rfc8900xml2.original.xml   rfc8900.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="bcp" docName="draft-ietf-intarea-frag-fragile-17"
ipr="trust200902">
<front>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
category="bcp"
docName="draft-ietf-intarea-frag-fragile-17"
number="8900"
consensus="true"
ipr="trust200902"
obsoletes=""
updates=""
submissionType="IETF"
xml:lang="en"
tocInclude="true"
tocDepth="3"
symRefs="true"
sortRefs="true"
version="3">
<!-- xml2rfc v2v3 conversion 2.45.3 -->
<front>
<title abbrev="IP Fragmentation Fragile">IP Fragmentation Considered <title abbrev="IP Fragmentation Fragile">IP Fragmentation Considered
Fragile</title> Fragile</title>
<seriesInfo name="RFC" value="8900"/>
<seriesInfo name="BCP" value="230"/>
<author fullname="Ron Bonica" initials="R." surname="Bonica"> <author fullname="Ron Bonica" initials="R." surname="Bonica">
<organization>Juniper Networks</organization> <organization>Juniper Networks</organization>
<address> <address>
<postal> <postal>
<street>2251 Corporate Park Drive</street> <street>2251 Corporate Park Drive</street>
<city>Herndon</city> <city>Herndon</city>
<code>20171</code> <code>20171</code>
<region>Virginia</region> <region>Virginia</region>
<country>United States of America</country>
<country>USA</country>
</postal> </postal>
<email>rbonica@juniper.net</email> <email>rbonica@juniper.net</email>
</address> </address>
</author> </author>
<author fullname="Fred Baker" initials="F." surname="Baker"> <author fullname="Fred Baker" initials="F." surname="Baker">
<organization>Unaffiliated</organization> <organization>Unaffiliated</organization>
<address> <address>
<postal> <postal>
<street/>
<city>Santa Barbara</city> <city>Santa Barbara</city>
<region>California</region> <region>California</region>
<code>93117</code> <code>93117</code>
<country>United States of America</country>
<country>USA</country>
</postal> </postal>
<email>FredBaker.IETF@gmail.com</email> <email>FredBaker.IETF@gmail.com</email>
</address> </address>
</author> </author>
<author fullname="Geoff Huston" initials="G." surname="Huston"> <author fullname="Geoff Huston" initials="G." surname="Huston">
<organization>APNIC</organization> <organization>APNIC</organization>
<address> <address>
<postal> <postal>
<street>6 Cordelia St</street> <street>6 Cordelia St</street>
<city>Brisbane</city> <city>Brisbane</city>
<region>4101 QLD</region> <region>4101 QLD</region>
<code/> <code/>
<country>Australia</country> <country>Australia</country>
</postal> </postal>
<email>gih@apnic.net</email> <email>gih@apnic.net</email>
</address> </address>
</author> </author>
<author fullname="Robert M. Hinden" initials="R." surname="Hinden"> <author fullname="Robert M. Hinden" initials="R." surname="Hinden">
<organization>Check Point Software</organization> <organization>Check Point Software</organization>
<address> <address>
<postal> <postal>
<street>959 Skyway Road</street> <street>959 Skyway Road</street>
<city>San Carlos</city> <city>San Carlos</city>
<region>California</region> <region>California</region>
<code>94070</code> <code>94070</code>
<country>United States of America</country>
<country>USA</country>
</postal> </postal>
<email>bob.hinden@gmail.com</email> <email>bob.hinden@gmail.com</email>
</address> </address>
</author> </author>
<author fullname="Ole Troan" initials="O." surname="Troan"> <author fullname="Ole Troan" initials="O." surname="Troan">
<organization>Cisco</organization> <organization>Cisco</organization>
<address> <address>
<postal> <postal>
<street>Philip Pedersens vei 1</street> <street>Philip Pedersens vei 1</street>
<city>N-1366 Lysaker</city> <city>N-1366 Lysaker</city>
<country>Norway</country> <country>Norway</country>
</postal> </postal>
<email>ot@cisco.com</email> <email>ot@cisco.com</email>
</address> </address>
</author> </author>
<author fullname="Fernando Gont" initials="F." surname="Gont"> <author fullname="Fernando Gont" initials="F." surname="Gont">
<organization>SI6 Networks</organization> <organization>SI6 Networks</organization>
<address> <address>
<postal> <postal>
<street>Evaristo Carriego 2644</street> <street>Evaristo Carriego 2644</street>
<city>Haedo</city> <city>Haedo</city>
<region>Provincia de Buenos Aires</region> <region>Provincia de Buenos Aires</region>
<country>Argentina</country> <country>Argentina</country>
</postal> </postal>
<email>fgont@si6networks.com</email> <email>fgont@si6networks.com</email>
</address> </address>
</author> </author>
<date year="2020" month="September"/>
<date/>
<area>Internet Area</area> <area>Internet Area</area>
<workgroup>Internet Area WG</workgroup> <workgroup>Internet Area WG</workgroup>
<keyword>IPv6</keyword> <keyword>IPv6</keyword>
<keyword>Fragmentation</keyword> <keyword>Fragmentation</keyword>
<abstract> <abstract>
<t>This document describes IP fragmentation and explains how it <t>This document describes IP fragmentation and explains how it
introduces fragility to Internet communication.</t> introduces fragility to Internet communication.</t>
<t>This document also proposes alternatives to IP fragmentation and <t>This document also proposes alternatives to IP fragmentation and
provides recommendations for developers and network operators.</t> provides recommendations for developers and network operators.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section title="Introduction"> <section numbered="true" toc="default">
<t><xref target="Kent">Operational experience </xref> <xref <name>Introduction</name>
target="Huston"/> <xref target="RFC7872"/> reveals that IP fragmentation <t>Operational experience <xref target="Kent" format="default"/>
<xref target="Huston" format="default"/> <xref target="RFC7872" format="de
fault"/>
reveals that IP fragmentation
introduces fragility to Internet communication. This document describes introduces fragility to Internet communication. This document describes
IP fragmentation and explains the fragility it introduces. It also IP fragmentation and explains the fragility it introduces. It also
proposes alternatives to IP fragmentation and provides recommendations proposes alternatives to IP fragmentation and provides recommendations
for developers and network operators.</t> for developers and network operators.</t>
<t>While this document identifies issues associated with IP <t>While this document identifies issues associated with IP
fragmentation, it does not recommend deprecation. Legacy protocols that fragmentation, it does not recommend deprecation. Legacy protocols that
depend upon IP fragmentation would do well to be updated to remove that de pendency. depend upon IP fragmentation would do well to be updated to remove that de pendency.
However, some applications and environments (see <xref target="rely"/>) However, some applications and environments (see <xref target="rely" forma
require IP fragmentation. In these cases, the protocol will continue to t="default"/>)
rely on IP fragmentation, but the designer should to be aware that require IP fragmentation. In these cases, the protocol will continue
fragmented packets may result in blackholes; a design should include to rely on IP fragmentation, but the designer should be aware that
fragmented packets may result in black holes. A design should include
appropriate safeguards.</t> appropriate safeguards.</t>
<t>Rather than deprecating IP fragmentation, this document recommends
<t>Rather than deprecating IP Fragmentation, this document recommends
that upper-layer protocols address the problem of fragmentation at their that upper-layer protocols address the problem of fragmentation at their
layer, reducing their reliance on IP fragmentation to the greatest layer, reducing their reliance on IP fragmentation to the greatest
degree possible.</t> degree possible.</t>
<!-- <section numbered="true" toc="default">
<section title="IP-in-IP Tunnels"> <name>Requirements Language</name>
<t>This document acknowledges that in some cases, packets must be <t>
fragmented within IP-in-IP tunnels <xref The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
target="I-D.ietf-intarea-tunnels"/>. Therefore, this document makes "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>
no ",
additional recommendations regarding IP-in-IP tunnels.</t> "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
</section> "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
<section title="Requirements Language"> be
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", interpreted as described in BCP 14 <xref target="RFC2119"/> <xref
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and target="RFC8174"/> when, and only when, they appear in all capitals, as
"OPTIONAL" in this document are to be interpreted as described in <xref shown here.
target="RFC2119">BCP 14</xref> <xref target="RFC8174"/> when, and only </t>
when, they appear in all capitals, as shown here.</t> </section>
</section>
</section> </section>
<section numbered="true" toc="default">
<section title="IP Fragmentation"> <name>IP Fragmentation</name>
<section anchor="pmtu" title="Links, Paths, MTU and PMTU"> <section anchor="pmtu" numbered="true" toc="default">
<name>Links, Paths, MTU, and PMTU</name>
<t>An Internet path connects a source node to a destination node. A <t>An Internet path connects a source node to a destination node. A
path may contain links and routers. If a path contains more than one path may contain links and routers. If a path contains more than one
link, the links are connected in series and a router connects each link, the links are connected in series, and a router connects each
link to the next.</t> link to the next.</t>
<t>Internet paths are dynamic. Assume that the path from one node <t>Internet paths are dynamic. Assume that the path from one node
to another contains a set of links and routers. If a link or a to another contains a set of links and routers. If a link or a
router fails, the path can also change so that it includes a router fails, the path can also change so that it includes a
different set of links and routers.</t> different set of links and routers.</t>
<t> <t>
Each link is constrained by the number of bytes that it can convey in Each link is constrained by the number of octets that it can convey in
a single IP packet. This constraint is called the link Maximum a single IP packet. This constraint is called the link Maximum
Transmission Unit (MTU). <xref target="RFC0791">IPv4</xref> requires Transmission Unit (MTU). <xref target="RFC0791" format="default">IPv4</xref>
every link to support at 576 bytes or greater (see NOTE 1). <xref requires every link to support an MTU of 68 octets or greater (see <xref tar
target="RFC0791">IPv6 </xref> similarly requires every link to get="note-1" format="none">NOTE 1</xref>).
support an MTU of 1280 bytes or greater. These are called the IPv4 <xref target="RFC8200" format="default">IPv6</xref> similarly requires every
and IPv6 minimum link MTU's. link to
support an MTU of 1280 octets or greater. These are called the IPv4 and IPv6
minimum link MTUs.
