Deprecation Of The IPv6 Router Alert Option
Juniper Networks
USA
rbonica@juniper.net
INT Area
6man
IPv6
This document deprecates the IPv6 Router Alert Option.
Protocols that use the Router Alert Option may continue to do so,
even in future versions. However, new protocols that are standardized
in the future must not use the Router Alert Option.
This document updates RFC 2711.
In IPv6, optional internet-layer
information is encoded in separate headers that may be placed
between the IPv6 header and the upper-layer header in a packet.
There is a small number of such extension headers, each one
identified by a distinct Next Header value.
One of these extension headers is called the Hop-by-Hop Options
header. The Hop-by-Hop Options header is used to carry optional
information that may be examined and processed by every node along
a packet's delivery path.
The Hop-by-Hop Options header can carry one or more options.
Among these is the Router Alert Option
.
The Router Alert Option provides a mechanism whereby
routers can know when to intercept datagrams not addressed to
them without having to extensively examine every datagram.
The semantic of the Router Alert Option is, "routers should
examine this datagram more closely". Excluding this option
tells the router that there is no need to examine this datagram
more closely.
As explained below, the Router Alert Option introduces many issues.
This document updates .
Implementers of protocols that continue to use the Router
Option can continue to reference for Router
Alert Option details.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all
capitals, as shown here.
identifies security considerations
associated with the Router Alert Option. In a nutshell,
the IP Router Alert Option does not provide a
universal mechanism to accurately and reliably distinguish
between IP Router Alert packets of interest and unwanted IP Router
Alerts. This creates a security concern, because, short of
appropriate router-implementation-specific mechanisms, the router's
control plane is at risk of being flooded by unwanted traffic.
NOTE: Many routers maintain separation between forwarding
and control plane hardware. The forwarding plane is implemented
on high-performance Application Specific Integrated Circuits (ASIC)
and Network Processors (NP), while the control plane is implemented
on general-purpose processors. Given this difference, the control
plane is more susceptible to a Denial-of-Service (DoS) attack than the
forwarding plane.
demonstrates how a network operator can
deploy Access Control Lists (ACL) that protect the control plane from
DoS attack. These ACLs are effective and efficient when they select
packets based upon information that can be found in a fixed position.
However, they become less effective and less efficient when they
must parse an IPv6 Hop-by-Hop Options header, searching for the
Router Alert Option.
So, network operators can address the security considerations
raised in by:
Deploying the operationally complex and computationally
expensive ACLs described in .
Configuring their routers to ignore the Router
Alert Option.
Dropping or severely rate limiting packets that contain the
IPv6 Hop-by-hop Options header at the network edge.
These options become less viable as protocol designers continue
to design protocols that use the Router Alert Option.
seeks to eliminate Hop-by-Hop
processing on the control plane. However, because of its unique
function, the Router Alert option is granted an exception to this rule.
One approach would be to deprecate the Router Alert option, because
current usage beyond the local network appears to be limited,
and packets containing Hop-by-Hop options are frequently dropped.
Deprecation would allow current implementations to continue using it,
but its use could be phased out over time.
This document deprecates the IPv6 Router Alert Option.
Protocols that use the Router Alert Option MAY continue to do so,
even in future versions. However, new protocols that are standardized
in the future MUST NOT use the Router Alert Option.
contains an exhaustive list of protocols that may
continue to use the Router Alert Option.
This document updates .
As listed in , there are a number of protocols
that use the Router Alert option. The only protocols in
the Appendix that have wide spread deployment are
Multicast Listener Discovery Version 2 (MLDv2)
and
Multicast Router Discovery (MRD) .
The other protocols have either limited deployment, are Experimental, or have no known implementation.
It is left for future work to develop new versions of MLDv2 and MRD that do not
rely on the Router Alert option. That task is out of scope for this document.
This document mitigates all security considerations associated with the IPv6 Router Alert
Option. These security considerations can be found in ,
and .
IANA is requested to mark the Router Alert Option as
"Deprecated" in the Destination Options and Hop-by-hop Options
Registry (
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-2)
and add a pointer to this document.
Please include a note describing how this document uses the word "deprecate". Text can be
take from the abstract of this document.
IANA is also requested to make a note in the IPv6 Router Alert Option Values Registry
(https://www.iana.org/assignments/ipv6-routeralert-values/ipv6-routeralert-values.xhtml?) stating
that allocations from this registry are no longer available. Please mark all unused and experimental codepoints in this
registry as "reserved".
Thanks to Zafar Ali, Brian Carpenter, Toerless Eckert, David Farmer,
Adrian Farrel, Bob Hinden and Jen Linkova for their reviews of this document.
contains an exhaustive list of protocols that use the
IPv6 Router Alert Option. There are no known IPv6 implementations of
MPLS PING. Neither INTSERV nor NSIS are widely deployed. All NSIS
protocols are EXPERIMENTAL. Pragmatic Generic Multicast (PGM) is
EXPERIMENTAL and there are no known IPv6 implementations.
Protocol
References
Application
Multicast Listener Discovery Version 2 (MLDv2)
IPv6 Multicast
Multicast Router Discovery (MRD)
IPv6 Multicast
Pragmatic General Multicast (PGM)
IPv6 Multicast
MPLS PING (Use of router alert deprecated)
MPLS OAM
Resource Reservation Protocol (RSVP): Both IPv4 and IPv6 implementations
Integrated Services (INTSERV)
and
Multiprotocol Label Switching (MPLS)
Next Steps In Signaling (NSIS)
NSIS