<?xmlversion="1.0" encoding="US-ASCII"?>version='1.0' encoding='utf-8'?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd"> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="4"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ietf-core-hop-limit-07"ipr="trust200902">number="8768" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" consensus="true" xml:lang="en" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3"> <front> <title abbrev="CoAPHop LimitHop-Limit Option">Constrained Application Protocol (CoAP) Hop-Limit Option</title> <seriesInfo name="RFC" value="8768"/> <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair"> <organization>Orange</organization> <address> <postal><street></street><city>Rennes</city><region></region><code>35000</code> <country>France</country> </postal> <email>mohamed.boucadair@orange.com</email> </address> </author> <author fullname="TirumaleswarReddy"Reddy.K" initials="T."surname="Reddy">surname="Reddy.K"> <organization abbrev="McAfee">McAfee, Inc.</organization> <address> <postal> <street>Embassy Golf Link Business Park</street> <city>Bangalore</city> <region>Karnataka</region> <code>560071</code> <country>India</country> </postal> <email>kondtir@gmail.com</email> </address> </author> <author fullname="Jon Shallow" initials="J." surname="Shallow"><organization></organization><organization/> <address> <postal><street></street> <city></city> <region></region> <code></code><country>United Kingdom</country> </postal> <email>supjps-ietf@jpshallow.com</email> </address> </author> <date/>month="March" year="2020"/> <workgroup>CORE</workgroup> <keyword>security</keyword> <keyword>mitigation</keyword> <keyword>service delivery</keyword> <keyword>connectivity</keyword> <keyword>anti-DDoS</keyword> <keyword>automation</keyword> <keyword>cooperation</keyword> <keyword>Resilience</keyword> <keyword>Filtering</keyword> <keyword>Security Center</keyword> <keyword>Mitigator</keyword> <keyword>Scrubbing</keyword> <keyword>dynamic service protection</keyword> <keyword>dynamic mitigation</keyword> <abstract> <t>The presence of Constrained Application Protocol (CoAP) proxies may lead to infinite forwarding loops, which is undesirable. To prevent and detect such loops, this document specifies the Hop-Limit CoAP option.</t> </abstract> </front> <middle> <section anchor="introduction"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>More and more applications are using the Constrained Application Protocol (CoAP) <xreftarget="RFC7252"></xref>target="RFC7252" format="default"/> as a communication protocol between application agents. For example, <xreftarget="I-D.ietf-dots-signal-channel"></xref>target="I-D.ietf-dots-signal-channel" format="default"/> specifies how CoAP is used as a signaling protocol between domains under distributed denial-of-service (DDoS) attacks and DDoS mitigation providers. In such contexts, a CoAP client can communicate directly with a server or indirectly via proxies.</t> <t>When multiple proxies are involved, infinite forwarding loops may be experienced (e.g., routing misconfiguration, policy conflicts). To prevent such loops, this document defines a new CoAP option, called Hop-Limit (<xreftarget="spec"></xref>).target="spec" format="default"/>). Also, the document defines a new CoAP Response Code (<xreftarget="code"></xref>)target="code" format="default"/>) to report loops together with relevant diagnostic information to ease troubleshooting (<xreftarget="debug"></xref>).</t>target="debug" format="default"/>).</t> <sectiontitle="Intended Usage">numbered="true" toc="default"> <name>Intended Usage</name> <t>The Hop-Limit option was originally designed for a specific use case <xreftarget="I-D.ietf-dots-signal-channel"></xref>.target="I-D.ietf-dots-signal-channel" format="default"/>. However, its intended usage is general:<list style="empty"> <t>New</t> <ul empty="true" spacing="normal"> <li>New CoAP proxiesMUST<bcp14>MUST</bcp14> implement this option and have it enabled bydefault.</t> </list></t>default.</li> </ul> <t>Note that this means that a server that receives requests both via proxies and directly from clients may see otherwise identical requests with and without the Hop-Limit option included; servers with internal caching will therefore also want to implement this option, since understanding the Hop-Limit option will improve caching efficiency.