Some Design Choices for IPv6
Networks
Alcatel-Lucent
600 March Road
Ottawa
Ontario
K2K 2E6
Canada
+1 613-784-3139
philip_matthews@magma.ca
Cisco
88 Queens Quay
Toronto
ON
M5J0B8
Canada
victor@jvknet.com
Operations and Management
V6OPS Working Group
This document presents advice on certain routing-related design
choices that arise when designing IPv6 networks (both dual-stack and
IPv6-only). The intended audience is someone designing an IPv6 network
who is knowledgeable about best current practices around IPv4 network
design, and wishes to learn the corresponding practices for IPv6.
This document discusses foundational choices that arise when
designing a IPv6-only or dual-stack network. The focus is on routing
related design choices that are not normally addressed when designing an
IPv4-only network. The document presents each topic area along with the
most common design choices along with the pros and cons of each choice
(or alternative) in detail. Where consensus currently exists around the
best practice, this is documented; otherwise the document simply
summarizes the current state of the discussion. Thus this document
serves to both document the reasoning behind the best current practices
for IPv6, and to allow a designer to make an informed choice where no
such consensus exists.
The design choices presented apply to both Service Provider and
Enterprise network environments. The design areas with the relative
choices are not specific to Service Provider or Enterprise networks, but
the designer should be aware of their network requirements to best
utilize the guidance or choice selection which may differ in each of
these general network environments. Where specific choices have
selection criteria or analysis requirements which may differ between a
Service Provider or Enterprise environment, that will be noted in the
text. The designer is encouraged to ensure that they familiarize
themselves with any of the discussed technologies to ensure the best
selection is made for their environment.
This document does not present advice on strategies for adding IPv6
to a network, nor does it discuss transition in these areas, see for general advice, for
wireline service providers, for mobile network
providers, for exchange point operators, for content providers, and both and for enterprises. Nor
does this document discuss the particulars of creating an IPv6
addressing plan; for advice in this area, see
or . The details of ULA usage is also
not discussed; for this the reader is referred to .
Finally, this document focuses on unicast routing design only and
does not cover multicast or the issues involved in running MPLS over
IPv6 transport.
Each subsection below presents a design choice and discusses the pros
and cons of the various options. If there is consensus in the industry
for a particular option, then the consensus position is noted.
One of the first choices a network designer needs to make is the
type of IPv6 addresses to be used in the network core. IPv6, unlike
IPv4, introduces new addressing techniques and concepts, as
introduced in [RFC4291] which requires specific attention. The
introduction of concepts such as using multiple-addresses per
interface or the introduction of linked scoped address-types like
Link-Local, mean the designer needs to think beyond the constraints
of IPv4. There are also operational considerations as with the
concept of a provider assign PA (Provider Aggregatable assigned via
upstream provider) versus a Regional Internet Registry assigned PI
(Provider Independent assigned from Registry) address type.
At the time of writing, there are still some known operational
issues with IPv6 deployments which expose near term deployments to
functional or operational gaps that may one day be eliminated. Once
such gap is host address selection challenges as noted in [RFC5220]
and renumbering challenges as described in [RFC6879] and
[RFC7010].
Within this document, Unique Local Addresses (ULA) [RFC4193] are
likened to [RFC1918] addresses from an operational perspective.
Although ULAs are not architecturally similar to [RFC1918] private
addresses, the reasons for selecting them, and the challenge that
may arise if they are the only address type available to achieve
external network connectivity are similar. “Private” in
this document refers to the nature that ULAs would be typically used
for internal communications only, or externally with assistance from
technologies like NAT, given the addresses are not routed directly
with external networks.
A related choice is whether to use only link-local addresses on
certain links. That choice is discussed later in the document; this
section is about those addresses that must be visible throughout the
network.
The following table lists the main options available.
GRT Address Type
End-User Traffic
ISP
Enterprise
PI
Hop-by-hop
Works
Works
PI
Tunneled
Works. Using private space likely a better option.
Works. Using private space likely a better option.
PA
Hop-by-hop
Works
Works
PA
Tunneled
Works. Using private addresses likely better option.
Works. Using private addresses likely better option.
Private
Hop-by-hop
Will likely cause problems. See discussion below.
Works. Careful consideration due to NAT implications.
