summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7045.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc7045.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc7045.txt')
-rw-r--r--doc/rfc/rfc7045.txt563
1 files changed, 563 insertions, 0 deletions
diff --git a/doc/rfc/rfc7045.txt b/doc/rfc/rfc7045.txt
new file mode 100644
index 0000000..d69701d
--- /dev/null
+++ b/doc/rfc/rfc7045.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) B. Carpenter
+Request for Comments: 7045 Univ. of Auckland
+Updates: 2460, 2780 S. Jiang
+Category: Standards Track Huawei Technologies Co., Ltd.
+ISSN: 2070-1721 December 2013
+
+
+ Transmission and Processing of IPv6 Extension Headers
+
+Abstract
+
+ Various IPv6 extension headers have been standardised since the IPv6
+ standard was first published. This document updates RFC 2460 to
+ clarify how intermediate nodes should deal with such extension
+ headers and with any that are defined in the future. It also
+ specifies how extension headers should be registered by IANA, with a
+ corresponding minor update to RFC 2780.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7045.
+
+Copyright Notice
+
+ Copyright (c) 2013 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+Carpenter & Jiang Standards Track [Page 1]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+Table of Contents
+
+ 1. Introduction and Problem Statement . . . . . . . . . . . . . 2
+ 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Requirement to Transmit Extension Headers . . . . . . . . . . 5
+ 2.1. All Extension Headers . . . . . . . . . . . . . . . . . . 5
+ 2.2. Hop-by-Hop Options . . . . . . . . . . . . . . . . . . . 6
+ 3. Security Considerations . . . . . . . . . . . . . . . . . . . 6
+ 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
+ 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
+ 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 6.1. Normative References . . . . . . . . . . . . . . . . . . 8
+ 6.2. Informative References . . . . . . . . . . . . . . . . . 8
+
+1. Introduction and Problem Statement
+
+ In IPv6, an extension header is any header that follows the initial
+ 40 bytes of the packet and precedes the upper-layer header (which
+ might be a transport header, an ICMPv6 header, or a notional "No Next
+ Header").
+
+ An initial set of IPv6 extension headers was defined by [RFC2460],
+ which also described how they should be handled by intermediate
+ nodes, with the exception of the Hop-by-Hop Options header:
+
+ ...extension headers are not examined or processed by any node
+ along a packet's delivery path, until the packet reaches the node
+ (or each of the set of nodes, in the case of multicast) identified
+ in the Destination Address field of the IPv6 header.
+
+ This provision meant that forwarding nodes should be completely
+ transparent to extension headers. There was no provision for
+ forwarding nodes to modify them, remove them, insert them, or use
+ them to affect forwarding behaviour. Thus, new extension headers
+ could be introduced progressively and used only by hosts that have
+ been updated to create and interpret them [RFC6564]. The extension
+ header mechanism is an important part of the IPv6 architecture, and
+ several new extension headers have been standardised since RFC 2460
+ was published.
+
+ Today, IPv6 packets are not always forwarded by straightforward IP
+ routing based on their first 40 bytes. Some routers, and a variety
+ of intermediate nodes often referred to as middleboxes, such as
+ firewalls, load balancers, or packet classifiers, might inspect other
+ parts of each packet. Indeed, such middlebox functions are often
+ embedded in routers. However, experience has shown that as a result,
+ the network is not transparent to IPv6 extension headers. Contrary
+ to Section 4 of RFC 2460, middleboxes sometimes examine and process
+
+
+
+Carpenter & Jiang Standards Track [Page 2]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+ the entire IPv6 packet before making a decision to either forward or
+ discard the packet. This means that they need to traverse the chain
+ of extension headers, if present, until they find the transport
+ header (or an encrypted payload). Unfortunately, because not all
+ IPv6 extension headers follow a uniform TLV format, this process is
+ clumsy and requires knowledge of each extension header's format. A
+ separate problem is that the header chain may even be fragmented
+ [HEADER-CHAIN].
+
+ The process is potentially slow as well as clumsy, possibly
+ precluding its use in nodes attempting to process packets at line
+ speed. The present document does not intend to solve this problem,
+ which is caused by the fundamental architecture of IPv6 extension
+ headers. This document focuses on clarifying how the header chain
+ should be handled in the current IPv6 architecture.
