| draft-ietf-6man-addr-select-opt-10.txt | draft-ietf-6man-addr-select-opt-11.txt | |||
|---|---|---|---|---|
| 6man Working Group A.M. Matsumoto | 6man Working Group A. Matsumoto | |||
| Internet-Draft T.F. Fujisaki | Internet-Draft T. Fujisaki | |||
| Intended status: Standards Track NTT | Intended status: Standards Track NTT | |||
| Expires: November 01, 2013 T.C. Chown | Expires: February 08, 2014 T. Chown | |||
| University of Southampton | University of Southampton | |||
| April 30, 2013 | August 07, 2013 | |||
| Distributing Address Selection Policy using DHCPv6 | Distributing Address Selection Policy using DHCPv6 | |||
| draft-ietf-6man-addr-select-opt-10.txt | draft-ietf-6man-addr-select-opt-11.txt | |||
| Abstract | Abstract | |||
| RFC 6724 defines default address selection mechanisms for IPv6 that | RFC 6724 defines default address selection mechanisms for IPv6 that | |||
| allow nodes to select an appropriate address when faced with multiple | allow nodes to select an appropriate address when faced with multiple | |||
| source and/or destination addresses to choose between. The RFC 6724 | source and/or destination addresses to choose between. RFC 6724 | |||
| allowed for the future definition of methods to administratively | allows for the future definition of methods to administratively | |||
| configure the address selection policy information. This document | configure the address selection policy information. This document | |||
| defines a new DHCPv6 option for such configuration, allowing a site | defines a new DHCPv6 option for such configuration, allowing a site | |||
| administrator to distribute address selection policy overriding the | administrator to distribute address selection policy overriding the | |||
| default address selection parameters and policy table, and thus | default address selection parameters and policy table, and thus to | |||
| control the address selection behavior of nodes in their site. | control the address selection behavior of nodes in their site. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 01, 2013. | This Internet-Draft will expire on February 08, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 25 | skipping to change at page 2, line 25 | |||
| modifications of such material outside the IETF Standards Process. | modifications of such material outside the IETF Standards Process. | |||
| Without obtaining an adequate license from the person(s) controlling | Without obtaining an adequate license from the person(s) controlling | |||
| the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
| outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
| it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
| than English. | than English. | |||
| 1. Introduction | 1. Introduction | |||
| RFC 3484 [RFC3484] describes default algorithms for selecting an | [RFC6724] describes default algorithms for selecting an address when | |||
| address when a node has multiple destination and/or source addresses | a node has multiple destination and/or source addresses to choose | |||
| to choose from by using an address selection policy. In Section 2 of | from by using an address selection policy. In Section 2 of RFC 6724, | |||
| RFC 6724, it is suggested that the default policy table may be | it is suggested that the default policy table may be administratively | |||
| administratively configured to suit the specific needs of a site. | configured to suit the specific needs of a site. This specification | |||
| This specification defines a new DHCPv6 option for such | defines a new DHCPv6 option for such configuration. | |||
| configuration. | ||||
| Some problems have been identified with the default RFC 3484 address | Some problems were identified with the default address selection | |||
| selection policy [RFC5220]. It is unlikely that any default policy | policy as originally defined in [RFC3484]. As a result, RFC 3484 was | |||
| will suit all scenarios, and thus mechanisms to control the source | updated and obsoleted by [RFC6724]. While this update corrected a | |||
| address selection policy will be necessary. Requirements for those | number of issues identifed from operational experience, it is | |||
| mechanisms are described in [RFC5221], while solutions are discussed | unlikely that any default policy will suit all scenarios, and thus | |||
| in [I-D.ietf-6man-addr-select-considerations]. Those documents have | mechanisms to control the source address selection policy will be | |||
| necessary. Requirements for those mechanisms are described in | ||||
| [RFC5221], while solutions are discussed in | ||||
