draft-ietf-6man-ipv6-subnet-model-03.txt   draft-ietf-6man-ipv6-subnet-model-04.txt 
Network Working Group H. Singh Network Working Group H. Singh
Internet-Draft W. Beebee Internet-Draft W. Beebee
Intended status: Standards Track Cisco Systems, Inc. Intended status: Standards Track Cisco Systems, Inc.
Expires: September 7, 2009 E. Nordmark Expires: November 8, 2009 E. Nordmark
Sun Microsystems Sun Microsystems
March 6, 2009 May 7, 2009
IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes
draft-ietf-6man-ipv6-subnet-model-03 draft-ietf-6man-ipv6-subnet-model-04
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from IETF Standards Process. Without obtaining an adequate license from
skipping to change at page 1, line 44 skipping to change at page 1, line 44
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 7, 2009. This Internet-Draft will expire on November 8, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 30 skipping to change at page 2, line 30
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Observed Incorrect Implementation Behavior . . . . . . . . . . 9 4. Observed Incorrect Implementation Behavior . . . . . . . . . . 9
5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
10.1. Normative References . . . . . . . . . . . . . . . . . . 10 10.1. Normative References . . . . . . . . . . . . . . . . . . 10
10.2. Informative References . . . . . . . . . . . . . . . . . 10 10.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
IPv4 implementations typically associate a netmask with an address IPv4 implementations typically associate a netmask with an address
when an IPv4 address is assigned to an interface. That netmask when an IPv4 address is assigned to an interface. That netmask
together with the IPv4 address designates an on-link prefix. together with the IPv4 address designates an on-link prefix.
Addresses that are covered by this prefix are viewed as on-link i.e., Addresses that are covered by this prefix are viewed as on-link i.e.,
traffic to these addresses is not sent to a router. See section traffic to these addresses is not sent to a router. See section
3.3.1 in [RFC1122]. Prior to the deployment of Classless Inter- 3.3.1 in [RFC1122]. Prior to the deployment of Classless Inter-
Domain Routing (CIDR), an address's netmask could be derived directly Domain Routing (CIDR), an address's netmask could be derived directly
from the address. In the absence of specifying a specific netmask from the address. In the absence of specifying a specific netmask
when assigning a address, some implementations would fall back to when assigning an address, some implementations would fall back to
deriving the netmask from the class of the address. deriving the netmask from the class of the address.
The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is
quite different. The on-link determination is separate from the quite different. The on-link determination is separate from the
address assignment. A host can have IPv6 addresses without any address assignment. A host can have IPv6 addresses without any
related on-link prefixes or have on-link prefixes that are not related on-link prefixes or have on-link prefixes that are not
related to any IPv6 addresses that are assigned to the host. Any related to any IPv6 addresses that are assigned to the host. Any
assigned address on an interface should initially be considered as assigned address on an interface should initially be considered as
having no internal structure as shown in [RFC4291]. having no internal structure as shown in [RFC4291].
skipping to change at page 3, line 39 skipping to change at page 3, line 39
The reception of a Prefix Information Option (PIO) with the L-bit set The reception of a Prefix Information Option (PIO) with the L-bit set
[RFC4861] and a non-zero valid lifetime creates (or updates) an entry [RFC4861] and a non-zero valid lifetime creates (or updates) an entry
in the Prefix List. All the prefixes that are on the Prefix List, in the Prefix List. All the prefixes that are on the Prefix List,
i.e., have not yet timed out, are considered to be on-link. i.e., have not yet timed out, are considered to be on-link.
The on-link definition in the Terminology section of [RFC4861], as The on-link definition in the Terminology section of [RFC4861], as
modified by this document, defines the complete list of cases where modified by this document, defines the complete list of cases where
an address is considered on-link. Individual address entries can be an address is considered on-link. Individual address entries can be
expired by the Neighbor Unreachability Detection mechanism. expired by the Neighbor Unreachability Detection mechanism.
