Internet Protocol, Version 6 (IPv6) Specification
draft-ietf-6man-rfc2460bis-13

[Ballot comment]
Thanks for addressing my discuss. Please put a reference to RFC6465 in there to make sure that these RFCs do run out of sync.

[Ballot discuss]
Thanks for addressing my discuss. Text on rfc3168 is fine! I'm also okay with the text on extension headers, however, I have one remaining processing question: Now the text uses similar but not the same wording as RFC6564. RFC6564 says "new IPv6 extension headers MUST NOT be created or specified, ..." and this draft says "Defining new IPv6 extension headers is not recommended, ..." in not normative language. Is that on purpose? Does this draft need to absolete RFC6564 or refer or whatever?

[Ballot comment]
Thanks for updating the Security Considerations section, I was glad to see the references added to the fragmentation work that had already been done.  If the TLS and SSH reference remain in the document, references would be good - RFC7525 and RFC4250-4254, but my preference would be to delete the sentence as this document is about IPv6 and developers and implementers of this standard wouldn't need those references, IPsec is enough.

[Ballot discuss]
I'm changing this discuss because I believe changes regarding any text in section 4.8 would mostly be editorial at this point if any. I would still like to see more background information explaining the situation and risks, rather than just giving a general recommendation that might even out-date in cases routers get updated accordingly in future.

However, I holding this discuss, because the ECN issue I originally only raised as a question in the comment section really needs to be addressed. Hope to wrap this up soon. It's about this text:
Section 4.5: "The number and content of the headers preceding the Fragment
      header of different fragments of the same original packet may
      differ.  Whatever headers are present, preceding the Fragment
      header in each fragment packet, are processed when the packets
      arrive, prior to queueing the fragments for reassembly.  Only
      those headers in the Offset zero fragment packet are retained in
      the reassembled packet."
The ECN codepoint may differ in each fragment and RFC3168 speficies handling for reassembly.

[Ballot comment]
My discuss was mainly on text in section 4.8 (also based on the tsv-art review -> Thanks Martin!):

I find the recommendation to basically just not use hop-by-hop headers in section 4.8 extremely unsatisfying. Can we maybe do better? Wouldn't it be maybe time to just deprecate the current hop-by-hop number an assign a new one? I know that also has deployment problem but maybe it's worth a try. I guess the assignment could happen in a new document though, but the deprecation could be done here.

This related to this comment from Martin's review, also proposing a potential way forward:
"- Section 4.8. "Defining New Extension Headers and Options":
It says new hop-by-hop headers must never ever defined. This is problematic, as this closing the door forever, even if future instances of the IETF do would like to wish to define new hop-by-hop headers. A better way would have to say "that new hop-by-hop headers must have IETF consensus".

- Section 4.8. "Defining New Extension Headers and Options":
Also the „not recommended“ to define new extension headers looks strange, especially with the phrase "There has to be a very clear justification". The term "clear justification" is not an exact engineering specification. Why not using "technical protocol specification and real word use case required, plus IETF consensus"?"

As a side note, there is at least one experimental RFC that defines a destination option to be inspected by a network device, given the know problems of hop-by-hop option which renders them unusable.

[Ballot discuss]
I'm changing this discuss because I believe changes regarding any text in section 4.8 would mostly be editorial at this point if any. I would still like to see more background information explaining the situation and risks, rather than just giving a general recommendation that might even out-date in cases routers get updated accordingly in future.

However, I holding this discuss, because the ECN issue I originally only raised as a question in the comment section really needs to be addressed. Hope to wrap this up soon.

[Ballot comment]
My discuss was mainly on text in section 4.8 (also based on the tsv-art review -> Thanks Martin!):

I find the recommendation to basically just not use hop-by-hop headers in section 4.8 extremely unsatisfying. Can we maybe do better? Wouldn't it be maybe time to just deprecate the current hop-by-hop number an assign a new one? I know that also has deployment problem but maybe it's worth a try. I guess the assignment could happen in a new document though, but the deprecation could be done here.

This related to this comment from Martin's review, also proposing a potential way forward:
"- Section 4.8. "Defining New Extension Headers and Options":
It says new hop-by-hop headers must never ever defined. This is problematic, as this closing the door forever, even if future instances of the IETF do would like to wish to define new hop-by-hop headers. A better way would have to say "that new hop-by-hop headers must have IETF consensus".

- Section 4.8. "Defining New Extension Headers and Options":
Also the „not recommended“ to define new extension headers looks strange, especially with the phrase "There has to be a very clear justification". The term "clear justification" is not an exact engineering specification. Why not using "technical protocol specification and real word use case required, plus IETF consensus"?"

As a side note, there is at least one experimental RFC that defines a destination option to be inspected by a network device, given the know problems of hop-by-hop option which renders them unusable.

One question because I'm not sure if I interpret this correct to make it part of my discuss:
Section 4.5: "The number and content of the headers preceding the Fragment
      header of different fragments of the same original packet may
      differ.  Whatever headers are present, preceding the Fragment
      header in each fragment packet, are processed when the packets
      arrive, prior to queueing the fragments for reassembly.  Only
      those headers in the Offset zero fragment packet are retained in
      the reassembled packet."
Does this mean the ECN codepoint (part of the Traffic Class field) is copied from the first fragment? This doesn't seem to be correct, however, also not sure what the correct answer is. I know this was not changed in this revision but maybe we can still get this right.

