idnits 2.17.1 draft-ooms-v6ops-bgp-tunnel-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 21. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 599. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 610. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 617. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 623. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 12, 2006) is 6317 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 3036 (Obsoleted by RFC 5036) ** Obsolete normative reference: RFC 3107 (Obsoleted by RFC 8277) ** Obsolete normative reference: RFC 3513 (Obsoleted by RFC 4291) -- Obsolete informational reference (is this intentional?): RFC 2463 (Obsoleted by RFC 4443) Summary: 5 errors (**), 0 flaws (~~), 1 warning (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force J. De Clercq 3 Internet-Draft Alcatel-Lucent 4 Intended status: Standards Track D. Ooms 5 Expires: June 15, 2007 OneSparrow 6 S. Prevost 7 BTexact Technologies 8 F. Le Faucheur 9 Cisco 10 December 12, 2006 12 Connecting IPv6 Islands over IPv4 MPLS using IPv6 Provider Edge Routers 13 (6PE) 14 draft-ooms-v6ops-bgp-tunnel-07.txt 16 Status of this Memo 18 By submitting this Internet-Draft, each author represents that any 19 applicable patent or other IPR claims of which he or she is aware 20 have been or will be disclosed, and any of which he or she becomes 21 aware will be disclosed, in accordance with Section 6 of BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as Internet- 26 Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt. 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 39 This Internet-Draft will expire on June 15, 2007. 41 Copyright Notice 43 Copyright (C) The IETF Trust (2006). 45 Abstract 47 This document explains how to interconnect IPv6 islands over a Multi- 48 Protocol Label Switching (MPLS)-enabled IPv4 cloud. This approach 49 relies on IPv6 Provider Edge routers (6PE) which are Dual Stack in 50 order to connect to IPv6 islands and to the MPLS core which is only 51 required to run IPv4 MPLS. The 6PE routers exchange the IPv6 52 reachability information transparently over the core using the Multi- 53 Protocol Border Gateway Protocol (MP-BGP) over IPv4. In doing so, 54 the BGP Next Hop field is used to convey the IPv4 address of the 6PE 55 router so that dynamically established IPv4-signaled MPLS Label 56 Switched Paths (LSPs) can be used without explicit tunnel 57 configuration. 59 Requirements Language 61 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 62 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 63 document are to be interpreted as described in RFC 2119 [RFC2119]. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 68 2. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 5 69 3. Transport over IPv4-signaled LSPs and IPv6 label binding . . . 6 70 4. Crossing Multiple IPv4 Autonomous Systems . . . . . . . . . . 8 71 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 72 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 73 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 74 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 75 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 76 8.2. Informative References . . . . . . . . . . . . . . . . . . 12 77 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 78 Intellectual Property and Copyright Statements . . . . . . . . . . 14 80 1. Introduction 82 There are several approaches for providing IPv6 connectivity over an 83 MPLS core network [RFC4029] including (i) requiring that MPLS 84 networks support setting up IPv6-signaled Label Switched Paths (LSPs) 85 and establish IPv6 connectivity by using those LSPs, (ii) use 86 configured tunneling over IPv4-signaled LSPs, or (iii) use the IPv6 87 Provider Edge (6PE) approach defined in this document. 89 The 6PE approach is required as an alternative to the use of standard 90 tunnels, because it provides a solution for an MPLS environment where 91 all tunnels are established dynamically, thereby addressing 92 environments where the effort to configure and maintain explicitly 93 configured tunnels is not acceptable. 