Network Working Group A. Matsumoto Internet-Draft T. Fujisaki Intended status: Standards Track NTT Expires: December 21, 2008 R. Hiromi Intec Netcore K. Kanayama INTEC Systems June 19, 2008 Things To Be Considered for RFC 3484 Revision draft-arifumi-6man-rfc3484-revise-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on December 21, 2008. Abstract RFC 3484 has several known issues to be fixed mainly because of the deprecation of IPv6 site-local unicast address and the coming of ULA. Additionally, the rule 9 of the destination address selection rules, namely the longest matching rule, is known for its adverse effect on the round robin DNS technique. This document covers these essential points to be modified and proposes possible useful changes to be included in the revision of RFC 3484. Matsumoto, et al. Expires December 21, 2008 [Page 1] Internet-Draft RFC3484 Revise June 2008 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Problem Example . . . . . . . . . . . . . . . . . . . . . 3 2. Proposed Changes to RFC 3484 . . . . . . . . . . . . . . . . . 4 2.1. To remove site-local unicast address . . . . . . . . . . . 4 2.2. To change default policy table . . . . . . . . . . . . . . 5 2.3. To add ULA related considerations . . . . . . . . . . . . 6 2.4. To make address type dependent control possible . . . . . 6 2.5. To disable or restrict RFC 3484 Section 6 Rule 9 . . . . . 7 3. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Normative References . . . . . . . . . . . . . . . . . . . 8 6.2. Informative References . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 Intellectual Property and Copyright Statements . . . . . . . . . . 10 Matsumoto, et al. Expires December 21, 2008 [Page 2] Internet-Draft RFC3484 Revise June 2008 1. Introduction RFC 3484 [RFC3484] defines default address selection rules for IPv6 and IPv4. Because of the deprecation of IPv6 site-local unicast address and the coming of ULA, [RFC4193] these rules in RFC 3484 are known to cause communication failures depending on the network environment. Additionally, there was a discussion at v6ops and ietf mailing lists that the rule 9 of the destination address selection has a serious adverse effect on the round robin DNS technique. [RFC1794] RFC 3484 defines that the destination address selection rule 9 should be applied to both IPv4 and IPv6, which spoils the DNS based load balancing technique that is widely used in the IPv4 Internet today. This document covers these essential points to be modified and proposes possible useful changes to be included in the revision of RFC 3484. 1.1. Problem Example When an enterprise has IPv4 Internet connectivity but does not yet have IPv6 Internet connectivity, and the enterprise wants to provide site-local IPv6 connectivity, ULA is the best choice for site-local IPv6 connectivity. Each employee host will have both an IPv4 global or private address and a ULA. Here, when this host tries to connect to Host-C that has registered both A and AAAA records in the DNS, the host will choose AAAA as the destination address and ULA for the source address. This will clearly result in a connection failure. Matsumoto, et al. Expires December 21, 2008 [Page 3] Internet-Draft RFC3484 Revise June 2008 +--------+ | Host-C | AAAA = 2001:db8::80 +-----+--+ A = 192.47.163.1 | ============ | Internet | ============ | no IPv6 connectivity +----+----+ | Gateway | +----+----+ | | fd01:2:3::/48 (ULA) | 192.0.2.0/24 ++--------+ | Router | +----+----+ | fd01:2:3:4::/64 (ULA) | 192.0.2.240/28 ------+---+---------- | +-+----+ fd01:2:3:4::100 (ULA) | Host | 192.0.2.245 +------+ [Fig. 1] This problem can be solved by adding one entry to the default policy table. The changed table looks like this. The changes for the default policy table are discussed at Section 2.2. Prefix Pref Label ::1/128 50 0 ::/0 40 1 2002::/16 30 2 fc00::/7 35 5 (added for ULA) ::/96 20 3 ::ffff:0:0/96 10 4 This problem was mentioned at ipv6 mailing lists by Pekka Savola. 