draft-ietf-6man-ipv6-subnet-model-06.txt   draft-ietf-6man-ipv6-subnet-model-07.txt 
Network Working Group H. Singh Network Working Group H. Singh
Internet-Draft W. Beebee Internet-Draft W. Beebee
Updates: 4861 (if approved) Cisco Systems, Inc. Updates: 4861 (if approved) Cisco Systems, Inc.
Intended status: Standards Track E. Nordmark Intended status: Standards Track E. Nordmark
Expires: May 18, 2010 Sun Microsystems Expires: June 26, 2010 Sun Microsystems
November 14, 2009 December 23, 2009
IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes
draft-ietf-6man-ipv6-subnet-model-06 draft-ietf-6man-ipv6-subnet-model-07
Abstract Abstract
IPv6 specifies a model of a subnet that is different than the IPv4 IPv6 specifies a model of a subnet that is different than the IPv4
subnet model. The subtlety of the differences has resulted in subnet model. The subtlety of the differences has resulted in
incorrect implementations that do not interoperate. This document incorrect implementations that do not interoperate. This document
spells out the most important difference; that an IPv6 address isn't spells out the most important difference; that an IPv6 address isn't
automatically associated with an IPv6 on-link prefix. This document automatically associated with an IPv6 on-link prefix. This document
also updates (partially due to security concerns caused by incorrect also updates (partially due to security concerns caused by incorrect
implementations) a part of the definition of on-link from [RFC4861]. implementations) a part of the definition of on-link from [RFC4861].
skipping to change at page 1, line 44 skipping to change at page 1, line 44
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 18, 2010. This Internet-Draft will expire on June 26, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 12 skipping to change at page 3, line 12
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Observed Incorrect Implementation Behavior . . . . . . . . . . 9 4. Observed Incorrect Implementation Behavior . . . . . . . . . . 9
5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
10.1. Normative References . . . . . . . . . . . . . . . . . . 10 10.1. Normative References . . . . . . . . . . . . . . . . . . 10
10.2. Informative References . . . . . . . . . . . . . . . . . 10 10.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
IPv4 implementations typically associate a netmask with an address IPv4 implementations typically associate a netmask with an address
when an IPv4 address is assigned to an interface. That netmask when an IPv4 address is assigned to an interface. That netmask
together with the IPv4 address designates an on-link prefix. together with the IPv4 address designates an on-link prefix. Nodes
Addresses that are covered by this prefix are viewed as on-link i.e., consider addresses covered by an on-link prefix to be directly
traffic to these addresses is not sent to a router. See section attached to the same link as the sending node, i.e., they send
3.3.1 in [RFC1122]. Prior to the deployment of Classless Inter- traffic for such addresses directly rather than to a router. See
Domain Routing (CIDR), an address's netmask could be derived directly section 3.3.1 in [RFC1122]. Prior to the development of subnetting
from the address. In the absence of specifying a specific netmask [RFC0950] and Classless Inter-Domain Routing (CIDR) [RFC1519], an
when assigning an address, some implementations would fall back to address's netmask could be derived directly from the address simply
by determining whether it was a Class A, B or C address. Today,
assigning an address to an interface also requires specifying a
netmask to use. In the absence of specifying a specific netmask when
assigning an address, some implementations would fall back to
deriving the netmask from the class of the address. deriving the netmask from the class of the address.
The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is
quite different. The on-link determination is separate from the quite different. The on-link determination is separate from the
address assignment. A host can have IPv6 addresses without any address assignment. A host can have IPv6 addresses without any
related on-link prefixes or have on-link prefixes that are not related on-link prefixes or has on-link prefixes that are not related
related to any IPv6 addresses that are assigned to the host. Any to any IPv6 addresses that are assigned to the host. Any assigned
assigned address on an interface should initially be considered as address on an interface should initially be considered as having no
having no internal structure as shown in [RFC4291]. internal structure as shown in [RFC4291].
In IPv6, by default, a host treats only the link-local prefix as on- In IPv6, by default, a host treats only the link-local prefix as on-
link. link.
