IPv6 Backbone RouterCisco Systems, IncBuilding D45 Allee des Ormes - BP1200 MOUGINS - Sophia Antipolis06254FRANCE+33 497 23 26 34pthubert@cisco.comBlue Meadow NetworkingSaratoga95070United States of Americacharliep@computer.orgCisco Systems, IncBuilding D45 Allee des Ormes - BP1200 MOUGINS - Sophia Antipolis06254FRANCE+33 497 23 26 20elevyabe@cisco.com
Internet
6lo
This document updates RFC 6775 and RFC 8505 in order to enable
proxy services for IPv6 Neighbor Discovery by Routing Registrars
called Backbone Routers.
Backbone Routers are placed along the wireless edge of a Backbone, and
federate multiple wireless links to form a single Multi-Link Subnet.
IntroductionIEEE STD. 802.1 Ethernet Bridging
provides an efficient and reliable broadcast service for wired
networks; applications and protocols have been built that heavily
depend on that feature for their core operation. Unfortunately,
Low-Power Lossy Networks (LLNs) and local wireless networks generally
do not provide the broadcast capabilities of Ethernet Bridging in an
economical fashion.
As a result, protocols designed for bridged networks that rely
on multicast and broadcast often exhibit disappointing behaviours
when employed unmodified on a local wireless medium (see
).
Wi-Fi Access Points (APs)
deployed in an Extended Service Set (ESS) act as Ethernet Bridges
, with the property that the bridging
state is established at the time of association. This ensures
connectivity to the end node (the Wi-Fi STA) and protects the wireless medium
against broadcast-intensive Transparent Bridging reactive Lookups.
In other words, the association process is used to register the MAC
Address of the STA to the AP. The AP subsequently proxies the
bridging operation and does not need to forward the broadcast Lookups
over the radio.
In the same way as Transparent Bridging, IPv6
Neighbor Discovery
Protocol (IPv6 ND) is a reactive protocol, based on multicast
transmissions to locate an on-link correspondent and ensure the
uniqueness of an IPv6 address. The mechanism for Duplicate Address
Detection (DAD) was designed for
the efficient broadcast operation of Ethernet Bridging.
Since broadcast can be unreliable over wireless media, DAD often
fails to discover duplications
. In practice, the fact that IPv6 addresses very rarely conflict is mostly attributable to the entropy of the 64-bit Interface IDs as opposed to the succesful operation of the IPv6 ND duplicate address detection and resolution mechanisms.
The IPv6 ND Neighbor Solicitation (NS) message
is used for DAD and address Lookup when a node moves, or wakes up and
reconnects to the wireless network. The NS message is targeted to a
Solicited-Node Multicast Address (SNMA) and
should in theory only reach a very small group of nodes. But in
reality, IPv6 multicast messages are typically broadcast on the
wireless medium, and so they
are processed by most of the wireless nodes over the subnet (e.g., the
ESS fabric) regardless of how few of the nodes are subscribed to the
SNMA. As a result, IPv6 ND address Lookups and DADs over a large
wireless and/or a LowPower Lossy Network (LLN) can consume enough
bandwidth to cause a substantial degradation to the unicast traffic
service.
Because IPv6 ND messages sent to the SNMA group are broadcast at the
radio MAC Layer, wireless nodes that do not belong to the SNMA group
still have to keep their radio turned on to listen to multicast NS
messages, which is a total waste of energy for them. In order to
reduce their power consumption, certain battery-operated devices such
as IoT sensors and smartphones ignore some of the broadcasts, making
IPv6 ND operations even less reliable.
These problems can be alleviated by reducing the IPv6 ND broadcasts
over wireless access links. This has been done by splitting the
broadcast domains and routes between subnets, or even by assigning
a /64 prefix to each wireless node (see ).
Another way is to proxy at the boundary of the wired and wireless
domains the Layer 3 protocols that rely on MAC Layer broadcast
operations. For instance, IEEE 802.11
situates proxy-ARP (IPv4) and proxy-ND (IPv6) functions at the Access
Points (APs). The 6BBR provides a proxy-ND function and can be
extended for proxy-ARP in a continuation specification.
Knowledge of which address to proxy for can be obtained by snooping the
IPV6 ND protocol (see ), but it has been found to be unreliable. An IPv6 address may not be
discovered immediately due to a packet loss, or if a "silent" node
is not currently using one of its addresses. A change of state (e.g.,
due to movement) may be missed or misordered, leading to unreliable
connectivity and incomplete knowledge of the state of the network.
This specification defines the 6BBR as a Routing Registrar
that provides proxy services for IPv6 Neighbor
Discovery. As represented in ,
Backbone Routers federate multiple LLNs over a Backbone Link to form a
Multi-Link Subnet (MLSN). The MLSN breaks the Layer 2 continuity and splits the broadcast domain, in a fashion that each Link, including the backbone, is its own broadcast domain. This means that devices that rely on a link-scope multicast on the backbone will only reach other nodes on the backbone but not LLN nodes. A key property of MLSNs is that link-local traffic and traffic with a hop limit of 1 will not transit to nodes in the same subnet on a different link, something that may produce unexpected behavior in software that expects a subnet to be entirely contained within a single link. In order to enable the continuity of IPv6 ND operations beyond the backbone, and enable communication using Global or Unique Local Addresses between any pair of nodes in the MLSN, Backbone Routers placed along the LLN edge of the Backbone handle IPv6 ND on behalf of Registered Nodes and forward IPv6 packets back and forth.
A 6LoWPAN node (6LN) registers all its IPv6 Addresses using an NS(EARO) as specified in to the 6BBR. The 6BBR is also a Border Router that performs IPv6 Neighbor Discovery (IPv6 ND) operations on its Backbone interface on behalf of the 6LNs that have registered addresses on its LLN interfaces without the need of a broadcast over the
wireless medium. A 6LN that resides on the backbone does not register to the SNMA groups associated to its Registered Addresses and defers to the 6BBR to answer or preferably forward to it as unicast the corresponding multicast packets.
