draft-ietf-v6ops-ipv6-ehs-in-real-world-00.txt		draft-ietf-v6ops-ipv6-ehs-in-real-world-01.txt
	IPv6 Operations Working Group (v6ops) F. Gont		IPv6 Operations Working Group (v6ops) F. Gont
	Internet-Draft SI6 Networks / UTN-FRH		Internet-Draft SI6 Networks / UTN-FRH
	Intended status: Informational J. Linkova		Intended status: Informational J. Linkova
	Expires: October 23, 2015 Google		Expires: April 17, 2016 Google
	T. Chown		T. Chown
	University of Southampton		University of Southampton
	W. Liu		W. Liu
	Huawei Technologies		Huawei Technologies
	April 21, 2015		October 15, 2015
	Observations on IPv6 EH Filtering in the Real World		Observations on the Dropping of Packets with IPv6 Extension Headers in
	draft-ietf-v6ops-ipv6-ehs-in-real-world-00		the Real World
			draft-ietf-v6ops-ipv6-ehs-in-real-world-01
	Abstract		Abstract
	This document presents real-world data regarding the extent to which		This document presents real-world data regarding the extent to which
	packets with IPv6 extension headers are filtered in the Internet (as		packets with IPv6 extension headers are dropped in the Internet (as
	measured in August 2014), and where in the network such filtering		measured in August 2014), and where in the network such dropping
	occurs. The aforementioned results serve as a problem statement that		occurs. The aforementioned results serve as a problem statement that
	is expected to trigger operational advice on the filtering of IPv6		is expected to trigger operational advice on the filtering of IPv6
	packets carrying IPv6 Extension Headers, so that the situation		packets carrying IPv6 Extension Headers, so that the situation
	improves over time. This document also explains how the		improves over time. This document also explains how the
	aforementioned results were obtained, such that the corresponding		aforementioned results were obtained, such that the corresponding
	measurements can be reproduced by other members of the community.		measurements can be reproduced by other members of the community.
	Status of This Memo		Status of This Memo
	This Internet-Draft is submitted in full conformance with the		This Internet-Draft is submitted in full conformance with the
	skipping to change at page 1, line 43		skipping to change at page 1, line 44
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.		Drafts is at http://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on October 23, 2015.		This Internet-Draft will expire on April 17, 2016.
	Copyright Notice		Copyright Notice
	Copyright (c) 2015 IETF Trust and the persons identified as the		Copyright (c) 2015 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of		(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 2, line 26		skipping to change at page 2, line 31
	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2		1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
	2. Support of IPv6 Extension Headers in the Internet . . . . . . 3		2. Support of IPv6 Extension Headers in the Internet . . . . . . 3
	3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7		3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
	4. Security Considerations . . . . . . . . . . . . . . . . . . . 7		4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
	5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7		5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
	6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7		6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
	6.1. Normative References . . . . . . . . . . . . . . . . . . 7		6.1. Normative References . . . . . . . . . . . . . . . . . . 7
	6.2. Informative References . . . . . . . . . . . . . . . . . 8		6.2. Informative References . . . . . . . . . . . . . . . . . 8
	Appendix A. Reproducing Our Experiment . . . . . . . . . . . . . 9		Appendix A. Reproducing Our Experiment . . . . . . . . . . . . . 9
	A.1. Obtaining the List of Domain Names . . . . . . . . . . . 9		A.1. Obtaining the List of Domain Names . . . . . . . . . . . 10
	A.2. Obtaining AAAA Resource Records . . . . . . . . . . . . . 10		A.2. Obtaining AAAA Resource Records . . . . . . . . . . . . . 10
	A.3. Filtering the IPv6 Address Datasets . . . . . . . . . . . 10		A.3. Filtering the IPv6 Address Datasets . . . . . . . . . . . 10
