--- 1/draft-ietf-intarea-frag-fragile-09.txt 2019-05-14 14:13:16.876460107 -0700 +++ 2/draft-ietf-intarea-frag-fragile-10.txt 2019-05-14 14:13:16.932461519 -0700 @@ -1,145 +1,154 @@ Internet Area WG R. Bonica Internet-Draft Juniper Networks Intended status: Best Current Practice F. Baker -Expires: August 16, 2019 Unaffiliated +Expires: November 15, 2019 Unaffiliated G. Huston APNIC R. Hinden Check Point Software O. Troan Cisco F. Gont SI6 Networks - February 12, 2019 + May 14, 2019 IP Fragmentation Considered Fragile - draft-ietf-intarea-frag-fragile-09 + draft-ietf-intarea-frag-fragile-10 Abstract - This document describes IP fragmentation and explains how it reduces - the reliability of Internet communication. + This document describes IP fragmentation and explains how it + introduces fragility to Internet communication. This document also proposes alternatives to IP fragmentation and provides recommendations for developers and network operators. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 16, 2019. + This Internet-Draft will expire on November 15, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. IP-in-IP Tunnels . . . . . . . . . . . . . . . . . . . . 3 2. IP Fragmentation . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Links, Paths, MTU and PMTU . . . . . . . . . . . . . . . 3 2.2. Fragmentation Procedures . . . . . . . . . . . . . . . . 5 2.3. Upper-Layer Reliance on IP Fragmentation . . . . . . . . 6 3. Requirements Language . . . . . . . . . . . . . . . . . . . . 7 - 4. Reduced Reliability . . . . . . . . . . . . . . . . . . . . . 7 + 4. Increased Fragility . . . . . . . . . . . . . . . . . . . . . 7 4.1. Policy-Based Routing . . . . . . . . . . . . . . . . . . 7 4.2. Network Address Translation (NAT) . . . . . . . . . . . . 8 4.3. Stateless Firewalls . . . . . . . . . . . . . . . . . . . 9 4.4. Equal Cost Multipath, Link Aggregate Groups and Stateless Load-Balancers . . . . . . . . . . . . . . . . . . . . . 9 4.5. IPv4 Reassembly Errors at High Data Rates . . . . . . . . 10 - 4.6. Security Vulnerabilities . . . . . . . . . . . . . . . . 10 - 4.7. PMTU Blackholing Due to ICMP Loss . . . . . . . . . . . . 11 + 4.6. Security Vulnerabilities . . . . . . . . . . . . . . . . 11 + 4.7. PMTU Blackholing Due to ICMP Loss . . . . . . . . . . . . 12 4.7.1. Transient Loss . . . . . . . . . . . . . . . . . . . 12 - 4.7.2. Incorrect Implementation of Security Policy . . . . . 12 + 4.7.2. Incorrect Implementation of Security Policy . . . . . 13 4.7.3. Persistent Loss Caused By Anycast . . . . . . . . . . 13 - 4.8. Blackholing Due To Filtering or Loss . . . . . . . . . . 13 - 5. Alternatives to IP Fragmentation . . . . . . . . . . . . . . 14 - 5.1. Transport Layer Solutions . . . . . . . . . . . . . . . . 14 - 5.2. Application Layer Solutions . . . . . . . . . . . . . . . 15 - 6. Applications That Rely on IPv6 Fragmentation . . . . . . . . 16 - 6.1. DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 - 6.2. OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . 17 - 6.3. Packet-in-Packet Encapsulations . . . . . . . . . . . . . 17 - 6.4. Licklider Transmission Protocol (LTP) . . . . . . . . . . 18 + 4.7.4. Persistent Loss Caused By Unidirectional Routing . . 14 + 4.8. Blackholing Due To Filtering or Loss . . . . . . . . . . 14 + 5. Alternatives to IP Fragmentation . . . . . . . . . . . . . . 15 + 5.1. Transport Layer Solutions . . . . . . . . . . . . . . . . 15 + 5.2. Application Layer Solutions . . . . . . . . . . . . . . . 16 + 6. Applications That Rely on IPv6 Fragmentation . . . . . . . . 17 + 6.1. Domain Name Service (DNS) . . . . . . . . . . . . . . . . 17 + 6.2. Open Shortest Path First (OSPF) . . . . . . . . . . . . . 18 + 6.3. Packet-in-Packet Encapsulations . . . . . . . . . . . . . 18 + 6.4. UDP Applications Enhancing Performance . . . . . . . . . 18 7. Recommendations . . . . . . . . . . . . . . . . . . . . . . . 18 7.1. For Application and Protocol Developers . . . . . . . . . 18 - 7.2. For System Developers . . . . . . . . . . . . . . . . . . 18 + 7.2. For System Developers . . . . . . . . . . . . . . . . . . 19 7.3. For Middle Box Developers . . . . . . . . . . . . . . . . 19 7.4. For ECMP, LAG and Load-Balancer Developers And Operators 19 - 7.5. For Network Operators . . . . . . . . . . . . . . . . . . 19 + 7.5. For Network Operators . . . . . . . . . . . . . . . . . . 20 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 9. Security Considerations . . . . . . . . . . . . . . . . . . . 20 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 - 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 - 11.1. Normative References . . . . . . . . . . . . . . . . . . 