--- 1/draft-ietf-opsec-ipv6-eh-filtering-07.txt 2021-06-04 00:13:10.065208411 -0700 +++ 2/draft-ietf-opsec-ipv6-eh-filtering-08.txt 2021-06-04 00:13:10.125209922 -0700 @@ -1,20 +1,20 @@ opsec F. Gont Internet-Draft SI6 Networks Intended status: Informational W. Liu -Expires: July 23, 2021 Huawei Technologies - January 19, 2021 +Expires: December 5, 2021 Huawei Technologies + June 3, 2021 Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers at Transit Routers - draft-ietf-opsec-ipv6-eh-filtering-07 + draft-ietf-opsec-ipv6-eh-filtering-08 Abstract This document analyzes the security implications of IPv6 Extension Headers and associated IPv6 options. Additionally, it discusses the operational and interoperability implications of discarding packets based on the IPv6 Extension Headers and IPv6 options they contain. Finally, it provides advice on the filtering of such IPv6 packets at transit routers for traffic *not* directed to them, for those cases where such filtering is deemed as necessary. 
@@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 23, 2021. + This Internet-Draft will expire on December 5, 2021. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -169,21 +169,21 @@ EHs at transit routers for traffic *not* explicitly destined to them, for cases in which such filtering is deemed as necessary. 2.3. Conventions This document assumes that nodes comply with the requirements in [RFC7045]. Namely, o If a forwarding node discards a packet containing a standard IPv6 EH, it MUST be the result of a configurable policy and not just - the result of a failure to recognise such a header. + the result of a failure to recognize such a header. o The discard policy for each standard type of EH MUST be individually configurable. o The default configuration should allow all standard IPv6 EHs. The advice provided in this document is only meant to guide an operator in configuring forwarding devices, and is *not* to be interpreted as advice regarding default configuration settings for network devices. That is, this document provides advice with respect 
@@ -331,21 +331,21 @@ o Type 0x00: Pad1 [RFC8200] o Type 0x01: PadN [RFC8200] o Type 0x05: Router Alert [RFC2711] o Type 0x07: CALIPSO [RFC5570] o Type 0x08: SMF_DPD [RFC6621] - o Type 0x23: RPL Option [I-D.ietf-roll-useofrplinfo] + o Type 0x23: RPL Option [RFC9008] o Type 0x26: Quick-Start [RFC4782] o Type 0x4D: (Deprecated) o Type 0x63: RPL Option [RFC6553] o Type 0x6D: MPL Option [RFC7731] o Type 0x8A: Endpoint Identification (Deprecated) @@ -639,21 +639,21 @@ 3.4.8.1. Uses This EH is employed with the Host Identity Protocol (HIP), an experimental protocol that allows consenting hosts to securely establish and maintain shared IP-layer state, allowing separation of the identifier and locator roles of IP addresses, thereby enabling continuity of communications across IP address changes. 3.4.8.2. Specification - This EH is specified in [RFC5201]. + This EH is specified in [RFC7401]. 3.4.8.3. Specific Security Implications The security implications of the HIP header are discussed in detail in Section 8 of [RFC6275]. 3.4.8.4. Operational and Interoperability Impact if Blocked Discarding packets that contain the Host Identity Protocol would break HIP deployments. @@ -864,21 +864,21 @@ 4.3.4. RPL Option (Type=0x63) 4.3.4.1. Uses The RPL Option provides a mechanism to include routing information with each datagram that an RPL router forwards. 4.3.4.2. Specification This option was originally specified in [RFC6553]. It has been - deprecated by [I-D.ietf-roll-useofrplinfo]. + deprecated by [RFC9008]. 4.3.4.3. Specific Security Implications Those described in [RFC6553]. 4.3.4.4. Operational and Interoperability Impact if Blocked This option is meant to be employed within an RPL instance. As a result, discarding packets based on the presence of this option (e.g. at an ISP) will not result in interoperability implications. 
@@ -889,31 +889,31 @@ 4.3.5. RPL Option (Type=0x23) 4.3.5.1. Uses The RPL Option provides a mechanism to include routing information with each datagram that an RPL router forwards. 4.3.5.2. Specification - This option is specified in [I-D.ietf-roll-useofrplinfo]. + This option is specified in [RFC9008]. 4.3.5.3. Specific Security Implications - Those described in [I-D.ietf-roll-useofrplinfo]. + Those described in [RFC9008]. 4.3.5.4. Operational and Interoperability Impact if Blocked This option is meant to survive outside of an RPL instance. As a result, discarding packets based on the presence of this option would - break some use cases for RPL (see [I-D.ietf-roll-useofrplinfo]). + break some use cases for RPL (see [RFC9008]). 4.3.5.5. Advice Intermediate systems should not discard IPv6 packets based on the presence of this option. 4.3.6. Tunnel Encapsulation Limit (Type=0x04) 4.3.6.1. Uses 
@@ -935,37 +935,43 @@ 4.3.6.5. Advice Intermediate systems should not discard packets based on the presence of this option. 4.3.7. Router Alert (Type=0x05) 4.3.7.1. Uses - The Router Alert option [RFC2711] is typically employed for the RSVP - protocol [RFC2205] and the MLD protocol [RFC2710]. + The Router Alert option [RFC2711] is employed by a number of + protocols, including the Resource reSerVation Protocol (RSVP) + [RFC2205], Multicast Listener Discovery (MLD) [RFC2710] [RFC3810], + Multicast Router Discovery (MRD) [RFC4286], and General Internet + Signaling Transport (GIST) [RFC5971]. Its usage is discussed in + detail in [RFC6398]. 4.3.7.2. Specification This option is specified in [RFC2711]. 4.3.7.3. Specific Security Implications Since this option causes the contents of the packet to be inspected by the handling device, this option could be leveraged for performing - DoS attacks. + DoS attacks. The security implications of the Router Alert option + are discussed in detail in [RFC6398]. 4.3.7.4. Operational and Interoperability Impact if Blocked - Discarding packets that contain this option would break RSVP and - multicast deployments. + Discarding packets that contain this option would break any protocols + that rely on them, such as RSVP and multicast deployments. Please + see Section 4.3.7.3 for further details. 4.3.7.5. Advice Packets containing this option should be permitted in environments where support for RSVP, multicast routing, or similar protocols is desired. 4.3.8. Quick-Start (Type=0x26) 4.3.8.1. Uses 
@@ -1392,44 +1398,34 @@ Fernando would also like to thank Brian Carpenter and Ran Atkinson who, over the years, have answered many questions and provided valuable comments that have benefited his protocol-related work (including the present document). 9. References 9.1. Normative References - [I-D.ietf-roll-useofrplinfo] - Robles, I., Richardson, M., and P. Thubert, "Using RPI - Option Type, Routing Header for Source Routes and IPv6-in- - IPv6 encapsulation in the RPL Data Plane", draft-ietf- - roll-useofrplinfo-44 (work in progress), January 2021. - [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S. Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification", RFC 2205, DOI 10.17487/RFC2205, September 1997, . - [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 - (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, - December 1998, . - [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473, December 1998, . [RFC2675] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms", RFC 2675, DOI 10.17487/RFC2675, August 1999, . [RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast Listener Discovery (MLD) for IPv6", RFC 2710, 
@@ -1438,20 +1434,29 @@ [RFC2711] Partridge, C. and A. Jackson, "IPv6 Router Alert Option", RFC 2711, DOI 10.17487/RFC2711, October 1999, . [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers Considered Useful", BCP 82, RFC 3692, DOI 10.17487/RFC3692, January 2004, . + [RFC3810] Vida, R., Ed. and L. Costa, Ed., "Multicast Listener + Discovery Version 2 (MLDv2) for IPv6", RFC 3810, + DOI 10.17487/RFC3810, June 2004, + . + + [RFC4286] Haberman, B. and J. Martin, "Multicast Router Discovery", + RFC 4286, DOI 10.17487/RFC4286, December 2005, + . + [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, DOI 10.17487/RFC4302, December 2005, . [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005, . [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4, ICMPv6, UDP, and TCP Headers", RFC 4727, 
@@ -1460,34 +1465,33 @@ [RFC4782] Floyd, S., Allman, M., Jain, A., and P. Sarolahti, "Quick- Start for TCP and IP", RFC 4782, DOI 10.17487/RFC4782, January 2007, . [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation of Type 0 Routing Headers in IPv6", RFC 5095, DOI 10.17487/RFC5095, December 2007, . - [RFC5201] Moskowitz, R., Nikander, P., Jokela, P., Ed., and T. - Henderson, "Host Identity Protocol", RFC 5201, - DOI 10.17487/RFC5201, April 2008, - . - [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533, June 2009, . [RFC5570] StJohns, M., Atkinson, R., and G. Thomas, "Common Architecture Label IPv6 Security Option (CALIPSO)", RFC 5570, DOI 10.17487/RFC5570, July 2009, . + [RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General Internet + Signalling Transport", RFC 5971, DOI 10.17487/RFC5971, + October 2010, . + [RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July 2011, . [RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, October 2011, . [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, 
@@ -1535,20 +1539,25 @@ [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing of IPv6 Extension Headers", RFC 7045, DOI 10.17487/RFC7045, December 2013, . [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of Oversized IPv6 Header Chains", RFC 7112, DOI 10.17487/RFC7112, January 2014, . + [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. + Henderson, "Host Identity Protocol Version 2 (HIPv2)", + RFC 7401, DOI 10.17487/RFC7401, April 2015, + . + [RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731, February 2016, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, @@ -1558,20 +1567,26 @@ [RFC8754] Filsfils, C., Ed., Dukes, D., Ed., Previdi, S., Leddy, J., Matsushima, S., and D. Voyer, "IPv6 Segment Routing Header (SRH)", RFC 8754, DOI 10.17487/RFC8754, March 2020, . [RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., and F. Gont, "IP Fragmentation Considered Fragile", BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020, . + [RFC9008] Robles, M., Richardson, M., and P. Thubert, "Using RPI + Option Type, Routing Header for Source Routes, and IPv6- + in-IPv6 Encapsulation in the RPL Data Plane", RFC 9008, + DOI 10.17487/RFC9008, April 2021, + . + 9.2. Informative References [Biondi2007] Biondi, P. and A. Ebalard, "IPv6 Routing Header Security", CanSecWest 2007 Security Conference, 2007, . [Cisco-EH] Cisco Systems, "IPv6 Extension Headers Review and Considerations", Whitepaper. October 2006, 
@@ -1589,51 +1604,50 @@ 1995. [FW-Benchmark] Zack, E., "Firewall Security Assessment and Benchmarking IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1, Berlin, Germany. June 30, 2013, . - [I-D.ietf-6man-hbh-header-handling] - Baker, F. and R. Bonica, "IPv6 Hop-by-Hop Options - Extension Header", draft-ietf-6man-hbh-header-handling-03 - (work in progress), March 2016. - [I-D.ietf-v6ops-ipv6-ehs-packet-drops] Gont, F., Hilliard, N., Doering, G., Kumari, W., Huston, - G., and W. LIU, "Operational Implications of IPv6 Packets - with Extension Headers", draft-ietf-v6ops-ipv6-ehs-packet- - drops-03 (work in progress), January 2021. + G., and W. (. Liu, "Operational Implications of IPv6 + Packets with Extension Headers", draft-ietf-v6ops-ipv6- + ehs-packet-drops-06 (work in progress), April 2021. [I-D.irtf-pearg-numeric-ids-generation] Gont, F. and I. Arce, "On the Generation of Transient Numeric Identifiers", draft-irtf-pearg-numeric-ids- - generation-06 (work in progress), January 2021. + generation-07 (work in progress), February 2021. [IANA-IPV6-PARAM] Internet Assigned Numbers Authority, "Internet Protocol Version 6 (IPv6) Parameters", December 2013, . [IANA-PROTOCOLS] Internet Assigned Numbers Authority, "Protocol Numbers", 2014, . [NIMROD-DOC] Nimrod Documentation Page, "http://ana-3.lcs.mit.edu/~jnc/nimrod/". + [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, + December 1998, . + [RFC3871] Jones, G., Ed., "Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure", RFC 3871, DOI 10.17487/RFC3871, September 2004, . [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the Router Control Plane", RFC 6192, DOI 10.17487/RFC6192, March 2011, . [RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations
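Review bot: in the hunk at @@ -169,21 +169,21 @@ the requirement keywords are inconsistent across the three bullets introduced by "Namely,": the first two use "MUST" while the third says "The default configuration should allow all standard IPv6 EHs" in lowercase. If these bullets quote [RFC7045], the third should use the capitalised keyword of the source (or all three should be marked as paraphrase rather than quotation); the recognise -> recognize change is harmless either way, but a verbatim quote should keep the source's spelling.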
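Review bot: in the hunk at @@ -331,21 +331,21 @@ the option list marks 0x4D and 0x8A as "(Deprecated)" but leaves "o Type 0x63: RPL Option [RFC6553]" unmarked, even though the hunk at @@ -864,21 +864,21 @@ in this same revision states that option 0x63 "has been deprecated by [RFC9008]". Suggest "o Type 0x63: RPL Option (Deprecated) [RFC6553]" so the list and Section 4.3.4.2 agree.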
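Review bot: in the hunk at @@ -639,21 +639,21 @@ the reference update to [RFC7401] leaves two stale statements in the unchanged context. 4.3.8.1 still describes HIP as "an experimental protocol", which was true of RFC 5201 but not of RFC 7401 (HIPv2), which is Standards Track. And 4.3.8.3 says the security implications of the HIP header "are discussed in detail in Section 8 of [RFC6275]"; RFC 6275 is "Mobility Support in IPv6" (see the references hunk), so this looks copied from the Mobility Header section and should point at the Security Considerations of [RFC7401] instead.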
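Review bot: in the hunk at @@ -935,37 +935,43 @@ the new sentence in 4.3.7.4, "Please see Section 4.3.7.3 for further details", points at the Specific Security Implications subsection, which says nothing about operational impact; the list of protocols that justifies "any protocols that rely on them" is in 4.3.7.1 and the detailed usage discussion is [RFC6398], so the cross-reference should read "see Section 4.3.7.1 and [RFC6398]". Two smaller points in the same hunk: "protocols that rely on them" should be "rely on it" (the option), and "General Internet Signaling Transport (GIST)" in 4.3.7.1 does not match the "Signalling" spelling of the RFC 5971 title added in the hunk at @@ -1460,34 +1465,33 @@.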
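Review bot: in the hunk at @@ -1589,51 +1604,50 @@ the regenerated [I-D.ietf-v6ops-ipv6-ehs-packet-drops] entry now renders the last author as "W. (. Liu", which looks like a rendering artifact from the author's name or initials in the reference XML; the previous revision had "W. LIU" and the front page has "W. Liu". The initials in that reference entry should be fixed so the rendered name matches the front page. Moving [RFC2460] from the normative to the informative list in this hunk is consistent with [RFC8200] being the normative IPv6 reference, provided the body only cites RFC 2460 historically.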