| draft-ietf-idr-bgp-flowspec-oid-10.txt | draft-ietf-idr-bgp-flowspec-oid-11.txt | |||
|---|---|---|---|---|
| Network Working Group J. Uttaro | Network Working Group J. Uttaro | |||
| Internet-Draft AT&T | Internet-Draft AT&T | |||
| Updates: 5575bis (if approved) J. Alcaide | Updates: 5575bis (if approved) J. Alcaide | |||
| Intended status: Standards Track C. Filsfils | Intended status: Standards Track C. Filsfils | |||
| Expires: February 9, 2020 D. Smith | Expires: September 9, 2020 D. Smith | |||
| Cisco | Cisco | |||
| P. Mohapatra | P. Mohapatra | |||
| Sproute Networks | Sproute Networks | |||
| August 8, 2019 | March 8, 2020 | |||
| Revised Validation Procedure for BGP Flow Specifications | Revised Validation Procedure for BGP Flow Specifications | |||
| draft-ietf-idr-bgp-flowspec-oid-10 | draft-ietf-idr-bgp-flowspec-oid-11 | |||
| Abstract | Abstract | |||
| This document describes a modification to the validation procedure | This document describes a modification to the validation procedure | |||
| defined in [RFC5575bis] for the dissemination of BGP Flow | defined in [RFC5575bis] for the dissemination of BGP Flow | |||
| Specifications. [RFC5575bis] requires that the originator of the | Specifications. [RFC5575bis] requires that the originator of the | |||
| Flow Specification matches the originator of the best-match unicast | Flow Specification matches the originator of the best-match unicast | |||
| route for the destination prefix embedded in the Flow Specification. | route for the destination prefix embedded in the Flow Specification. | |||
| This allows only BGP speakers within the data forwarding path (such | This allows only BGP speakers within the data forwarding path (such | |||
| as autonomous system border routers) to originate BGP Flow | as autonomous system border routers) to originate BGP Flow | |||
| skipping to change at page 1, line 47 ¶ | skipping to change at page 1, line 47 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 9, 2020. | This Internet-Draft will expire on September 9, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 32 ¶ | skipping to change at page 2, line 32 ¶ | |||
| 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 | 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Revised Validation Procedure . . . . . . . . . . . . . . . . 5 | 4. Revised Validation Procedure . . . . . . . . . . . . . . . . 5 | |||
| 4.1. Revision of Route Feasibility . . . . . . . . . . . . . . 5 | 4.1. Revision of Route Feasibility . . . . . . . . . . . . . . 5 | |||
| 4.2. Revision of AS_PATH Validation . . . . . . . . . . . . . 6 | 4.2. Revision of AS_PATH Validation . . . . . . . . . . . . . 6 | |||
| 5. Other RFC5575bis Considerations . . . . . . . . . . . . . . . 7 | 5. Other RFC5575bis Considerations . . . . . . . . . . . . . . . 7 | |||
| 6. Topology Considerations . . . . . . . . . . . . . . . . . . . 8 | 6. Topology Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 10. Normative References . . . . . . . . . . . . . . . . . . . . 10 | 10. Normative References . . . . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 1. Requirements Language | 1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 2. Introduction | 2. Introduction | |||
| [RFC5575bis] defined a new BGP [RFC4271] capability that can be used | [RFC5575bis] defined a new BGP [RFC4271] capability that can be used | |||
| skipping to change at page 3, line 33 ¶ | skipping to change at page 3, line 33 ¶ | |||
| modification cannot be used for inter-domain coordination of traffic | modification cannot be used for inter-domain coordination of traffic | |||
| filtering, it greatly simplifies distribution of intra-domain traffic | filtering, it greatly simplifies distribution of intra-domain traffic | |||
| filtering policies within an autonomous system which has a large | filtering policies within an autonomous system which has a large | |||
| number of border routers having complex BGP policies. By relaxing | number of border routers having complex BGP policies. By relaxing | |||
| the validation procedure for iBGP, the proposed modification allows | the validation procedure for iBGP, the proposed modification allows | |||
| Flow Specifications to be distributed in a standard and scalable | Flow Specifications to be distributed in a standard and scalable | |||
| manner throughout an autonomous system. | manner throughout an autonomous system. | |||
| 3. Motivation | 3. Motivation | |||
