idnits 2.17.1 draft-ietf-v6ops-v6inixp-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 15, 2010) is 5031 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-08) exists of draft-ietf-v6ops-ra-guard-05 == Outdated reference: A later version (-02) exists of draft-ietf-v6ops-rogue-ra-00 -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- Obsolete informational reference (is this intentional?): RFC 3627 (Obsoleted by RFC 6547) -- Obsolete informational reference (is this intentional?): RFC 4601 (Obsoleted by RFC 7761) -- Obsolete informational reference (is this intentional?): RFC 5101 (Obsoleted by RFC 7011) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force R. Gagliano 3 Internet-Draft Cisco Systems 4 Intended status: Informational July 15, 2010 5 Expires: January 16, 2011 7 IPv6 Deployment in Internet Exchange Points (IXPs) 8 draft-ietf-v6ops-v6inixp-09.txt 10 Abstract 12 This document provides guidance on IPv6 deployment in Internet 13 Exchange Points (IXP). It includes information regarding the switch 14 fabric configuration, the addressing plan and general organizational 15 tasks that need to be performed. IXPs are mainly a layer 2 16 infrastructure and in many cases the best recommendations suggest 17 that the IPv6 data, control and management plane should not be 18 handled differently than in IPv4. 20 Status of this Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on January 16, 2011. 37 Copyright Notice 39 Copyright (c) 2010 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 2. Switch Fabric Configuration . . . . . . . . . . . . . . . . . 3 56 3. Addressing Plan . . . . . . . . . . . . . . . . . . . . . . . 4 57 4. Multicast IPv6 . . . . . . . . . . . . . . . . . . . . . . . . 6 58 4.1. Multicast Support and Monitoring for Neighbor 59 Discovery at an IXP . . . . . . . . . . . . . . . . . . . 6 60 4.2. IPv6 Multicast traffic exchange at an IXP . . . . . . . . 7 61 5. Reverse DNS . . . . . . . . . . . . . . . . . . . . . . . . . 7 62 6. Route-Server . . . . . . . . . . . . . . . . . . . . . . . . . 8 63 7. External and Internal support . . . . . . . . . . . . . . . . 8 64 8. IXP Policies and IPv6 . . . . . . . . . . . . . . . . . . . . 8 65 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 66 10. Security Considerations . . . . . . . . . . . . . . . . . . . 9 67 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 68 12. Informative References . . . . . . . . . . . . . . . . . . . . 9 69 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11 71 1. Introduction 73 Most Internet Exchange Points (IXP) work at the Layer 2 level, making 74 the adoption of IPv6 an easy task. However, IXPs normally implement 75 additional services such as statistics, route servers, looking 76 glasses and broadcast control that may be impacted by the 77 implementation of IPv6. This document clarifies the impact of IPv6 78 on a new or an existing IXP. The document assumes an Ethernet switch 79 fabric, although other layer 2 configurations can be deployed. 81 2. Switch Fabric Configuration 83 An Ethernet based IXP switch fabric implements IPv6 over Ethernet as 84 described in [RFC2464] . Therefore, the switching of IPv6 traffic 85 happens in the same way as in IPv4. However, some management 86 functions (such as switch management, SNMP [RFC3411] support or flow 87 analysis exportation) may require IPv6 as underlying layer and this 88 should be assessed by the IXP operator. 90 There are two common configurations of IXP switch ports to support 91 IPv6: 93 1. dual-stack LAN (Local Area Network): when both IPv4 and IPv6 94 traffic share a common LAN. No extra configuration is required 95 in the switch. 97 2. independent VLAN (Virtual Local Area Network)[IEEE.P802-1Q.1998]: 98 when an IXP logically separates IPv4 and IPv6 traffic in 99 different VLANs. 101 In both configurations, IPv6 and IPv4 traffic can either share a 102 common physical port or use independent physical ports. The use of 103 independent ports can be more costly in both capital expenses (as new 104 ports are needed) and operational expenses. 