2. Proposed Changes to RFC 3484 2.1. To remove site-local unicast address RFC3484 contains a few "site-local unicast" and "fec::" description. It's better to remove examples related to site-local unicast address, Matsumoto, et al. Expires December 21, 2008 [Page 4] Internet-Draft RFC3484 Revise June 2008 or change examples to use ULA. Possible points to be re-written are below. - 2nd paragraph in Section 3.1 describes scope comparison mechanism. - Section 10 contains examples for site-local address. 2.2. To change default policy table The default rule today is: Prefix Precedence Label ::1/128 50 0 ::/0 40 1 2002::/16 30 2 ::/96 20 3 ::ffff:0:0/96 10 4 The changes that should be included into the default policy table are those rules that are universally useful and do no harm in every reasonable network envionment. The changes we should consider for the default policy table are as follows. The policy table is defined to be configurable. The changes that are useful not universally but locally can be put into the policy table manually or by using the auto-configuration mechanism proposed as a DHCP option [I-D.fujisaki-dhc-addr-select-opt]. - IPv4-compatible IPv6 address is deprecated. [RFC4291] (However, should we keep this entry for the sake of backward compatibility ?) - Teredo [RFC4380] is defined and has 2001::/32. Teredo's priority should be less or equal to 6to4, considering its characteristic of tunnel mechanism. About Windows, this point is already in the implementation. - ULA should have less precedence than Global IPv6 unicast address. As described in Section 1.1, ULA is a possible cause of connection failure. Things will worsen as IPv6 deployment proceeds and more FQDNs have both A and AAAA records. When we apply these changes, the default policy table looks like this. Prefix Precedence Label ::1/128 50 0 ::/0 40 1 2002::/16 30 2 fc00::/7 20 3 (For ULA) ::ffff:0:0/96 10 4 2001::/32 5 5 (For Teredo) Matsumoto, et al. Expires December 21, 2008 [Page 5] Internet-Draft RFC3484 Revise June 2008 Teredo has the worst precedence. This means that, for IPv4-IPv6 dual-stack host, Teredo address will be used only when the destination host has an IPv6 address only. ULA has its own label and higher precedence than IPv4 address. This means ULA will be used when the destination host also uses ULA. If a host has a ULA and a IPv4 address, the host will not use ULA when connecting to a dual-stack host in the Internet. 2.3. To add ULA related considerations For example, we have to pay attention to source address selection for a multicast packet. By default, ULA will be chosen for a multicast packet of any scope. This issue cannot be solved by changing a RFC 3484 rule. This is because, multicast and unicast have different sets of scope and it is site-dependent which unicast address scope is appropriate for the site's multicast scope. Therefore, this issue can be solved, for example, by configuring the policy table. 2.4. To make address type dependent control possible It is hard to define default preferences for these address types, RA- based, DHCP-based, manual-based, and privacy extention address, because the appropriate preference value depends on the usage of these addresses, but not on address types themselves. It is the policy table where you can control host's address selection behavior. For example, You can set priority on RFC 3041 [RFC3041] address (privacy extension) by putting a line in policy table specifying RFC 3041 address by 128-bit prefixlen and continuing to update policy table according to RFC 3041 address re-generation. But, this is surely troublesome for users and implementers. One idea is to update RFC 3484 policy table definition so that it can handle meta addresses like privacy, DHCPv6 generated, RA generated, manually generated (and even Home Address ?) To prefer privacy address by default, and to prefer RA-generated address for site internal, the policy table will look like this. Prefix Pref Label 2001:db8:1234::(PRIVACY)/128 30 2 ::/0 10 2 2001:db8:1234::(RA):/128 30 1 2001:db8::/48 20 1 Matsumoto, et al. Expires December 21, 2008 [Page 6] Internet-Draft RFC3484 Revise June 2008 2.5. To disable or restrict RFC 3484 Section 6 Rule 9 There was a discussion at v6ops and ietf@ietf.org mailing lists that the rule 9 of the destination address selection has a serious adverse effect