</t> </t>
<t>Some links, and some ways of using links, result in
<t>Some links, and some ways of using links, result in
additional variable overhead. For the simple case of tunnels, additional variable overhead. For the simple case of tunnels,
this document defers to other documents. For other cases, this document defers to other documents. For other cases,
such as MPLS, this document considers the Link MTU to include such as MPLS, this document considers the link MTU to include
appropriate allowance for any such overhead.</t> appropriate allowance for any such overhead.</t>
<t>Likewise, each Internet path is constrained by the number of octets
<t>Likewise, each Internet path is constrained by the number of bytes
that it can convey in a single IP packet. This constraint is called that it can convey in a single IP packet. This constraint is called
the Path MTU (PMTU). For any given path, the PMTU is equal to the the Path MTU (PMTU). For any given path, the PMTU is equal to the
smallest of its link MTU's. Because Internet paths are dynamic, PMTU smallest of its link MTUs. Because Internet paths are dynamic, PMTU
is also dynamic.</t> is also dynamic.</t>
<t>For reasons described below, source nodes estimate the PMTU between <t>For reasons described below, source nodes estimate the PMTU between
themselves and destination nodes. A source node can produce extremely themselves and destination nodes. A source node can produce extremely
conservative PMTU estimates in which:</t> conservative PMTU estimates in which:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>The estimate for each IPv4 path is equal to the IPv4 minimum
<t>The estimate for each IPv4 path is equal to the IPv4 minimum link MTU.</li>
link MTU.</t> <li>The estimate for each IPv6 path is equal to the IPv6 minimum
link MTU.</li>
<t>The estimate for each IPv6 path is equal to the IPv6 minimum </ul>
link MTU.</t> <t>While these conservative estimates are guaranteed to be less
</list>While these conservative estimates are guaranteed to be less
than or equal to the actual PMTU, they are likely to be much less than than or equal to the actual PMTU, they are likely to be much less than
the actual PMTU. This may adversely affect upper-layer protocol the actual PMTU. This may adversely affect upper-layer protocol
performance.</t> performance.</t>
<t>By executing Path MTU Discovery (PMTUD) procedures <xref target="RFC1
<t>By executing <xref target="RFC1191">Path MTU Discovery 191" format="default"/>
(PMTUD)</xref> <xref target="RFC8201"/> procedures, a source node can <xref target="RFC8201" format="default"/>, a source node can
maintain a less conservative estimate of the PMTU between itself and a maintain a less conservative estimate of the PMTU between itself and a
destination node. In PMTUD, the source node produces an initial PMTU destination node. In PMTUD, the source node produces an initial PMTU
estimate. This initial estimate is equal to the MTU of the first link estimate. This initial estimate is equal to the MTU of the first link
along the path to the destination node. It can be greater than the along the path to the destination node. It can be greater than the
actual PMTU.</t> actual PMTU.</t>
<t>Having produced an initial PMTU estimate, the source node sends <t>Having produced an initial PMTU estimate, the source node sends
non-fragmentable IP packets to the destination node (see NOTE 2). If non-fragmentable IP packets to the destination node (see <xref target="n ote-2" format="none">NOTE 2</xref>). If
one of these packets is larger than the actual PMTU, a downstream one of these packets is larger than the actual PMTU, a downstream
router will not be able to forward the packet through the next link router will not be able to forward the packet through the next link
along the path. Therefore, the downstream router drops the packet and along the path. Therefore, the downstream router drops the packet and
sends an <xref target="RFC0792">Internet Control Message Protocol sends an Internet Control Message Protocol (ICMP)
(ICMP)</xref> <xref target="RFC4443"/> Packet Too Big (PTB) message to <xref target="RFC0792" format="default"/> <xref target="RFC4443" format=
the source node (see NOTE 3). The ICMP PTB message indicates the MTU "default"/> Packet Too Big (PTB) message to
the source node (see <xref target="note-3" format="none">NOTE 3</xref>).
The ICMP PTB message indicates the MTU
of the link through which the packet could not be forwarded. The of the link through which the packet could not be forwarded. The
source node uses this information to refine its PMTU estimate.</t> source node uses this information to refine its PMTU estimate.</t>
<t>PMTUD produces a running estimate of the PMTU between a source node <t>PMTUD produces a running estimate of the PMTU between a source node
and a destination node. Because PMTU is dynamic, the PMTU estimate can and a destination node. Because PMTU is dynamic, the PMTU estimate can
be larger than the actual PMTU. In order to detect PMTU increases, be larger than the actual PMTU. In order to detect PMTU increases,
PMTUD occasionally resets the PMTU estimate to its initial value and PMTUD occasionally resets the PMTU estimate to its initial value and
repeats the procedure described above.</t> repeats the procedure described above.</t>
<t>Ideally, PMTUD operates as described above. However, in some <t>Ideally, PMTUD operates as described above. However, in some
scenarios, PMTUD fails. For example:</t> scenarios, PMTUD fails. For example:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>PMTUD relies on the network's ability to deliver ICMP PTB
<t>PMTUD relies on the network's ability to deliver ICMP PTB
messages to the source node. If the network cannot deliver ICMP messages to the source node. If the network cannot deliver ICMP
PTB messages to the source node, PMTUD fails.</t> PTB messages to the source node, PMTUD fails.</li>
<li>PMTUD is susceptible to attack because ICMP messages are easily
<t>PMTUD is susceptible to attack because ICMP messages are easily <xref target="RFC5927" format="default">forged</xref> and not authen
<xref target="RFC5927">forged</xref> and not authenticated by the ticated by the
receiver. Such attacks can cause PMTUD to produce unnecessarily receiver. Such attacks can cause PMTUD to produce unnecessarily
conservative PMTU estimates.</t> conservative PMTU estimates.</li>
</list></t> </ul>
<t>
NOTE 1: In IPv4, every host must be capable of receiving a packet
whose length is equal to 576 bytes. However, the IPv4 minimum
link MTU is not 576. Section 3.2 of RFC 791 explicitly states
that the IPv4 minimum link MTU is 68 bytes. But for practical
purposes, many network operators consider the IPv4 minimum link
MTU to be 576 bytes, to minimize the requirement for
fragmentation en route. So, for the purposes of this document,
we assume that the IPv4 minimum link MTU is 576 bytes.
</t>
<t>NOTE 2: A non-fragmentable packet can be fragmented at its source. <dl newline="false" spacing="normal">
<dt anchor="note-1">NOTE 1:</dt>
<dd>In IPv4, every host must be able to reassemble a packet
whose length is less than or equal to 576 octets. However, the IPv4 mini
mum
link MTU is not 576. Section <xref target="RFC0791" section="3.2" sectio
nFormat="bare" format="default"/>
of <xref target="RFC0791" format="default">RFC 791</xref> explicitly sta
tes
that the IPv4 minimum link MTU is 68 octets.
</dd>
<dt anchor="note-2">NOTE 2:</dt><dd>A non-fragmentable packet can be fra
gmented at its source.
However, it cannot be fragmented by a downstream node. An IPv4 packet However, it cannot be fragmented by a downstream node. An IPv4 packet
whose DF-bit is set to 0 is fragmentable. An IPv4 packet whose whose Don't Fragment (DF) bit is set to 0 is fragmentable. An IPv4 packe
DF-bit is set to 1 is non-fragmentable. All IPv6 packets are also t whose
non-fragmentable.</t> DF bit is set to 1 is non-fragmentable. All IPv6 packets are also
non-fragmentable.</dd>
<t>NOTE 3: The ICMP PTB message has two instantiations. In <xref <dt anchor="note-3">NOTE 3:</dt> <dd>The ICMP PTB message has two instan
target="RFC0792">ICMPv4</xref>, the ICMP PTB message is a Destination tiations. In <xref target="RFC0792" format="default">ICMPv4</xref>, the ICMP PTB
Unreachable message with Code equal to 4 fragmentation needed and DF message is a Destination
set. This message was augmented by <xref target="RFC1191"/> to Unreachable message with Code equal to 4 (fragmentation needed and DF
set). This message was augmented by <xref target="RFC1191" format="defau
lt"/> to
indicate the MTU of the link through which the packet could not be indicate the MTU of the link through which the packet could not be
forwarded. In <xref target="RFC4443">ICMPv6</xref>, the ICMP PTB forwarded. In <xref target="RFC4443" format="default">ICMPv6</xref>, the ICMP PTB
message is a Packet Too Big Message with Code equal to 0. This message is a Packet Too Big Message with Code equal to 0. This
message also indicates the MTU of the link through which the packet message also indicates the MTU of the link through which the packet
could not be forwarded.</t> could not be forwarded.</dd>
</dl>
</section> </section>
<section numbered="true" toc="default">
<section title="Fragmentation Procedures"> <name>Fragmentation Procedures</name>
<t>When an upper-layer protocol submits data to the underlying IP <t>When an upper-layer protocol submits data to the underlying IP
module, and the resulting IP packet's length is greater than the PMTU, module, and the resulting IP packet's length is greater than the PMTU,
the packet is divided into fragments. Each fragment includes an IP the packet is divided into fragments. Each fragment includes an IP
header and a portion of the original packet.</t> header and a portion of the original packet.</t>
<t><xref target="RFC0791" format="default"/> describes IPv4 fragmentatio
<t><xref target="RFC0791"/> describes IPv4 fragmentation procedures. n procedures.
An IPv4 packet whose DF-bit is set to 1 may be fragmented by the An IPv4 packet whose DF bit is set to 1 may be fragmented by the
source node, but may not be fragmented by a downstream router. An IPv4 source node, but may not be fragmented by a downstream router. An IPv4
packet whose DF-bit is set to 0 may be fragmented by the source packet whose DF bit is set to 0 may be fragmented by the source
node or by a downstream router. When an IPv4 packet is fragmented, all node or by a downstream router. When an IPv4 packet is fragmented, all
IP options (which are within the IPv4 header) appear in the first fragme nt, but only options whose "copy" IP options (which are within the IPv4 header) appear in the first fragme nt, but only options whose "copy"
bit is set to 1 appear in subsequent fragments.</t> bit is set to 1 appear in subsequent fragments.</t>
<t><xref target="RFC8200" format="default"/>, notably in
<t><xref target="RFC8200"/>, notably in section 4.5, describes Section <xref target="RFC8200" section="4.5" sectionFormat="bare" format
="default"/>, describes
IPv6 fragmentation procedures. An IPv6 packet may be IPv6 fragmentation procedures. An IPv6 packet may be
fragmented only at the source node. When an IPv6 packet is fragmented only at the source node. When an IPv6 packet is
fragmented, all extension headers appear in the first fragmented, all extension headers appear in the first
fragment, but only per-fragment headers appear in subsequent fragment, but only per-fragment headers appear in subsequent
fragments. Per-fragment headers include the following:</t> fragments. Per-fragment headers include the following:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>The IPv6 header.</li>
<t>The IPv6 header.</t> <li>The Hop-by-Hop Options header (if present).</li>
<li>The Destination Options header (if present and if it precedes a
<t>The Hop-by-hop Options header (if present)</t> Routing header).</li>
<li>The Routing header (if present).</li>
<t>The Destination Options header (if present and if it precedes a <li>The Fragment header.</li>
Routing header)</t> </ul>
<t>In IPv4, the upper-layer header usually appears in the
<t>The Routing Header (if present)</t> first fragment, due to the sizes of the headers involved.
