Network Working Group H. Singh Internet-Draft W. Beebee Intended status: Standards Track Cisco Systems, Inc. Expires:
April 9,September 7, 2009 E. Nordmark Sun Microsystems OctoberMarch 6, 20082009 IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes draft-ietf-6man-ipv6-subnet-model-02draft-ietf-6man-ipv6-subnet-model-03 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claimsThis Internet-Draft is submitted to IETF in full conformance with the provisions of which heBCP 78 and BCP 79. This document may contain material from IETF Documents or she is aware have beenIETF Contributions published or willmade publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be disclosed,modified outside the IETF Standards Process, and anyderivative works of which he or she becomes aware willit may not be disclosed, in accordance with Section 6 of BCP 79.created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 9,September 7, 2009. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract IPv6 specifies a model of a subnet that is different than the IPv4 subnet model. The subtlety of the differences has resulted in incorrect implementations that do not interoperate. This document spells out the most important difference; that an IPv6 address isn't automatically associated with an IPv6 on-link prefix. This document also invalidatesupdates (partially due to security concerns)concerns caused by incorrect implementations) a part of the definition of on-link from [RFC4861]. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Host Behavior and Rules. . . . . . . . . . . . . . . . . . . . . . . . 4 3. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Observed Incorrect Implementation Behavior . . . . . . . . . . 6 4.9 5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6.9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements .9 8. Contributors . . . . . . . . . . . . . . . . . . . . . . 7 8. References. . . 9 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 8.1. Normative10 10. References . . . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . .. . . . . . . 10 10.1. Normative References . . . . . . 7 Appendix A. CHANGE HISTORY. . . . . . . . . . . . 10 10.2. Informative References . . . . . . . 8 Authors' Addresses. . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . 9 Intellectual Property and Copyright Statements. . . . . . . . . . 1011 1. Introduction IPv4 implementations typically associate a netmask with an address when an IPv4 address is assigned to an interface. That netmask together with the IPv4 address designates an on-link prefix. Addresses that are covered by this prefix are viewed as on-link i.e., traffic to these addresses is not sent to a router. See section 3.3.1 in [RFC1122]. Prior to the deployment of Classless Intern-Inter- Domain Routing (CIDR), an address's netmask could be derived directly from the address. In the absence of specifying a specific netmask when assigning a address, some implementations would fall back to deriving the netmask from the class of the address. The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is quite different. The on-link determination is separate from the address assignment. A host can have IPv6 addresses without any related on-link prefixes or have on-link prefixes that are not related to any IPv6 addresses that are assigned to the host. Any assigned address on an interface should initially be considered as having no internal structure as shown in [RFC4291]. In IPv6, by default, a host treats only the link-local prefix as on- link. The reception of a Prefix Information Option (PIO) with the L-bit set [RFC4861] and a non-zero valid lifetime creates an entry(or updates the valid lifetime forupdates) an existing entry)entry in the Prefix List. All the prefixes that are on the Prefix List, i.e., have not yet timed out, are considered to be on-link. The on-link definition in the Terminology section of [RFC4861], as modified by this document, defines the complete list of cases where an address is considered on-link. Note, in particular, that Redirect Messages can also indicate an address is off-link. IndividualIndividual address entries can be expired by the Neighbor Unreachability Detection mechanism. A host only performs address resolution for IPv6 addresses that are on-link. Packets to any other address are sent to a default router. If there is no default router, then the node should send an ICMPv6 Destination Unreachable indication as specified in [RFC4861] - more details are provided in the Host Behavior and Rules section. (Note that [RFC4861] changed the behavior when the Default Router List is empty. The behavior in the old version of Neighbor Discovery [RFC2461] was different when there were no default routers.) Failure of host implementations to correctly implement the IPv6 subnet model can result in lack of IPv6 connectivity. See the Observed Incorrect Implementation Behavior section for details. Host behavior is clarified in the Host Behavior and Rules section. 