[Ballot discuss]
I would also like to see an updated security considerations section specific to IPv6 and have the opportunity to review that prior to publication of this draft.

[Ballot comment]
I think it is valuable and accurate to express the maturity of IPv6 by making it an Internet
Standard as the transition to IPv6 accelerates.

[Ballot discuss]
My discuss is mainly on text in section 4.8 (also based on the tsv-art review -> Thanks Martin!):

I find the recommendation to basically just not use hop-by-hop headers in section 4.8 extremely unsatisfying. Can we maybe do better? Wouldn't it be maybe time to just deprecate the current hop-by-hop number an assign a new one? I know that also has deployment problem but maybe it's worth a try. I guess the assignment could happen in a new document though, but the deprecation could be done here.

This related to this comment from Martin's review, also proposing a potential way forward:
"- Section 4.8. "Defining New Extension Headers and Options":
It says new hop-by-hop headers must never ever defined. This is problematic, as this closing the door forever, even if future instances of the IETF do would like to wish to define new hop-by-hop headers. A better way would have to say "that new hop-by-hop headers must have IETF consensus".

- Section 4.8. "Defining New Extension Headers and Options":
Also the „not recommended“ to define new extension headers looks strange, especially with the phrase "There has to be a very clear justification". The term "clear justification" is not an exact engineering specification. Why not using "technical protocol specification and real word use case required, plus IETF consensus"?"

As a side note, there is at least one experimental RFC that defines a destination option to be inspected by a network device, given the know problems of hop-by-hop option which renders them unusable.

[Ballot comment]
One question because I'm not sure if I interpret this correct to make it part of my discuss:
Section 4.5: "The number and content of the headers preceding the Fragment
      header of different fragments of the same original packet may
      differ.  Whatever headers are present, preceding the Fragment
      header in each fragment packet, are processed when the packets
      arrive, prior to queueing the fragments for reassembly.  Only
      those headers in the Offset zero fragment packet are retained in
      the reassembled packet."
Does this mean the ECN codepoint (part of the Traffic Class field) is copied from the first fragment? This doesn't seem to be correct, however, also not sure what the correct answer is. I know this was not changed in this revision but maybe we can still get this right.

[Ballot discuss]
This security considerations section seems fairly unsatisfactory.
First, you can't just point back to IPv4, which doesn't even have a
security considerations section. Second, IPv6 actually has
different security and privacy properties than IPv4 in
a number of respects, so you actually need to document them.

[Ballot comment]
I get that this document is from a period before the style
became as uniformly to upper-casify RFC2119 keywords, but
but it seems like it might be a good idea to do that here.

It's a little hard to determine what is normative here, but S 4. says

  A full implementation of IPv6 includes implementation of the
  following extension headers:
      Hop-by-Hop Options
      Fragment
      Destination Options
      Routing
      Authentication
      Encapsulating Security Payload

Given that 6434-bis seems to have backed away from IPsec, this
document needs to as well.

S 4.4.
Assuming I am reading this document correctly (and I've never
implemented v6 so I could be crazy), in order to implement
the routing header you need to decrement Segments Left,
but the document does not seem to say that.


S 4.5.
As I read this document the order of headers is only strongly
recommended, but the rules about fragmentation seem to absolutely
require a specific order:

      The Per-Fragment Headers consists of the IPv6 header plus any
      extension headers that must be processed by nodes en route to the
      destination, that is, all headers up to and including the Routing
      header if present, else the Hop-by-Hop Options header if present,
      else no extension headers.

Is there a reason why the rules are not MUST?


S 4.5.
  The following conditions are not expected to occur, but are not
  considered errors if they do:
 
      The number and content of the headers preceding the Fragment
      header of different fragments of the same original packet may
      differ.  Whatever headers are present, preceding the Fragment
      header in each fragment packet, are processed when the packets
      arrive, prior to queueing the fragments for reassembly.  Only
      those headers in the Offset zero fragment packet are retained in
      the reassembled packet.

If fragments follow different paths (not crazy) then the hop limit
will be different, right? So perhaps "not expected" is a bit strong.


S 8.4.
        Response packets that carry Routing headers that were derived
        by reversing the Routing header of the received packet IF AND
        ONLY IF the integrity and authenticity of the Source Address
        and Routing header from the received packet have been verified
        by the responder.

It's not clear to me how this works. If, as I suggest above, the
routing header gets changed in transit, how do you measure
the integrity and authenticity? Even if that is not the case,
and you use something like IPsec to provide integrity, why do you
trust whatever claims the sender makes about routing.

[Ballot discuss]
This security considerations section seems fairly unsatisfactory.
First, you can't just point back to IPv4, which doesn't even have a
security considerations section. Second, IPv6 actually has
different security and privacy properties than IPv4 in
a number of respects, so you actually need to document them.


document needs to as well.

[Ballot comment]
I get that this document is from a period before the style
became as uniformly to upper-casify RFC2119 keywords, but
but it seems like it might be a good idea to do that here.