The reception of a Prefix Information Option (PIO) with the L-bit set The reception of a Prefix Information Option (PIO) with the L-bit set
[RFC4861] and a non-zero valid lifetime creates (or updates) an entry [RFC4861] and a non-zero valid lifetime creates (or updates) an entry
in the Prefix List. All the prefixes that are on the Prefix List, in the Prefix List. All prefixes on a host's Prefix List, i.e., have
i.e., have not yet timed out, are considered to be on-link. not yet timed out, are considered to be on-link by that host.
The on-link definition in the Terminology section of [RFC4861], as The on-link definition in the Terminology section of [RFC4861], as
modified by this document, defines the complete list of cases where modified by this document, defines the complete list of cases where a
an address is considered on-link. Individual address entries can be host considers an address to be on-link. Individual address entries
expired by the Neighbor Unreachability Detection mechanism. can be expired by the Neighbor Unreachability Detection mechanism.
IPv6 packets sent using the Conceptual Sending Algorithm as described IPv6 packets sent using the Conceptual Sending Algorithm as described
in [RFC4861] only trigger address resolution for IPv6 addresses that in [RFC4861] only trigger address resolution for IPv6 addresses that
are on-link. Packets to any other address are sent to a default the sender considers to be on-link. Packets to any other address are
router. If there is no default router, then the node should send an sent to a default router. If there is no default router, then the
ICMPv6 Destination Unreachable indication as specified in [RFC4861] - node should send an ICMPv6 Destination Unreachable indication as
more details are provided in the Host Behavior and Rules section. specified in [RFC4861] - more details are provided in the Host
(Note that [RFC4861] changed the behavior when the Default Router Behavior and Rules section. (Note that [RFC4861] changed the
List is empty. In the old version of Neighbor Discovery [RFC2461], behavior when the Default Router List is empty. In the old version
if the Default router List is empty, rather than sending the ICMPv6 of Neighbor Discovery [RFC2461], if the Default router List is empty,
Destination Unreachable indication, the [RFC2461] node assumed that rather than sending the ICMPv6 Destination Unreachable indication,
the destination was on-link.") Note that ND is scoped to a single the [RFC2461] node assumed that the destination was on-link.") Note
link. All Neighbor Solicitation responses are assumed to be sent out that ND is scoped to a single link. All Neighbor Solicitation
the same interface on which the corresponding query was received responses are assumed to be sent out the same interface on which the
without using the Conceptual Sending Algorithm. corresponding query was received without using the Conceptual Sending
Algorithm.
Failure of host implementations to correctly implement the IPv6 Failure of host implementations to correctly implement the IPv6
subnet model can result in lack of IPv6 connectivity. See the subnet model can result in lack of IPv6 connectivity. See the
Observed Incorrect Implementation Behavior section for details. Observed Incorrect Implementation Behavior section for details.
This document deprecates the last two bullets from the definition of This document deprecates the last two bullets from the definition of
on-link from [RFC4861] to address security concerns arising from on-link from [RFC4861] to address security concerns arising from
particular ND implementations. particular ND implementations.
Host behavior is clarified in the Host Behavior and Rules section. Host behavior is clarified in the Host Behavior and Rules section.
2. Host Behavior 2. Host Behavior
1. The original Neighbor Discovery (ND) specification [RFC4861] was 1. The original Neighbor Discovery (ND) specification [RFC4861] was
unclear in its usage of the term on-link in a few places. In unclear in its usage of the term on-link in a few places. In
IPv6, an address is considered to be on-link (with respect to a IPv6, an address is on-link (with respect to a specific link), if
specific link), if the address has been assigned to an interface the address has been assigned to an interface attached to that
attached to that link. Any node attached to the link can send a link. Any node attached to the link can send a datagram directly
datagram directly to an on-link address without forwarding the to an on-link address without forwarding the datagram through a
datagram through a router. In IPv6, there are two ways to router. However, in order for a node to know that a destination
indicate an address is on-link. First, a host maintains a Prefix is on-link, it must obtain configuration information to that
List that identifies ranges of addresses that are to be effect. In IPv6, there are two main ways of maintaining
information about on-link destinations. First, a host maintains
a Prefix List that identifies ranges of addresses that are to be
considered on-link. Second, Redirects can identify individual considered on-link. Second, Redirects can identify individual
destinations that are on-link; such Redirects update the destinations that are on-link; such Redirects update the
Destination Cache. Destination Cache.