A host only performs address resolution for IPv6 addresses that are IPv6 packets sent using the Conceptual Sending Algorithm as described
on-link. Packets to any other address are sent to a default router. in [RFC4861] only trigger address resolution for IPv6 addresses that
If there is no default router, then the node should send an ICMPv6 are on-link. Note that transmission of ND messages is not governed
Destination Unreachable indication as specified in [RFC4861] - more by the Conceptual Sending Algorithm. Packets to any other address
details are provided in the Host Behavior and Rules section. (Note are sent to a default router. If there is no default router, then
that [RFC4861] changed the behavior when the Default Router List is the node should send an ICMPv6 Destination Unreachable indication as
empty. The behavior in the old version of Neighbor Discovery specified in [RFC4861] - more details are provided in the Host
[RFC2461] was different when there were no default routers.) Behavior and Rules section. (Note that [RFC4861] changed the
behavior when the Default Router List is empty. The behavior in the
old version of Neighbor Discovery [RFC2461] was different when there
were no default routers.) Note that ND is scoped to a single link.
All Neighbor Solicitaton responses are assumed to be sent our the
same interface on which the corresponding query was received.
Failure of host implementations to correctly implement the IPv6 Failure of host implementations to correctly implement the IPv6
subnet model can result in lack of IPv6 connectivity. See the subnet model can result in lack of IPv6 connectivity. See the
Observed Incorrect Implementation Behavior section for details. Observed Incorrect Implementation Behavior section for details.
This document deprecates the last two bullets from the definition of
on-link from [RFC4861] to address security concerns arising from
particular ND implementations.
Host behavior is clarified in the Host Behavior and Rules section. Host behavior is clarified in the Host Behavior and Rules section.
2. Host Behavior 2. Host Behavior
1. The original ND specification [RFC4861] was unclear in its usage 1. The original Neighbor Discovery (ND) specification [RFC4861] was
of the term on-link in a few places. In IPv6, an address is unclear in its usage of the term on-link in a few places. In
considered to be on-link (with respect to a specific link), if IPv6, an address is considered to be on-link (with respect to a
the address has been assigned to an interface attached to that specific link), if the address has been assigned to an interface
link. Any node attached to the link can send a datagram directly attached to that link. Any node attached to the link can send a
to an on-link address without forwarding the datagram through a datagram directly to an on-link address without forwarding the
router. In IPv6, there are two ways to indicate an address is datagram through a router. In IPv6, there are two ways to
on-link. First, a host maintains a Prefix List that identifies indicate an address is on-link. First, a host maintains a Prefix
ranges of addresses that are to be considered on-link. Second, List that identifies ranges of addresses that are to be
Redirects can identify individual destinations that are on-link; considered on-link. Second, Redirects can identify individual
such Redirects update the Destination Cache. destinations that are on-link; such Redirects update the
Destination Cache.
The Prefix List is populated via the following means: The Prefix List is populated via the following means:
* Receipt of a Valid RA that specifies a prefix with the L-bit * Receipt of a Valid Router Advertisement (RA) that specifies a
set. Such a prefix is considered on-link for a period prefix with the L-bit set. Such a prefix is considered on-
specified in the Valid Lifetime and is added to the Prefix link for a period specified in the Valid Lifetime and is added
List. (The link-local prefix is effectively considered a to the Prefix List. (The link-local prefix is effectively
permanent entry on the Prefix List.) considered a permanent entry on the Prefix List.)
* Indication of an on-link prefix (which may be a /128) via * Indication of an on-link prefix (which may be a /128) via
manual configuration, or some other yet-to-be specified manual configuration, or some other yet-to-be specified
configuration mechanism. configuration mechanism.
A Redirect can also signal whether an address is on-link. If a A Redirect can also signal whether an address is on-link. If a
host originates a packet, but the first-hop router routes the host originates a packet, but the first-hop router routes the
received packet back out onto the same link, the router also received packet back out onto the same link, the router also
sends the host a Redirect. If the Target and Destination Address sends the host a Redirect. If the Target and Destination Address
of the Redirect are the same, the Target Address is to be treated of the Redirect are the same, the Target Address is to be treated
as on-link as specified in Section 8 of [RFC4861]. That is, the as on-link as specified in Section 8 of [RFC4861]. That is, the
host updates its Destination Cache (but not its Prefix List -- host updates its Destination Cache (but not its Prefix List --
though the impact is similar). though the impact is similar).