| Step (a) of the validation procedure in [RFC5575bis], section 6 is | Step (b) of the validation procedure in [RFC5575bis], section 6 is | |||
| defined with the underlying assumption that the Flow Specification | defined with the underlying assumption that the Flow Specification | |||
| NLRI traverses the same path, in the inter-domain and intra-domain | NLRI traverses the same path, in the inter-domain and intra-domain | |||
| route distribution graph, as that of the longest-match unicast route | route distribution graph, as that of the longest-match unicast route | |||
| for the destination prefix embedded in the Flow Specification. | for the destination prefix embedded in the Flow Specification. | |||
| In the case of inter-domain traffic filtering, the Flow Specification | In the case of inter-domain traffic filtering, the Flow Specification | |||
| originator at the egress border routers of an AS (e.g. RTR-D and | originator at the egress border routers of an AS (e.g. RTR-D and | |||
| RTR-E of ASN1 in figure 1) matches the eBGP neighbor that advertised | RTR-E of ASN1 in figure 1) matches the eBGP neighbor that advertised | |||
| the longest match destination prefix (see RTR-F and RTR-G | the longest match destination prefix (see RTR-F and RTR-G | |||
| respectively in figure 1). Similarly, at the ingress border routers | respectively in figure 1). Similarly, at the ingress border routers | |||
| skipping to change at page 5, line 16 ¶ | skipping to change at page 5, line 16 ¶ | |||
| plane. In this way, operators can direct border routers within their | plane. In this way, operators can direct border routers within their | |||
| ASN with specific attack mitigation actions (drop the traffic, | ASN with specific attack mitigation actions (drop the traffic, | |||
| forward to a clean-pipe center, etc.). | forward to a clean-pipe center, etc.). | |||
| To originate a Flow Specification NLRI, a central BGP route | To originate a Flow Specification NLRI, a central BGP route | |||
| controller must set itself as the originator in the Flow | controller must set itself as the originator in the Flow | |||
| Specification NLRI. This is necessary given the route controller is | Specification NLRI. This is necessary given the route controller is | |||
| originating the Flow Specification rather than reflecting it, and to | originating the Flow Specification rather than reflecting it, and to | |||
| avoid the complexity of having to determine the egress border router | avoid the complexity of having to determine the egress border router | |||
| whose path was chosen as the best in each of the ingress border | whose path was chosen as the best in each of the ingress border | |||
| routers. Thus, it is necessary to modify step (a) of the | routers. Thus, it is necessary to modify step (b) of the | |||
| [RFC5575bis] validation procedure such that an iBGP peer that is not | [RFC5575bis] validation procedure such that an iBGP peer that is not | |||
| within the data forwarding plane may originate Flow Specification | within the data forwarding plane may originate Flow Specification | |||
| NLRIs. | NLRIs. | |||
| 4. Revised Validation Procedure | 4. Revised Validation Procedure | |||
| 4.1. Revision of Route Feasibility | 4.1. Revision of Route Feasibility | |||
| Step (a) of the validation procedure specified in [RFC5575bis], | Step (b) of the validation procedure specified in [RFC5575bis], | |||
| section 6 is redefined as follows: | section 6 is redefined as follows: | |||
| a. One of the following conditions MUST hold true. | a. One of the following conditions MUST hold true: | |||
| 1. The originator of the Flow Specification matches the | 1. The originator of the Flow Specification matches the | |||
| originator of the best-match unicast route for the | originator of the best-match unicast route for the | |||
| destination prefix embedded in the Flow Specification. | destination prefix embedded in the Flow Specification (this | |||
| is the unicast route with the longest possible prefix length | ||||
| covering the destination prefix embedded in the Flow | ||||
| Specification). | ||||
| 2. The AS_PATH attribute of the Flow Specification does not | 2. The AS_PATH attribute of the Flow Specification does not | |||
| contain AS_SET and/or AS_SEQUENCE segments. | contain AS_SET and/or AS_SEQUENCE segments. | |||
| 1. This condition SHOULD be enabled by default. This | 1. This condition SHOULD be enabled by default. This | |||