| [I-D.ietf-6man-addr-select-considerations]. Those documents have | ||||
| helped shape the improvements in the default address selection | helped shape the improvements in the default address selection | |||
| algorithm [RFC6724] as well as the DHCPv6 option defined in this | algorithm in [RFC6724] as well as the requirements for the DHCPv6 | |||
| specification. | option defined in this specification. | |||
| 1.1. Conventions Used in This Document | 1.1. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| This document uses the terminology defined in [RFC2460] and the | This document uses the terminology defined in [RFC2460] and the | |||
| DHCPv6 specification defined in [RFC3315] | DHCPv6 specification defined in [RFC3315] | |||
| 2. Address Selection options | 2. Address Selection options | |||
| The Address Selection option provides the address selection policy | The Address Selection option provides the address selection policy | |||
| table, and some other configuration parameters. | table, and some other configuration parameters. | |||
| An Address Selection option contains zero or more policy table | An Address Selection option contains zero or more policy table | |||
| options. Multiple Policy Table options in an Address Selection | options. Multiple policy table options in an Address Selection | |||
| option constitute a single policy table. When it does not contain | option constitute a single policy table. When an Address Selection | |||
| policy table option, it is used to convey the A and P flags. | option does not contain a policy table option, it may be used to just | |||
| convey the A and P flags. | ||||
| The format of the Address Selection option is given below. | The format of the Address Selection option is given below. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | OPTION_ADDRSEL | option-len | | | OPTION_ADDRSEL | option-len | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Reserved |A|P| | | | Reserved |A|P| | | |||
| +-+-+-+-+-+-+-+-+ POLICY TABLE OPTIONS | | +-+-+-+-+-+-+-+-+ POLICY TABLE OPTIONS | | |||
| skipping to change at page 3, line 37 | skipping to change at page 3, line 41 | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 1: Address Selection option format | Figure 1: Address Selection option format | |||
| option-code: OPTION_ADDRSEL (TBD). | option-code: OPTION_ADDRSEL (TBD). | |||
| option-len: The total length of the Reserved field, A, P flags, and | option-len: The total length of the Reserved field, A, P flags, and | |||
| POLICY TABLE OPTIONS in octets. | POLICY TABLE OPTIONS in octets. | |||
| Reserved: Reserved field. Server MUST set this value to zero and | Reserved: Reserved field. The server MUST set this value to zero | |||
| client MUST ignore its content. | and the client MUST ignore its content. | |||
| A: Automatic Row Addition flag. This flag toggles the Automatic | A: Automatic Row Addition flag. This flag toggles the Automatic | |||
| Row Addition flag at client hosts, which is described in the | Row Addition flag at client hosts, which is described in section | |||
| section 2.1 in RFC 6724 [RFC6724]. If this flag is set to 1, it | 2.1 of [RFC6724]. If this flag is set to 1, it does not change | |||
| does not change client host behavior, that is, a client MAY | client host behavior, that is, a client MAY automatically add | |||
| automatically add additional site-specific rows to the policy | additional site-specific rows to the policy table. If set to 0, | |||
| table. If set to 0, the Automatic Row Addition flag is | the Automatic Row Addition flag is disabled, and a client SHOULD | |||
| disabled, and a client SHOULD NOT automatically add rows to the | NOT automatically add rows to the policy table. If the option | |||
| policy table. | contains a POLICY TABLE option, this flag is meaningless, and | |||
| automatic row addition SHOULD NOT be performed against the | ||||
| distributed policy table. | ||||
| P: Privacy Preference flag. This flag toggles the Privacy | P: Privacy Preference flag. This flag toggles the Privacy | |||
| Preference flag at client hosts, which is described in the | Preference flag on client hosts, which is described in section 5 | |||
| section 5 in RFC 6724 [RFC6724]. If this flag is set to 1, it | of [RFC6724]. If this flag is set to 1, it does not change | |||
| does not change client host behavior, that is, a client will | client host behavior, that is, a client will prefer temporary | |||
| prefer temporary addresses. If set to 0, the Privacy Preference | addresses [RFC4941]. If set to 0, the Privacy Preference flag | |||