Additional benefits are discussed in .
TerminologyBCP 14
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and only when,
they appear in all capitals, as shown here.
New Terms
This document introduces the following terminology:
Federated:
A subnet that comprises a Backbone and one or more (wireless)
access links, is said to be federated into one Multi-Link Subnet.
The proxy-ND operation of 6BBRs over the Backbone and the access
links provides the appearance of a subnet for IPv6 ND.
Sleeping Proxy:
A 6BBR acts as a Sleeping Proxy if it answers ND Neighbor
Solicitations over the Backbone on behalf of the Registering
Node which might be in a sleep state in a low power network.
The Sleeping Proxy that is also a Bridging Proxy will preferably
forward the relevant messages to the Registering Node as unicast
frames in accord to the duty cycle of the Registering Node and let it
respond.
Routing Proxy:
A Routing Proxy provides IPv6 ND proxy functions and enables the
MLSN operation over federated links that may not be compatible for
bridging. The Routing Proxy advertises its own MAC
Address as the Target Link Layer Address (TLLA) in the proxied NAs
over the Backbone, and routes
at the Network Layer between the federated links.
Bridging Proxy:
A Bridging Proxy provides IPv6 ND proxy functions while preserving
forwarding continuity at the MAC Layer. The Bridging Proxy advertises
the MAC Address of the Registering Node as the TLLA in the proxied NAs
over the Backbone. In that case, the MAC Address and the mobility of
6LN is still visible across the bridged Backbone, and the 6BBR may be
configured to proxy for Link Local Addresses.
Binding Table:
The Binding Table is an abstract database that is maintained by the
6BBR to store the state associated with its registrations.
Binding:
A Binding is an abstract state associated to one registration, in
other words one entry in the Binding Table.
Abbreviations This document uses the following abbreviations:
6BBR:
6LoWPAN Backbone Router
6LBR:
6LoWPAN Border Router
6LN:
6LoWPAN Node
6LR:
6LoWPAN Router
6CIO:
Capability Indication Option
ARO:
Address Registration Option
DAC:
Duplicate Address Confirmation
DAD:
Duplicate Address Detection
DAR:
Duplicate Address Request
EARO:
Extended Address Registration Option
EDAC:
Extended Duplicate Address Confirmation
EDAR:
Extended Duplicate Address Request
DODAG:
Destination-Oriented Directed Acyclic Graph
ID:
Identifier
LLN:
Low-Power and Lossy Network
NA:
Neighbor Advertisement
MAC:
Medium Access Control
NCE:
Neighbor Cache Entry
ND:
Neighbor Discovery
NDP:
Neighbor Discovery Protocol
NS:
Neighbor Solicitation
NS(DAD):
NDP NS message used for the purpose of duplication avoidance (multicast)
NS(Lookup):
NDP NS message used for the purpose of address resolution (multicast)
NS(NUD):
NDP NS message used for the purpose of unreachability detection (unicast)
NUD:
Neighbor Unreachability Detection
ROVR:
Registration Ownership Verifier
RPL:
IPv6 Routing Protocol for LLNs
RA:
Router Advertisement
RS:
Router Solicitation
SNMA:
Solicited-Node Multicast Address
LLA:
Link Layer Address (aka MAC address)
SLLA:
Source Link Layer Address
TLLA:
Target Link Layer Address
TID:
Transaction ID
References
In this document, readers will encounter terms and concepts
that are discussed in the following documents:
"Neighbor Discovery for IP version 6"
,
"IPv6 Stateless Address Autoconfiguration"
and
"Optimistic Duplicate Address Detection"
,
"Neighbor Discovery Proxies (proxy-ND)"
and
"Multi-Link Subnet Issues",
"Problem Statement and Requirements for
IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN)
Routing" , and
Neighbor Discovery Optimization for Low-Power
and Lossy Networks and
"Registration Extensions for 6LoWPAN Neighbor Discovery".
Overview This section and its subsections present a non-normative high level view of
the operation of the 6BBR. The following sections cover the normative part.
illustrates a backbone link that federates a
collection of LLNs as a single IPv6 Subnet, with a number of 6BBRs
providing proxy-ND services to their attached LLNs.
The LLN may be a hub-and-spoke access link such as (Low-Power)
IEEE STD. 802.11 (Wi-Fi)
and IEEE STD. 802.15.1 (Bluetooth) ,
or a Mesh-Under or a Route-Over network .
The proxy state can be distributed across multiple 6BBRs attached to
the same Backbone.
Backbone Link and Backbone Routers
The main features of a 6BBR are as follows:
Multi-Link-subnet functions (provided by the 6BBR on the
backbone) performed on behalf of registered 6LNs, and
Routing registrar services that reduce multicast within the LLN:
Binding Table management
failover, e.g., due to mobility
Each Backbone Router (6BBR) maintains a data structure for its
Registered Addresses called a Binding Table. The combined Binding Tables
of all the 6BBRs on a backbone form a distributed database of 6LNs
that reside in the LLNs or on the IPv6 Backbone.
Unless otherwise configured, a 6BBR does the following:
Create a new entry in a Binding Table for a new
Registered Address and ensure that the Address is not
duplicated over the Backbone.
Advertise a Registered Address over the Backbone using an unsolicited NA
message, asynchronously or as a response to a NS message. This includes
joining the multicast group associated to the SNMA derived from the
Registered Address as specified in
section 7.2.1. of over the Backbone.