Private
Tunneled
Works
Works
As the table indicates, there are three options for the type of
addresses a network designer can use in the network core:
PI – Globally-unique IPv4 or IPv6 addresses obtained
directly from an address registry. An organization which has
such addresses is considered to have “its own”
address space.
PA – Globally-unique IPv4 or IPv6 addresses obtained
from an upstream provider. Such addresses must be returned if
the relationship with the upstream provider ceases.
Private – Either IPv4 addresses as per or unique-local IPv6 addresses .
In all cases, we are talking about the type of addresses
used in the GRT context (Global Routing Table aka base router). If
end-user traffic is routed hop-by-hop through the network based on
the destination address in the IP header, then this context is
visible to the end-user. However, if all end-user traffic is
tunneled through the core (for example, using MPLS) then this
context is not visible to the end-user.
First, consider the case where at least some end-user traffic is
routed hop-by-hop. In this case, the use of PI space is the best
option, as it gives the most flexibility in the future. However,
some organizations may be unable or unwilling to obtain PI space -
in this case PA space is the next-best choice. For an ISP, the use
of private address space is problematic - see for a discussion. For an enterprise, the use of
private address space is an option and may be seen as favourable
operationally, but should only be used after careful consideration
of the technological drawbacks. If ULAs are the only non-Link-Local
address available the hosts, the enterprise will need to use
translation technologies such as NPT or
NAT66 to reach the Internet. If the network has no connection to the
Internet, or the hosts only assigned a ULA do not need external
connectivity, then this limitation is not a problem.
Now consider the case where all end-user traffic is tunneled
through the core and thus the core is not visible to other networks.
In this case, the use of private addresses in the core is the most
reasonable and re-enforces the desire that these addresses have
limited visibility. The use of PI space is the next-best option -
two reasons for selecting this option is to provide flexibility in
case some traffic needs to be carried hop-by-hop in the future and
to be absolutely sure that there are no address conflicts. Getting
IPv4 PI space at this time will be difficult, but IPv6 PI space is
fairly easy.
The use of PA space is likely a poor option for many
organizations since these networks are connected to more then one
upstream provider and/or may need flexibility on how Internet
reachability needs to be managed. Using PA space subjects the end
network to possible reclamation of address space in the future,
which requires a renumbering activity.
Not shown in the table above are combinations of the basic
options. An example of a combination is using both PA and ULA
address space in the hop-by-hop enterprise case or multiple PA
and/or PI addresses. Combinations can reduce the magnitude of the
deficiency with a basic option, but does not eliminate it
completely. For example, using PA + ULA for the hop-by-hop
enterprise case reduces the amount of renumbering required when
changing providers compared with the pure PA case, but does not
eliminate it completely. Additional work analyzing the opportunities
for using multiple addresses and overcoming limitations can be found
in .
If a network is going to carry both IPv4 and IPv6 traffic, as
many networks do today, then a fundamental question arises: Should
an operator mix IPv4 and IPv6 traffic or keep them separated? More
specifically, should the design:
Mix IPv4 and IPv6 traffic on the same layer-3 interface,
OR
Separate IPv4 and IPv6 by using separate interfaces (e.g.,
two physical links or two VLANs on the same link)?
Option (a) implies a single layer-3 interface at each end of the
connection with both IPv4 and IPv6 addresses; while option (b)
implies two layer-3 interfaces at each end, one for IPv4 addresses
and one with IPv6 addresses.
The advantages of option (a) include:
Requires only half as many layer 3 interfaces as option (b),
thus providing better scaling;
May require fewer physical ports, thus saving money;
Can make the QoS implementation much easier (for example,
rate-limiting the combined IPv4 and IPv6 traffic to or from a
customer);
Works well in practice, as any increase in IPv6 traffic is
usually counter-balanced by a corresponding decrease in IPv4
traffic to or from the same host (ignoring the common pattern of
an overall increase in Internet usage);
And is generally conceptually simpler.
For these reasons, there is a relatively strong consensus
in the operator community that option (a) is the preferred way to
go. Most networks today use option (a) wherever possible.
However, there can be times when option (b) is the pragmatic
choice. Most commonly, option (b) is used to work around limitations
in network equipment. One big example is the generally poor level of
support today for individual statistics on IPv4 traffic vs IPv6
traffic when option (a) is used. Other, device-specific, limitations
exist as well. It is expected that these limitations will go away as
support for IPv6 matures, making option (b) less and less attractive
until the day that IPv4 is finally turned off.
