errata logo graphic

Found 5 records.

Status: Reported (1)

RFC4443, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", March 2006

Source of RFC: ipv6 (int)

Errata ID: 4445

Status: Reported
Type: Technical

Reported By: Dennis Ferguson
Date Reported: 2015-08-15

Section 3.1 says:

   ICMPv6 Fields:

   Type           1

   Code           0 - No route to destination
[...]
                  5 - Source address failed ingress/egress policy
                  6 - Reject route to destination
[...]
   If the reason for the failure to deliver is lack of a matching entry
   in the forwarding node's routing table, the Code field is set to 0.
   (This error can occur only in nodes that do not hold a "default
   route" in their routing tables.)
[...]
   If the reason for the failure to deliver is that the route to the
   destination is a reject route, the Code field is set to 6.  This may
   occur if the router has been configured to reject all the traffic for
   a specific prefix.

   Codes 5 and 6 are more informative subsets of code 1.

It should say:

   ICMPv6 Fields:

   Type           1

   Code           0 - No route to destination
[...]
                  5 - Source address failed ingress/egress policy
                  6 - Destination address failed ingress/egress policy
[...]
   If the reason for the failure to deliver is lack of an entry in the
   forwarding node's routing table that can be used to reach the
   destination, the Code field is set to 0.  This error may be reported
   by nodes that lack a default route or are the origin of an aggregate
   route
[...]
   If the reason for the failure to deliver is that the packet with this
   destination address is not allowed due to ingress or egress filtering
   policies, the Code field is set to 6.

   Codes 5 and 6 are more informative subsets of code 1.

Notes:

A router that is the explicit or implicit origin of an aggregate
route prefix in routing must not forward messages to destinations
matching the aggregate prefix using a route with a prefix less specific
than the aggregate route it originated (e.g. a defaut route). This
constraint is necessary to produce correct, loop-free routing. The
parenthetical comment in the current description of the Code 0 error
overlooks the fact that such nodes may lack a route which may be used to
reach a destination matching an aggregate prefix, and may be the only
nodes which could report this lack, even if they do have routes to less
specific matching prefixes. The suggested change to the Code 0
description attempts to correct this.

Concerning Code 6, the earliest definition of a "reject route" I've
found in writing is in the RFC 2096 IP Forwarding Table MIB (though
4.3BSD-Reno kernels supported them in 1990 and there may well be earlier
uses). The updated description of inetCidrRouteType in RFC 4292 says this:

reject(2) refers to a route that, if matched, discards
the message as unreachable and returns a notification
(e.g., ICMP error) to the message sender. This is used
in some protocols as a means of correctly aggregating
routes.

In the MIB a reject route is a generic mechanism to indicate that packets
with matching destinations won't be forwarded using less specific routes,
but instead will be discarded if no more specific matching route to use
to forward the packet is known with an error being returned to the
message sender. The reason no specific error is associated with this is
that while the presence of the reject route describes how messages are
forwarded, or not forwarded (i.e. the mechanism), it does not describe why
they are being forwarded like that (i.e. the policy); to know the latter
requires knowing why the reject route was added. Knowing which error
will be reported hence requires knowing the purpose that is being
implemented by the reject route.

The original use of the mechanism, as indicated above, was to produce
correct forwarding on routers originating aggregate routes. Another use
of the mechanism, to prevent packets with Local IPv6 destination addresses
from being forwarded beyond a site's administrative boundary, was suggested
in Section 4.3 of RFC 4193 (I believe this can only be understood as a
suggestion, rather than an implementation requirement, since the policy
it requires could be indistinguishably implemented with a firewall filter
instead).

The current definition of Code 6 describes the error being reported
as "Reject route to destination", that is it ascribes the reason for
the error to the mechanism itself rather than the policy the mechanism
was employed to implement. If this was the intent then its discription
is technically inaccurate. A reject route does not necessarily implement
an administrative prohibition nor is its function necessarily to "reject
all traffic for a specific prefix"; the original use of reject routes
for aggregation is inconsistent with both of these. What I believe is
that the intent of Code 6 is to report the error associated with the
RFC 4193 border patrol policy, independent of how that is implemented, and
so I've changed the text to better reflect that.


Status: Held for Document Update (4)

RFC4443, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", March 2006

Source of RFC: ipv6 (int)

Errata ID: 88

Status: Held for Document Update
Type: Technical

Reported By: Alfred Hoenes
Date Reported: 2006-04-19
Held for Document Update by: Brian Haberman

 

(1)  text omission ???

I suspect that something went wrong in the publication process
for RFC 4443, leading to significant text omission.

Symptoms:

o  Text on top of page 5 apparently *continues* specifications
   that are not in the published text;

o  Appendix A contains the change item:

   - Added specification that all ICMP error messages shall have exactly
     32 bits of type-specific data, so that receivers can reliably find
     the embedded invoking packet even when they don't recognize the
     ICMP message Type.

   I could not find any text in the body of the RFC corresponding
   to this statement.

Therefore, I suspect that general specifications for ICMPv6 error
messages have been dropped inadvertently from the end of Section
2.1, at the bottom of page 4 in the published text, or that even
a subsection dealing with the peculiar requirements for ICMPv6
error messages has been dropped, just leaving in the published text
the single sentence at top of page 5.

I expect the missing text to depict the general structure of the
Message Body of ICMPv6 error messages with all related explanations,
according to the above mentioned change note.

Appendix A also states:

   - Removed the general packet format from Section 2.1.  It refers to
     Sections 3 and 4 for packet formats now.