95 This document specifies operations of the 6PE approach for 96 interconnection of IPv6 islands over an IPv4 MPLS cloud. The 97 approach requires the edge routers that are connected to IPv6 islands 98 to be Dual Stack Multi-Protocol-BGP-speaking routers [RFC2858bis] 99 while the core routers are only required to run IPv4 MPLS. The 100 approach uses MP-BGP over IPv4, relies on identification of the 6PE 101 routers by their IPv4 address and uses IPv4-signaled MPLS LSPs that 102 don't require any explicit tunnel configuration. 104 Throughout this document, the terminology of [RFC2460] and [RFC4364] 105 is used. 107 In this document an 'IPv6 island' is a network running native IPv6 as 108 per [RFC2460]. A typical example of an IPv6 island would be a 109 customer's IPv6 site connected via its IPv6 Customer Edge (CE) router 110 to one (or more) Dual Stack Provider Edge router(s) of a Service 111 Provider. These IPv6 Provider Edge routers (6PE) are connected to an 112 IPv4 MPLS core network. 114 +--------+ 115 |site A CE---+ +-----------------+ 116 +--------+ | | | +--------+ 117 6PE-+ IPv4 MPLS core +-6PE--CE site C | 118 +--------+ | | | +--------+ 119 |site B CE---+ +-----------------+ 120 +--------+ 122 IPv6 islands IPv4 cloud IPv6 island 123 <-------------><---------------------><--------------> 125 Figure 1 127 The interconnection method described in this document typically 128 applies to an Internet Service Provider (ISP) that has an IPv4 MPLS 129 network and is familiar with BGP (possibly already offering BGP/MPLS 130 VPN services) and that wants to offer IPv6 services to some of its 131 customers. However, the ISP may not (yet) want to upgrade its 132 network core to IPv6 nor use only IPv6-over-IPv4 tunneling. With the 133 6PE approach described here, the provider only has to upgrade some 134 Provider Edge (PE) routers to Dual Stack operations so they behave as 135 6PE routers (and route reflectors if those are used for exchange of 136 IPv6 reachability among 6PE routers) while leaving the IPv4 MPLS core 137 routers untouched. These 6PE routers provide connectivity to IPv6 138 islands. They may also provide other services simultaneously (IPv4 139 connectivity, IPv4 L3VPN services, L2VPN services, etc.). Also with 140 the 6PE approach, no tunnels need to be explicitly configured, and no 141 IPv4 headers need to be inserted in front of the IPv6 packets between 142 the customer and provider edge. 144 The ISP obtains IPv6 connectivity to its peers and upstreams using 145 means outside of the scope of this memo, and its 6PE routers 146 readvertise it over the IPv4 MPLS core with MP-BGP. 148 The interface between the edge router of the IPv6 island (Customer 149 Edge (CE) router) and the 6PE router is a native IPv6 interface which 150 can be physical or logical. A routing protocol (IGP or EGP) may run 151 between the CE router and the 6PE router for the distribution of IPv6 152 reachability information. Alternatively, static routes and/or a 153 default route may be used on the 6PE router and the CE router to 154 control reachability. An IPv6 island may connect to the provider 155 network over more than one interface. 157 The 6PE approach described in this document can be used for customers 158 that already have an IPv4 service from the network provider and 159 additionally require an IPv6 service, as well as for customers that 160 require only IPv6 connectivity. 162 The scenario is also described in [RFC4029]. 164 Note that the 6PE approach specified in this document provides global 165 IPv6 reachability. Support of IPv6 VPNs is not within the scope of 166 this document and is addressed in [RFC4659]. 