</t> </section> </section> <section anchor="notation"title="Terminology"> <t>Thenumbered="true" toc="default"> <name>Terminology</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119"></xref><xref target="RFC8174"></xref>target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> <t>Readers should be familiar with the terms and concepts defined in <xreftarget="RFC7252"></xref>.</t>target="RFC7252" format="default"/>.</t> </section> <section anchor="spec"title="Hop-Limit Option">numbered="true" toc="default"> <name>Hop-Limit Option</name> <t>The properties of the Hop-Limit option are shown inTable 1.<xref target="tab-option-props" format="default"/>. The formatting of this table follows the one used in Table 4 of <xreftarget="RFC7252"></xref> (Section 5.10).target="RFC7252" section="5.10" sectionFormat="parens" format="default"/>. The C, U, N, and R columns indicate the properties Critical, Unsafe, NoCacheKey, and Repeatable defined inSection 5.4 of<xreftarget="RFC7252"></xref>.target="RFC7252" section="5.4" sectionFormat="of" format="default"/>. None of these properties is marked for the Hop-Limit option.</t><t><figure align="center"> <artwork align="center"><![CDATA[+--------+---+---+---+---+-----------+--------+--------+---------+ | Number | C | U | N | R | Name | Format | Length | Default | +--------+---+---+---+---+-----------+--------+--------+---------+ | TBA2 | | | | | Hop-Limit | uint | 1 | 16 | +--------+---+---+---+---+-----------+--------+--------+---------+ Table 1: CoAP<table anchor="tab-option-props"> <name>CoAP Hop-Limit OptionProperties]]></artwork> </figure></t>Properties</name> <thead> <tr> <th>Number</th> <th>C</th> <th>U</th> <th>N</th> <th>R</th> <th>Name</th> <th>Format</th> <th>Length</th> <th>Default</th> </tr> </thead> <tbody> <tr> <td>16</td> <td> </td> <td> </td> <td> </td> <td> </td> <td>Hop-Limit</td> <td>uint</td> <td>1</td> <td>16</td> </tr> </tbody> </table> <t>The Hop-Limit option (<xreftarget="option"></xref>)target="option" format="default"/>) is an elective option used to detect and prevent infinite loops of CoAP requests when proxies are involved. The option is not repeatable. Therefore, any request carrying multiple Hop-Limit optionsMUST<bcp14>MUST</bcp14> be handled following the procedure specified inSection 5.4.5 of<xreftarget="RFC7252"></xref>.</t>target="RFC7252" section="5.4.5" sectionFormat="of" format="default"/>.</t> <t>The value of the Hop-Limit option is encoded as an unsigned integer (seeSection 3.2 of<xreftarget="RFC7252"></xref>).target="RFC7252" section="3.2" sectionFormat="of" format="default"/>). This valueMUST<bcp14>MUST</bcp14> be between 1 and 255 inclusive. CoAP requests received with a Hop-Limit option set to '0' or greater than '255'MUST<bcp14>MUST</bcp14> be rejected by a CoAP server/proxy using 4.00 (Bad Request).</t> <t>The Hop-Limit option is safe to forward. That is, a CoAP proxy that does not understand the Hop-Limit option should forward it on. The option is also part of the cache key. As such, a CoAP proxy that does not understand the Hop-Limit option must follow the recommendations inSection 5.7.1 of<xreftarget="RFC7252"></xref>target="RFC7252" section="5.7.1" sectionFormat="of" format="default"/> for caching. Note that loops that involve only such proxies will not be detected. Nevertheless, the presence of such proxies will not prevent infinite loop detection if at least one CoAP proxy that supports the Hop-Limit option is involved in the loop.</t> <t>A CoAP proxy that understands the Hop-Limit optionSHOULD<bcp14>SHOULD</bcp14> be instructed, using a configuration parameter, to insert a Hop-Limit option when relaying a request that does not include the Hop-Limit option.</t> <t>The initial Hop-Limit value should be configurable. If no initial value is explicitly provided, the default initial Hop-Limit value of 16MUST<bcp14>MUST</bcp14> be used. This value is chosen so that in the majority ofcasescases, it is sufficiently large to guarantee that a CoAP request would not be dropped in networks when there were no loops, but not so large as to consume CoAP proxy resources when a loop does occur. The value is still configurable to accommodate unusual topologies. Lower values should be used with caution and only in networks where topologies are known by the CoAP client (or proxy) inserting the Hop-Limit option.