Deprecation Of The IPv6 Router
Alert OptionJuniper Networks2251 Corporate Park DriveHerndon20171VirginiaUSArbonica@juniper.net
INT Area
6manIPv6This document deprecates the IPv6 Router Alert Option. Current protocols that
use the Router Alert Option may continue to do so, even in future versions. However, new protocols
that are standardized in the future must not use the Router Alert Option. models an Internet router. The router
has a forwarding plane and a control plane.IPv6 operates on the forwarding plane.
It:Accepts a packet.Determines the packet's next hop.Forwards the packet to its next hop.IPv6 determines a packet's next hop by searching the Forwarding
Information Base (FIB) for an entry that best matches the packet's
destination address. Therefore, IPv6 requires read-only access to the
FIB.Routing protocols (e.g., OSPF, IS-IS, BGP) operate on a router's
control plane. They create and maintain the FIB by exchanging routing
protocol messages with other nodes. Therefore, the control plane
requires read-write access to the FIB.The forwarding and control planes communicate with one another as
follows:The control plane sends FIB updates to the forwarding plane so it
can maintain a read-only FIB copy.The control plane sends routing protocol messages through the
forwarding plane to other nodes.The forwarding plane sends routing protocol messages received
from other nodes and addressed to the router to the control
plane.The forwarding plane sends messages that are not addressed to the
router but include the IPv6 Router Alert
Option to the control plane. The control plane inspects
these messages and returns them to the forwarding plane so that they
can continue on to their ultimate destination.Many routers maintain separation between forwarding and control
plane hardware. The forwarding plain is implemented on high-performance
Application Specific Integrated Circuits (ASIC) and Network Processors
(NP), while the control plane is implemented on general-purpose
processors. Therefore, the forwarding plane can process many more
packets per second than the control plane. Given this difference in
packet-handling capabilities, a router's control plane is more
susceptible to a Denial-of-Service (DoS) attack than the router's
forwarding plane. demonstrates how a network operator can
deploy Access Control Lists (ACL) that protect the control plane from
DoS attack. These ACLs are effective and efficient when they select
packets based upon information that can be found in a fixed position in
the packet header. However, they become less effective and less
efficient when they must parse an IPv6 Hop-by-hop Options extension
header, searching for the Router Alert Option. Therefore, many network
operators drop or severely rate limit packets that contain the IPv6
Hop-by-hop Options extension header. identifies security considerations
associated with the Router Alert Option. It provides the following
recommendations:"Network operators SHOULD actively protect themselves against
externally generated IP Router Alert packets.""Applications and protocols SHOULD NOT be deployed with a
dependency on processing of the Router Alert Option (as currently
specified) across independent administrative domains in the
Internet.""Router implementations of the IP Router Alert Option SHOULD
offer the configuration option to simply ignore the presence of "IP
Router Alert" in IPv4 and IPv6 packets.""A router implementation SHOULD forward within the "fast path"
(subject to all normal policies and forwarding rules) a packet
carrying the IP Router Alert Option containing a next level protocol
that is not a protocol of interest to that router."NOTE: In RFC 6398, the terms "fast path" and "forwarding plane
components" are used synonymously.Network operators can address all of the security considerations
raised in RFC 6398 by configuring their routers to ignore the Router
Alert Option. However, such configuration may not be possible if
protocol designers continue to design protocols that use the Router
Alert Option. Alternatively, network operators will be required to
deploy the operationally complex and computationally expensive ACLs
described in RFC 6192. Therefore, this document deprecates the IPv6
Router Alert Option.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only
when, they appear in all capitals, as shown here.This document deprecates the IPv6 Router Alert Option. Current protocols that
use the Router Alert Option MAY continue to do so, even in future versions. However, new protocols
that are standardized in the future MUST NOT use the Router Alert Option. contains a list of protocols that use the
IPv6 Router Alert Option. There are no known IPv6 implementations of
MPLS PING. Neither INTSERV nor NSIS are widely deployed. All NSIS
protocols are EXPERIMENTAL. Pragmatic Generic Multicast (PGM) is
EXPERIMENTAL and there are no known IPv6 implementations.ProtocolReferencesApplicationMulticast Listener Discovery Version 2 (MLDv2)IPv6 MulticastMulticast Router Discovery (MRD)IPv6 MulticastPragmatic General Multicast (PGM)IPv6 MulticastMPLS PING (Use of router alert deprecated)MPLS OAMResource Reservation Protocol (RSVP)Integrated Services (INTSERV) (Not
Traffic engineering or MPLS signaling)Next Steps In Signaling (NSIS)NSIS This document extends the security considerations provided in RFC
2711, RFC 6192 and RFC 6398.IANA is requested to mark the Router Alert Option as Deprecated in
the Destination Options and Hop-by-hop Options Registry (
https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#ipv6-parameters-2)
and add a pointer to this document.Thanks to Brian Carpenter, Toerless Eckert, David Farmer, Adrian Farrel, and Bob
Hinden for their reviews of this document.