rfc9098xml2.original.xml   rfc9098.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<?rfc toc="yes" ?>
<?rfc toc="yes"?> <rfc ipr="trust200902" category="info" docName="draft-ietf-v6ops-ipv6-ehs-packet
<?rfc tocompact="yes"?> -drops-08" number="9098" obsoletes="" updates="" submissionType="IETF" xml:lang=
<?rfc tocdepth="2"?> "en" tocInclude="true" tocDepth="2" symRefs="true" sortRefs="true" version="3" c
<?rfc symrefs="yes" ?> onsensus="true" xmlns:xi="http://www.w3.org/2001/XInclude">
<?rfc sortrefs="yes"?>
<?rfc strict="no" ?>
<rfc
ipr="trust200902"
category="info"
docName="draft-ietf-v6ops-ipv6-ehs-packet-drops-08">
<front> <front>
<title abbrev="IPv6 Extension Headers">Operational Implications of IPv6 Pack ets with Extension Headers</title> <title abbrev="IPv6 Extension Headers">Operational Implications of IPv6 Pack ets with Extension Headers</title>
<seriesInfo name="RFC" value="9098"/>
<author fullname="Fernando Gont" initials="F." surname="Gont"> <author fullname="Fernando Gont" initials="F." surname="Gont">
<organization abbrev="SI6 Networks">SI6 Networks</organization> <organization abbrev="SI6 Networks">SI6 Networks</organization>
<address> <address>
<postal> <postal>
<street>Segurola y Habana 4310, 7mo Piso</street> <street>Segurola y Habana 4310, 7mo Piso</street>
<city>Villa Devoto</city> <city>Villa Devoto</city>
<region>Ciudad Autonoma de Buenos Aires</region> <region>Ciudad Autonoma de Buenos Aires</region>
<country>Argentina</country> <country>Argentina</country>
</postal> </postal>
<email>fgont@si6networks.com</email> <email>fgont@si6networks.com</email>
<uri>https://www.si6networks.com</uri> <uri>https://www.si6networks.com</uri>
skipping to change at line 31 skipping to change at line 21
<organization abbrev="SI6 Networks">SI6 Networks</organization> <organization abbrev="SI6 Networks">SI6 Networks</organization>
<address> <address>
<postal> <postal>
<street>Segurola y Habana 4310, 7mo Piso</street> <street>Segurola y Habana 4310, 7mo Piso</street>
<city>Villa Devoto</city> <city>Villa Devoto</city>
<region>Ciudad Autonoma de Buenos Aires</region> <region>Ciudad Autonoma de Buenos Aires</region>
<country>Argentina</country> <country>Argentina</country>
</postal> </postal>
<email>fgont@si6networks.com</email> <email>fgont@si6networks.com</email>
<uri>https://www.si6networks.com</uri> <uri>https://www.si6networks.com</uri>
</address> </address>
</author> </author>
<author fullname="Nick Hilliard" initials="N" surname="Hilliard"> <author fullname="Nick Hilliard" initials="N" surname="Hilliard">
<organization>INEX</organization> <organization>INEX</organization>
<address> <address>
<postal> <postal>
<street>4027 Kingswood Road</street> <street>4027 Kingswood Road</street>
<city>Dublin</city> <city>Dublin</city>
<code>24</code> <code>24</code>
<country>IE</country> <country>Ireland</country>
</postal> </postal>
<email>nick@inex.ie</email> <email>nick@inex.ie</email>
</address> </address>
</author> </author>
<author fullname="Gert Doering" initials="G" surname="Doering"> <author fullname="Gert Doering" initials="G" surname="Doering">
<organization>SpaceNet AG</organization> <organization>SpaceNet AG</organization>
<address> <address>
<postal> <postal>
<street>Joseph-Dollinger-Bogen 14</street> <street>Joseph-Dollinger-Bogen 14</street>
<city>Muenchen</city> <city>Muenchen</city>
<code>D-80807</code> <code>D-80807</code>
<country>Germany</country> <country>Germany</country>
</postal> </postal>
<email>gert@space.net</email> <email>gert@space.net</email>
skipping to change at line 59 skipping to change at line 47
<address> <address>
<postal> <postal>
<street>Joseph-Dollinger-Bogen 14</street> <street>Joseph-Dollinger-Bogen 14</street>
<city>Muenchen</city> <city>Muenchen</city>
<code>D-80807</code> <code>D-80807</code>
<country>Germany</country> <country>Germany</country>
</postal> </postal>
<email>gert@space.net</email> <email>gert@space.net</email>
</address> </address>
</author> </author>
<author fullname="Warren Kumari" initials="W." surname="Kumari"> <author fullname="Warren Kumari" initials="W." surname="Kumari">
<organization>Google</organization> <organization>Google</organization>
<address> <address>
<postal> <postal>
<street>1600 Amphitheatre Parkway</street> <street>1600 Amphitheatre Parkway</street>
<city>Mountain View</city>
<city>Mountain View, CA</city> <region>CA</region>
<code>94043</code> <code>94043</code>
<country>US</country> <country>US</country>
</postal> </postal>
<email>warren@kumari.net</email> <email>warren@kumari.net</email>
</address> </address>
</author> </author>
<author fullname="Geoff Huston" initials="G." surname="Huston">
<author fullname="Geoff Huston" initials="G." surname="Huston">
<organization abbrev="APNIC"/> <organization abbrev="APNIC"/>
<address> <address>
<email>gih@apnic.net</email> <email>gih@apnic.net</email>
<uri>http://www.apnic.net</uri> <uri>https://www.apnic.net</uri>
</address> </address>
</author> </author>
<author fullname="Will (Shucheng) Liu" initials="W." surname="Liu"> <author fullname="Will (Shucheng) Liu" initials="W." surname="Liu">
<organization>Huawei Technologies</organization> <organization>Huawei Technologies</organization>
<address> <address>
<postal> <postal>
<street>Bantian, Longgang District</street> <street>Bantian, Longgang District</street>
<city>Shenzhen</city> <city>Shenzhen</city>
<code>518129</code> <code>518129</code>
<country>P.R. China</country> <country>China</country>
</postal> </postal>
<email>liushucheng@huawei.com</email> <email>liushucheng@huawei.com</email>
</address> </address>
</author> </author>
<date month="September" year="2021"/>
<date/>
<area>Operations and Management</area> <area>Operations and Management</area>
<workgroup>IPv6 Operations Working Group (v6ops)</workgroup> <workgroup>IPv6 Operations Working Group (v6ops)</workgroup>
<abstract> <abstract>
<t> <t>
This document summarizes the operational implications of IPv6 extension headers This document summarizes the operational implications of IPv6 extension headers
specified in the IPv6 protocol specification (RFC8200), and attempts to analyze specified in the IPv6 protocol specification (RFC 8200) and attempts to analyze
reasons why packets with IPv6 extension headers are often dropped in the public reasons why packets with IPv6 extension headers are often dropped in the public
Internet. Internet.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="intro" numbered="true" toc="default">
<section title="Introduction" anchor="intro"> <name>Introduction</name>
<t> <t>
IPv6 Extension Headers (EHs) allow for the extension of the IPv6 protocol, and p IPv6 extension headers (EHs) allow for the extension of the IPv6 protocol and pr
rovide support for core functionality such as IPv6 fragmentation. However, commo ovide support for core functionality such as IPv6 fragmentation. However, common
n implementation limitations suggest that EHs present a challenge for IPv6 packe implementation limitations suggest that EHs present a challenge for IPv6 packet
t routing equipment and middle-boxes, and evidence exists that IPv6 packets with routing equipment and middleboxes, and evidence exists that IPv6 packets with E
EHs are intentionally dropped in the public Internet in some circumstances. Hs are intentionally dropped in the public Internet in some circumstances.
</t> </t>
<t>This document has the following goals:
<t>This document has the following goals:
<list style="symbols">
<t>Raise awareness about the operational and security implications of IPv6 Exten
sion Headers specified in <xref target="RFC8200"/>, and present reasons why some
networks resort to intentionally dropping packets containing IPv6 Extension Hea
ders.</t>
<t>Highlight areas where current IPv6 support by networking devices maybe sub-op
timal, such that the aforementioned support is improved.</t>
<t>Highlight operational issues associated with IPv6 extension headers, such tha
t those issues are considered in IETF standardization efforts.</t>
</list>
</t> </t>
<ul spacing="normal">
<t> <li>Raise awareness about the operational and security implications of I
<xref target="background"/> provides background information about the IPv6 packe Pv6 extension headers specified in <xref target="RFC8200" format="default"/> and
t structure and associated implications. <xref target="previous-work"/> of this present reasons why some networks resort to intentionally dropping packets cont
document summarizes the previous work that has been carried out in the area of I aining IPv6 extension headers.</li>
Pv6 extension headers. <xref target="pfe-constraints"/> discusses packet forward <li>Highlight areas where current IPv6 support by networking devices may
ing engine constraints in contemporary routers. <xref target="inability"/> discu be suboptimal, such that the aforementioned support is improved.</li>
sses why intermediate systems may need to access Layer-4 information to make a f <li>Highlight operational issues associated with IPv6 extension headers,
orwarding decision. Finally, <xref target="operational-implications"/> discusses such that those issues are considered in IETF standardization efforts.</li>
the operational implications of IPv6 EHs. <!--Finally, <xref target="future-wor </ul>
k"/> suggests a possible action plan for improving the state of affairs with res <t>
pect to IPv6 extension headers. --> <xref target="background" format="default"/> of this document provides backgroun
d information about the IPv6 packet structure and associated implications. <xref
target="previous-work" format="default"/> summarizes previous work that has bee
n carried out in the area of IPv6 extension headers. <xref target="pfe-constrain
ts" format="default"/> discusses packet-forwarding engine constraints in contemp
orary routers. <xref target="inability" format="default"/> discusses why interme
diate systems may need to access Layer 4 information to make a forwarding decisi
on. Finally, <xref target="operational-implications" format="default"/> discusse
s operational implications of IPv6 EHs.
</t> </t>
</section>
</section> <section numbered="true" toc="default">
<name>Terminology</name>
<section title="Terminology"> <t>
<t> This document uses the term "intermediate system" to describe both routers and m
This document uses the term "intermediate system" to describe both routers and m iddleboxes when there is no need to distinguish between the two and where the im
iddle-boxes, when there is no need to distinguish between the two and where the portant issue is that the device being discussed forwards packets.</t>
important issue is that the device being discussed forwards packets.</t> </section>
</section> <section anchor="disclaimer" numbered="true" toc="default">
<name>Disclaimer</name>
<section title="Disclaimer" anchor="disclaimer"> <t>This document analyzes the operational challenges represented by packet
<t>This document analyzes the operational challenges represented by packets that s that employ IPv6 extension headers and documents some of the operational reaso
employ IPv6 Extension Headers, and documents some of the operational reasons wh ns why these packets are often dropped in the public Internet. This document is
y these packets are often dropped in the public Internet. This document is not a not a recommendation to drop such packets, but rather an analysis of why they ar
recommendation to drop such packets, but rather an analysis of why they are cur e currently dropped.
rently dropped.