106 When using the same physical port for both IPv4 and IPv6 traffic, 107 some changes may be needed at the participants' interfaces 108 configurations. If the IXP implements the "dual-stack 109 configuration", IXP's participants will configure dual-stack 110 interfaces. On the other hand, if the IXP implements the 111 "independent VLAN configuration", IXP participants are required to 112 pass one additional VLAN tag across the interconnection. In this 113 case, if the IXP did not originally use VLAN tagging, VLAN tagging 114 should be established and previously configured LAN may continue 115 untagged as a "native VLAN" or be transitioned to a tagged VLAN. The 116 "independent VLAN" configuration provides a logical separation of 117 IPv4 and IPv6 traffic, simplifying separate statistical analysis for 118 IPv4 and IPv6 traffic. Conversely, the "dual-stack" configuration 119 (when performing separate statistical analysis for IPv4 and IPv6 120 traffic) would require the use of flows techniques such as IPFIX 121 [RFC5101] to classify traffic based on the different ether-types 122 (0x0800 for IPv4, 0x0806 for ARP and 0x86DD for IPv6). 124 The only technical requirement for IPv6 referring link MTUs is that 125 they need to be greater than or equal to 1280 octets [RFC2460]. The 126 MTU size for every LAN in an IXP should be well known by all its 127 participants. 129 3. Addressing Plan 131 Regional Internet Registries (RIRs) have specific address policies to 132 assign Provider Independent (PI) IPv6 address to IXPs. Those 133 allocations are usually /48 or shorter prefixes [RIR_IXP_POLICIES]. 134 Depending on the country and region of operation, address assignments 135 may be made by NIRs (National Internet Registries). Unique Local 136 IPv6 Unicast Addresses ( [RFC4193] ) are normally not used in an IXP 137 LAN as global reverse DNS resolution and whois services are required. 139 IXPs will normally use manual address configuration. The manual 140 configuration of IPv6 addresses allows IXP participants to replace 141 network interfaces with no need to reconfigure Border Gateway 142 Protocol (BGP) sessions information and it also facilitates 143 management tasks. The IPv6 Addressing Architecture [RFC4291] 144 requires that interface identifiers are 64 bits in size for prefixes 145 not starting with binary 000, resulting in a maximum prefix length of 146 /64. Longer prefix lengths up to /127 have been used operationally. 147 If prefix lengths longer than 64 bits are chosen, the implications 148 described in [RFC3627] need to be considered. A /48 prefix allows 149 the addressing of 65536 /64 LANs. 151 When selecting the use of static Interface Identifiers (IIDs), there 152 are different options on how to fill its 64 bits (or 16 hexadecimal 153 characters). A non-exhaustive list of possible IID selection 154 mechanisms is the following: 156 1. Some IXPs like to include the participants' ASN number decimal 157 encoding inside each IPv6 address. The ASN decimal number is 158 used as the BCD (binary code decimal) encoding of the upper part 159 of the IID such as shown in this example: 161 * IXP LAN prefix: 2001:db8::/64 163 * ASN: 64496 164 * IPv6 Address: 2001:db8:0000:0000:0000:0006:4496:0001/64 or its 165 equivalent representation 2001:db8::6:4496:1/64 167 In this example we are right justifying the participant's ASN 168 number from the 112nd bit. Remember that 32 bits ASNs require a 169 maximum of 10 characters. With this example, up to 2^16 IPv6 170 addresses can be configured per ASN. 172 2. Although BCD encoding is more "human-readable", some IXPs prefer 173 to use the hexadecimal encoding of the ASNs number as the upper 174 part of the IID as follow: 176 * IXP LAN prefix: 2001:db8::/64 178 * ASN: 64496 (DEC) or fbf0 (HEX) 180 * IPv6 Address: 2001:db8:0000:0000:0000:0000:fbf0:0001/64 or its 181 equivalent representation 2001:db8::fbf0:1/64 183 In this case a maximum of 8 