It's a little hard to determine what is normative here, but S 4. says

  A full implementation of IPv6 includes implementation of the
  following extension headers:
      Hop-by-Hop Options
      Fragment
      Destination Options
      Routing
      Authentication
      Encapsulating Security Payload

Given that 6434-bis seems to have backed away from IPsec, this

S 4.4.
Assuming I am reading this document correctly (and I've never
implemented v6 so I could be crazy), in order to implement
the routing header you need to decrement Segments Left,
but the document does not seem to say that.


S 4.5.
As I read this document the order of headers is only strongly
recommended, but the rules about fragmentation seem to absolutely
require a specific order:

      The Per-Fragment Headers consists of the IPv6 header plus any
      extension headers that must be processed by nodes en route to the
      destination, that is, all headers up to and including the Routing
      header if present, else the Hop-by-Hop Options header if present,
      else no extension headers.

Is there a reason why the rules are not MUST?


S 4.5.
  The following conditions are not expected to occur, but are not
  considered errors if they do:
 
      The number and content of the headers preceding the Fragment
      header of different fragments of the same original packet may
      differ.  Whatever headers are present, preceding the Fragment
      header in each fragment packet, are processed when the packets
      arrive, prior to queueing the fragments for reassembly.  Only
      those headers in the Offset zero fragment packet are retained in
      the reassembled packet.

If fragments follow different paths (not crazy) then the hop limit
will be different, right? So perhaps "not expected" is a bit strong.


S 8.4.
        Response packets that carry Routing headers that were derived
        by reversing the Routing header of the received packet IF AND
        ONLY IF the integrity and authenticity of the Source Address
        and Routing header from the received packet have been verified
        by the responder.

It's not clear to me how this works. If, as I suggest above, the
routing header gets changed in transit, how do you measure
the integrity and authenticity? Even if that is not the case,
and you use something like IPsec to provide integrity, why do you
trust whatever claims the sender makes about routing.

[Ballot discuss]
First off, this DISCUSS is NOT about questioning the rough consensus calls that the responsible Chair and AD have made, or wanting to change them, but about clarifying to avoid misinterpretations.

Given the ongoing discussion about Extension Headers and controlled domains (for example [1] and [2]), the text should be very specific on what is expected and where.  Because it is not, I think that this document is teetering along the line of having a "high degree of technical maturity", and not being ready for Internet Standard [rfc6410].

Without further clarifications and guidance, this document also brings on unanticipated second order effects [rfc3439] that can impact the direction, or even the viability, of future work in the IETF.  Specifically, a straight forward interpretation of the text in Section 4 is the absolute prohibition to process, insert or delete EHs -- but discussion on the 6man mailing list seems to point at an understanding that the conditions inside a controlled domain may be different, for example (from Brian Carpenter [3]):

=====
I've tried to say this before but I'm not sure people are getting it:

RFC2460bis, if approved as is, draws a line in the sand *for interoperability across the whole Internet*. There are reasons for this - PMTUD in any form, any future replacement for the unsuccessful IPsec/AH, and all the problems of deploying extension headers that are understood by some nodes and not by others.

There is no reason why a subsequent standards-track document cannot allow header insertion (and removal) within finite domains where the above issues do not apply. In fact, an improved version of draft-voyer-6man-extension-header-insertion-00 could become exactly that.

=====

[N.B.: I'm not implying that Brian's opinion represents consensus, that is not my call to make.]

I'm pointing at an opinion (which I agree with) that recognizes the need to differentiate between contexts -- but the current text in rfc2460bis doesn't do that.  I believe that this issue is significant (as reflected by the ongoing discussions) that that it should be resolved (by clarifying the text) before proceeding with the publication of this document as an Internet Standard.

To summarize, the text in this document has the second order effect of not leaving a clear path forward for extensions to IPv6 so that they adhere to the protocol's architecture, specially when applied to a controlled domain.  At a minimum, I would like to see a clear path forward, whether that is in the form of an update for use of extensions in controlled domains, or a statement that this document just applies to IPv6 traffic intended to cross the Internet (as suggested at the 6man meeting in Chicago [4])...  My opinion is that this document should not be published as an Internet Standard until the remaining open discussions are explicitly resolved and this document reflects that resolution.


[1] https://mailarchive.ietf.org/arch/msg/ipv6/UI0PfqrWco4Hpbvm8keGR8FabRg/?qid=9a6ba8e9777114e24a1e964336ed78f1
[2] https://mailarchive.ietf.org/arch/msg/ipv6/OrLYxKumiKWLHGkeNamhq9pxutQ/?qid=63c159fe41c18653d9dc0be609f9e97f
[3] https://mailarchive.ietf.org/arch/msg/ipv6/REez0-lbebpo-Xem-xX_sWV0pf4/?qid=5cdab6c6085795129802ab622bb4159f
[4] https://www.ietf.org/proceedings/98/minutes/minutes-98-6man-00



==========

Related to the above, I also want to point out the lack of clarity in the text in Section 4. (IPv6 Extension Headers), which leaves itself open to interpretation and should be cleaned up.