2. Note that Redirects cannot signal that an address is off-link. 2. Note that Redirect Messages do not contain sufficient information
In section 8.1 of [RFC4861], a Redirect message is silently to signal that an address is off-link. Rather, they indicate a
discarded if it does not have an IP source address that is the preferred next-hop that is a more appropriate choice to use than
same as the current first-hop router for the specified ICMP the originator of the Redirect. That alternate next-hop may be
Destination Address. An ICMP Destination Address on the same the destination itself (in which case packets would flow directly
link would have no current first-hop router. Any Redirect to a neighbor), or a router closer to the destination than the
message received could not have an IP source address that is the current next-hop router (which is the originator of the
same as the current (null) first-hop router, so the Redirect MUST Redirect). Note, however, that the Redirect message itself does
be dropped. not contain sufficient information to distinguish these cases.
But that does not matter, because the receiver of such a message
does the same in either case, updating its Neighbor Cache as
defined in Section 8.1 of [RFC4861].
3. IPv6 also defines the term "neighbor" and "link" to refer to 3. IPv6 also defines the term "neighbor" and "link" to refer to
nodes attached to the same link and that can send packets nodes attached to the same link and that can send packets
directly to each other. Received ND packets that pass the directly to each other. Received ND packets that pass the
required validation tests can only come from a neighbor attached required validation tests can only come from a neighbor attached
to the link on which the ND packet was received. Unfortunately, to the link on which the ND packet was received. Unfortunately,
[RFC4861] is imprecise in its definition of on-link and states [RFC4861] is imprecise in its definition of on-link and states
that a node considers an address to be on-link if: that a node considers an address to be on-link if:
- a Neighbor Advertisement message is received for the - a Neighbor Advertisement message is received for the
skipping to change at page 5, line 32 skipping to change at page 5, line 45
Neither of these tests are acceptable definitions for an address Neither of these tests are acceptable definitions for an address
to be considered as on-link as defined above, and this document to be considered as on-link as defined above, and this document
deprecates and removes both of them from the formal definition of deprecates and removes both of them from the formal definition of
on-link. Neither of these tests should be used as justification on-link. Neither of these tests should be used as justification
for modifying the Prefix List or Destination Cache for an for modifying the Prefix List or Destination Cache for an
address. address.
The conceptual sending algorithm of [RFC4861] defines a Prefix The conceptual sending algorithm of [RFC4861] defines a Prefix
List and Neighbor Cache. The combination of Prefix List and List and Neighbor Cache. The combination of Prefix List and
Neighbor Cache form what many implementations consider to be the Neighbor Cache form what many implementations consider to be the
"IP routing table" for a host. Note that the Neighbor Cache is a IP data forwarding table for a host. Note that the Neighbor
separate data structure referenced by the Destination Cache, but Cache is a separate data structure referenced by the Destination
entries in the Neighbor Cache are not necessarily in the Cache, but entries in the Neighbor Cache are not necessarily in
Destination Cache. It is quite possible (and intentional) that the Destination Cache. It is quite possible (and intentional)
entries be added to the Neighbor Cache for addresses that would that entries be added to the Neighbor Cache for addresses that
not be considered on-link as-defined above. For example, upon would not be considered on-link as-defined above. For example,
receipt of a valid NS, Section 7.2.3 of [RFC4861] states: upon receipt of a valid NS, Section 7.2.3 of [RFC4861] states:
If an entry does not already exist, the node SHOULD create a If an entry does not already exist, the node SHOULD create a
new one and set its reachability state to STALE as specified new one and set its reachability state to STALE as specified
in Section 7.3.3. If an entry already exists, and the cached in Section 7.3.3. If an entry already exists, and the cached
link-layer address differs from the one in the received Source link-layer address differs from the one in the received Source
Link-Layer option, the cached address should be replaced by Link-Layer option, the cached address should be replaced by
the received address, and the entry's reachability state MUST the received address, and the entry's reachability state MUST
be set to STALE. be set to STALE.