As noted in the introduction, this document does not cover the
ins and outs around creating an IPv6 addressing plan. However, there
is one fundamental question in this area that often arises: Should
an interface:
Use only a link-local address
(“link-local-only”), OR
Have global and/or unique-local addresses assigned in
addition to the link-local?
There are two advantages in interfaces with only link-local
addresses ("link-local-only interfaces"). The first advantage is
ease of configuration. In a network with a large number of
link-local-only interfaces, the operator can just enable an IGP on
each router, without going through the tedious process of assigning
and tracking the addresses for each interface. The second advantage
is security. Since packets with Link-Local destination addresses
should not be routed, it is very difficult to attack the associated
nodes from an off-link device. This implies less effort around
maintaining security ACLs.
Countering this advantage are various disadvantages to
link-local-only interfaces:
It is not possible to ping a link-local-only interface from a
device that is not directly attached to the link. Thus, to
troubleshoot, one must typically log into a device that is
directly attached to the device in question, and execute the
ping from there.
A traceroute passing over the link-local-only interface will
return the loopback or system address of the router, rather than
the address of the interface itself.
In cases of parallel point to point links it is difficult to
determine which of the parallel links was taken when attempting
to troubleshoot unless one sends packets directly between the
two attached link-locals on the specific interfaces. Since many
network problems behave differently for traffic to/from a router
than for traffic through the router(s) in question, this can
pose a significant hurdle to some troubleshooting scenarios.
On some routers, by default the link-layer address of the
interface is derived from the MAC address assigned to interface.
When this is done, swapping out the interface hardware (e.g.
interface card) will cause the link-layer address to change. In
some cases (peering config, ACLs, etc) this may require
additional changes. However, many devices allow the link-layer
address of an interface to be explicitly configured, which
avoids this issue. This problem should fade away over time as
more and more routers select interface identifiers according to
the rules in .
The practice of naming router interfaces using DNS names is
difficult and not recommended when using link-locals only. More
generally, it is not recommended to put link-local addresses
into DNS; see .
It is often not possible to identify the interface or link
(in a database, email, etc) by giving just its address without
also specifying the link in some manner.
It should be noted that it is quite possible for the same
link-local address to be assigned to multiple interfaces. This can
happen because the MAC address is duplicated (due to manufacturing
process defaults or the use of virtualization), because a device
deliberately re-uses automatically-assigned link-local addresses on
different links, or because an operator manually assigns the same
easy-to-type link-local address to multiple interfaces. All these
are allowed in IPv6 as long as the addresses are used on different
links.
For more discussion on the pros and cons, see . See also for IPv6
unicast address assignment considerations.
Today, most operators use interfaces with global or unique-local
addresses (option b).
For the most part, the use of static routes in IPv6 parallels
their use in IPv4. There is, however, one exception, which revolves
around the choice of next-hop address in the static route.
Specifically, should an operator:
Use the far-end’s link-local address as the next-hop
address, OR
Use the far-end’s GUA/ULA address as the next-hop
address?
Recall that the IPv6 specs for OSPF and
ISIS dictate that they always use
link-locals for next-hop addresses. For static routes, section 8 says:
A router MUST be able to determine the link-local address for
each of its neighboring routers in order to ensure that the
target address in a Redirect message identifies the neighbor
router by its link-local address. For static routing, this
requirement implies that the next-hop router's address should be
specified using the link-local address of the router.
This implies that using a GUA or ULA as the next hop will prevent
a router from sending Redirect messages for packets that "hit" this
static route. All this argues for using a link-local as the next-hop
address in a static route.
However, there are two cases where using a link-local address as
the next-hop clearly does not work. One is when the static route is
an indirect (or multi-hop) static route. The second is when the
static route is redistributed into another routing protocol. In
these cases, the above text from RFC 4861 notwithstanding, either a
GUA or ULA must be used.
Furthermore, many network operators are concerned about the
dependency of the default link-local address on an underlying MAC
address, as described in the previous section.
Today most operators use GUAs as next-hop addresses.
One of the main decisions for a network operator looking to
deploy IPv6 is the choice of IGP (Interior Gateway Protocol) within
the network. The main options are OSPF, IS-IS and EIGRP. RIPng is
another option, but very few networks run RIP in the core these
days, so it is covered in a separate section below.