characters will be needed to 184 represent 32 bits ASNs. 186 3. A third scheme for statically assigning IPv6 addresses on an IXP 187 LAN could be to relate some portions of a participant's IPv6 188 address to its IPv4 address. In the following example, the last 189 four decimals of the IPv4 address are copied to the last 190 hexadecimals of the IPv6 address, using the decimal number as the 191 BCD encoding for the last three characters of the IID such as in 192 the following example: 194 * IXP LAN prefix: 2001:db8::/64 196 * IPv4 Address: 192.0.2.123/23 198 * IPv6 Address: 2001:db8:2::123/64 200 4. A fourth approach might be based on the IXPs ID for that 201 participant. 203 IPv6 prefixes for IXP LANs are typically publicly well known and 204 taken from dedicated IPv6 blocks for IXP assignments reserved for 205 this purpose by the different RIRs. These blocks are usually only 206 meant for addressing the exchange fabric, and may be filtered out by 207 DFZ (Default Free Zone) operators. When considering the routing of 208 the IXP LANs two options are identified: 210 o IXPs may decide that LANs should not to be globally routed in 211 order to limit the possible origins of a Denial of Service (DoS) 212 attack to its participants' AS boundaries. In this configuration 213 participants may route these prefixes inside their networks (e. g. 214 using BGP no-export communities or routing the IXP LANs within the 215 participants' IGP) to perform fault management. Using this 216 configuration, the monitoring of the IXP LANs from outside of its 217 participants' AS boundaries is not possible. 219 o IXP may decide that LANs should (attempt to be) be globally 220 routed. In this case, IXP LANs monitoring from outside its 221 participants' AS boundaries may be possible but the IXP LANs will 222 be vulnerable to DoS from outside of those boundaries. 224 Additionally, possible IXP external services (such as DNS, web pages, 225 FTP servers) need to be globally routed. These should be addressed 226 from separate address blocks, either from upstream providers' address 227 space, or separate independent assignments. Strict prefix length 228 filtering could be a reason for requesting more than one /48 229 assignment from a RIR (i.e. requesting one /48 assignment for the 230 IXPs LANs that may not be globally routed and a different, non-IXP 231 /48 assignment for the IXP external services that will be globally 232 routed). 234 4. Multicast IPv6 236 There are two elements that need to be evaluated when studying IPv6 237 multicast in an IXP: multicast support for neighbor discovery and 238 multicast peering. 240 4.1. Multicast Support and Monitoring for Neighbor Discovery at an IXP 242 IXPs typically control broadcast traffic across the switching fabric 243 in order to avoid broadcast storms by only allowing limited ARP 244 [RFC0826] traffic for address resolution. In IPv6 there is not 245 broadcast support but IXPs may intend to control multicast traffic in 246 each LAN instead. ICMPv6 Neighbor Discovery [RFC4861] implements the 247 following necessary functions in an IXP switching fabric: Address 248 Resolution, Neighbor Unreachability Detection and Duplicate Address 249 Detection. In order to perform these functions, Neighbor 250 Solicitation and Neighbor Advertisement packets are exchanged using 251 the link-local all-nodes multicast address (ff02::1) and/or 252 solicited-node multicast addresses (ff02:0:0:0:0:1:ff00:0000 to ff02: 253 0:0:0:0:1:ffff:ffff). As described in [RFC4861] routers will 254 initialize its interfaces by joining its solicited-node multicast 255 addresses using either Multicast Listener Discovery (MLD) [RFC2710] 256 or MLDv2 [RFC3810] . MLD messages may be sent to the corresponding 257 group address ff02::2 (MLD) or ff02::16 (MLDv2). Depending on the 258 addressing plan selected by the IXP, each solicited-node multicast 259 group may be shared by a sub-set of participants' conditioned by how 260 the last three octets of the addresses are selected. In Section 3 261 example 1, only participants with ASNs with the same two last digits 262 are going to share the same solicited-node multicast group. 