This is not literally true.  The general format *is* in Section 2.1.
But in fact, it would be logical to have the (missing) specifications
for error messages -- including the 4 lines of test on top of page 5 --
incorporated into (the start of) Section 3 (*before* the heading for
Section 3.1.) instead of the end of Section 2.1.


(2)  possible textual improvement

in the lower third of page 3, Section 2.1 says:

   The code field depends on the message type.  It is used to create an
   additional level of message granularity.

It should perhaps better say:

   The code field depends on the message type.  It is used to create an
   additional level of message type granularity.
                              ^^^^^^

(3)  reference to old IPsec Architecture document

Section 5.1, at the bottom of page 15, has been updated to point
to the new IPsec Architecture document, RFC 4301, via the reference
tag [SEC-ARCH].  But immediately below, in the first paragraph of
Section 5.2, on top of page 16, the RFC text says:

   ICMP messages may be subject to various attacks.  A complete
   discussion can be found in the IP Security Architecture [IPv6-SA].
   [...]

It remains unclear why the reference is made to the previous IPsec
Architecture document, RFC 2401, in this case.
In fact, RFC 4301 has simplified ICMP handling by the introduction
of ICMP Type+Code as a Traffic Selector for the SPD, and therefore
contains restructured text on ICMP message processing.
Nevertheless, as far as I can see, RFC 4301 has not removed
significant ICMP security related material from RFC 2401.
Thus, IMHO there is no reason to explicitely refer to the obsoleted
specification, RFC 2401 [IPv6-SA], instead of the current one,
RFC 4301 [SEC-ARCH].


(4)  more issues with references

According to Appendix A, RFC 4443 has

   - Separated References into Normative and Informative.

The latest RFC Authoring Internet draft revisions
(cf. draft-rfc-editor-rfc2223bis-xx
 and draft-hoffman-rfc-author-guide-01)
all have included the definition:
     Normative references specify documents that must be read
     to understand or implement the technology in the document,
     or whose technology must be present for the technology in
     the new RFC to work.  [...] an informative reference might
     provide background or historical information to the reader.
     [...]

The separation performed does not match this definition.

(4a)
RFC 4443 refers to RFC 792 and RFC 1122 to point out the analogy
to ICMP[v4], but it is a self-contained specification, and ICMPv6
does not rely on the implementation of ICMP[v4] -- IPv6 only nodes
are possible and even expected for the (far?) future.
Therefore, the references [RFC-792] and [RFC-1122] should better
have been placed into section 7.2, Informative References, instead
of Section 7.1, Normative References.

(4b)
RFC 4443 also lists in Section 7.1, Normative References, the
reference to its obsoleted predecessor, RFC 2463 [RFC-2463].
This is a fatal lock on the Standards Track for RFC 4443:
RFC 4443 can *not* be advanced above the level of RFC 2463,
if the written procedures are taken literally !
(Also, RFC 4443 contains all material from RFC 2463, and thus
RFC 2463 is not needed to understand and/or implement RFC 4443.)

Therefore, all references to obsoleted documents should be
named Informative, and in the case of RFC 4443, [RFC-2463]
should have been moved into Section 7.2 as well.

(4c)
The old IPv6 Addressing Architecture document, RFC 3513, has been
replaced by RFC 4291, published more than 5 weeks before RFC 4443.

Therefore, in Section 7.2 of RFC 4443, the Informative Reference
[IPv6-ADDR] should be have been changed to point to RFC 4291
instead of the obsolete RFC 3513.

(4d)
When following my recommendations in item (3) above, the
Informative Reference [IPv6-SA] is not needed any more;
its role has been taken over by the Reference [SEC-ARCH].


(5)  misleading change note

The second bulleted item in Appendix A,

   - Corrected typos in Section 2.4, where references to sub-bullet e.2
     were supposed to be references to e.3.

apparently is not correct; it must have been introduced in the
draft history, referring to a change in the draft.
The references in RFC 2463 to sub-bullet (e.2) were correct.
RFC 4443 has inserted a new item (e.2) into the list, incrementing
the numbers of the previous sub-bullet (e.2) and all subsequent
sub-bullets, thus making it necessary to increment the references.
Perhaps, the latter had not been done in an early draft revision,
and has then been corrected in a later one.
Thus, the above change note should not have been included in RFC 4443.

Notes:

from pending


Errata ID: 1918

Status: Held for Document Update
Type: Editorial

Reported By: Thorsten Ulbricht
Date Reported: 2009-10-19
Held for Document Update by: Brian Haberman

Section 7.2 says:

   [IPv6-ESP]   Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
                4203, December 2005.

It should say:

   [IPv6-ESP]   Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
                4303, December 2005.


Errata ID: 1926

Status: Held for Document Update
Type: Editorial

Reported By: Thorsten Ulbricht
Date Reported: 2009-10-23
Held for Document Update by: Brian Haberman

Section 7.2 says:

   [IPv6-ADDR]  Hinden, R. and S. Deering, "Intpernet Protocol Version 6
                (IPv6) Addressing Architecture", RFC 3513, April 2003.

It should say:

   [IPv6-ADDR]  Hinden, R. and S. Deering, "Internet Protocol Version 6
                (IPv6) Addressing Architecture", RFC 3513, April 2003.


Errata ID: 3201

Status: Held for Document Update
Type: Editorial

Reported By: David Gräff
Date Reported: 2012-04-25
Held for Document Update by: Brian Haberman

Section 7.2 says:

   [IPv6-ESP]   Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
                4203, December 2005.

It should say:

   [IPv6-ESP]   Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
                4303, December 2005.

Notes:

Wrong RFC reference.


Report New Errata