IPv6 Hop-by-Hop Options Processing Procedures

This document specifies procedures for how IPv6 Hop-by-Hop options are processed. It modifies the procedures specified in the IPv6 Protocol Specification (RFC8200) to make processing of IPv6 Hop-by-Hop options practical with the goal of making IPv6 Hop-by-Hop options useful to deploy and use in the Internet. The editors focus for this document is to set a lower bound for the minimum number of hop-by-hop options that a node should process. This document does not discuss an upper bound. That topic is discussed in . When published this document updates and updates section 2.2 of . The current list of defined Hop-by-Hop options can be found at .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

This document uses the following loosely defined terms:

Forwarding Plane: IPv6 hosts exchange user data through the forwarding plane. User data is processed by its recipient (i.e., an IPv6 host). User data can traverse routers between its source and its destination. These routers process fields contained in packet headers. However, they do not process information contained in packet payloads.
Control Plane: IPv6 routers exchange management and routing information with controllers. They also exchange routing information with one another. Management and routing information is processed by its recipient (i.e., an IPv6 router or controller). Management and control information can traverse router that process fields contained in packet headers. However, they do not process information contained in packet payloads.
Fast Path: A path through a router that is optimized for forwarding packets without processing their payloads. The Fast Path might be supported by Application Specific Integrated Circuits (ASICS), Network Processor (NP), or other special purpose hardware. This is the usual processing path within a router taken by the forwarding plane.
Slow Path: A path through a router that is capable of general purpose processing and is not optimized for any particular function. This processing path is used for packets that require special processing or differ from assumptions made in Fast Path heuristics or to process router control protocols used by the control plane.
Full Forwarding Rate: This is the rate that a router can forward packets and keep the aggregate data rate for it's outgoing interfaces full (for example, the maximum speed the interface can support). This is sometimes call "wire speed". When used in this document, it means that the router can process packets with HBH Options at the rate that allows it to maintain the full speed on its outgoing interfaces.

NOTE: is an example of how designs can separate control plane (Slow Path) and forwarding plane (Fast Path) functions. The separation between hardware and software processing described in does not apply to all router architectures. However, a router that performs all or most processing in software might still incur more processing cost when providing special processing (aka Slow Path).

In the first versions of the IPv6 specification and , Hop-by-Hop options were required to be processed by all nodes: routers and hosts. This proved to not be practical in current high speed routers due to several factors, including:

Inability to process the hop-by-hop options at the full forwarding rate (e.g., routers with no support on the Fast Path).
Hop-by-Hop options would be sent to the Slow Path. This could degrade a router's performance and its ability to process important control traffic.
It was recognised that a mechanism that forces packets from any source to the routers "Slow Path" could be exploited as a Denial of Service attack against the router.
If a subset of packets in a flow include Hop-by-Hop options that require "Slow Path" forwarding, it introduces the potential for packets to be delivered out of order to the destination. Significant reordering of the packets belonging to a flow can significantly impact the performance of upper layer protocols and needs to be avoided.
Packets could contain multiple Hop-by-Hop options making the previous issues worse by increasing the complexity required to process them, or requiring access to more bytes of protocol header.

When the IPv6 Specification was updated and published in July 2017 as , the procedures relating to hop-by-hop options were as follows:

Extension headers (except for the Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node (or each of the set of nodes, in the case of multicast) identified in the Destination Address field of the IPv6 header.
The Hop-by-Hop Options header is not inserted or deleted, but may be examined or processed by any node along a packet's delivery path, until the packet reaches the node (or each of the set of nodes, in the case of multicast) identified in the Destination Address field of the IPv6 header. The Hop-by-Hop Options header, when present, must immediately follow the IPv6 header. Its presence is indicated by the value zero in the Next Header field of the IPv6 header.
NOTE: While [RFC2460] required that all nodes must examine and process the Hop-by-Hop Options header, it is now expected that nodes along a packet's delivery path only examine and process the Hop-by-Hop Options header if explicitly configured to do so.

