--- 1/draft-ietf-6man-addr-select-opt-03.txt 2012-07-16 21:14:30.093341891 +0200 +++ 2/draft-ietf-6man-addr-select-opt-04.txt 2012-07-16 21:14:30.113341991 +0200 @@ -1,50 +1,50 @@ 6man Working Group A. Matsumoto Internet-Draft T. Fujisaki Intended status: Standards Track J. Kato -Expires: August 24, 2012 NTT +Expires: January 17, 2013 NTT T. Chown University of Southampton - February 21, 2012 + July 16, 2012 Distributing Address Selection Policy using DHCPv6 - draft-ietf-6man-addr-select-opt-03.txt + draft-ietf-6man-addr-select-opt-04.txt Abstract RFC 3484 defines default address selection mechanisms for IPv6 that allow nodes to select appropriate address when faced with multiple source and/or destination addresses to choose between. The RFC 3484 allowed for the future definition of methods to administratively configure the address selection policy information. This document defines a new DHCPv6 option for such configuration, allowing a site administrator to distribute address selection policy overriding the - default address selection policy table, and thus control the address - selection behavior of nodes in their site. + default address selection parameters and policy table, and thus + control the address selection behavior of nodes in their site. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 24, 2012. + This Internet-Draft will expire on January 17, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -77,68 +77,105 @@ configuration. Some problems have been identified with the default RFC 3484 address selection policy [RFC5220]. It is unlikely that any default policy will suit all scenarios, and thus mechanisms to control the source address selection policy will be necessary. Requirements for those mechanisms are described in [RFC5221], while solutions are discussed in [I-D.ietf-6man-addr-select-sol] and [I-D.ietf-6man-addr-select-considerations]. Those documents have helped shape the improvements in the default address selection - algorithm [I-D.ietf-6man-rfc3484-revise] as well as the DHCPv6 option + algorithm [I-D.ietf-6man-rfc3484bis] as well as the DHCPv6 option defined in this specification. 1.1. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.2. Terminology This document uses the terminology defined in [RFC2460] and the DHCPv6 specification defined in [RFC3315] -2. Address Selection Policy option +2. Address Selection options - The Address Selection Policy option provides the policy table for - address selection rules as described in RFC 3484 and in - [I-D.ietf-6man-rfc3484-revise]. + The Address Selection option provides the address selection policy + table, and some other configuration parameters. - Each end node is expected to configure its policy table, as described - in RFC 3484, using the Address Selection Policy option as described - in the section below on processing the option. + A address selection option contains zero or more policy table + options. Multiple policy table options in a Policy Table option + constitute a single policy table. - Multiple Address Selection Policy options MAY appear in a DHCPv6 - message. They constitute a single policy table. + The format of the Address Selection option is given below. - The format of the Address Selection Policy option is given below. + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | OPTION_ADDRSEL | option-len | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Reserved |A|P| | + +-+-+-+-+-+-+-+-+ POLICY TABLE OPTIONS | + | (variable length) | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Figure 1: Address Selection option format + + option-code: OPTION_ADDRSEL (TBD). + + option-len: The total length of the Reserved field, A, P flags, and + POLICY TABLE OPITONS in octets. + + Reserved: Reserved field. Server MUST set this value to zero and + client MUST ignore its content. + + A: Automatic Row Addition flag. This flag toggles the Automatic + Row Addition flag at client hosts, which is described in the + section 2.1 in RFC 3484 revision [I-D.ietf-6man-rfc3484bis]. If + this flag is set to 1, it does not change client host behavior, + that is, a client MAY automatically add additional site-specific + rows to the policy table. If set to 0, the Automatic Row + Addition flag is disabled, and a client MAY NOT automatically + add rows to the policy table. + + P: Privacy Preference flag. This flag toggles the Privacy + Preference flag at client hosts, which is described in the + section 5 in RFC 3484 revision [I-D.ietf-6man-rfc3484bis]. If + this flag is set to 1, it does not change client host behavior, + that is, a client SHOULD prefer temporary addresses. If set to + 0, the Privacy Preference flag is disabled, and a client SHOULD + prefer public addresses. + + POLICY TABLE OPTIONS: Zero or more Address Selection Policy Table + options described below. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | OPTION_DASP | option-len | + | OPTION_ADDRSEL_TABLE | option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | label | precedence | prefix-len | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | prefix (variable length) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | - . DASP options . + . Prefix Specific options . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - Figure 1: Address Selection Policy option format + Figure 2: Address Selection Policy Table option format - option-code: OPTION_DASP (TBD). + option-code: OPTION_ADDRSEL_TABLE (TBD). option-len: The total length of the label field, precedence field, prefix-len field, prefix field, and DASP options field in octets. label: An 8-bit unsigned integer; this value is used to make a combination of source address prefixes and destination address prefixes. precedence: An 8-bit unsigned integer; this value is used for @@ -146,113 +183,121 @@ prefix-len: An 8-bit unsigned integer; the number of leading bits in the prefix that are valid. The value ranges from 0 to 128. prefix: A variable-length field containing an IP address or the prefix of an IP address. An IPv4-mapped address [RFC4291] must be used to represent an IPv4 address as a prefix value. The Prefix should be truncated on the byte boundary. So the length of this field should be between 0 and 16 bytes. - DASP options: Options specific to this particular Address Selection - Policy option. This includes, but not limited to, zero or one - PREFIX_ZONE option that specify the zone index of the prefix in - this option. + Prefix Specific options: Options specific to this particular Address + Selection Policy option. This includes, but not limited to, + zero or one Zone Index option that specify the zone index of the + prefix in this option. The format of the Zone Index option is given below. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | OPTION_ZONE_INDEX | option-len | + | OPTION_ADDRSEL_ZONE | option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | zone-index | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - Figure 2: Zone Index option format + Figure 3: Zone Index option format - option-code: OPTION_ZONE_INDEX (TBD). + option-code: OPTION_ADDRSEL_ZONE (TBD). option-len: 4. zone-index: The zone-index field is an 32-bit unsigned integer, and used to specify the zone for scoped addresses. The zone-index is defined in RFC 3493 [RFC3493] as 'scope ID'. -3. Appearance of the Address Selection Policy option - - The Address Selection Policy option MUST NOT appear in any messages - other than the following ones: Solicit, Advertise, Request, Renew, - Rebind, Reconfigure, Information-Request, and Reply. +3. Appearance of the Address Selection options -4. Processing the Address Selection Policy option + The Address Selection options MUST NOT appear in any messages other + than the following ones: Solicit, Advertise, Request, Renew, Rebind, + Reconfigure, Information-Request, and Reply. - This section describes how to process received Address Selection - Policy options at the DHCPv6 client. +4. Processing the Policy Table option - When a host receives a DHCPv6 message that includes multiple Address - Selection Policy options, they MUST be treated as a single policy - table. + This section describes how to process received Policy Table option at + the DHCPv6 client. This option's concept is to serve as a hint for a node about how to behave in the network. So, basically, it should be up to the node's - administrator how to make use of or even ignore the received policy - information. + administrator how to deal with the received policy information in the + way described below. 4.1. Handling of the local policy table RFC 3484 defines the default policy table. Also, a user is usually able to configure the policy table to satisfy his requirement. - The client node SHOULD provide the following choices: + The client implementation SHOULD provide the following choices to the + user: a) It receives distributed policy table, and replaces the existing policy tables with that. b) It preserves the default policy table, or manually configured policy. 