(A)  The main piece of text that has been discussed now reads:

  With one exception, extension headers are not examined, processed,
  inserted, or deleted by any node along a packet's delivery path,
  until the packet reaches the node (or each of the set of nodes, in
  the case of multicast) identified in the Destination Address field of
  the IPv6 header.  Note: If an intermediate forwarding node examines
  an extension header for any reason, it must do so in accordance with
  the provisions of [RFC7045].
  ...
  The exception referred to in the preceding paragraph is the Hop-by-
  Hop Options header, which carries information that may be examined
  and processed by every node along a packet's delivery path, including
  the source and destination nodes.  The Hop-by-Hop Options header,
  when present, must immediately follow the IPv6 header.  Its presence
  is indicated by the value zero in the Next Header field of the IPv6
  header.

  NOTE: While [RFC2460] required that all nodes must examine and
  process the Hop-by-Hop Options header, it is now expected that nodes
  along a packet's delivery path only examine and process the Hop-by-
  Hop Options header if explicitly configured to do so.


While the first sentence seems clear on what this document wants forwarding nodes to do (or not), there are two notes that define exceptions: any forwarding node can examine the headers "for any reason", and, the Hop-by-Hop Options header doesn't really have to be examined and processed by everyone.

This text needs some more work to at least not contradict itself: there is more than one exception, and they are not absolute, anyone can examine the headers "for any reason"...




(B)

As it stands, the note about the changed expectations for the Hop-by-Hop options header opens a significant door to work around the "limitations" of other options.  For example, it would be relatively straight forward to define a new Hop-by-Hop option to carry any type of information that could then be "examined, processed, inserted, or deleted by any node along a packet's delivery path".  In the world of controllers and programmatic access to forwarding nodes, changing the explicit configuration on the fly to customize which nodes do what, is trivial.

Is that the intent of this document, to provide a generic mechanism for cases that may need extension headers to be "examined, processed, inserted, or deleted by any node along a packet's delivery path"?  Will the WG/IETF be in a position to charter, adopt and/or publish these types of documents?  I ask this question not only in the context of my concerns expressed above, but also because the definition of the Hop-by-Hop Option would seem to be able to handle anything ("used to carry optional information that may be examined and processed by every node along a packet's delivery path" - I didn't see any constraints), even if (for example) the Routing Header "is used by an IPv6 source to list one or more intermediate nodes to be "visited" on the way to a packet's destination" -- so it makes me wonder whether using the Hop-by-Hop Options header to carry (for example) routing information so that it can be "examined, processed, inserted, or deleted by any node along a packet's delivery path" would pass the bar set in Section 4.8. (Defining New Extension Headers and Options):

  New hop-by-hop options are not recommended because nodes may be
  configured to ignore the Hop-by-Hop Option header, drop packets
  containing a hop-by-hop header, or assign packets containing a hop-
  by-hop header to a slow processing path.  Designers considering
  defining new hop-by-hop options need to be aware of this likely
  behaviour.  There has to be a very clear justification why any new
  hop-by-hop option is needed before it is standardized.

In the context of a controlled domain, it should be relatively easy for the operator to account for those issues.  So my interpretation of whether a Hop-by-Hop option is ok to carry (for example) routing information is a strong "Yes!".  Whether my interpretation is what was intended or not, I believe the overall text could benefit from more clarity.

[Ballot discuss]
First off, this DISCUSS is NOT about questioning the rough consensus calls that the responsible Chair and AD have made, or wanting to change them, but about clarifying to avoid misinterpretations.

Given the ongoing discussion about Extension Headers and controlled domains (for example [1] and [2]), the text should be very specific on what is expected and where.  Because it is not, I think that this document is teetering along the line of having a "high degree of technical maturity", and not being ready for Internet Standard [rfc6410].

Without further clarifications and guidance, this document also brings on unanticipated second order effects [rfc3439] that can impact the direction, or even the viability, of future work in the IETF.  Specifically, a straight forward interpretation of the text in Section 4 is the absolute prohibition to process, insert or delete EHs -- but discussion on the 6man mailing list seems to point at an understanding that the conditions inside a controlled domain may be different, for example (from Brian Carpenter [3]):

=====
I've tried to say this before but I'm not sure people are getting it:

RFC2460bis, if approved as is, draws a line in the sand *for interoperability across the whole Internet*. There are reasons for this - PMTUD in any form, any future replacement for the unsuccessful IPsec/AH, and all the problems of deploying extension headers that are understood by some nodes and not by others.

There is no reason why a subsequent standards-track document cannot allow header insertion (and removal) within finite domains where the above issues do not apply. In fact, an improved version of draft-voyer-6man-extension-header-insertion-00 could become exactly that.

=====

[N.B.: I'm not implying that Brian's opinion represents consensus, that is not my call to make.]

I'm pointing at an opinion (which I agree with) that recognizes the need to differentiate between contexts -- but the current text in rfc2460bis doesn't do that.  I believe that this issue is significant (as reflected by the ongoing discussions) that that it should be resolved (by clarifying the text) before proceeding with the publication of this document as an Internet Standard.