The changes meant that an implementation complied with the IPv6 specification even if it did not process hop-by-hop options, and that it was expected that routers would add configuration information to control which hop-by-hop options they would process. The text regarding processing Hop-by Hop Options in was not intended to change the processing of Hop-by-Hop options. It only documented how they were being used in the Internet at the time RFC8200 was published. This was a constraint on publishing the IPv6 specification as an IETF Standard. The main issues remain:

Routers are commonly configured to drop transit packets containing hop-by-hop options that would have required processing in the Slow Path. This could be to protect against a denial of service attack on the router.
A survey in 2015 reported a high loss rate in transit ASs for packets with HBH options . The operational implications of IPv6 Packets that set extension headers are discussed in .
Allowing multiple hop-by-hop options in a single packet in some cases consumes more router resources to process these packets. It also adds complexity to the number of permutations that might need to be processed/configured.
Any mechanism that can be used to force packets into the router's Slow Path can be exploited as a denial of service attack on a transit router by saturating the resources needed for router management protocols (e.g., routing protocols, network management protocols, etc.) that could cause the router to fail. This is an issue for the Router Alert option, which intentionally places packets on the Slow Path, is discussed in . Section 3 of that RFC includes a good summary:

"In a nutshell, the IP Router Alert Option does not provide a convenient universal mechanism to accurately and reliably distinguish between IP Router Alert packets of interest and unwanted IP Router Alert packets. This, in turn, creates a security concern when the IP Router Alert Option is used, because, short of appropriate router-implementation-specific mechanisms, the router Slow Path is at risk of being flooded by unwanted traffic."

There has been research that discussed the general problem with dropping packets containing IPv6 extension headers, including the Hop-by-Hop Options header. For example states that "dropping all packets with Extension Headers, is a bad practice", and that "The share of traffic containing more than one EH however, is very small. For the design of hardware able to handle the dynamic nature of Extension Headers we therefore recommend to support at least one EH". The topic discussed in this section is also discussed in . "Transmission and Processing of IPv6 Extension Headers" clarified how intermediate nodes should process extension headers. This document is generally consistent with , and was considered when was updated and was itself replaced by . This document updates as described in the next section and consequently updates the description in Section 2.2 of . This document defines a set of procedures for the Hop-by-Hop Option header that are intended to make the processing of hop-by-hop options practical in modern transit routers. The authors expectations are that some hop-by-hop options will be processed across the Internet while others will only be processed in a limited domain (e.g., where there is a specific service made available in that network segment that relies on one or more hop-by-hop options).

This section describes several changes to .

The Hop-by-Hop Option Header as defined in Section 4.3 of is identified by a Next Header value of 0 in the IPv6 header. Section 4.1 of requires a Hop-by-Hop Options header to appear immediately after the IPv6 header. also requires that a Hop-by-Hop Options header can only appear once in a packet. The Hop-by-Hop Options Header as defined in can contain one or more Hop-by-Hop options. This document updates to specify that a node MUST process the first Option in the Hop-by-Hop Header at full forwarding rate (e.g. on the router's Fast Path) and MAY process additional Hop-by-Hop Options if configured to do so. The motivation for this change is to simplify the processing of Hop-by-Hop options as a part of normal forwarding. Nodes creating packets with a Hop-by-Hop option header SHOULD by default include a single Hop-by-Hop Option in the packet and based on local configuration MAY include more Hop-by-Hop Options.

Nodes SHOULD process the Hop-by-Hop Option header. If the node does not process the Hop-by-Hop Option header, it MUST forward the packet normally. Nodes MUST process all Hop-by-Hop options at full forwarding rates. The one exception to this is the Router Alert Option . See for discussion of the Router Alert Option. If the node is unable to process an option at the full forwarding rate, it MUST behave in the way specified for an unrecognized Option Type when the action bits were set to "00". That is, it must skip over this option and continue processing the header (as described in the next paragraph). If there are more than one Hop-by-Hop options in the Hop-by-Hop Options header, the node MAY skip the rest of the options without having to examine these options using the "Hdr Ext Len" field in the Hop-by-Hop Options header. This field specifies the length of the Option Header in 8-octet units. The additional options do not need to be processed or verified. Section 4.2 of defines the Option Type identifiers as internally encoded such that their highest-order 2 bits specify the action that must be taken if the processing IPv6 node does not recognize the Option Type. The text is: This document modifies this behaviour for the "10" and "11" values that the node MAY send an ICMP Parameter Problem, Code 2, message to the packet's Source Address, pointing to the unrecognized Option Type. The modified text for "10" and 11" values is: The motivation for this change is to loosen the requirement to send ICMPv6 Parameter Problem messages by simplifying what the router needs to do when it performs forwarding of an Option Type it does not recognize. When an ICMP Parameter Problem, Code 2, message is delivered to the source, the source can become aware that at least one node on the path has failed to recognize the option.