</t> </t>
</section> </section>
<section anchor="background" numbered="true" toc="default">
<section title="Background Information" anchor="background"> <name>Background Information</name>
<t> <t>
It is useful to compare the basic structure of IPv6 packets against that of IPv4 It is useful to compare the basic structure of IPv6 packets against that of IPv4
packets, and analyze the implications of the two different packet structures. packets and analyze the implications of the two different packet structures.
</t> </t>
<t> <t>
IPv4 packets have a variable-length header size, that allows for the IPv4 packets have a variable-length header size that allows for the
use of IPv4 "options" -- optional information that may be of use by use of IPv4 "options" -- optional information that may be of use to
nodes processing IPv4 packets. The IPv4 header length is specified nodes processing IPv4 packets. The IPv4 header length is specified
in the IHL header field of the mandatory IPv4 header, and must be in in the "Internet Header Length" (IHL) field of the mandatory IPv4 header and
the range from 20 octets (the minimum IPv4 header size) to 60 octets must be in
(accommodating at most 40 octets of options). The upper-layer protocol type the range of 20 octets (the minimum IPv4 header size) to 60 octets, accommod
is specified via the "Protocol" field of the mandatory IPv4 header. ating at most 40 octets of options. The upper-layer protocol type is specified v
ia the "Protocol" field of the mandatory IPv4 header.
</t> </t>
<figure anchor="ipv4-packet">
<t> <name>IPv4 Packet Structure</name>
<figure title="IPv4 Packet Structure" anchor="ipv4-packet"><artwork><![CDATA[ <artwork name="" type="" align="left" alt=""><![CDATA[
Protocol, IHL Protocol, IHL
+--------+ +--------+
| | | |
| v | v
+------//-----+------------------------+ +------//-----+------------------------+
| | | | | |
| IPv4 | Upper-Layer | | IPv4 | Upper-Layer |
| Header | Protocol | | Header | Protocol |
| | | | | |
+-----//------+------------------------+ +-----//------+------------------------+
variable length variable length
<-------------> <------------->
]]></artwork></figure> ]]></artwork>
</t> </figure>
<t>
<t> IPv6 took a different approach to the IPv6 packet structure. Rather than employi
IPv6 took a different approach to the IPv6 packet structure. Rather than employi ng a variable-length header as IPv4 does, IPv6 employs a packet structure simila
ng a variable-length header as IPv4 does, IPv6 employs a linked-list-like packet r to a linked list, where a mandatory fixed-length IPv6 header is followed by an
structure, where a mandatory fixed-length IPv6 header is followed by an arbitra arbitrary number of optional extension headers, with the upper-layer header bei
ry number of optional extension headers, with the upper-layer header being the l ng the last header in the IPv6 header chain. Each extension header typically spe
ast header in the IPv6 header chain. Each extension header typically specifies i cifies its length (unless it is implicit from the extension header type) and the
ts length (unless it is implicit from the extension header type), and the "next "next header" (NH) type that follows in the IPv6 header chain.
header" type that follows in the IPv6 header chain.
</t> </t>
<figure anchor="ipv6-packet">
<t> <name>IPv6 Packet Structure</name>
<figure title="IPv6 Packet Structure" anchor="ipv6-packet"><artwork><![CDATA[ <artwork name="" type="" align="left" alt=""><![CDATA[
NH NH, EH-length NH, EH-length NH NH, EH-length NH, EH-length
+-------+ +------+ +-------+ +-------+ +------+ +-------+
| | | | | | | | | | | |
| v | v | v | v | v | v
+-------------+-------------+-//-+---------------+--------------+ +-------------+-------------+-//-+---------------+--------------+
| | | | | | | | | | | |
| IPv6 | Ext. | | Ext. | Upper-Layer | | IPv6 | Ext. | | Ext. | Upper-Layer |
| header | Header | | Header | Protocol | | header | Header | | Header | Protocol |
| | | | | | | | | | | |
+-------------+-------------+-//-+---------------+--------------+ +-------------+-------------+-//-+---------------+--------------+
fixed length variable number of EHs & length fixed length variable number of EHs & length
<------------> <--------------------------------> <------------> <-------------------------------->
]]></artwork></figure> ]]></artwork>
</t> </figure>
<t>This packet structure has the following implications:
<t>This packet structure has the following implications:
<list style="symbols">
<t><xref target="RFC8200"/> requires the entire IPv6 header chain to be containe
d in the first fragment of a packet, therefore limiting the IPv6 extension heade
r chain to the size of the path MTU.
</t>
<t>Other than the path MTU constraints, there are no other limits to the number of IPv6 EHs that may be present in a packet. Therefore, there is no upper-limit regarding "how deep into the IPv6 packet" the upper-layer may be found.
</t> </t>
<ul spacing="normal">
<t>The only way for a node to obtain the upper-layer protocol <li>
<xref target="RFC8200" format="default"/> requires the entire IPv6 hea
der chain to be contained in the first fragment of a packet, therefore limiting
the IPv6 header chain to the size of the path MTU.
</li>
<li>Other than the path MTU constraints, there are no other limits to th
e number of IPv6 EHs that may be present in a packet. Therefore, there is no upp
er limit regarding how deep into the IPv6 packet the upper-layer protocol header
may be found.
</li>
<li>The only way for a node to obtain the upper-layer protocol
type or find the upper-layer protocol header is to parse and type or find the upper-layer protocol header is to parse and
process the entire IPv6 header chain, in sequence, starting from process the entire IPv6 header chain, in sequence, starting from
the mandatory IPv6 header, until the last header in the IPv6 the mandatory IPv6 header until the last header in the IPv6
header chain is found. header chain is found.
</li>
</ul>
</section>
<section anchor="previous-work" numbered="true" toc="default">
<name>Previous Work on IPv6 Extension Headers</name>
<t>Some of the operational and security implications of IPv6 extension hea
ders have been discussed in the IETF:
</t> </t>
</list> <ul spacing="normal">
<li>
</t>
</section>
<section title="Previous Work on IPv6 Extension Headers" anchor="previous-work">
<t>Some of the operational and security implications of IPv6 Extension Headers h
ave been discussed at the IETF:
<list style="symbols">
<t><xref target="I-D.taylor-v6ops-fragdrop"/> discusses a rationale for which op
erators drop IPv6 fragments.</t>
<t> <xref target="I-D.wkumari-long-headers"/> discusses possible issues arising
from "long" IPv6 header chains.</t>
<t><xref target="I-D.kampanakis-6man-ipv6-eh-parsing"/> describes how inconsiste
ncies in the way IPv6 packets with extension headers are parsed by different imp
lementations could result in evasion of security controls, and presents guidelin
es for parsing IPv6 extension headers with the goal of providing a common and co
nsistent parsing methodology for IPv6 implementations.
</t>
<t><xref target="I-D.ietf-opsec-ipv6-eh-filtering"/> analyzes the security impli
cations of IPv6 EHs, and the operational implications of dropping packets that e
mploy IPv6 EHs and associated options.
</t>
<t><xref target="RFC7113"/> discusses how some popular RA-Guard implementations
are subject to evasion by means of IPv6 extension headers.</t>
<t><xref target="RFC8900"/> analyzes the fragility introduced by IP fragmentatio
n.</t>
</list>
</t>
<t>A number of recent RFCs have discussed issues related to IPv6 extension heade
rs, specifying updates to a previous revision of the IPv6 standard <xref target=
"RFC2460"/>, many of which have now been incorporated into the current IPv6 core
standard <xref target="RFC8200"/> or the IPv6 Node Requirements <xref target="R
FC8504"/>. Namely,
<list style="symbols">
<t><xref target="RFC5095"/> discusses the security implications of Routing Heade
r Type 0 (RTH0), and deprecates it.</t>
<t><xref target="RFC5722"/> analyzes the security implications of overlapping fr
agments, and provides recommendations in this area.</t>
<t><xref target="RFC7045"/> clarifies how intermediate nodes should deal with IP
v6 extension headers.</t>
<t><xref target="RFC7112"/> discusses the issues arising in a specific fragmenta
tion case where the IPv6 header chain is fragmented into two or more fragments (
and formally forbids such fragmentation).</t>
<t><xref target="RFC6946"/> discusses a flawed (but common) processing of the so
-called IPv6 "atomic fragments", and specified improved processing of such packe
ts.</t>
<t><xref target="RFC8021"/> deprecates the generation of IPv6 atomic fragments.<
/t>
<t><xref target="RFC8504"/> clarifies processing rules for packets with extensio
n headers, and also allows hosts to enforce limits on the number of options incl
uded in IPv6 EHs.</t>
<t><xref target="RFC7739"/> discusses the security implications of predictable f
ragment Identification values, and provides recommendations for the generation o
f these values.</t>
<t><xref target="RFC6980"/> analyzes the security implications of employing IPv6
fragmentation with Neighbor Discovery for IPv6, and formally recommends against
such usage.</t>
</list>
</t>
<t>Additionally, <xref target="RFC8200"/> has relaxed the requirement that &quot <xref target="I-D.taylor-v6ops-fragdrop" format="default"/> discusses
;all nodes examine and process the Hop-by-Hop Options header&quot; from <xref ta a rationale for which operators drop IPv6 fragments.</li>
rget="RFC2460"/>, by specifying that only nodes that have been explicitly config <li>
ured to process the Hop-by-Hop Options header are required to do so.</t> <xref target="I-D.wkumari-long-headers" format="default"/> discusses p
ossible issues arising from "long" IPv6 header chains.</li>
<li>
<xref target="I-D.kampanakis-6man-ipv6-eh-parsing" format="default"/>
describes how inconsistencies in the way IPv6 packets with extension headers are
parsed by different implementations could result in evasion of security control
s and presents guidelines for parsing IPv6 extension headers, with the goal of p
roviding a common and consistent parsing methodology for IPv6 implementations.
</li>
<li>
<xref target="I-D.ietf-opsec-ipv6-eh-filtering" format="default"/> ana
lyzes the security implications of IPv6 EHs, as well as the operational implicat
ions of dropping packets that employ IPv6 EHs and associated options.