	A.4. Performing Measurements with Each IPv6 Address Dataset . 11		A.4. Performing Measurements with Each IPv6 Address Dataset . 11
	A.5. Obtaining Statistics from our Measurements . . . . . . . 12		A.5. Obtaining Statistics from our Measurements . . . . . . . 12
	Appendix B. Measurements Caveats . . . . . . . . . . . . . . . . 13		Appendix B. Measurements Caveats . . . . . . . . . . . . . . . . 13
	B.1. Isolating the Dropping Node . . . . . . . . . . . . . . . 13		B.1. Isolating the Dropping Node . . . . . . . . . . . . . . . 13
	B.2. Obtaining the Responsible Organization for the Packet		B.2. Obtaining the Responsible Organization for the Packet
	Drops . . . . . . . . . . . . . . . . . . . . . . . . . . 14		Drops . . . . . . . . . . . . . . . . . . . . . . . . . . 14
	Appendix C. Troubleshooting Packet Drops due to IPv6 Extension		Appendix C. Troubleshooting Packet Drops due to IPv6 Extension
	Headers . . . . . . . . . . . . . . . . . . . . . . 15		Headers . . . . . . . . . . . . . . . . . . . . . . 15
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15		Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
	1. Introduction		1. Introduction
	IPv6 Extension Headers (EHs) allow for the extension of the IPv6		IPv6 Extension Headers (EHs) allow for the extension of the IPv6
	protocol, and provide support for core functionality such as IPv6		protocol, and provide support for core functionality such as IPv6
	fragmentation. While packets employing IPv6 Extension Headers have		fragmentation. While packets employing IPv6 Extension Headers have
	been suspected to be dropped in some IPv6 deployments, there was not		been suspected to be dropped in some IPv6 deployments, there was not
	much concrete data on the topic. Some preliminary measurements have		much concrete data on the topic. Some preliminary measurements have
	been presented in [PMTUD-Blackholes], [Gont-IEPG88] and		been presented in [PMTUD-Blackholes], [Gont-IEPG88] and
	[Gont-Chown-IEPG89], whereas [Linkova-Gont-IEPG90] presents more		[Gont-Chown-IEPG89], whereas [Linkova-Gont-IEPG90] presents more
	comprehensive results on which this document is based.		comprehensive results on which this document is based.
	This document presents real-world data regarding the extent to which		This document presents real-world data regarding the extent to which
	packets containing IPv6 Extension Headers are filtered in the		packets containing IPv6 Extension Headers are dropped in the
	Internet, as measured in August 2014 (pending operational advice in		Internet, as measured in August 2014 (pending operational advice in
	this area). The results presented in this document indicate that in		this area). The results presented in this document indicate that in
	the scenarios where the corresponding measurements were performed,		the scenarios where the corresponding measurements were performed,
	the use of IPv6 extension headers can lead to packet drops. We note		the use of IPv6 extension headers can lead to packet drops. We note
	that, in particular, packet drops occurring at transit networks are		that, in particular, packet drops occurring at transit networks are
	undesirable, and it is hoped and expected that this situation will		undesirable, and it is hoped and expected that this situation will
	improve over time.		improve over time.
	2. Support of IPv6 Extension Headers in the Internet		2. Support of IPv6 Extension Headers in the Internet
	skipping to change at page 7, line 14		skipping to change at page 7, line 14
	3. IANA Considerations		3. IANA Considerations
	There are no IANA registries within this document. The RFC-Editor		There are no IANA registries within this document. The RFC-Editor
	can remove this section before publication of this document as an		can remove this section before publication of this document as an
	RFC.		RFC.
	4. Security Considerations		4. Security Considerations
	This document presents real-world data regarding the extent to which		This document presents real-world data regarding the extent to which
	IPv6 packets employing extension headers are filtered in the		IPv6 packets employing extension headers are dropped in the Internet.
	Internet. As such, this document does not introduce any new security		As such, this document does not introduce any new security issues.
	issues.