168 Deployment of the 6PE approach over an existing IPv4 MPLS cloud does 169 not require introduction of new mechanisms in the core (other than 170 potentially those described at the end of section 3 for dealing with 171 dynamic MTU discovery). Configuration and operations of the 6PE 172 approach has a lot of similarities with the configuration and 173 operations of an IPv4 VPN service ([RFC4364]) or IPv6 VPN service 174 ([RFC4659]) over an IPv4 MPLS core since they all use MP-BGP to 175 distribute non-IPv4 reachability information for transport over an 176 IPv4 MPLS Core. However, the configuration and operations of the 6PE 177 approach is somewhat simpler, since it does not involve all the VPN 178 concepts such as VRFs. 180 2. Protocol Overview 182 Each IPv6 site is connected to at least one Provider Edge router that 183 is located on the border of the IPv4 MPLS cloud. We call such a 184 router a 6PE router. The 6PE router MUST be dual stack IPv4 and 185 IPv6. The 6PE router MUST be configured with at least one IPv4 186 address on the IPv4 side and at least one IPv6 address on the IPv6 187 side. The configured IPv4 address needs to be routable in the IPv4 188 cloud, and there needs to be a label bound via an IPv4 label 189 distribution protocol to this IPv4 route. 191 As a result of this, every considered 6PE router knows which MPLS 192 label to use to send packets to any other 6PE router. Note that an 193 MPLS network offering BGP/MPLS IP VPN services already fulfills these 194 requirements. 196 No extra routes need to be injected in the IPv4 cloud. 198 We call the 6PE router receiving IPv6 packets from an IPv6 site an 199 Ingress 6PE router (relative to these IPv6 packets). We call a 6PE 200 router forwarding IPv6 packets to an IPv6 site an Egress 6PE router 201 (relative to these IPv6 packets). 203 Interconnecting IPv6 islands over an IPv4 MPLS cloud takes place 204 through the following steps: 206 1. Exchange IPv6 reachability information among 6PE routers with MP- 207 BGP [RFC2545]: 209 The 6PE routers MUST exchange the IPv6 prefixes over MP-BGP 210 sessions as per [RFC2545] running over IPv4. The MP-BGP Address 211 Family Identifier (AFI) used MUST be IPv6 (value 2). In doing 212 so, the 6PE routers convey their IPv4 address as the BGP Next Hop 213 for the advertised IPv6 prefixes. The IPv4 address of the egress 214 6PE router MUST be encoded as an IPv4-mapped IPv6 address in the 215 BGP Next Hop field. This encoding is consistent with the 216 definition of an IPv4-mapped IPv6 address in [RFC3513] as an 217 "address type used to represent the address of IPv4 nodes as IPv6 218 addresses". In addition, the 6PE MUST bind a label to the IPv6 219 prefix as per [RFC3107]. The Subsequence Address Family 220 Identifier (SAFI) used in MP-BGP MUST be the "label" SAFI (value 221 4) as defined in [RFC3107]. Rationale for this and label 222 allocation policies are discussed in section 3. 224 2. Transport IPv6 packets from Ingress 6PE router to Egress 6PE 225 router over IPv4-signaled LSPs: 227 The Ingress 6PE router MUST forward IPv6 data over the IPv4- 228 signaled LSP towards the Egress 6PE router identified by the IPv4 229 address advertised in the IPv4-mapped IPv6 address of the BGP 230 Next Hop for the corresponding IPv6 prefix. 232 As required by the BGP specification [RFC4271], PE routers form a 233 full peering mesh unless Route Reflectors are used. 235 3. Transport over IPv4-signaled LSPs and IPv6 label binding 237 In this approach, the IPv4-mapped IPv6 addresses allow a 6PE router 238 that has to forward an IPv6 packet to automatically determine the 239 IPv4-signaled LSP to use for a particular IPv6 destination by looking 240 at the MP-BGP routing information. 242 The IPv4-signaled LSPs can be established using any existing 243 technique for label setup [RFC3031] (LDP, RSVP-TE, ...). 245 To ensure interoperability among systems that implement the 6PE 246 approach described in this document, all such systems MUST support 247 tunneling using IPv4-signaled MPLS LSPs established by LDP [RFC3036]. 249 When tunneling IPv6 packets over the IPv4 MPLS backbone, rather than 250 successively prepend an IPv4 header and then perform label imposition 251 based on the IPv4 header, the ingress 6PE Router MUST directly 252 perform label imposition of the IPv6 header without prepending any 253 IPv4 header. The (outer) label imposed MUST correspond to the IPv4- 254 signaled LSP starting on the ingress 6PE Router and ending on the 255 egress 6PE Router. 257 While this approach could theoretically operate in some situations 258 using a single level of labels, there are significant advantages in 259 using a second level of labels which are bound to IPv6 prefixes via 260 MP-BGP advertisements in accordance with [RFC3107]. 