</li>
<li>
<xref target="RFC7113" format="default"/> discusses how some popular R
outer Advertisement Guard (RA-Guard) implementations are subject to evasion by m
eans of IPv6 extension headers.</li>
<li>
<xref target="RFC8900" format="default"/> analyzes the fragility intro
duced by IP fragmentation.</li>
</ul>
<t>A number of studies have measured the extent to which packets employing IPv6 <t>A number of recent RFCs have discussed issues related to IPv6 extension
extension headers are dropped in the public Internet: headers and have specified updates to RFC 2460 <xref target="RFC2460" format="d
efault"/> (an earlier version of the IPv6 standard). Many of these updates have
now been incorporated into the current IPv6 core standard <xref target="RFC8200"
format="default"/> or the IPv6 node requirements <xref target="RFC8504" format=
"default"/>. Namely,
</t>
<list style="symbols"> <ul spacing="normal">
<t><xref target="PMTUD-Blackholes"/><!--, <xref target="Gont-IEPG88"/>, <xref ta <li>
rget="Gont-Chown-IEPG89"/>,--> and <xref target="Linkova-Gont-IEPG90"/> presente <xref target="RFC5095" format="default"/> discusses the security impli
d some preliminary measurements regarding the extent to which packet containing cations of Routing Header Type 0 (RHT0) and deprecates it.</li>
IPv6 EHs are dropped in the public Internet.</t> <li>
<t><xref target="RFC7872"/> presents more comprehensive results and documents th <xref target="RFC5722" format="default"/> analyzes the security implic
e methodology used to obtain these results.</t> ations of overlapping fragments and provides recommendations in this area.</li>
<t><xref target="Huston-2017"/> and <xref target="Huston-2020"/> measured packet <li>
drops resulting from IPv6 fragmentation when communicating with DNS servers.</t <xref target="RFC7045" format="default"/> clarifies how intermediate n
> odes should deal with IPv6 extension headers.</li>
<li>
<xref target="RFC7112" format="default"/> discusses the issues arising
in a specific fragmentation case where the IPv6 header chain is fragmented into
two or more fragments and formally forbids such fragmentation.</li>
<li>
<xref target="RFC6946" format="default"/> discusses a flawed (but comm
on) processing of the so-called IPv6 "atomic fragments" and specifies improved p
rocessing of such packets.</li>
<li>
<xref target="RFC8021" format="default"/> deprecates the generation of
IPv6 atomic fragments.</li>
<li>
<xref target="RFC8504" format="default"/> clarifies processing rules f
or packets with extension headers and also allows hosts to enforce limits on the
number of options included in IPv6 EHs.</li>
<li>
<xref target="RFC7739" format="default"/> discusses the security impli
cations of predictable fragment Identification values and provides recommendatio
ns for the generation of these values.</li>
<li>
<xref target="RFC6980" format="default"/> analyzes the security implic
ations of employing IPv6 fragmentation with Neighbor Discovery for IPv6 and form
ally recommends against such usage.</li>
</ul>
</list> <t>Additionally, <xref target="RFC8200" format="default"/> has relaxed the
requirement that "all nodes must examine and process the Hop-by-Hop Options hea
der" from <xref target="RFC2460" format="default"/>, by specifying that only nod
es that have been explicitly configured to process the Hop-by-Hop Options header
are required to do so.</t>
<t>A number of studies have measured the extent to which packets employing
IPv6 extension headers are dropped in the public Internet:
</t> </t>
</section> <ul spacing="normal">
<li>
<section title="Packet Forwarding Engine Constraints" anchor="pfe-constraints"> <xref target="PMTUD-Blackholes" format="default"/> and <xref target="L
inkova-Gont-IEPG90" format="default"/> present some preliminary measurements reg
<t> arding the extent to which packets containing IPv6 EHs are dropped in the public
Internet.</li>
<li>
<xref target="RFC7872" format="default"/> presents more comprehensive
results and documents the methodology used to obtain these results.</li>
<li>
<xref target="Huston-2017" format="default"/> and <xref target="Huston
-2020" format="default"/> measure packet drops resulting from IPv6 fragmentation
when communicating with DNS servers.</li>
</ul>
</section>
<section anchor="pfe-constraints" numbered="true" toc="default">
<name>Packet-Forwarding Engine Constraints</name>
<t>
Most contemporary carrier-grade routers use dedicated hardware, e.g. application Most contemporary carrier-grade routers use dedicated hardware, e.g., Applicatio
-specific n-Specific
integrated circuits (ASICs) or network processing units (NPUs), to determine how Integrated Circuits (ASICs) or Network Processing Units (NPUs), to determine how
to forward to forward
packets across their internal fabrics (see <xref target="IEPG94-Scudder"/> and < packets across their internal fabrics (see <xref target="IEPG94-Scudder" format=
xref target="APNIC-Scudder"/> for details). One of the "default"/> and <xref target="APNIC-Scudder" format="default"/> for details). O
common methods of handling next-hop lookup is to send a small portion of the ne common method of handling next-hop lookups is to send a small portion of the
ingress packet to a lookup engine with specialised hardware, e.g. ternary ingress packet to a lookup engine with specialized hardware, e.g., ternary
content-addressable memory (TCAM) or reduced latency dynamic random-access memor y content-addressable memory (TCAM) or reduced latency dynamic random-access memor y
(RLDRAM), to determine the packet's next-hop. Technical constraints (RLDRAM), to determine the packet's next hop. Technical constraints
mean that there is a trade-off between the amount of data sent to the lookup mean that there is a trade-off between the amount of data sent to the lookup
engine and the overall packet forwarding rate of the lookup engine. If more dat a is engine and the overall packet-forwarding rate of the lookup engine. If more dat a is
sent, the lookup engine can inspect further into the packet, but the overall sent, the lookup engine can inspect further into the packet, but the overall
packet forwarding rate of the system will be reduced. If less data is sent, the packet-forwarding rate of the system will be reduced. If less data is sent, the
overall packet forwarding rate of the router will be increased but the packet lo overall packet-forwarding rate of the router will be increased, but the packet l
okup ookup
engine may not be able to inspect far enough into a packet to determine how engine may not be able to inspect far enough into a packet to determine how
it should be handled. it should be handled.
</t> </t>
<!--
<t>
<list style="hanging">
<t hangText="NOTE:"><vspace blankLines="0"/>For example, contemporary high-end
routers can use up to 192 bytes
of header (Cisco ASR9000 Typhoon) or 384 bytes of header (Juniper MX Trio).
</t>
</list>
</t>
<t> <aside>
<list style="hanging"> <t>NOTE:</t>
<t hangText="NOTE:"><vspace blankLines="0"/>For example, some contemporary high- <t indent="3">
end routers are known to inspect up to 192 bytes, while others are known to pars For example, some contemporary high-end routers are known to inspect up to 192 b
e up to 384 bytes of header. ytes, while others are known to parse up to 384 bytes of header.
</t>
</list>
</t> </t>
</aside>
<t>If a hardware forwarding engine on a contemporary router cannot make a <t>If a hardware-forwarding engine on a contemporary router cannot make a
forwarding decision about a packet because critical information is not sent forwarding decision about a packet because critical information is not sent
to the look-up engine, then the router will normally drop the packet. <xref targ to the lookup engine, then the router will normally drop the packet. <xref targe
et="inability"/> discusses some of the reasons for which a contemporary router m t="inability" format="default"/> discusses some of the reasons for which a conte
ight need to access layer-4 information to make a forwarding decision.</t> mporary router might need to access Layer 4 information to make a forwarding dec
ision.</t>
<t> <t>
Historically, some packet forwarding engines punted packets of this form to Historically, some packet-forwarding engines punted packets of this kind to
the control plane for more in-depth analysis, but this is unfeasible on most the control plane for more in-depth analysis, but this is unfeasible on most
contemporary router architectures as a result of the vast difference between the contemporary router architectures as a result of the vast difference between the
hardware hardware-based forwarding
forwarding capacity of the router and processing capacity of the control plane a capacity of the router and the processing capacity of the control plane and the
nd the size of the management link which size of the management link that connects the control plane to the forwarding pl
connects the control plane to the forwarding plane. Other platforms may have a ane. Other platforms may have a separate software-based forwarding plane that i
separate software forwarding plane that is s
distinct both from the hardware forwarding plane and the control distinct both from the hardware-based forwarding plane and the control
plane. However, the limited CPU resources of this software-based plane. However, the limited CPU resources of this software-based
forwarding plane, as well as the limited bandwidth of the associated forwarding plane, as well as the limited bandwidth of the associated
link results in similar throughput constraints. </t> link, results in similar throughput constraints. </t>
<t>
<t>
If an IPv6 header chain is sufficiently long that it exceeds the If an IPv6 header chain is sufficiently long such that it exceeds the
packet look-up capacity of the router, the router might be unable to packet lookup capacity of the router, the router might be unable to
determine how the packet should be handled, and thus could resort to determine how the packet should be handled and thus could resort to
dropping the packet. dropping the packet.
</t> </t>
<section anchor="recirculation" numbered="true" toc="default">
<name>Recirculation</name>
<t>
<section title="Recirculation" anchor="recirculation"> Although type-length-value (TLV) chains are amenable to iterative processing on
<t> architectures
that have packet lookup engines with deep inspection capabilities, some
Although TLV chains are amenable to iterative processing on architectures packet-forwarding engines manage IPv6 header chains using
that have packet look-up engines with deep inspection capabilities, some recirculation. This approach processes extension headers one at a time:
packet forwarding engines manage IPv6 Extension Header chains using when processing on one extension header is completed, the packet is looped
recirculation. This approach processes Extension Headers one at a time:
when processing on one Extension Header is completed, the packet is looped
back through the processing engine again. This recirculation process back through the processing engine again. This recirculation process
continues repeatedly until there are no more Extension Headers left to be continues repeatedly until there are no more extension headers left to be
processed. processed.
</t> </t>
<t> <t>
Recirculation is typically used on packet forwarding engines with limited Recirculation is typically used on packet-forwarding engines with limited
look-up capability, because it allows arbitrarily long header chains to be lookup capability, because it allows arbitrarily long header chains to be
processed without the complexity and cost associated with packet forwarding processed without the complexity and cost associated with packet-forwarding
engines which have deep look-up capabilities. However, recirculation can engines, which have deep lookup capabilities. However, recirculation can
impact the forwarding capacity of hardware, as each packet will pass through impact the forwarding capacity of hardware, as each packet will pass through
the processing engine multiple times. Depending on configuration, the type the processing engine multiple times. Depending on configuration, the type
of packets being processed, and the hardware capabilities of the packet of packets being processed, and the hardware capabilities of the packet-forwardi
forwarding engine, this could impact data-plane throughput performance on the ng
router. engine, the data-plane throughput performance on the
router might be negatively affected.
