--- 1/draft-ietf-6man-rfc3484-revise-03.txt 2011-07-01 11:16:31.000000000 +0200 +++ 2/draft-ietf-6man-rfc3484-revise-04.txt 2011-07-01 11:16:31.000000000 +0200 @@ -1,19 +1,21 @@ Network Working Group A. Matsumoto Internet-Draft J. Kato Intended status: Standards Track T. Fujisaki -Expires: December 12, 2011 NTT - June 10, 2011 +Expires: January 2, 2012 NTT + T. Chown + University of Southampton + July 1, 2011 Update to RFC 3484 Default Address Selection for IPv6 - draft-ietf-6man-rfc3484-revise-03.txt + draft-ietf-6man-rfc3484-revise-04.txt Abstract RFC 3484 describes algorithms for source address selection and for destination address selection. The algorithms specify default behavior for all Internet Protocol version 6 (IPv6) implementations. This document specifies a set of updates that modify the algorithms and fix the known defects. Status of this Memo @@ -24,21 +26,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 12, 2011. + This Internet-Draft will expire on January 2, 2012. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -69,163 +71,164 @@ 2.1.2. Teredo in the policy table . . . . . . . . . . . . . . 4 2.1.3. 6to4, Teredo, and IPv4 prioritization . . . . . . . . 4 2.1.4. Deprecated addresses in the policy table . . . . . . . 5 2.1.5. Renewed default policy table . . . . . . . . . . . . . 5 2.2. The longest matching rule . . . . . . . . . . . . . . . . 5 2.3. Utilize next-hop for source address selection . . . . . . 6 2.4. Private IPv4 address scope . . . . . . . . . . . . . . . . 6 2.5. Deprecation of site-local unicast address . . . . . . . . 7 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 - 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 - 5.1. Normative References . . . . . . . . . . . . . . . . . . . 7 + 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 5.1. Normative References . . . . . . . . . . . . . . . . . . . 8 5.2. Informative References . . . . . . . . . . . . . . . . . . 8 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 9 Appendix B. Past Discussion . . . . . . . . . . . . . . . . . . . 9 B.1. The longest match rule . . . . . . . . . . . . . . . . . . 9 B.2. NAT64 prefix issue . . . . . . . . . . . . . . . . . . . . 10 + B.3. ISATAP issue . . . . . . . . . . . . . . . . . . . . . . . 10 Appendix C. Revision History . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction The IPv6 addressing architecture [RFC4291] allows multiple unicast addresses to be assigned to interfaces. Because of this IPv6 implementations need to handle multiple possible source and - destination addresses when initiating communication RFC 3484 - [RFC3484]. specifies the default algorithms, common across all + destination addresses when initiating communication. RFC 3484 + [RFC3484] specifies the default algorithms, common across all implementations, for selecting source and destination addresses so that it is easier to predict the address selection behavior. - After RFC 3484 was specified, some issues have been identified with - the algorithm specified there. The issues are related to the longest - match algorithm used in Rule 9 of Destination address selection - breaking DNS round-robin techniques, and prioritization of poor IPv6 + Since RFC 3484 was specified, some issues have been identified with + the algorithms specified there. The issues include the longest match + algorithm used in Rule 9 of destination address selection breaking + DNS round-robin techniques, and prioritization of poor IPv6 connectivity using transition mechanisms over native IPv4 connectivity. There have also been some significant changes to the IPv6 addressing architecture that require changes in the RFC 3484 policy table. Such changes include the deprecation of site-local unicast addresses - [RFC3879] and the IPv4-compatible IPv6 addresses, the introduction of - Unique Local Addresses [RFC4193] etc. + [RFC3879] and of IPv4-compatible IPv6 addresses, and the introduction + of Unique Local Addresses [RFC4193]. This document specifies a set of updates that modify the algorithms and fix the known defects. 2. Specification 2.1. Changes related to the default policy table The default policy table is defined in RFC 3484 Section 2.1 as follows: Prefix Precedence Label ::1/128 50 0 ::/0 40 1 2002::/16 30 2 ::/96 20 3 ::ffff:0:0/96 10 4 The changes that should be included into the default policy table are those rules that are universally useful and do no harm in every - reasonable network envionment. The changes we should consider for + reasonable network environment. The changes we should consider for the default policy table are listed in this sub-section. The policy table is defined to be configurable. The changes that are - useful not universally but locally can be put into the policy table - manually or by using the auto-configuration mechanism proposed as a + useful locally but not universally can be put into the policy table + manually or by using the policy distribution mechanism proposed as a DHCP option [I-D.ietf-6man-addr-select-opt]. 