</t> <t>Because forwarding errors may occur if inadequate Hop-Limit values are used, proxies at the boundaries of an administrative domainMAY<bcp14>MAY</bcp14> be instructed to remove or rewrite the value of Hop-Limit carried in received requests (i.e., ignore the value of Hop-Limit received in a request). This modification should be done with caution in case proxy-forwarded traffic repeatedly crosses the administrative domain boundary in alooploop, rendering ineffective the efficacy of loop detection through the Hop-Limit option.</t> <t>Otherwise, a CoAP proxy that understands the Hop-Limit optionMUST<bcp14>MUST</bcp14> decrement the value of the option by 1 prior to forwarding it. A CoAP proxy that understands the Hop-Limit optionMUST NOT<bcp14>MUST NOT</bcp14> use a storedTBA15.08 (Hop Limit Reached) error response unless the value of the Hop-Limit option in the presented request is smaller than or equal to the value of the Hop-Limit option in the request used to obtain the stored response. Otherwise, the CoAP proxy follows the behavior inSection 5.6 of<xreftarget="RFC7252"></xref>.<list style="empty"> <t>Note:target="RFC7252" section="5.6" sectionFormat="of" format="default"/>.</t> <ul empty="true" spacing="normal"> <li>Note: If a request with a given value of Hop-Limit failed to reach a server because the hop limit is exhausted, then the same failure will be observed if a smaller value of the Hop-Limit option is usedinstead.</t> </list></t>instead.</li> </ul> <t>CoAP requestsMUST NOT<bcp14>MUST NOT</bcp14> be forwarded if the Hop-Limit option is set to '0' after decrement. Requests that cannot be forwarded because of exhausted Hop-LimitSHOULD<bcp14>SHOULD</bcp14> be logged with aTBA15.08 (Hop Limit Reached) error response sent back to the CoAP peer. It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that CoAP implementations support means to alert administrators about loop errors so that appropriate actions are undertaken.</t> </section> <section anchor="debug"title="Debugging & Troubleshooting">numbered="true" toc="default"> <name>Debugging and Troubleshooting</name> <t>To ease debugging and troubleshooting, the CoAP proxy that detects a loop includes an identifier for itself in the diagnostic payload under the conditions detailed inSection 5.5.2 of<xreftarget="RFC7252"></xref>.target="RFC7252" section="5.5.2" sectionFormat="of" format="default"/>. That identifierMUST NOT<bcp14>MUST NOT</bcp14> include any space character (ASCII value 32). The identifier inserted by a CoAP proxy can be, for example, a proxy name (e.g., p11.example.net), proxy alias (e.g., myproxyalias), or IP address (e.g., 2001:db8::1).</t> <t>Each intermediate proxy involved in relaying aTBA15.08 (Hop Limit Reached) error message prepends its own identifier in the diagnostic payload with a space character used as separator. Only one identifier per proxy should appear in the diagnostic payload. This approach allowsto limitthe limiting of the size of theTBA15.08 (Hop Limit Reached) error message,easeeases the correlation with hops count, anddetectdetects whether a proxy was involved in the forwarding of theTBA15.08 (Hop Limit Reached) error message. Note that an intermediate proxy prepends its identifier only if there is enough space as determined by the Path MTU(Section 4.6 of <xref target="RFC7252"></xref>).(<xref target="RFC7252" section="4.6" sectionFormat="of" format="default"/>). If not, an intermediate proxy forwards theTBA15.08 (Hop Limit Reached) error message to the next hop without updating the diagnostic payload.</t> <t>An intermediate proxyMUST NOT<bcp14>MUST NOT</bcp14> forward aTBA15.08 (Hop Limit Reached) error message if it detects that its identifier is included in the diagnostic payload. Such messagesSHOULD<bcp14>SHOULD</bcp14> be logged and appropriate alerts sent to the administrators.