The Prefix List is populated via the following means: The Prefix List is populated via the following means:
* Receipt of a Valid Router Advertisement (RA) that specifies a * Receipt of a Valid Router Advertisement (RA) that specifies a
prefix with the L-bit set. Such a prefix is considered on- prefix with the L-bit set. Such a prefix is considered on-
link for a period specified in the Valid Lifetime and is added link for a period specified in the Valid Lifetime and is added
to the Prefix List. (The link-local prefix is effectively to the Prefix List. (The link-local prefix is effectively
skipping to change at page 6, line 9 skipping to change at page 6, line 15
A Redirect can also signal whether an address is on-link. If a A Redirect can also signal whether an address is on-link. If a
host originates a packet, but the first-hop router routes the host originates a packet, but the first-hop router routes the
received packet back out onto the same link, the router also received packet back out onto the same link, the router also
sends the host a Redirect. If the Target and Destination Address sends the host a Redirect. If the Target and Destination Address
of the Redirect are the same, the Target Address is to be treated of the Redirect are the same, the Target Address is to be treated
as on-link as specified in Section 8 of [RFC4861]. That is, the as on-link as specified in Section 8 of [RFC4861]. That is, the
host updates its Destination Cache (but not its Prefix List -- host updates its Destination Cache (but not its Prefix List --
though the impact is similar). though the impact is similar).
2. Note that Redirect Messages do not contain sufficient information 2. It should be noted that ND does not have a way to indicate a
to signal that an address is off-link. Rather, they indicate a destination is "off-link". Rather, a destination is assumed to
be off-link, unless there is explicit information indicating that
it is on-link. Such information may later expire or be changed,
in which case a destination may revert back to being considered
off-link, but that is different than there being an explicit
mechanism for signaling that a destination is off-link. Redirect
Messages do not contain sufficient information to signal that an
address is off-link. Instead, Redirect Messages indicate a
preferred next-hop that is a more appropriate choice to use than preferred next-hop that is a more appropriate choice to use than
the originator of the Redirect. That alternate next-hop may be the originator of the Redirect.
the destination itself (in which case packets would flow directly
to a neighbor), or a router closer to the destination than the
current next-hop router (which is the originator of the
Redirect). Note, however, that the Redirect message itself does
not contain sufficient information to distinguish these cases.
But that does not matter, because the receiver of such a message
does the same in either case, updating its Neighbor Cache as
defined in Section 8.1 of [RFC4861].
3. IPv6 also defines the term "neighbor" and "link" to refer to 3. IPv6 also defines the term "neighbor" to refer to nodes attached
nodes attached to the same link and that can send packets to the same link and that can send packets directly to each
directly to each other. Received ND packets that pass the other. Received ND packets that pass the required validation
required validation tests can only come from a neighbor attached tests can only come from a neighbor attached to the link on which
to the link on which the ND packet was received. Unfortunately, the ND packet was received. Unfortunately, [RFC4861] is
[RFC4861] is imprecise in its definition of on-link and states imprecise in its definition of on-link and states that a node
that a node considers an address to be on-link if: considers an address to be on-link if:
- a Neighbor Advertisement message is received for the - a Neighbor Advertisement message is received for the
(target) address, or (target) address, or
- any Neighbor Discovery message is received from the address. - any Neighbor Discovery message is received from the address.
Neither of these tests are acceptable definitions for an address Neither of these tests are acceptable definitions for an address
to be considered as on-link as defined above, and this document to be considered as on-link as defined above, and this document
deprecates and removes both of them from the formal definition of deprecates and removes both of them from the formal definition of
on-link. Neither of these tests should be used as justification on-link. Neither of these tests should be used as justification
for modifying the Prefix List or Destination Cache for an for modifying the Prefix List or Destination Cache for an
address. address.