OSPF and IS-IS
are both
standardized and link-state protocols. Standardized means they are
widely supported by vendors, while link-state means amongst other
things that they can support RSVP-TE, which is widely used for MPLS
signaling. Both of these protocols are widely deployed. By contrast,
EIGRP [ref] is a proprietary distance-vector protocol. EIGRP is
rarely deployed in service-provider networks, but is quite common in
enterprise networks.
The table below sets out possible combinations of protocols to
route both IPv4 and IPv6, and makes some observations on each
combination.
IGP for IPv4
IGP for IPv6
Multiple Known Deployments
Protocol separation
Similar configuration possible
OSPFv2
OSPFv3
YES (8)
YES
YES
OSPFv2
IS-IS
YES (3)
YES
-
OSPFv2
EIGRP
-
YES
-
OSPFv3
IS-IS
-
YES
-
OSPFv3
EIGRP
-
YES
-
IS-IS
OSPFv3
YES (2)
YES
-
IS-IS
IS-IS
YES (12)
-
YES
IS-IS
EIGRP
-
YES
-
EIGRP
OSPFv3
? (1)
YES
-
EIGRP
IS-IS
-
YES
-
EIGRP
EIGRP
? (2)
-
YES
In the column "Multiple Known Deployments", a YES indicates that
a significant number of production networks run this combination,
with the number of such networks indicated in parentheses following,
while a "?" indicates that the authors are only aware of one or two
small networks that run this combination. Data for this column was
gathered from an informal poll of operators on a number of mailing
lists. This poll was not intended to be a thorough scientific study
of IGP choices, but to provide a snapshot of known operator choices
at the time of writing (Mid-2015) for successful production dual
stack network deployments. There were twenty six (26) network
implementations represented by 17 respondents. Some respondents
provided information on more then one network or network deployment.
Due to privacy considerations, the networks' represented and
respondents are not listed in this document.
A number of combinations are marked as offering “Protocol
separation”. These options use a different IGP protocol for
IPv4 vs IPv6. With these options, a problem with routing IPv6 is
unlikely to affect IPv4 or visa-versa. Some operator may consider
this as a benefit when first introducing dual stack capabilities or
for ongoing technical reasons.
Three combinations are marked “Similar configuration
possible”. This means it is possible (but not required) to use
very similar IGP configuration for IPv4 and IPv6: for example, the
same area boundaries, area numbering, link costing, etc. If you are
happy with your IPv4 IGP design, then this will likely be a
consideration. By contrast, the options that use, for example, IS-IS
for one IP version and OSPF for the other version will require
considerably different configuration, and will also require the
operations staff to become familiar with the difference between the
two protocols.
It should be noted that a number of ISPs have run OSPF as their
IPv4 IGP for quite a few years, but have selected IS-IS as their
IPv6 IGP. However, there are very few (none?) that have made the
reverse choice. This is, in part, because routers generally support
more nodes in an IS-IS area than in the corresponding OSPF area, and
because IS-IS is seen as more secure because it runs at layer 2.
When IS-IS is used to route both IPv4 and IPv6, then there is an
additional choice of whether to run IS-IS in single-topology or
multi-topology mode. Single-topology mode allows IPv4 and IPv6 to
share a single topology and a single set of link costs. Multi-topology mode allows separate IPv4 and
IPv6 topologies with potentially different link costs.
In the informal poll of operators, out of 12 production networks
that ran IS-IS for both IPv4 and IPv6, 6 used Single Topology mode,
4 used Multi-Topology mode, and 2 did not specify. One motivation
often cited by then operators for using Single Topology mode was
because some device did not support multi-topology mode.
Traditional thinking has been that multi-topology mode offers the
most flexibility. Never-the-less, as shown by the poll results, a
number of operators have used single-topology mode successfully.
A protocol option not described in the table above is RIPng . RIPng is a distance vector protocol with
limitations in larger networks. However there is prevalent use case
in large operator networks where RIP is used for edge facing core
interfaces to manage high count aggregation of dynamic routing
endpoints. Although not a mainline option for the network core as a
whole, it is commonly used in IPv4, and potentially in IPv6 for a
common set of links/functions.