The 6BBR may respond immediately as a Proxy in lieu of the Registering Node, e.g., if the Registering Node has a sleeping cycle that the 6BBR does not want to interrupt, or if the 6BBR has a recent state that is deemed fresh enough to permit the proxied response. It is preferred, though, that the 6BBR checks whether the Registering Node is still responsive on the Registered Address. To that effect:
- as a Bridging Proxy:
the 6BBR forwards the multicast DAD and Address Lookup messages as a unicast MAC-Layer frames to the MAC address of the Registering Node that matches the Target in the ND message, and forwards as is the unicast Neighbor Unreachability Detection (NUD) messages, so as to let the Registering Node answer with the ND Message and options that it sees fit;
- as a Routing Proxy:
the 6BBR checks the liveliness of the Registering Node, e.g., using a NUD verification, before answering on its behalf.
Deliver packets arriving from the LLN, using Neighbor Solicitation
messages to look up the destination over the Backbone.
Forward or bridge packets between the LLN and the Backbone.
Verify liveness for a registration, when needed.
The first of these functions enables the 6BBR to fulfill its
role as a Routing Registrar for each of its attached LLNs.
The remaining functions fulfill the role of the 6BBRs as the
border routers connecting the
Multi-link IPv6 subnet to the Internet.
The operation of IPv6 ND and of proxy-ND are not mutually exclusive on the Backbone, meaning that nodes attached to the Backbone and using IPv6 ND can transparently interact with 6LNs that rely on a 6BBR to proxy ND for them, whether the 6LNs are reachable over an LLN or directly attached to the Backbone.
The registration mechanism used to learn addresses to be proxied for may
co-exist in a 6BBR with a proprietary snooping or the traditional bridging functionality of an Access Point, in order to support legacy LLN nodes that do not support this specification.
The registration to a proxy service uses an NS/NA(EARO) exchange.
The 6BBR operation resembles that of a
Mobile IPv6 (MIPv6) Home Agent (HA).
The combination of a 6BBR and a MIPv6 HA enables full mobility
support for 6LNs, inside and outside the links that form the subnet.
The 6BBRs use the Extended Address Registration Option (EARO) defined in
as follows:
The EARO is used in the IPv6 ND exchanges over the Backbone
between the 6BBRs to help distinguish duplication from movement.
Extended Duplicate Address Messages (EDAR and EDAC) may also be
used between a 6LBR, if one is present, and the 6BBR.
Address duplication is detected using the ROVR field.
Conflicting registrations to different 6BBRs for the same
Registered Address are resolved using the TID field.
The Link Layer Address (LLA) that the 6BBR advertises for the
Registered Address on behalf of the Registered Node over the
Backbone can belong to the Registering Node; in that case, the 6BBR
(acting as a Bridging Proxy (see ))
bridges the unicast packets. Alternatively, the LLA can be that
of the 6BBR on the Backbone interface, in which case the 6BBR
(acting as a Routing Proxy(see ))
receives the unicast packets at Layer 3 and routes over.
Updating RFC 6775 and RFC 8505
This specification adds the EARO as a possible option in RS, NS(DAD)
and NA messages over the backbone. requires
that the registration NS(EARO) contains an Source Link Layer Address Option
(SLLAO).
This specification details the use of those messages
over the backbone.
Note: requires that the
registration NS(EARO) contains an SLLAO and that
the NS(DAD) is sent from the unspecified address for which there cannot be a
SLLAO. Consequently, an NS(DAD) cannot be confused with a registration.
This specification adds the capability to insert IPv6 ND options in
the EDAR and EDAC messages. In particular, a 6BBR acting as a 6LR for
the Registered Address can insert an SLLAO in the EDAR to the 6LBR in
order to avoid a Lookup back. This enables the 6LBR to store the MAC
address associated to the Registered Address on a Link and to serve as a
mapping server as described in
.
Access Link
The simplest Multi-Link Subnet topology from the Layer 3 perspective occurs
when the wireless network appears as a single hop hub-and-spoke network as
shown in . The Layer 2 operation may effectively
be hub-and-spoke (e.g., Wi-Fi) or Mesh-Under, with a Layer 2 protocol
handling the complex topology.
Access Link Use case illustrates a flow where 6LN forms an IPv6
Address and registers it to a 6BBR acting as a 6LR
. The 6BBR applies ODAD (see
) to the registered address to enable
connectivity while the message flow is still in progress.
In this example, a 6LBR is deployed on the backbone link to serve the whole
subnet, and EDAR / EDAC messages are used in combination with DAD to enable
coexistence with IPv6 ND over the backbone.
The RS sent initially by the 6LN(STA) is transmitted as a multicast but
since it is intercepted by the 6BBR, it is never effectively broadcast.
The multiple arrows associated to the ND messages on the Backbone denote a
real Layer 2 broadcast.
Initial Registration Flow to a 6BBR acting as Routing Proxy| | |
| RA(PIO, Unicast)| | |
|<----------------| | |
| NS(EARO) | | |
|---------------->| | |
| | Extended DAR | |
| |--------------->| |
| | Extended DAC | |
| |<---------------| |
| | |
| | NS-DAD(EARO, multicast) |
| |--------> |
| |----------------------------------->|
| | |
| | RS(no SLLAO, for ODAD) |
| |----------------------------------->|
| | if (no fresher Binding) NS(Lookup) |
| | <----------------|
| |<-----------------------------------|
| | NA(SLLAO, not(O), EARO) |
| |----------------------------------->|
| | RA(unicast) |
| |<-----------------------------------|
| | |
| IPv6 Packets in optimistic mode |
|<---------------------------------------------------->|
| | |
| |
| NA(EARO) |
|<----------------|
| |]]>Route-Over Mesh
A more complex Multi-Link Subnet topology occurs when the wireless network
appears as a Layer 3 Mesh network as shown in .
A so-called Route-Over routing protocol exposes routes between 6LRs towards
both 6LRs and 6LNs, and a 6LBR acts as Root of the Layer 3 Mesh network and
proxy-registers the LLN addresses to the 6BBR.
Route-Over Mesh Use case illustrates IPv6 signaling that
enables a 6LN (the Registered Node) to form a Global or a Unique-Local Address and register it to the 6LBR that serves its LLN using .
The 6LBR (the Registering Node) then proxies the registration to the 6BBR to obtain proxy-ND services from the 6BBR.