| flag is disabled, and a client will prefer public addresses. | is disabled, and a client will prefer public addresses. | |||
| POLICY TABLE OPTIONS: Zero or more Address Selection Policy Table | POLICY TABLE OPTIONS: Zero or more Address Selection Policy Table | |||
| options described below. This option corresponds to a row in | options, as described below. This option corresponds to a row | |||
| the policy table defined in the section 2.1 in RFC 6724 | in the policy table defined in section 2.1 of [RFC6724]. | |||
| [RFC6724]. | ||||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | OPTION_ADDRSEL_TABLE | option-len | | | OPTION_ADDRSEL_TABLE | option-len | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | label | precedence | prefix-len | | | | label | precedence | prefix-len | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | |||
| | | | | | | |||
| | prefix (variable length) | | | prefix (variable length) | | |||
| skipping to change at page 5, line 7 | skipping to change at page 4, line 43 | |||
| Figure 2: Address Selection Policy Table option format | Figure 2: Address Selection Policy Table option format | |||
| option-code: OPTION_ADDRSEL_TABLE (TBD). | option-code: OPTION_ADDRSEL_TABLE (TBD). | |||
| option-len: The total length of the label field, precedence field, | option-len: The total length of the label field, precedence field, | |||
| prefix-len field, and prefix field. | prefix-len field, and prefix field. | |||
| label: An 8-bit unsigned integer; this value is for correlation of | label: An 8-bit unsigned integer; this value is for correlation of | |||
| source address prefixes and destination address prefixes. This | source address prefixes and destination address prefixes. This | |||
| field is used to deliver a label value in RFC 6724 policy table. | field is used to deliver a label value in the [RFC6724] policy | |||
| table. | ||||
| precedence: An 8-bit unsigned integer; this value is used for | precedence: An 8-bit unsigned integer; this value is used for | |||
| sorting destination addresses. This field is used to to deliver | sorting destination addresses. This field is used to to deliver | |||
| a precedence value in RFC 6724 policy table. | a precedence value in [RFC6724] policy table. | |||
| prefix-len: An 8-bit unsigned integer; the number of leading bits in | prefix-len: An 8-bit unsigned integer; the number of leading bits in | |||
| the prefix that are valid. The value ranges from 0 to 128. | the prefix that are valid. The value ranges from 0 to 128. | |||
| prefix: A variable-length field containing an IP address or the | prefix: A variable-length field containing an IP address or the | |||
| prefix of an IP address. An IPv4-mapped address [RFC4291] must | prefix of an IP address. An IPv4-mapped address [RFC4291] must | |||
| be used to represent an IPv4 address as a prefix value. This | be used to represent an IPv4 address as a prefix value. This | |||
| field is padded with zeros up to the nearest octet boundary when | field is padded with zeros up to the nearest octet boundary when | |||
| prefix6-len is not divisible by 8. This can be expressed using | prefix-len is not divisible by 8. This can be expressed using | |||
| the following equation: (prefix-len+7)/8 So the length of this | the following equation: (prefix-len + 7)/8 So the length of this | |||
| field should be between 0 and 16 bytes. For example, the prefix | field should be between 0 and 16 bytes. For example, the prefix | |||
| 2001:db8::/60 would be encoded with an prefix-len of 60, the | 2001:db8::/60 would be encoded with an prefix-len of 60, the | |||
| prefix would be 8 octets and would contains octets 20 01 0d b8 | prefix would be 8 octets and would contains octets 20 01 0d b8 | |||
| 00 00 00 00. | 00 00 00 00. | |||
| 3. Processing the Policy Table option | 3. Processing the Address Selection option | |||
| This section describes how to process received Policy Table option at | This section describes how to process a received Address Selection | |||
| the DHCPv6 client. | option at the DHCPv6 client. | |||
| This option's concept is to serve as a hint for a node about how to | This option's concept is to serve as a hint for a node about how to | |||
| behave in the network. Ultimately, it can be controlled by the | behave in the network. Ultimately, while the node's administrator | |||
| node's administrator how to deal with the received policy | can control how to deal with the received policy information, the | |||
| information, but the implementation SHOULD follow the way described | implementation SHOULD follow the method described below uniformly, to | |||