The intention of the above feature is to add an address to the The intention of the above feature is to add an address to the
skipping to change at page 6, line 35 skipping to change at page 7, line 5
examination, to be inconsistent with the updated definition of examination, to be inconsistent with the updated definition of
on-link because the text does not ensure that the source address on-link because the text does not ensure that the source address
is already deemed on-link through other methods: is already deemed on-link through other methods:
If the Source Address is not the unspecified address and, on- If the Source Address is not the unspecified address and, on-
link layers that have addresses, the solicitation includes a link layers that have addresses, the solicitation includes a
Source Link-Layer Address option, then the recipient SHOULD Source Link-Layer Address option, then the recipient SHOULD
create or update the Neighbor Cache entry for the IP Source create or update the Neighbor Cache entry for the IP Source
Address of the solicitation. Address of the solicitation.
Similarly, the following text from section 6.2.5 of [RFC4861] Similarly, the following text from section 6.2.5 of [RFC4861] may
may also seem inconsistent: If there is no existing Neighbor also seem inconsistent:
Cache entry for the solicitation's sender, the router creates
one, installs the link- layer address and sets its If there is no existing Neighbor Cache entry for the
reachability state to STALE as specified in Section 7.3.3. solicitation's sender, the router creates one, installs the
link-layer address and sets its reachability state to STALE as
specified in Section 7.3.3.
However, the text in the aforementioned sections of [RFC4861], However, the text in the aforementioned sections of [RFC4861],
upon closer inspection, is actually consistent with the upon closer inspection, is actually consistent with the
deprecation of the last two bullets of the on-link definition deprecation of the last two bullets of the on-link definition
because there are two different ways in which on-link because there are two different ways in which on-link
determination can affect the state of ND: through updating the determination can affect the state of ND: through updating the
Prefix List or the Neighbor Cache. Through deprecating the last Prefix List or the Neighbor Cache. Through deprecating the last
two bullets of the on-link definition, the Prefix List is two bullets of the on-link definition, the Prefix List is
explicitly not to be changed when a node receives an NS, NA, or explicitly not to be changed when a node receives an NS, NA, or
RS. The Neighbor Cache can still be updated through receipt of RS. The Neighbor Cache can still be updated through receipt of
skipping to change at page 7, line 20 skipping to change at page 7, line 38
the scope of ND processing from one link stays local to that the scope of ND processing from one link stays local to that
link. That is, when responding to a NS, the NA would be sent out link. That is, when responding to a NS, the NA would be sent out
on the same link on which it was received. Likewise, a host on the same link on which it was received. Likewise, a host
would not respond to a received NS for an an address assigned to would not respond to a received NS for an an address assigned to
an interface on a different link. Although implementions may an interface on a different link. Although implementions may
choose to implement Neighbor Discovery using a single data choose to implement Neighbor Discovery using a single data
structure that merges the Neighbor Caches of all interfaces, an structure that merges the Neighbor Caches of all interfaces, an
implementation's behavior must be consistent with the above implementation's behavior must be consistent with the above
model. model.
6. Note that the receipt of a link-local IPv6 multicast packet which
is not an ND packet indicates direct reachability on a link, but
is not specifically treated by [RFC4861].
7. Note that the receipt of a packet with the Hop Limit field
unchanged (the Hop Limit could be specified in a packet-type
specific document) which is not an ND packet indicates direct
reachability on a link, but is not specifically treated by
[RFC4861].
3. Host Rules 3. Host Rules
A correctly implemented IPv6 host MUST adhere to the following rules: A correctly implemented IPv6 host MUST adhere to the following rules:
1. The assignment of an IPv6 address, whether through IPv6 stateless 1. The assignment of an IPv6 address, whether through IPv6 stateless
address autoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual address autoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual
configuration MUST NOT implicitly cause a prefix derived from configuration MUST NOT implicitly cause a prefix derived from
that address to be treated as on-link and added to the Prefix that address to be treated as on-link and added to the Prefix
List. A host considers a prefix to be on-link only through List. A host considers a prefix to be on-link only through
explicit means, such as those specified in the on-link definition explicit means, such as those specified in the on-link definition
skipping to change at page 8, line 38 skipping to change at page 8, line 40
Unreachable indication (for example, a locally delivered Unreachable indication (for example, a locally delivered
error message) as specified in the Terminology section of error message) as specified in the Terminology section of
[RFC4861]. [RFC4861].