	5. Acknowledgements		5. Acknowledgements
	The authors would like to thank (in alphabetical order) Mikael		The authors would like to thank (in alphabetical order) Mikael
	Abrahamsson, Mark Andrews, Fred Baker, Brian Carpenter, Gert Doering,		Abrahamsson, Mark Andrews, Fred Baker, Brian Carpenter, Gert Doering,
	C. M. Heard, Nick Hilliard, Joel Jaeggli, Tatuya Jinmei, Merike		C. M. Heard, Nick Hilliard, Joel Jaeggli, Tatuya Jinmei, Merike
	Kaeo, Warren Kumari, Mark Smith, Ole Troan, and Eric Vyncke, for		Kaeo, Warren Kumari, Ted Lemon, Mark Smith, Ole Troan, and Eric
	providing valuable comments on earlier versions of this document.		Vyncke, for providing valuable comments on earlier versions of this
	Additionally, the authors would like to thank participants of the		document. Additionally, the authors would like to thank participants
	v6ops and opsec working groups for their valuable input on the topics		of the v6ops and opsec working groups for their valuable input on the
	discussed in this document.		topics discussed in this document.
	The authors would like to thank Fred Baker for his guidance in		The authors would like to thank Fred Baker for his guidance in
	improving this document.		improving this document.
	Fernando Gont would like to thank Jan Zorz / Go6 Lab		Fernando Gont would like to thank Jan Zorz / Go6 Lab
	<http://go6lab.si/>, and Jared Mauch / NTT America, for providing		<http://go6lab.si/>, and Jared Mauch / NTT America, for providing
	access to systems and networks that were employed to produce some of		access to systems and networks that were employed to produce some of
	the measurement results presented in this document. Additionally, he		the measurement results presented in this document. Additionally, he
	would like to thank SixXS <https://www.sixxs.net> for providing IPv6		would like to thank SixXS <https://www.sixxs.net> for providing IPv6
	connectivity.		connectivity.
	6. References		6. References
	6.1. Normative References		6.1. Normative References
	[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC		[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
	793, September 1981.		RFC 793, DOI 10.17487/RFC0793, September 1981,
			<http://www.rfc-editor.org/info/rfc793>.
	[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",		[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
	STD 13, RFC 1034, November 1987.		STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
			<http://www.rfc-editor.org/info/rfc1034>.
	[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6		[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
	(IPv6) Specification", RFC 2460, December 1998.		(IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
			December 1998, <http://www.rfc-editor.org/info/rfc2460>.
	[RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control		[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
	Message Protocol (ICMPv6) for the Internet Protocol		Control Message Protocol (ICMPv6) for the Internet
	Version 6 (IPv6) Specification", RFC 4443, March 2006.		Protocol Version 6 (IPv6) Specification", RFC 4443,
			DOI 10.17487/RFC4443, March 2006,
			<http://www.rfc-editor.org/info/rfc4443>.
	[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,		[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
	"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,		"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
	September 2007.		DOI 10.17487/RFC4861, September 2007,
			<http://www.rfc-editor.org/info/rfc4861>.
	[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation		[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
	Algorithm", RFC 6145, April 2011.		Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
			<http://www.rfc-editor.org/info/rfc6145>.
	[RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC		[RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments",
	6946, May 2013.		RFC 6946, DOI 10.17487/RFC6946, May 2013,
			<http://www.rfc-editor.org/info/rfc6946>.
	6.2. Informative References		6.2. Informative References
			[blackhole6]
			blackhole6, , "blackhole6 tool manual page",
			<http://www.si6networks.com/tools/ipv6toolkit>, 2014.