2. Host Behavior and Rules A correctly implemented IPv6 host MUST adhere to the following rules:1. By default only the link-local prefix is on-link. 2.The configurationoriginal ND specification [RFC4861] was unclear in its usage of the term on-link in a few places. In IPv6, an IPv6 address, whether through IPv6 statelessaddress autoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual configuration MUST NOT implicitly causeis considered to be on-link (with respect to a prefix derived fromspecific link), if the address has been assigned to an interface attached to that link. Any node attached to the link can send a datagram directly to an on-link address without forwarding the datagram through a router. In IPv6, there are two ways to be treated asindicate an address is on-link. AFirst, a host considersmaintains a prefixPrefix List that identifies ranges of addresses that are to be on-link only through explicit means,considered on-link. Second, Redirects can identify individual destinations that are on-link; such as those specified inRedirects update the on-link definition inDestination Cache. The Prefix List is populated via the Terminology sectionfollowing means: * Receipt of [RFC4861], as modified by this document, or via manual configuration. Notea Valid RA that specifies a prefix with the requirement for manually configured addressesL-bit set. Such a prefix is not explicitly mentioned in [RFC4861]. 3. Note that the following items (from the definition ofconsidered on-link in [RFC4861]): -for a Neighbor Advertisement messageperiod specified in the Valid Lifetime and is received foradded to the (target) address, or - any Neighbor Discovery messagePrefix List. (The link-local prefix is received fromeffectively considered a permanent entry on the address. are not sufficient to considerPrefix List.) * Indication of an address to beon-link and willprefix (which may be removed ina future update to [RFC4861]./128) via manual configuration, or some other yet-to-be specified configuration mechanism. A literal reading of the second test would allow a neighboring intruder to generate bogus ND messages that resultRedirect can also signal whether an address is on-link. If a host originates a packet, but the first-hop router routes the received packet back out onto the same link, the router also sends the host a Redirect. If the Target and Destination Address of the Redirect are the same, the Target Address is to be treated as on-link as specified in Section 8 of [RFC4861]. That is, the host updates its Destination Cache (but not its Prefix List -- though the impact is similar). 2. Note that Redirects cannot signal that an address is off-link. In section 8.1 of [RFC4861], a Redirect message is silently discarded if it does not have an IP source address that is the same as the current first-hop router for the specified ICMP Destination Address. An ICMP Destination Address on the same link would have no current first-hop router. Any Redirect message received could not have an IP source address that is the same as the current (null) first-hop router, so the Redirect MUST be dropped. 3. IPv6 also defines the term "neighbor" and "link" to refer to nodes attached to the same link and that can send packets directly to each other. Received ND packets that pass the required validation tests can only come from a neighbor attached to the link on which the ND packet was received. Unfortunately, [RFC4861] is imprecise in its definition of on-link and states that a node considers an address to be on-link if: - a Neighbor Advertisement message is received for the (target) address, or - any Neighbor Discovery message is received from the address. Neither of these tests are acceptable definitions for an address to be considered as on-link as defined above, and this document deprecates and removes both of them from the formal definition of on-link. Neither of these tests should be used as justification for modifying the Prefix List or Destination Cache for an address. The conceptual sending algorithm of [RFC4861] defines a Prefix List and Neighbor Cache. The combination of Prefix List and Neighbor Cache form what many implementations consider to be the "IP routing table" for a host. Note that the Neighbor Cache is a separate data structure referenced by the Destination Cache, but entries in the Neighbor Cache are not necessarily in the