Independent Submission T. Mizrahi
Request for Comments: 8367 Marvell
Category: Informational J. Yallouz
ISSN: 2070-1721 Intel
1 April 2018
Independent Submission T. Mizrahi
Request for Comments: 8367 Marvell
Category: Informational J. Yallouz
ISSN: 2070-1721 Intel
1 April 2018
Wrongful Termination of Internet Protocol (IP) Packets
Internet协议(IP)数据包的错误终止
Abstract
摘要
Routers and middleboxes terminate packets for various reasons. In some cases, these packets are wrongfully terminated. This memo describes some of the most common scenarios of wrongful termination of Internet Protocol (IP) packets and presents recommendations for mitigating them.
路由器和中间盒出于各种原因终止数据包。在某些情况下,这些数据包被错误地终止。本备忘录描述了一些最常见的错误终止互联网协议(IP)数据包的情况,并提出了缓解这些情况的建议。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.
这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8367.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8367.
Copyright Notice
版权公告
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2018 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Introduction ................................................... 2
2. Abbreviations .................................................. 2
3. Wrongful Termination Scenarios ................................. 3
3.1. Color-Based Termination ................................... 3
3.2. Age-Based Termination ..................................... 3
3.3. Origin-Based Termination .................................. 4
3.4. Length-Based Termination .................................. 4
3.5. IP-Version-Based Termination .............................. 5
3.6. Flag-Based Termination .................................... 5
4. Security Considerations ........................................ 5
5. IANA Considerations ............................................ 5
6. Conclusion ..................................................... 6
7. References ..................................................... 6
7.1. Normative References ...................................... 6
7.2. Informative References .................................... 6
Authors' Addresses ................................................ 6
1. Introduction ................................................... 2
2. Abbreviations .................................................. 2
3. Wrongful Termination Scenarios ................................. 3
3.1. Color-Based Termination ................................... 3
3.2. Age-Based Termination ..................................... 3
3.3. Origin-Based Termination .................................. 4
3.4. Length-Based Termination .................................. 4
3.5. IP-Version-Based Termination .............................. 5
3.6. Flag-Based Termination .................................... 5
4. Security Considerations ........................................ 5
5. IANA Considerations ............................................ 5
6. Conclusion ..................................................... 6
7. References ..................................................... 6
7.1. Normative References ...................................... 6
7.2. Informative References .................................... 6
Authors' Addresses ................................................ 6
IP packets are often terminated by network devices. In some cases, control-plane packets are terminated and processed by the local device, while in other cases packets are terminated (discarded) due to a packet filtering mechanism. Packet filtering is widely employed in network devices for sanity checking, policy enforcement, and security. IP routers and middleboxes, such as firewalls, often terminate packets that do not comply with a predefined policy. Unfortunately, some filtering policies cause false positive or unnecessary packet termination. Moreover, these wrongful terminations are sometimes biased and discriminate against packets based on their color, age, origin, length, or IP version.
IP数据包通常由网络设备终止。在某些情况下,控制平面分组由本地设备终止和处理,而在其他情况下,由于分组过滤机制,分组被终止(丢弃)。包过滤广泛应用于网络设备中,用于健康检查、策略实施和安全。IP路由器和中间盒(如防火墙)通常会终止不符合预定义策略的数据包。不幸的是,某些过滤策略会导致误报或不必要的数据包终止。此外,这些错误的终止有时是有偏见的,并根据其颜色、年龄、来源、长度或IP版本歧视数据包。
This memo discusses some of the most common scenarios of wrongful termination of IP packets and presents recommendations for preventing such discrimination.
本备忘录讨论了IP数据包错误终止的一些最常见情况,并提出了防止此类歧视的建议。
IP Internet Protocol
网际协议
TTL Time To Live
TTL生存时间
OAM Operations, Administration, and Maintenance
OAM操作、管理和维护
Synopsis
提要
IP packets are terminated due to their color.
IP数据包因其颜色而终止。
Description
描述
Routers often employ metering mechanisms [RFC4115]. These mechanisms often support a color-aware mode, in which the packet's color (green, yellow, or red) is used as a criterion in the metering algorithm. This mode has been known to prefer green packets over red and yellow packets.
路由器通常采用计量机制[RFC4115]。这些机制通常支持颜色感知模式,其中数据包的颜色(绿色、黄色或红色)用作计量算法中的标准。众所周知,这种模式更喜欢绿色分组,而不是红色和黄色分组。
Recommendation
正式建议
Use of color-blind metering is recommended, as it allows equal opportunity for packets of different colors.