On-link information concerning particular addresses and prefixes On-link information concerning particular addresses and prefixes
can make those specific addresses and prefixes on-link, but does can make those specific addresses and prefixes on-link, but does
not change the default behavior mentioned above for addresses and not change the default behavior mentioned above for addresses and
prefixes not specified. [RFC4943] provides justification for prefixes not specified. [RFC4943] provides justification for
these rules. these rules.
Using cached on-link determination information without first 4. Hosts MUST verify that on-link information is still valid after
verifying that the information is still valid after IPv6 interface IPv6 interface re-initialization before using cached on-link
re-initialization may lead to lack of IPv6 network connectivity. For determination information. Failure to do so may lead to lack of
example, a host receives an RA from a router with on-link prefix A. IPv6 network connectivity. For example, a host receives an RA
The host powers down. During the power off, the router sends out from a router with on-link prefix A. The host powers down.
prefix A with on-link bit set and a zero lifetime to indicate a During the power off, the router sends out prefix A with on-link
renumbering. The host misses the renumbering. The host powers on bit set and a zero lifetime to indicate a renumbering. The host
and comes online. Then, the router sends an RA with no PIO. The misses the renumbering. The host powers on and comes online.
host uses cached on-link prefix A and issues NS's instead of sending Then, the router sends an RA with no PIO. The host uses cached
traffic to a default router. The "Observed Incorrect Implementation on-link prefix A and issues NS's instead of sending traffic to a
Behavior" section below describes how this can result in lack of IPv6 default router. The "Observed Incorrect Implementation Behavior"
section below describes how this can result in lack of IPv6
connectivity. connectivity.
4. Observed Incorrect Implementation Behavior 4. Observed Incorrect Implementation Behavior
One incorrect implementation behavior illustrates the severe One incorrect implementation behavior illustrates the severe
consequences when the IPv6 subnet model is not understood by the consequences when the IPv6 subnet model is not understood by the
implementers of several popular host operating systems. In an access implementers of several popular host operating systems. In an access
concentrator network ([RFC4388]), a host receives a Router concentrator network ([RFC4388]), a host receives a Router
Advertisement Message with no on-link prefix advertised. The host Advertisement Message with no on-link prefix advertised. The host
incorrectly assumes an invented prefix is on-link and performs incorrectly assumes an invented prefix is on-link and performs
skipping to change at page 9, line 33 skipping to change at page 9, line 39
address does not imply the existence of corresponding on-link address does not imply the existence of corresponding on-link
prefixes. One should also look at API considerations for prefix prefixes. One should also look at API considerations for prefix
length as described in last paragraph of section 4.2 of [RFC4903]. length as described in last paragraph of section 4.2 of [RFC4903].
This document also updates the definition of on-link from [RFC4861] This document also updates the definition of on-link from [RFC4861]
by retracting the last two bullets. by retracting the last two bullets.
6. Security Considerations 6. Security Considerations
This document addresses a security concern present in [RFC4861]. As This document addresses a security concern present in [RFC4861]. As
a result, the last bullet of the on-link definition in [RFC4861] has a result, the last bullet of the on-link definition in [RFC4861] has
been retracted. been retracted. US-CERT Vulnerability Note VU#472363 lists the
implementations affected.
7. IANA Considerations 7. IANA Considerations
None. None.
8. Contributors 8. Contributors
Thomas Narten contributed significant text and provided substantial Thomas Narten contributed significant text and provided substantial
guidance to the production of this document. guidance to the production of this document.
 End of changes. 16 change blocks. 
73 lines changed or deleted 80 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/