+
+ If they encounter an unrecognised extension header type, some
+ firewalls treat the packet as suspect and drop it. Unfortunately, it
+ is an established fact that several widely used firewalls do not
+ recognise some or all of the extension headers standardised since RFC
+ 2460 was published. It has also been observed that certain firewalls
+ do not even handle all the extension headers standardised in RFC
+ 2460, including the fragment header [FRAGDROP], causing fundamental
+ problems of end-to-end connectivity. This applies in particular to
+ firewalls that attempt to inspect packets at very high speed, since
+ they cannot take the time to reassemble fragmented packets,
+ especially when under a denial-of-service attack.
+
+ Other types of middleboxes, such as load balancers or packet
+ classifiers, might also fail in the presence of extension headers
+ that they do not recognise.
+
+ A contributory factor to this problem is that because extension
+ headers are numbered out of the existing IP Protocol Number space,
+ there is no collected list of them. For this reason, it is hard for
+ an implementor to quickly identify the full set of standard extension
+ headers. An implementor who consults only RFC 2460 will miss all
+ extension headers defined subsequently.
+
+ This combination of circumstances creates a "Catch-22" situation
+ [Heller] for the deployment of any newly standardised extension
+ header except for local use. It cannot be widely deployed because
+ existing middleboxes will drop it on many paths through the Internet.
+ However, most middleboxes will not be updated to allow the new header
+ to pass until it has been proved safe and useful on the open
+ Internet, which is impossible until the middleboxes have been
+ updated.
+
+
+
+
+Carpenter & Jiang Standards Track [Page 3]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+ The uniform TLV format now defined for extension headers [RFC6564]
+ will improve the situation, but only for future extensions. Some
+ tricky and potentially malicious cases will be avoided by forbidding
+ very long chains of extension headers that need to be fragmented
+ [HEADER-CHAIN]. This will alleviate concerns that stateless
+ firewalls cannot locate a complete header chain as required by the
+ present document.
+
+ However, these changes are insufficient to correct the underlying
+ problem. The present document clarifies that the above requirement
+ from RFC 2460 applies to all types of nodes that forward IPv6 packets
+ and to all extension headers standardised now and in the future. It
+ also requests that IANA create a subsidiary registry that clearly
+ identifies extension header types and updates RFC 2780 accordingly.
+ Fundamental changes to the IPv6 extension header architecture are out
+ of scope for this document.
+
+ Also, hop-by-hop options are not handled by many high-speed routers
+ or are processed only on a slow path. This document also updates the
+ requirements for processing the Hop-by-Hop Options header to make
+ them more realistic.
+
+1.1. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ In the remainder of this document, the term "forwarding node" refers
+ to any router, firewall, load balancer, prefix translator, or any
+ other device or middlebox that forwards IPv6 packets with or without
+ examining the packet in any way.
+
+ In this document, "standard" IPv6 extension headers are those
+ specified in detail by IETF Standards Actions [RFC5226].
+ "Experimental" extension headers include those defined by any
+ Experimental RFC and the header values 253 and 254 defined by
+ [RFC3692] and [RFC4727] when used as experimental extension headers.
+ "Defined" extension headers are the "standard" extension headers plus
+ the "experimental" ones.
+
+
+
+
+
+
+
+
+
+
+
+Carpenter & Jiang Standards Track [Page 4]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+2. Requirement to Transmit Extension Headers
+
+2.1. All Extension Headers
+
+ As mentioned above, forwarding nodes that discard packets containing
+ extension headers are known to cause connectivity failures and
+ deployment problems. Therefore, it is important that forwarding
+ nodes that inspect IPv6 headers be able to parse all defined
+ extension headers and deal with them appropriately, as specified in
+ this section.
+
+ Any forwarding node along an IPv6 packet's path, which forwards the
+ packet for any reason, SHOULD do so regardless of any extension
+ headers that are present, as required by RFC 2460. Exceptionally, if
+ a forwarding node is designed to examine extension headers for any
+ reason, such as firewalling, it MUST recognise and deal appropriately
+ with all standard IPv6 extension header types and SHOULD recognise
+ and deal appropriately with experimental IPv6 extension header types.
+ The list of standard and experimental extension header types is
+ maintained by IANA (see Section 4), and implementors are advised to
+ check this list regularly for updates.
+
+ RFC 2460 requires destination hosts to discard packets containing
+ unrecognised extension headers. However, intermediate forwarding
+ nodes SHOULD NOT do this, since that might cause them to
+ inadvertently discard traffic using a recently standardised extension
+ header not yet recognised by the intermediate node. The exceptions
+ to this rule are discussed next.