	[Gont-Chown-IEPG89]		[Gont-Chown-IEPG89]
	Gont, F. and T. Chown, "A Small Update on the Use of IPv6		Gont, F. and T. Chown, "A Small Update on the Use of IPv6
	Extension Headers", IEPG 89. London, UK. March 2, 2014,		Extension Headers", IEPG 89. London, UK. March 2, 2014,
	<http://www.iepg.org/2014-03-02-ietf89/		<http://www.iepg.org/2014-03-02-ietf89/
	fgont-iepg-ietf89-eh-update.pdf>.		fgont-iepg-ietf89-eh-update.pdf>.
	[Gont-IEPG88]		[Gont-IEPG88]
	Gont, F., "Fragmentation and Extension header Support in		Gont, F., "Fragmentation and Extension header Support in
	the IPv6 Internet", IEPG 88. Vancouver, BC, Canada.		the IPv6 Internet", IEPG 88. Vancouver, BC, Canada.
	November 13, 2013, <http://www.iepg.org/2013-11-ietf88/		November 13, 2013, <http://www.iepg.org/2013-11-ietf88/
	fgont-iepg-ietf88-ipv6-frag-and-eh.pdf>.		fgont-iepg-ietf88-ipv6-frag-and-eh.pdf>.
	[IANA-PORT-NUMBERS]		[IANA-PORT-NUMBERS]
	IANA, "Service Name and Transport Protocol Port Number		IANA, "Service Name and Transport Protocol Port Number
	Registry", <http://www.iana.org/assignments/		Registry", <http://www.iana.org/assignments/
	service-names-port-numbers/		service-names-port-numbers/
	service-names-port-numbers.txt>.		service-names-port-numbers.txt>.
	[IPv6-Toolkit]		[IPv6-Toolkit]
	"SI6 Networks' IPv6 Toolkit",		"SI6 Networks' IPv6 Toolkit",
	<http://www.si6networks.com/tools/ipv6toolkit>.		<http://www.si6networks.com/tools/ipv6toolkit>.
	[Linkova-Gont-IEPG90]		[Linkova-Gont-IEPG90]
	Linkova, J. and F. Gont, "IPv6 Extension Headers in the		Linkova, J. and F. Gont, "IPv6 Extension Headers in the
	Real World v2.0", IEPG 90. Toronto, ON, Canada. July 20,		Real World v2.0", IEPG 90. Toronto, ON, Canada. July 20,
	2014, <http://www.iepg.org/2014-07-20-ietf90/		2014, <http://www.iepg.org/2014-07-20-ietf90/
	iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf>.		iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf>.
			[path6] path6, , "path6 tool manual page",
			<http://www.si6networks.com/tools/ipv6toolkit>, 2014.
	[PMTUD-Blackholes]		[PMTUD-Blackholes]
	De Boer, M. and J. Bosma, "Discovering Path MTU black		De Boer, M. and J. Bosma, "Discovering Path MTU black
	holes on the Internet using RIPE Atlas", July 2012,		holes on the Internet using RIPE Atlas", July 2012,
	<http://www.nlnetlabs.nl/downloads/publications/		<http://www.nlnetlabs.nl/downloads/publications/
	pmtu-black-holes-msc-thesis.pdf>.		pmtu-black-holes-msc-thesis.pdf>.
	[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010.		[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
			DOI 10.17487/RFC5927, July 2010,
			<http://www.rfc-editor.org/info/rfc5927>.
	[RFC6980] Gont, F., "Security Implications of IPv6 Fragmentation		[RFC6980] Gont, F., "Security Implications of IPv6 Fragmentation
	with IPv6 Neighbor Discovery", RFC 6980, August 2013.		with IPv6 Neighbor Discovery", RFC 6980,
			DOI 10.17487/RFC6980, August 2013,
			<http://www.rfc-editor.org/info/rfc6980>.
	[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing		[RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing
	of IPv6 Extension Headers", RFC 7045, December 2013.		of IPv6 Extension Headers", RFC 7045,
			DOI 10.17487/RFC7045, December 2013,
			<http://www.rfc-editor.org/info/rfc7045>.
