Network Working Group
Independent Submission                                        T. Mizrahi
Internet Draft
Request for Comments: 8367                                       Marvell
Intended status:
Category: Informational                                       J. Yallouz
Expires: August 2018
ISSN: 2070-1721                                                    Intel
                                                      February 21,
                                                            1 April 2018

         Wrongful Termination of Internet Protocol (IP) Packets
                   draft-tj-wrongful-termination-00.txt

Abstract

   Routers and middleboxes terminate packets for various reasons.  In
   some cases, these packets are wrongfully terminated.  This memo
   describes some of the most common scenarios of wrongful termination
   of Internet Protocol (IP) packets, packets and presents recommendations for
   mitigating them.

Status of this This Memo

   This memo provides information for the Internet community.  It does document is not specify an Internet standard Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any kind.  Distribution other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this
   memo is unlimited. document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8367.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1. Introduction...................................................2 Introduction ................................................... 2
   2. Abbreviations..................................................2 Abbreviations .................................................. 2
   3. Wrongful Termination Scenarios.................................2 Scenarios ................................. 3
      3.1. Color-based Termination...................................2 Color-Based Termination ................................... 3
      3.2. Age-based Termination.....................................3 Age-Based Termination ..................................... 3
      3.3. Origin-based Termination..................................3 Origin-Based Termination .................................. 4
      3.4. Length-based Termination..................................4 Length-Based Termination .................................. 4
      3.5. IP-version-based Termination..............................4 IP-Version-Based Termination .............................. 5
      3.6. Flag-based Termination....................................4 Flag-Based Termination .................................... 5
   4. Security Considerations........................................5 Considerations ........................................ 5
   5. IANA Considerations............................................5 Considerations ............................................ 5
   6. Conclusion.....................................................5 Conclusion ..................................................... 6
   7. Acknowledgments................................................5
   8. References.....................................................5
      8.1. References ..................................................... 6
      7.1. Normative References......................................5
      8.2. References ...................................... 6
      7.2. Informative References....................................6 References .................................... 6
   Authors' Addresses ................................................ 6

1.  Introduction

   IP packets are often terminated by network devices.  In some cases
   control plane cases,
   control-plane packets are terminated and processed by the local
   device, while in other cases packets are terminated (discarded) due
   to a packet filtering mechanism.  Packet filtering is widely employed
   in network devices for sanity checking, policy enforcement, and
   security.  IP routers and middleboxes, such as firewalls, often
   terminate packets that do not comply to with a pre-defined predefined policy.
   Unfortunately, some filtering policies tend to cause false positive or
   unnecessary packet termination.  Moreover, in some cases these wrongful
   terminations are biased, sometimes biased and tend to discriminate against packets
   based on their color, age, origin, length, or IP version.

   This memo discusses some of the most common scenarios of wrongful
   termination of IP packets, packets and presents recommendations for preventing
   such discrimination.

2.  Abbreviations

   IP    Internet Protocol

   TTL   Time To Live

   OAM   Operations, Administration, and Maintenance

3.  Wrongful Termination Scenarios

3.1. Color-based  Color-Based Termination

   Synopsis

      IP packets are terminated due to their color.

   Description

      Routers often employ metering mechanisms [RFC4115].  These
      mechanisms often support a color-aware mode, in which the packet's
      color (green, yellow, or red) is used as a criterion in the
      metering algorithm.  This mode has been known to prefer green
      packets over red and yellow packets.

   Recommendation

   This memo recommends to use

      Use of color-blind metering, allowing metering is recommended, as it allows equal
      opportunity for packets of different colors.

3.2. Age-based  Age-Based Termination

   Synopsis

      IP packets are terminated based on their Time To Live (TTL). TTL.

   Description

      The IPv4 TTL field [RFC791], [RFC791] and the IPv6 Hop Limit field [RFC8200]
      are used for loop prevention.  These fields essentially represent
      the packet's age.  A router that receives an IP packet with a TTL
      value of 0 or 1 typically terminates the packet.  In this
      document, packets with a TTL or Hop Limit of 0 or 1 are referred
      to as 'senior packets'.

   Recommendation

   It is recommended to

      When possible, the practice of reverse discrimination when possible. is
      recommended.  Notably, senior packets have been known to be highly
      effective for
   operations, administration and maintenance (OAM) OAM tasks, such as Hello
   [RFC2328], [RFC2328] and Traceroute
      [RFC2151].  Therefore, senior packets should not be easily
      dismissed; to the extent possible, senior packets should be used
      in control plane control-plane protocols.

3.3. Origin-based  Origin-Based Termination

   Synopsis

      IP packets are terminated based on their origin (source IP address
      prefix).