| default behavior should validate an empty AS_PATH. | default behavior should validate an empty AS_PATH. | |||
| 2. This condition MAY be disabled by configuration on a BGP | 2. This condition MAY be disabled by configuration on a BGP | |||
| speaker. | speaker. | |||
| skipping to change at page 6, line 4 ¶ | skipping to change at page 6, line 9 ¶ | |||
| 3. As an exception to this rule, a given AS_PATH with AS_SET | 3. As an exception to this rule, a given AS_PATH with AS_SET | |||
| and/or AS_SEQUENCE segments MAY be validated by policy. | and/or AS_SEQUENCE segments MAY be validated by policy. | |||
| Explanation: | Explanation: | |||
| In this context, an empty AS_PATH means that it does not have | In this context, an empty AS_PATH means that it does not have | |||
| AS_SET and/or AS_SEQUENCE segments, and local domain means the | AS_SET and/or AS_SEQUENCE segments, and local domain means the | |||
| local AS [RFC4271] or the local confederation of ASes (in the case | local AS [RFC4271] or the local confederation of ASes (in the case | |||
| that the local AS belongs to a confederation of ASes [RFC5065]). | that the local AS belongs to a confederation of ASes [RFC5065]). | |||
| Thus, receiving a Flow Specification with an empty AS_PATH | Thus, receiving a Flow Specification with an empty AS_PATH | |||
| indicates that the Flow Specification was originated inside the | indicates that the Flow Specification was originated inside the | |||
| local domain. | local domain. | |||
| With the above modification to the [RFC5575bis] validation | With the above modification to the [RFC5575bis] validation | |||
| procedure, a BGP peer within the local domain that is not within | procedure, a BGP peer within the local domain that is not within | |||
| the data forwarding path can originate a Flow Specification. | the data forwarding path can originate a Flow Specification. | |||
| Disabling the new condition above (a.2.2) may be a good practice | Disabling the new condition above (b.2.2) may be a good practice | |||
| when the operator knows with certainty that there is not a Flow | when the operator knows with certainty that there is not a Flow | |||
| Specification originated inside the local domain. | Specification originated inside the local domain. | |||
| Also, policy may be useful to validate a specific set of non-empty | Also, policy may be useful to validate a specific set of non-empty | |||
| AS_PATHs (a.2.3). For example, it could validate a Flow | AS_PATHs (b.2.3). For example, it could validate a Flow | |||
| Specification whose AS_PATH contains only an AS_SEQUENCE with ASes | Specification whose AS_PATH contains only an AS_SEQUENCE with ASes | |||
| that are all known to belong to the same administrative domain. | that are all known to belong to the same administrative domain. | |||
| 4.2. Revision of AS_PATH Validation | 4.2. Revision of AS_PATH Validation | |||
| [RFC5575bis] states: | [RFC5575bis] states: | |||
| o BGP implementations MUST also enforce that the AS_PATH attribute | o BGP implementations MUST also enforce that the AS_PATH attribute | |||
| of a route received via the External Border Gateway Protocol | of a route received via the External Border Gateway Protocol | |||
| (eBGP) contains the neighboring AS in the left-most position of | (eBGP) contains the neighboring AS in the left-most position of | |||
| skipping to change at page 7, line 38 ¶ | skipping to change at page 7, line 43 ¶ | |||
| from an External Border Gateway Protocol (eBGP) peer belonging to | from an External Border Gateway Protocol (eBGP) peer belonging to | |||
| the same local domain (in the case that the local AS belongs to a | the same local domain (in the case that the local AS belongs to a | |||
| confederation of ASes) is out of the scope of this document. Note | confederation of ASes) is out of the scope of this document. Note | |||
| that although it's possible, its utility is dubious. | that although it's possible, its utility is dubious. | |||
| 5. Other RFC5575bis Considerations | 5. Other RFC5575bis Considerations | |||
| This section clarifies some of the terminology and rules referenced | This section clarifies some of the terminology and rules referenced | |||
| in [RFC5575bis]. Namely: | in [RFC5575bis]. Namely: | |||
| o [RFC5575bis] references "the best-match unicast route for the | ||||
| destination prefix embedded in the Flow Specification". For | ||||
| clarity, this route is defined hereby as the best path of the | ||||