2.1.1. ULA in the policy table - RFC 5220 [RFC5220] Section 2.1.4, 2.2.2, and 2.2.3 describes address - selection problems related to ULA [RFC4193]. These problems can be - solved by either changing the scope of ULA to site-local, or by - adding an entry for default policy table entry that has its own label - for ULA. + RFC 5220 [RFC5220] sections 2.1.4, 2.2.2, and 2.2.3 describe address + selection problems related to ULAs [RFC4193]. These problems can be + solved by either changing the scope of ULAs to site-local, or by + adding an entry for the default policy table that has its own label + for ULAs. - Centrally assigned ULA [I-D.ietf-ipv6-ula-central] is proposed, and - is assigned fc00::/8. Using the different labels for fc00::/8 and - fd00::/8 makes sense if we assume the same kind of address block is - assigned in the same or adjacent network. However, we cannot expect - that the type of ULA address block and network adjancency commonly - have any relationships. + Centrally assigned ULAs [I-D.ietf-ipv6-ula-central] have been + proposed, and are assigned fc00::/8. Using the different labels for + fc00::/8 and fd00::/8 makes sense if we assume the same kind of + address block is assigned in the same or adjacent network. However, + we cannot expect that the type of ULA address block and network + adjacency commonly have any relationships. - Regarding the scope of ULA, ULA has been specified with a global - scope because the reachability of the ULA was intended to be - restricted by the routing system. Since the ULAs will not be exposed - outside of its reachability domain, if an ULA is available as a - candidate destination address, it can be expected to be reachable. + Regarding the scope of ULAs, ULAs have been specified with a global + scope because the reachability of ULAs was intended to be restricted + by the routing system. Since the ULAs will not be exposed outside of + their reachability domain, if a ULA is available as a candidate + destination address, it can be expected to be reachable. - if we change the scope of ULA smaller than global, we can prioritize - ULA to ULA communication over GUA to GUA communication. At the same - time, however, finer-grained configuration of ULA address selection - will be impossible. For example, even if you want to priorize - communication related to the only /48 ULA prefix used in your site, - and do not want to prioritize communication to any other ULA prefix, - such a policy cannot be implemented in the policy table. So, this - draft proposes the use of the policy table to differentiate ULA from - GUA. + If we change the scope of ULAs to be smaller than global, we can + prioritize ULA to ULA communication over GUA to GUA communication. + At the same time, however, finer-grained configuration of ULA address + selection will be impossible. For example, even if you want to + prioritize communication related to the only /48 ULA prefix used in + your site, and do not want to prioritize communication to any other + ULA prefix, such a policy cannot be implemented in the policy table. + So, this draft proposes the use of the policy table to differentiate + ULAs from GUAs. 2.1.2. Teredo in the policy table Teredo [RFC4380] is defined and has been assigned 2001::/32. This address block should be assigned its own label in the policy table. - Teredo's priority should be less or equal to 6to4, considering its - characteristic of transitional tunnel mechanism. About Windows, this - is already in the implementation. + Teredo's priority should be less than or equal to 6to4, considering + its characteristic of being a transitional tunnel mechanism. 2.1.3. 6to4, Teredo, and IPv4 prioritization Regarding the prioritization between IPv4 and these transitional - mechanisms, the connectivity of them are known to be worse than IPv4. - These mechiansms are said to be the last resort access to IPv6 - resources. While 6to4 should have higher precedence over Teredo, in - that 6to4 host to 6to4 host communication can be over IPv4, which can - result in more optimal path, and 6to4 does not need NAT traversal. + mechanisms, their connectivity is known to usually be worse than + IPv4. These mechanisms are said to be the last resort access method + to IPv6 resources. 