	[RFC7113] Gont, F., "Implementation Advice for IPv6 Router		[RFC7113] Gont, F., "Implementation Advice for IPv6 Router
	Advertisement Guard (RA-Guard)", RFC 7113, February 2014.		Advertisement Guard (RA-Guard)", RFC 7113,
			DOI 10.17487/RFC7113, February 2014,
			<http://www.rfc-editor.org/info/rfc7113>.
	[RFC7123] Gont, F. and W. Liu, "Security Implications of IPv6 on		[RFC7123] Gont, F. and W. Liu, "Security Implications of IPv6 on
	IPv4 Networks", RFC 7123, February 2014.		IPv4 Networks", RFC 7123, DOI 10.17487/RFC7123, February
			2014, <http://www.rfc-editor.org/info/rfc7123>.
	[blackhole6]
	blackhole6, , "blackhole6 tool manual page",
	<http://www.si6networks.com/tools/ipv6toolkit>, 2014.
	[path6] path6, , "path6 tool manual page",
	<http://www.si6networks.com/tools/ipv6toolkit>, 2014.
	Appendix A. Reproducing Our Experiment		Appendix A. Reproducing Our Experiment
	This section describes, step by step, how to reproduce the experiment		This section describes, step by step, how to reproduce the experiment
	with which we obtained the results presented in this document. Each		with which we obtained the results presented in this document. Each
	subsection represents one step in the experiment. The tools employed		subsection represents one step in the experiment. The tools employed
	for the experiment are traditional UNIX-like tools (such as gunzip),		for the experiment are traditional UNIX-like tools (such as gunzip),
	and the SI6 Networks' IPv6 Toolkit [IPv6-Toolkit].		and the SI6 Networks' IPv6 Toolkit [IPv6-Toolkit].
	A.1. Obtaining the List of Domain Names		A.1. Obtaining the List of Domain Names
	skipping to change at page 14, line 25		skipping to change at page 14, line 38
	enabled traceroute" ("2001:db8:4:1000::1" in our case), as "M+1",		enabled traceroute" ("2001:db8:4:1000::1" in our case), as "M+1",
	etc.		etc.
	Based on traceroute information above, which node is the one actually		Based on traceroute information above, which node is the one actually
	dropping the EH-enabled packets will depend on whether the dropping		dropping the EH-enabled packets will depend on whether the dropping
	node filters packets before making the forwarding decision, or after		node filters packets before making the forwarding decision, or after
	making the forwarding decision. If the former, the dropping node		making the forwarding decision. If the former, the dropping node
	will be M+1. If the latter, the dropping node will be "M".		will be M+1. If the latter, the dropping node will be "M".
	Throughout this document (and our measurements), we assume that those		Throughout this document (and our measurements), we assume that those
	nodes filtering packets that carry IPv6 EHs apply their filtering		nodes dropping packets that carry IPv6 EHs apply their filtering
	policy, and only then, if necessary, forward the packets. Thus, in		policy, and only then, if necessary, forward the packets. Thus, in
	our example above the last responding node to the EH-enabled		our example above the last responding node to the EH-enabled
	traceroute ("M") is "2001:db8:4:4000::1", and therefore we assume the		traceroute ("M") is "2001:db8:4:4000::1", and therefore we assume the
	dropping node to be "2001:db8:4:1000::1" ("M+1").		dropping node to be "2001:db8:4:1000::1" ("M+1").
	Additionally, we note that when isolating the dropping node we assume		Additionally, we note that when isolating the dropping node we assume
	that both the EH-enabled and the EH-free traceroutes result in the		that both the EH-enabled and the EH-free traceroutes result in the
	same paths. However, this might not be the case.		same paths. However, this might not be the case.
	B.2. Obtaining the Responsible Organization for the Packet Drops		B.2. Obtaining the Responsible Organization for the Packet Drops
End of changes. 28 change blocks.
	44 lines changed or deleted		62 lines changed or added
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/