As above,
the RS sent initially by the 6LN(STA) is a transmitted as a multicast but
since it is intercepted by the 6BBR, it is never effectively broadcast,
and the multiple arrows associated to the ND messages on the Backbone denote
a real Layer 2 broadcast.
Initial Registration Flow over Route-Over Mesh| | |
|-----------> | | |
|------------------> | |
| IPv6 ND RA | | |
|<--------------| | |
| | | |
| NS(EARO) | | |
|-------------->| | |
| 6LoWPAN ND | Extended DAR | |
| |-------------->| |
| | | NS(EARO) |
| | |-------------->|
| | | (proxied) | NS-DAD
| | | |------>
| | | | (EARO)
| | | |
| | | NA(EARO) |
| | |<--------------|
| | Extended DAC | |
| |<--------------| |
| NA(EARO) | | |
|<--------------| | |
| | | |]]>
As a non-normative example of a Route-Over Mesh, the
6TiSCH architecture
suggests using the RPL routing protocol and collocating the RPL
root with a 6LBR that serves the LLN. The 6LBR is also either collocated with or directly connected to the 6BBR over an IPv6 Link.
The Binding Table
Addresses in an LLN that are reachable from the Backbone by way of the 6BBR
function must be registered to that 6BBR, using an NS(EARO) with the R flag
set .
A 6BBR maintains a state for its active registrations in an abstract
Binding Table.
An entry in the Binding Table is called a "Binding".
A Binding may be in Tentative, Reachable or Stale state.
The 6BBR uses a combination of and IPv6 ND over the
Backbone to advertise the registration and avoid a duplication.
Conflicting registrations are solved by the 6BBRs, transparently to the
Registering Nodes.
Only one 6LN may register a given Address, but the Address may be registered
to Multiple 6BBRs for higher availability.
Over the LLN, Binding Table management is as follows:
De-registrations (newer TID, same ROVR, null Lifetime) are
accepted with a status of 4 ("Removed"); the entry is deleted;
Newer registrations (newer TID, same ROVR, non-null Lifetime) are
accepted with a status of 0 (Success); the Binding is updated
with the new TID, the Registration Lifetime and the Registering
Node; in Tentative state the EDAC response
is held and may be overwritten; in other states the
Registration Lifetime timer is restarted and the entry is placed
in Reachable state.
Identical registrations (same TID, same ROVR) from the same
Registering Node are accepted with a status of 0 (Success).
In Tentative state, the response is held and may be overwritten,
but the response is eventually produced, carrying
the result of the DAD process;
Older registrations (older TID, same ROVR) from the same
Registering Node are discarded;
Identical and older registrations (not-newer TID, same ROVR) from
a different Registering Node are rejected with a status of 3
(Moved); this may be rate limited to avoid undue interference;
Any registration for the same address but with a different
ROVR is rejected with a status of 1 (Duplicate).
The operation of the Binding Table is specified in detail in .
Primary and Secondary 6BBRs
The same address may be successfully registered to more than one 6BBR,
in which case the Registering Node uses the same EARO in all the parallel
registrations.
To allow for this, ND(DAD) and NA messages with an EARO that indicate
an identical Binding in another 6BBR (same Registered address, same TID,
same ROVR) are silently ignored.
A 6BBR may optionally be primary or secondary. The primary is the 6BBR
that has the highest EUI-64
Address of all the 6BBRs that share a registration for the same
Registered Address, with the same ROVR and same Transaction ID, the
EUI-64 Address being considered as an unsigned 64bit integer.
A given 6BBR can be primary for a given Address and secondary for another
Address, regardless of whether or not the Addresses belong to the same 6LN.
In the following sections, is is expected that an NA is sent over the
backbone only if the node is primary or does not support the concept of
primary. More than one 6BBR claiming or defending an address generates
unwanted traffic but no reachability issue since all 6BBRs provide
reachability from the Backbone to the 6LN.
Using Optimistic DADOptimistic Duplicate Address Detection
(ODAD) specifies how an IPv6 Address can be used before completion of
Duplicate Address Detection (DAD). ODAD guarantees that this behavior
will not cause harm if the new Address is a duplicate.
Support for ODAD avoids delays in installing the Neighbor Cache Entry (NCE)
in the 6BBRs and the default router, enabling immediate connectivity
to the registered node. As shown in , if the
6BBR is aware of the Link-Layer Address (LLA) of a router, then the
6BBR sends a Router Solicitation (RS), using the Registered Address as
the IP Source Address, to the known router(s). The RS is sent
without a Source LLA Option (SLLAO), to avoid invalidating a
preexisting NCE in the router.
Following ODAD, the router may then send a unicast RA to the Registered
Address, and it may resolve that Address using an NS(Lookup) message.
In response, the 6BBR sends an NA with an EARO and the Override (O) flag
that is not set.
The router can then determine the freshest EARO in case of
conflicting NA(EARO) messages, using the method described in section 5.2.1
of .
If the NA(EARO) is the freshest answer, the default router creates a
Binding with the SLLAO of the 6BBR (in Routing Proxy mode) or that of the
Registering Node (in Bridging Proxy mode) so that traffic from/to the
Registered Address can flow immediately.
Multi-Link Subnet Considerations
The Backbone and the federated LLN Links are considered as different
links in the Multi-Link Subnet, even if multiple LLNs are attached to
the same 6BBR. ND messages are link-scoped and are not forwarded by the
6BBR between the backbone and the LLNs though some packets may be
reinjected in Bridging Proxy mode (see ).
Nodes located inside the subnet do not perform the IPv6 Path MTU
Discovery . For that reason, the MTU MUST have
the same value on the Backbone and all attached LLNs. As a consequence,
the 6BBR MUST use the same MTU value in RAs over the Backbone and
in the RAs that it transmits towards the LLN links.