| below uniformly to ease diagnose brokenness and to reduce operational | ease troubleshooting and to reduce operational costs. | |||
| costs. | ||||
| 3.1. Handling of the local policy table | 3.1. Handling local configurations | |||
| RFC 6724 defines the default policy table. Also, users are usually | [RFC6724] defines two flags (A, P) and the default policy table. | |||
| able to configure the policy table to satisfy their own requirements. | Also, users are usually able to configure the flags and the policy | |||
| table to satisfy their own requirements. | ||||
| The client implementation SHOULD provide the following choices to the | The client implementation SHOULD provide the following choices to the | |||
| user. The choice a SHOULD be default, as far as the policy table is | user. | |||
| not configured by the user. | ||||
| a) replace the existing active policy table with the DHCPv6 | (a) replace the existing flags and active policy table with the | |||
| distributed policy table. | DHCPv6 distributed flags and policy table. | |||
| b) preserve the existing active policy table, whether this be the | (b) preserve the existing flags and active policy table, whether | |||
| default policy table, or user configured policy. | this be the default policy table, or user configured policy. | |||
| 3.2. Handling of the stale policy table | Choice (a) SHOULD be the default, i.e. that the policy table is not | |||
| explictly configured by the user. | ||||
| 3.2. Handling stale policy tables | ||||
| When the information from the DHCP server goes stale, the policy | When the information from the DHCP server goes stale, the policy | |||
| received form the DHCP server SHOULD be deprecated. | received from the DHCP server SHOULD be deprecated. | |||
| The received information can be considered stale in several cases, | The received information can be considered stale in several cases, | |||
| such as, when the interface goes down, the DHCP server does not | e.g., when the interface goes down, the DHCP server does not respond | |||
| respond for a certain amount of time, and the Information Refresh | for a certain amount of time, and the Information Refresh Time is | |||
| Time is expired. | expired. | |||
| 3.3. Multi-interface situation | 3.3. Handling multiple interfaces | |||
| The policy table, and other parameters specified in this document are | The policy table, and other parameters specified in this document, | |||
| node-global information by their nature. One reason being that the | are node-global information by their nature. One reason being that | |||
| outbound interface is usually chosen after destination address | the outbound interface is usually chosen after destination address | |||
| selection. So, a host cannot make use of multiple address selection | selection. So a host cannot make use of multiple address selection | |||
| policies even if they are stored per interface. | policies even if they are stored per interface. | |||
| Even if the received policy from one source is merged with one from | ||||
| another source, the effect of both policy are more or less changed. | ||||
| The policy table is defined as a whole, so the slightest addition/ | The policy table is defined as a whole, so the slightest addition/ | |||
| deletion from the policy table brings a change in semantics of the | deletion from the policy table brings a change in the semantics of | |||
| policy. | the policy. | |||
| It also should be noted that absence of the distributed policy from a | It also should be noted that the absence of a DHCP-distributed policy | |||
| certain network interface should not be treated as absence of policy | from a certain network interface should not infer that the network | |||
| itself, because it may mean preference for the default address | administrator does not care about address selection policy at all, | |||
| selection policy. | because it may mean there is a preference to use the default address | |||
| selection policy. So, it should be safe to assume that the default | ||||
| address selection policy should be used where no overriding policy is | ||||
| provided. | ||||
| Under the above assumptions, how to handle received policy is | Under the above assumptions, we can specify how to handle received | |||
| specified below. | policy as follows. | |||
| A node SHOULD use Address Selection options by default in any of the | In the absence of distributed policy for a certain network interface, | |||
| following two cases: | the default address selection policy SHOULD be used. A node should | |||
| use Address Selection options by default in any of the following two | ||||