262 For instance, use of a second level label allows Penultimate Hop 263 Popping (PHP) on the IPv4 Label Switch Router (LSR) upstream of the 264 egress 6PE router without any IPv6 capabilities/upgrade on the 265 penultimate router; this is because it still transmits MPLS packets 266 even after the PHP (instead of having to transmit IPv6 packets and 267 encapsulate them appropriately). 269 Also, an existing IPv4-signaled LSP which is using "IPv4 Explicit 270 NULL label" over the last hop (say because that LSP is already used 271 to transport IPv4 traffic with the Pipe Diff-Serv Tunneling Model as 272 defined in [RFC3270]) could not be used to carry IPv6 with a single 273 label since the "IPv4 Explicit NULL label" can not be used to carry 274 native IPv6 traffic (see [RFC3032]), while it could be used to carry 275 labeled IPv6 traffic (see [RFC4182]). 277 This is why a second label MUST be used with the 6PE approach. 279 The label bound by MP-BGP to the IPv6 prefix indicates to the Egress 280 6PE Router that the packet is an IPv6 packet. This label advertised 281 by the Egress 6PE Router with MP-BGP MAY be an arbitrary label value 282 which identifies an IPv6 routing context or outgoing interface to 283 send the packet to, or MAY be the IPv6 Explicit Null Label. An 284 Ingress 6PE Router MUST be able to accept any such advertised label. 286 [RFC2460] requires that every link in the IPv6 Internet have an MTU 287 of 1280 octets or larger. Therefore, on MPLS links that are used for 288 transport of IPv6 as per the 6PE approach and that do not support 289 link-specific fragmentation and reassembly, the MTU must be 290 configured to at least 1280 octets plus the encapsulation overhead. 292 Some IPv6 hosts might be sending packets larger than the MTU 293 available in the IPv4 MPLS core and rely on Path MTU discovery to 294 learn about those links. To simplify MTU discovery operations, one 295 option is for the network administrator to engineer the MTU on the 296 core facing interfaces of the ingress 6PE, consistent with the core 297 MTU, so that ICMP 'Packet Too Big' messages can be sent back by the 298 ingress 6PE without the corresponding packets ever entering the MPLS 299 core. Otherwise, routers in the IPv4 MPLS network have the option to 300 generate an ICMP "Packet Too Big" message using mechanisms as 301 described in section 2.3.2 "Tunneling Private Addresses through a 302 Public Backbone" of [RFC3032]. 304 In that case, note that, should a core router with an outgoing link 305 with a MTU smaller than 1280 receive an encapsulated IPv6 packet 306 larger than 1280, then the mechanisms of [RFC3032] may result in the 307 "Packet Too Big" message never reaching the sender. This is because, 308 according to [RFC2463], the core router will build an ICMP "Packet 309 Too Big" message filled with the invoking packet up to 1280 bytes and 310 when forwarding downstream towards the egress PE as per [RFC3032], 311 the MTU of the outgoing link will cause the packet to be dropped. 312 This may cause significant operational problems; the originator of 313 the packets will notice that his data is not getting through, without 314 knowing why and where they are discarded. This issue would only 315 occur if the above recommendation (to configure MTU on MPLS links of 316 at least 1280 octets plus encapsulation overhead) is not adhered to 317 (perhaps by misconfiguration). 319 4. Crossing Multiple IPv4 Autonomous Systems 321 This section discusses the case where two IPv6 islands are connected 322 to different Autonomous Systems. 324 Like in the case of multi-AS backbone operations for IPv4 VPNs 325 described in section 10 of [RFC4364], three main approaches can be 326 distinguished: 328 a. EBGP redistribution of IPv6 routes from AS to neighboring AS 330 This approach is the equivalent for exchange of IPv6 routes to 331 procedure (a) described in section 10 of [RFC4364] for the 332 exchange of VPN-IPv4 routes. 