6to4 should have higher precedence than Teredo, + given that 6to4 host to 6to4 host communication can be over IPv4 + (which can result in a more optimal path) and that 6to4 should not + used behind a NAT device. 2.1.4. Deprecated addresses in the policy table - IPv4-compatible IPv6 address (::/96) is deprecated [RFC4291]. IPv6 - site-local unicast address (fec0::/10) is deprecated [RFC3879]. 6bone - testing address [RFC3701] was returned. + IPv4-compatible IPv6 addresses (::/96) are deprecated [RFC4291]. + IPv6 site-local unicast addresses (fec0::/10) are deprecated + [RFC3879]. 6bone testing addresses [RFC3701] were returned. - These addresses were removed from the current specification. So, it + These addresses were removed from the current specification. So they should not be treated differently, especially if we plan future re- - use of these address blocks. Hense, 6bone testing address block - should not be treated specially. + use of these address blocks. The 6bone testing address block should + not be treated specially. - Considering the inappropriate use of these address blocks especially - in outdated implementations and bad effects brought by them, it + Considering the inappropriate use of these address blocks, especially + in outdated implementations and bad effects brought by them, they should be labeled differently from the legitimate address blocks as - far as the address block is reserved by IANA. + long as the address block is reserved by IANA. 2.1.5. Renewed default policy table After applying these updates, the default policy table will be: Prefix Precedence Label ::1/128 60 0 fc00::/7 50 1 ::/0 40 2 ::ffff:0:0/96 30 3 2002::/16 20 4 2001::/32 10 5 ::/96 1 10 fec0::/10 1 11 2.2. The longest matching rule This issue is related to the longest matching rule, which was found - by Dave Thaler. It is malfunction of DNS round robin technique. It - is common for both IPv4 and IPv6. + by Dave Thaler. It causes a malfunction of the DNS round robin + technique, as described below. It is common for both IPv4 and IPv6. When a destination address DA, DB, and the source address of DA Source(DA) are on the same subnet and Source(DA) == Source(DB), DNS round robin load-balancing cannot function. By considering prefix lengths that are longer than the subnet prefix, this rule establishes preference between addresses that have no substantive differences between them. The rule functions as an arbitrary tie-breaker between the hosts in a round robin, causing a given host to always prefer a given member of the round robin. @@ -239,35 +242,39 @@ When DA and DB belong to the same address family (both are IPv6 or both are IPv4): If CommonPrefixLen(DA & Netmask(Source(DA)), Source(DA)) > CommonPrefixLen(DB & Netmask(Source(DB)), Source(DB)), then prefer DA. Similarly, if CommonPrefixLen(DA & Netmask(Source(DA)), Source(DA)) < CommonPrefixLen(DB & Netmask(Source(DB)), Source(DB)), then prefer DB. 2.3. Utilize next-hop for source address selection - The RFC 3484 source address selection rule 5 defines the address that + RFC 3484 source address selection rule 5 says that the address that is attached to the outgoing interface should be preferred as the source address. This rule is reasonable considering the prevalence - of Ingress Filtering described in BCP 38 [RFC2827]. This is because - an upstream network provider usually assumes it receives those - packets from their customer that have the delegated addresses as the - source addresses. + of ingress filtering described in BCP 38 [RFC2827]. This is because + an upstream network provider usually assumes it receives packets from + their customer that only have the delegated addresses as the source + addresses. - This rule, however, is not effective in such a environment described - in RFC 5220 Section 2.1.1, where a host has multiple upstream routers - on the same link and has addresses delegated from each upstream - routers on single interface. + This rule, however, is not effective in an environment such as that + described in RFC 5220 Section 2.1.1, where a host has multiple + upstream routers on the same link and has addresses delegated from + each upstream router on a single interface. + + Also, DHCPv6 assigned addresses are not associated like SLAAC + assigned addresses to a next-hop gateway, so implementations usually + can't apply this heuristic in a DHCPv6 network. So, a new rule 5.1 that utilizes next-hop information for source - address selection is inserted just after the rule 5. + address selection is inserted just after rule 5. Rule 5.1: Use an address assigned by the selected next-hop. If SA is assigned by the selected