Optional 6LBR serving the Multi-Link Subnet
A 6LBR can be deployed to serve the whole MLSN. It may be attached to the
backbone, in which case it can be discovered by its capability advertisement
(see section 4.3. of ) in RA messages.
This specification allows for an address to be registered to more than one
6BBR. Consequently a 6LBR MUST be capable of maintaining state for
each of the 6BBR having registered with the same TID and same ROVR.
When a 6LBR is present, the 6BBR uses an EDAR/EDAC message
exchange with the 6LBR to check if the new registration corresponds to a duplication or a movement.
This is done prior to the NS(DAD) process, which may be avoided if
the 6LBR already maintains a conflicting state for the Registered Address.
If this registration is duplicate or not the freshest, then the 6LBR
replies with an EDAC message with a status code of 1 ("Duplicate
Address") or 3 ("Moved"), respectively.
If this registration is the freshest, then the 6LBR replies with a status
code of 0. In that case, if this registration is fresher than an existing
registration for another 6BBR, then the 6LBR also sends an asynchronous
EDAC with a status of 4 ("Removed") to that other 6BBR.
The EDAR message SHOULD carry the SLLAO used in NS messages by the 6BBR
for that Binding, and the EDAC message SHOULD carry the Target Link Layer
Address Option (TLLAO) associated with the currently accepted registration.
This enables a 6BBR to locate
the new position of a mobile 6LN in the case of a Routing Proxy operation,
and opens the capability for the 6LBR to serve as a mapping server in the
future.
Note that if Link Local addresses are registered, then the scope of
uniqueness on which the address duplication is checked is the total
collection of links that the 6LBR serves as opposed to the sole link on
which the Link Local address is assigned.
Using IPv6 ND Over the Backbone Link
On the Backbone side, the 6BBR MUST join the SNMA group corresponding
to a Registered Address as soon as it creates a Binding for that
Address, and maintain that SNMA membership as long as it maintains the
registration.
The 6BBR uses either the SNMA or plain unicast to
defend the Registered Addresses in its Binding Table over the
Backbone (as specified in ).
The 6BBR advertises and defends the Registered Addresses over the
Backbone Link using RS, NS(DAD) and NA messages with the Registered
Address as the Source or Target address, respectively.
The 6BBR MUST place an EARO in the IPv6 ND messages that it generates
on behalf of the Registered Node. Note that an NS(DAD) does not
contain an SLLAO and cannot be confused with a proxy registration such as
performed by a 6LBR.
An NA message generated in response to an NS(DAD) MUST have the Override
flag set and a status of 1 (Duplicate) or 3 (Moved) in the EARO.
An NA message generated in response to an NS(Lookup) or an NS(NUD) MUST
NOT have the Override flag set.
This specification enables proxy operation for the IPv6 ND resolution of
LLN devices and a prefix that is used across a Multi-Link Subnet MAY be
advertised as on-link over the Backbone. This is done for backward
compatibility with existing IPv6 hosts by setting the L flag in the Prefix
Information Option (PIO) of RA messages .
For movement involving a slow reattachment, the NUD procedure
defined in may time out too
quickly. Nodes on the backbone SHOULD support
whenever possible.
Routing Proxy Operations
A Routing Proxy provides IPv6 ND proxy functions for Global and Unique
Local addresses between the LLN and the backbone, but not for Link-Local
addresses. It operates as an IPv6 border router and provides a full
Link-Layer isolation.
In this mode, it is not required that the MAC addresses of the 6LNs are
visible at Layer 2 over the Backbone. It is thus useful when the messaging
over the Backbone that is associated to wireless mobility becomes
expensive, e.g., when the Layer 2 topology is virtualized over a wide area
IP underlay.
This mode is definitely required when the LLN uses a MAC address format
that is different from that on the Backbone (e.g., EUI-64 vs. EUI-48).
Since a 6LN may not be able to resolve an arbitrary destination in the
MLSN directly, the MLSN prefix MUST NOT be advertised as on-link in RA
messages sent towards the LLN.
In order to maintain IP connectivity, the 6BBR installs a connected
Host route to the Registered Address on the LLN interface, via the
Registering Node as identified by the Source Address and the SLLA
option in the NS(EARO) messages.
When operating as a Routing Proxy, the 6BBR MUST use its Layer 2
Address on its Backbone Interface in the SLLAO of the RS messages and
the TLLAO of the NA messages that it generates to advertise the
Registered Addresses.
For each Registered Address, multiple peers on the Backbone may
have resolved the Address with the 6BBR MAC Address, maintaining that
mapping in their Neighbor Cache. The 6BBR SHOULD maintain a list of
the peers on the Backbone which have associated its MAC Address with
the Registered Address. If that Registered Address moves to a new 6BBR,
the previous 6BBR SHOULD unicast a gratuitous NA with the
Override flag set to each such peer, to supply the LLA of the new
6BBR in the TLLA option for the Address.
A 6BBR that does not maintain this list MAY multicast a
gratuitous NA with the Override flag; this NA
will possibly hit all the nodes on the Backbone, whether or not
they maintain an NCE for the Registered Address.
If a correspondent fails to receive the gratuitous NA, it will keep
sending traffic to a 6BBR to which the node was previously registered.
Since the previous 6BBR removed its Host route to the Registered Address,
it will look up the address over the backbone, resolve the address
with the LLA of the new 6BBR, and forward the packet to the correct
6BBR. The previous 6BBR SHOULD also issue a redirect message
to update the cache of the correspondent.
Bridging Proxy Operations
A Bridging Proxy provides IPv6 ND proxy functions between the LLN and the
backbone while preserving the forwarding continuity at the MAC Layer.
It acts as a Layer 2 Bridge for all types of unicast packets including
link-scoped, and appears as an IPv6 Host on the Backbone.
The Bridging Proxy registers any Binding including for a Link-Local
address to the 6LBR (if present) and defends it over the backbone in IPv6
ND procedures.