20 - 11.2. Informative References . . . . . . . . . . . . . . . . . 21 + 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 + 11.1. Normative References . . . . . . . . . . . . . . . . . . 21 + 11.2. Informative References . . . . . . . . . . . . . . . . . 22 Appendix A. Contributors' Address . . . . . . . . . . . . . . . 25 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 1. Introduction Operational experience [Kent] [Huston] [RFC7872] reveals that IP - fragmentation reduces the reliability of Internet communication. - This document describes IP fragmentation and explains how it reduces - the reliability of Internet communication. This document also - proposes alternatives to IP fragmentation and provides - recommendations for developers and network operators. + fragmentation introduces fragility to Internet communication. This + document describes IP fragmentation and explains how it introduces + fragility to Internet communication. This document also proposes + alternatives to IP fragmentation and provides recommendations for + developers and network operators. While this document identifies issues associated with IP fragmentation, it does not recommend deprecation. Some applications (see Section 6) require IP fragmentation. Furthermore, fragmentation - is expected to work in limited domains where security and - interoperability issues can be addressed. + is expected to work in domains where security and interoperability + issues are addressed. Rather than deprecating IP Fragmentation, this document recommends that upper-layer protocols address the problem of fragmentation at their layer, reducing their reliance on IP fragmentation to the greatest degree possible. +1.1. IP-in-IP Tunnels + + This document acknowledges that in some cases, packets must be + fragmented within IP-in-IP tunnels [I-D.ietf-intarea-tunnels]. + Therefore, this document makes no recommendations regarding IP-in-IP + tunnels. + 2. IP Fragmentation 2.1. Links, Paths, MTU and PMTU An Internet path connects a source node to a destination node. A path can contain links and routers. If a path contains more than one link, the links are connected in series and a router connects each link to the next. Internet paths are dynamic. Assume that the path from one node to - another contains a set of links and routers. If the network topology - changes, that path can also change so that it includes a different - set of links and routers. + another contains a set of links and routers. If a link fails, the + path can also change so that it includes a different set of links and + routers. Each link is constrained by the number of bytes that it can convey in a single IP packet. This constraint is called the link Maximum Transmission Unit (MTU). IPv4 [RFC0791] requires every link to support a specified MTU (see NOTE 1). IPv6 [RFC8200] requires every link to support an MTU of 1280 bytes or greater. These are called the IPv4 and IPv6 minimum link MTU's. Likewise, each Internet path is constrained by the number of bytes that it can convey in a IP single packet. This constraint is called @@ -187,30 +196,31 @@ its initial value and repeats the procedure described above. Ideally, PMTUD operates as described above. However, in some scenarios, PMTUD fails. For example: o PMTUD relies on the network's ability to deliver ICMP PTB messages to the source node. If the network cannot deliver ICMP PTB messages to the source node, PMTUD fails. o PMTUD is susceptible to attack because ICMP messages are easily - forged [RFC5927]. Such attacks can cause PMTUD to produce - unnecessarily conservative PMTU estimates. + forged [RFC5927] and not authenticated by the receiver. Such + attacks can cause PMTUD to produce unnecessarily conservative PMTU + estimates. NOTE 1: In IPv4, every host must be capable of receiving a packet whose length is equal to 576 bytes. However, the IPv4 minimum link MTU is not 576. Section 3.2 of RFC 791 explicitly states that the IPv4 minimum link MTU is 68 bytes. But for practical purposes, many network operators consider the IPv4 minimum link MTU to be 576 bytes. So, for the purposes of this document, we assume that the IPv4 - minimum link MTU is 576 bytes. + minimum path MTU is 576 bytes. NOTE 2: A non-fragmentable packet can be fragmented at its source. However, it cannot be fragmented by a downstream node. An IPv4 packet whose DF-bit is set to zero is fragmentable. An IPv4 packet whose DF-bit is set to one is non-fragmentable. All IPv6 packets are also non-fragmentable. NOTE 3:: The ICMP PTB message has two instantiations. In ICMPv4 [RFC0792], the ICMP PTB message is Destination Unreachable message with Code equal to (4) fragmentation needed and DF set. This message @@ -292,23 +302,23 @@ ability to deliver ICMP PTB messages to the source. 3. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. -4. Reduced Reliability +4. Increased Fragility - This section explains how IP fragmentation reduces the reliability of + This section explains how IP fragmentation introduces fragility to Internet communication. 4.1. Policy-Based Routing IP Fragmentation causes problems for routers that implement policy- based routing. When a router receives a packet, it identifies the next-hop on route to the packet's destination and forwards the packet to that next-hop. In order to identify the next-hop, the router interrogates a local @@ -366,26 +376,31 @@ translates: o The Source IP Address and Source Port on each outbound packet. o The Destination IP Address and Destination Port on each inbound packet. A+P [RFC6346] and Carrier Grade NAT (CGN) [RFC6888] are two common NAT strategies. In both approaches the NAT device must virtually reassemble fragmented packets in order to translate and forward each - fragment. + fragment. (See NOTE 1.) Virtual reassembly in the network is problematic, because it is computationally expensive and because it is prone to attacks (Section 4.6). + NOTE 1: Virtual reassembly is a procedure in which a device + reassembles a packet, forwards its fragments, and discards the + reassembled copy. In A+P and CGN, virtual reassembly is required in + order to correctly translate fragment addresses. + 4.3. Stateless Firewalls IP fragmentation causes problems for stateless firewalls whose rules include TCP and UDP ports. Because port information is not available in the trailing fragments the firewall is limited to the following options: o Accept all trailing fragments, possibly admitting certain classes of attack. @@ -437,20 +452,24 @@ "At intermediate routers that perform load distribution, the hash algorithm used to determine the outgoing component-link in an ECMP and/or LAG toward the next hop MUST minimally include the 3-tuple {dest addr, source addr, flow label} and MAY also include the remaining components of the 5-tuple." If the algorithm includes only the 3-tuple {dest addr, source addr, flow label}, it will assign all fragments belonging to a packet to the same link. (See [RFC6437] and [RFC7098]). + In order to avoid the problem described above, implementations SHOULD + implement the recommendations provided in Section 7.4 of this + document. + 4.5. IPv4 Reassembly Errors at High Data Rates IPv4 fragmentation is not sufficiently robust for use under some conditions in today's Internet. At high data rates, the 16-bit IP identification field is not large enough to prevent frequent incorrectly assembled IP fragments, and the TCP and UDP checksums are insufficient to prevent the resulting corrupted datagrams from being delivered to higher protocol layers. [RFC4963] describes some easily reproduced experiments demonstrating the problem, and discusses some of the operational implications of these observations. @@ -483,21 +502,21 @@ overwritten by data from the second fragment. The reassembled packet does not comply with local security policy. Had it traversed the firewall in one piece, the firewall would have rejected it. A stateless firewall cannot protect against the overlapping fragment attack. However, destination nodes can protect against the overlapping fragment attack by implementing the procedures described in RFC 1858, RFC 3128 and RFC 8200. These reassembly procedures detect the overlap and discard the packet. - The fragment reassembly algorithm is a stateful procedure for an + The fragment reassembly algorithm is a stateful procedure in an otherwise stateless protocol. Therefore, it can be exploited by resource exhaustion attacks. An attacker can construct a series of fragmented packets, with one fragment missing from each packet so that the reassembly is impossible. Thus, this attack causes resource exhaustion on the destination node, possibly denying reassembly services to other flows. This type of attack can be mitigated by flushing fragment reassembly buffers when necessary, at the expense of possibly dropping legitimate fragments. Each IP fragment contains an "Identification" field that destination @@ -599,20 +618,31 @@ A downstream router drops the packet and sends an ICMP PTB message the packet's source (i.e., the anycast address). The network routes the ICMP PTB message to the anycast instance closest to the downstream router. That anycast instance may not be the DNS server that