   Description

      Routers and middleboxes often perform IP address filtering.
      Packets are often discarded based on the prefix of their source IP
      address.  In this memo, prefix-based source address filtering is
      referred to as origin-based filtering.  While source IP address
      filtering is an acceptable technique for preventing security
      attacks performed by known attackers, filtering an entire prefix
      may lead to unnecessary termination of legitimate traffic.

   Recommendation

      Origin-based filtering should be limited, to the extent possible,
      so as not to punish an entire autonomous system for the crime of a
      single host. Individual-address-based  Individual address-based filtering should be
      preferred in cases where the address of the potential threat is well-known.
      well known.

3.4. Length-based  Length-Based Termination

   Synopsis

      Short IP packets are wrongfully terminated due to their length.

   Description

      The minimum permissible size of an IPv4 [RFC791] packet is 20
      octets, and the minimum size of an IPv6 [RFC8200] packet is 40
      octets.  However, due to the size limits of an Ethernet, it is
      often the case that IP packets that are shorter than 46 octets are
      discarded.  This is due to the fact that because the minimal Ethernet frame size is 64
      octets, the minimal Ethernet header size is 14 octets, and the
      Ethernet Frame Check Sequence is 4 octets long (64 (i.e., 64 - 14 - 4
      = 46). In the context of this memo, legal legitimate IP packets that are
      less than 46 octets long are referred to as 'short IP packets'.

   Recommendation

      Short IP packets should not be discarded.  The Ethernet frame
      length should be enforced at the Ethernet layer, while the IP
      layer should avoid the discrimination of short IP packets.

3.5. IP-version-based  IP-Version-Based Termination

   Synopsis

      IPv6 packets are terminated due to their version.

   Description

      Many routers and middleboxes are configured to process only IPv4
      [RFC791] packets, packets and to reject IPv6 [RFC8200] packets.

   Recommendation

      It is quite unsettling that in the second decade of the 21st century there are still networks in which IPv6
      packets are deemed unwanted. unwanted in the second decade of the 21st
      century.  Indeed, IPv6 packets have a slightly shorter payload
      than IPv4 packets.  However, they bare the potential for the
      future growth of the internet. Internet.  It is time for operators to
      finally give IPv6 its well-
   deserved well-deserved opportunity.

3.6. Flag-based  Flag-Based Termination

   Synopsis

      IPv4 packets are terminated since because their More Fragments (MF) flag
      is set.

   Description

      Many routers and middleboxes are configured to discard fragmented
      packets.

   Recommendation

      A packet should not be discarded on the grounds of a flag it
      supports.  All flags should be respected, as well as the features
      they represent.

4.  Security Considerations

   This memo proposes to practice liberality with respect to IP packet
   filtering in routers and middleboxes.  Arguably, such a liberal
   approach may compromise security in some cases.  However, we argue
   that security must not only be done, but must be seen to be done.

5.  IANA Considerations

   There are

   This document has no IANA considerations implied by this memo. actions.

6.  Conclusion

   This memo recommends that every router and middlebox should be an Equal
   Opportunity Device, which does not discriminate on the basis of
   actual or perceived rate, color, age, origin, length, IP version,
   fragmentation characteristics, higher layer higher-layer protocols, or any other
   internet protocol
   IP characteristic.

7. Acknowledgments

   This document was prepared using 2-Word-v2.0.template.dot.

  8.  References

8.1.

7.1.  Normative References

   [RFC791]   Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981, <http://www.rfc-
                 editor.org/info/rfc791>.
              <https://www.rfc-editor.org/info/rfc791>.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017, <https://www.rfc-
                 editor.org/info/rfc8200>.

8.2.
              <https://www.rfc-editor.org/info/rfc8200>.

7.2.  Informative References

   [RFC2151]  Kessler, G. and S. Shepard, "A Primer On Internet and
              TCP/IP Tools and Utilities", FYI 30, RFC 2151,
              DOI 10.17487/RFC2151, June 1997, <http://www.rfc-
                 editor.org/info/rfc2151>.
              <https://www.rfc-editor.org/info/rfc2151>.

   [RFC2328]  Moy, J., "OSPF Version 2", STD 54, RFC 2328,
              DOI 10.17487/RFC2328, April 1998, <http://www.rfc-
                 editor.org/info/rfc2328>.
              <https://www.rfc-editor.org/info/rfc2328>.

   [RFC4115]  Aboul-Magd, O. and S. Rabie, "A Differentiated Service
              Two-Rate, Three-Color Marker with Efficient Handling of
              in-Profile Traffic", RFC 4115, DOI 10.17487/RFC4115,
              July 2005, <http://www.rfc-
                 editor.org/info/rfc4115>. <https://www.rfc-editor.org/info/rfc4115>.

Authors' Addresses

   Tal Mizrahi
   Marvell
   Email: talmi@marvell.com

   Jose Yallouz
   Intel
   Email: jose@alumni.technion.ac.il