4.2. Handling of the stale policy table When the information from the DHCP server goes stale, the policy received form the DHCP server should be removed and the default policy should be restored. The received information can be considered stale in several cases, such as, when the interface goes down, the DHCP server does not respond for a certain amount of time, and the Information Refresh Time is expired. -4.3. Processing multiple received policy tables +4.3. Processing multiple received policies - The policy table is node-global information by its nature. So, the - node cannot use multiple received policy tables at the same time. In - other words, once the received policy from one source is merged with - another source, the policy is more or less changed. The policy table - is defined as a whole, so the slightest addition/deletion from the - policy table brings a change in semantics of the policy. + The policy table, and other parameters specified in this document are + node-global information by its nature. So, the node cannot use + multiple received policies at the same time. In other words, once + the received policy from one source is merged with another source, + the policy is more or less changed. The policy table is defined as a + whole, so the slightest addition/deletion from the policy table + brings a change in semantics of the policy. It also should be noted that, when a node is single-homed and has only one upstream line, adopting a received policy table does not degrade the security level. - Under the above assumptions, we specify how to handle multiple - received policy tables below. + Under the above assumptions, how to handle multiple received policies + is specified below. - A node MAY use OPTION_DASP in any of the following two cases: + A node MAY use Address Selection options in any of the following two + cases: - 1: The address selection option is delivered across the only secure, + 1: The Address Selection option is delivered across the only secure, trusted channel. - 2: The address selection option delivery is not secured, but the node + 2: The Address Selection option delivery is not secured, but the node is single-homed. - In other cases the node MUST NOT use OPTION_DASP unless the node is - specifically configured to do so. + In other cases the node MUST NOT use Policy Table options unless the + node is specifically configured to do so. + + Discussion: The secure trusted channel does not necessarily mean a + prioritized route in the routing table. So, such a situation + could happen that the traffic goes through a non-secure, non- + trusted channel and the host follows the delivered policy from a + secure, truested channel. However, this policy is not for + optimization of traffic and resources at the local network and the + hosts, but for implementing the network policy to the hosts in the + network. 5. Implementation Considerations o The value 'label' is passed as an unsigned integer, but there is no special meaning for the value, that is whether it is a large or small number. It is used to select a preferred source address prefix corresponding to a destination address prefix by matching the same label value within the DHCP message. DHCPv6 clients need to convert this label to a representation specified by each implementation (e.g., string). @@ -288,27 +333,40 @@ Another threat is about privacy concern. As in the security consideration section of RFC 3484, at least a part of, the address selection policy stored in a host can be leaked by a packet from a remote host. This issue will not be degraded regardless of the introduction of this option, or regardless of whether the host is multihomed or not. 7. IANA Considerations - IANA is requested to assign option codes to OPTION_DASP from the - option-code space as defined in section "DHCPv6 Options" of RFC 3315. + IANA is requested to assign option codes to OPTION_ADDRSEL , + OPTION_ADDRSEL_TABLE, and OPTION_ADDRSEL_ZONE from the option-code + space as defined in section "DHCPv6 Options" of RFC 3315. 8. References 8.1. Normative References + [I-D.ietf-6man-rfc3484bis] + Thaler, D., Draves, R., Matsumoto, A., and T. Chown, + "Default Address Selection for Internet Protocol version 6 + (IPv6)", draft-ietf-6man-rfc3484bis-06 (work in progress), + June 2012. + + [I-D.ietf-6man-stable-privacy-addresses] + Gont, F., "A method for Generating Stable Privacy-Enhanced + Addresses with IPv6 Stateless Address Autoconfiguration + (SLAAC)", draft-ietf-6man-stable-privacy-addresses-00 + (work in progress), May 2012. + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3484] Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003. @@ -319,26 +377,20 @@ Address Selection Policy Changes", draft-ietf-6man-addr-select-considerations-04 (work in progress), October 2011. [I-D.ietf-6man-addr-select-sol] Matsumoto, A., Fujisaki, T., and R. Hiromi, "Solution approaches for address-selection problems", draft-ietf-6man-addr-select-sol-03 (work in progress), March 2010. - [I-D.ietf-6man-rfc3484-revise] - Matsumoto, A., Kato, J., Fujisaki, T., and T. Chown, - "Update to RFC 3484 Default Address Selection for IPv6", - draft-ietf-6man-rfc3484-revise-05 (work in progress), - October 2011. - [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. Stevens, "Basic Socket Interface Extensions for IPv6", RFC 3493, February 2003. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006.