</t> </section> <sectiontitle="HTTP-Mapping Considerations">numbered="true" toc="default"> <name>HTTP Mapping Considerations</name> <t>This section focuses on the HTTP mappings specific to the CoAP extension specified in this document. As a reminder, the basic normative requirements on HTTP/CoAP mappings are defined inSection 10 of<xreftarget="RFC7252"></xref>.target="RFC7252" section="10" sectionFormat="of" format="default"/>. The implementation guidelines for HTTP/CoAP mappings are elaborated in <xreftarget="RFC8075"></xref>.</t>target="RFC8075" format="default"/>.</t> <t>By default, the HTTP-to-CoAP Proxy inserts a Hop-Limit option following the guidelines in <xreftarget="spec"></xref>.target="spec" format="default"/>. The HTTP-to-CoAP Proxy may be instructed by policy to insert a Hop-Limit option only if a Via(Section 5.7.1 of <xref target="RFC7230"></xref>)(<xref target="RFC7230" section="5.7.1" sectionFormat="of" format="default"/>) or CDN-Loop header field <xreftarget="RFC8586"></xref>target="RFC8586" format="default"/> is present in the HTTP request.</t> <t>The HTTP-to-CoAP Proxy uses 508 (Loop Detected) as the HTTP response status code to mapTBA15.08 (Hop Limit Reached). Furthermore, it maps the diagnostic payload ofTBA15.08 (Hop Limit Reached) as perSection 6.6 of<xreftarget="RFC8075"></xref>.</t>target="RFC8075" section="6.6" sectionFormat="of" format="default"/>.</t> <t>By default, the CoAP-to-HTTP Proxy inserts a Via header field in the HTTP request if the CoAP request includes a Hop-Limit option. The CoAP-to-HTTP Proxy may be instructed by policy to insert a CDN-Loop header field instead of the Via header field.</t> <t>The CoAP-to-HTTP Proxy maps the 508 (Loop Detected) HTTP response status code toTBA15.08 (Hop Limit Reached). Moreover, the CoAP-to-HTTP Proxy inserts its information following the guidelines in <xreftarget="debug"></xref>.</t>target="debug" format="default"/>.</t> <t>When both HTTP-to-CoAP and CoAP-to-HTTP proxies are involved, the loop detection mayget brokenbreak if the proxy-forwarded traffic repeatedly crosses the HTTP-to-CoAP and CoAP-to-HTTP proxies. Nevertheless, if the loop is within the CoAP or HTTP legs, the loop detection is still functional.</t> </section> <section anchor="IANA"title="IANA Considerations"> <t><list style="empty"> <t>Editorial Note: Please update TBA1/TBA2 statements within the document with the assigned codes.</t> </list></t>numbered="true" toc="default"> <name>IANA Considerations</name> <section anchor="code"title="CoAPnumbered="true" toc="default"> <name>CoAP ResponseCode">Code</name> <t>IANAis requested to addhas registered the following entrytoin the "CoAP Response Codes"sub-registrysubregistry available athttps://www.iana.org/assignments/core-parameters/core-parameters.xhtml#response-codes:</t> <t><figure align="center"> <artwork align="center"><![CDATA[+------+------------------+-----------+ | Code | Description | Reference | +------+------------------+-----------+ | TBA1 | Hop Limit Reached| [RFCXXXX] | +------+------------------+-----------+ Table 2: CoAP<eref target="https://www.iana.org/assignments/core-parameters" brackets="angle"/>:</t> <table anchor="tab-resp-codes"> <name>CoAP ResponseCodes]]></artwork> </figure></t> <t>This document suggests 5.08 as a code to be assigned for the new response code.</t>Codes</name> <thead> <tr> <th>Code</th> <th>Description</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>5.08</td> <td>Hop Limit Reached</td> <td>RFC 8768</td> </tr> </tbody> </table> </section> <section anchor="option"title="CoAPnumbered="true" toc="default"> <name>CoAP OptionNumber">Number</name> <t>IANAis requested to addhas registered the following entrytoin the "CoAP Option Numbers"sub-registrysubregistry available athttps://www.iana.org/assignments/core-parameters/core-parameters.xhtml#option-numbers:</t> <t><figure align="center"> <artwork align="center"><![CDATA[+--------+------------------+-----------+ | Number | Name | Reference | +--------+------------------+-----------+ | TBA2 | Hop-Limit | [RFCXXXX] | +--------+------------------+-----------+ Table 3: CoAP<eref target="https://www.iana.org/assignments/core-parameters" brackets="angle"/>:</t> <table anchor="tab-option-number"> <name>CoAP OptionNumber]]></artwork> </figure></t> <t>This document suggests 16 as a value to be assigned for the new option number.