originated the DNS response. It may be another DNS server with the same anycast address. The DNS server that originated the response may never receive the ICMP PTB message and may never update its PMTU estimate. +4.7.4. Persistent Loss Caused By Unidirectional Routing + + Unidirectional routing can cause persistent loss of ICMP PTB + messages. Consider the example below: + + A source node sends a packet to a destination node. All intermediate + nodes maintain a route to the destination node, but do not maintain a + route to the source node. In this case, when an intermediate node + encounters an MTU issue, it cannot send an ICMP PTB message to the + source node. + 4.8. Blackholing Due To Filtering or Loss In RFC 7872, researchers sampled Internet paths to determine whether they would convey packets that contain IPv6 extension headers. Sampled paths terminated at popular Internet sites (e.g., popular web, mail and DNS servers). The study revealed that at least 28% of the sampled paths did not convey packets containing the IPv6 Fragment extension header. In most cases, fragments were dropped in the destination autonomous @@ -666,41 +697,40 @@ manual configuration prevents TCP from taking advantage of larger link MTU's. Upper-layer protocols can implement PMTUD in order to discover and take advantage of larger path MTUs. However, as mentioned in Section 2.1, PMTUD relies upon the network to deliver ICMP PTB messages. Therefore, PMTUD is applicable only in environments where the risk of ICMP PTB loss is acceptable. By contrast, PLPMTUD does not rely upon the network's ability to - deliver ICMP PTB messages. However, in many loss-based TCP - congestion control algorithms, the dropping of a packet may cause the - TCP control algorithm to drop the congestion control window, or even - re-start with the entire slow start process. For high capacity, long - round-trip time, large volume TCP streams, the deliberate probing - with large packets and the consequent packet drop may impose too - harsh a penalty on total TCP throughput for it to be a viable - approach. [RFC4821] defines PLPMTUD procedures for TCP. + deliver ICMP PTB messages. It utilises probe messages sent as TCP + segments to determine if the probed PMTU can be successfully used + across the network path. In PLPMTUD, probing is separated from + congestion control, so that loss of a TCP probe segment does not + cause a reduction of the congestion control window. [RFC4821] + defines PLPMTUD procedures for TCP. While TCP will never cause the underlying IP module to emit a packet that is larger than the PMTU estimate, it can cause the underlying IP module to emit a packet that is larger than the actual PMTU. If this occurs, the packet is dropped, the PMTU estimate is updated, the segment is divided into smaller segments and each smaller segment is submitted to the underlying IP module. - The Datagram Congestion Control Protocol (DCCP) [RFC4340] and the - Stream Control Protocol (SCP) [RFC4960] also can be operated in a - mode that does not require IP fragmentation. They both accept data - from an application and divide that data into segments, with no - segment exceeding a maximum size. Both DCCP and SCP offer manual + The Datagram Congestion Control Protocol (DCCP) [RFC4340]. the Stream + Control Protocol (SCP) [RFC4960], and the Stream Control Transport + Protocol (SCTP) [RFC4960] also can be operated in a mode that does + not require IP fragmentation. They both accept data from an + application and divide that data into segments, with no segment + exceeding a maximum size. Both DCCP and SCP offer manual configuration, PMTUD and PLPMTUD as mechanisms for managing that maximum size. [I-D.ietf-tsvwg-datagram-plpmtud] proposes PLPMTUD procedures for DCCP and SCP. Currently, User Data Protocol (UDP) [RFC0768] lacks a fragmentation mechanism of its own and relies on IP fragmentation. However, [I-D.ietf-tsvwg-udp-options] proposes a fragmentation mechanism for UDP. 5.2. Application Layer Solutions @@ -753,21 +782,21 @@ Each of these applications relies on IPv6 fragmentation to a varying degree. In some cases, that reliance is essential, and cannot be broken without fundamentally changing the protocol. In other cases, that reliance is incidental, and most implementations already take appropriate steps to avoid fragmentation. This list is not comprehensive, and other protocols that rely on IP fragmentation may exist. They are not specifically considered in the context of this document. -6.1. DNS +6.1. Domain Name Service (DNS) DNS relies on UDP for efficiency, and the consequence is the use of IP fragmentation for large