</t> </t>
</section>
</section> </section>
<section anchor="inability" numbered="true" toc="default">
</section> <name>Requirement to Process Layer 3 / Layer 4 Information in Intermediate
Systems</name>
<section title="Requirement to Process Layer-3/layer-4 information in Intermedia <t>The following subsections discuss some of the reasons for which interme
te Systems" anchor="inability"> diate systems may need to process Layer 3 / Layer 4 information to make a forwar
ding decision.</t>
<t>The following subsections discuss some of the reasons for which intermediate <section anchor="ecmp-load-balancing" numbered="true" toc="default">
systems may need to process Layer-3/layer-4 information to make a forwarding dec <name>ECMP and Hash-Based Load Sharing</name>
ision.</t> <t>In the case of Equal Cost Multipath (ECMP) load sharing, the intermed
iate system
<section title="ECMP and Hash-based Load-Sharing" anchor="ecmp-load-balancing">
<t>In the case of equal cost multi-path (ECMP) load sharing, the intermediate sy
stem
needs to make a decision regarding which of its interfaces to needs to make a decision regarding which of its interfaces to
use to forward a given packet. Since round-robin usage of the links is usually use to forward a given packet. Since round-robin usage of the links is usually
avoided to prevent packet reordering, forwarding engines need to avoided to prevent packet reordering, forwarding engines need to
use a mechanism that will consistently forward the same data streams down use a mechanism that will consistently forward the same data streams down
the same forwarding paths. Most forwarding engines achieve this by the same forwarding paths. Most forwarding engines achieve this by
calculating a simple hash using an n-tuple gleaned from a combination of calculating a simple hash using an n-tuple gleaned from a combination of
layer-2 through to layer-4 packet header information. This n-tuple will Layer 2 through to Layer 4 protocol header information. This n-tuple will
typically use the src/dst MAC address, src/dst IP address, and if possible typically use the src/dst Media Access Control (MAC) addresses, src/dst IP addre
further layer-4 src/dst port information. sses, and, if possible,
further Layer 4 src/dst port information.
</t> </t>
<t>In the IPv6 world, flows are expected to be identified by means of th
<t>In the IPv6 world, flows are expected to be identified by means of the IPv6 F e IPv6 "Flow Label" <xref target="RFC6437" format="default"/>. Thus, ECMP and ha
low Label <xref target="RFC6437"/>. Thus, ECMP and Hash-based Load-Sharing shoul sh-based load sharing should be possible without the need to process the entire
d be possible without the need to process the entire IPv6 header chain to obtain IPv6 header chain to obtain upper-layer information to identify flows. <xref tar
upper-layer information to identify flows. <xref target="RFC7098"/> discusses h get="RFC7098" format="default"/> discusses how the IPv6 Flow Label can be used t
ow the IPv6 Flow Label can used to enhance layer 3/4 load distribution and balan o enhance Layer 3/4 load distribution and balancing for large server farms.
cing for large server farms.
</t> </t>
<t>Historically, many IPv6 implementations failed to set the Flow Label,
<t>Historically, many IPv6 implementations failed to set the Flow Label, and has and hash-based ECMP/load-sharing devices also did not employ the Flow Label for
h-based ECMP/load-sharing devices also did not employ the Flow Label for perform performing their task. While support of <xref target="RFC6437" format="default"
ing their task. While support of <xref target="RFC6437"/> is currently widesprea /> is currently widespread for current versions of all popular host implementati
d for current versions of all popular host implementations, there is still only ons, there is still only marginal usage of the IPv6 Flow Label for ECMP and load
marginal usage of the IPv6 Flow Label for ECMP and load balancing <xref target=" balancing <xref target="Almeida-2020" format="default"/>. A contributing factor
Cunha-2020"/>. A contributing factor could be the issues that have been found in could be the issues that have been found in host implementations and middleboxe
host implementations and middle-boxes <xref target="Jaeggli-2018"/>.</t> s <xref target="Jaeggli-2018" format="default"/>.</t>
<t>
<t> Clearly, widespread support of <xref target="RFC6437" format="default"/> would r
Clearly, widespread support of <xref target="RFC6437"/> would relieve intermedia elieve intermediate systems from having to process the entire IPv6 header chain,
te systems from having to process the entire IPv6 header chain, making Flow Labe making Flow Label-based ECMP and load sharing <xref target="RFC6438" format="de
l-based ECMP and Load-Sharing <xref target="RFC6438"/> feasible. fault"/> feasible.
</t> </t>
<t> <t>
If an intermediate system cannot determine consistent n-tuples for calculating f low hashes, data streams are more likely to end up being distributed unequally a cross ECMP and load-shared links. This may lead to packet drops or reduced perf ormance. If an intermediate system cannot determine consistent n-tuples for calculating f low hashes, data streams are more likely to end up being distributed unequally a cross ECMP and load-shared links. This may lead to packet drops or reduced perf ormance.
</t> </t>
</section> </section>
<section anchor="enforcing-infrastructure-acls" numbered="true" toc="defau
<section title="Enforcing infrastructure ACLs" anchor="enforcing-infrastructure- lt">
acls"> <name>Enforcing Infrastructure ACLs</name>
<t>Infrastructure Access Control Lists (iACLs) drop unwanted packets des
<t>Infrastructure ACLs (iACLs) drop unwanted packets destined tined
to a network's infrastructure. Typically, iACLs are deployed because external d to a network's infrastructure. Typically, iACLs are deployed because external d
irect access to a network's infrastructure addresses is operationally unnecessar irect access to a network's infrastructure addresses is operationally unnecessar
y, and can be used for attacks of different sorts against router y and can be used for attacks of different sorts against router
control planes. To this end, traffic usually needs to be differentiated on the control planes. To this end, traffic usually needs to be differentiated on the
basis of layer-3 basis of Layer 3
or layer-4 criteria to achieve a useful balance of protection and functionality. or Layer 4 criteria to achieve a useful balance of protection and functionality.
For example, an infrastructure may be configured with the following policy: For example, an infrastructure may be configured with the following policy:
<list style="symbols">
<t>Permit some amount of ICMP echo (ping) traffic towards a router's
addresses for troubleshooting.</t>
<t>Permit BGP sessions on the shared network of an exchange point (potentially
differentiating between the amount of packets/seconds permitted for established
sessions and connection establishment), but do not permit other traffic from the
same peer IP addresses.</t>
</list>
</t> </t>
<t> <ul spacing="normal">
<li>Permit some amount of ICMP echo (ping) traffic towards a router's
addresses for troubleshooting.</li>
<li>Permit BGP sessions on the shared network of an exchange point (po
tentially differentiating between the amount of packets/second permitted for est
ablished sessions and for connection establishment), but do not permit other tra
ffic from the same peer IP addresses.</li>
</ul>
<t>
If a forwarding router cannot determine consistent n-tuples for calculating flow hashes, data streams are more likely to end up being distributed unequally acro ss ECMP and load-shared links. This may lead to packet drops or reduced perform ance. If a forwarding router cannot determine consistent n-tuples for calculating flow hashes, data streams are more likely to end up being distributed unequally acro ss ECMP and load-shared links. This may lead to packet drops or reduced perform ance.
</t> </t>
<t> <t>
If a network cannot deploy infrastructure ACLs, then the security of the network If a network cannot deploy infrastructure ACLs, then the security of the network
may be compromised due to having more potential attack vectors open. may be compromised as a result of the increased attack surface.
</t> </t>
</section> </section>
<section anchor="ddos-management" numbered="true" toc="default">
<section title="DDoS Management and Customer Requests for Filtering" anchor="ddo <name>DDoS Management and Customer Requests for Filtering</name>
s-management"> <t>The case of customer Distributed Denial-of-Service (DDoS) protection
<t>The case of customer DDoS protection and edge-to-core customer protection and edge-to-core customer protection
filters is similar in nature to the iACL protection. Similar filters is similar in nature to the iACL protection. Similar
to iACL protection, layer-4 ACLs generally need to be applied as close to the to iACL protection, Layer 4 ACLs generally need to be applied as close to the
edge of the network as possible, even though the intent is usually to protect th e edge of the network as possible, even though the intent is usually to protect th e
customer edge rather than the provider core. Application of layer-4 DDoS protec customer edge rather than the provider core. Application of Layer 4 DDoS protec
tion tion
to a network edge is often automated using Flowspec <xref target="RFC8955"/> <xr to a network edge is often automated using BGP Flowspec <xref target="RFC8955" f
ef target="RFC8956"/>. ormat="default"/> <xref target="RFC8956" format="default"/>.
</t> </t>
<t>For example, a website that normally only handles traffic on TCP port
<t>For example, a web site that normally only handled traffic on TCP ports s
80 and 443 could be subject to a volumetric DDoS attack using NTP and DNS 80 and 443 could be subject to a volumetric DDoS attack using NTP and DNS
packets with randomised source IP address, thereby rendering packets with a randomized source IP address, thereby rendering
traditional <xref target="RFC5635"/> source-based real-time black hole source-based remote triggered black hole <xref target="RFC5635"/>
mechanisms useless. In this situation, DDoS protection ACLs could be configured mechanisms useless. In this situation, ACLs that provide DDoS protection could
to be configured to
block all UDP traffic at the network edge without impairing the web server block all UDP traffic at the network edge without impairing the web server
functionality in any way. Thus, being able to block arbitrary functionality in any way. Thus, being able to block arbitrary
protocols at the network edge can avoid DDoS-related problems both in the provid er protocols at the network edge can avoid DDoS-related problems both in the provid er
network and on the customer edge link. network and on the customer edge link.
</t> </t>
</section> </section>
<section anchor="nids" numbered="true" toc="default">
<name>Network Intrusion Detection and Prevention</name>
<section title="Network Intrusion Detection and Prevention" anchor="nids"> <t>Network Intrusion Detection Systems (NIDS) examine network traffic an
<t>Network Intrusion Detection Systems (NIDS) examine network traffic and try to d try to identify traffic patterns that can be correlated to network-based attac
identify traffic patterns that can be correlated to network-based attacks. Thes ks. These systems generally attempt to inspect application-layer traffic (if pos
e systems generally inspect application-layer traffic (if possible), but at the sible) but, at the bare minimum, inspect Layer 4 flows. When attack activity is
bare minimum inspect layer-4 flows. When attack activity is inferred, the operat inferred, the operator is notified of the potential intrusion attempt.
or is notified of the potential intrusion attempt.