Destination Cache. It is quite possible (and intentional) that entries be added to the Neighbor Cache for addresses that would not be considered on-link as-defined above. For example, upon receipt of a valid NS, Section 7.2.3 of [RFC4861] states: If an entry does not already exist, the node SHOULD create a new one and set its reachability state to STALE as specified in Section 7.3.3. If an entry already exists, and the cached link-layer address differs from the one in the received Source Link-Layer option, the cached address should be replaced by the received address, and the entry's reachability state MUST be set to STALE. The intention of the above feature is to add an address to the Neighbor Cache, even though it might not be considered on- link per the Prefix List. The benefit of such a step is to have the receiver populate the Neighbor Cache with an address it will almost certainly be sending packets to shortly, thus avoiding the need for an additional round of ND to perform address resolution. But because there is no validation of the address being added to the Neighbor Cache, an intruder could spoof the address and cause a receiver to add an address for a remote site to its Neighbor Cache. This vulnerability is a specific instance of the broad set of attacks that are possible by an on-link neighbor [RFC3756].This causes no problems in practice, so long as the entry only exists in the Neighbor Cache and the address is not considered to be on-link by the IP forwarding code (i.e., the address is not added to the Prefix List and is not marked as on- link in the Destination Cache). 4. After the update to the on-link definition in [RFC4861], certain text from section 7.2.3 of [RFC4861] may appear, upon a cursory examination, to be inconsistent with the updated definition of on-link because the text does not ensure that the source address is already deemed on-link through other methods: If the Source Address is not the unspecified address and, on- link layers that have addresses, the solicitation includes a spoofedSource Link-Layer Address option, then the recipient SHOULD create or update the Neighbor Cache entry for the IP Source Address of the solicitation. Similarly, the following text from section 6.2.5 of [RFC4861] may also seem inconsistent: If there is no existing Neighbor Cache entry for the solicitation's sender, the router creates one, installs the link- layer address being improperly treatedand sets its reachability state to STALE as on-link. This vulnerabilityspecified in Section 7.3.3. However, the text in the aforementioned sections of [RFC4861], upon closer inspection, is a specific instanceactually consistent with the deprecation of the broad setlast two bullets of attacks thatthe on-link definition because there are possible by an on- link neighbor [RFC3756]. The threat is particularly problematictwo different ways in the case of routerswhich allow such a spoofed message to update their forwarding tables (which can happen if a neighbor cache entryon-link determination can updateaffect the forwarding table). Only addresses that are covered bystate of ND: through updating the Prefix List or the Neighbor Cache. Through deprecating the last two bullets of the modifiedon-link definition shoulddefinition, the Prefix List is explicitly not to be treated as on-link fromchanged when a sendingnode receives an NS, NA, or forwarding perspective, and it shouldRS. The Neighbor Cache can still be noted that routers should generally obtain on-link informationupdated through receipt of an NS, NA, or RS. 5. [RFC4861] is written from sources other than RAs and Redirects. 4. To maintain consistency withthe invalidationperspective of a host with a single interface on which Neighbor Discovery is run. All ND traffic (whether sent or received) traverses the last two bulletssingle interface. On hosts with multiple interfaces, care must be taken to ensure that the scope of ND processing from one link stays local to that link. That is, when responding to a NS, the on-link definition in [RFC4861],NA would be sent out on the following text from section 7.2.3same link on which it was received. Likewise, a host would not respond to a received NS for an an address assigned to an interface on a different link. Although implementions may choose to implement Neighbor Discovery using a single data structure that merges the Neighbor Caches of [RFC4861] will alsoall interfaces, an implementation's behavior must be augmented: Ifconsistent with the Source Addressabove model. 