responses, as permitted by the DNS EDNS(0) options in the query. It is possible to mitigate the issue of fragmentation-based packet loss by having queries use smaller EDNS(0) UDP buffer sizes, or by having the DNS server limit the size of its UDP responses to some self-imposed maximum packet size that may be less than the preferred EDNS(0) UDP Buffer Size. In both cases, large responses are truncated in the DNS, signalling to the client to re-query using TCP to obtain the complete response. However, the @@ -777,21 +806,21 @@ Larger DNS responses can normally be avoided by aggressively pruning the Additional section of DNS responses. One scenario where such pruning is ineffective is in the use of DNSSEC, where large key sizes act to increase the response size to certain DNS queries. There is no effective response to this situation within the DNS other than using smaller cryptographic keys and adoption of DNSSEC administrative practices that attempt to keep DNS response as short as possible. -6.2. OSPF +6.2. Open Shortest Path First (OSPF) OSPF implementations can emit messages large enough to cause fragmentation. However, in order to optimize performance, most OSPF implementations restrict their maximum message size to a value that will not cause fragmentation. 6.3. Packet-in-Packet Encapsulations In this document, packet-in-packet encapsulations include IP-in-IP [RFC2003], Generic Routing Encapsulation (GRE) [RFC2784], GRE-in-UDP @@ -800,21 +829,21 @@ mentioned encapsulations. The fragmentation strategy described for GRE in [RFC7588] has been deployed for all of the above-mentioned encapsulations. This strategy does not rely on IP fragmentation except in one corner case. (see Section 3.3.2.2 of RFC 7588 and Section 7.1 of RFC 2473). Section 3.3 of [RFC7676] further describes this corner case. See [I-D.ietf-intarea-tunnels] for further discussion. -6.4. Licklider Transmission Protocol (LTP) +6.4. UDP Applications Enhancing Performance Some UDP applications rely on IP fragmentation to achieve acceptable levels of performance. These applications use UDP datagram sizes that are larger than the path MTU so that more data can be conveyed between the application and the kernel in a single system call. For example, the Licklider Transmission Protocol (LTP) [RFC5326] which is in current use on the International Space Station (ISS) uses UDP datagram sizes larger than the path MTU to achieve acceptable levels of performance even though this invokes IP fragmentation. @@ -840,28 +869,31 @@ rely on IP fragmentation but should only be used in environments where IP fragmentation is known to be supported. Protocols may be able to avoid IP fragmentation by using a sufficiently small MTU (e.g. The protocol minimum link MTU), disabling IP fragmentation, and ensuring that the transport protocol in use adapts its segment size to the MTU. Other protocols may deploy a sufficiently reliable PMTU discovery mechanism (e.g.,PLMPTUD). + UDP applications SHOULD abide by the recommendations state in + Section 3.2 of [RFC8085]. + 7.2. For System Developers Software libraries SHOULD include provision for PLPMTUD for each supported transport protocol. 7.3. For Middle Box Developers - Middle boxes SHOULD process IP fragments in a manner that is + Middle boxes should process IP fragments in a manner that is consistent with [RFC0791] and [RFC8200]. In many cases, middle boxes must maintain state in order to achieve this goal. Price and performance considerations frequently motivate network operators to deploy stateless middle boxes. These stateless middle boxes may perform sub-optimally, process IP fragments in a manner that is not compliant with RFC 791 or RFC 8200, or even discard IP fragments completely. Such behaviors are NOT RECOMMENDED. If a middleboxes implements non-standard behavior with respect to IP fragmentation, then that behavior MUST be clearly documented. @@ -874,60 +906,73 @@ input to their hash algorithm: o IP Source Address. o IP Destination Address. o Flow Label. Operators SHOULD deploy these devices in their default configuration. + These recommendations are similar to those presented in [RFC6438] and + [RFC7098]. They differ in that they specify a default configuration. + 7.5. For Network Operators Operators MUST ensure proper PMTUD operation in their network, including making sure the network generates PTB packets when dropping - packets too large compared to outgoing interface MTU. + packets too large compared to outgoing interface MTU. However, + implementations MAY rate limit ICMP messages as per [RFC1812] and + [RFC4443]. As per RFC 4890, network operators MUST NOT filter ICMPv6 PTB messages unless they are known to be forged or otherwise illegitimate. As stated in Section 4.7, filtering ICMPv6 PTB packets causes PMTUD to fail. Many upper-layer protocols rely on PMTUD. As per RFC 8200, network operators MUST NOT deploy IPv6 links whose MTU is less than 1280 bytes. Network operators SHOULD NOT filter IP fragments if they originated at a domain name server or are destined for a domain name server. + This is because domain name services are critical to operation of the + Internet. 