To summarize, the text in this document has the second order effect of not leaving a clear path forward for extensions to IPv6 so that they adhere to the protocol's architecture, specially when applied to a controlled domain.  At a minimum, I would like to see a clear path forward, whether that is in the form of an update for use of extensions in controlled domains, or a statement that this document just applies to IPv6 traffic intended to cross the Internet (as suggested at the 6man meeting in Chicago [4])...  My opinion is that this document should not be published as an Internet Standard until the remaining open discussions are explicitly resolved and this document reflects that resolution.


[1] https://mailarchive.ietf.org/arch/msg/ipv6/UI0PfqrWco4Hpbvm8keGR8FabRg/?qid=9a6ba8e9777114e24a1e964336ed78f1
[2] https://mailarchive.ietf.org/arch/msg/ipv6/OrLYxKumiKWLHGkeNamhq9pxutQ/?qid=63c159fe41c18653d9dc0be609f9e97f
[3] https://mailarchive.ietf.org/arch/msg/ipv6/REez0-lbebpo-Xem-xX_sWV0pf4/?qid=5cdab6c6085795129802ab622bb4159f
[4] https://www.ietf.org/proceedings/98/minutes/minutes-98-6man-00



==========

Related to the above, I also want to point out the lack of clarity in the text in Section 4. (IPv6 Extension Headers), which leaves itself open to interpretation and should be cleaned up.

(A)  The main piece of text that has been discussed now reads:

  With one exception, extension headers are not examined, processed,
  inserted, or deleted by any node along a packet's delivery path,
  until the packet reaches the node (or each of the set of nodes, in
  the case of multicast) identified in the Destination Address field of
  the IPv6 header.  Note: If an intermediate forwarding node examines
  an extension header for any reason, it must do so in accordance with
  the provisions of [RFC7045].
  ...
  The exception referred to in the preceding paragraph is the Hop-by-
  Hop Options header, which carries information that may be examined
  and processed by every node along a packet's delivery path, including
  the source and destination nodes.  The Hop-by-Hop Options header,
  when present, must immediately follow the IPv6 header.  Its presence
  is indicated by the value zero in the Next Header field of the IPv6
  header.

  NOTE: While [RFC2460] required that all nodes must examine and
  process the Hop-by-Hop Options header, it is now expected that nodes
  along a packet's delivery path only examine and process the Hop-by-
  Hop Options header if explicitly configured to do so.


While the first sentence seems clear on what this document wants forwarding nodes to do (or not), there are two notes that define exceptions: any forwarding node can examine the headers "for any reason", and, the Hop-by-Hop Options header doesn't really have to be examined and processed by everyone.

This text needs some more work to at least not contradict itself: there is more than one exception, and they are not absolute, anyone can examine the headers "for any reason"...



(B)

As it stands, the note about the changed expectations for the Hop-by-Hop options header opens a significant door to work around the "limitations" of other options.  For example, it would be relatively straight forward to define a new Hop-by-Hop option to carry any type of information that could then be "examined, processed, inserted, or deleted by any node along a packet's delivery path".  In the world of controllers and programmatic access to forwarding nodes, changing the explicit configuration on the fly to customize which nodes do what, is trivial.

Is that the intent of this document, to provide a generic mechanism for cases that may need extension headers to be "examined, processed, inserted, or deleted by any node along a packet's delivery path"?  Will the WG/IETF be in a position to charter, adopt and/or publish these types of documents?  I ask this question not only in the context of my concerns expressed above, but also because the definition of the Hop-by-Hop Option would seem to be able to handle anything ("used to carry optional information that may be examined and processed by every node along a packet's delivery path" - I didn't see any constraints), even if (for example) the Routing Header "is used by an IPv6 source to list one or more intermediate nodes to be "visited" on the way to a packet's destination" -- so it makes me wonder whether using the Hop-by-Hop Options header to carry (for example) routing information so that it can be "examined, processed, inserted, or deleted by any node along a packet's delivery path" would pass the bar set in Section 4.8. (Defining New Extension Headers and Options):

  New hop-by-hop options are not recommended because nodes may be
  configured to ignore the Hop-by-Hop Option header, drop packets
  containing a hop-by-hop header, or assign packets containing a hop-
  by-hop header to a slow processing path.  Designers considering
  defining new hop-by-hop options need to be aware of this likely
  behaviour.  There has to be a very clear justification why any new
  hop-by-hop option is needed before it is standardized.

In the context of a controlled domain, it should be relatively easy for the operator to account for those issues.  So my interpretation of whether a Hop-by-Hop option is ok to carry (for example) routing information is a strong "Yes!".  Whether my interpretation is what was intended or not, I believe the overall text could benefit from more clarity.

[Ballot discuss]
First off, this DISCUSS is NOT about questioning the rough consensus calls that the responsible Chair and AD have made, or wanting to change them, but about clarifying to avoid misinterpretations.

Given the ongoing discussion about Extension Headers and controlled domains (for example [1] and [2]), the text should be very specific on what is expected and where.  Because it is not, I think that this document is teetering along the line of having a "high degree of technical maturity", and not being ready for Internet Standard [rfc6410].