In IPv6, the upper-layer header must appear in the first fragment.</t>
<t>The Fragment Header</t>
</list></t>
<t>In IPv4, the upper-layer header usually appears in the
first fragment, due to the sizes of the headers involved;
in IPv6, it is required to. </t>
</section> </section>
<section anchor="upper" numbered="true" toc="default">
<section anchor="upper" title="Upper-Layer Reliance on IP Fragmentation"> <name>Upper-Layer Reliance on IP Fragmentation</name>
<t>Upper-layer protocols can operate in the following modes:</t> <t>Upper-layer protocols can operate in the following modes:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>Do not rely on IP fragmentation.</li>
<t>Do not rely on IP fragmentation.</t> <li>Rely on IP fragmentation by the source node only.</li>
<li>Rely on IP fragmentation by any node.</li>
<t>Rely on IP fragmentation by the source node only.</t> </ul>
<t>Rely on IP fragmentation by any node.</t>
</list></t>
<t>Upper-layer protocols running over IPv4 can operate in all of the <t>Upper-layer protocols running over IPv4 can operate in all of the
above-mentioned modes. Upper-layer protocols running over IPv6 can above-mentioned modes. Upper-layer protocols running over IPv6 can
operate in the first and second modes only.</t> operate in the first and second modes only.</t>
<t>Upper-layer protocols that operate in the first two modes (above) <t>Upper-layer protocols that operate in the first two modes (above)
require access to the PMTU estimate. In order to fulfill this require access to the PMTU estimate. In order to fulfill this
requirement, they can:</t> requirement, they can:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>Estimate the PMTU to be equal to the IPv4 or IPv6 minimum link
<t>Estimate the PMTU to be equal to the IPv4 or IPv6 minimum link MTU.</li>
MTU.</t> <li>Access the estimate that PMTUD produced.</li>
<li>Execute PMTUD procedures themselves.</li>
<t>Access the estimate that PMTUD produced.</t> <li>Execute Packetization Layer PMTUD (PLPMTUD) procedures
<xref target="RFC4821" format="default"/>
<t>Execute PMTUD procedures themselves.</t> <xref target="RFC8899" format="default"/>.</li>
</ul>
<t>Execute <xref target="RFC4821">Packetization Layer PMTUD <t>According to PLPMTUD procedures, the upper-layer protocol
(PLPMTUD)</xref> <xref target="I-D.ietf-tsvwg-datagram-plpmtud"/>
procedures.</t>
</list>According to PLPMTUD procedures, the upper-layer protocol
maintains a running PMTU estimate. It does so by sending probe packets maintains a running PMTU estimate. It does so by sending probe packets
of various sizes to its upper-layer peer and receiving of various sizes to its upper-layer peer and receiving
acknowledgements. This strategy differs from PMTUD in that it relies acknowledgements. This strategy differs from PMTUD in that it relies
on acknowledgement of received messages, as opposed to ICMP PTB on acknowledgement of received messages, as opposed to ICMP PTB
messages concerning dropped messages. Therefore, PLPMTUD does not rely messages concerning dropped messages. Therefore, PLPMTUD does not rely
on the network's ability to deliver ICMP PTB messages to the on the network's ability to deliver ICMP PTB messages to the
source.</t> source.</t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Increased Fragility"> <name>Increased Fragility</name>
<t>This section explains how IP fragmentation introduces fragility to <t>This section explains how IP fragmentation introduces fragility to
Internet communication.</t> Internet communication.</t>
<section anchor="virtualreassembly" title="Virtual Reassembly"> <section anchor="virtualreassembly" numbered="true" toc="default">
<t>Virtual reassembly is a procedure in which a device <name>Virtual Reassembly</name>
<t>Virtual reassembly is a procedure in which a device
conceptually reassembles a packet, forwards its fragments, and discards conceptually reassembles a packet, forwards its fragments, and discards
the reassembled copy. In A+P and CGN, virtual reassembly the reassembled copy. In <xref target="RFC6346" format="default">Address
plus Port (A+P)</xref>
and <xref target="RFC6888" format="default">Carrier Grade NAT (CGN)</xre
f>, virtual reassembly
is required in order to correctly translate fragment is required in order to correctly translate fragment
addresses. It could be useful to address the problems in addresses. It could be useful to address the problems in Sections
<xref target="mb"/>, <xref target="nat"/>, <xref <xref target="mb" format="counter"/>, <xref target="nat" format="counter"
target="statelessfirewall"/>, and <xref target="ecmp"/>. />,
</t> <xref target="statelessfirewall" format="counter"/>, and <xref target="e
cmp" format="counter"/>.
<t>Virtual reassembly in the network is problematic, however, </t>
because it is computationally expensive and because it holds <t>Virtual reassembly is computationally expensive and holds
state for indeterminate periods of time, is prone to errors state for indeterminate periods of time. Therefore, it is prone
and, is prone to <xref target="at">attacks</xref>.</t> to errors and <xref target="at" format="default">attacks</xref>.</t>
<t>One of the benefits of fragmenting at the source, as IPv6 does,
is that there is no question of temporary state or involved
processes as required in virtual fragmentation. The sender
has the entire message, and is fragmenting it as needed -
and can apply that knowledge consistently across the fragments
it produces. It is better than virtual fragmentation in
that sense.</t>
</section> </section>
<section anchor="mb" numbered="true" toc="default">
<section anchor="mb" title="Policy-Based Routing"> <name>Policy-Based Routing</name>
<t>IP Fragmentation causes problems for routers that implement <t>IP fragmentation causes problems for routers that implement
policy-based routing.</t> policy-based routing.</t>
<t>When a router receives a packet, it identifies the next hop on
<t>When a router receives a packet, it identifies the next-hop on
route to the packet's destination and forwards the packet to that route to the packet's destination and forwards the packet to that
next-hop. In order to identify the next-hop, the router interrogates a next hop. In order to identify the next hop, the router interrogates a
local data structure called the Forwarding Information Base (FIB).</t> local data structure called the Forwarding Information Base (FIB).</t>
<t>Normally, the FIB contains destination-based entries that map a <t>Normally, the FIB contains destination-based entries that map a
destination prefix to a next-hop. Policy-based routing allows destination prefix to a next hop. Policy-based routing allows
destination-based and policy-based entries to coexist in the same FIB. destination-based and policy-based entries to coexist in the same FIB.
A policy-based FIB entry maps multiple fields, drawn from either the A policy-based FIB entry maps multiple fields, drawn from either the
IP or transport-layer header, to a next-hop.</t> IP or transport-layer header, to a next hop.</t>
<t/> <t/>
<table anchor="FIB" align="center">
<texttable anchor="FIB" style="full" title="Policy-Based Routing FIB"> <name>Policy-Based Routing FIB</name>
<ttcol align="center">Entry</ttcol> <thead>
<tr>
<ttcol align="left">Type</ttcol> <th align="center">Entry</th>
<th align="left">Type</th>
<ttcol>Dest. Prefix</ttcol> <th align="left">Dest.&nbsp;Prefix</th>
<th align="left">Next Hdr / Dest. Port</th>
<ttcol align="left">Next Hdr / Dest. Port</ttcol> <th align="left">Next Hop</th>
</tr>
<ttcol>Next-Hop</ttcol> </thead>
<tbody>
<c/> <tr>
<td align="center">1</td>
<c/> <td align="left">Destination-based</td>
<td align="left">2001:db8::1/128</td>
<c/> <td align="left">Any / Any</td>
<td align="left">2001:db8:2::2</td>
<c/> </tr>
<tr>
<c/> <td align="center">2</td>
<td align="left">Policy-based</td>
<c>1</c> <td align="left">2001:db8::1/128</td>
<td align="left">TCP / 80</td>
<c>Destination- based</c> <td align="left">2001:db8:3::3</td>
</tr>
<c>2001:db8::1/128</c> </tbody>
</table>
<c>Any / Any</c> <t>Assume that a router maintains the FIB in <xref target="FIB" format="
default"/>. The
<c>2001:db8::2</c>
<c/>
<c/>
<c/>
<c/>
<c/>
<c>2</c>
<c>Policy- based</c>
<c>2001:db8::1/128</c>
<c>TCP / 80</c>
<c>2001:db8::3</c>
</texttable>
<t>Assume that a router maintains the FIB in <xref target="FIB"/>. The
first FIB entry is destination-based. It maps a destination prefix first FIB entry is destination-based. It maps a destination prefix
2001:db8::1/128 to a next-hop 2001:db8::2. The second FIB entry is 2001:db8::1/128 to a next hop 2001:db8:2::2. The second FIB entry is
policy-based. It maps the same destination prefix 2001:db8::1/128 policy-based. It maps the same destination prefix 2001:db8::1/128
and a destination port ( TCP / 80 ) to a different next-hop and a destination port (TCP / 80) to a different next hop
(2001:db8::3). The second entry is more specific than the first.</t> (2001:db8:3::3). The second entry is more specific than the first.</t>
<t>When the router receives the first fragment of a packet that is <t>When the router receives the first fragment of a packet that is
destined for TCP port 80 on 2001:db8::1, it interrogates the FIB. Both destined for TCP port 80 on 2001:db8::1, it interrogates the FIB. Both
FIB entries satisfy the query. The router selects the second FIB entry FIB entries satisfy the query. The router selects the second FIB entry
because it is more specific and forwards the packet to because it is more specific and forwards the packet to
2001:db8::3.</t> 2001:db8:3::3.</t>
<t>When the router receives the second fragment of the packet, it <t>When the router receives the second fragment of the packet, it
interrogates the FIB again. This time, only the first FIB entry interrogates the FIB again. This time, only the first FIB entry
satisfies the query, because the second fragment contains no satisfies the query, because the second fragment contains no
indication that the packet is destined for TCP port 80. Therefore, the indication that the packet is destined for TCP port 80. Therefore, the
router selects the first FIB entry and forwards the packet to router selects the first FIB entry and forwards the packet to
2001:db8::2.</t> 2001:db8:2::2.</t>
<t>Policy-based routing is also known as filter-based forwarding.</t>
<t>Policy-based routing is also known as filter-based-forwarding.</t>
</section> </section>
<section anchor="nat" numbered="true" toc="default">
<section anchor="nat" title="Network Address Translation (NAT)"> <name>Network Address Translation (NAT)</name>
<t>IP fragmentation causes problems for Network Address Translation <t>IP fragmentation causes problems for Network Address Translation
(NAT) devices. When a NAT device detects a new, outbound flow, it maps (NAT) devices. When a NAT device detects a new, outbound flow, it maps
that flow's source port and IP address to another source port and IP that flow's source port and IP address to another source port and IP
address. Having created that mapping, the NAT device translates:</t> address. Having created that mapping, the NAT device translates:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>The source IP address and source port on each outbound
<t>The Source IP Address and Source Port on each outbound packet.</li>
packet.</t> <li>The destination IP address and destination port on each inbound
packet.</li>
<t>The Destination IP Address and Destination Port on each inbound </ul>
packet.</t> <t></t>
</list></t> <t><xref target="RFC6346" format="default">A+P</xref> and
<xref target="RFC6888" format="default">Carrier Grade NAT (CGN)</xref>
<t><xref target="RFC6346">A+P</xref> and <xref are two common NAT strategies. In both approaches, the NAT device must v
target="RFC6888">Carrier Grade NAT (CGN)</xref> are two common NAT irtually
strategies. In both approaches the NAT device must virtually
reassemble fragmented packets in order to translate and forward each reassemble fragmented packets in order to translate and forward each
fragment. (See NOTE 1.)</t> fragment.</t>
</section> </section>
<section anchor="statelessfirewall" numbered="true" toc="default">
<section anchor="statelessfirewall" title="Stateless Firewalls"> <name>Stateless Firewalls</name>
<t>As discussed in more detail in <xref target="at"/>, IP <t>As discussed in more detail in <xref target="at" format="default"/>,
IP
fragmentation causes problems for stateless firewalls whose rules fragmentation causes problems for stateless firewalls whose rules
include TCP and UDP ports. Because port information is only include TCP and UDP ports. Because port information is only
available in the first fragment and not available available in the first fragment and not available
in the subsequent fragments the firewall is limited to the following in the subsequent fragments, the firewall is limited to the following
options:</t> options:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>Accept all subsequent fragments, possibly admitting certain
<t>Accept all trailing subsequent, possibly admitting certain classes of attack.</li>
classes of attack.</t> <li>Block all subsequent fragments, possibly blocking legitimate
traffic.</li>
<t>Block all subsequent fragments, possibly blocking legitimate </ul>
traffic.</t> <t>Neither option is attractive.</t>
</list>Neither option is attractive.</t>
</section> </section>
<section anchor="ecmp" numbered="true" toc="default">
