Spoofing", BCP 38, RFC 2827, May 2000.
 
    [RFC3704]  Baker, F. and P. Savola, "Ingress Filtering for Multihomed
               Networks", BCP 84, RFC 3704, March 2004.