| cases: | ||||
| 1: The host is single-homed, where the host belongs to one | 1: A single-homed host SHOULD use default address selection options, | |||
| administrative network domain exclusively usually through one | where the host belongs exclusively to one administrative network | |||
| active network interface. | domain, usually through one active network interface. | |||
| 2: The host implements some advanced heuristics to deal with multiple | 2: Hosts that use advanced heuristics to deal with multiple received | |||
| received policy, which is outside the scope of this document. | policies that are defined outside the scope of this document | |||
| SHOULD use Address Selection options. | ||||
| The above restrictions do not preclude implementations from providing | Implementations MAY provide configuration options to enable this | |||
| configuration options to enable this option on a certain network | protocol on a per interface basis. | |||
| interface. | ||||
| Nor, they do not preclude implementations from storing distributed | Implementations MAY store distributed address selection policies per | |||
| address selection policies per interface. They can be used | interface. They can be used effectively on implementations that | |||
| effectively on such implementations that adopt per-application | adopt per-application interface selection. | |||
| interface selection. | ||||
| 4. Implementation Considerations | 4. Implementation Considerations | |||
| o The value 'label' is passed as an unsigned integer, but there is | o The value 'label' is passed as an unsigned integer, but there is | |||
| no special meaning for the value, that is whether it is a large or | no special meaning for the value, that is whether it is a large or | |||
| small number. It is used to select a preferred source address | small number. It is used to select a preferred source address | |||
| prefix corresponding to a destination address prefix by matching | prefix corresponding to a destination address prefix by matching | |||
| the same label value within the DHCP message. DHCPv6 clients | the same label value within the DHCP message. DHCPv6 clients | |||
| SHOULD convert this label to a representation appropriate for the | SHOULD convert this label to a representation appropriate for the | |||
| local implementation (e.g., string). | local implementation (e.g., string). | |||
| o Currently, the label and precedence values are defined as 8-bit | ||||
| unsigned integers. In almost all cases, this value will be | ||||
| enough. | ||||
| o The maximum number of address selection rules that may be conveyed | o The maximum number of address selection rules that may be conveyed | |||
| in one DHCPv6 message depends on the prefix length of each rule | in one DHCPv6 message depends on the prefix length of each rule | |||
| and the maximum DHCPv6 message size defined in RFC 3315. It is | and the maximum DHCPv6 message size defined in [RFC3315]. It is | |||
| possible to carry over 3,000 rules in one DHCPv6 message (maximum | possible to carry over 3,000 rules in one DHCPv6 message (maximum | |||
| UDP message size). However, it should not be expected that DHCP | UDP message size). However, it should not be expected that DHCP | |||
| clients, servers and relay agents can handle UDP fragmentation. | clients, servers and relay agents can handle UDP fragmentation. | |||
| Network adiministrators SHOULD consider local limitations to the | Network adiministrators SHOULD consider local limitations to the | |||
| maximum DHCPv6 message size that can be reliably transported via | maximum DHCPv6 message size that can be reliably transported via | |||
| their specific local infrastructure to end nodes; and therefore | their specific local infrastructure to end nodes; and therefore | |||
| they SHOULD consider the number of options, the total size of the | they SHOULD consider the number of options, the total size of the | |||
| options, and the resulting DHCPv6 message size, when defining | options, and the resulting DHCPv6 message size, when defining | |||
| their Policy Table. | their policy table. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| A rogue DHCPv6 server could issue bogus address selection policies to | A rogue DHCPv6 server could issue bogus address selection policies to | |||
| a client. This might lead to incorrect address selection by the | a client. This might lead to incorrect address selection by the | |||
| client, and the affected packets might be blocked at an outgoing ISP | client, and the affected packets might be blocked at an outgoing ISP | |||