The conceptual sending algorithm of [RFC4861] defines a Prefix The conceptual sending algorithm of [RFC4861] defines a Prefix
List and Neighbor Cache. The combination of Prefix List and List, Destination Cache, and Default Router List. The
Neighbor Cache form what many implementations consider to be the combination of Prefix List, Destination Cache, and Default Router
IP data forwarding table for a host. Note that the Neighbor List form what many implementations consider to be the IP data
Cache is a separate data structure referenced by the Destination forwarding table for a host. Note that the Neighbor Cache is a
Cache, but entries in the Neighbor Cache are not necessarily in separate data structure referenced by the Destination Cache, but
the Destination Cache. It is quite possible (and intentional) entries in the Neighbor Cache are not necessarily in the
that entries be added to the Neighbor Cache for addresses that Destination Cache. It is quite possible (and intentional) that
would not be considered on-link as-defined above. For example, entries be added to the Neighbor Cache for addresses that would
upon receipt of a valid NS, Section 7.2.3 of [RFC4861] states: not be considered on-link as-defined above. For example, upon
receipt of a valid NS, Section 7.2.3 of [RFC4861] states:
If an entry does not already exist, the node SHOULD create a If an entry does not already exist, the node SHOULD create a
new one and set its reachability state to STALE as specified new one and set its reachability state to STALE as specified
in Section 7.3.3. If an entry already exists, and the cached in Section 7.3.3. If an entry already exists, and the cached
link-layer address differs from the one in the received Source link-layer address differs from the one in the received Source
Link-Layer option, the cached address should be replaced by Link-Layer option, the cached address should be replaced by
the received address, and the entry's reachability state MUST the received address, and the entry's reachability state MUST
be set to STALE. be set to STALE.
The intention of the above feature is to add an address to the The intention of the above feature is to add an address to the
skipping to change at page 7, line 42 skipping to change at page 8, line 5
considered to be on-link by the IP forwarding code (i.e., the considered to be on-link by the IP forwarding code (i.e., the
address is not added to the Prefix List and is not marked as on- address is not added to the Prefix List and is not marked as on-
link in the Destination Cache). link in the Destination Cache).
4. After the update to the on-link definition in [RFC4861], certain 4. After the update to the on-link definition in [RFC4861], certain
text from section 7.2.3 of [RFC4861] may appear, upon a cursory text from section 7.2.3 of [RFC4861] may appear, upon a cursory
examination, to be inconsistent with the updated definition of examination, to be inconsistent with the updated definition of
on-link because the text does not ensure that the source address on-link because the text does not ensure that the source address
is already deemed on-link through other methods: is already deemed on-link through other methods:
If the Source Address is not the unspecified address and, on- If the Source Address is not the unspecified address and, on
link layers that have addresses, the solicitation includes a link layers that have addresses, the solicitation includes a
Source Link-Layer Address option, then the recipient SHOULD Source Link-Layer Address option, then the recipient SHOULD
create or update the Neighbor Cache entry for the IP Source create or update the Neighbor Cache entry for the IP Source
Address of the solicitation. Address of the solicitation.
Similarly, the following text from section 6.2.5 of [RFC4861] may Similarly, the following text from section 6.2.5 of [RFC4861] may
also seem inconsistent: also seem inconsistent:
If there is no existing Neighbor Cache entry for the If there is no existing Neighbor Cache entry for the
solicitation's sender, the router creates one, installs the solicitation's sender, the router creates one, installs the
link-layer address and sets its reachability state to STALE as link-layer address and sets its reachability state to STALE as
specified in Section 7.3.3. specified in Section 7.3.3.
However, the text in the aforementioned sections of [RFC4861], However, the text in the aforementioned sections of [RFC4861],
upon closer inspection, is actually consistent with the upon closer inspection, is actually consistent with the
deprecation of the last two bullets of the on-link definition deprecation of the last two bullets of the on-link definition
because there are two different ways in which on-link because there are two different ways in which on-link
determination can affect the state of ND: through updating the determination can affect the state of ND: through updating the
Prefix List or the Neighbor Cache. Through deprecating the last Prefix List or the Destination Cache. Through deprecating the
two bullets of the on-link definition, the Prefix List is last two bullets of the on-link definition, the Prefix List is
explicitly not to be changed when a node receives an NS, NA, or explicitly not to be changed when a node receives an NS, NA, or
RS. The Neighbor Cache can still be updated through receipt of RS. The Neighbor Cache can still be updated through receipt of
an NS, NA, or RS. an NS, NA, or RS.