To achieve this, the Bridging Proxy intercepts the IPv6 ND messages
and may reinject them on the other side, respond directly or drop them.
For instance, an ND(Lookup) from the backbone that matches a Binding can be
responded directly, or turned into a unicast on the LLN side to let the
6LN respond.
As a Bridging Proxy, the 6BBR MUST use the Registering Node's Layer 2
Address in the SLLAO of the NS/RS messages and the TLLAO of the NA
messages that it generates to advertise the Registered Addresses.
The Registering Node's Layer 2 address is found in the SLLA of the
registration NS(EARO), and maintained in the Binding Table.
The Multi-Link Subnet prefix SHOULD NOT be advertised as on-link in RA
messages sent towards the LLN.
If a destination address is seen as on-link, then a 6LN may use NS(Lookup)
messages to resolve that address. In that case, the 6BBR MUST either answer the NS(Lookup) message directly or reinject the message on the
backbone, either as a Layer 2 unicast or a multicast.
If the Registering Node owns the Registered Address, then
its mobility does not impact existing NCEs over the Backbone.
Otherwise, when the 6LN selects another Registering Node, the new
Registering Node SHOULD send a multicast NA with the Override
flag set to fix the existing NCEs across the Backbone.
This method can fail if the multicast message is not received; one or more
correspondent nodes on the Backbone might maintain an stale NCE,
and packets to the Registered Address may be lost.
When this condition happens, it is eventually discovered and
resolved using NUD as
defined in .
Creating and Maintaining a Binding
Upon receiving a registration for a new Address (i.e., an NS(EARO) with
the R flag set), the 6BBR creates a Binding and operates as a 6LR according
to , interacting with the 6LBR if one is present.
An implementation of a Routing Proxy that creates a Binding MUST also create an associated Host route pointing to the registering node in the LLN
interface from which the registration was received.
The 6LR operation is modified as follows:
EDAR and EDAC messages SHOULD carry a SLLAO and a TLLAO, respectively.
A Bridging Proxy MAY register Link Local addresses at the 6BBR and
proxy ND for these addresses over the backbone.
An EDAC message with a status of 9 (6LBR Registry Saturated) is
assimilated as a status of 0 if a following DAD process protects the
address against duplication.
This specification enables nodes on a Backbone Link to co-exist along
with nodes implementing IPv6 ND as well as other
non-normative specifications such as .
It is possible that not all IPv6 addresses on the Backbone are registered
and known to the 6LBR, and an EDAR/EDAC echange with the 6LBR might
succeed even for a duplicate address.
Consequently, and unless administratively overridden, the 6BBR still
needs to perform IPv6 ND DAD over the backbone after an EDAC with a
status code of 0 or 9.
For the DAD operation, the Binding is placed in Tentative state for a
duration of TENTATIVE_DURATION (),
and an NS(DAD) message is sent as a multicast
message over the Backbone to the SNMA associated with the registered Address
.
The EARO from the registration MUST be placed unchanged in the NS(DAD)
message.
If a registration is received for an existing Binding with a non-null
Registration Lifetime and the registration is fresher (same ROVR, fresher TID), then the Binding is updated, with the new Registration Lifetime,
TID, and possibly Registering Node. In Tentative state
(see ), the current DAD operation continues unaltered.
In other states (see and ),
the Binding is placed in Reachable state for the Registration Lifetime, and
the 6BBR returns an NA(EARO) to the Registering Node with a status of 0
(Success).
Upon a registration that is identical (same ROVR, TID, and Registering
Node), the 6BBR returns an NA(EARO) back to the Registering Node with a status of 0 (Success).
A registration that is not as fresh (same ROVR, older TID) is ignored.
If a registration is received for an existing Binding and a registration
Lifetime of zero, then the Binding is removed, and the 6BBR returns an
NA(EARO) back to the Registering Node with a status of 0 (Success).
An implementation of a Routing Proxy that removes a binding MUST remove the
associated Host route pointing on the registering node.
It MAY preserve a temporary state in order to forward packets in flight.
The state may be a NCE formed based on a received NA message, or a Binding
in Stale state and pointing at the new 6BBR on the backbone.
The implementation should also use REDIRECT messages as specified in
to update the correspondents for the Registered
Address, pointing the new 6BBR.
Operations on a Binding in Tentative StateThe Tentative state covers a DAD period over the backbone during which
an address being registered is checked for duplication using procedures
defined in .
For a Binding in Tentative state:
The Binding MUST be removed if an NA message is received over the
Backbone for the Registered Address with no EARO, or containing an EARO
with a status of 1 (Duplicate) that indicates an existing registration
owned by a different Registering Node. In that case, an NA MUST be
sent back to the Registering Node with a status of 1 (Duplicate) in
the EARO. This behavior might be overriden by policy, in particular
if the registration is trusted, e.g., based on the validation of the
ROVR field (see ).
An NS(DAD) with no EARO or with an EARO that indicates a duplicate
registration (i.e., different ROVR) MUST be answered with an NA message
containing an EARO with a status of 1 (Duplicate) and the Override flag
not set. This behavior might be overriden by policy, in particular
if the registration is not trusted.
The Binding MUST be removed if an NA message is received over the
Backbone for the Registered Address containing an EARO with a
status of 3 (Moved), or an NS(DAD) with an EARO that indicates a
fresher registration () for the same Registered
Node (i.e., same ROVR).
A status of 3 is returned in the NA(EARO) back to the Registering Node.
NS(DAD) and NA messages containing an EARO that indicates a
registration for the same Registered Node that is not as fresh as this
SHOULD be answered with an NA message containing an EARO with a
status of 3 (Moved) in order to clean up the situation immediately.
Other NS(DAD) and NA messages from the Backbone are ignored.
NS(Lookup) and NS(NUD) messages SHOULD be optimistically answered with
an NA message containing an EARO with a status of 0 and the Override
flag not set (see ).
If optimistic DAD is disabled, then they SHOULD be queued to be answered
when the Binding goes to Reachable state.