| because of ingress filtering, incur additional network charges, or be | because of ingress filtering, incur additional network charges, or be | |||
| misdirected to an attacker's machine. Alternatively, an IPv6 | misdirected to an attacker's machine. Alternatively, an IPv6 | |||
| transition mechanism might be preferred over native IPv6, even if it | transition mechanism might be preferred over native IPv6, even if it | |||
| is available. To guard against such attacks, a legitimate DHCPv6 | is available. To guard against such attacks, a legitimate DHCPv6 | |||
| server should communicate through a secure, trusted channel, such as | server should communicate through a secure, trusted channel, such as | |||
| a channel protected by IPsec, SEND and DHCP authentication, as | a channel protected by IPsec, SEND and DHCP authentication, as | |||
| described in section 21 of RFC 3315, | described in section 21 of [RFC3315]. A commonly used alternative | |||
| mitigation is to employ DHCP snooping at Layer 2. | ||||
| Another threat is about privacy concern. As in the security | Another threat surrounds the potential privacy concern as described | |||
| consideration section of RFC 6724, at least a part of, the address | in the security considerations section of [RFC6724], whereby an | |||
| selection policy stored in a host can be leaked by a packet from a | attacker can send packets with different source addresses to a | |||
| remote host. This issue will not be modified by the introduction of | destination to solicit different source addresses in the responses | |||
| this option, regardless of whether the host is multihomed or not. | from that destination. This issue will not be modified by the | |||
| introduction of this option, regardless of whether the host is | ||||
| multihomed or not. | ||||
| 6. IANA Considerations | 6. IANA Considerations | |||
| IANA is requested to assign option codes to OPTION_ADDRSEL and | IANA is requested to assign option codes to OPTION_ADDRSEL and | |||
| OPTION_ADDRSEL_TABLE from the "DHCP Option Codes" registry (http:// | OPTION_ADDRSEL_TABLE from the "DHCP Option Codes" registry (http:// | |||
| www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xml). | www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xml). | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., | [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., | |||
| and M. Carney, "Dynamic Host Configuration Protocol for | and M. Carney, "Dynamic Host Configuration Protocol for | |||
| IPv6 (DHCPv6)", RFC 3315, July 2003. | IPv6 (DHCPv6)", RFC 3315, July 2003. | |||
| [RFC3484] Draves, R., "Default Address Selection for Internet | ||||
| Protocol version 6 (IPv6)", RFC 3484, February 2003. | ||||
| [RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown, | [RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown, | |||
| "Default Address Selection for Internet Protocol Version 6 | "Default Address Selection for Internet Protocol Version 6 | |||
| (IPv6)", RFC 6724, September 2012. | (IPv6)", RFC 6724, September 2012. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [I-D.ietf-6man-addr-select-considerations] | [I-D.ietf-6man-addr-select-considerations] | |||
| Chown, T. and A. Matsumoto, "Considerations for IPv6 | Chown, T. and A. Matsumoto, "Considerations for IPv6 | |||
| Address Selection Policy Changes", draft-ietf-6man-addr- | Address Selection Policy Changes", draft-ietf-6man-addr- | |||
| select-considerations-05 (work in progress), April 2013. | select-considerations-05 (work in progress), April 2013. | |||
| [RFC2460] Deering, S.E. and R.M. Hinden, "Internet Protocol, Version | [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| 6 (IPv6) Specification", RFC 2460, December 1998. | (IPv6) Specification", RFC 2460, December 1998. | |||
| [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. | [RFC3484] Draves, R., "Default Address Selection for Internet | |||
| Stevens, "Basic Socket Interface Extensions for IPv6", RFC | Protocol version 6 (IPv6)", RFC 3484, February 2003. | |||
| 3493, February 2003. | ||||
| [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing | [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing | |||
| Architecture", RFC 4291, February 2006. | Architecture", RFC 4291, February 2006. | |||
| [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy | [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy | |||
| Extensions for Stateless Address Autoconfiguration in | Extensions for Stateless Address Autoconfiguration in | |||
| IPv6", RFC 4941, September 2007. | IPv6", RFC 4941, September 2007. | |||