+
+ If a forwarding node discards a packet containing a standard IPv6
+ extension header, it MUST be the result of a configurable policy and
+ not just the result of a failure to recognise such a header. This
+ means that the discard policy for each standard type of extension
+ header MUST be individually configurable. The default configuration
+ SHOULD allow all standard extension headers.
+
+ Experimental IPv6 extension headers SHOULD be treated in the same way
+ as standard extension headers, including an individually configurable
+ discard policy. However, the default configuration MAY drop
+ experimental extension headers.
+
+ Forwarding nodes MUST be configurable to allow packets containing
+ unrecognised extension headers, but the default configuration MAY
+ drop such packets.
+
+ The IPv6 Routing Header Types 0 and 1 have been deprecated. Note
+ that Type 0 was deprecated by [RFC5095]. However, this does not mean
+ that the IPv6 Routing Header can be unconditionally dropped by
+
+
+
+Carpenter & Jiang Standards Track [Page 5]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+ forwarding nodes. Packets containing standardised and undeprecated
+ Routing Headers SHOULD be forwarded by default. At the time of
+ writing, these include Type 2 [RFC6275], Type 3 [RFC6554], and the
+ experimental Routing Header Types 253 and 254 [RFC4727]. Others may
+ be defined in the future.
+
+2.2. Hop-by-Hop Options
+
+ The IPv6 Hop-by-Hop Options header SHOULD be processed by
+ intermediate forwarding nodes as described in [RFC2460]. However, it
+ is to be expected that high-performance routers will either ignore it
+ or assign packets containing it to a slow processing path. Designers
+ planning to use a hop-by-hop option need to be aware of this likely
+ behaviour.
+
+ As a reminder, in RFC 2460, it is stated that the Hop-by-Hop Options
+ header, if present, must be first.
+
+3. Security Considerations
+
+ Forwarding nodes that operate as firewalls MUST conform to the
+ requirements in the previous section in order to respect the IPv6
+ extension header architecture. In particular, packets containing
+ standard extension headers are only to be discarded as a result of an
+ intentionally configured policy.
+
+ These changes do not affect a firewall's ability to filter out
+ traffic containing unwanted or suspect extension headers, if
+ configured to do so. However, the changes do require firewalls to be
+ capable of permitting any or all extension headers, if configured to
+ do so. The default configurations are intended to allow normal use
+ of any standard extension header, avoiding the connectivity issues
+ described in Sections 1 and 2.1.
+
+ As noted above, the default configuration might drop packets
+ containing experimental extension headers. There is no header length
+ field in an IPv6 header, and header types 253 and 254 might be used
+ either for experimental extension headers or for experimental payload
+ types. Therefore, there is no generic algorithm by which a firewall
+ can distinguish these two cases and analyze the remainder of the
+ packet. This should be considered when deciding on the appropriate
+ default action for header types 253 and 254.
+
+ When new extension headers are standardised in the future, those
+ implementing and configuring forwarding nodes, including firewalls,
+ will need to take them into account. A newly defined header will
+ exercise new code paths in a host that does recognise it, so caution
+ may be required. Additional security issues with experimental values
+
+
+
+Carpenter & Jiang Standards Track [Page 6]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+ or new extension headers are to be found in [RFC4727] and [RFC6564].
+ As a result, it is to be expected that the deployment process will be
+ slow and will depend on satisfactory operational experience. Until
+ deployment is complete, the new extension will fail in some parts of
+ the Internet. This aspect needs to be considered when deciding to
+ standardise a new extension. Specific security considerations for
+ each new extension should be documented in the document that defines
+ it.
+
+4. IANA Considerations
+
+ IANA has added an extra column titled "IPv6 Extension Header" to the
+ "Assigned Internet Protocol Numbers" registry to clearly mark those
+ values that are also IPv6 extension header types defined by an IETF
+ Standards Action or IESG Approval (see list below). This also
+ applies to IPv6 extension header types defined in the future.
+
+ Additionally, IANA has closed the existing empty "Next Header Types"
+ registry to new entries and is redirecting its users to a new "IPv6
+ Extension Header Types" registry. This registry contains only those
+ protocol numbers that are also marked as IPv6 Extension Header types
+ in the "Assigned Internet Protocol Numbers" registry. Experimental
+ values will be marked as such. The initial list will be as follows:
+
+ o 0, IPv6 Hop-by-Hop Option, [RFC2460]
+
+ o 43, Routing Header for IPv6, [RFC2460], [RFC5095]
+
+ o 44, Fragment Header for IPv6, [RFC2460]
+
+ o 50, Encapsulating Security Payload, [RFC4303]
+
+ o 51, Authentication Header, [RFC4302]
+
+ o 60, Destination Options for IPv6, [RFC2460]
+
+ o 135, Mobility Header, [RFC6275]
+
+ o 139, Experimental use, Host Identity Protocol [RFC5201]
+
+ o 140, Shim6 Protocol, [RFC5533]
+
+ o 253, Use for experimentation and testing, [RFC3692], [RFC4727]
+
+ o 254, Use for experimentation and testing, [RFC3692], [RFC4727]
+
+ This list excludes type 59, No Next Header, [RFC2460], which is not
+ an extension header as such.