When the TENTATIVE_DURATION () timer elapses,
the Binding is placed in
Reachable state for the Registration Lifetime, and the 6BBR returns
an NA(EARO) to the Registering Node with a status of 0 (Success).
The 6BBR also attempts to take over any existing Binding from other
6BBRs and to update existing NCEs in backbone nodes. This is done by
sending an NA message with an EARO and the Override flag set over the
backbone
(see and ).
Operations on a Binding in Reachable State
The Reachable state covers an active registration after a successful DAD
process.
If the Registration Lifetime is of a long duration,
an implementation might be configured to reassess the availability of the
Registering Node at a lower period, using a NUD procedure as specified in
. If the NUD procedure fails, the Binding SHOULD be
placed in Stale state immediately.
For a Binding in Reachable state:
The Binding MUST be removed if an NA or an NS(DAD) message is received
over the Backbone for the Registered Address containing an EARO that
indicates a fresher registration () for the same
Registered Node (i.e., same ROVR).
A status of 4 (Removed) is returned in an asynchronous NA(EARO) to the
Registering Node.
Based on configuration, an implementation may delay this operation by a
timer with a short setting, e.g., a few seconds to a minute, in order
to a allow for a parallel registration to reach this node, in which case
the NA might be ignored.
An NS(DAD) with no EARO or with an EARO that indicates a duplicate
registration (i.e., different ROVR) MUST be answered with an NA message
containing an EARO with a status of 1 (Duplicate) and the Override flag
not set.
NS(DAD) and NA messages containing an EARO that indicates a
registration for the same Registered Node that is not as fresh as this
binding MUST be answered with an NA message containing an EARO with a
status of 3 (Moved).
Other NS(DAD) and NA messages from the Backbone are ignored.
NS(Lookup) and NS(NUD) messages SHOULD be answered with
an NA message containing an EARO with a status of 0 and the Override
flag not set. The 6BBR MAY check whether
the Registering Node is still available using a NUD procedure over the
LLN prior to answering;
this behaviour depends on the use case and is subject to configuration.
When the Registration Lifetime timer elapses, the Binding is placed in
Stale state for a duration of STALE_DURATION ().
Operations on a Binding in Stale State
The Stale state enables tracking of the Backbone peers that have a
NCE pointing to this 6BBR in case the Registered Address shows up later.
If the Registered Address is claimed by another 6LN on the Backbone, with an
NS(DAD) or an NA, the 6BBR does not defend the Address.
For a Binding in Stale state:
The Binding MUST be removed if an NA or an NS(DAD) message is received
over the Backbone for the Registered Address containing no EARO or
an EARO that indicates either a fresher registration for the same
Registered Node or a duplicate registration.
A status of 4 (Removed) MAY be returned in an asynchronous NA(EARO) to
the Registering Node.
NS(DAD) and NA messages containing an EARO that indicates a
registration for the same Registered Node that is not as fresh as this
MUST be answered with an NA message containing an EARO with a
status of 3 (Moved).
If the 6BBR receives an NS(Lookup) or an NS(NUD) message for the
Registered Address, the 6BBR MUST attempt a NUD procedure as specified
in to the Registering Node, targeting
the Registered Address, prior to answering. If the NUD procedure
succeeds, the operation in Reachable state applies. If the NUD fails,
the 6BBR refrains from answering.
Other NS(DAD) and NA messages from the Backbone are ignored.
When the STALE_DURATION () timer elapses, the
Binding MUST be removed.
Registering Node Considerations
A Registering Node MUST implement in order to
interact with a 6BBR (which acts as a routing registrar). Following
, the Registering Node signals that it requires IPv6
proxy-ND services from a 6BBR by registering the corresponding IPv6 Address
using an NS(EARO) message with the R flag set.
The Registering Node may be the 6LN owning the IPv6 Address, or a 6LBR that
performs the registration on its behalf in a Route-Over mesh.
The Registering Node SHOULD register all of its IPv6 Addresses to its 6LR,
which is the 6BBR when they are connected at Layer 2. Failure to register an
address may result in the address being unreachable by other parties
if the 6BBR cancels the NS(Lookup) over the LLN or to selected LLN
nodes that are known to register their addresses.
The Registering Node MUST refrain from using multicast NS(Lookup) when the
destination is not known as on-link, e.g., if the prefix is advertised
in a PIO with the L flag that is not set. In that case, the Registering
Node sends its packets directly to its 6LR.
The Registering Node SHOULD also follow in order to
limit the use of multicast RAs. It SHOULD also implement
Simple Procedures for Detecting Network Attachment
in IPv6 (DNA procedures) to detect movements, and
support
Packet-Loss Resiliency for Router Solicitations in order to
improve reliability for the unicast RS messages.
Security Considerations
This specification applies to LLNs and a backbone in which the individual links are protected against rogue access, e.g., by authenticating a node that attaches to the network and encrypting at the MAC layer the transmissions that may be overheard.
In particular,
the LLN MAC is required to provide secure unicast to/from the
Backbone Router and secure Broadcast from the Backbone Router
in a way that prevents tampering with or replaying the RA messages.
guarantees the ownership of a registered address based on a proof-of-ownership encoded in the ROVR field and protects against address theft and impersonation inside the LLN, because the 6LR can challenge the Registered Node for a proof-of-ownership. This method does not extend over the backbone since the 6BBR cannot provide the proof-of-ownership.
A possible attack over the backbone can be done by sending an NS with
an EARO and expecting the NA(EARO) back to contain the TID and ROVR
fields of the existing state. With that information, the attacker can
easily increase the TID and take over the Binding.
Protocol Constants
This Specification uses the following constants:
TENTATIVE_DURATION:
800 milliseconds
STALE_DURATION:
see below
In LLNs with long-lived Addresses such as LPWANs, STALE_DURATION
SHOULD be configured with a relatively long value to cover an interval when the address may be reused, and before it is safe to expect that the address was definitively released. A good default value can be 24 hours.