</t> </t>
<t>Network Intrusion Prevention Systems (IPS) operate similarly to NIDS's, but t <t>Network Intrusion Prevention Systems (IPS) operate similarly to NIDSs
hey can also prevent intrusions by reacting to detected attack attempts by e.g., , but they can also prevent intrusions by reacting to detected attack attempts b
triggering packet filtering policies at firewalls and other devices.</t> y e.g., triggering packet filtering policies at firewalls and other devices.</t>
<t>Use of extension headers can be problematic for NIDS/IPS, since:
<t>Use of extension headers can be problematic for NIDS/IPS, since:
<list style="symbols">
<t>Extension headers increase the complexity of resulting traffic, and the assoc
iated work and system requirements to process it.</t>
<t>Use of unknown extension headers can prevent an NIDS/IPS from processing laye
r-4 information.</t>
<t>Use of IPv6 fragmentation requires a stateful fragment-reassembly operation,
even for decoy traffic employing forged source addresses (see e.g., <xref target
="nmap"/>).</t>
</list>
</t> </t>
<ul spacing="normal">
<t>As a result, in order to increase the efficiency or effectiveness of these sy <li>Extension headers increase the complexity of resulting traffic and
stems, packets employing IPv6 extension headers are often dropped at the network the associated work and system requirements to process it.</li>
ingress point(s) of networks that deploy these systems.</t> <li>Use of unknown extension headers can prevent a NIDS or IPS from pr
ocessing Layer 4 information.</li>
</section> <li>Use of IPv6 fragmentation requires a stateful fragment-reassembly
operation, even for decoy traffic employing forged source addresses (see, e.g.,
<section title="Firewalling" anchor="firewalls"> <xref target="nmap" format="default"/>).</li>
<t>Firewalls enforce security policies by means of packet filtering. These syste </ul>
ms usually inspect layer-3 and layer-4 traffic, but can often also examine appli <t>As a result, in order to increase the efficiency or effectiveness of
cation-layer traffic flows.</t> these systems, packets employing IPv6 extension headers are often dropped at the
network ingress point(s) of networks that deploy these systems.</t>
<t>As with NIDS/IPS (<xref target="nids"/>), use of IPv6 extension headers can r </section>
epresent a challenge to network firewalls, since: <section anchor="firewalls" numbered="true" toc="default">
<list style="symbols"> <name>Firewalling</name>
<t>Extension headers increase the complexity of resulting traffic, and the assoc <t>Firewalls enforce security policies by means of packet filtering. The
iated work and system requirements to process it, as outlined in <xref target="Z se systems usually inspect Layer 3 and Layer 4 traffic but can often also examin
ack-FW-Benchmark"/>.</t> e application-layer traffic flows.</t>
<t>Use of unknown extension headers can prevent firewalls from processing layer- <t>As with a NIDS or IPS (<xref target="nids" format="default"/>), use o
4 information.</t> f IPv6 extension headers can represent a challenge to network firewalls, since:
<t>Use of IPv6 fragmentation requires a stateful fragment-reassembly operation,
even for decoy traffic employing forged source addresses (see e.g., <xref target
="nmap"/>).</t>
</list>
</t> </t>
<ul spacing="normal">
<t>Additionally, a common firewall filtering policy is the so-called &quot;defau <li>Extension headers increase the complexity of resulting traffic and
lt deny&quot;, where all traffic is blocked (by default), and only expected traf the associated work and system requirements to process it, as outlined in <xref
fic is added to an "allow/accept list".</t> target="Zack-FW-Benchmark" format="default"/>.</li>
<li>Use of unknown extension headers can prevent firewalls from proces
<t>As a result, packets employing IPv6 extension headers are often sing Layer 4 information.</li>
<li>Use of IPv6 fragmentation requires a stateful fragment-reassembly
operation, even for decoy traffic employing forged source addresses (see, e.g.,
<xref target="nmap" format="default"/>).</li>
</ul>
<t>Additionally, a common firewall filtering policy is the so-called "de
fault deny", where all traffic is blocked (by default), and only expected traffi
c is added to an "allow/accept list".</t>
<t>As a result, packets employing IPv6 extension headers are often
dropped by network firewalls, either because of the challenges dropped by network firewalls, either because of the challenges
represented by extension headers or because the use of IPv6 extension represented by extension headers or because the use of IPv6 extension
headers has not been explicitly allowed.</t> headers has not been explicitly allowed.</t>
<t>Note that although the data presented in <xref target="Zack-FW-Benchmark"/> w <t>Note that although the data presented in <xref target="Zack-FW-Benchm
ere several years old at the time of publication of this document, many contempo ark" format="default"/> was several years old at the time of publication of this
rary firewalls use comparable hardware and software architecture, and consequent document, many contemporary firewalls use comparable hardware and software arch
ly the conclusions of this benchmark are still relevant, despite its age.</t> itectures; consequently, the conclusions of this benchmark are still relevant, d
</section> espite its age.</t>
</section>
</section> </section>
<section anchor="operational-implications" numbered="true" toc="default">
<section title="Operational and Security Implications" anchor="operational-impli <name>Operational and Security Implications</name>
cations">
<!--
[fgont] Isn't this already discussed in the "ddos-management" section?
<t>FIXME: Implementation of edge-to-core customer sanitisation filters</t>
<section title="Inability to Find Layer-4 Information" anchor="inability-layer-4 <section anchor="inability-layer-4-info" numbered="true" toc="default">
-info"> <name>Inability to Find Layer 4 Information</name>
<t>As discussed in <xref target="inability"/>, intermediate systems that need to <t>As discussed in <xref target="inability" format="default"/>, intermed
find the layer-4 header must process the entire IPv6 extension header chain. W iate systems that need to find the Layer 4 header must process the entire IPv6 h
hen such devices are unable to obtain the required information, the forwarding d eader chain. When such devices are unable to obtain the required information, t
evice has the option to drop the packet unconditionally, forward the packet unco he forwarding device has the option to drop the packet unconditionally, forward
nditionally, or process the packet outside the normal forwarding path. Forwardi the packet unconditionally, or process the packet outside the normal forwarding
ng packets unconditionally will usually allow for the circumvention of security path. Forwarding packets unconditionally will usually allow for the circumventi
controls (see e.g., <xref target="firewalls"/>), while processing packets outsid on of security controls (see, e.g., <xref target="firewalls" format="default"/>)
e of the normal forwarding path will usually open the door to DoS attacks (see e , while processing packets outside of the normal forwarding path will usually op
.g., <xref target="pfe-constraints"/>). Thus, in these scenarios, devices often en the door to Denial-of-Service (DoS) attacks (see, e.g., <xref target="pfe-con
simply resort to dropping such packets unconditionally. straints" format="default"/>). Thus, in these scenarios, devices often simply re
sort to dropping such packets unconditionally.
</t> </t>
</section> </section>
<section anchor="route-processor-protection" numbered="true" toc="default"
<section title="Route-Processor Protection" anchor="route-processor-protection"> >
<t>Most contemporary carrier-grade routers have a fast hardware-assisted forward <name>Route-Processor Protection</name>
ing plane <t>Most contemporary carrier-grade routers have a fast hardware-assisted
forwarding plane
and a loosely coupled control plane, connected together with a link that and a loosely coupled control plane, connected together with a link that
has much less capacity than the forwarding plane could handle. Traffic has much less capacity than the forwarding plane could handle. Traffic
differentiation cannot be performed by the control plane, because this would differentiation cannot be performed by the control plane because this would
overload the internal link connecting the forwarding plane to the control overload the internal link connecting the forwarding plane to the control
plane. plane.
</t> </t>
<t>The Hop-by-Hop Options header has been particularly challenging since
<t>The Hop-by-Hop Options header has been particularly challenging since in most , in most circumstances, the corresponding packet is punted to the control plane
circumstances, the corresponding packet is punted to the control plane for proc for processing. As a result, many operators drop IPv6 packets containing this e
essing. As a result, many operators drop IPv6 packets containing this extension xtension header <xref target="RFC7872" format="default"/>. <xref target="RFC6192
header <xref target="RFC7872"/>. <xref target="RFC6192"/> provides advice regard " format="default"/> provides advice regarding protection of a router's control
ing protection of a router's control plane.</t> plane.</t>
</section> </section>
<section anchor="finer-grained" numbered="true" toc="default">
<section title="Inability to Perform Fine-grained Filtering" anchor="finer-grain <name>Inability to Perform Fine-Grained Filtering</name>
ed"> <t>Some intermediate systems do not have support for fine-grained filter
ing of IPv6 extension headers. For example, an operator that wishes to drop pack
<t>Some intermediate systems do not have support for fine-grained filtering of I ets containing RHT0 may only be able to filter on the extension header type (Rou
Pv6 extension headers. For example, an operator that wishes to drop packets cont ting Header). This could result in an operator enforcing a coarser filtering pol
aining Routing Header Type 0 (RHT0), may only be able to filter on the extension icy (e.g., "drop all packets containing a Routing Header" vs. "only drop packets
header type (Routing Header). This could result in an operator enforcing a more that contain a Routing Header Type 0").
coarse filtering policy (e.g., "drop all packets containing a Routing Header" v
s. "only drop packets that contain a Routing Header Type 0").
</t>
<!--
<t>Some router implementations lack fine-grained filtering of IPv6 extension hea
ders. For example, an operator may want to drop packets containing Routing Heade
r Type 0 (RHT0) but may only be able to filter on the extension header type (Rou
ting Header). As a result, the operator may end up enforcing a more coarse filte
ring policy (e.g., "drop all packets containing a Routing Header" vs. "only drop
packets that contain a Routing Header Type 0").
</t>
</section>
<section title="Security Concerns Associated with IPv6 Extension Headers" anchor
="security-implications">
<t>The security implications of IPv6 Extension Headers generally fall into one o
r more of these categories:
<list style="symbols">
<t>Evasion of security controls</t>
<t>DoS due to processing requirements</t>
<t>DoS due to implementation errors</t>
<t>Extension Header-specific issues</t>
</list>
</t> </t>
<!-- IPv4 packets that contain limited space for IPv4 options and an "Internet H eader Length" (IHL) field where the upper-layer protocols c -->
<t>Unlike IPv4 packets where the upper-layer protocol can be trivially found by </section>
means of the "IHL" ("Internet Header Length") IPv4 header field, the structure o <section anchor="security-implications" numbered="true" toc="default">
f IPv6 packets is more flexible and complex. This can represent a challenge for <name>Security Concerns Associated with IPv6 Extension Headers</name>
devices that need to find this information, since locating upper-layer protocol <t>The security implications of IPv6 extension headers generally fall in
information requires that all IPv6 extension headers be examined. In turn, this to one or more of these categories:
presents implementation difficulties, since some packet filtering mechanisms th
at require upper-layer information (even if just the upper layer protocol type)
can be trivially circumvented by inserting IPv6 Extension Headers between the ma
in IPv6 header and the upper layer protocol. <xref target="RFC7113"/> describes
this issue for the RA-Guard case, but the same techniques could be employed to c
ircumvent other IPv6 firewall and packet filtering mechanisms. Additionally, im
plementation inconsistencies in packet forwarding engines can result in evasion
of security controls <xref target="I-D.kampanakis-6man-ipv6-eh-parsing"/> <xref
target="Atlasis2014"/> <xref target="BH-EU-2014"/>.