264 Similarly to the ARP policy an IXP may limit multicast traffic across 265 the switching fabric in order to only allow ICMPv6 Neighbor 266 Solicitation, Neighbor Advertisement and MLD messages. Configuring 267 default routes in an IXP LAN without an agreement between the parties 268 is normally against IXP policies. ICMPv6 Router Advertisement 269 packets should neither be issued nor accepted by routers connected to 270 the IXP. Where possible, the IXP operator should block link-local RA 271 packets using IPv6 RA-GUARD [I-D.ietf-v6ops-ra-guard] . If this is 272 not possible, the IXP operator should monitor the exchange for rogue 273 Router Advertisement packets as described in 274 [I-D.ietf-v6ops-rogue-ra] . 276 4.2. IPv6 Multicast traffic exchange at an IXP 278 For IPv6 Multicast traffic exchange, an IXP may decide to use either 279 the same LAN being used for unicast IPv6 traffic exchange, the same 280 LAN being used for IPv4 Multicast traffic exchange or a dedicated LAN 281 for IPv6 Multicast traffic exchange. The reason for having a 282 dedicated LAN for multicast is to prevent unwanted multicast traffic 283 to reach participants that do not have multicast support. Protocol 284 Independent Multicast (PIM) [RFC4601] messages will be sent to the 285 link-local IPv6 'ALL-PIM-ROUTERS' multicast group ff02::d in the 286 selected LAN and should be allowed. Implementing IPv6 PIM snooping 287 will allow only the participants associated to a particular group to 288 receive its multicast traffic. BGP reachability information for IPv6 289 multicast address-family (SAFI=2) is normally exchanged using MP-BGP 290 [RFC4760] and is used for Reverse Path Forwarding (RPF) lookups 291 performed by the IPv6 PIM. If a dedicated LAN is configured for 292 Multicast IPv6 traffic exchange, reachability information for IPv6 293 Multicast address family should be carried in new BGP sessions. 294 ICMPv6 Neighbor Discovery should be allowed in the Multicast IPv6 LAN 295 as described in the previous paragraph. 297 5. Reverse DNS 299 The inclusion of PTR records for all addresses assigned to 300 participants in the IXP reverse zone under "ip6.arpa" facilitates 301 troubleshooting, particularly when using tools such as traceroute. 302 If reverse DNS is configured, DNS servers should be reachable over 303 IPv6 transport for complete IPv6 support. 305 6. Route-Server 307 IXPs may offer a Route-Server service, either for Multi-Lateral 308 Peering Agreements (MLPA) service, looking glass service or route- 309 collection service. IPv6 support needs to be added to the BGP 310 speaking router. The equipment should be able to transport IPv6 311 traffic and to support Multi-protocol BGP (MP-BGP) extensions for 312 IPv6 address family ([RFC2545] and [RFC4760]). 314 A good practice is that all BGP sessions used to exchange IPv6 315 network information are configured using IPv6 data transport. This 316 configuration style ensures that both network reachability 317 information and generic packet data transport use the same transport 318 plane. Because of the size of the IPv6 space, limiting the maximum 319 number of IPv6 prefixes in every session should be studied. 321 External services should be available for external IPv6 access, 322 either by an IPv6 enabled web page or an IPv6 enabled console 323 interface. 325 7. External and Internal support 327 Some external services that need to have IPv6 support are traffic 328 graphics, DNS, FTP, Web, Route Server and Looking Glass. Other 329 external services such as NTP servers, or SIP Gateways need to be 330 evaluated as well. In general, each service that is currently 331 accessed through IPv4 or that handle IPv4 addresses should be 332 evaluated for IPv6 support. 