In LLNs where addresses are renewed rapidly, e.g., for privacy reasons,
STALE_DURATION SHOULD be configured with a relatively shorter value, by
default 5 minutes.
IANA ConsiderationsThis document has no request to IANA. AcknowledgmentsMany thanks to Dorothy Stanley, Thomas Watteyne and Jerome Henry for their various contributions.
Also many thanks to Timothy Winters and Erik Nordmark for their help, review and support in preparation to the IESG cycle, and to Kyle Rose, Elwyn Davies and Dominique Barthel for their useful contributions through the IETF last call and IESG process.
Normative ReferencesInformative References
IEEE Standard for Information technology -- Telecommunications
and information exchange between systems Local and metropolitan
area networks Part 1: Bridging and Architecture
IEEE standard for Information TechnologyIEEE Standard for Information technology --
Telecommunications and information exchange between systems
Local and metropolitan area networks-- Specific requirements
Part 11: Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications
IEEE standard for Information Technology IEEE Standard for Information Technology -
Telecommunications and Information Exchange Between Systems -
Local and Metropolitan Area Networks - Specific Requirements. -
Part 15.1: Wireless Medium Access Control (MAC) and Physical
Layer (PHY) Specifications for Wireless Personal Area Networks
(WPANs)
IEEE standard for Information Technology
IEEE Standard for Local and metropolitan area networks --
Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs)
IEEE standard for Information Technology
Possible Future Extensions
With the current specification, the 6LBR is not leveraged to avoid
multicast NS(Lookup) on the Backbone. This could be done by adding
a lookup procedure in the EDAR/EDAC exchange.
By default the specification does not have a trust model, e.g., whereby
nodes that associate their address with a proof-of-ownership
should be more trusted than nodes that
do not. Such a trust model and related signaling could be added in the
future to override the default operation and favor trusted nodes.
Future documents may extend this specification by allowing the
6BBR to redistribute Host routes in routing protocols that would
operate over the Backbone, or in MIPv6, or FMIP, or the
Locator/ID Separation Protocol (LISP)
to support mobility on behalf of the 6LNs, etc...
LISP may also be used to provide an equivalent to the EDAR/EDAC exchange
using a Map Server / Map Resolver as a replacement to the 6LBR.
Applicability and Requirements Served
This document specifies proxy-ND functions that can be used to
federate an IPv6 Backbone Link and multiple IPv6 LLNs into a
single Multi-Link Subnet. The proxy-ND functions enable IPv6 ND
services for Duplicate Address Detection (DAD) and Address Lookup
that do not require broadcasts over the LLNs.
The term LLN is used to cover multiple types of WLANs and WPANs,
including (Low-Power) Wi-Fi, BLUETOOTH(R) Low Energy,
IEEE STD 802.11ah and IEEE STD.802.15.4 wireless meshes, covering the
types of networks listed in Appendix B.3 of
"Requirements Related to Various Low-Power Link Types".
Each LLN in the subnet is attached to an IPv6 Backbone Router (6BBR).
The Backbone Routers interconnect the LLNs and advertise the Addresses
of the 6LNs over the Backbone Link using proxy-ND operations.
This specification updates IPv6 ND over the Backbone to
distinguish Address movement from duplication and eliminate stale
state in the Backbone routers and Backbone nodes once a 6LN has
roamed. This way, mobile nodes may roam rapidly from
one 6BBR to the next and requirements in Appendix B.1 of
"Requirements Related to Mobility" are met.
A 6LN can register its IPv6 Addresses and thereby obtain proxy-ND
services over the Backbone, meeting the requirements
expressed in Appendix B.4 of ,
"Requirements Related to Proxy Operations".
The impact if the IPv6 ND operation is limited to one of the federated LLNs, enabling the number of 6LNs to grow. The Routing Proxy operation avoids the need to expose the MAC addresses of the 6LNs onto the backbone, keeping the Layer 2 topology simple and stable. This meets the requirements in Appendix B.6 of
"Requirements Related to Scalability", as long has the 6BBRs are
dimensioned for the
number of registrations that each needs to support.
In the case of a Wi-Fi access link, a 6BBR may be collocated
with the Access Point (AP), or with a Fabric Edge (FE) or a CAPWAP
Wireless LAN Controller (WLC).
In those cases, the wireless client (STA) is the 6LN
that makes use of to register its IPv6
Address(es) to the 6BBR acting as Routing Registrar. The 6LBR can be
centralized and either connected to the Backbone Link or reachable
over IP.
The 6BBR proxy-ND operations eliminate the need for wireless nodes
to respond synchronously when a Lookup is performed for their IPv6
Addresses. This provides the function of a Sleep Proxy for ND
.
For the TimeSlotted Channel Hopping (TSCH) mode of
, the
6TiSCH architecture
describes how a 6LoWPAN ND host could connect to the Internet via a
RPL mesh Network, but doing so requires extensions to the 6LOWPAN ND
protocol to support mobility and reachability in a secure and
manageable environment. The extensions detailed in this document
also work for the 6TiSCH architecture, serving the requirements listed
in Appendix B.2 of
"Requirements Related to Routing Protocols".
The registration mechanism may be seen as a more reliable alternate to
snooping . It can be noted that
registration and snooping are not mutually exclusive. Snooping may be used in
conjunction with the registration for nodes that do not register their IPv6
Addresses.
The 6BBR assumes that if a node registers at least one IPv6 Address to it,
then the node registers all of its Addresses to the 6BBR.
With this assumption, the 6BBR can possibly cancel all undesirable multicast
NS messages that would otherwise have been delivered to that node.
Scalability of the Multi-Link Subnet requires
avoidance of multicast/broadcast operations as much as possible even on
the Backbone .
Although hosts can connect to the Backbone using IPv6 ND operations,
multicast RAs can be saved by using
, which also requires the
support of .