<section anchor="ecmp" title="Equal Cost Multipath, Link Aggregate Groups <name>Equal-Cost Multipath, Link Aggregate Groups, and Stateless Load Ba
and Stateless Load-Balancers"> lancers</name>
<t>IP fragmentation causes problems for Equal Cost Multipath (ECMP), <t>IP fragmentation causes problems for Equal-Cost Multipath (ECMP),
Link Aggregate Groups (LAG) and other stateless load-distribution Link Aggregate Groups (LAG), and other stateless load-distribution
technologies. In order to assign a packet or packet fragment to a technologies. In order to assign a packet or packet fragment to a
link, an intermediate node executes a hash (i.e., load-distributing) link, an intermediate node executes a hash (i.e., load-distributing)
algorithm. The following paragraphs describe a commonly deployed hash algorithm. The following paragraphs describe a commonly deployed hash
algorithm.</t> algorithm.</t>
<t>If the packet or packet fragment contains a transport-layer header, <t>If the packet or packet fragment contains a transport-layer header,
the algorithm accepts the following 5-tuple as input:</t> the algorithm accepts the following 5-tuple as input:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>IP Source Address.</li>
<t>IP Source Address.</t> <li>IP Destination Address.</li>
<li>IPv4 Protocol or IPv6 Next Header.</li>
<t>IP Destination Address.</t> <li>transport-layer source port.</li>
<li>transport-layer destination port.</li>
<t>IPv4 Protocol or IPv6 Next Header.</t> </ul>
<t>If the packet or packet fragment does not contain a
<t>transport-layer source port.</t>
<t>transport-layer destination port.</t>
</list>If the packet or packet fragment does not contain a
transport-layer header, the algorithm accepts only the following transport-layer header, the algorithm accepts only the following
3-tuple as input:</t> 3-tuple as input:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>IP Source Address.</li>
<t>IP Source Address.</t> <li>IP Destination Address.</li>
<li>IPv4 Protocol or IPv6 Next Header.</li>
<t>IP Destination Address.</t> </ul>
<t>IPv4 Protocol or IPv6 Next Header.</t>
</list></t>
<t>Therefore, non-fragmented packets belonging to a flow can be <t>Therefore, non-fragmented packets belonging to a flow can be
assigned to one link while fragmented packets belonging to the same assigned to one link while fragmented packets belonging to the same
flow can be divided between that link and another. This can cause flow can be divided between that link and another. This can cause
suboptimal load-distribution.</t> suboptimal load distribution.</t>
<t><xref target="RFC6438" format="default"/> offers a partial solution t
<t><xref target="RFC6438"/> offers a partial solution to this problem o this problem
for IPv6 devices only. According to <xref target="RFC6438"/>:</t> for IPv6 devices only. According to <xref target="RFC6438" format="defau
lt"/>:</t>
<t>"At intermediate routers that perform load balancing, the hash <blockquote>At intermediate routers that perform load distribution, the
hash
algorithm used to determine the outgoing component-link in an ECMP algorithm used to determine the outgoing component-link in an ECMP
and/or LAG toward the next hop MUST minimally include the 3-tuple and/or LAG toward the next hop <bcp14>MUST</bcp14> minimally include the
{dest addr, source addr, flow label} and MAY also include the 3-tuple
remaining components of the 5-tuple."</t> {dest addr, source addr, flow label} and <bcp14>MAY</bcp14> also include
the
remaining components of the 5-tuple.</blockquote>
<t>If the algorithm includes only the 3-tuple {dest addr, source addr, <t>If the algorithm includes only the 3-tuple {dest addr, source addr,
flow label}, it will assign all fragments belonging to a packet to the flow label}, it will assign all fragments belonging to a packet to the
same link. (See <xref target="RFC6437"/> and <xref same link. (See <xref target="RFC6437" format="default"/> and <xref targ
target="RFC7098"/>).</t> et="RFC7098" format="default"/>).</t>
<t>In order to avoid the problem described above, implementations <t>In order to avoid the problem described above, implementations
SHOULD implement the recommendations provided in <xref <bcp14>SHOULD</bcp14> implement the recommendations provided in <xref ta
target="lagrec"/> of this document.</t> rget="lagrec" format="default"/> of this document.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="IPv4 Reassembly Errors at High Data Rates"> <name>IPv4 Reassembly Errors at High Data Rates</name>
<t>IPv4 fragmentation is not sufficiently robust for use under some <t>IPv4 fragmentation is not sufficiently robust for use under some
conditions in today's Internet. At high data rates, the 16-bit IP conditions in today's Internet. At high data rates, the 16-bit IP
identification field is not large enough to prevent duplicate IDs result ing in frequent identification field is not large enough to prevent duplicate IDs, resul ting in frequent
incorrectly assembled IP fragments, and the TCP and UDP checksums are incorrectly assembled IP fragments, and the TCP and UDP checksums are
insufficient to prevent the resulting corrupted datagrams from being insufficient to prevent the resulting corrupted datagrams from being
delivered to higher protocol layers. <xref target="RFC4963"/> delivered to upper-layer protocols. <xref target="RFC4963" format="defau lt"/>
describes some easily reproduced experiments demonstrating the describes some easily reproduced experiments demonstrating the
problem, and discusses some of the operational implications of these problem and discusses some of the operational implications of these
observations.</t> observations.</t>
<t>These reassembly issues do not occur as frequently in IPv6 because <t>These reassembly issues do not occur as frequently in IPv6 because
the IPv6 identification field is 32 bits long.</t> the IPv6 identification field is 32 bits long.</t>
</section> </section>
<section anchor="at" numbered="true" toc="default">
<section anchor="at" title="Security Vulnerabilities"> <name>Security Vulnerabilities</name>
<t>Security researchers have documented several attacks that exploit <t>Security researchers have documented several attacks that exploit
IP fragmentation. The following are examples:</t> IP fragmentation. The following are examples:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>Overlapping fragment attacks <xref target="RFC1858" format="defaul
<t>Overlapping fragment attacks <xref target="RFC1858"/><xref t"/>
target="RFC3128"/><xref target="RFC5722"/></t> <xref target="RFC3128" format="default"/> <xref target="RFC5722" forma
t="default"/>.</li>
<t>Resource exhaustion attacks</t> <li>Resource exhaustion attacks.</li>
<li>Attacks based on predictable fragment identification values
<t>Attacks based on predictable fragment identification values <xref target="RFC7739" format="default"/>.</li>
<xref target="RFC7739"/></t> <li>Evasion of Network Intrusion Detection Systems (NIDS) <xref target
="Ptacek1998" format="default"/>.</li>
<t>Evasion of Network Intrusion Detection Systems (NIDS) <xref </ul>
target="Ptacek1998"/></t>
</list></t>
<t>In the overlapping fragment attack, an attacker constructs a series <t>In the overlapping fragment attack, an attacker constructs a series
of packet fragments. The first fragment contains an IP header, a of packet fragments. The first fragment contains an IP header, a
transport-layer header, and some transport-layer payload. This transport-layer header, and some transport-layer payload. This
fragment complies with local security policy and is allowed to pass fragment complies with local security policy and is allowed to pass
through a stateless firewall. A second fragment, having a non-zero through a stateless firewall. A second fragment, having a nonzero
offset, overlaps with the first fragment. The second fragment also offset, overlaps with the first fragment. The second fragment also
passes through the stateless firewall. When the packet is reassembled, passes through the stateless firewall. When the packet is reassembled,
the transport layer header from the first fragment is overwritten by the transport-layer header from the first fragment is overwritten by
data from the second fragment. The reassembled packet does not comply data from the second fragment. The reassembled packet does not comply
with local security policy. Had it traversed the firewall in one with local security policy. Had it traversed the firewall in one
piece, the firewall would have rejected it.</t> piece, the firewall would have rejected it.</t>
<t>A stateless firewall cannot protect against the overlapping <t>A stateless firewall cannot protect against the overlapping
fragment attack. However, destination nodes can protect against the fragment attack. However, destination nodes can protect against the
overlapping fragment attack by implementing the procedures described overlapping fragment attack by implementing the procedures described
in RFC 1858, RFC 3128 and RFC 8200. These reassembly procedures detect in RFC 1858, RFC 3128, and RFC 8200. These reassembly procedures detect
the overlap and discard the packet.</t> the overlap and discard the packet.</t>
<t>The fragment reassembly algorithm is a stateful procedure in an <t>The fragment reassembly algorithm is a stateful procedure in an
otherwise stateless protocol. Therefore, it can be exploited by otherwise stateless protocol. Therefore, it can be exploited by
resource exhaustion attacks. An attacker can construct a series of resource exhaustion attacks. An attacker can construct a series of
fragmented packets, with one fragment missing from each packet so that fragmented packets with one fragment missing from each packet so that
the reassembly is impossible. Thus, this attack causes resource the reassembly is impossible. Thus, this attack causes resource
exhaustion on the destination node, possibly denying reassembly exhaustion on the destination node, possibly denying reassembly
services to other flows. This type of attack can be mitigated by services to other flows. This type of attack can be mitigated by
flushing fragment reassembly buffers when necessary, at the expense of flushing fragment reassembly buffers when necessary, at the expense of
possibly dropping legitimate fragments.</t> possibly dropping legitimate fragments.</t>
<t>Each IP fragment contains an "Identification" field that <t>Each IP fragment contains an "Identification" field that
destination nodes use to reassemble fragmented packets. Some destination nodes use to reassemble fragmented packets. Some
implementations set the Identification field to a predictable value, implementations set the Identification field to a predictable value,
thus making it easy for an attacker to forge malicious IP fragments thus making it easy for an attacker to forge malicious IP fragments
that would cause the reassembly procedure for legitimate packets to that would cause the reassembly procedure for legitimate packets to
fail.</t> fail.</t>
<t>NIDS aims at identifying malicious activity by analyzing network <t>NIDS aims at identifying malicious activity by analyzing network
traffic. Ambiguity in the possible result of the fragment reassembly traffic. Ambiguity in the possible result of the fragment reassembly
process may allow an attacker to evade these systems. Many of these process may allow an attacker to evade these systems. Many of these
systems try to mitigate some of these evasion techniques (e.g. By systems try to mitigate some of these evasion techniques (e.g., by
computing all possible outcomes of the fragment reassembly process, at computing all possible outcomes of the fragment reassembly process, at
the expense of increased processing requirements).</t> the expense of increased processing requirements).</t>
</section> </section>
<section anchor="PTB" numbered="true" toc="default">
<section anchor="PTB" title="PMTU Blackholing Due to ICMP Loss"> <name>PMTU Black-Holing Due to ICMP Loss</name>
<t>As mentioned in <xref target="upper" format="default"/>, upper-layer
<t>As mentioned in <xref target="upper"/>, upper-layer protocols can protocols can
be configured to rely on PMTUD. Because PMTUD relies upon the network be configured to rely on PMTUD. Because PMTUD relies upon the network
to deliver ICMP PTB messages, those protocols also rely on the to deliver ICMP PTB messages, those protocols also rely on the
networks to deliver ICMP PTB messages.</t> networks to deliver ICMP PTB messages.</t>
<t>According to <xref target="RFC4890" format="default"/>, ICMPv6 PTB me
<t>According to <xref target="RFC4890"/>, ICMPv6 PTB messages must not ssages must not
be filtered. However, ICMP PTB delivery is not reliable. It is subject be filtered. However, ICMP PTB delivery is not reliable. It is subject
to both transient and persistent loss.</t> to both transient and persistent loss.</t>
<t>Transient loss of ICMP PTB messages can cause transient PMTU black <t>Transient loss of ICMP PTB messages can cause transient PMTU black
holes. When the conditions contributing to transient loss abate, the holes. When the conditions contributing to transient loss abate, the
network regains its ability to deliver ICMP PTB messages and network regains its ability to deliver ICMP PTB messages and
connectivity between the source and destination nodes is restored. connectivity between the source and destination nodes is restored.