next-hop that will be used to send to D and SB is assigned by a different next-hop, then prefer SA. Similarly, if SB is assigned by the next-hop that will be used to send to D and SA is assigned by a different next-hop, then prefer SB. 2.4. Private IPv4 address scope @@ -276,41 +283,41 @@ follows that the result of the source address selection algorithm may be different when the original address is replaced with the NATed address. The algorithm currently specified in RFC 3484 is based on the assumption that a source address with a small scope cannot reach a destination address with a larger scope. This assumption does not hold if private IPv4 addresses and a NAT are used to reach public IPv4 addresses. - Due to this assumption, in the presence of both NATed private IPv4 - address and transitional addresses (like 6to4 and Teredo), the host + Due to this assumption, in the presence of both a NATed private IPv4 + address and a transitional address (like 6to4 or Teredo), the host will choose the transitional IPv6 address to access dual-stack peers [I-D.denis-v6ops-nat-addrsel]. Choosing transitional IPv6 - connectivity over native IPv4 connectivity is not considered to be a - very wise result. + connectivity over native IPv4 connectivity, particularly where the + transitional connectivity is unmanaged, is not considered to be + generally desirable. This issue can be fixed by changing the address scope of private IPv4 - addresses to global. Such change has already been implemented in - some OSes. + addresses to global. 2.5. Deprecation of site-local unicast address RFC 3484 contains a few "site-local unicast" and "fec0::" - description. It's better to remove examples related to site-local - unicast address, or change examples to use ULA. Possible points to - be re-written are below. + descriptions. It's better to remove examples related to site-local + unicast addresses, or change the examples to use ULAs. Possible + points to be re-written are listed below. - - 2nd paragraph in RFC 3484 Section 3.1 describes scope comparison - mechanism. - - RFC 3484 Section 10 contains examples for site-local address. + - 2nd paragraph in RFC 3484 Section 3.1 describes the scope + comparison mechanism. + - RFC 3484 Section 10 contains examples for site-local addresses. 3. Security Considerations No security risk is found that degrades RFC 3484. 4. IANA Considerations Address type number for the policy table may have to be assigned by IANA. @@ -337,42 +343,46 @@ [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, October 2005. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)", RFC 4380, February 2006. + [RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site + Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214, + March 2008. + [RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, "Problem Statement for Default Address Selection in Multi- Prefix Environments: Operational Issues of RFC 3484 Default Rules", RFC 5220, July 2008. 5.2. Informative References [I-D.chown-addr-select-considerations] Chown, T., "Considerations for IPv6 Address Selection Policy Changes", draft-chown-addr-select-considerations-03 (work in progress), July 2009. [I-D.denis-v6ops-nat-addrsel] Denis-Courmont, R., "Problems with IPv6 source address selection and IPv4 NATs", draft-denis-v6ops-nat-addrsel-00 (work in progress), February 2009. [I-D.ietf-6man-addr-select-opt] - Matsumoto, A., Fujisaki, T., and J. Kato, "Distributing - Address Selection Policy using DHCPv6", - draft-ietf-6man-addr-select-opt-00 (work in progress), - December 2010. + Matsumoto, A., Fujisaki, T., Kato, J., and T. Chown, + "Distributing Address Selection Policy using DHCPv6", + draft-ietf-6man-addr-select-opt-01 (work in progress), + June 2011. [I-D.ietf-ipv6-ula-central] Hinden, R., "Centrally Assigned Unique Local IPv6 Unicast Addresses", draft-ietf-ipv6-ula-central-02 (work in progress), June 2007. [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000. @@ -386,73 +396,83 @@ Courmont and the members of 6man's address selection design team for their invaluable contributions to this document. Appendix B. Past Discussion This section summarizes discussions we had before related to address selection mechanisms. B.1. The longest match rule - RFC 3484 defines that the destination address selection rule 9 should - be applied to both IPv4 and IPv6, which spoils the DNS based load + RFC 3484 defines that destination address selection rule 9 should be + applied to both IPv4 and IPv6, which spoils the DNS-based load balancing technique that is widely used in the IPv4 Internet today. When two or more destination addresses are acquired