334 In this approach, the 6PE routers use IBGP (according to 335 [RFC2545] and [RFC3107] and as described in this document for the 336 single-AS situation) to redistribute labeled IPv6 routes either 337 to an Autonomous System Border Router (ASBR) 6PE router, or to a 338 route reflector of which an ASBR 6PE router is a client. The 339 ASBR then uses EBGP to redistribute the (non-labeled) IPv6 routes 340 to an ASBR in another AS, which in turn distributes them to the 341 6PE routers in that AS as described earlier in this 342 specification, or perhaps to another ASBR which in turn 343 distributes them etc. 345 There may be one, or multiple, ASBR interconnection(s) across any 346 two ASes. IPv6 needs to be activated on the inter-ASBR links and 347 each ASBR 6PE router has at least one IPv6 address on the 348 interface to that link. 350 No inter-AS LSPs are used. There is effectively a separate mesh 351 of LSPs across the 6PE routers within each AS. 353 In this approach, the ASBR exchanging IPv6 routes may peer over 354 IPv6 or over IPv4. The exchange of IPv6 routes MUST be carried 355 out as per [RFC2545]. 357 Note that the peering ASBR in the neighboring AS to which the 358 IPv6 routes were distributed with EBGP, should in its turn 359 redistribute these routes to the 6PEs in its AS using IBGP and 360 encoding its own IPv4 address as the IPv4-mapped IPv6 BGP Next 361 Hop. 363 b. EBGP redistribution of labeled IPv6 routes from AS to neighboring 364 AS 366 This approach is the equivalent for exchange of IPv6 routes to 367 procedure (b) described in section 10 of [RFC4364] for the 368 exchange of VPN-IPv4 routes. 370 In this approach, the 6PE routers use IBGP (as described earlier 371 in this document for the single-AS situation) to redistribute 372 labeled IPv6 routes either to an Autonomous System Border Router 373 (ASBR) 6PE router, or to a route reflector of which an ASBR 6PE 374 router is a client. The ASBR then uses EBGP to redistribute the 375 labeled IPv6 routes to an ASBR in another AS, which in turn 376 distributes them to the 6PE routers in that AS as described 377 earlier in this specification, or perhaps to another ASBR which 378 in turn distributes them etc. 380 There may be one, or multiple, ASBR interconnection(s) across any 381 two ASes. IPv6 may or may not be activated on the inter-ASBR 382 links. 384 This approach requires that there be label switched paths 385 established across ASes. Hence the corresponding considerations 386 described for procedure (b) in section 10 of [RFC4364] apply 387 equally to this approach for IPv6. 389 In this approach, the ASBR exchanging IPv6 routes may peer over 390 IPv4 or IPv6 (in which case, IPv6 obviously needs to be activated 391 on the inter-ASBR link). When peering over IPv6, the exchange of 392 labeled IPv6 routes MUST be carried out as per [RFC2545] and 393 [RFC3107]. When peering over IPv4, the exchange of labeled IPv6 394 routes MUST be carried out as per [RFC2545] and [RFC3107] with 395 encoding of the IPv4 address of the ASBR as an IPv4-mapped IPv6 396 address in the BGP Next Hop field. 398 c. Multihop EBGP redistribution of labeled IPv6 routes between 399 source and destination ASes, with EBGP redistribution of labeled 400 IPv4 routes from AS to neighboring AS. 402 This approach is the equivalent for exchange of IPv6 routes to 403 procedure (c) described in section 10 of [RFC4364] for exchange 404 of VPN- IPv4 routes. 406 In this approach, IPv6 routes are neither maintained nor 407 distributed by the ASBR routers. The ASBR routers need not be 408 dual stack and may be IPv4/MPLS-only routers. An ASBR needs to 409 maintain labeled IPv4 /32 routes to the 6PE routers within its 410 AS. It uses EBGP to distribute these routes to other ASes. 411 ASBRs in any transit ASes will also have to use EBGP to pass 412 along the labeled IPv4 /32 routes. This results in the creation 413 of an IPv4 label switched path from the ingress 6PE router to the 414 egress 6PE router. Now 6PE routers in different ASes can 415 establish multi-hop EBGP connections to each other over IPv4, and 416 can exchange labeled IPv6 routes (with an IPv4-mapped IPv6 BGP 417 Next Hop) over those connections. 419 IPv6 need not be activated on the inter-ASBR links. 