| unicast network with the longer prefix-length that covers the | ||||
| destination prefix embedded in the Flow Specification. | ||||
| Explanation: | ||||
| We consider only the best-match network and we do not consider | ||||
| unicast non-best paths (even if it is received from the same peer | ||||
| as the Flow Specification). | ||||
| o If a BGP Flow Specification does not embed a destination prefix | ||||
| component, then the default behavior SHOULD be not to perform the | ||||
| validation procedures. | ||||
| Explanation: | ||||
| The reason for this is because the best-match unicast route is not | ||||
| defined in this case. | ||||
| o In the context of this document and [RFC5575bis], AS_PATH | o In the context of this document and [RFC5575bis], AS_PATH | |||
| attribute is defined as the reconstructed AS path information (by | attribute is defined as the reconstructed AS path information (by | |||
| combining AS_PATH and AS4_PATH attributes, if the BGP speaker is a | combining AS_PATH and AS4_PATH attributes, if the BGP speaker is a | |||
| NEW speaker and receives the route from an OLD speaker), according | NEW speaker and receives the route from an OLD speaker), according | |||
| to section 4.2.3 of [RFC6793]. | to section 4.2.3 of [RFC6793]. | |||
| o Support for two-octet AS only implementations is out of the scope | o Support for two-octet AS only implementations is out of the scope | |||
| of this document (i.e. it's assumed that the BGP speaker supports | of this document (i.e. it's assumed that the BGP speaker supports | |||
| [RFC6793]). | [RFC6793]). | |||
| 6. Topology Considerations | 6. Topology Considerations | |||
| [RFC5575bis] indicates that the originator may refer to the | [RFC5575bis] indicates that the originator may refer to the | |||
| originator path attribute (ORIGINATOR_ID) or (if the attribute is not | originator path attribute (ORIGINATOR_ID) or (if the attribute is not | |||
| present) the transport address of the peer from which we received the | present) the transport address of the peer from which we received the | |||
| update. If the latter applies, a network should be designed so it | update. If the latter applies, a network should be designed so it | |||
| has a congruent topology. | has a congruent topology. | |||
| With the additional second condition (a.2) in the validation | With the additional second condition (b.2) in the validation | |||
| procedure, non-congruent topologies are supported within the local | procedure, non-congruent topologies are supported within the local | |||
| domain if the Flow Specification is originated within the local | domain if the Flow Specification is originated within the local | |||
| domain. | domain. | |||
| Explanation: | Explanation: | |||
| Consider the following scenarios without the second condition | Consider the following scenarios without the second condition | |||
| (a.2) being added to the validation procedure: | (b.2) being added to the validation procedure: | |||
| 1. Consider a topology with two BGP speakers with two peering | 1. Consider a topology with two BGP speakers with two peering | |||
| sessions between them, one for unicast and one for Flow | sessions between them, one for unicast and one for Flow | |||
| Specification. This is a non-congruent topology. Let's | Specification. This is a non-congruent topology. Let's | |||
| assume that the ORIGINATOR_ID attribute was not received (e.g. | assume that the ORIGINATOR_ID attribute was not received (e.g. | |||
| a route reflector receiving routes from its clients). In this | a route reflector receiving routes from its clients). In this | |||
| case, the Flow Specification validation procedure will fail | case, the Flow Specification validation procedure will fail | |||
| because of the first condition (a.1). | because of the first condition (b.1). | |||
| 2. Consider a topology with a BGP speaker within a confederation | 2. Consider a topology with a BGP speaker within a confederation | |||
| of ASes, inside local AS X. ORIGINATOR_ID attribute is not | of ASes, inside local AS X. ORIGINATOR_ID attribute is not | |||
| advertised within the local domain. Let's assume the Flow | advertised within the local domain. Let's assume the Flow | |||
| Specification route is received from peer A and the best-match | Specification route is received from peer A and the best-match | |||
| unicast route is received from peer B. Both peers belong in | unicast route is received from peer B. Both peers belong in | |||