on the round robin DNS technique. RFC 3484 defines that the destination address selection rule 9 should be applied to both IPv4 and IPv6, which spoils the DNS based load balancing technique that is widely used in the IPv4 Internet today. When the destination address acquired from one FQDN are two or more, the Rule 9 defines that the longest matching destination and source address pair should be chosen. As in RFC 1794, the DNS based load balancing technique is achived by not re-ordering the destination addresses returned from the DNS server. The Rule 9 defines deterministic rule for re-ordering at hosts, hence the technique of RFC 1794 is not available anymore. Possible changes to RFC 3484 are as follows: 1. To delete Rule 9 completely. 2. To apply Rule 9 only for IPv6 and not for IPv4. In IPv6, hiearchical address assignment is general principle, hence the longest matchin rule is beneficial in many cases. In IPv4, as stated above, the DNS based load balancing technique is widely used. 3. To apply Rule 9 for IPv6 conditionally and not for IPv4. When the length of matching bits of the destination address and the source address is longer than N, the rule 9 is applied. Otherwise, the order of the destination addresses do not change. The N should be configurable and it should be 32 by default. This is simply because the two sites whose matching bit length is longer than 32 are probably adjacent. Now that IPv6 PI address is admitted in some RIRs, hierachical address assignment is not maintained anymore. It seems that the longest matching algorithm is not worth the adverse effect of disalbing the DNS based load balance technique. Therefore, the proposal 1 or 3 seems to be preferable. 3. Conclusion This document lists up several issues that should be included in the revision of RFC 3484, which are useful universally and do no harm in reasonable network environments. The address selection rules that are useful locally can be implemented, for example, by configuring the policy table. The Matsumoto, et al. Expires December 21, 2008 [Page 7] Internet-Draft RFC3484 Revise June 2008 policy distribution mechanism [I-D.fujisaki-dhc-addr-select-opt] may be useful to configure a lot of hosts at a time. The destination address selection rule 9 will spoil the DNS based load balancing technique that is widely deployed at least in IPv4. To keep this functionality in IPv6, the rule 9 have to be deleted or restricted. 4. Security Considerations No security risk is found that degrades RFC 3484. 5. IANA Considerations Address type number for the policy table may have to be assigned by IANA. 6. References 6.1. Normative References [RFC1794] Brisco, T., "DNS Support for Load Balancing", RFC 1794, April 1995. [RFC3484] Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003. [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast Addresses", RFC 4193, October 2005. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)", RFC 4380, February 2006. 6.2. Informative References [I-D.fujisaki-dhc-addr-select-opt] Fujisaki, T., Matsumoto, A., Niinobe, S., Hiromi, R., and K. Kanayama, "Distributing Address Selection Policy using DHCPv6", draft-fujisaki-dhc-addr-select-opt-06 (work in progress), June 2008. Matsumoto, et al. Expires December 21, 2008 [Page 8] Internet-Draft RFC3484 Revise June 2008 [RFC3041] Narten, T. and R. Draves, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001. Authors' Addresses Arifumi Matsumoto NTT PF Lab Midori-Cho 3-9-11 Musashino-shi, Tokyo 180-8585 Japan Phone: +81 422 59 3334 Email: arifumi@nttv6.net Tomohiro Fujisaki NTT PF Lab Midori-Cho 3-9-11 Musashino-shi, Tokyo 180-8585 Japan Phone: +81 422 59 7351 Email: fujisaki@syce.net Ruri Hiromi Intec Netcore, Inc. Shinsuna 1-3-3 Koto-ku, Tokyo 136-0075 Japan Phone: +81 3 5665 5069 Email: hiromi@inetcore.com Ken-ichi Kanayama INTEC Systems Institute, Inc. Shimoshin-machi 5-33 Toyama-shi, Toyama 930-0804 Japan Phone: +81 76 444 8088 Email: kanayama_kenichi@intec-si.co.jp Matsumoto, et al. Expires December 21, 2008 [Page 9] Internet-Draft RFC3484 Revise June 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Matsumoto, et al. Expires December 21, 2008 [Page 10]