| Internet-Draft | Deprecate IPv6 Router Alert | November 2024 |
| Bonica | Expires 9 May 2025 | [Page] |
This document deprecates the IPv6 Router Alert Option. Protocols that use the Router Alert Option may continue to do so, even in future versions. However, protocols that are standardized in the future must not use the Router Alert Option.¶
This document obsoletes RFC 2711.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 9 May 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In IPv6 [RFC8200], optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There is a small number of such extension headers, each one identified by a distinct Next Header value.¶
One of these extension headers is called the Hop-by-Hop Options header. The Hop-by-Hop Options header is used to carry optional information that may be examined and processed by every node along a packet's delivery path.¶
The Hop-by-Hop Options header can carry one or more options. Among these is the Router Alert Option [RFC2711].¶
The Router Alert Option provides a mechanism whereby routers can know when to intercept datagrams not addressed to them without having to extensively examine every datagram. The semantic of the Router Alert Option is, "routers should examine this datagram more closely". Not including this option tells the router that there is no need to closely examine the contents of the datagram.¶
[RFC6398] identifies security considerations associated with the Router Alert Option. In a nutshell, the IP Router Alert Option does not provide a universal mechanism to accurately and reliably distinguish between IP Router Alert packets of interest and unwanted IP Router Alerts. This creates a security concern, because, short of appropriate router-implementation-specific mechanisms, the router's control plane is at risk of being flooded by unwanted traffic.¶
NOTE: Many routers maintain separation between forwarding and control plane hardware. The forwarding plain is implemented on high-performance Application Specific Integrated Circuits (ASIC) and Network Processors (NP), while the control plane is implemented on general-purpose processors. Given this difference, the control plane is more susceptible to a Denial-of-Service (DoS) attack than the forwarding plane.¶
[RFC6192] demonstrates how a network operator can deploy Access Control Lists (ACL) that protect the control plane from DoS attack. These ACLs are effective and efficient when they select packets based upon information that can be found in a fixed position. However, they become less effective and less efficient when they must parse an IPv6 Hop-by-hop Options header, searching for the Router Alert Option.¶
So, network operators can address the security considerations raised in RFC 6398 by:¶
Deploying the operationally complex and computationally expensive ACLs described in RFC 6192.¶
Configuring their routers to ignore the Router Alert Option.¶
Dropping or severely rate limiting packets that contain the IPv6 Hop-by-hop Options header.¶
These options become less viable as protocol designers continue to design protocols that use the Router Alert Option.¶
[RFC9673] seeks to eliminate Hop-by-Hop processing on the control plane. However, because of its unique function, the Router Alert option is granted an exception to this rule. One approach would be to deprecate the Router Alert option, because current usage beyond the local network appears to be limited, and packets containing Hop-by-Hop options are frequently dropped. Deprecation would allow current implementations to continue using it, but its use could be phased out over time.¶
Therefore, this document deprecates the IPv6 Router Alert Option. Protocols that use the Router Alert Option MAY continue to do so, even in future versions. However, protocols that are standardized in the future MUST NOT use the Router Alert Option. Appendix A contains a list of protocols that may continue to use the Router Alert Option.¶
This document obsoletes RFC 2711.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The following is an alternative to the Router Address Option for unicast traffic being sent from a source node to an ultimate destination node along a delivery path:¶
The source node encodes the ultimate destination node's address in the message body.¶
The source node sets packet's destination address to that of the next node along the delivery path.¶
The source node sends the packet to the next node along the delivery path.¶
The next node along the delivery path processes the packet and repeats the process.¶
The following is an alternative to the Router Address Option for multicast traffic being sent from a source node to all nodes on the directly connected subnetwork:¶
This document extends the security considerations provided in RFC 2711, RFC 6192 and RFC 6398.¶
IANA is requested to mark the Router Alert Option as Deprecated in the Destination Options and Hop-by-hop Options Registry ( https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-2) and add a pointer to this document.¶
Thanks to Brian Carpenter, Toerless Eckert, David Farmer, Adrian Farrel, and Bob Hinden for their reviews of this document.¶
Table 1 contains a list of protocols that use the IPv6 Router Alert Option. There are no known IPv6 implementations of MPLS PING. Neither INTSERV nor NSIS are widely deployed. All NSIS protocols are EXPERIMENTAL. Pragmatic Generic Multicast (PGM) is EXPERIMENTAL and there are no known IPv6 implementations.¶
| Protocol | References | Application |
|---|---|---|
| Multicast Listener Discovery Version 2 (MLDv2) | [RFC3810] | IPv6 Multicast |
| Multicast Router Discovery (MRD) | [RFC4286] | IPv6 Multicast |
| Pragmatic General Multicast (PGM) | [RFC3208] | IPv6 Multicast |
| MPLS PING (Use of router alert deprecated) | [RFC7506][RFC8029][RFC9570] | MPLS OAM |
| Resource Reservation Protocol (RSVP) | [RFC3175] [RFC5946] [RFC6016] [RFC6401] | Integrated Services (INTSERV) [RFC1633] (Not Traffic engineering or MPLS signaling) |
| Next Steps In Signaling (NSIS) | [RFC5979] [RFC5971] | NSIS [RFC4080] |