from one FQDN, - the rule 9 defines that the longest matching destination and source - address pair should be chosen. As in RFC 1794, the DNS based load - balancing technique is achived by not re-ordering the destination - addresses returned from the DNS server. The Rule 9 defines - deterministic rule for re-ordering at hosts, hence the technique of - RFC 1794 is not available anymore. + rule 9 states that the longest matching destination and source + address pair should be chosen. As in RFC 1794, the DNS-based load + balancing technique is achieved by not re-ordering the destination + addresses returned from the DNS server. Rule 9 defines a + deterministic rule for re-ordering hosts, hence the technique + described in RFC 1794 is not available anymore. Regarding this problem, there was discussion in IETF and other places like below. Discussion: The possible changes to RFC 3484 are as follows: 1. To delete Rule 9 completely. 2. To apply Rule 9 only for IPv6 and not for IPv4. In IPv6, - hiearchical address assignment is general principle, hence the - longest matchin rule is beneficial in many cases. In IPv4, as - stated above, the DNS based load balancing technique is widely + hierarchical address assignment generally used at present, hence + the longest matching rule is beneficial in many cases. In IPv4, + as stated above, the DNS based load balancing technique is widely used. - 3. To apply Rule 9 for IPv6 conditionally and not for IPv4. When the length of matching bits of the destination address and the - source address is longer than N, the rule 9 is applied. - Otherwise, the order of the destination addresses do not change. - The N should be configurable and it should be 32 by default. - This is simply because the two sites whose matching bit length is + source address is longer than N, rule 9 is applied. Otherwise, + the order of the destination addresses do not change. The value + of N should be configurable and it should be 32 by default. This + is simply because the two sites whose matching bit length is longer than 32 are probably adjacent. - Now that IPv6 PI address is admitted in some RIRs, hierachical - address assignment is not maintained anymore. It seems that the - longest matching algorithm may not worth the adverse effect of - disalbing the DNS based load balance technique. - - After long discussion, however we could not reach any consensus here. - That means, we cannot change the current rules for this issue. + Now that IPv6 PI addresses are being introduced by RIRs, hierarchical + address assignment is not always maintained anymore. It seems that + the longest matching algorithm may not worth the adverse effect of + disabling the DNS-based load balance technique. B.2. NAT64 prefix issue - NAT64 WKP was newly defined[RFC6052]. It depends site by site - whether NAT64 should be preferred over IPv4, in other words NAT44, or - NAT44 over NAT64. So, this issue of site local policy should be - solved by policy distribution mechanism. + The NAT64 WKP has recently been defined[RFC6052]. It depends site by + site whether NAT64 should be preferred over IPv4, in other words + NAT44, or NAT44 over NAT64. So, the issue of local site policy + should be solved by manual policy table changes locally, or by use of + the proposed DHCP-based policy distribution mechanism. + +B.3. ISATAP issue + + Where a site is using ISATAP [RFC5214], there is generally no way to + differentiate an ISATAP address from a native address without + interface information. However, a site will assign a prefix for its + ISATAP overlay, and can choose to add an entry for that prefix to the + policy table if it wishes to change the default preference for that + prefix. Appendix C. Revision History + 04: + Added comment about ISATAP. + 03: + ULA address selection issue was expanded. - 6to4, Teredo and IPv4 priorization issue was elaborated. - Deperecated address blocks in policy table section was elaborated. + 6to4, Teredo and IPv4 prioritization issue was elaborated. + Deprecated address blocks in policy table section was elaborated. In appendix, NAT64 prefix issue was added. 02: Suresh Krishnan's suggestions for better english sentences were incorporated. A new source address selection rule that utilizes the next-hop information is included in Section 2.3. Site local address prefix was corrected. 01: @@ -500,10 +518,17 @@ Email: kato@syce.net Tomohiro Fujisaki NTT PF Lab Midori-Cho 3-9-11 Musashino-shi, Tokyo 180-8585 Japan Phone: +81 422 59 7351 Email: fujisaki@syce.net + + Tim Chown + University of Southampt on + Southampton, Hampshire SO17 1BJ + United Kingdom + + Email: tjc@ecs.soton.ac.uk