6. Note that the receipt of a link-local IPv6 multicast packet which is not the unspecified address and,an ND packet indicates direct reachability on link layers that have addresses, the solicitation includesa Source Link-Layer Address option, then the recipient SHOULD create or update the Neighbor Cache entry forlink, but is not specifically treated by [RFC4861]. 7. Note that the IP Source Addressreceipt of a packet with the solicitation. changes to: If the Source AddressHop Limit field unchanged (the Hop Limit could be specified in a packet-type specific document) which is not an ND packet indicates direct reachability on a link, but is not specifically treated by [RFC4861]. 3. Host Rules A correctly implemented IPv6 host MUST adhere to the unspecifiedfollowing rules: 1. The assignment of an IPv6 address, whether through IPv6 stateless address and, on link layersautoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual configuration MUST NOT implicitly cause a prefix derived from that have addresses,address to be treated as on-link and added to the solicitation includesPrefix List. A host considers a Source Link-Layer Address option, then the recipient SHOULD create or updateprefix to be on-link only through explicit means, such as those specified in the Neighbor Cache entry foron-link definition in the IP Source AddressTerminology section of the solicitation provided[RFC4861], as modified by this document, or via manual configuration. Note that the source address of the NSrequirement for manually configured addresses is deemed on-link through other indications. 5.not explicitly mentioned in [RFC4861]. 2. In the absence of other sources of on-link information, including Redirects, if the RA advertises a prefix with the on-link(L) bit set and later the Valid Lifetime expires, the host MUST then consider addresses of the prefix to be off-link, as specified by the PIO paragraph of section 6.3.4 of [RFC4861]. 6.3. Newer implementations, which are compliant with [RFC4861] MUST adhere to the following rules. Older implementations, which are compliant with [RFC2461] but not [RFC4861] may remain as is. If the Default Router List is empty and there is no other source of on-link information about any address or prefix: 1. The host MUST NOT assume that all destinations are on-link. 2. The host MUST NOT perform address resolution for non-link- local addresses. 3. Since the host cannot assume the destination is on-link, and off-link traffic cannot be sent to a default router (since the Default Router List is empty), address resolution cannot be performed. This case is specified in the last paragraph of section 4 of [RFC4943]: when there is no route to destination, the host should send an ICMPv6 Destination Unreachable indication (for example, a locally delivered error message) as specified in the Terminology section of [RFC4861]. On-link information concerning particular addresses and prefixes can make those specific addresses and prefixes on-link, but does not change the default behavior mentioned above for addresses and prefixes not specified. [RFC4943] provides justification for these rules. Using cached on-link determination information without first verifying that the information is still valid after IPv6 interface re-initialization may lead to lack of IPv6 network connectivity. For example, a host receives an RA from a router with on-link prefix A. The host reboots.powers down. During the reboot,power off, the router sends out prefix A with on-link bit set and a zero lifetime to indicate a renumbering. The host misses the renumbering. The host powers on and comes online. Then, the router sends an RA with no PIO. The host uses cached on-link prefix A and issues NS's instead of sending traffic to a default router. The "Observed Incorrect Implementation Behavior" section below describes how this can result in lack of IPv6 connectivity. 3.4. Observed Incorrect Implementation Behavior One incorrect implementation behavior illustrates the severe consequences when the IPv6 subnet model is not understood by the implementers of several popular host operating systems. In an access concentrator network ([RFC4388]), a host receives a Router Advertisement Message with no on-link prefix advertised. The host incorrectly assumes an invented prefix is on-link and performs address resolution when the host should send all non-link-local traffic to a default router. Neither the router nor any other host will respond to the address resolution, preventing this host from sending IPv6 traffic. 4.5. Conclusion This document clarifies and summarizes the relationship between links and subnet prefixes described in [RFC4861]. Configuration of an IPv6 address does not imply the existence of corresponding on-link prefixes. One should also look at API considerations for prefix length as described in last paragraph of section 4.2 of [RFC4903]. This document also invalidates a part ofupdates the definition of on-link from [RFC4861]. 