Without further clarifications and guidance, this document also brings on unanticipated second order effects [rfc3439] that can impact the direction, or even the viability, of future work in the IETF.  Specifically, a straight forward interpretation of the text in Section 4 is the absolute prohibition to process, insert or delete EHs -- but discussion on the 6man mailing list seems to point at an understanding that the conditions inside a controlled domain may be different, for example (from Brian Carpenter [3]):

=====
I've tried to say this before but I'm not sure people are getting it:

RFC2460bis, if approved as is, draws a line in the sand *for interoperability across the whole Internet*. There are reasons for this - PMTUD in any form, any future replacement for the unsuccessful IPsec/AH, and all the problems of deploying extension headers that are understood by some nodes and not by others.

There is no reason why a subsequent standards-track document cannot allow header insertion (and removal) within finite domains where the above issues do not apply. In fact, an improved version of draft-voyer-6man-extension-header-insertion-00 could become exactly that.
=====

[N.B.: I'm not implying that Brian's opinion represents consensus, that is not my call to make.]

I'm pointing at an opinion (which I agree with) that recognizes the need to differentiate between contexts -- but the current text in rfc2460bis doesn't do that.  I believe that this issue is significant (as reflected by the ongoing discussions) that that it should be resolved (by clarifying the text) before proceeding with the publication of this document as an Internet Standard.

To summarize, the text in this document has the second order effect of not leaving a clear path forward for extensions to IPv6 so that they adhere to the protocol's architecture, specially when applied to a controlled domain.  At a minimum, I would like to see a clear path forward, whether that is in the form of an update for use of extensions in controlled domains, or a statement that this document just applies to IPv6 traffic intended to cross the Internet (as suggested at the 6man meeting in Chicago [4])...  My opinion is that this document should not be published as an Internet Standard until the remaining open discussions are explicitly resolved and this document reflects that resolution.


[1] https://mailarchive.ietf.org/arch/msg/ipv6/UI0PfqrWco4Hpbvm8keGR8FabRg/?qid=9a6ba8e9777114e24a1e964336ed78f1
[2] https://mailarchive.ietf.org/arch/msg/ipv6/OrLYxKumiKWLHGkeNamhq9pxutQ/?qid=63c159fe41c18653d9dc0be609f9e97f
[3] https://mailarchive.ietf.org/arch/msg/ipv6/REez0-lbebpo-Xem-xX_sWV0pf4/?qid=5cdab6c6085795129802ab622bb4159f
[4] https://www.ietf.org/proceedings/98/minutes/minutes-98-6man-00



==========

Related to the above, I also want to point out the lack of clarity in the text in Section 4. (IPv6 Extension Headers), which leaves itself open to interpretation and should be cleaned up.

(A)  The main piece of text that has been discussed now reads:

  With one exception, extension headers are not examined, processed,
  inserted, or deleted by any node along a packet's delivery path,
  until the packet reaches the node (or each of the set of nodes, in
  the case of multicast) identified in the Destination Address field of
  the IPv6 header.  Note: If an intermediate forwarding node examines
  an extension header for any reason, it must do so in accordance with
  the provisions of [RFC7045].
  ...
  The exception referred to in the preceding paragraph is the Hop-by-
  Hop Options header, which carries information that may be examined
  and processed by every node along a packet's delivery path, including
  the source and destination nodes.  The Hop-by-Hop Options header,
  when present, must immediately follow the IPv6 header.  Its presence
  is indicated by the value zero in the Next Header field of the IPv6
  header.

  NOTE: While [RFC2460] required that all nodes must examine and
  process the Hop-by-Hop Options header, it is now expected that nodes
  along a packet's delivery path only examine and process the Hop-by-
  Hop Options header if explicitly configured to do so.


While the first sentence seems clear on what this document wants forwarding nodes to do (or not), there are two notes that define exceptions: any forwarding node can examine the headers "for any reason", and, the Hop-by-Hop Options header doesn't really have to be examined and processed by everyone.

This text needs some more work to at least not contradict itself: there is more than one exception, and they are not absolute, anyone can examine the headers "for any reason"...



(B)

As it stands, the note about the changed expectations for the Hop-by-Hop options header opens a significant door to work around the "limitations" of other options.  For example, it would be relatively straight forward to define a new Hop-by-Hop option to carry any type of information that could then be "examined, processed, inserted, or deleted by any node along a packet's delivery path".  In the world of controllers and programmatic access to forwarding nodes, changing the explicit configuration on the fly to customize which nodes do what, is trivial.

Is that the intent of this document, to provide a generic mechanism for cases that may need extension headers to be "examined, processed, inserted, or deleted by any node along a packet's delivery path"?  Will the WG/IETF be in a position to charter, adopt and/or publish these types of documents?  I ask this question not only in the context of my concerns expressed above, but also because the definition of the Hop-by-Hop Option would seem to be able to handle anything ("used to carry optional information that may be examined and processed by every node along a packet's delivery path" - I didn't see any constraints), even if (for example) the Routing Header "is used by an IPv6 source to list one or more intermediate nodes to be "visited" on the way to a packet's destination" -- so it makes me wonder whether using the Hop-by-Hop Options header to carry (for example) routing information so that it can be "examined, processed, inserted, or deleted by any node along a packet's delivery path" would pass the bar set in Section 4.8. (Defining New Extension Headers and Options):

  New hop-by-hop options are not recommended because nodes may be
  configured to ignore the Hop-by-Hop Option header, drop packets
  containing a hop-by-hop header, or assign packets containing a hop-
  by-hop header to a slow processing path.  Designers considering
  defining new hop-by-hop options need to be aware of this likely
  behaviour.  There has to be a very clear justification why any new
  hop-by-hop option is needed before it is standardized.