</t> </t>
<ul spacing="normal">
<li>Evasion of security controls</li>
<li>DoS due to processing requirements</li>
<li>DoS due to implementation errors</li>
<li>Issues specific to the extension header type</li>
</ul>
<t>Sometimes packets with IPv6 Extension Headers can impact throughput performan <t>Unlike IPv4 packets where the upper-layer protocol can be trivially found by
ce on intermediate systems. Unless appropriate mitigations are put in place (e.g means of the IHL field of the IPv4 header, the structure of IPv6 packets is more
., packet dropping and/or rate-limiting), an attacker could simply send a large flexible and complex. This can represent a challenge for devices that need to
amount of IPv6 traffic employing IPv6 Extension Headers with the purpose of perf find this information, since locating upper-layer protocol information requires
orming a Denial of Service (DoS) attack (see <xref target="recirculation"/> and that all IPv6 extension headers be examined. In turn, this presents implementati
<xref target="operational-implications"/> for further details). on difficulties, since some packet-filtering mechanisms that require upper-layer
<list style="hanging"> information (even if just the upper-layer protocol type) can be trivially circu
<t hangText="NOTE:"><vspace blankLines="0"/>In the most trivial case, a packet t mvented by inserting IPv6 extension headers between the main IPv6 header and the
hat includes a Hop-by-Hop Options header might go through the slow forwarding pa upper-layer protocol header. <xref target="RFC7113" format="default"/> describe
th, to be processed by the router's CPU. Alternatively, a router configured to e s this issue for the RA-Guard case, but the same techniques could be employed to
nforce an ACL based on upper-layer information (e.g., upper layer protocol or TC circumvent other IPv6 firewall and packet-filtering mechanisms. Additionally,
P Destination Port) may need to process the entire IPv6 header chain in order to implementation inconsistencies in packet-forwarding engines can result in evasio
find the required information, thereby causing the packet to be processed in th n of security controls <xref target="I-D.kampanakis-6man-ipv6-eh-parsing" format
e slow path <xref target="Cisco-EH-Cons"/>. We note that, for obvious reasons, t ="default"/> <xref target="Atlasis2014" format="default"/> <xref target="BH-EU-2
he aforementioned performance issues can affect other devices such as firewalls, 014" format="default"/>.
Network Intrusion Detection Systems (NIDS), etc. <xref target="Zack-FW-Benchmar
k"/>. The extent to which performance is affected on these devices is implementa
tion-dependent.
</t> </t>
</list> <t>Sometimes, packets with IPv6 extension headers can impact throughput performance on intermediate systems. Unless appropriate mitigations are put in p lace (e.g., packet dropping and/or rate limiting), an attacker could simply send a large amount of IPv6 traffic employing IPv6 extension headers with the purpos e of performing a DoS attack (see Sections <xref target="recirculation" format=" counter"/> and <xref target="operational-implications" format="counter"/> for fu rther details). The extent to which performance is affected on these devices is implementation dependent.
</t> </t>
<t>IPv6 implementations, like all other software, tend to mature with time and w <aside>
ide-scale deployment. While the IPv6 protocol itself has existed for over 20 yea <t>NOTE:</t>
rs, serious bugs related to IPv6 Extension Header processing continue to be disc <t indent="3">
overed (see e.g., <xref target="Cisco-Frag"/>, <xref target="Microsoft-SA"/>, an In the most trivial case, a packet that includes a Hop-by-Hop Options header mig
d <xref target="FreeBSD-SA"/>). Because there is currently little operational r ht go through the slow forwarding path, to be processed by the router's CPU. Alt
eliance on IPv6 Extension headers, the corresponding code paths are rarely exerc ernatively, a router configured to enforce an ACL based on upper-layer informati
ised, and there is the potential for bugs that still remain to be discovered in on (e.g., upper-layer protocol type or TCP Destination Port) may need to process
some implementations.</t> the entire IPv6 header chain in order to find the required information, thereby
causing the packet to be processed in the slow path <xref target="Cisco-EH-Cons
<t>IPv6 Fragment Headers are employed to allow fragmentation of IPv6 packets. Wh " format="default"/>. We note that, for obvious reasons, the aforementioned perf
ile many of the security implications of the fragmentation / reassembly mechanis ormance issues can affect devices such as firewalls, NIDSs, etc. <xref target="Z
m are known from the IPv4 world, several related issues have crept into IPv6 imp ack-FW-Benchmark" format="default"/>.
lementations. These range from denial of service attacks to information leakage,
as discussed in <xref target="RFC7739"/>, <xref target="Bonica-NANOG58"/> and <
xref target="Atlasis2012"/>).
</t> </t>
</section> </aside>
</section>
<section title="IANA Considerations" anchor="iana-cons"> <t>IPv6 implementations, like all other software, tend to mature with ti
<t>This document has no IANA actions. me and wide-scale deployment. While the IPv6 protocol itself has existed for ove
r 20 years, serious bugs related to IPv6 extension header processing continue to
be discovered (see, e.g., <xref target="Cisco-Frag" format="default"/>, <xref t
arget="Microsoft-SA" format="default"/>, and <xref target="FreeBSD-SA" format="d
efault"/>). Because there is currently little operational reliance on IPv6 exte
nsion headers, the corresponding code paths are rarely exercised, and there is t
he potential for bugs that still remain to be discovered in some implementations
.</t>
<t>The IPv6 Fragment Header is employed for the fragmentation and reasse
mbly of IPv6 packets. While many of the security implications of the fragmentati
on/reassembly mechanism are known from the IPv4 world, several related issues ha
ve crept into IPv6 implementations. These range from DoS attacks to information
leakages, as discussed in <xref target="RFC7739" format="default"/>, <xref targe
t="Bonica-NANOG58" format="default"/>, and <xref target="Atlasis2012" format="de
fault"/>.
</t> </t>
</section> </section>
</section>
<section title="Security Considerations"> <section anchor="iana-cons" numbered="true" toc="default">
<name>IANA Considerations</name>
<t>The security implications of IPv6 extension headers are discussed in <xref ta <t>This document has no IANA actions.
rget="security-implications"/>. This document does not introduce any new securi
ty issues.
</t> </t>
</section> </section>
<section numbered="true" toc="default">
<section title="Acknowledgements"> <name>Security Considerations</name>
<t>The authors would like to thank (in alphabetical order) Mikael Abrahamsson, F <t>The security implications of IPv6 extension headers are discussed in <x
red Baker, Dale W. Carder, Brian Carpenter, Tim Chown, Owen DeLong, Gorry Fairhu ref target="security-implications" format="default"/>. This document does not i
rst, Guillermo Gont, Tom Herbert, Lee Howard, Tom Petch, Sander Steffann, Eduard ntroduce any new security issues.