建议使用色盲计量,因为它允许不同颜色的数据包有相同的机会。
Synopsis
提要
IP packets are terminated based on their TTL.
IP数据包根据其TTL终止。
Description
描述
The IPv4 TTL field [RFC791] and the IPv6 Hop Limit field [RFC8200] are used for loop prevention. These fields essentially represent the packet's age. A router that receives an IP packet with a TTL value of 0 or 1 typically terminates the packet. In this document, packets with a TTL or Hop Limit of 0 or 1 are referred to as 'senior packets'.
IPv4 TTL字段[RFC791]和IPv6跃点限制字段[RFC8200]用于环路预防。这些字段基本上表示数据包的年龄。接收TTL值为0或1的IP数据包的路由器通常会终止该数据包。在本文档中,TTL或跃点限制为0或1的数据包称为“高级数据包”。
Recommendation
正式建议
When possible, the practice of reverse discrimination is recommended. Notably, senior packets have been known to be highly effective for OAM tasks, such as Hello [RFC2328] and Traceroute [RFC2151]. Therefore, senior packets should not be easily dismissed; to the extent possible, senior packets should be used in control-plane protocols.
如有可能,建议采取反向歧视的做法。值得注意的是,高级数据包对于OAM任务非常有效,例如Hello[RFC2328]和Traceroute[RFC2151]。因此,高级包不应轻易被解雇;应尽可能在控制平面协议中使用高级数据包。
Synopsis
提要
IP packets are terminated based on their origin (source IP address prefix).
IP数据包根据其来源(源IP地址前缀)终止。
Description
描述
Routers and middleboxes often perform IP address filtering. Packets are often discarded based on the prefix of their source IP address. In this memo, prefix-based source address filtering is referred to as origin-based filtering. While source IP address filtering is an acceptable technique for preventing security attacks performed by known attackers, filtering an entire prefix may lead to unnecessary termination of legitimate traffic.
路由器和中间盒通常执行IP地址过滤。数据包通常根据其源IP地址的前缀被丢弃。在本备忘录中,基于前缀的源地址过滤称为基于源地址的过滤。虽然源IP地址过滤是防止已知攻击者执行安全攻击的可接受技术,但过滤整个前缀可能会导致合法流量的不必要终止。
Recommendation
正式建议
Origin-based filtering should be limited, to the extent possible, so as not to punish an entire autonomous system for the crime of a single host. Individual address-based filtering should be preferred in cases where the address of the potential threat is well known.
应尽可能限制基于来源的过滤,以免因单个主机的犯罪而惩罚整个自治系统。在已知潜在威胁的地址的情况下,应首选基于单个地址的过滤。
Synopsis
提要
Short IP packets are wrongfully terminated due to their length.
短IP数据包由于其长度而被错误终止。
Description
描述
The minimum permissible size of an IPv4 [RFC791] packet is 20 octets, and the minimum size of an IPv6 [RFC8200] packet is 40 octets. However, due to the size limits of Ethernet, it is often the case that IP packets that are shorter than 46 octets are discarded. This is because the minimal Ethernet frame size is 64 octets, the minimal Ethernet header size is 14 octets, and the Ethernet Frame Check Sequence is 4 octets long (i.e., 64 - 14 - 4 = 46). In the context of this memo, legitimate IP packets that are less than 46 octets long are referred to as 'short IP packets'.
IPv4[RFC791]数据包的最小允许大小为20个八位字节,IPv6[RFC8200]数据包的最小允许大小为40个八位字节。然而,由于以太网的大小限制,通常会丢弃小于46个八位字节的IP数据包。这是因为最小以太网帧大小为64个八位字节,最小以太网报头大小为14个八位字节,以太网帧检查序列为4个八位字节长(即64-14-4=46)。在本备忘录中,长度小于46个八位字节的合法IP数据包称为“短IP数据包”。
Recommendation
正式建议
Short IP packets should not be discarded. The Ethernet frame length should be enforced at the Ethernet layer, while the IP layer should avoid discrimination of short IP packets.
不应丢弃短IP数据包。以太网帧长度应在以太网层强制执行,而IP层应避免区分短IP数据包。
Synopsis
提要
IPv6 packets are terminated due to their version.
IPv6数据包因其版本而终止。
Description
描述
Many routers and middleboxes are configured to process only IPv4 [RFC791] packets and to reject IPv6 [RFC8200] packets.