5. [RFC4861] is written from the perspective of a host with a single 5. [RFC4861] is written from the perspective of a host with a single
interface on which Neighbor Discovery is run. All ND traffic interface on which Neighbor Discovery is run. All ND traffic
(whether sent or received) traverses the single interface. On (whether sent or received) traverses the single interface. On
hosts with multiple interfaces, care must be taken to ensure that hosts with multiple interfaces, care must be taken to ensure that
the scope of ND processing from one link stays local to that the scope of ND processing from one link stays local to that
link. That is, when responding to a NS, the NA would be sent out link. That is, when responding to a NS, the NA would be sent out
on the same link on which it was received. Likewise, a host on the same link on which it was received. Likewise, a host
would not respond to a received NS for an an address assigned to would not respond to a received NS for an address assigned to an
an interface on a different link. Although implementions may interface on a different link. Although implementations may
choose to implement Neighbor Discovery using a single data choose to implement Neighbor Discovery using a single data
structure that merges the Neighbor Caches of all interfaces, an structure that merges the Neighbor Caches of all interfaces, an
implementation's behavior must be consistent with the above implementation's behavior must be consistent with the above
model. model.
3. Host Rules 3. Host Rules
A correctly implemented IPv6 host MUST adhere to the following rules: A correctly implemented IPv6 host MUST adhere to the following rules:
1. The assignment of an IPv6 address, whether through IPv6 stateless 1. The assignment of an IPv6 address, whether through IPv6 stateless
skipping to change at page 9, line 13 skipping to change at page 9, line 19
document, or via manual configuration. Note that the requirement document, or via manual configuration. Note that the requirement
for manually configured addresses is not explicitly mentioned in for manually configured addresses is not explicitly mentioned in
[RFC4861]. [RFC4861].
2. In the absence of other sources of on-link information, including 2. In the absence of other sources of on-link information, including
Redirects, if the RA advertises a prefix with the on-link(L) bit Redirects, if the RA advertises a prefix with the on-link(L) bit
set and later the Valid Lifetime expires, the host MUST then set and later the Valid Lifetime expires, the host MUST then
consider addresses of the prefix to be off-link, as specified by consider addresses of the prefix to be off-link, as specified by
the PIO paragraph of section 6.3.4 of [RFC4861]. the PIO paragraph of section 6.3.4 of [RFC4861].
3. Newer implementations, which are compliant with [RFC4861] MUST 3. In the absence of other sources of on-link information, including
adhere to the following rules. Older implementations, which are Redirects, if the RA advertises a prefix with the on-link(L) bit
compliant with [RFC2461] but not [RFC4861] may remain as is. If set and later the Valid Lifetime expires, the host MUST then
the Default Router List is empty and there is no other source of update its Prefix List with respect to the entry. In most cases,
on-link information about any address or prefix: this will result in the addresses covered by the prefix
defaulting back to being considered off-link, as specified by the
PIO paragraph of section 6.3.4 of [RFC4861]. However, there are
cases where an address could be covered by multiple entries in
the Prefix List, where expiration of one prefix would result in
destinations then being covered by a different entry.
4. Implementations compliant with [RFC4861] MUST adhere to the
following rules. If the Default Router List is empty and there
is no other source of on-link information about any address or
prefix:
1. The host MUST NOT assume that all destinations are on-link. 1. The host MUST NOT assume that all destinations are on-link.
2. The host MUST NOT perform address resolution for non-link- 2. The host MUST NOT perform address resolution for non-link-
local addresses. local addresses.
3. Since the host cannot assume the destination is on-link, and 3. Since the host cannot assume the destination is on-link, and
off-link traffic cannot be sent to a default router (since off-link traffic cannot be sent to a default router (since
the Default Router List is empty), address resolution cannot the Default Router List is empty), address resolution cannot
be performed. This case is specified in the last paragraph be performed. This case is specified in the last paragraph
skipping to change at page 9, line 40 skipping to change at page 10, line 14
Unreachable indication (for example, a locally delivered Unreachable indication (for example, a locally delivered
error message) as specified in the Terminology section of error message) as specified in the Terminology section of
[RFC4861]. [RFC4861].