| [RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, | [RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, | |||
| "Problem Statement for Default Address Selection in Multi- | "Problem Statement for Default Address Selection in Multi- | |||
| skipping to change at page 9, line 29 | skipping to change at page 9, line 22 | |||
| July 2008. | July 2008. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| Authors would like to thank to Dave Thaler, Pekka Savola, Remi Denis- | Authors would like to thank to Dave Thaler, Pekka Savola, Remi Denis- | |||
| Courmont, Francois-Xavier Le Bail, Ole Troan, Bob Hinden, Dmitry | Courmont, Francois-Xavier Le Bail, Ole Troan, Bob Hinden, Dmitry | |||
| Anipko, Ray Hunter, Rui Paulo, Brian E Carpenter, Tom Petch, and the | Anipko, Ray Hunter, Rui Paulo, Brian E Carpenter, Tom Petch, and the | |||
| members of 6man's address selection design team for their invaluable | members of 6man's address selection design team for their invaluable | |||
| contributions to this document. | contributions to this document. | |||
| Appendix B. Examples | ||||
| [RFC5220] gives several cases where address selection problems | ||||
| happen. This section contains some examples for solving those cases | ||||
| by using the DHCP option defined in this text to update the hosts' | ||||
| policy table in a network accordingly. There is also some discussion | ||||
| of example policy tables in sections 10.3 to 10.7 of RFC 6724. | ||||
| B.1. Ingress Filtering Problem | ||||
| In the case described in section 2.1.2 of [RFC5220], the following | ||||
| policy table should be distributed, when Router performs static | ||||
| routing and directs the default route to ISP1 as per Figure 2. By | ||||
| putting the same label value to all IPv6 addresses (::/0) and the | ||||
| local subnet (2001:db8:1000:1::/64), a host picks a source address in | ||||
| this subnet to send a packet via the default route. | ||||
| Prefix Precedence Label | ||||
| ::1/128 50 0 | ||||
| ::/0 40 1 | ||||
| 2001:db8:1000:1::/64 45 1 | ||||
| 2001:db8:8000:1::/64 45 14 | ||||
| ::ffff:0:0/96 35 4 | ||||
| 2002::/16 30 2 | ||||
| 2001::/32 5 5 | ||||
| fc00::/7 3 13 | ||||
| ::/96 1 3 | ||||
| fec0::/10 1 11 | ||||
| 3ffe::/16 1 12 | ||||
| B.2. Half-Closed Network Problem | ||||
| In the case described in section 2.1.3 of [RFC5220], the following | ||||
| policy table should be distributed. By splitting the closed network | ||||
| prefix (2001:db8:8000::/36) from all IPv6 addresses (::/0) and giving | ||||
| different labels, the closed network prefix will only be used when | ||||
| packets are destined for the closed network. | ||||
| Prefix Precedence Label | ||||
| ::1/128 50 0 | ||||
| ::/0 40 1 | ||||
| 2001:db8:8000::/36 45 14 | ||||
| ::ffff:0:0/96 35 4 | ||||
| 2002::/16 30 2 | ||||
| 2001::/32 5 5 | ||||
| fc00::/7 3 13 | ||||
| ::/96 1 3 | ||||
| fec0::/10 1 11 | ||||
| 3ffe::/16 1 12 | ||||
| B.3. IPv4 or IPv6 Prioritization | ||||
| In the case described in section 2.2.1 of [RFC5220], the following | ||||
| policy table should be distributed to prioritize IPv6. This case is | ||||
| also described in [RFC6724] | ||||
| Prefix Precedence Label | ||||
| ::1/128 50 0 | ||||
| ::/0 40 1 | ||||
| ::ffff:0:0/96 100 4 | ||||
| 2002::/16 30 2 | ||||
| 2001::/32 5 5 | ||||
| fc00::/7 3 13 | ||||
| ::/96 1 3 | ||||
| fec0::/10 1 11 | ||||
| 3ffe::/16 1 12 | ||||
| B.4. ULA or Global Prioritization | ||||
| In the case described in section 2.2.3 of [RFC5220], the following | ||||
| policy table should be distributed, or Automatic Row Addition flag | ||||
| should be set to 1. By splitting the ULA in this site | ||||
| (fc12:3456:789a::/48) from all IPv6 addresses (::/0) and giving it | ||||
| higher precendence, the ULA will be used to connect to servers in the | ||||
| same site. | ||||
| Prefix Precedence Label | ||||
| ::1/128 50 0 | ||||
| fc12:3456:789a::/48 45 14 | ||||
| ::/0 40 1 | ||||
| ::ffff:0:0/96 35 4 | ||||
| 2002::/16 30 2 | ||||
| 2001::/32 5 5 | ||||
| fc00::/7 3 13 | ||||
| ::/96 1 3 | ||||
| fec0::/10 1 11 | ||||
| 3ffe::/16 1 12 | ||||
| Authors' Addresses | Authors' Addresses | |||
| Arifumi Matsumoto | Arifumi Matsumoto | |||
| NTT NT Lab | NTT NT Lab | |||
| 3-9-11 Midori-Cho | 3-9-11 Midori-Cho | |||
| Musashino-shi, Tokyo 180-8585 | Musashino-shi, Tokyo 180-8585 | |||
| Japan | Japan | |||
| Phone: +81 422 59 3334 | Phone: +81 422 59 3334 | |||
| Email: arifumi@nttv6.net | Email: arifumi@nttv6.net | |||
| End of changes. 50 change blocks. | ||||
| 119 lines changed or deleted | 212 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||