Vasilenko, Eric Vyncke, Rob Wilton, Jingrong Xie, and Andrew Yourtchenko, for p </t>
roviding valuable comments on earlier versions of this document. </t>
<t>Fernando Gont would like to thank Jan Zorz / Go6 Lab &lt;https://go6lab.si/&g
t;, Jared Mauch, and Sander Steffann &lt;https://steffann.nl/&gt;, for providing
access to systems and networks that were employed to perform experiments and me
asurements involving packets with IPv6 Extension Headers.</t>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.ietf-opsec-ipv6-eh-filtering" to="IPV6-EH"/>
<displayreference target="I-D.kampanakis-6man-ipv6-eh-parsing" to="PARSING"/>
<displayreference target="I-D.taylor-v6ops-fragdrop" to="OPERATORS"/>
<displayreference target="I-D.wkumari-long-headers" to="HEADERS"/>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6946.xml"/>
<references title='Normative References'> <xi:include
<?rfc include="reference.RFC.6946" ?> href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5095.xml"/>
<?rfc include="reference.RFC.5095" ?>
<?rfc include="reference.RFC.5722" ?>
<?rfc include="reference.RFC.7112" ?>
<?rfc include="reference.RFC.8021" ?>
<?rfc include="reference.RFC.8200" ?>
<?rfc include="reference.RFC.8504" ?>
<?rfc include="reference.RFC.6980" ?>
</references>
<references title='Informative References'>
<?rfc include="reference.RFC.2460" ?>
<?rfc include="reference.RFC.5635" ?>
<?rfc include="reference.RFC.6192" ?>
<?rfc include="reference.RFC.6437" ?>
<?rfc include="reference.RFC.6438" ?>
<?rfc include="reference.RFC.7098" ?>
<?rfc include="reference.RFC.7045" ?> <xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5722.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7112.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8021.xml"/>
<?rfc include="reference.RFC.7113" ?> <xi:include
<?rfc include="reference.I-D.taylor-v6ops-fragdrop" ?> href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8200.xml"/>
<?rfc include="reference.I-D.wkumari-long-headers" ?> <xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8504.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6980.xml"/>
</references>
<references>
<name>Informative References</name>
<?rfc include="reference.I-D.kampanakis-6man-ipv6-eh-parsing" ?> <xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2460.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5635.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6192.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6437.xml"/>
<?rfc include="reference.RFC.7739" ?> <xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6438.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7098.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7045.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7113.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7739.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7872.xml"/>
<?rfc include="reference.RFC.7872" ?> <xi:include
<?rfc include="reference.I-D.ietf-opsec-ipv6-eh-filtering" ?> href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8900.xml"/>
<?rfc include="reference.RFC.8900" ?> <xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8955.xml"/>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8956.xml"/>
<?rfc include="reference.RFC.8955" ?> <reference anchor='I-D.ietf-opsec-ipv6-eh-filtering'>
<?rfc include="reference.RFC.8956" ?> <front>
<title>Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extensio
n Headers at Transit Routers</title>
<author initials='F' surname='Gont' fullname='Fernando Gont'>
<organization />
</author>
<author initials='W' surname='Liu' fullname='Will Liu'>
<organization />
</author>
<date year='2021' month='June' day='3' />
</front>
<seriesInfo name='Internet-Draft' value='draft-ietf-opsec-ipv6-eh-filtering-08'/
>
<format type='TXT' target='https://www.ietf.org/internet-drafts/draft-ietf-opsec
-ipv6-eh-filtering-08.txt'/>
</reference>
<reference anchor="Atlasis2014" target="http://www.insinuator.net/2014/05/a- <reference anchor='I-D.taylor-v6ops-fragdrop'>
novel-way-of-abusing-ipv6-extension-headers-to-evade-ipv6-security-devices/"> <front>
<front> <title>Why Operators Filter Fragments and What It Implies</title>
<title>A Novel Way of Abusing IPv6 Extension Headers to Evade IPv6 Security De
vices</title>
<author initials="A.A." surname="Atlasis" fullname="Antonios Atlasis">
<organization></organization>
</author>
<date month="May" year="2014"/>
</front>
</reference> <author initials='J' surname='Jaeggli' fullname='Joel Jaeggli'>
<organization />
</author>
<reference anchor="nmap" target="https://nmap.org/book/man-bypass-firewalls- <author initials='L' surname='Colitti' fullname='Lorenzo Colitti'>
ids.html"> <organization />
<front> </author>
<title>Dealing with IPv6 fragmentation in the DNS</title>
<author fullname="Fyodor" initials="" surname="Fyodor">
</author> <author initials='W' surname='Kumari' fullname='Warren Kumari'>
<date/> <organization />
</front> </author>
<seriesInfo name="" value="Firewall/IDS Evasion and Spoofing"/>
</reference>
<reference anchor="Huston-2017" target="https://blog.apnic.net/2017/08/22/de <author initials='E' surname='Vyncke' fullname='Eric Vyncke'>
aling-ipv6-fragmentation-dns/"> <organization />
<front> </author>
<title>Dealing with IPv6 fragmentation in the DNS</title>
<author fullname="Geoff Huston" initials="G." surname="Huston">
<organization abbrev="APNIC"/>
<address> <author initials='M' surname='Kaeo' fullname='Merike Kaeo'>
<email>gih@apnic.net</email> <organization />
<uri>http://www.apnic.net</uri> </author>
</address>
</author>
<date year="2017"/>
</front>
<seriesInfo name="" value="APNIC Blog"/>
</reference>
<reference anchor="Huston-2020" target="https://www.cmand.org/workshops/2020 <author initials='T' surname='Taylor' fullname='Tom Taylor' role="editor">
06-v6/slides/2020-06-16-xtn-hdrs.pdf"> <organization />
<front> </author>
<title>Measurement of IPv6 Extension Header Support</title>
<author fullname="Geoff Huston" initials="G." surname="Huston">
<organization abbrev="APNIC"/>
<address> <date month='December' day='3' year='2013' />
<email>gih@apnic.net</email> </front>
<uri>http://www.apnic.net</uri>
</address>
</author>
<date year="2020"/>
</front>
<seriesInfo name="" value="NPS/CAIDA 2020 Virtual IPv6 Workshop"/
>
</reference>
<reference anchor="Jaeggli-2018" target="https://blog.apnic.net/2018/01/11/i <seriesInfo name='Internet-Draft' value='draft-taylor-v6ops-fragdrop-02' />
pv6-flow-label-misuse-hashing/"> <format type='TXT'
<front> target='http://www.ietf.org/internet-drafts/draft-taylor-v6ops-fragdrop-
<title>IPv6 flow label: misuse in hashing</title> 02.txt' />
<author fullname="Joel Jaeggli" initials="J." surname="Jaeggli"> </reference>
</author>
<date year="2018"/>
</front>
<seriesInfo name="" value="APNIC Blog"/>
</reference>
<reference anchor="Cunha-2020" target="https://www.cmand.org/workshops/20200 <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.wkumari
6-v6/slides/cunha.pdf"> -long-headers.xml"/>
<front>
<title>IPv4 vs IPv6 load balancing in Internet routes</title>
<author fullname="Italo Cunha" initials="I." surname="Cunha">
<organization abbrev="UFMG"/>
</author> <reference anchor='I-D.kampanakis-6man-ipv6-eh-parsing'>
<front>
<title>Implementation Guidelines for Parsing IPv6 Extension Headers</title>
<author initials='P' surname='Kampanakis' fullname='Panos Kampanakis'>
<organization />
</author>
<date month='August' day='5' year='2014' />
</front>
<seriesInfo name='Internet-Draft' value='draft-kampanakis-6man-ipv6-eh-parsing-0
1' />
<format type='TXT'
target='http://www.ietf.org/internet-drafts/draft-kampanakis-6man-ipv6-e
h-parsing-01.txt' />
</reference>
<date year="2020"/> <reference anchor="Atlasis2014" target="http://www.insinuator.net/2014/0
</front> 5/a-novel-way-of-abusing-ipv6-extension-headers-to-evade-ipv6-security-devices/"
<seriesInfo name="" value="NPS/CAIDA 2020 Virtual IPv6 Workshop"/ >
> <front>
</reference> <title>A Novel Way of Abusing IPv6 Extension Headers to Evade IPv6 S
ecurity Devices</title>
<author initials="A." surname="Atlasis" fullname="Antonios Atlasis">
<organization/>
</author>
<date month="May" year="2014"/>
</front>
</reference>
<reference anchor="BH-EU-2014" target="https://www.ernw.de/download/eu-14-At <reference anchor="nmap" target="https://nmap.org/book/man-bypass-firewa
lasis-Rey-Schaefer-briefings-Evasion-of-HighEnd-IPS-Devices-wp.pdf"> lls-ids.html">
<front> <front>
<title>Evasion of High-End IDPS Devices at the IPv6 Era</title> <title>Firewall/IDS Evasion and Spoofing</title>
<author initials="A.a." surname="Atlasis" fullname="Antonios Atlasis"> <author fullname="Gordon 'Fyodor' Lyon" initials="G." surname="Lyon"
<organization></organization> >
</author> </author>
<author initials="E.R." surname="Rey" fullname="Enno Rey"> <date/>
<organization></organization> </front>
</author> <refcontent>Chapter 15. Nmap Reference Guide</refcontent>
<author initials="R.S." surname="Schaefer" fullname="Rafael Schaefer"> </reference>
<organization></organization>
</author>
<date year="2014"/> <reference anchor="Huston-2017" target="https://blog.apnic.net/2017/08/2
</front> 2/dealing-ipv6-fragmentation-dns/">
<seriesInfo name="" value="BlackHat Europe 2014"/> <front>
</reference> <title>Dealing with IPv6 fragmentation in the DNS</title>
<author fullname="Geoff Huston" initials="G." surname="Huston">
<organization abbrev="APNIC"/>
</author>
<date year="2017" month="August"/>
</front>
<refcontent>APNIC Blog</refcontent>
</reference>
<reference anchor="Atlasis2012" target="https://media.blackhat.com/bh-eu-12/ <reference anchor="Huston-2020" target="https://www.cmand.org/workshops/
Atlasis/bh-eu-12-Atlasis-Attacking_IPv6-Slides.pdf"> 202006-v6/slides/2020-06-16-xtn-hdrs.pdf">
<front> <front>
<title>Attacking IPv6 Implementation Using Fragmentation</title> <title>Measurement of IPv6 Extension Header Support</title>
<author initials="A.A." surname="Atlasis" fullname="Antonios Atlasis"> <author fullname="Geoff Huston" initials="G." surname="Huston">
<organization></organization> <organization abbrev="APNIC"/>
</author> </author>
<date year=""/> <date year="2020" month="June"/>
</front> </front>
<seriesInfo name="" value="BlackHat Europe 2012. Amsterdam, Nethe <refcontent>NPS/CAIDA 2020 Virtual IPv6 Workshop</refcontent>
rlands. March 14-16, 2012"/> </reference>
</reference>
<reference anchor="Linkova-Gont-IEPG90" target="http://www.iepg.org/2014-07- <reference anchor="Jaeggli-2018" target="https://blog.apnic.net/2018/01/
20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf"> 11/ipv6-flow-label-misuse-hashing/">
<front> <front>
<title>IPv6 Extension Headers in the Real World v2.0</title> <title>IPv6 flow label: misuse in hashing</title>
<author initials="J." surname="Linkova" fullname="Jen Linkova"> <author fullname="Joel Jaeggli" initials="J." surname="Jaeggli">
<organization></organization> </author>
</author> <date year="2018" month="January"/>
<author initials="F." surname="Gont" fullname="Fernando Gont"> </front>
<organization></organization> <refcontent>APNIC Blog</refcontent>
</author> </reference>
<date year=""/> <reference anchor="Almeida-2020" target="https://homepages.dcc.ufmg.br/~