<xref target="transLoss"/> of this document describes conditions that <xref target="transLoss" format="default"/> of this document describes c onditions that
lead to transient loss of ICMP PTB messages.</t> lead to transient loss of ICMP PTB messages.</t>
<t>Persistent loss of ICMP PTB messages can cause persistent black <t>Persistent loss of ICMP PTB messages can cause persistent black
holes. <xref target="CPE"/>, <xref target="Anycast"/>, and <xref holes. Sections <xref target="CPE" format="counter"/>, <xref target="Any
target="unidirectional"/> of this document describe conditions that cast" format="counter"/>,
and <xref target="unidirectional" format="counter"/> of this document de
scribe conditions that
lead to persistent loss of ICMP PTB messages.</t> lead to persistent loss of ICMP PTB messages.</t>
<t>The problem described in this section is specific to PMTUD. It does <t>The problem described in this section is specific to PMTUD. It does
not occur when the upper-layer protocol obtains its PMTU estimate from not occur when the upper-layer protocol obtains its PMTU estimate from
PLPMTUD or from any other source.</t> PLPMTUD or from any other source.</t>
<section anchor="transLoss" numbered="true" toc="default">
<section anchor="transLoss" title="Transient Loss"> <name>Transient Loss</name>
<t>The following factors can contribute to transient loss of ICMP <t>The following factors can contribute to transient loss of ICMP
PTB messages:</t> PTB messages:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>Network congestion.</li>
<t>Network congestion.</t> <li>Packet corruption.</li>
<li>Transient routing loops.</li>
<t>Packet corruption.</t> <li>ICMP rate limiting.</li>
</ul>
<t>Transient routing loops.</t>
<t>ICMP rate limiting.</t>
</list></t>
<t>The effect of rate limiting may be severe, as RFC 4443 recommends <t>The effect of rate limiting may be severe, as RFC 4443 recommends
strict rate limiting of ICMPv6 traffic.</t> strict rate limiting of ICMPv6 traffic.</t>
</section> </section>
<section anchor="CPE" numbered="true" toc="default">
<section anchor="CPE" <name>Incorrect Implementation of Security Policy</name>
title="Incorrect Implementation of Security Policy">
<t>Incorrect implementation of security policy can cause persistent <t>Incorrect implementation of security policy can cause persistent
loss of ICMP PTB messages.</t> loss of ICMP PTB messages.</t>
<t>For example, assume that a Customer Premises Equipment (CPE) router
<t>For example assume that a Customer Premise Equipment (CPE) router i implements
mplements
the following zone-based security policy:</t> the following zone-based security policy:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>Allow any traffic to flow from the inside zone to the outside
<t>Allow any traffic to flow from the inside zone to the outside zone.</li>
zone.</t> <li>Do not allow any traffic to flow from the outside zone to the
<t>Do not allow any traffic to flow from the outside zone to the
inside zone unless it is part of an existing flow (i.e., it was inside zone unless it is part of an existing flow (i.e., it was
elicited by an outbound packet).</t> elicited by an outbound packet).</li>
</ul>
</list>When a correct implementation of the above-mentioned <t>When a correct implementation of the above-mentioned
security policy receives an ICMP PTB message, it examines the ICMP security policy receives an ICMP PTB message, it examines the ICMP
PTB payload in order to determine whether the original packet (i.e., PTB payload in order to determine whether the original packet (i.e.,
the packet that elicited the ICMP PTB message) belonged to an the packet that elicited the ICMP PTB message) belonged to an
existing flow. If the original packet belonged to an existing flow, existing flow. If the original packet belonged to an existing flow,
the implementation allows the ICMP PTB to flow from the outside zone the implementation allows the ICMP PTB to flow from the outside zone
to the inside zone. If not, the implementation discards the ICMP PTB to the inside zone. If not, the implementation discards the ICMP PTB
message.</t> message.</t>
<t>When an incorrect implementation of the above-mentioned security <t>When an incorrect implementation of the above-mentioned security
policy receives an ICMP PTB message, it discards the packet because policy receives an ICMP PTB message, it discards the packet because
its source address is not associated with an existing flow.</t> its source address is not associated with an existing flow.</t>
<t>The security policy described above has been implemented incorrectl y on <t>The security policy described above has been implemented incorrectl y on
many consumer CPE routers.</t> many consumer CPE routers.</t>
</section> </section>
<section anchor="Anycast" numbered="true" toc="default">
<section anchor="Anycast" title="Persistent Loss Caused By Anycast "> <name>Persistent Loss Caused by Anycast</name>
<t>Anycast can cause persistent loss of ICMP PTB messages. Consider <t>Anycast can cause persistent loss of ICMP PTB messages. Consider
the example below:</t> the example below:</t>
<t>A DNS client sends a request to an anycast address. The network <t>A DNS client sends a request to an anycast address. The network
routes that DNS request to the nearest instance of that anycast routes that DNS request to the nearest instance of that anycast
address (i.e., a DNS Server). The DNS server generates a response address (i.e., a DNS server). The DNS server generates a response
and sends it back to the DNS client. While the response does not and sends it back to the DNS client. While the response does not
exceed the DNS server's PMTU estimate, it does exceed the actual exceed the DNS server's PMTU estimate, it does exceed the actual
PMTU.</t> PMTU.</t>
<t>A downstream router drops the packet and sends an ICMP PTB <t>A downstream router drops the packet and sends an ICMP PTB
message the packet's source (i.e., the anycast address). The network message the packet's source (i.e., the anycast address). The network
routes the ICMP PTB message to the anycast instance closest to the routes the ICMP PTB message to the anycast instance closest to the
downstream router. That anycast instance may not be the DNS server downstream router. That anycast instance may not be the DNS server
that originated the DNS response. It may be another DNS server with that originated the DNS response. It may be another DNS server with
the same anycast address. The DNS server that originated the the same anycast address. The DNS server that originated the
response may never receive the ICMP PTB message and may never update response may never receive the ICMP PTB message and may never update
its PMTU estimate.</t> its PMTU estimate.</t>
</section> </section>
<section anchor="unidirectional" numbered="true" toc="default">
<section anchor="unidirectional" <name>Persistent Loss Caused by Unidirectional Routing</name>
title="Persistent Loss Caused By Unidirectional Routing">
<t>Unidirectional routing can cause persistent loss of ICMP PTB <t>Unidirectional routing can cause persistent loss of ICMP PTB
messages. Consider the example below:</t> messages. Consider the example below:</t>
<t>A source node sends a packet to a destination node. All <t>A source node sends a packet to a destination node. All
intermediate nodes maintain a route to the destination node, but do intermediate nodes maintain a route to the destination node but do
not maintain a route to the source node. In this case, when an not maintain a route to the source node. In this case, when an
intermediate node encounters an MTU issue, it cannot send an ICMP intermediate node encounters an MTU issue, it cannot send an ICMP
PTB message to the source node.</t> PTB message to the source node.</t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Blackholing Due To Filtering or Loss"> <name>Black-Holing Due to Filtering or Loss</name>
<t>In RFC 7872, researchers sampled Internet paths to determine <t>In RFC 7872, researchers sampled Internet paths to determine
whether they would convey packets that contain IPv6 extension headers. whether they would convey packets that contain IPv6 extension headers.
Sampled paths terminated at popular Internet sites (e.g., popular web, Sampled paths terminated at popular Internet sites (e.g., popular web,
mail and DNS servers).</t> mail, and DNS servers).</t>
<t>The study revealed that at least 28% of the sampled paths did not <t>The study revealed that at least 28% of the sampled paths did not
convey packets containing the IPv6 Fragment extension header. In most convey packets containing the IPv6 Fragment extension header. In most
cases, fragments were dropped in the destination autonomous system. In cases, fragments were dropped in the destination autonomous system. In
other cases, the fragments were dropped in transit autonomous other cases, the fragments were dropped in transit autonomous
systems.</t> systems.</t>
<t>Another <xref target="Huston" format="default">study</xref> confirmed
<t>Another <xref target="Huston">study</xref> confirmed this this
finding. It reported that 37% of sampled endpoints used IPv6-capable finding. It reported that 37% of sampled endpoints used IPv6-capable
DNS resolvers that were incapable of receiving a fragmented IPv6 DNS resolvers that were incapable of receiving a fragmented IPv6
response.</t> response.</t>
<t>It is difficult to determine why network operators drop fragments. <t>It is difficult to determine why network operators drop fragments.
Possible causes follow:</t> Possible causes follow:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>Hardware inability to process fragmented packets.</li>
<t>Hardware inability to process fragmented packets.</t> <li>Failure to change vendor defaults.</li>
<li>Unintentional misconfiguration.</li>
<t>Failure to change vendor defaults.</t> <li>Intentional configuration (e.g., network operators consciously
<t>Unintentional misconfiguration.</t>
<t>Intentional configuration (e.g., network operators consciously
chooses to drop IPv6 fragments in order to address the issues chooses to drop IPv6 fragments in order to address the issues
raised in <xref target="mb"/> through <xref target="PTB"/>, raised in Sections <xref target="mb" format="counter"/> through <xre
above.)</t> f target="PTB" format="counter"/>,
</list></t> above.)</li>
</ul>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Alternatives to IP Fragmentation"> <name>Alternatives to IP Fragmentation</name>
<t/> <t/>
<section numbered="true" toc="default">
<section title="Transport Layer Solutions"> <name>Transport-Layer Solutions</name>
<t>The <xref target="RFC0793">Transport Control Protocol (TCP)</xref>) <t>The <xref target="RFC0793" format="default">Transport Control Protoco
l (TCP)</xref>)
can be operated in a mode that does not require IP fragmentation.</t> can be operated in a mode that does not require IP fragmentation.</t>
<t>Applications submit a stream of data to TCP. TCP divides that <t>Applications submit a stream of data to TCP. TCP divides that
stream of data into segments, with no segment exceeding the TCP stream of data into segments, with no segment exceeding the TCP
Maximum Segment Size (MSS). Each segment is encapsulated in a TCP Maximum Segment Size (MSS). Each segment is encapsulated in a TCP
header and submitted to the underlying IP module. The underlying IP header and submitted to the underlying IP module. The underlying IP
module prepends an IP header and forwards the resulting packet.</t> module prepends an IP header and forwards the resulting packet.</t>
<t>If the TCP MSS is sufficiently small, then the underlying IP module
<t>If the TCP MSS is sufficiently small, the underlying IP module
never produces a packet whose length is greater than the actual PMTU. never produces a packet whose length is greater than the actual PMTU.