421 The considerations described for procedure (c) in section 10 of 422 [RFC4364] with respect to possible use of multi-hop EBGP 423 connections via route-reflectors in different ASes, as well as 424 with respect to the use of a third label in case the IPv4 /32 425 routes for the PE routers are NOT made known to the P routers, 426 apply equally to this approach for IPv6. 428 This approach requires that there be IPv4 label switched paths 429 established across the ASes leading form a packet's ingress 6PE 430 router to its egress 6PE router. Hence, the considerations 431 described for procedure (c) in section 10 of [RFC4364] with 432 respect to LSPs spanning multiple ASes apply equally to this 433 approach for IPv6. 435 Note also that the exchange of IPv6 routes can only start after 436 BGP has created IPv4 connectivity between the ASes. 438 5. Security Considerations 440 The extensions defined in this document allow BGP to propagate 441 reachability information about IPv6 routes over an MPLS IPv4 core 442 network. As such, no new security issues are raised beyond those 443 that already exist in BGP-4 and use of MP-BGP for IPv6. 445 The security features of BGP and corresponding security policy 446 defined in the ISP domain are applicable. 448 For the inter-AS distribution of IPv6 routes according to case (a) of 449 section 4 of this document, no new security issues are raised beyond 450 those that already exist in the use of EBGP for IPv6 [RFC2545]. 452 For the inter-AS distribution of IPv6 routes according to case (b) 453 and (c) of section 4 of this document, the procedures require that 454 there be label switched paths established across the AS boundaries. 455 Hence the appropriate trust relationships must exist between and 456 among the set of ASes along the path. Care must be taken to avoid 457 "label spoofing". To this end an ASBR 6PE SHOULD only accept labeled 458 packets from its peer ASBR 6PE if the topmost label is a label that 459 it has explicitly signaled to that peer ASBR 6PE. 461 Note that for the inter-AS distribution of IPv6 routes according to 462 case (c) of section 4 of this document, label spoofing may be more 463 difficult to prevent. Indeed, the MPLS label distributed with the 464 IPv6 routes via multi-hop EBGP is directly sent from the egress 6PE 465 to ingress 6PEs in an other AS (or through route reflectors). This 466 label is advertised transparently through the AS boundaries. When 467 the egress 6PE that sent the labeled IPv6 routes receives a data 468 packet that has this particular label on top of its stack, it may not 469 be able to verify whether the label was pushed on the stack by an 470 ingress 6PE that is allowed to do so. As such one AS may be 471 vulnerable to label spoofing in a different AS. The same issue 472 equally applies to the option (c) of section 10 of [RFC4364]. Just 473 like it is the case for [RFC4364], addressing this particular 474 security issue is for further study. 476 6. IANA Considerations 478 This document has no actions for IANA. 480 7. Acknowledgements 482 We wish to thank Gerard Gastaud and Eric Levy-Abegnoli who 483 contributed to this document, and we wish to thank Tri T. Nguyen who 484 initiated this document, but who unfortunately passed away much too 485 soon. We also thank Pekka Savola for his valuable comments and 486 suggestions. 488 8. References 490 8.1. Normative References 492 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 493 Requirement Levels", BCP 14, RFC 2119, March 1997. 495 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 496 (IPv6) Specification", RFC 2460, December 1998. 498 [RFC2545] Marques, P. and F. Dupont, "Use of BGP-4 Multiprotocol 499 Extensions for IPv6 Inter-Domain Routing", RFC 2545, 500 March 1999. 502 [RFC2858bis] 503 Bates, T., Rekhter, Y., Chandra, R., and D. Katz, 504 "Multiprotocol Extensions for BGP-4", 505 draft-ietf-idr-rfc2858bis-10.txt, work in progress. 507 [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., 508 Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack 509 Encoding", RFC 3032, January 2001. 511 [RFC3036] Andersson, L., Doolan, P., Feldman, N., Fredette, A., and 512 B. Thomas, "LDP Specification", RFC 3036, January 2001. 