</front> cunha/papers/almeida20infocom-mca.pdf">
<seriesInfo name="" value="IEPG 90. Toronto, ON, Canada. July 20, <front>
2014"/> <title>Classification of Load Balancing in the Internet</title>
</reference>
<reference anchor="IEPG94-Scudder" target="http://www.iepg.org/2015-11-01-ie <author fullname="Rafael Almeida" initials="R." surname="Almeida">
tf94/IEPG-RouterArchitecture-jgs.pdf"> <organization abbrev="UFMG"/>
<front> </author>
<title>Modern Router Architecture for Protocol Designers</title>
<author initials="B." surname="Petersen" fullname="Brian Petersen">
<organization>Juniper Networks</organization>
</author>
<author initials="J." surname="Scudder" fullname="John Scudder">
<organization>Juniper Networks</organization>
</author>
<date year=""/> <author fullname="Italo Cunha" initials="I." surname="Cunha">
</front> <organization abbrev="UFMG"/>
<seriesInfo name="" value="IEPG 94. Yokohama, Japan. November 1, </author>
2015"/>
</reference>
<reference anchor="APNIC-Scudder" target="https://blog.apnic.net/2020/06/04/ <author fullname="Renata Teixeira" initials="R" surname="Teixeira">
modern-router-architecture-and-ipv6/"> <organization abbrev="INRIA"/>
<front> </author>
<title>Modern router architecture and IPv6</title>
<author initials="J." surname="Scudder" fullname="John Scudder"> <author fullname="Darryl Veitch" initials="D." surname="Veitch">
<organization>Juniper Networks</organization> <organization abbrev="UTS"/>
</author> </author>
<date year=""/> <author fullname="Christophe Diot" initials="C." surname="Diot">
</front> <organization abbrev="Google"/>
<seriesInfo name="" value="APNIC Blog, June 4, 2020"/> </author>
</reference>
<reference anchor="Bonica-NANOG58" target="https://www.nanog.org/sites/defau <date year="2020" month="July"/>
lt/files/mon.general.fragmentation.bonica.pdf"> </front>
<front> <refcontent>IEEE INFOCOM 2020</refcontent>
<title>IPV6 FRAGMENTATION: The Case For Deprecation</title> <seriesInfo name="DOI" value="10.1109/INFOCOM41043.2020.9155387"/>
<author initials="R." surname="Bonica" fullname="Ron Bonica"> </reference>
<organization></organization>
</author>
<date year=""/> <reference anchor="BH-EU-2014" target="https://www.ernw.de/download/eu-1
</front> 4-Atlasis-Rey-Schaefer-briefings-Evasion-of-HighEnd-IPS-Devices-wp.pdf">
<seriesInfo name="" value="NANOG 58. New Orleans, Louisiana, USA. <front>
June 3-5, 2013"/> <title>Evasion of High-End IDPS Devices at the IPv6 Era</title>
</reference> <author initials="A." surname="Atlasis" fullname="Antonios Atlasis">
<organization/>
</author>
<author initials="E." surname="Rey" fullname="Enno Rey">
<organization/>
</author>
<author initials="R." surname="Schaefer" fullname="Rafael Schaefer">
<organization/>
</author>
<date year="2014"/>
</front>
<refcontent>Black Hat Europe 2014</refcontent>
</reference>
<reference anchor="Cisco-Frag" target="http://tools.cisco.com/security/cente <reference anchor="Atlasis2012" target="https://void.gr/kargig/ipv6/bh-e
r/content/CiscoSecurityAdvisory/cisco-sa-20150611-iosxr"> u-12-Atlasis-Attacking_IPv6-Slides.pdf">
<front> <front>
<title>Cisco IOS XR Software Crafted IPv6 Packet Denial of Service Vulnerabili <title>Attacking IPv6 Implementation Using Fragmentation</title>
ty</title> <author initials="A." surname="Atlasis" fullname="Antonios Atlasis">
<author> <organization/>
<organization>Cisco</organization> </author>
</author> <date month="March" year="2012"/>
<date month="June" year="2015"/> </front>
</front> <refcontent>Black Hat Europe 2012</refcontent>
</reference>
</reference> <reference anchor="Linkova-Gont-IEPG90" target="http://www.iepg.org/2014
-07-20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf">
<front>
<title>IPv6 Extension Headers in the Real World v2.0</title>
<author initials="J." surname="Linkova" fullname="Jen Linkova">
<organization/>
</author>
<author initials="F." surname="Gont" fullname="Fernando Gont">
<organization/>
</author>
<date year="2014" month="July"/>
</front>
<refcontent>IEPG 90</refcontent>
</reference>
<reference anchor="FreeBSD-SA" target="https://www.freebsd.org/security/advi <reference anchor="IEPG94-Scudder" target="http://www.iepg.org/2015-11-0
sories/FreeBSD-SA-20:24.ipv6.asc"> 1-ietf94/IEPG-RouterArchitecture-jgs.pdf">
<front> <front>
<title>FreeBSD Security Advisory FreeBSD-SA-20:24.ipv6: IPv6 Hop-by-Hop option <title>Modern Router Architecture for Protocol Designers</title>
s use-after-free bug</title> <author initials="B." surname="Petersen" fullname="Brian Petersen">
<author> <organization>Juniper Networks</organization>
<organization>FreeBSD</organization> </author>
</author> <author initials="J." surname="Scudder" fullname="John Scudder">
<date day="2" month="September" year="2020"/> <organization>Juniper Networks</organization>
</front> </author>
<date year="2015" month="November"/>
</front>
<refcontent>IEPG 94</refcontent>
</reference>
</reference> <reference anchor="APNIC-Scudder" target="https://blog.apnic.net/2020/06
/04/modern-router-architecture-and-ipv6/">
<front>
<title>Modern router architecture and IPv6</title>
<author initials="J." surname="Scudder" fullname="John Scudder">
<organization>Juniper Networks</organization>
</author>
<date year="2020" month="June"/>
</front>
<refcontent>APNIC Blog</refcontent>
</reference>
<reference anchor="Microsoft-SA" target="https://msrc.microsoft.com/update-g <reference anchor="Bonica-NANOG58" target="https://www.nanog.org/sites/d
uide/vulnerability/CVE-2021-24094"> efault/files/mon.general.fragmentation.bonica.pdf">
<front> <front>
<title>Windows TCP/IP Remote Code Execution Vulnerability (CVE-2021-24094)</ti <title>IPv6 Fragmentation: The Case For Deprecation</title>
tle> <author initials="R." surname="Bonica" fullname="Ron Bonica">
<author> <organization/>
<organization>Microsoft</organization> </author>
</author> <date year="2013" month="June"/>
<date day="9" month="February" year="2021"/> </front>
</front> <refcontent>NANOG 58</refcontent>
</reference>
</reference> <reference anchor="Cisco-Frag" target="http://tools.cisco.com/security/c
enter/content/CiscoSecurityAdvisory/cisco-sa-20150611-iosxr">
<front>
<title>Cisco IOS XR Software Crafted IPv6 Packet Denial of Service V
ulnerability</title>
<author>
<organization>Cisco</organization>
</author>
<date month="June" year="2015"/>
</front>
</reference>
<reference anchor="Cisco-EH-Cons" target="http://www.cisco.com/en/US/technol <reference anchor="FreeBSD-SA" target="https://www.freebsd.org/security/
ogies/tk648/tk872/technologies_white_paper0900aecd8054d37d.pdf"> advisories/FreeBSD-SA-20:24.ipv6.asc">
<front> <front>
<title>IPv6 Extension Headers Review and Considerations</title> <title>IPv6 Hop-by-Hop options use-after-free bug</title>
<author> <author>
<organization>Cisco</organization> <organization>The FreeBSD Project</organization>
</author> </author>
<date month="October" year="2006"/> <date month="September" year="2020"/>
</front> </front>
</reference>
</reference> <reference anchor="Microsoft-SA" target="https://msrc.microsoft.com/upda
te-guide/vulnerability/CVE-2021-24094">
<front>
<title>Windows TCP/IP Remote Code Execution Vulnerability</title>
<author>
<organization>Microsoft</organization>
</author>
<date month="February" year="2021"/>
</front>
<refcontent>CVE-2021-24094</refcontent>
</reference>
<reference anchor="Zack-FW-Benchmark" target="https://www.ipv6hackers.org/fi <reference anchor="Cisco-EH-Cons" target="http://www.cisco.com/en/US/tec
les/meetings/ipv6-hackers-1/zack-ipv6hackers1-firewall-security-assessment-and-b hnologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.pdf">
enchmarking.pdf"> <front>
<front> <title>IPv6 Extension Headers Review and Considerations</title>
<title abbrev="Firewall Benchmarking">Firewall Security Assessment and Benchma <author>
rking IPv6 Firewall Load Tests</title> <organization>Cisco</organization>
<author initials="E." surname="Zack" fullname="Eldad Zack"> </author>
</author> <date month="October" year="2006"/>
<date year=""/> </front>
</front> </reference>
<seriesInfo name="" value="IPv6 Hackers Meeting #1, Berlin, Germa
ny. June 30, 2013"/>
<!-- July 27 - August 1 -->
</reference>
<reference anchor="PMTUD-Blackholes" target="http://www.nlnetlabs.nl/downloa <reference anchor="Zack-FW-Benchmark" target="https://www.ipv6hackers.or
ds/publications/pmtu-black-holes-msc-thesis.pdf"> g/files/meetings/ipv6-hackers-1/zack-ipv6hackers1-firewall-security-assessment-a
<front> nd-benchmarking.pdf">
<title>Discovering Path MTU black holes on the Internet using RIPE Atlas</titl <front>
e> <title abbrev="Firewall Benchmarking">Firewall Security Assessment a
<author initials="M." surname="De Boer" fullname="Maikel De Boer"> nd Benchmarking IPv6 Firewall Load Tests</title>
<organization></organization> <author initials="E." surname="Zack" fullname="Eldad Zack">
</author>
<author initials="J." surname="Bosma" fullname="Jeffrey Bosma">
<organization></organization>
</author> </author>
<date month="July" year="2012"/> <date year="2013" month="June"/>
</front> </front>
<refcontent>IPv6 Hackers Meeting #1</refcontent>
</reference> </reference>
</references> <reference anchor="PMTUD-Blackholes" target="http://www.nlnetlabs.nl/dow
nloads/publications/pmtu-black-holes-msc-thesis.pdf">
<front>
<title>Discovering Path MTU black holes on the Internet using RIPE A
tlas</title>
<author initials="M." surname="De Boer" fullname="Maikel De Boer">
<organization/>
</author>
<author initials="J." surname="Bosma" fullname="Jeffrey Bosma">
<organization/>
</author>
<date month="July" year="2012"/>
</front>
<refcontent>University of Amsterdam, MSc. Systems &amp; Network Engineer
ing</refcontent>
</reference>
</references>
</references>
<section numbered="false" toc="default">
<name>Acknowledgements</name>
<t>The authors would like to thank (in alphabetical order) <contact fullna
me="Mikael Abrahamsson"/>, <contact fullname="Fred Baker"/>, <contact fullname="
Dale W. Carder"/>, <contact fullname="Brian Carpenter"/>, <contact fullname="Tim
Chown"/>, <contact fullname="Owen DeLong"/>, <contact fullname="Gorry Fairhurst
"/>, <contact fullname="Guillermo Gont"/>, <contact fullname="Tom Herbert"/>, <c
ontact fullname="Lee Howard"/>, <contact fullname="Tom Petch"/>, <contact fullna
me="Sander Steffann"/>, <contact fullname="Eduard Vasilenko"/>, <contact fullnam
e="Éric Vyncke"/>, <contact fullname="Rob Wilton"/>, <contact fullname="Jingrong
Xie"/>, and <contact fullname="Andrew Yourtchenko"/> for providing valuable com
ments on earlier draft versions of this document. </t>
<t><contact fullname="Fernando Gont"/> would like to thank <contact fullna
me="Jan Zorz"/> / Go6 Lab <eref brackets="angle" target="https://go6lab.si/"/>,
<contact fullname="Jared Mauch"/>, and <contact fullname="Sander Steffann"/> <er
ef brackets="angle" target="https://steffann.nl/"/> for providing access to syst
ems and networks that were employed to perform experiments and measurements invo
lving packets with IPv6 extension headers.</t>
</section>
</back> </back>
</rfc> </rfc>
 End of changes. 139 change blocks. 
820 lines changed or deleted 865 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/