In the context of a controlled domain, it should be relatively easy for the operator to account for those issues.  So my interpretation of whether a Hop-by-Hop option is ok to carry (for example) routing information is a strong "Yes!".  Whether my interpretation is what was intended or not, I believe the overall text could benefit from more clarity.

[Ballot comment]
Appendix B. (Changes Since RFC2460) mentions that the text was revised based on updates from several other RFCs which Updated rfc2460.  I didn't check all the details, but if the updates were incorporated in this document, why are those RFCs not marked as being Obsolete?  Is there any value left in them?

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-6man-rfc2460bis-08. If any part of this review is inaccurate, please let us know.

We have a question about the actions requested in this document.

The document provides a list of registries and other locations at iana.org where references to RFC 2460 need to be replaced with references to this document. However, there are references to RFC 2460 that are not included in this list. In addition to the list below, references to RFC 2460 can be found here:

http://www.iana.org/assignments/xml-registry/schema/traceroute-1.0.xsd
http://www.iana.org/assignments/ipfix
http://www.iana.org/assignments/version-numbers

Should the references in those locations be updated as well?

These are the locations named by the document, which should complete the list of locations where references to RFC 2460 appear:

Internet Protocol Version 6 (IPv6) Parameters located at:
www.iana.org/assignments/ipv6-parameters/

Assigned Internet Protocol Numbers located at:
www.iana.org/assignments/protocol-numbers/

ONC RPC Network Identifiers (netids) located at:
www.iana.org/assignments/rpc-netids/

Technical requirements for authoritative name servers located at:
www.iana.org/help/nameserver-requirements

Network Layer Protocol Identifiers (NLPIDs) of Interest located at:
www.iana.org/assignments/nlpids/

Protocol Registries located at:
www.iana.org/protocols

Structure of Management Information (SMI) Numbers (MIB Module Registrations) located at:
www.iana.org/assignments/smi-numbers/

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Amanda Baber
Lead IANA Services Specialist
PTI

The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: draft-ietf-6man-rfc2460bis@ietf.org, ipv6@ietf.org, "Ole Troan" , suresh.krishnan@ericsson.com, otroan@employees.org, 6man-chairs@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Internet Protocol, Version 6 (IPv6) Specification) to Internet Standard


The IESG has received a request from the IPv6 Maintenance WG (6man) to
consider the following document:
- 'Internet Protocol, Version 6 (IPv6) Specification'
  as Internet Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-03-01. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document specifies version 6 of the Internet Protocol (IPv6).
  It obsoletes RFC2460




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-6man-rfc2460bis/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-6man-rfc2460bis/ballot/


No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification (Draft Standard - IETF stream)
    rfc3168: The Addition of Explicit Congestion Notification (ECN) to IP (Proposed Standard - IETF stream)
Note that some of these references may already be listed in the acceptable Downref Registry.

RFC2460bis Writeup


Title        : Internet Protocol, Version 6 (IPv6) Specification
Author        : Stephen E. Deering
                Robert M. Hinden
Filename      : draft-ietf-6man-rfc2460bis-08.txt
Pages        : 39
Date          : 2016-11-15


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)? Why is this the
proper type of RFC? Is this type of RFC indicated in the title page
header?

  Internet Standard

  RFC2460 is currently at Draft Standard, the 6MAN working group has
  reached a consensus that it’s time to elevate the IPv6 protocol
  specification to Internet Standard.

  The header indicates “Standards Track”.


(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary:

  This document specifies version 6 of the Internet Protocol (IPv6).  It
  obsoletes RFC2460

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was
there controversy about particular points or were there decisions where
the consensus was particularly rough?

  The 6MAN working started working on advancing the IPv6 core
  specifications to Internet Standard at IETF93 July 2015.  See:
  https://www.ietf.org/proceedings/93/slides/slides-93-6man-3.pdf The
  working group identified three RFCs to update (RFC2460, RFC4291, and
  RFC1981) by incorporating updates from other RFCs and Errata, and
  three to advance in place RFC4443, RFC3596, and RFC4941.  After
  further analysis, the w.g. decided to not reclassify RFC4941 at this
  time.

  The working followed the requirements in RFC6410 for advancing a Draft
  Standard to Internet Standard.  While RFC6410 describes how to handle
  Errata, it doesn't say anything about Updated-By RFCs.  The working
  group, with the advice of our AD, incorporated the changes from the
  the Updated-By RFC and verified there was interoperability of the
  updates.

  All of the Updated-By and errata were brought into the new draft in
  small steps to allow thorough review of all of the changes.  A summary
  and link to diff from the previous version was sent to the mailing
  list.  All of the changes to each draft were also discussed in detail
  at IETF94, IETF95, IETF96, and IETF97.  All of the changes from
  RFC2460 are summarized in Appendix B and are ordered by the Internet
  Draft that brought the change in.