The Router Alert option purpose is to tell the node that the packet needs additional processing on the Slow Path. The Router Alert option includes a two-octet Value field that describes the protocol that is carried in the packet. The current values can be found in the IANA Router Alert Value registry . DISCUSSION

The Router Alert Option is a problem since its function is to do what this specification is proposing to eliminate, that is, to instruct a router to process the packet in the Slow Path. One approach would be to deprecate because current usage appears to be limited and packets containing Hop-by-Hop options are frequently dropped. Deprecation would allow current implementations to continue and its use could be phased out over time.
The authors' current thinking is that the Router Alert function may have reasonable potential use for new functions that have to be processed in the Slow Path. We think that keeping it as the single exception for Slow Path processing with the following restrictions is a reasonable compromise to allow future flexibility. These are compatible with Section 5 of .

As specified in the top two bits of Option Type for the Router Alert option are always set to "00" indicating the node should skip over this option and continue processing the header in this case. A Fast Path implementation SHOULD verify that a Router Alert contains a protocol, as indicated by the Value field in the Router Alert option, that is configured as a protocol of interest to that router. A verified packet SHOULD be sent on the Slow Path for processing . Otherwise, the router implementation SHOULD forward within the Fast Path (subject to all normal policies and forwarding rules). Implementations of the IP Router Alert Option SHOULD offer the configuration option to simply ignore the presence of "IP Router Alert" in IPv4 and IPv6 packets" . A node that is configured to process a Router Alert option using the Slow Path MUST protect itself from infrastructure attack that could result from processing on the Slow Path. This might include some combination of access control list to only permit from trusted nodes, rate limiting of processing, or other methods .

Section 4 of allows a router to control its processing of IPv6 Hop-by-Hop options by local configuration. The text is:

NOTE: While required that all nodes must examine and process the Hop-by-Hop Options header, it is now expected that nodes along a packet's delivery path only examine and process the Hop-by-Hop Options header if explicitly configured to do so.

A possible approach to implementing this is to maintain a lookup table based on Option Type of the IPv6 options that are supported in the Fast Path. This would allow for a node to quickly determine if an option is supported and can be processed. If the option is not supported, then the node processes it as described in of this document. This requires the node to examine the first two bits of the option even if it does not support the specific option. A node MUST drop the packet if the top two bits of the Option Type field of the first HBH option is non-zero as specified in . The actions of the lookup table SHOULD be configurable by the operator of the router.

Any new IPv6 Hop-by-Hop option designed in the future should be designed to be processed at full forwarding rate (e.g., on a router's Fast Path, or at least without slowing processing of other packets). New options SHOULD NOT be defined that are not expected to be executed at full forwarding rate. New Hop-by-Hop options should have the following characteristics:

Straight forward to process. That is, new Hop-by-Hop options SHOULD be designed to ensure the node can process the options at the full forwarding rate (e.g., on the router's Fast Path). See .
New options SHOULD be defined with the Action type (highest-order 2 bits of the Option Type) set to 00 to skip over this option and continue processing the header if a node does not recognize the option.
New Hop-by-Hop options SHOULD be designed to be the first option in a Hop-by-Hop options header.
The size of an option SHOULD NOT extend beyond what can be expected to be executed at full forwarding rate (e.g., forwarded on a router's fast path).

Any new Hop-by-Hop option that is standardized that does not meet these criteria needs to explain in detail in its specification why this can not be accomplished and that there is a reasonable expectation that it can be proceed at full forwarding rate.

There are no actions required for IANA defined in this document.

Security issues with IPv6 Hop-by-Hop options are well known and have been documented in several places, including , , and . The main issue, as noted in , is that any mechanism that can be used to force packets into the router's Slow Path can be exploited as a denial of service attack on a transit router by saturating the resources needed for router management protocols (e.g., routing protocols, network management protocols, etc.) that may cause the router to fail or perform sub-optimally. Due to this it’s common for transit routers to drop packets with a Hop-by-Hop options header. While Hop-by-Hop options are not required to be processed in the Slow Path, the Router Alert option is designed to do just that. Some IPv6 nodes implement features that access more of the protocol information than a typical IPv6 router (e.g. ). Examples are nodes that provide virus-scanning, DDOS mitigation, Firewall/access control, traffic engineering, or traffic normalization. These nodes could be configured to drop packets when they are unable to access and process all extension headers, or are unable to locate and process the higher-layer packet information. This document provides guidance on the requirements concerning Hop-by-Hop Options. Finally, the document notes that Internet protocol processing needs to be robust to malformed/malicious protocol fields. This requirement is not specific to Hop-by-Hop Options. It is important that implementations fail gracefully when a malformed or malicious Hop-by-Hop Option is encountered. This document changes the way Hop-by-Hop options are processed in several ways that significantly reduce the attack surface. These changes include:

All Hop-by-Hop options (with one exception) must be processed at full forwarding rate. Only one HBH Option MUST be processed and additional HBH Options MAY be processed based on local configuration.
Only the Router Alert option can be processed in the Slow Path, and the router MUST be configured to do so.
The document added criteria to allow control over how Router Alert options are processed and that a node configured to support these options must protect itself from attacks using the Router Alert.
The document limited the default number of Hop-by-Hop options that can be included in a packet to a single Hop-by-Hop option.
Additional Hop-by-Hop options MAY be included, based on local configuration. Although nodes only process these additional Hop-by-Hop Options if configured to do so.
The document added restrictions to any future new Hop-by-Hop options that limit their size and computational requirements.

The authors intent is that these changes significantly reduce the security issues relating to IPv6 Hop-by-Hop options and will enable them to be used safely in the Internet.

Helpful comments were received from Brian Carpenter, Ron Bonica, Ole Troan, Mark Heard, Tom Herbert, Cheng Li, Eric Vyncke, Greg Mirksy, Xiao Min, Fernando Gont, Darren Dukes, Peng Shuping, Dave Thaler, [your name here], and other members of the 6MAN working group.

draft-ietf-6man-hbh-processing-05, 2022-November-11:

Clarified text in about processing complexity and time to process.
Added a definition to for "Full Forwarding Rate".
Added text to about nodes that do not process the Hop-by-Hop Options header.
Added text to about slow path processing can cause packets to be deliver out of order to the destination.
Editorial changes

draft-ietf-6man-hbh-processing-04, 2022-October-21:

Add a paragraph to that describes the relationship to "Transmission and Processing of IPv6 Extension Headers".
Change that this draft updates section 2.2 of .

draft-ietf-6man-hbh-processing-03, 2022-October-12:

Changed in to have router skip over options if can't process at full forwarding rate.
Added to that new options should be defined with action type set to 00.

draft-ietf-6man-hbh-processing-02, 2022-August-23:

Several clarification and editorial changes suggested by a review by Peng Shuping.
Editorial changes.
Revised text relating to fast/slow path and processing rates.
Revised the third paragraph in to be clearer.
Revised text in Security section based on comments from Fernando Gont.

draft-ietf-6man-hbh-processing-01, 2022-June-15:

Fixed typo in last paragraph of
Revised text in to reflect constraints on publishing RFC8200.
Changed text in that new options SHOULD NOT (from MUST NOT) be defined that require that are not expected to be excepted at full forwarding rates.
Added reference to RFC7872 in .
Added text to that the focus of this document is to set a minium bound on the number of Hop-by-Hop Options a node should process.
Added text to that the authors some Hop-by-Hop options will be supported Internet wide, and others only in limited domains.
Editorial changes.

draft-ietf-6man-hbh-processing-00, 2022-January-29:

6MAN Working Group Draft
Reworked text to talk about processing HBH options at full forwarding rates, instead of "fast path"
Revised "New Hop-by-Hop Options" to allow variable sized HBH options, remove specific length requirements, and other clarifications.
Editorial changes.

draft-hinden-6man-hbh-processing-01, 2021-June-2:

Expanded terminology section to include Forwarding Plane and Control Plane.
Changed draft that only one HBH Option MUST be processed and additional HBH Options MAY be processed based on local configuration.
Clarified that all HBH options (with one exception) must be processed on the Fast Path.
Kept the Router Alert options as the single exception for Slow Path processing.
Rewrote and expanded section on New Hop-by-Hop Options.
Removed requirement for HBH Option size and alignment.
Removed sections evaluating currently defined HBH Options.
Added content to the Security Considerations section.
Added people to the acknowledgements section.
Numerous editorial changes

draft-hinden-6man-hbh-processing-00, 2020-Nov-29:

Initial draft.