许多路由器和中间盒配置为仅处理IPv4[RFC791]数据包,并拒绝IPv6[RFC8200]数据包。
Recommendation
正式建议
It is quite unsettling that there are still networks in which IPv6 packets are deemed unwanted in the second decade of the 21st century. Indeed, IPv6 packets have a slightly shorter payload than IPv4 packets. However, they are essential to the future growth of the Internet. It is time for operators to finally give IPv6 its well-deserved opportunity.
令人不安的是,在21世纪的第二个十年,仍然有一些网络认为IPv6数据包是不需要的。事实上,IPv6数据包的有效负载比IPv4数据包略短。然而,它们对互联网的未来发展至关重要。现在是运营商最终为IPv6提供其当之无愧的机会的时候了。
Synopsis
提要
IPv4 packets are terminated because their More Fragments (MF) flag is set.
IPv4数据包被终止,因为设置了它们的更多片段(MF)标志。
Description
描述
Many routers and middleboxes are configured to discard fragmented packets.
许多路由器和中间盒配置为丢弃碎片数据包。
Recommendation
正式建议
A packet should not be discarded on the grounds of a flag it supports. All flags should be respected, as well as the features they represent.
数据包不应以其支持的标志为理由而被丢弃。应尊重所有标志及其所代表的特征。
This memo proposes to practice liberality with respect to IP packet filtering in routers and middleboxes. Arguably, such a liberal approach may compromise security in some cases. Not only must security be done; it must also be seen to be done.
本备忘录建议在路由器和中间盒中对IP包过滤实行宽松。可以说,在某些情况下,这种自由主义做法可能会损害安全。不仅必须确保安全;还必须看到这一点。
This document has no IANA actions.
本文档没有IANA操作。
This memo recommends that every router and middlebox be an Equal Opportunity Device, which does not discriminate on the basis of actual or perceived rate, color, age, origin, length, IP version, fragmentation characteristics, higher-layer protocols, or any other IP characteristic.
本备忘录建议每个路由器和中间盒都是一个机会均等的设备,它不会根据实际或感知的速率、颜色、年龄、来源、长度、IP版本、碎片特征、高层协议或任何其他IP特征进行区分。
[RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981, <https://www.rfc-editor.org/info/rfc791>.
[RFC791]Postel,J.,“互联网协议”,STD 5,RFC 791,DOI 10.17487/RFC07911981年9月<https://www.rfc-editor.org/info/rfc791>.
[RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017, <https://www.rfc-editor.org/info/rfc8200>.
[RFC8200]Deering,S.和R.Hinden,“互联网协议,第6版(IPv6)规范”,STD 86,RFC 8200,DOI 10.17487/RFC8200,2017年7月<https://www.rfc-editor.org/info/rfc8200>.
[RFC2151] Kessler, G. and S. Shepard, "A Primer On Internet and TCP/IP Tools and Utilities", FYI 30, RFC 2151, DOI 10.17487/RFC2151, June 1997, <https://www.rfc-editor.org/info/rfc2151>.
[RFC2151]Kessler,G.和S.Shepard,“互联网和TCP/IP工具及实用程序入门”,FYI 30,RFC 2151,DOI 10.17487/RFC2151,1997年6月<https://www.rfc-editor.org/info/rfc2151>.
[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, DOI 10.17487/RFC2328, April 1998, <https://www.rfc-editor.org/info/rfc2328>.
[RFC2328]Moy,J.,“OSPF版本2”,STD 54,RFC 2328,DOI 10.17487/RFC2328,1998年4月<https://www.rfc-editor.org/info/rfc2328>.
[RFC4115] Aboul-Magd, O. and S. Rabie, "A Differentiated Service Two-Rate, Three-Color Marker with Efficient Handling of in-Profile Traffic", RFC 4115, DOI 10.17487/RFC4115, July 2005, <https://www.rfc-editor.org/info/rfc4115>.
[RFC4115]Aboul Magd,O.和S.Rabie,“有效处理配置文件内流量的区分服务双速率三色标记”,RFC 4115,DOI 10.17487/RFC4115,2005年7月<https://www.rfc-editor.org/info/rfc4115>.
Authors' Addresses
作者地址
Tal Mizrahi Marvell Email: talmi@marvell.com
Tal Mizrahi Marvell电子邮件:talmi@marvell.com
Jose Yallouz Intel Email: jose@alumni.technion.ac.il
Jose Yallouz英特尔电子邮件:jose@alumni.technion.ac.il