334 Internal services are also important when considering IPv6 adoption 335 at an IXP. Such services may not deal with IPv6 traffic but may 336 handle IPv6 addresses; that is the case of provisioning systems, 337 logging tools and statistics analysis tools. Databases and tools 338 should be evaluated for IPv6 support. 340 8. IXP Policies and IPv6 342 IXP Policies and contracts should be revised as any mention of IP 343 should be clarified if it refers to IPv4, IPv6 or both. 345 Policies for IPv6 traffic monitoring and filtering may be in place as 346 described in Section Section 4 . 348 9. IANA Considerations 350 This memo includes no request to IANA. 352 10. Security Considerations 354 This memo includes references to procedures for monitoring and/or 355 avoiding particular ICMPv6 traffic at IXPs' LANs. None of these 356 procedures prevent Ethernet loops caused by mischief in the LAN. The 357 document also mentions how to limit IPv6 DoS attacks to the IXP 358 switch fabric by not globally announce the IXP LANs prefix. 360 11. Acknowledgements 362 The author would like to thank the contributions from Alain Aina, 363 Bernard Tuy, Stig Venaas, Martin Levy, Nick Hilliard, Martin Pels, 364 Bill Woodcock, Carlos Friacas, Arien Vijn, Fernando Gont and Louis 365 Lee. 367 12. Informative References 369 [I-D.ietf-v6ops-ra-guard] 370 Levy-Abegnoli, E., Velde, G., Popoviciu, C., and J. 371 Mohacsi, "IPv6 RA-Guard", draft-ietf-v6ops-ra-guard-05 372 (work in progress), May 2010. 374 [I-D.ietf-v6ops-rogue-ra] 375 Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement 376 Problem Statement", draft-ietf-v6ops-rogue-ra-00 (work in 377 progress), May 2009. 379 [IEEE.P802-1Q.1998] 380 Institute of Electrical and Electronics Engineers, "Local 381 and Metropolitan Area Networks: Virtual Bridged Local Area 382 Networks", IEEE Draft P802.1Q, March 1998. 384 [RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Or 385 converting network protocol addresses to 48.bit Ethernet 386 address for transmission on Ethernet hardware", STD 37, 387 RFC 826, November 1982. 389 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 390 (IPv6) Specification", RFC 2460, December 1998. 392 [RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet 393 Networks", RFC 2464, December 1998. 395 [RFC2545] Marques, P. and F. Dupont, "Use of BGP-4 Multiprotocol 396 Extensions for IPv6 Inter-Domain Routing", RFC 2545, 397 March 1999. 399 [RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast 400 Listener Discovery (MLD) for IPv6", RFC 2710, 401 October 1999. 403 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An 404 Architecture for Describing Simple Network Management 405 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, 406 December 2002. 408 [RFC3627] Savola, P., "Use of /127 Prefix Length Between Routers 409 Considered Harmful", RFC 3627, September 2003. 411 [RFC3810] Vida, R. and L. Costa, "Multicast Listener Discovery 412 Version 2 (MLDv2) for IPv6", RFC 3810, June 2004. 414 [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast 415 Addresses", RFC 4193, October 2005. 417 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 418 Architecture", RFC 4291, February 2006. 420 [RFC4601] Fenner, B., Handley, M., Holbrook, H., and I. Kouvelas, 421 "Protocol Independent Multicast - Sparse Mode (PIM-SM): 422 Protocol Specification (Revised)", RFC 4601, August 2006. 424 [RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter, 425 "Multiprotocol Extensions for BGP-4", RFC 4760, 426 January 2007. 428 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 429 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 430 September 2007. 432 [RFC5101] Claise, B., "Specification of the IP Flow Information 433 Export (IPFIX) Protocol for the Exchange of IP Traffic 434 Flow Information", RFC 5101, January 2008. 436 [RIR_IXP_POLICIES] 437 Numbers Resource Organization (NRO)., "RIRs Allocations 438 Policies for IXP. NRO Comparison matrix", 2009, 439 . 441 Author's Address 443 Roque Gagliano 444 Cisco Systems 445 Avenue des Uttins 5 446 Rolle, 1180 447 Switzerland 449 Email: rogaglia@cisco.com