8. IANA Considerations This document makes no request of IANA. 9. Security Considerations This document mitigates some of the security considerations associated with IP fragmentation by discouraging its use. It does not introduce any new security vulnerabilities, because it does not introduce any new alternatives to IP fragmentation. Instead, it recommends well-understood alternatives. 10. Acknowledgements Thanks to Mikael Abrahamsson, Brian Carpenter, Silambu Chelvan, - Lorenzo Colitti, Mike Heard, Tom Herbert, Tatuya Jinmei, Jen Linkova, - Paolo Lucente, Manoj Nayak, Eric Nygren, Fred Templin and Joe Touch - for their comments. + Lorenzo Colitti, Gorry Fairhurst, Mike Heard, Tom Herbert, Tatuya + Jinmei, Jen Linkova, Paolo Lucente, Manoj Nayak, Eric Nygren, Fred + Templin and Joe Touch for their comments. 11. References 11.1. Normative References + [I-D.ietf-tsvwg-datagram-plpmtud] + Fairhurst, G., Jones, T., Tuexen, M., Ruengeler, I., and + T. Voelker, "Packetization Layer Path MTU Discovery for + Datagram Transports", draft-ietf-tsvwg-datagram-plpmtud-07 + (work in progress), February 2019. + [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980, . [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981, . [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981, @@ -958,20 +1003,25 @@ [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, . [RFC6437] Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme, "IPv6 Flow Label Specification", RFC 6437, DOI 10.17487/RFC6437, November 2011, . + [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label + for Equal Cost Multipath Routing and Link Aggregation in + Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011, + . + [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, March 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, @@ -990,47 +1040,45 @@ [Huston] Huston, G., "IPv6, Large UDP Packets and the DNS (http://www.potaroo.net/ispcol/2017-08/xtn-hdrs.html)", August 2017. [I-D.ietf-intarea-tunnels] Touch, J. and M. Townsley, "IP Tunnels in the Internet Architecture", draft-ietf-intarea-tunnels-09 (work in progress), July 2018. - [I-D.ietf-tsvwg-datagram-plpmtud] - Fairhurst, G., Jones, T., Tuexen, M., and I. Ruengeler, - "Packetization Layer Path MTU Discovery for Datagram - Transports", draft-ietf-tsvwg-datagram-plpmtud-06 (work in - progress), November 2018. - [I-D.ietf-tsvwg-udp-options] Touch, J., "Transport Options for UDP", draft-ietf-tsvwg- - udp-options-05 (work in progress), July 2018. + udp-options-07 (work in progress), March 2019. [Kent] Kent, C. and J. Mogul, ""Fragmentation Considered Harmful", In Proc. SIGCOMM '87 Workshop on Frontiers in Computer Communications Technology, DOI 10.1145/55483.55524", August 1987, . [Ptacek1998] Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", 1998, . [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, DOI 10.17487/RFC1122, October 1989, . + [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", + RFC 1812, DOI 10.17487/RFC1812, June 1995, + . + [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security Considerations for IP Fragment Filtering", RFC 1858, DOI 10.17487/RFC1858, October 1995, . [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, DOI 10.17487/RFC2003, October 1996, . [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, @@ -1089,24 +1137,23 @@ [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, DOI 10.17487/RFC5927, July 2010, . [RFC6346] Bush, R., Ed., "The Address plus Port (A+P) Approach to the IPv4 Address Shortage", RFC 6346, DOI 10.17487/RFC6346, August 2011, . - [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label - for Equal Cost Multipath Routing and Link Aggregation in - Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011, - . + [RFC6864] Touch, J., "Updated Specification of the IPv4 ID Field", + RFC 6864, DOI 10.17487/RFC6864, February 2013, + . [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013, . [RFC7098] Carpenter, B., Jiang, S., and W. Tarreau, "Using the IPv6 Flow Label for Load Balancing in Server Farms", RFC 7098, DOI 10.17487/RFC7098, January 2014, .