On-link information concerning particular addresses and prefixes On-link information concerning particular addresses and prefixes
can make those specific addresses and prefixes on-link, but does can make those specific addresses and prefixes on-link, but does
not change the default behavior mentioned above for addresses and not change the default behavior mentioned above for addresses and
prefixes not specified. [RFC4943] provides justification for prefixes not specified. [RFC4943] provides justification for
these rules. these rules.
4. Hosts MUST verify that on-link information is still valid after 5. Hosts MUST verify that on-link information is still valid after
IPv6 interface re-initialization before using cached on-link IPv6 interface re-initialization before using cached on-link
determination information. Failure to do so may lead to lack of determination information. Failure to do so may lead to lack of
IPv6 network connectivity. For example, a host receives an RA IPv6 network connectivity. For example, a host receives an RA
from a router with on-link prefix A. The host powers down. from a router with on-link prefix A. The host powers down.
During the power off, the router sends out prefix A with on-link During the power off, the router sends out prefix A with on-link
bit set and a zero lifetime to indicate a renumbering. The host bit set and a zero lifetime to indicate a renumbering. The host
misses the renumbering. The host powers on and comes online. misses the renumbering. The host powers on and comes online.
Then, the router sends an RA with no PIO. The host uses cached Then, the router sends an RA with no PIO. The host uses cached
on-link prefix A and issues NS's instead of sending traffic to a on-link prefix A and issues NS's instead of sending traffic to a
default router. The "Observed Incorrect Implementation Behavior" default router. The "Observed Incorrect Implementation Behavior"
skipping to change at page 10, line 32 skipping to change at page 11, line 4
will respond to the address resolution, preventing this host from will respond to the address resolution, preventing this host from
sending IPv6 traffic. sending IPv6 traffic.
5. Conclusion 5. Conclusion
This document clarifies and summarizes the relationship between links This document clarifies and summarizes the relationship between links
and subnet prefixes described in [RFC4861]. Configuration of an IPv6 and subnet prefixes described in [RFC4861]. Configuration of an IPv6
address does not imply the existence of corresponding on-link address does not imply the existence of corresponding on-link
prefixes. One should also look at API considerations for prefix prefixes. One should also look at API considerations for prefix
length as described in last paragraph of section 4.2 of [RFC4903]. length as described in last paragraph of section 4.2 of [RFC4903].
This document also updates the definition of on-link from [RFC4861] This document also updates the definition of on-link from [RFC4861]
by retracting the last two bullets. by retracting the last two bullets.
6. Security Considerations 6. Security Considerations
This document addresses a security concern present in [RFC4861]. As This document addresses a security concern present in [RFC4861]. As
a result, the last bullet of the on-link definition in [RFC4861] has a result, the last two bullets of the on-link definition in [RFC4861]
been retracted. US-CERT Vulnerability Note VU#472363 lists the have been retracted. US-CERT Vulnerability Note VU#472363 lists the
implementations affected. implementations affected.
7. IANA Considerations 7. IANA Considerations
None. None.
8. Contributors 8. Contributors
Thomas Narten contributed significant text and provided substantial Thomas Narten contributed significant text and provided substantial
guidance to the production of this document. guidance to the production of this document.
skipping to change at page 11, line 32 skipping to change at page 11, line 46
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007. September 2007.
10.2. Informative References 10.2. Informative References
[RFC0950] Mogul, J. and J. Postel, "Internet Standard Subnetting
Procedure", STD 5, RFC 950, August 1985.
[RFC1122] Braden, R., "Requirements for Internet Hosts - [RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989. Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1519] Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless
Inter-Domain Routing (CIDR): an Address Assignment and
Aggregation Strategy", RFC 1519, September 1993.
[RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor
Discovery for IP Version 6 (IPv6)", RFC 2461, Discovery for IP Version 6 (IPv6)", RFC 2461,
December 1998. December 1998.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003. IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
Discovery (ND) Trust Models and Threats", RFC 3756, Discovery (ND) Trust Models and Threats", RFC 3756,
 End of changes. 23 change blocks. 
81 lines changed or deleted 106 lines changed or added

This html diff was produced by rfcdiff 1.37b. The latest version is available from http://tools.ietf.org/tools/rfcdiff/