  A working group last call for moving this and the other two documents
  to Internet Standard was started on 30 May 2016.  Reviews were also
  requested.  Issues found during the last call and reviews were entered
  into the 6MAN ticket system.  These are now closed.

  The biggest issue raised was how to handle the issue of Extension
  Header insertion in this document.  After many discussion on the
  mailing list and face to face meeting, there wasn’t a clear consensus.
  The chairs conducted an online survey that provided three choices: Ban
  header insertion, describe the problems with header insertion, or say
  nothing.  The result of the survey was to describe the solution.  The
  results and methodology used to evaluate the results can be seen at:

    https://mailarchive.ietf.org/arch/msg/ipv6/_gG2foiugk5B7w3TpnPvBbjHDzs

  This was discussed at the 6MAN session at IETF97 and on the mailing
  list after the meeting.  The chairs believe there is a consensus to go
  forward with the text that is in draft-ietf-6man-rfc2460bis-08.


Document Quality:

Are there existing implementations of the protocol? Have a significant
number of vendors indicated their plan to implement the specification?
Are there any reviewers that merit special mention as having done a
thorough review, e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If there was a
MIB Doctor, Media Type or other expert review, what was its course
(briefly)? In the case of a Media Type review, on what date was the
request posted?

  IPv6 is implemented on most platforms (hosts, routers, servers, etc.),
  including proprietary and open source.  A list of products that have
  received the IPV6 Ready logo can be found at:
  https://www.ipv6ready.org/db/index.php/public/?o=4

  Most major ISP now support IPv6, as well as many mobile
  operators.

  Google’s IPv6 stats at
  https://www.google.com/intl/en/ipv6/statistics.html show they are
  seeing now about 15% of their overall user traffic is IPv6. Country
  adoption is 29% in the US, Germany 27%, Finland 12%, Japan 14%, Brazil
  11%.  IPv6 users per AS can be found at
  http://stats.labs.apnic.net/aspop

  The University of New Hampshire InterOperability Laboratory (UNH)
  analyzed the incorporated updates to insure they were implemented and
  interoperable.  No problems were found.  Their report can be found at:
  https://www.ietf.org/proceedings/95/slides/slides-95-6man-2.pdf

  No MIB, Media, or other expert reviews are required.


Personnel:

Who is the Document Shepherd? Who is the Responsible Area Director?

  Document Shepherd: Ole Trøan
  Responsible AD: Suresh Krishnan



(3) Briefly describe the review of this document that was performed by
the Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the
IESG.

  The document was reviewed by the Document Shepherd and believes it is
  ready for publication.


(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No.


(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that took
place.

  No.


(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the IESG
should be aware of? For example, perhaps he or she is uncomfortable with
certain parts of the document, or has concerns whether there really is a
need for it. In any event, if the WG has discussed those issues and has
indicated that it still wishes to advance the document, detail those
concerns here.

  Nothing, issues raised in the working group are discussed in working
  group summary above.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why?

  Yes


(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No IPR.


(9) How solid is the WG consensus behind this document? Does it represent
the strong concurrence of a few individuals, with others being silent, or
does the WG as a whole understand and agree with it?

  The document has had extensive review in the 6MAN working group and
  there is broad support to this version of the IPv6 specification as an
  Internet Standard.


(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

  No appeals have been threatened. The biggest area of conflict has been
  around text describing Extension Header Insertion, there are strong
  opinions on both sides.


(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

  Nothing serious.  A few miscellaneous warning about line spacing and
  notice that the reference to draft-ietf-6man-rfc4291bis is a down
  reference. Draft-ietf-6man-rfc4291bis will be submitted for Internet
  Standard with this.


(12) Describe how the document meets any required formal review criteria,
such as the MIB Doctor, media type, and URI type reviews.

  N/A


(13) Have all references within this document been identified as either
normative or informative?

  Yes.


(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

  The only normative reference this is not an RFC, is a reference to
  draft-ietf-6man-rfc4291bis. This draft is also being submitted to the
  IESG for Internet standard around the same time.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the
Last Call procedure.


  [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474, DOI
              10.17487/RFC2474, December 1998,
              .


  [RFC3168]  Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
              of Explicit Congestion Notification (ECN) to IP", RFC
              3168, DOI 10.17487/RFC3168, September 2001,
              .

  [RFC6437]  Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme,
              "IPv6 Flow Label Specification", RFC 6437, DOI 10.17487/
              RFC6437, November 2011,
              .

  RFC4443 is also listed, but the working group is going to request that
  RFC4443 be advance in place to Internet Standard.


(16) Will publication of this document change the status of any existing
RFCs? Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction? If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs is
discussed. If this information is not in the document, explain why the WG
considers it unnecessary.


  This document obsoletes RFC2460. This is indicated in the header and
  abstract.


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed
specification of the initial contents for the registry, that allocations
procedures for future registrations are defined, and a reasonable name
for the new registry has been suggested (see RFC 5226).

    This document does not make any new assignment, but it does requests
    that the IANA update a number of IANA registries to point to this
    document instead of RFC2460.


(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful
in selecting the IANA Experts for these new registries.

    None.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.


    N/A