</t>Number</name> <thead> <tr> <th>Number</th> <th>Name</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>16</td> <td>Hop-Limit</td> <td>RFC 8768</td> </tr> </tbody> </table> </section> </section> <section anchor="security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>Security considerations related to CoAP proxying are discussed inSection 11.2 of<xreftarget="RFC7252"></xref>.</t>target="RFC7252" section="11.2" sectionFormat="of" format="default"/>.</t> <t>A CoAP endpoint can probe the topology of a network into which it is making requests by tweaking the value of the Hop-Limit option. Such probing is likely to fail if proxies at the boundaries of that network rewrite the value of Hop-Limit carried in received requests (see <xreftarget="spec"></xref>).</t>target="spec" format="default"/>).</t> <t>The diagnostic payload of aTBA15.08 (Hop Limit Reached) error message may leak sensitive information revealing the topology of an administrative domain. To prevent that, a CoAP proxy that is located at the boundary of an administrative domainMAY<bcp14>MAY</bcp14> be instructed to strip the diagnostic payload or part of it before forwarding on theTBA15.08 (Hop Limit Reached) response.</t> </section> </middle> <back> <displayreference target="I-D.ietf-dots-signal-channel" to="DOTS-SIG-CHANNEL"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7230.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8075.xml"/> </references> <references> <name>Informative References</name> <reference anchor="I-D.ietf-dots-signal-channel"> <front> <title>Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification</title> <author initials="T" surname="Reddy" fullname="Tirumaleswar Reddy"> <organization/> </author> <author initials="M" surname="Boucadair" fullname="Mohamed Boucadair"> <organization/> </author> <author initials="P" surname="Patil" fullname="Prashanth Patil"> <organization/> </author> <author initials="A" surname="Mortensen" fullname="Andrew Mortensen"> <organization/> </author> <author initials="N" surname="Teague" fullname="Nik Teague"> <organization/> </author> <date month="January" day="6" year="2020"/> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-dots-signal-channel-41"/> <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-ietf-dots-signal-channel-41.txt"/> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8586.xml"/> </references> </references> <section anchor="ack"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgements</name> <t>This specification was part of <xreftarget="I-D.ietf-dots-signal-channel"></xref>.target="I-D.ietf-dots-signal-channel" format="default"/>. Many thanks to those who reviewed DOTS specifications.</t> <t>Thanks toKlaus Hartke, Carsten Bormann, Peter<contact fullname="Klaus Hartke"/>, <contact fullname="Carsten Bormann"/>, <contact fullname="Peter van derStok, Jim Schaad, Jaime Jiménez, Roni Even, Scott Bradner, Thomas Fossati, Radia Perlman, Éric Vyncke, Suresh Krishnan, Roman Danyliw, Barry Leiba, Christer Holmberg, Benjamin Kaduk, and Adam RoachStok"/>, <contact fullname="Jim Schaad"/>, <contact fullname="Jaime Jiménez"/>, <contact fullname="Roni Even"/>, <contact fullname="Scott Bradner"/>, <contact fullname="Thomas Fossati"/>, <contact fullname="Radia Perlman"/>, <contact fullname="Éric Vyncke"/>, <contact fullname="Suresh Krishnan"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Barry Leiba"/>, <contact fullname="Christer Holmberg"/>, <contact fullname="Benjamin Kaduk"/>, and <contact fullname="Adam Roach"/> for their review and comments.</t><t>Carsten Bormann<t><contact fullname="Carsten Bormann"/> provided the "Intended Usage" text.</t> </section></middle> <back> <references title="Normative References"> <?rfc include="reference.RFC.2119"?> <?rfc include="reference.RFC.7252"?> <?rfc include='reference.RFC.8174'?> <?rfc include='reference.RFC.7230'?> <?rfc include='reference.RFC.8075'?> </references> <references title="Informative References"> <?rfc include="reference.I-D.ietf-dots-signal-channel"?> <?rfc include='reference.RFC.8586'?> </references></back> </rfc>