Therefore, IP fragmentation is not required.</t> Therefore, IP fragmentation is not required.</t>
<t>TCP offers the following mechanisms for MSS management:</t> <t>TCP offers the following mechanisms for MSS management:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>Manual configuration.</li>
<t>Manual configuration</t> <li>PMTUD.</li>
<li>PLPMTUD.</li>
<t>PMTUD</t> </ul>
<t>PLPMTUD</t>
</list></t>
<t>Manual configuration is always applicable. If the MSS is configured <t>Manual configuration is always applicable. If the MSS is configured
to a sufficiently low value, the IP layer will never produce a packet to a sufficiently low value, the IP layer will never produce a packet
whose length is greater than the protocol minimum link MTU. However, whose length is greater than the protocol minimum link MTU. However,
manual configuration prevents TCP from taking advantage of larger link manual configuration prevents TCP from taking advantage of larger link
MTU's.</t> MTUs.</t>
<t>Upper-layer protocols can implement PMTUD in order to discover and <t>Upper-layer protocols can implement PMTUD in order to discover and
take advantage of larger path MTUs. However, as mentioned in <xref take advantage of larger Path MTUs. However, as mentioned in
target="pmtu"/>, PMTUD relies upon the network to deliver ICMP PTB <xref target="pmtu" format="default"/>, PMTUD relies upon the network to
deliver ICMP PTB
messages. Therefore, PMTUD can only provide an estimate of the PMTU in messages. Therefore, PMTUD can only provide an estimate of the PMTU in
environments where the risk of ICMP PTB loss is acceptable (e.g., environments where the risk of ICMP PTB loss is acceptable (e.g.,
known to not be filtered).</t> known to not be filtered).</t>
<t>By contrast, PLPMTUD does not rely upon the network's ability to <t>By contrast, PLPMTUD does not rely upon the network's ability to
deliver ICMP PTB messages. It utilises probe messages sent as TCP deliver ICMP PTB messages. It utilizes probe messages sent as TCP
segments to determine whether the probed PMTU can be successfully used segments to determine whether the probed PMTU can be successfully used
across the network path. In PLPMTUD, probing is separated from across the network path. In PLPMTUD, probing is separated from
congestion control, so that loss of a TCP probe segment does not cause congestion control, so that loss of a TCP probe segment does not cause
a reduction of the congestion control window. <xref target="RFC4821"/> a reduction of the congestion control window. <xref target="RFC4821" for mat="default"/>
defines PLPMTUD procedures for TCP.</t> defines PLPMTUD procedures for TCP.</t>
<t>While TCP will never knowingly cause the underlying IP module to <t>While TCP will never knowingly cause the underlying IP module to
emit a packet that is larger than the PMTU estimate, it can cause the emit a packet that is larger than the PMTU estimate, it can cause the
underlying IP module to emit a packet that is larger than the actual underlying IP module to emit a packet that is larger than the actual
PMTU. For example, if routing changes and as a result the PMTU becomes PMTU. For example, if routing changes and as a result the PMTU becomes
smaller, TCP will not know until the ICMP PTB message arrives. If this smaller, TCP will not know until the ICMP PTB message arrives. If this
occurs, the packet is dropped, the PMTU estimate is updated, the occurs, the packet is dropped, the PMTU estimate is updated, the
segment is divided into smaller segments and each smaller segment is segment is divided into smaller segments, and each smaller segment is
submitted to the underlying IP module.</t> submitted to the underlying IP module.</t>
<t>The <xref target="RFC4340" format="default">Datagram Congestion Contr
<t>The <xref target="RFC4340">Datagram Congestion Control Protocol ol Protocol
(DCCP)</xref> and the <xref target="RFC4960">Stream Control Transport (DCCP)</xref> and the <xref target="RFC4960" format="default">Stream Con
trol Transmission
Protocol (SCTP)</xref> also can be operated in a mode that does not Protocol (SCTP)</xref> also can be operated in a mode that does not
require IP fragmentation. They both accept data from an application require IP fragmentation. They both accept data from an application
and divide that data into segments, with no segment exceeding a and divide that data into segments, with no segment exceeding a
maximum size. maximum size.
</t> </t>
<t>DCCP offers manual configuration, <t>DCCP offers manual configuration,
PMTUD, and PLPMTUD as mechanisms for managing that maximum size. PMTUD, and PLPMTUD as mechanisms for managing that maximum size.
Datagram protocols can also implement PLPMTUD to estimate the PMTU Datagram protocols can also implement PLPMTUD to estimate the PMTU
via<xref target="I-D.ietf-tsvwg-datagram-plpmtud"/>. This proposes via <xref target="RFC8899" format="default"/>. This proposes
procedures for performing PLPMTUD with UDP, UDP-Options, SCTP, QUIC procedures for performing PLPMTUD with UDP, UDP options, SCTP, QUIC,
and other datagram protocols.</t> and other datagram protocols.</t>
<t>Currently, <xref target="RFC0768" format="default">User Datagram Prot
<t>Currently, <xref target="RFC0768">User Datagram Protocol (UDP)</xref> ocol (UDP)</xref>
lacks a fragmentation mechanism of its own and relies on IP lacks a fragmentation mechanism of its own and relies on IP
fragmentation. However, <xref target="I-D.ietf-tsvwg-udp-options"/> fragmentation. However, <xref target="I-D.ietf-tsvwg-udp-options" format ="default"/>
proposes a fragmentation mechanism for UDP.</t> proposes a fragmentation mechanism for UDP.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Application Layer Solutions"> <name>Application-Layer Solutions</name>
<t><xref target="RFC8085"/> recognizes that IP fragmentation reduces <t><xref target="RFC8085" format="default"/> recognizes that IP fragment
ation reduces
the reliability of Internet communication. It also recognizes that UDP the reliability of Internet communication. It also recognizes that UDP
lacks a fragmentation mechanism of its own and relies on IP lacks a fragmentation mechanism of its own and relies on IP
fragmentation. Therefore, <xref target="RFC8085"/> offers the fragmentation. Therefore, <xref target="RFC8085" format="default"/> offe
following advice regarding applications the run over the UDP.</t> rs the
following advice regarding applications the run over the UDP:</t>
<t>"An application SHOULD NOT send UDP datagrams that result in IP <blockquote>An application <bcp14>SHOULD NOT</bcp14> send UDP datagrams
that result in IP
packets that exceed the Maximum Transmission Unit (MTU) along the path packets that exceed the Maximum Transmission Unit (MTU) along the path
to the destination. Consequently, an application SHOULD either use the to the destination. Consequently, an application <bcp14>SHOULD</bcp14> e ither use the
path MTU information provided by the IP layer or implement Path MTU path MTU information provided by the IP layer or implement Path MTU
Discovery (PMTUD) itself to determine whether the path to a Discovery (PMTUD) itself <xref target="RFC1191" format="default"/>
<xref target="RFC1981" format="default"/> <xref target="RFC4821" format=
"default"/> to determine whether the path to a
destination will support its desired message size without destination will support its desired message size without
fragmentation."</t> fragmentation.</blockquote>
<t>RFC 8085 continues:</t> <t>RFC 8085 continues:</t>
<blockquote>Applications that do not follow the recommendation to do
<t>"Applications that do not follow the recommendation to do PMTU/PLPMTUD discovery <bcp14>SHOULD</bcp14> still avoid sending UDP dat
PMTU/PLPMTUD discovery SHOULD still avoid sending UDP datagrams that agrams that
would result in IP packets that exceed the path MTU. Because the would result in IP packets that exceed the path MTU. Because the
actual path MTU is unknown, such applications SHOULD fall back to actual path MTU is unknown, such applications <bcp14>SHOULD</bcp14> fall back to
sending messages that are shorter than the default effective MTU for sending messages that are shorter than the default effective MTU for
sending (EMTU_S in <xref target="RFC1122"/>). For IPv4, EMTU_S is the sending (EMTU_S in <xref target="RFC1122" format="default"/>). For IPv4,
smaller of 576 bytes and the first-hop MTU. For IPv6, EMTU_S is 1280 EMTU_S is the
bytes <xref target="RFC8200"/>. The effective PMTU for a directly smaller of 576 bytes and the first-hop MTU <xref target="RFC1122" format
="default"/>. For IPv6, EMTU_S is 1280
bytes <xref target="RFC2460" format="default"/>. The effective PMTU for
a directly
connected destination (with no routers on the path) is the configured connected destination (with no routers on the path) is the configured
interface MTU, which could be less than the maximum link payload size. interface MTU, which could be less than the maximum link payload size.
Transmission of minimum-sized UDP datagrams is inefficient over paths Transmission of minimum-sized UDP datagrams is inefficient over paths
that support a larger PMTU, which is a second reason to implement PMTU that support a larger PMTU, which is a second reason to implement PMTU
discovery."</t> discovery.</blockquote>
<t>RFC 8085 assumes that for IPv4 an EMTU_S of 576 is sufficiently
<t>RFC 8085 assumes that for IPv4, an EMTU_S of 576 is sufficiently
small to be supported by most current Internet small to be supported by most current Internet
paths, even though the IPv4 minimum link MTU is 68 bytes.</t> paths, even though the IPv4 minimum link MTU is 68 octets.</t>
<t>This advice applies equally to any application that runs directly <t>This advice applies equally to any application that runs directly
over IP.</t> over IP.</t>
</section> </section>
</section> </section>
<section anchor="rely" numbered="true" toc="default">
<section anchor="rely" <name>Applications That Rely on IPv6 Fragmentation</name>
title="Applications That Rely on IPv6 Fragmentation">
<t>The following applications rely on IPv6 fragmentation:</t> <t>The following applications rely on IPv6 fragmentation:</t>
<ul spacing="normal">
<t><list style="symbols"> <li><xref target="RFC1035" format="default">DNS</xref>.</li>
<t><xref target="RFC1035">DNS </xref></t> <li><xref target="RFC2328" format="default">OSPFv2</xref>.</li>
<li><xref target="RFC5340" format="default">OSPFv3</xref>.</li>
<t><xref target="RFC2328">OSPFv3</xref><xref target="RFC5340"> <li>Packet-in-packet encapsulations.</li>
</xref></t> </ul>
<t>Each of these applications relies on IPv6 fragmentation to a
<t>Packet-in-packet encapsulations</t> varying degree. In some cases, that reliance is essential and cannot be
</list>Each of these applications relies on IPv6 fragmentation to a
varying degree. In some cases, that reliance is essential, and cannot be
broken without fundamentally changing the protocol. In other cases, that broken without fundamentally changing the protocol. In other cases, that
reliance is incidental, and most implementations already take reliance is incidental, and most implementations already take
appropriate steps to avoid fragmentation.</t> appropriate steps to avoid fragmentation.</t>
<t>This list is not comprehensive, and other protocols that rely on IP <t>This list is not comprehensive, and other protocols that rely on IP
fragmentation may exist. They are not specifically considered in the fragmentation may exist. They are not specifically considered in the
context of this document.</t> context of this document.</t>
<section numbered="true" toc="default">
<section title="Domain Name Service (DNS)"> <name>Domain Name Service (DNS)</name>
<t>DNS relies on UDP for efficiency, and the consequence is the use of <t>DNS relies on UDP for efficiency, and the consequence is the use of
IP fragmentation for large responses, as permitted by the DNS EDNS0 IP fragmentation for large responses, as permitted by the Extension Mech anisms for DNS (EDNS0)
options in the query. It is possible to mitigate the issue of options in the query. It is possible to mitigate the issue of
fragmentation-based packet loss by having queries use smaller EDNS0 fragmentation-based packet loss by having queries use smaller EDNS0
UDP buffer sizes, or by having the DNS server limit the size of its UDP buffer sizes or by having the DNS server limit the size of its
UDP responses to some self-imposed maximum packet size that may be UDP responses to some self-imposed maximum packet size that may be
less than the preferred EDNS0 UDP Buffer Size. In both cases, large less than the preferred EDNS0 UDP buffer size. In both cases, large
responses are truncated in the DNS, signaling to the client to responses are truncated in the DNS, signaling to the client to
re-query using TCP to obtain the complete response. However, the re-query using TCP to obtain the complete response. However, the
operational issue of the partial level of support for DNS over TCP, operational issue of the partial level of support for DNS over TCP,
particularly in the case where IPv6 transport is being used, becomes a particularly in the case where IPv6 transport is being used, becomes a
limiting factor of the efficacy of this approach <xref limiting factor of the efficacy of this approach <xref target="Damas" fo
target="Damas"/>.</t> rmat="default"/>.</t>
<t>Larger DNS responses can normally be avoided by aggressively <t>Larger DNS responses can normally be avoided by aggressively
pruning the Additional section of DNS responses. One scenario where pruning the Additional section of DNS responses. One scenario where
such pruning is ineffective is in the use of DNSSEC, where large key such pruning is ineffective is in the use of DNSSEC, where large key
sizes act to increase the response size to certain DNS queries. There sizes act to increase the response size to certain DNS queries. There
is no effective response to this situation within the DNS other than is no effective response to this situation within the DNS other than
using smaller cryptographic keys and adoption of DNSSEC administrative using smaller cryptographic keys and adopting of DNSSEC administrative
practices that attempt to keep DNS response as short as possible.</t> practices that attempt to keep DNS response as short as possible.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Open Shortest Path First (OSPF)"> <name>Open Shortest Path First (OSPF)</name>
<t>OSPF implementations can emit messages large enough to cause <t>OSPF implementations can emit messages large enough to cause
fragmentation. However, in order to optimize performance, most OSPF fragmentation. However, in order to optimize performance, most OSPF
implementations restrict their maximum message size to a value that implementations restrict their maximum message size to a value that
will not cause fragmentation.</t> will not cause fragmentation.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Packet-in-Packet Encapsulations"> <name>Packet-in-Packet Encapsulations</name>
<t> This document acknowledges that in some cases, packets must
<t> This document acknowledges that in some cases, packets must
be fragmented within IP-in-IP tunnels. Therefore, this document be fragmented within IP-in-IP tunnels. Therefore, this document
makes no additional recommendations regarding IP-in-IP makes no additional recommendations regarding IP-in-IP
tunnels.</t> tunnels.</t>
<t>In this document, packet-in-packet encapsulations include
<t>In this document, packet-in-packet encapsulations include <xref <xref target="RFC2003" format="default">IP-in-IP</xref>,
target="RFC2003">IP-in-IP </xref>, <xref target="RFC2784">Generic <xref target="RFC2784" format="default">Generic Routing Encapsulation (G
Routing Encapsulation (GRE) </xref>, <xref RE)</xref>,
target="RFC8086">GRE-in-UDP</xref> and <xref target="RFC2473">Generic <xref target="RFC8086" format="default">GRE-in-UDP</xref>, and
Packet Tunneling in IPv6</xref>. <xref target="RFC4459"/> describes <xref target="RFC2473" format="default">Generic Packet Tunneling in IPv6
</xref>.