5.[RFC4861] by retracting the last two bullets. 6. Security Considerations This document addresses a security concern present in [RFC4861]. As a result, the last two bulletsbullet of the on-link definition in [RFC4861] havehas been invalidated. 6.retracted. 7. IANA Considerations None. 7.8. Contributors Thomas Narten contributed significant text and provided substantial guidance to the production of this document. 9. Acknowledgements Thanks (in alphabetical order) to Adeel Ahmed, Jari Arkko, Ralph Droms, Alun Evans, Dave Forster, Prashanth Krishnamurthy, Suresh Krishnan, Josh Littlefield, David Miles, Thomas Narten,Madhu Sudan, Jinmei Tatuya, Dave Thaler, Bernie Volz, and Vlad Yasevich for their consistent input, ideas and review during the production of this document. The security problem related to an NS message that provides one reason for invalidating a part of the on-link definition was found by David Miles. Thomas Narten has provided substantial guidance toJinmei Tatuya found the production of this document. 8.security problem to also exist with an RS message. 10. References 18.104.22.168. Normative References [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007. 22.214.171.124. Informative References [RFC1122] Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, October 1989. [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", RFC 3756, May 2004. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration Protocol (DHCP) Leasequery", RFC 4388, February 2006. [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007. [RFC4903] Thaler, D., "Multi-Link Subnet Issues", RFC 4903, June 2007. [RFC4943] Roy, S., Durand, A., and J. Paugh, "IPv6 Neighbor Discovery On-Link Assumption Considered Harmful", RFC 4943, September 2007. Appendix A. CHANGE HISTORY [NOTE TO RFC EDITOR: PLEASE REMOVE THIS SECTION UPON PUBLICATION.] Changes in draft-ietf-6man-ipv6-subnet-model-02.txt since -01.txt are: o Augmented Abstract to say an important change to [RFC4861] is being made by this document. o Removed the following sentence at the end of the Introduction section: "Finally, this document mainly restates and clarifies [RFC4861]." o Added new bullet three to the "Host Behavior and Rules" section where the bullet invalidates bullets three and four from the on- link definition from [RFC4861]. o Added new bullet four to the "Host Behavior and Rules" section where the bullet proposes changes to text in section 7.2.3 of [RFC4861]. o The security section has been modified to reflect the important invalidation proposed by this document. o Modified minor text in the "Observed Incorrect Implementation Behavior" section to explain what the prefix is in the second sentence. o Changed bullet 3 from a new rule with normative language to just a paragraph of text describing behavior for a host blindly caching on-link determination and a possible severe consequence of that. The text also includes a solution for the problem. The new text lies at the end of section 2 as a new paragraph. o The title of section 2 has been changed to Host Behavior and Rules. Also changed Host Behavior Rules to Host Behavior and Rules in two places in the Introduction section. Changes in draft-ietf-6man-ipv6-subnet-model-01.txt since -00.txt are: o Changed Introduction section to remove any mention of src address of ND message as a means for on-link determination. Also reworded first paragraph of Introduction section. o Reworded bullet 2 of section 2K. Kinnear, "Dynamic Host Configuration Protocol (DHCP) Leasequery", RFC 4388, February 2006. [RFC4862] Thomson, S., Narten, T., and added text to clarify on-link definition. o Added text to bullet 3 of section 2 to make explicit that this is a new rule. o Reworded bullet 5 of section 2 to clearly explain where ICMPv6 Destination Unreachable is sent to.T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007. [RFC4903] Thaler, D., "Multi-Link Subnet Issues", RFC 4903, June 2007. [RFC4943] Roy, S., Durand, A., and J. Paugh, "IPv6 Neighbor Discovery On-Link Assumption Considered Harmful", RFC 4943, September 2007. Authors' Addresses Hemant Singh Cisco Systems, Inc. 1414 Massachusetts Ave. Boxborough, MA 01719 USA Phone: +1 978 936 1622 Email: email@example.com URI: http://www.cisco.com/ Wes Beebee Cisco Systems, Inc. 1414 Massachusetts Ave. Boxborough, MA 01719 USA Phone: +1 978 936 2030 Email: firstname.lastname@example.org URI: http://www.cisco.com/ Erik Nordmark Sun Microsystems 17 Network Circle Menlo Park, CA 94025 USA Phone: +1 650 786 2921 Email: email@example.com Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org.