draft-ietf-v6ops-ipv6-ehs-in-real-world-00.txt   draft-ietf-v6ops-ipv6-ehs-in-real-world-01.txt 
IPv6 Operations Working Group (v6ops) F. Gont IPv6 Operations Working Group (v6ops) F. Gont
Internet-Draft SI6 Networks / UTN-FRH Internet-Draft SI6 Networks / UTN-FRH
Intended status: Informational J. Linkova Intended status: Informational J. Linkova
Expires: October 23, 2015 Google Expires: April 17, 2016 Google
T. Chown T. Chown
University of Southampton University of Southampton
W. Liu W. Liu
Huawei Technologies Huawei Technologies
April 21, 2015 October 15, 2015
Observations on IPv6 EH Filtering in the Real World Observations on the Dropping of Packets with IPv6 Extension Headers in
draft-ietf-v6ops-ipv6-ehs-in-real-world-00 the Real World
draft-ietf-v6ops-ipv6-ehs-in-real-world-01
Abstract Abstract
This document presents real-world data regarding the extent to which This document presents real-world data regarding the extent to which
packets with IPv6 extension headers are filtered in the Internet (as packets with IPv6 extension headers are dropped in the Internet (as
measured in August 2014), and where in the network such filtering measured in August 2014), and where in the network such dropping
occurs. The aforementioned results serve as a problem statement that occurs. The aforementioned results serve as a problem statement that
is expected to trigger operational advice on the filtering of IPv6 is expected to trigger operational advice on the filtering of IPv6
packets carrying IPv6 Extension Headers, so that the situation packets carrying IPv6 Extension Headers, so that the situation
improves over time. This document also explains how the improves over time. This document also explains how the
aforementioned results were obtained, such that the corresponding aforementioned results were obtained, such that the corresponding
measurements can be reproduced by other members of the community. measurements can be reproduced by other members of the community.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
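Review bot: The abstract is only partly renamed: packets are now "dropped" and "dropping occurs", yet the next sentence still expects "operational advice on the filtering of IPv6 packets carrying IPv6 Extension Headers". If the split is deliberate (dropping is what was measured, filtering is the policy the advice would address), state that distinction once, for example in the Introduction; otherwise the rename reads as incomplete.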
skipping to change at page 1, line 43 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 23, 2015. This Internet-Draft will expire on April 17, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 31
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Support of IPv6 Extension Headers in the Internet . . . . . . 3 2. Support of IPv6 Extension Headers in the Internet . . . . . . 3
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
6.1. Normative References . . . . . . . . . . . . . . . . . . 7 6.1. Normative References . . . . . . . . . . . . . . . . . . 7
6.2. Informative References . . . . . . . . . . . . . . . . . 8 6.2. Informative References . . . . . . . . . . . . . . . . . 8
Appendix A. Reproducing Our Experiment . . . . . . . . . . . . . 9 Appendix A. Reproducing Our Experiment . . . . . . . . . . . . . 9
A.1. Obtaining the List of Domain Names . . . . . . . . . . . 9 A.1. Obtaining the List of Domain Names . . . . . . . . . . . 10
A.2. Obtaining AAAA Resource Records . . . . . . . . . . . . . 10 A.2. Obtaining AAAA Resource Records . . . . . . . . . . . . . 10
A.3. Filtering the IPv6 Address Datasets . . . . . . . . . . . 10 A.3. Filtering the IPv6 Address Datasets . . . . . . . . . . . 10
A.4. Performing Measurements with Each IPv6 Address Dataset . 11 A.4. Performing Measurements with Each IPv6 Address Dataset . 11
A.5. Obtaining Statistics from our Measurements . . . . . . . 12 A.5. Obtaining Statistics from our Measurements . . . . . . . 12
Appendix B. Measurements Caveats . . . . . . . . . . . . . . . . 13 Appendix B. Measurements Caveats . . . . . . . . . . . . . . . . 13
B.1. Isolating the Dropping Node . . . . . . . . . . . . . . . 13 B.1. Isolating the Dropping Node . . . . . . . . . . . . . . . 13
B.2. Obtaining the Responsible Organization for the Packet B.2. Obtaining the Responsible Organization for the Packet
Drops . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Drops . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Appendix C. Troubleshooting Packet Drops due to IPv6 Extension Appendix C. Troubleshooting Packet Drops due to IPv6 Extension
Headers . . . . . . . . . . . . . . . . . . . . . . 15 Headers . . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
IPv6 Extension Headers (EHs) allow for the extension of the IPv6 IPv6 Extension Headers (EHs) allow for the extension of the IPv6
protocol, and provide support for core functionality such as IPv6 protocol, and provide support for core functionality such as IPv6
fragmentation. While packets employing IPv6 Extension Headers have fragmentation. While packets employing IPv6 Extension Headers have
been suspected to be dropped in some IPv6 deployments, there was not been suspected to be dropped in some IPv6 deployments, there was not
much concrete data on the topic. Some preliminary measurements have much concrete data on the topic. Some preliminary measurements have
been presented in [PMTUD-Blackholes], [Gont-IEPG88] and been presented in [PMTUD-Blackholes], [Gont-IEPG88] and
[Gont-Chown-IEPG89], whereas [Linkova-Gont-IEPG90] presents more [Gont-Chown-IEPG89], whereas [Linkova-Gont-IEPG90] presents more
comprehensive results on which this document is based. comprehensive results on which this document is based.
This document presents real-world data regarding the extent to which This document presents real-world data regarding the extent to which
packets containing IPv6 Extension Headers are filtered in the packets containing IPv6 Extension Headers are dropped in the
Internet, as measured in August 2014 (pending operational advice in Internet, as measured in August 2014 (pending operational advice in
this area). The results presented in this document indicate that in this area). The results presented in this document indicate that in
the scenarios where the corresponding measurements were performed, the scenarios where the corresponding measurements were performed,
the use of IPv6 extension headers can lead to packet drops. We note the use of IPv6 extension headers can lead to packet drops. We note
that, in particular, packet drops occurring at transit networks are that, in particular, packet drops occurring at transit networks are
undesirable, and it is hoped and expected that this situation will undesirable, and it is hoped and expected that this situation will
improve over time. improve over time.
2. Support of IPv6 Extension Headers in the Internet 2. Support of IPv6 Extension Headers in the Internet
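Review bot: In the second Introduction paragraph, the parenthetical in "as measured in August 2014 (pending operational advice in this area)" has no clear referent and reads as if the measurement itself were pending. Since this paragraph is already being edited for the "filtered" to "dropped" rename, reword the clause or move it next to the sentence it is meant to qualify.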
skipping to change at page 7, line 14 skipping to change at page 7, line 14
3. IANA Considerations 3. IANA Considerations
There are no IANA registries within this document. The RFC-Editor There are no IANA registries within this document. The RFC-Editor
can remove this section before publication of this document as an can remove this section before publication of this document as an
RFC. RFC.
4. Security Considerations 4. Security Considerations
This document presents real-world data regarding the extent to which This document presents real-world data regarding the extent to which
IPv6 packets employing extension headers are filtered in the IPv6 packets employing extension headers are dropped in the Internet.
Internet. As such, this document does not introduce any new security As such, this document does not introduce any new security issues.
issues.
5. Acknowledgements 5. Acknowledgements
The authors would like to thank (in alphabetical order) Mikael The authors would like to thank (in alphabetical order) Mikael
Abrahamsson, Mark Andrews, Fred Baker, Brian Carpenter, Gert Doering, Abrahamsson, Mark Andrews, Fred Baker, Brian Carpenter, Gert Doering,
C. M. Heard, Nick Hilliard, Joel Jaeggli, Tatuya Jinmei, Merike C. M. Heard, Nick Hilliard, Joel Jaeggli, Tatuya Jinmei, Merike
Kaeo, Warren Kumari, Mark Smith, Ole Troan, and Eric Vyncke, for Kaeo, Warren Kumari, Ted Lemon, Mark Smith, Ole Troan, and Eric
providing valuable comments on earlier versions of this document. Vyncke, for providing valuable comments on earlier versions of this
Additionally, the authors would like to thank participants of the document. Additionally, the authors would like to thank participants
v6ops and opsec working groups for their valuable input on the topics of the v6ops and opsec working groups for their valuable input on the
discussed in this document. topics discussed in this document.
The authors would like to thank Fred Baker for his guidance in The authors would like to thank Fred Baker for his guidance in
improving this document. improving this document.
Fernando Gont would like to thank Jan Zorz / Go6 Lab Fernando Gont would like to thank Jan Zorz / Go6 Lab
<http://go6lab.si/>, and Jared Mauch / NTT America, for providing <http://go6lab.si/>, and Jared Mauch / NTT America, for providing
access to systems and networks that were employed to produce some of access to systems and networks that were employed to produce some of
the measurement results presented in this document. Additionally, he the measurement results presented in this document. Additionally, he
would like to thank SixXS <https://www.sixxs.net> for providing IPv6 would like to thank SixXS <https://www.sixxs.net> for providing IPv6
connectivity. connectivity.
6. References 6. References
6.1. Normative References 6.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
793, September 1981. RFC 793, DOI 10.17487/RFC0793, September 1981,
<http://www.rfc-editor.org/info/rfc793>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998. (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <http://www.rfc-editor.org/info/rfc2460>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Message Protocol (ICMPv6) for the Internet Protocol Control Message Protocol (ICMPv6) for the Internet
Version 6 (IPv6) Specification", RFC 4443, March 2006. Protocol Version 6 (IPv6) Specification", RFC 4443,
DOI 10.17487/RFC4443, March 2006,
<http://www.rfc-editor.org/info/rfc4443>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007. DOI 10.17487/RFC4861, September 2007,
<http://www.rfc-editor.org/info/rfc4861>.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, April 2011. Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
<http://www.rfc-editor.org/info/rfc6145>.
[RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments",
6946, May 2013. RFC 6946, DOI 10.17487/RFC6946, May 2013,
<http://www.rfc-editor.org/info/rfc6946>.
6.2. Informative References 6.2. Informative References
[blackhole6]
blackhole6, , "blackhole6 tool manual page",
<http://www.si6networks.com/tools/ipv6toolkit>, 2014.
[Gont-Chown-IEPG89] [Gont-Chown-IEPG89]
Gont, F. and T. Chown, "A Small Update on the Use of IPv6 Gont, F. and T. Chown, "A Small Update on the Use of IPv6
Extension Headers", IEPG 89. London, UK. March 2, 2014, Extension Headers", IEPG 89. London, UK. March 2, 2014,
<http://www.iepg.org/2014-03-02-ietf89/ <http://www.iepg.org/2014-03-02-ietf89/
fgont-iepg-ietf89-eh-update.pdf>. fgont-iepg-ietf89-eh-update.pdf>.
[Gont-IEPG88] [Gont-IEPG88]
Gont, F., "Fragmentation and Extension header Support in Gont, F., "Fragmentation and Extension header Support in
the IPv6 Internet", IEPG 88. Vancouver, BC, Canada. the IPv6 Internet", IEPG 88. Vancouver, BC, Canada.
November 13, 2013, <http://www.iepg.org/2013-11-ietf88/ November 13, 2013, <http://www.iepg.org/2013-11-ietf88/
fgont-iepg-ietf88-ipv6-frag-and-eh.pdf>. fgont-iepg-ietf88-ipv6-frag-and-eh.pdf>.
[IANA-PORT-NUMBERS] [IANA-PORT-NUMBERS]
IANA, "Service Name and Transport Protocol Port Number IANA, "Service Name and Transport Protocol Port Number
Registry", <http://www.iana.org/assignments/ Registry", <http://www.iana.org/assignments/
service-names-port-numbers/ service-names-port-numbers/
service-names-port-numbers.txt>. service-names-port-numbers.txt>.
[IPv6-Toolkit] [IPv6-Toolkit]
"SI6 Networks' IPv6 Toolkit", "SI6 Networks' IPv6 Toolkit",
<http://www.si6networks.com/tools/ipv6toolkit>. <http://www.si6networks.com/tools/ipv6toolkit>.
[Linkova-Gont-IEPG90] [Linkova-Gont-IEPG90]
Linkova, J. and F. Gont, "IPv6 Extension Headers in the Linkova, J. and F. Gont, "IPv6 Extension Headers in the
Real World v2.0", IEPG 90. Toronto, ON, Canada. July 20, Real World v2.0", IEPG 90. Toronto, ON, Canada. July 20,
2014, <http://www.iepg.org/2014-07-20-ietf90/ 2014, <http://www.iepg.org/2014-07-20-ietf90/
iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf>. iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf>.
[path6] path6, , "path6 tool manual page",
<http://www.si6networks.com/tools/ipv6toolkit>, 2014.
[PMTUD-Blackholes] [PMTUD-Blackholes]
De Boer, M. and J. Bosma, "Discovering Path MTU black De Boer, M. and J. Bosma, "Discovering Path MTU black
holes on the Internet using RIPE Atlas", July 2012, holes on the Internet using RIPE Atlas", July 2012,
<http://www.nlnetlabs.nl/downloads/publications/ <http://www.nlnetlabs.nl/downloads/publications/
pmtu-black-holes-msc-thesis.pdf>. pmtu-black-holes-msc-thesis.pdf>.
[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
DOI 10.17487/RFC5927, July 2010,
<http://www.rfc-editor.org/info/rfc5927>.
[RFC6980] Gont, F., "Security Implications of IPv6 Fragmentation [RFC6980] Gont, F., "Security Implications of IPv6 Fragmentation
with IPv6 Neighbor Discovery", RFC 6980, August 2013. with IPv6 Neighbor Discovery", RFC 6980,
DOI 10.17487/RFC6980, August 2013,
<http://www.rfc-editor.org/info/rfc6980>.
[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing
of IPv6 Extension Headers", RFC 7045, December 2013. of IPv6 Extension Headers", RFC 7045,
DOI 10.17487/RFC7045, December 2013,
<http://www.rfc-editor.org/info/rfc7045>.
[RFC7113] Gont, F., "Implementation Advice for IPv6 Router [RFC7113] Gont, F., "Implementation Advice for IPv6 Router
Advertisement Guard (RA-Guard)", RFC 7113, February 2014. Advertisement Guard (RA-Guard)", RFC 7113,
DOI 10.17487/RFC7113, February 2014,
<http://www.rfc-editor.org/info/rfc7113>.
[RFC7123] Gont, F. and W. Liu, "Security Implications of IPv6 on [RFC7123] Gont, F. and W. Liu, "Security Implications of IPv6 on
IPv4 Networks", RFC 7123, February 2014. IPv4 Networks", RFC 7123, DOI 10.17487/RFC7123, February
2014, <http://www.rfc-editor.org/info/rfc7123>.
[blackhole6]
blackhole6, , "blackhole6 tool manual page",
<http://www.si6networks.com/tools/ipv6toolkit>, 2014.
[path6] path6, , "path6 tool manual page",
<http://www.si6networks.com/tools/ipv6toolkit>, 2014.
Appendix A. Reproducing Our Experiment Appendix A. Reproducing Our Experiment
This section describes, step by step, how to reproduce the experiment This section describes, step by step, how to reproduce the experiment
with which we obtained the results presented in this document. Each with which we obtained the results presented in this document. Each
subsection represents one step in the experiment. The tools employed subsection represents one step in the experiment. The tools employed
for the experiment are traditional UNIX-like tools (such as gunzip), for the experiment are traditional UNIX-like tools (such as gunzip),
and the SI6 Networks' IPv6 Toolkit [IPv6-Toolkit]. and the SI6 Networks' IPv6 Toolkit [IPv6-Toolkit].
A.1. Obtaining the List of Domain Names A.1. Obtaining the List of Domain Names
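Review bot: The [blackhole6] and [path6] entries in 6.2 still render with an empty field after the name ("blackhole6, ," and "path6, ,"), and both titled "tool manual page" point at the same toolkit URL as [IPv6-Toolkit]. Fill in or drop the empty author element in the reference source, and confirm that moving these two entries after [RFC7123] in -01 is the intended ordering. Separately, the Section 4 text shown here cites none of the security-related informative references listed in 6.2 (RFC 6980, RFC 7113); if they bear on the dropping of packets with EHs, a pointer from Security Considerations would help the reader.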
skipping to change at page 14, line 25 skipping to change at page 14, line 38
enabled traceroute" ("2001:db8:4:1000::1" in our case), as "M+1", enabled traceroute" ("2001:db8:4:1000::1" in our case), as "M+1",
etc. etc.
Based on traceroute information above, which node is the one actually Based on traceroute information above, which node is the one actually
dropping the EH-enabled packets will depend on whether the dropping dropping the EH-enabled packets will depend on whether the dropping
node filters packets before making the forwarding decision, or after node filters packets before making the forwarding decision, or after
making the forwarding decision. If the former, the dropping node making the forwarding decision. If the former, the dropping node
will be M+1. If the latter, the dropping node will be "M". will be M+1. If the latter, the dropping node will be "M".
Throughout this document (and our measurements), we assume that those Throughout this document (and our measurements), we assume that those
nodes filtering packets that carry IPv6 EHs apply their filtering nodes dropping packets that carry IPv6 EHs apply their filtering
policy, and only then, if necessary, forward the packets. Thus, in policy, and only then, if necessary, forward the packets. Thus, in
our example above the last responding node to the EH-enabled our example above the last responding node to the EH-enabled
traceroute ("M") is "2001:db8:4:4000::1", and therefore we assume the traceroute ("M") is "2001:db8:4:4000::1", and therefore we assume the
dropping node to be "2001:db8:4:1000::1" ("M+1"). dropping node to be "2001:db8:4:1000::1" ("M+1").
Additionally, we note that when isolating the dropping node we assume Additionally, we note that when isolating the dropping node we assume
that both the EH-enabled and the EH-free traceroutes result in the that both the EH-enabled and the EH-free traceroutes result in the
same paths. However, this might not be the case. same paths. However, this might not be the case.
B.2. Obtaining the Responsible Organization for the Packet Drops B.2. Obtaining the Responsible Organization for the Packet Drops
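Review bot: The last paragraph of B.1 says the EH-enabled and EH-free traceroutes are assumed to follow the same path and that "this might not be the case", but gives no indication of how a diverging path affects the choice of M+1 or how such cases were treated in the measurements. Add a sentence saying whether mismatching paths were detected and excluded or counted as-is. Minor: "the dropping node will be M+1. If the latter, the dropping node will be "M"" quotes one label and not the other; pick one form.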
 End of changes. 28 change blocks. 
44 lines changed or deleted 62 lines changed or added