<xref target="RFC4459" format="default"/> describes
fragmentation issues associated with all of the above-mentioned fragmentation issues associated with all of the above-mentioned
encapsulations.</t> encapsulations.</t>
<t>The fragmentation strategy described for GRE in
<t>The fragmentation strategy described for GRE in <xref <xref target="RFC7588" format="default"/> has been deployed for all of t
target="RFC7588"/> has been deployed for all of the above-mentioned he above-mentioned
encapsulations. This strategy does not rely on IP fragmentation except encapsulations. This strategy does not rely on IP fragmentation except
in one corner case. (see Section 3.3.2.2 of RFC 7588 and Section 7.1 in one corner case.
of RFC 2473). Section 3.3 of <xref target="RFC7676"/> further (See <xref target="RFC7588" section="3.3.2.2" sectionFormat="of" format=
"default"/>
and <xref target="RFC2473" section="7.1" sectionFormat="of" format="defa
ult"/>.)
<xref target="RFC7676" section="3.3" sectionFormat="of" format="default"
/> further
describes this corner case.</t> describes this corner case.</t>
<t>See <xref target="I-D.ietf-intarea-tunnels" format="default"/> for fu
<t>See <xref target="I-D.ietf-intarea-tunnels"/> for further rther
discussion.</t> discussion.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="UDP Applications Enhancing Performance"> <name>UDP Applications Enhancing Performance</name>
<t>Some UDP applications rely on IP fragmentation to achieve <t>Some UDP applications rely on IP fragmentation to achieve
acceptable levels of performance. These applications use UDP datagram acceptable levels of performance. These applications use UDP datagram
sizes that are larger than the path MTU so that more data can be sizes that are larger than the Path MTU so that more data can be
conveyed between the application and the kernel in a single system conveyed between the application and the kernel in a single system
call.</t> call.</t>
<t>To pick one example, the <xref target="RFC5326" format="default">Lick
<t>To pick one example, the <xref target="RFC5326">Licklider lider
Transmission Protocol (LTP),</xref>which is in current use on the Transmission Protocol (LTP)</xref>, which is in current use on the
International Space Station (ISS), uses UDP datagram sizes larger than International Space Station (ISS), uses UDP datagram sizes larger than
the path MTU to achieve acceptable levels of performance even though the Path MTU to achieve acceptable levels of performance even though
this invokes IP fragmentation. More generally, SNMP and video this invokes IP fragmentation. More generally, SNMP and video
applications may transmit an application-layer quantum of data, applications may transmit an application-layer quantum of data,
depending on the network layer to fragment and reassemble as depending on the network layer to fragment and reassemble as
needed.</t> needed.</t>
<t/> <t/>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="Recommendations"> <name>Recommendations</name>
<t/> <t/>
<section numbered="true" toc="default">
<section title="For Application and Protocol Developers"> <name>For Application and Protocol Developers</name>
<t>Developers SHOULD NOT develop new protocols or applications that <t>Developers <bcp14>SHOULD NOT</bcp14> develop new protocols or applica
tions that
rely on IP fragmentation. When a new protocol or application is rely on IP fragmentation. When a new protocol or application is
deployed in an environment that does not fully support IP deployed in an environment that does not fully support IP
fragmentation, it SHOULD operate correctly, either in its default fragmentation, it <bcp14>SHOULD</bcp14> operate correctly, either in its default
configuration or in a specified alternative configuration.</t> configuration or in a specified alternative configuration.</t>
<t>While there may be controlled environments where IP <t>While there may be controlled environments where IP
fragmentation fragmentation
works reliably, this is a deployment issue and can not be known works reliably, this is a deployment issue and can not be known
to someone developing a new protocol or application. It is not to someone developing a new protocol or application. It is not
recommended that new protocols or applications be developed that recommended that new protocols or applications be developed that
rely on IP fragmentation. rely on IP fragmentation.
<!--
Protocols and applications that rely
on IP fragmentation will fail to work on the Internet.
-->
Protocols and Protocols and
applications that rely on IP fragmentation will work less applications that rely on IP fragmentation will work less
reliably on the Internet. reliably on the Internet.
<!--unless they also include mechanisms to detect that IP </t>
fragmentation isn't working reliably. <t>Legacy protocols that depend upon IP fragmentation <bcp14>SHOULD</bcp
--> 14> be
</t>
<t>Legacy protocols that depend upon IP fragmentation SHOULD be
updated to break that dependency. However, in some cases, there may be updated to break that dependency. However, in some cases, there may be
no viable alternative to IP fragmentation (e.g., IPSEC tunnel mode, no viable alternative to IP fragmentation (e.g., IPSEC tunnel mode,
IP-in-IP encapsulation). IP-in-IP encapsulation).
Applications and protocols cannot necessarily know or control Applications and protocols cannot necessarily know or control
whether they use lower layers or network paths that rely on such whether they use lower layers or network paths that rely on such
fragmentation. fragmentation.
In these cases, the protocol will continue to In these cases, the protocol will continue to
rely on IP fragmentation but should only be used in environments where rely on IP fragmentation but should only be used in environments where
IP fragmentation is known to be supported.</t> IP fragmentation is known to be supported.</t>
<t>Protocols may be able to avoid IP fragmentation by using a <t>Protocols may be able to avoid IP fragmentation by using a
sufficiently small MTU (e.g., The protocol minimum link MTU), disabling sufficiently small MTU (e.g., The protocol minimum link MTU), disabling
IP fragmentation, and ensuring that the transport protocol in use IP fragmentation, and ensuring that the transport protocol in use
adapts its segment size to the MTU. Other protocols may deploy a adapts its segment size to the MTU. Other protocols may deploy a
sufficiently reliable PMTU discovery mechanism (e.g., PLMPTUD). sufficiently reliable PMTU discovery mechanism (e.g., PLPMTUD).
<!-- </t>
The risks of IP fragmentation can also be mitigated through the <t>UDP applications <bcp14>SHOULD</bcp14> abide by the recommendations s
use of encapsulation, e.g., by transmitting IP fragments as tated in
payloads. <xref target="RFC8085" section="3.2" sectionFormat="of" format="default"
</t> />.</t>
<t>UDP applications SHOULD abide by the recommendations stated in
Section 3.2 of <xref target="RFC8085"/>.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="For System Developers"> <name>For System Developers</name>
<t>Software libraries SHOULD include provision for PLPMTUD for each <t>Software libraries <bcp14>SHOULD</bcp14> include provision for PLPMTU
D for each
supported transport protocol.</t> supported transport protocol.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="For Middle Box Developers"> <name>For Middlebox Developers</name>
<t>Middle boxes, which are systems that "transparently" <t>Middleboxes, which are systems that "transparently"
perform policy functions on passing traffic but do not perform policy functions on passing traffic but do not
participate in the routing system, should process IP fragments participate in the routing system, should process IP fragments
in a manner that is consistent with <xref target="RFC0791"/> in a manner that is consistent with <xref target="RFC0791" format="defaul
and <xref target="RFC8200"/>. In many cases, middle boxes t"/>
and <xref target="RFC8200" format="default"/>. In many cases, middleboxe
s
must maintain state in order to achieve this goal.</t> must maintain state in order to achieve this goal.</t>
<t>Price and performance considerations frequently motivate network <t>Price and performance considerations frequently motivate network
operators to deploy stateless middle boxes. These stateless middle operators to deploy stateless middleboxes. These stateless middleboxes
boxes may perform sub-optimally, process IP fragments in a manner that may perform suboptimally, process IP fragments in a manner that is not
is not compliant with RFC 791 or RFC 8200, or even discard IP compliant with RFC 791 or RFC 8200, or even discard IP fragments
fragments completely. Such behaviors are NOT RECOMMENDED. If a completely. Such behaviors are <bcp14>NOT RECOMMENDED</bcp14>. If a
middleboxes implements non-standard behavior with respect to IP middlebox implements nonstandard behavior with respect to IP
fragmentation, then that behavior MUST be clearly documented.</t> fragmentation, then that behavior <bcp14>MUST</bcp14> be clearly
documented.</t>
</section> </section>
<section anchor="lagrec" numbered="true" toc="default">
<section anchor="lagrec" <name>For ECMP, LAG, and Load-Balancer Developers And Operators</name>
title="For ECMP, LAG and Load-Balancer Developers And Operators">
<t>In their default configuration, when the IPv6 Flow Label is not <t>In their default configuration, when the IPv6 Flow Label is not
equal to zero, IPv6 devices that implement Equal-Cost Multipath (ECMP) equal to zero, IPv6 devices that implement Equal-Cost Multipath (ECMP)
Routing as described in <xref target="RFC2328">OSPF</xref> Routing as described in <xref target="RFC2328" format="default">OSPF</xr
and other routing protocols, <xref target="RFC7424">Link ef>
and other routing protocols, <xref target="RFC7424" format="default">Lin
k
Aggregation Grouping (LAG)</xref>, or other load-distribution Aggregation Grouping (LAG)</xref>, or other load-distribution
technologies SHOULD accept only the following fields as input to their technologies <bcp14>SHOULD</bcp14> accept only the following fields as i nput to their
hash algorithm:</t> hash algorithm:</t>
<ul spacing="normal">
<t><list style="symbols"> <li>IP Source Address.</li>
<t>IP Source Address.</t> <li>IP Destination Address.</li>
<li>Flow Label.</li>
<t>IP Destination Address.</t> </ul>
<t>Operators <bcp14>SHOULD</bcp14> deploy these devices in their
<t>Flow Label.</t>
</list></t>
<t>Operators SHOULD deploy these devices in their
default configuration.</t> default configuration.</t>
<t>These recommendations are similar to those presented in <xref target=
<t>These recommendations are similar to those presented in <xref "RFC6438" format="default"/> and <xref target="RFC7098" format="default"/>. They
target="RFC6438"/> and <xref target="RFC7098"/>. They differ in that differ in that
they specify a default configuration.</t> they specify a default configuration.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="For Network Operators"> <name>For Network Operators</name>
<t>Operators MUST ensure proper PMTUD operation in their network, <t>Operators <bcp14>MUST</bcp14> ensure proper PMTUD operation in their
network,
including making sure the network generates PTB packets when including making sure the network generates PTB packets when
dropping packets too large compared to outgoing interface dropping packets too large compared to outgoing interface
MTU. However, implementations MAY rate limit the generation of MTU. However, implementations <bcp14>MAY</bcp14> rate limit the generati
ICMP messages as per <xref target="RFC1812"/> and <xref on of
target="RFC4443"/>.</t> ICMP messages per <xref target="RFC1812" format="default"/> and <xref ta
rget="RFC4443" format="default"/>.</t>
<t>As per RFC 4890, network operators MUST NOT filter ICMPv6 PTB <t>As per RFC 4890, network operators <bcp14>MUST NOT</bcp14> filter ICM
Pv6 PTB
messages unless they are known to be forged or otherwise illegitimate. messages unless they are known to be forged or otherwise illegitimate.
