rfc9805v1.txt | rfc9805.txt | |||
---|---|---|---|---|
skipping to change at line 111 ¶ | skipping to change at line 111 ¶ | |||
3. Issues Associated with the IPv6 Router Alert Option | 3. Issues Associated with the IPv6 Router Alert Option | |||
[RFC6398] identifies security considerations associated with the | [RFC6398] identifies security considerations associated with the | |||
Router Alert Option. In a nutshell, the IP Router Alert Option does | Router Alert Option. In a nutshell, the IP Router Alert Option does | |||
not provide a universal mechanism to accurately and reliably | not provide a universal mechanism to accurately and reliably | |||
distinguish between IP Router Alert packets of interest and unwanted | distinguish between IP Router Alert packets of interest and unwanted | |||
IP Router Alerts. This creates a security concern because, short of | IP Router Alerts. This creates a security concern because, short of | |||
appropriate router-implementation-specific mechanisms, the router's | appropriate router-implementation-specific mechanisms, the router's | |||
control plane is at risk of being flooded by unwanted traffic. | control plane is at risk of being flooded by unwanted traffic. | |||
NOTE: Many routers maintain separation between forwarding and control | | NOTE: Many routers maintain separation between forwarding and | |||
plane hardware. The forwarding plane is implemented on high- | | control plane hardware. The forwarding plane is implemented on | |||
performance Application-Specific Integrated Circuits (ASICs) and | | high-performance Application-Specific Integrated Circuits | |||
Network Processors (NPs), while the control plane is implemented on | | (ASICs) and Network Processors (NPs), while the control plane | |||
general-purpose processors. Given this difference, the control plane | | is implemented on general-purpose processors. Given this | |||
is more susceptible to a Denial-of-Service (DoS) attack than the | | difference, the control plane is more susceptible to a Denial- | |||
forwarding plane. | | of-Service (DoS) attack than the forwarding plane. | |||
[RFC6192] demonstrates how a network operator can deploy Access | [RFC6192] demonstrates how a network operator can deploy Access | |||
Control Lists (ACLs) that protect the control plane from DoS attacks. | Control Lists (ACLs) that protect the control plane from DoS attacks. | |||
These ACLs are effective and efficient when they select packets based | These ACLs are effective and efficient when they select packets based | |||
upon information that can be found in a fixed position. However, | upon information that can be found in a fixed position. However, | |||
they become less effective and less efficient when they must parse an | they become less effective and less efficient when they must parse a | |||
IPv6 Hop-by-Hop Options header, searching for the Router Alert | Hop-by-Hop Options header, searching for the Router Alert Option. | |||
Option. | ||||
Network operators can address the security considerations raised in | Network operators can address the security considerations raised in | |||
[RFC6398] by: | [RFC6398] by: | |||
* Deploying the operationally complex and computationally expensive | * Deploying the operationally complex and computationally expensive | |||
ACLs described in [RFC6192]. | ACLs described in [RFC6192]. | |||
* Configuring their routers to ignore the Router Alert Option. | * Configuring their routers to ignore the Router Alert Option. | |||
* Dropping or severely rate limiting packets that contain the IPv6 | * Dropping or severely rate limiting packets that contain the Hop- | |||
Hop-by-Hop Options header at the network edge. | by-Hop Options header at the network edge. | |||
These options become less viable as protocol designers continue to | These options become less viable as protocol designers continue to | |||
design protocols that use the Router Alert Option. | design protocols that use the Router Alert Option. | |||
[RFC9673] seeks to eliminate hop-by-hop processing on the control | [RFC9673] seeks to eliminate hop-by-hop processing on the control | |||
plane. However, because of its unique function, the Router Alert | plane. However, because of its unique function, the Router Alert | |||
option is granted an exception to this rule. One approach would be | option is granted an exception to this rule. One approach would be | |||
to deprecate the Router Alert option, because current usage beyond | to deprecate the Router Alert option, because current usage beyond | |||
the local network appears to be limited and packets containing Hop- | the local network appears to be limited and packets containing Hop- | |||
by-Hop options are frequently dropped. Deprecation would allow | by-Hop options are frequently dropped. Deprecation would allow | |||
current implementations to continue using it, but its use could be | current implementations to continue using it, but its use could be | |||
phased out over time. | phased out over time. | |||
4. Deprecation of the IPv6 Router Alert Option | 4. Deprecation of the IPv6 Router Alert Option | |||
This document deprecates the IPv6 Router Alert Option. Protocols | This document deprecates the IPv6 Router Alert Option. Protocols | |||
that use the Router Alert Option MAY continue to do so, even in | that use the Router Alert Option MAY continue to do so, even in | |||
future versions. However, new protocols that are standardized in the | future versions. However, new protocols that are standardized in the | |||
future MUST NOT use the Router Alert Option. Appendix A contains an | future MUST NOT use the Router Alert Option. Appendix A contains an | |||
exhaustive list of protocols that may continue to use the Router | exhaustive list of protocols that MAY continue to use the Router | |||
Alert Option. | Alert Option. | |||
This document updates [RFC2711]. | This document updates [RFC2711]. | |||
5. Future Work | 5. Future Work | |||
A number of protocols use the Router Alert option; these are listed | A number of protocols use the Router Alert option; these are listed | |||
in Appendix A. The only protocols in Appendix A that have widespread | in Appendix A. The only protocols in Appendix A that have widespread | |||
deployment are Multicast Listener Discovery Version 2 (MLDv2) | deployment are Multicast Listener Discovery Version 2 (MLDv2) | |||
[RFC3810] and Multicast Router Discovery (MRD) [RFC4286]. The other | [RFC9777] and Multicast Router Discovery (MRD) [RFC4286]. The other | |||
protocols either have limited deployment, are experimental, or have | protocols either have limited deployment, are experimental, or have | |||
no known implementation. | no known implementation. | |||
It is left for future work to develop new versions of MLDv2 and MRD | It is left for future work to develop new versions of MLDv2 and MRD | |||
that do not rely on the Router Alert option. That task is out of | that do not rely on the Router Alert option. That task is out of | |||
scope for this document. | scope for this document. | |||
6. Security Considerations | 6. Security Considerations | |||
This document mitigates all security considerations associated with | This document mitigates all security considerations associated with | |||
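Review bot: capitalization of the option name is still inconsistent in the unchanged lines of this block: the last paragraph of Section 3 and both paragraphs of Section 5 write "Router Alert option" (lowercase), while the rest of Section 3, Section 4 and the revised Table 1 entry write "Router Alert Option"; the same form should be used throughout, since Section 4 uses the capitalized form in its normative sentences. The change from "may" to "MAY" in the last sentence of Section 4 is correct, as that sentence restates the normative MAY granted two sentences earlier, and a lowercase "may" there would read as non-normative.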
skipping to change at line 248 ¶ | skipping to change at line 247 ¶ | |||
RFC 3175, DOI 10.17487/RFC3175, September 2001, | RFC 3175, DOI 10.17487/RFC3175, September 2001, | |||
<https://www.rfc-editor.org/info/rfc3175>. | <https://www.rfc-editor.org/info/rfc3175>. | |||
[RFC3208] Speakman, T., Crowcroft, J., Gemmell, J., Farinacci, D., | [RFC3208] Speakman, T., Crowcroft, J., Gemmell, J., Farinacci, D., | |||
Lin, S., Leshchiner, D., Luby, M., Montgomery, T., Rizzo, | Lin, S., Leshchiner, D., Luby, M., Montgomery, T., Rizzo, | |||
L., Tweedly, A., Bhaskar, N., Edmonstone, R., | L., Tweedly, A., Bhaskar, N., Edmonstone, R., | |||
Sumanasekera, R., and L. Vicisano, "PGM Reliable Transport | Sumanasekera, R., and L. Vicisano, "PGM Reliable Transport | |||
Protocol Specification", RFC 3208, DOI 10.17487/RFC3208, | Protocol Specification", RFC 3208, DOI 10.17487/RFC3208, | |||
December 2001, <https://www.rfc-editor.org/info/rfc3208>. | December 2001, <https://www.rfc-editor.org/info/rfc3208>. | |||
[RFC3810] Vida, R., Ed. and L. Costa, Ed., "Multicast Listener | ||||
Discovery Version 2 (MLDv2) for IPv6", RFC 3810, | ||||
DOI 10.17487/RFC3810, June 2004, | ||||
<https://www.rfc-editor.org/info/rfc3810>. | ||||
[RFC4080] Hancock, R., Karagiannis, G., Loughney, J., and S. Van den | [RFC4080] Hancock, R., Karagiannis, G., Loughney, J., and S. Van den | |||
Bosch, "Next Steps in Signaling (NSIS): Framework", | Bosch, "Next Steps in Signaling (NSIS): Framework", | |||
RFC 4080, DOI 10.17487/RFC4080, June 2005, | RFC 4080, DOI 10.17487/RFC4080, June 2005, | |||
<https://www.rfc-editor.org/info/rfc4080>. | <https://www.rfc-editor.org/info/rfc4080>. | |||
[RFC4286] Haberman, B. and J. Martin, "Multicast Router Discovery", | [RFC4286] Haberman, B. and J. Martin, "Multicast Router Discovery", | |||
RFC 4286, DOI 10.17487/RFC4286, December 2005, | RFC 4286, DOI 10.17487/RFC4286, December 2005, | |||
<https://www.rfc-editor.org/info/rfc4286>. | <https://www.rfc-editor.org/info/rfc4286>. | |||
[RFC5946] Le Faucheur, F., Manner, J., Narayanan, A., Guillou, A., | [RFC5946] Le Faucheur, F., Manner, J., Narayanan, A., Guillou, A., | |||
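Review bot: deleting the [RFC3810] entry is only safe if no citation of [RFC3810] survives in text outside the shown change blocks; the visible updates cover Section 5 and the MLDv2 row of Table 1, which now cite [RFC9777], so confirm there are no other occurrences, since a leftover citation would resolve to nothing. The replacement entry for RFC 9777 (STD 101, which obsoleted RFC 3810) is added in the later reference block, so numeric ordering of the list is preserved.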
skipping to change at line 307 ¶ | skipping to change at line 301 ¶ | |||
Aldrin, S., and M. Chen, "Detecting Multiprotocol Label | Aldrin, S., and M. Chen, "Detecting Multiprotocol Label | |||
Switched (MPLS) Data-Plane Failures", RFC 8029, | Switched (MPLS) Data-Plane Failures", RFC 8029, | |||
DOI 10.17487/RFC8029, March 2017, | DOI 10.17487/RFC8029, March 2017, | |||
<https://www.rfc-editor.org/info/rfc8029>. | <https://www.rfc-editor.org/info/rfc8029>. | |||
[RFC9570] Kompella, K., Bonica, R., and G. Mirsky, Ed., "Deprecating | [RFC9570] Kompella, K., Bonica, R., and G. Mirsky, Ed., "Deprecating | |||
the Use of Router Alert in LSP Ping", RFC 9570, | the Use of Router Alert in LSP Ping", RFC 9570, | |||
DOI 10.17487/RFC9570, May 2024, | DOI 10.17487/RFC9570, May 2024, | |||
<https://www.rfc-editor.org/info/rfc9570>. | <https://www.rfc-editor.org/info/rfc9570>. | |||
[RFC9777] Haberman, B., Ed., "Multicast Listener Discovery Version 2 | ||||
(MLDv2) for IPv6", STD 101, RFC 9777, | ||||
DOI 10.17487/RFC9777, March 2025, | ||||
<https://www.rfc-editor.org/info/rfc9777>. | ||||
Appendix A. Protocols That Use the Router Alert Option | Appendix A. Protocols That Use the Router Alert Option | |||
Table 1 contains an exhaustive list of protocols that use the IPv6 | Table 1 contains an exhaustive list of protocols that use the IPv6 | |||
Router Alert Option. There are no known IPv6 implementations of MPLS | Router Alert Option. There are no known IPv6 implementations of MPLS | |||
Ping. Neither Integrated Services (INTSERV) nor Next Steps in | Ping. Neither Integrated Services (Intserv) nor Next Steps in | |||
Signaling (NSIS) are widely deployed. All NSIS protocols are | Signaling (NSIS) are widely deployed. All NSIS protocols are | |||
experimental. Pragmatic Generic Multicast (PGM) is experimental, and | experimental. Pragmatic Generic Multicast (PGM) is experimental, and | |||
there are no known IPv6 implementations. | there are no known IPv6 implementations. | |||
+=================+=============================+==================+ | +=================+=============================+==================+ | |||
| Protocol | References | Application | | | Protocol | References | Application | | |||
+=================+=============================+==================+ | +=================+=============================+==================+ | |||
| Multicast | [RFC3810] | IPv6 Multicast | | | Multicast | [RFC9777] | IPv6 Multicast | | |||
| Listener | | | | | Listener | | | | |||
| Discovery | | | | | Discovery | | | | |||
| Version 2 | | | | | Version 2 | | | | |||
| (MLDv2) | | | | | (MLDv2) | | | | |||
+-----------------+-----------------------------+------------------+ | +-----------------+-----------------------------+------------------+ | |||
| Multicast | [RFC4286] | IPv6 Multicast | | | Multicast | [RFC4286] | IPv6 Multicast | | |||
| Router | | | | | Router | | | | |||
| Discovery (MRD) | | | | | Discovery (MRD) | | | | |||
+-----------------+-----------------------------+------------------+ | +-----------------+-----------------------------+------------------+ | |||
| Pragmatic | [RFC3208] | IPv6 Multicast | | | Pragmatic | [RFC3208] | IPv6 Multicast | | |||
| General | | | | | General | | | | |||
| Multicast (PGM) | | | | | Multicast (PGM) | | | | |||
+-----------------+-----------------------------+------------------+ | +-----------------+-----------------------------+------------------+ | |||
| MPLS Ping (Use | [RFC7506][RFC8029][RFC9570] | MPLS Operations, | | | MPLS Ping (Use | [RFC7506][RFC8029][RFC9570] | MPLS Operations, | | |||
| of router alert | | Administration, | | | of the Router | | Administration, | | |||
| deprecated) | | and Maintenance | | | Alert Option is | | and Maintenance | | |||
| | | (OAM) | | | deprecated) | | (OAM) | | |||
+-----------------+-----------------------------+------------------+ | +-----------------+-----------------------------+------------------+ | |||
| Resource | [RFC3175] [RFC5946] | Integrated | | | Resource | [RFC3175] [RFC5946] | Integrated | | |||
| Reservation | [RFC6016] [RFC6401] | Services | | | Reservation | [RFC6016] [RFC6401] | Services | | |||
| Protocol | | (INTSERV) | | | Protocol | | (Intserv) | | |||
| (RSVP): Both | | [RFC1633] and | | | (RSVP): Both | | [RFC1633] and | | |||
| IPv4 and IPv6 | | Multiprotocol | | | IPv4 and IPv6 | | Multiprotocol | | |||
| implementations | | Label Switching | | | implementations | | Label Switching | | |||
| | | (MPLS) [RFC3031] | | | | | (MPLS) [RFC3031] | | |||
+-----------------+-----------------------------+------------------+ | +-----------------+-----------------------------+------------------+ | |||
| Next Steps in | [RFC5979] [RFC5971] | NSIS [RFC4080] | | | Next Steps in | [RFC5979] [RFC5971] | NSIS [RFC4080] | | |||
| Signaling | | | | | Signaling | | | | |||
| (NSIS) | | | | | (NSIS) | | | | |||
+-----------------+-----------------------------+------------------+ | +-----------------+-----------------------------+------------------+ | |||
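Review bot: the expansion of PGM disagrees between the Appendix A prose, which reads "Pragmatic Generic Multicast (PGM)", and the Table 1 row, which reads "Pragmatic General Multicast (PGM)"; RFC 3208's PGM is Pragmatic General Multicast, so the prose sentence should be aligned with the table. The "INTSERV" to "Intserv" change was applied to both the prose and the RSVP row, and the MPLS Ping row's "Use of the Router Alert Option is deprecated" now matches the capitalized form used in Section 4.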