+
+
+
+Carpenter & Jiang Standards Track [Page 7]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+ The references to the IPv6 Next Header field in [RFC2780] are to be
+ interpreted as also applying to the IPv6 Extension Header field, and
+ the "IPv6 Extension Header Types" registry will be managed
+ accordingly.
+
+5. Acknowledgements
+
+ This document was triggered by mailing list discussions including
+ John Leslie, Stefan Marksteiner, and others. Valuable comments and
+ contributions were made by Dominique Barthel, Tim Chown, Lorenzo
+ Colitti, Fernando Gont, C. M. Heard, Bob Hinden, Ray Hunter, Suresh
+ Krishnan, Marc Lampo, Sandra Murphy, Michael Richardson, Dan
+ Romascanu, Dave Thaler, Joe Touch, Bjoern Zeeb, and others.
+
+ Brian Carpenter was a visitor at the Computer Laboratory at Cambridge
+ University during part of this work.
+
+6. References
+
+6.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
+ (IPv6) Specification", RFC 2460, December 1998.
+
+ [RFC2780] Bradner, S. and V. Paxson, "IANA Allocation Guidelines For
+ Values In the Internet Protocol and Related Headers", BCP
+ 37, RFC 2780, March 2000.
+
+ [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers
+ Considered Useful", BCP 82, RFC 3692, January 2004.
+
+ [RFC4727] Fenner, B., "Experimental Values In IPv4, IPv6, ICMPv4,
+ ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006.
+
+ [RFC6564] Krishnan, S., Woodyatt, J., Kline, E., Hoagland, J., and
+ M. Bhatia, "A Uniform Format for IPv6 Extension Headers",
+ RFC 6564, April 2012.
+
+6.2. Informative References
+
+ [FRAGDROP] Jaeggli, J., Colitti, L., Kumari, W., Vyncke, E., Kaeo,
+ M., and T. Taylor, "Why Operators Filter Fragments and
+ What It Implies", Work in Progress, June 2013.
+
+
+
+
+
+Carpenter & Jiang Standards Track [Page 8]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+ [HEADER-CHAIN]
+ Gont, F., Manral, V., and R. Bonica, "Implications of
+ Oversized IPv6 Header Chains", Work in Progress, October
+ 2013.
+
+ [Heller] Heller, J., "Catch-22", Simon and Schuster, November 1961.
+
+ [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December
+ 2005.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
+ 4303, December 2005.
+
+ [RFC5095] Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
+ of Type 0 Routing Headers in IPv6", RFC 5095, December
+ 2007.
+
+ [RFC5201] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson,
+ "Host Identity Protocol", RFC 5201, April 2008.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ May 2008.
+
+ [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
+ Shim Protocol for IPv6", RFC 5533, June 2009.
+
+ [RFC6275] Perkins, C., Johnson, D., and J. Arkko, "Mobility Support
+ in IPv6", RFC 6275, July 2011.
+
+ [RFC6554] Hui, J., Vasseur, JP., Culler, D., and V. Manral, "An IPv6
+ Routing Header for Source Routes with the Routing Protocol
+ for Low-Power and Lossy Networks (RPL)", RFC 6554, March
+ 2012.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Carpenter & Jiang Standards Track [Page 9]
+
+RFC 7045 IPv6 Extension Header Transmission December 2013
+
+
+Authors' Addresses
+
+ Brian Carpenter
+ Department of Computer Science
+ University of Auckland
+ PB 92019
+ Auckland 1142
+ New Zealand
+
+ EMail: brian.e.carpenter@gmail.com
+
+
+ Sheng Jiang
+ Huawei Technologies Co., Ltd.
+ Q14, Huawei Campus
+ No. 156 Beiqing Road
+ Hai-Dian District, Beijing 100095
+ P.R. China
+
+ EMail: jiangsheng@huawei.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Carpenter & Jiang Standards Track [Page 10]
+