As stated in <xref target="PTB"/>, filtering ICMPv6 PTB packets causes As stated in <xref target="PTB" format="default"/>, filtering ICMPv6 PTB packets causes
PMTUD to fail. Many upper-layer protocols rely on PMTUD.</t> PMTUD to fail. Many upper-layer protocols rely on PMTUD.</t>
<t>As per RFC 8200, network operators <bcp14>MUST NOT</bcp14> deploy IPv
<t>As per RFC 8200, network operators MUST NOT deploy IPv6 links whose 6 links whose
MTU is less than 1280 bytes.</t> MTU is less than 1280 octets.</t>
<t>Network operators <bcp14>SHOULD NOT</bcp14> filter IP fragments if th
<t>Network operators SHOULD NOT filter IP fragments if they are known ey are known
to have originated at a domain name server or be destined for a domain to have originated at a domain name server or be destined for a domain
name server. This is because domain name services are critical to name server. This is because domain name services are critical to
operation of the Internet.</t> operation of the Internet.</t>
</section> </section>
</section> </section>
<section numbered="true" toc="default">
<section title="IANA Considerations"> <name>IANA Considerations</name>
<t>This document makes no request of IANA.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Security Considerations"> <name>Security Considerations</name>
<t>This document mitigates some of the security considerations <t>This document mitigates some of the security considerations
associated with IP fragmentation by discouraging its use. It does not associated with IP fragmentation by discouraging its use. It does not
introduce any new security vulnerabilities, because it does not introduce any new security vulnerabilities, because it does not
introduce any new alternatives to IP fragmentation. Instead, it introduce any new alternatives to IP fragmentation. Instead, it
recommends well-understood alternatives.</t> recommends well-understood alternatives.</t>
</section> </section>
<section title="Acknowledgements">
<t>Thanks to Mikael Abrahamsson, Brian Carpenter, Silambu Chelvan,
Joel Halpern, Lorenzo Colitti, Gorry Fairhurst, Mike Heard, Tom
Herbert, Tatuya Jinmei, Suresh Krishnan, Jen Linkova, Paolo
Lucente, Manoj Nayak, Eric Nygren, Fred Templin and Joe Touch for
their comments.
</t>
</section>
</middle> </middle>
<back> <back>
<references title="Normative References"> <displayreference target="I-D.ietf-intarea-tunnels" to="TUNNELS"/>
<?rfc include="reference.RFC.2119"?> <displayreference target="I-D.ietf-tsvwg-udp-options" to="UDP-OPTIONS"/>
<references>
<?rfc include='reference.RFC.8174'?> <name>References</name>
<references>
<?rfc include='reference.RFC.8085'?> <name>Normative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.8200'?> ence.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.0791'?> ence.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.8201'?> ence.RFC.8085.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.4821'?> ence.RFC.8200.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.1191'?> ence.RFC.0791.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.0792'?> ence.RFC.8201.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.0793'?> ence.RFC.4821.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.0768'?> ence.RFC.1191.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.1035'?> ence.RFC.0792.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.4443'?> ence.RFC.0793.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.6437'?> ence.RFC.0768.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.6438'?> ence.RFC.1035.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.I-D.ietf-tsvwg-datagram-plpmtud'?> ence.RFC.4443.xml"/>
</references> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.6437.xml"/>
<references title="Informative References"> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
<?rfc include='reference.RFC.7872'?> ence.RFC.6438.xml"/>
<?rfc include='reference.RFC.1122'?>
<?rfc include='reference.RFC.1812'?>
<?rfc include='reference.RFC.1858'?>
<?rfc include='reference.RFC.2473'?>
<?rfc include='reference.RFC.4960'?>
<?rfc include='reference.RFC.5927'?>
<?rfc include='reference.RFC.6346'?>
<?rfc include='reference.RFC.4340'?>
<?rfc include='reference.RFC.2003'?>
<?rfc include='reference.RFC.5340'?>
<?rfc include='reference.RFC.4890'?>
<?rfc include='reference.RFC.2784'?>
<?rfc include='reference.RFC.7676'?>
<?rfc include='reference.RFC.5722'?>
<?rfc include='reference.RFC.7739'?>
<?rfc include='reference.RFC.7588'?>
<?rfc include='reference.RFC.8086'?>
<?rfc include='reference.RFC.4459'?>
<?rfc include='reference.RFC.6888'?>
<?rfc include='reference.RFC.4963'?>
<?rfc include='reference.RFC.2328'?>
<?rfc include='reference.RFC.5326'?>
<?rfc include='reference.I-D.ietf-tsvwg-udp-options'?>
<?rfc include='reference.I-D.ietf-intarea-tunnels'?>
<?rfc include='reference.RFC.3128'?>
<?rfc include='reference.RFC.7098'?>
<?rfc include='reference.RFC.7424'?>
<reference anchor="Huston">
<front>
<title>IPv6, Large UDP Packets and the DNS
http://www.potaroo.net/ispcol/2017-08/xtn-hdrs.html</title>
<author fullname="Geoff Huston" initials="G." surname="Huston">
<organization/>
</author>
<date month="August" year="2017"/>
</front>
</reference>
<reference anchor="Kent"
target="http://www.hpl.hp.com/techreports/Compaq-DEC/WRL-87-3.p
df">
<front>
<title>"Fragmentation Considered Harmful", In Proc. SIGCOMM '87
Workshop on Frontiers in Computer Communications Technology, DOI
10.1145/55483.55524</title>
<author fullname="Kent" initials="C. " surname="Kent">
<organization/>
</author>
<author fullname="Mogul" initials="J." surname="Mogul">
<organization/>
<address>
<postal>
<street/>
<city/>
<region/>
<code/>
<country/>
</postal>
<phone/>
<facsimile/>
<email/>
<uri/>
</address>
</author>
<date month="August" year="1987"/>
</front>
</reference>
<reference anchor="Damas"
target="http://www.potaroo.net/ispcol/2018-04/atr.html">
<front>
<title>Measuring ATR</title>
<author fullname="Joao Damas" initials="J." surname="Damas">
<organization/>
</author>
<author fullname="Geoff Huston" initials="G." surname="Huston">
<organization/>
</author>
<date month="April" year="2018"/> <reference anchor="RFC8899" target="https://www.rfc-editor.org/info/rfc8899">
</front> <front>
</reference> <title>
Packetization Layer Path MTU Discovery for Datagram Transports
</title>
<author initials="G" surname="Fairhurst" fullname="Godred Fairhurst">
<organization/>
</author>
<author initials="T" surname="Jones" fullname="Tom Jones">
<organization/>
</author>
<author initials="M" surname="Tüxen" fullname="Michael Tüxen">
<organization/>
</author>
<author initials="I" surname="Rüngeler" fullname="Irene Rüngeler">
<organization/>
</author>
<author initials="T" surname="Völker" fullname="Timo Völker">
<organization/>
</author>
<date month="September" year="2020"/>
</front>
<seriesInfo name="RFC" value="8899"/>
<seriesInfo name="DOI" value="10.17487/RFC8899"/>
</reference>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7872.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.1122.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.1812.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.1858.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.2473.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.4960.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.5927.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.6346.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.4340.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.2003.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.5340.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.4890.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.2784.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7676.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.5722.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7739.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7588.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.8086.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.4459.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.6888.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.4963.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.2328.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.5326.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/refe
rence.I-D.draft-ietf-tsvwg-udp-options-08.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/refe
rence.I-D.draft-ietf-intarea-tunnels-10.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.3128.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7098.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7424.xml"/>
<reference anchor="Huston" target="http://www.potaroo.net/ispcol/2017-08
/xtn-hdrs.html">
<front>
<title>IPv6, Large UDP Packets and the DNS</title>
<author fullname="Geoff Huston" initials="G." surname="Huston">
<organization/>
</author>
<date month="August" year="2017"/>
</front>
</reference>
<reference anchor="Ptacek1998" <reference anchor="Kent" target="http://www.hpl.hp.com/techreports/Compa
target="http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps" q-DEC/WRL-87-3.pdf">
> <front>
<front> <title>Fragmentation Considered Harmful</title>
<title>Insertion, Evasion and Denial of Service: Eluding Network <author fullname="Kent" initials="C. " surname="Kent">
<organization/>
</author>
<author fullname="Mogul" initials="J." surname="Mogul">
<organization/>
</author>
<date month="August" year="1987"/>
</front>
<seriesInfo name="DOI" value="10.1145/55482.55524"/>
<refcontent>SIGCOMM '87: Proceedings of the ACM workshop on Frontiers
in computer communications technology</refcontent>
</reference>
<reference anchor="Damas" target="http://www.potaroo.net/ispcol/2018-04/
atr.html">
<front>
<title>Measuring ATR</title>
<author fullname="Joao Damas" initials="J." surname="Damas">
<organization/>
</author>
<author fullname="Geoff Huston" initials="G." surname="Huston">
<organization/>
</author>
<date month="April" year="2018"/>
</front>
</reference>
<reference anchor="Ptacek1998" target="http://www.aciri.org/vern/Ptacek-
Newsham-Evasion-98.ps">
<front>
<title>Insertion, Evasion and Denial of Service: Eluding Network
Intrusion Detection</title> Intrusion Detection</title>
<author fullname="T. H. Ptacek" initials="T. H." surname="Ptacek">
<author fullname="T. H. Ptacek" initials="T. H." surname="Ptacek"> <organization>Secure Networks, Inc.</organization>
<organization>Secure Networks, Inc.</organization> </author>
</author> <author fullname="T. N. Newsham" initials="T. N." surname="Newsham">
<organization>Secure Networks, Inc.</organization>
<author fullname="T. N. Newsham" initials="T. N." surname="Newsham"> </author>
<organization>Secure Networks, Inc.</organization> <date year="1998"/>
</author> </front>
</reference>
<date year="1998"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
</front> ence.RFC.1981.xml"/>
</reference> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.2460.xml"/>
</references>
</references> </references>
<section title="Contributors' Address"> <section numbered="false" toc="default">
<figure> <name>Acknowledgements</name>
<artwork>
</artwork>
</figure>
<t/> <t>Thanks to <contact fullname="Mikael Abrahamsson"/>,
<contact fullname="Brian Carpenter"/>, <contact fullname="Silambu Chelvan"
/>,
<contact fullname="Lorenzo Colitti"/>,
<contact fullname="Gorry Fairhurst"/>,
<contact fullname="Joel Halpern"/>,
<contact fullname="Mike Heard"/>,
<contact fullname="Tom Herbert"/>, <contact fullname="Tatuya Jinmei"/>,
<contact fullname="Suresh Krishnan"/>, <contact fullname="Jen Linkova"/>,
<contact fullname="Paolo Lucente"/>, <contact fullname="Manoj Nayak"/>,
<contact fullname="Eric Nygren"/>, <contact fullname="Fred Templin"/>, and
<contact fullname="Joe Touch"/> for their comments.
</t>
</section> </section>
</back> </back>
</rfc> </rfc>
 End of changes. 242 change blocks. 
858 lines changed or deleted 718 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/