514 [RFC3107] Rekhter, Y. and E. Rosen, "Carrying Label Information in 515 BGP-4", RFC 3107, May 2001. 517 [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6 518 (IPv6) Addressing Architecture", RFC 3513, April 2003. 520 8.2. Informative References 522 [RFC2463] Conta, A. and S. Deering, "Internet Control Message 523 Protocol (ICMPv6) for the Internet Protocol Version 6 524 (IPv6) Specification", RFC 2463, December 1998. 526 [RFC3031] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol 527 Label Switching Architecture", RFC 3031, January 2001. 529 [RFC3270] Le Faucheur, F., Wu, L., Davie, B., Davari, S., Vaananen, 530 P., Krishnan, R., Cheval, P., and J. Heinanen, "Multi- 531 Protocol Label Switching (MPLS) Support of Differentiated 532 Services", RFC 3270, May 2002. 534 [RFC4029] Lind, M., Ksinant, V., Park, S., Baudot, A., and P. 535 Savola, "Scenarios and Analysis for Introducing IPv6 into 536 ISP Networks", RFC 4029, March 2005. 538 [RFC4182] Rosen, E., "Removing a Restriction on the use of MPLS 539 Explicit NULL", RFC 4182, September 2005. 541 [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway 542 Protocol 4 (BGP-4)", RFC 4271, January 2006. 544 [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private 545 Networks (VPNs)", RFC 4364, February 2006. 547 [RFC4659] De Clercq, J., Ooms, D., Carugi, M., and F. Le Faucheur, 548 "BGP-MPLS IP Virtual Private Network (VPN) Extension for 549 IPv6 VPN", RFC 4659, September 2006. 551 Authors' Addresses 553 Jeremy De Clercq 554 Alcatel-Lucent 555 Copernicuslaan 50 556 Antwerpen 2018 557 Belgium 559 Email: jeremy.de_clercq@alcatel-lucent.be 561 Dirk Ooms 562 OneSparrow 563 Belegstraat 13 564 Antwerpen 2018 565 Belgium 567 Email: dirk@onesparrow.com 569 Stuart Prevost 570 BTexact Technologies 571 Room 136 Polaris House, Adastral Park, Martlesham Heath 572 Ipswich Suffolk IP5 3RE 573 England 575 Email: stuart.prevost@bt.com 577 Francois Le Faucheur 578 Cisco 579 Domaine Green Side 400, Avenue de Roumanille, Batiment T3 580 Biot, Sophia Antipolis 06410 581 France 583 Email: flefauch@cisco.com 585 Full Copyright Statement 587 Copyright (C) The IETF Trust (2006). 589 This document is subject to the rights, licenses and restrictions 590 contained in BCP 78, and except as set forth therein, the authors 591 retain all their rights. 593 This document and the information contained herein are provided on an 594 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 595 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 596 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 597 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 598 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 599 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 601 Intellectual Property 603 The IETF takes no position regarding the validity or scope of any 604 Intellectual Property Rights or other rights that might be claimed to 605 pertain to the implementation or use of the technology described in 606 this document or the extent to which any license under such rights 607 might or might not be available; nor does it represent that it has 608 made any independent effort to identify any such rights. Information 609 on the procedures with respect to rights in RFC documents can be 610 found in BCP 78 and BCP 79. 612 Copies of IPR disclosures made to the IETF Secretariat and any 613 assurances of licenses to be made available, or the result of an 614 attempt made to obtain a general license or permission for the use of 615 such proprietary rights by implementers or users of this 616 specification can be obtained from the IETF on-line IPR repository at 617 http://www.ietf.org/ipr. 619 The IETF invites any interested party to bring to its attention any 620 copyrights, patents or patent applications, or other proprietary 621 rights that may cover technology that may be required to implement 622 this standard. Please address the information to the IETF at 623 ietf-ipr@ietf.org. 625 Acknowledgment 627 Funding for the RFC Editor function is provided by the IETF 628 Administrative Support Activity (IASA).