| local AS Y. Both AS X and AS Y belong to the same local | local AS Y. Both AS X and AS Y belong to the same local | |||
| domain. The Flow Specification validation procedure will also | domain. The Flow Specification validation procedure will also | |||
| fail because of the first condition (a.1). | fail because of the first condition (b.1). | |||
| In the examples above, if Flow Specifications are originated in | In the examples above, if Flow Specifications are originated in | |||
| the same local domain, AS_PATH will not contain AS_SET and/or | the same local domain, AS_PATH will not contain AS_SET and/or | |||
| AS_SEQUENCE segments. When the second condition (a.2) in the | AS_SEQUENCE segments. When the second condition (b.2) in the | |||
| validation procedure is used, the validation procedure will pass. | validation procedure is used, the validation procedure will pass. | |||
| Thus, non-congruent topologies are supported if the Flow | Thus, non-congruent topologies are supported if the Flow | |||
| Specification is originated in the same local domain. | Specification is originated in the same local domain. | |||
| Even when the second condition (a.2) is used in the validation | Even when the second condition (b.2) is used in the validation | |||
| procedure, a Flow Specification originated in a different local | procedure, a Flow Specification originated in a different local | |||
| domain needs a congruent topology. AS_SEQUENCE is not empty and | domain needs a congruent topology. AS_SEQUENCE is not empty and | |||
| the first condition (a.1) in the validation procedure needs to be | the first condition (b.1) in the validation procedure needs to be | |||
| evaluated. Because transport addresses for Flow Specification and | evaluated. Because transport addresses for Flow Specification and | |||
| unicast routes are different, the validation procedure will fail. | unicast routes are different, the validation procedure will fail. | |||
| This is true both across domains and within domains. Consider | This is true both across domains and within domains. Consider | |||
| both cases: | both cases: | |||
| * Consider the first example. If the Flow Specification route is | * Consider the first example. If the Flow Specification route is | |||
| originated in another AS, the validation procedure will fail | originated in another AS, the validation procedure will fail | |||
| because the topology is non-congruent within the domain. | because the topology is non-congruent within the domain. | |||
| * Consider the second example and modify it so AS X and AS Y | * Consider the second example and modify it so AS X and AS Y | |||
| belong to different local domains (no confederation of ASes | belong to different local domains (no confederation of ASes | |||
| exists). The validation procedure will fail because the | exists). The validation procedure will fail because the | |||
| skipping to change at page 10, line 20 ¶ | skipping to change at page 10, line 6 ¶ | |||
| 9. Acknowledgements | 9. Acknowledgements | |||
| The authors would like to thank Han Nguyen for his direction on this | The authors would like to thank Han Nguyen for his direction on this | |||
| work as well as Waqas Alam, Keyur Patel, Robert Raszuk, Eric Rosen | work as well as Waqas Alam, Keyur Patel, Robert Raszuk, Eric Rosen | |||
| and Shyam Sethuram for their review comments. | and Shyam Sethuram for their review comments. | |||
| 10. Normative References | 10. Normative References | |||
| [I-D.ietf-idr-rfc5575bis] | [I-D.ietf-idr-rfc5575bis] | |||
| Hares, S., Loibl, C., Raszuk, R., McPherson, D., and M. | Loibl, C., Hares, S., Raszuk, R., McPherson, D., and M. | |||
| Bacher, "Dissemination of Flow Specification Rules", | Bacher, "Dissemination of Flow Specification Rules", | |||
| draft-ietf-idr-rfc5575bis-14 (work in progress), April | draft-ietf-idr-rfc5575bis-19 (work in progress), January | |||
| 2019. | 2020. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | |||
| Border Gateway Protocol 4 (BGP-4)", RFC 4271, | Border Gateway Protocol 4 (BGP-4)", RFC 4271, | |||
| DOI 10.17487/RFC4271, January 2006, | DOI 10.17487/RFC4271, January 2006, | |||
| <https://www.rfc-editor.org/info/rfc4271>. | <https://www.rfc-editor.org/info/rfc4271>. | |||
| End of changes. 25 change blocks. | ||||
| 47 lines changed or deleted | 29 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||