BGP these days is multi-protocol. It can carry routes from many
different families, and it can do this when the BGP session, or more
accurately the underlying TCP connection, runs over either IPv4 or
IPv6 (here referred to as either "IPv4 transport" or "IPv6
transport"). Given this flexibility, one of the biggest questions
when deploying BGP in a dual-stack network is the question of which
routes should be carried over sessions using IPv4 transport and
which should be carried over sessions using IPv6 transport.
To answer this question, consider the following table:
Route Family
Transport
Comments
Unlabeled IPv4
IPv4
Works well
Unlabeled IPv4
IPv6
Next-hop issues
Unlabeled IPv6
IPv4
Next-hop issues
Unlabeled IPv6
IPv6
Works well
Labeled IPv4
IPv4
Works well
Labeled IPv4
IPv6
Next-hop issues
Labeled IPv6
IPv4
(6PE) Works well
Labeled IPv6
IPv6
Needs MPLS over IPv6
VPN IPv4
IPv4
Works well
VPN IPv4
IPv6
Next-hop issues
VPN IPv6
IPv4
(6VPE) Works well
VPN IPv6
IPv6
Needs MPLS over IPv6
The first column in this table lists various route families,
where “unlabeled” means SAFI 1, “labeled”
means the routes carry an MPLS label (SAFI 4, see ), and “VPN” means the routes are
normally associated with a layer-3 VPN (SAFI 128, see ). The second column lists the protocol used to
transport the BGP session, frequently specified by giving either an
IPv4 or IPv6 address in the “neighbor” statement.
The third column comments on the combination in the first two
columns:
For combinations marked “Works well”, these
combinations are widely supported and are generally
recommended.
For combinations marked “Next-hop issues”, these
combinations are less-widely supported and when supported, often
have next-hop issues. That is, the next-hop address is typically
a v4-mapped IPv6 address, which is based on some IPv4 address on
the sending router. This v4-mapped IPv6 address is often not
reachable by default using IPv6 routing. One common solution to
this problem is to use routing policy to change the next-hop to
a different IPv6 address.
For combinations marked as “Needs MPLS over
IPv6”, these require MPLS over IPv6 for full support,
though special policy configuration may allow them to be used
with MPLS over IPv4.
Also, it is important to note that changing the set of address
families being carried over a BGP session requires the BGP session
to be reset (unless something like or is in use). This is
generally more of an issue with eBGP sessions than iBGP sessions:
for iBGP sessions it is common practice for a router to have two
iBGP sessions, one to each member of a route reflector pair, so one
can change the set of address families on first one of the sessions
and then the other.
The following subsections discuss specific scenarios in more
detail.
Unlabeled routes are commonly carried on eBGP sessions, as well
as on iBGP sessions in networks where Internet traffic is carried
unlabeled across the network. In these scenarios, operators today
most commonly use two BGP sessions: one session is transported
over IPv4 and carries the unlabeled IPv4 routes, while the second
session is transported over IPv6 and carries the unlabeled IPv6
routes.
There are several reasons for this choice:
It gives a clean separation between IPv4 and IPv6. This can
be especially useful when first deploying IPv6 and
troubleshooting resulting problems.
This avoids the next-hop problem described in note 1
above.
The status of the routes follows the status of the
underlying transport. If, for example, the IPv6 data path
between the two BGP speakers fails, then the IPv6 session
between the two speakers will fail and the IPv6 routes will be
withdrawn, which will allow the traffic to be re-routed
elsewhere. By contrast, if the IPv6 routes were transported
over IPv4, then the failure of the IPv6 data path might leave
a working IPv4 data path, so the BGP session would remain up
and the IPv6 routes would not be withdrawn, and thus the IPv6
traffic would be sent into a black hole.
It avoids resetting the BGP session when adding IPv6 to an
existing session, or when removing IPv4 from an existing
session.
In these scenarios, it is most common today to carry both the
IPv4 and IPv6 routes over sessions transported over IPv4. This can
be done with either: (a) one session carrying both route families,
or (b) two sessions, one for each family.
Using a single session is usually appropriate for an iBGP
session going to a route reflector handling both route families.
Using a single session here usually means that the BGP session
will reset when changing the set of address families, but as noted
above, this is usually not a problem when redundant route
reflectors are involved.
In eBGP situations, two sessions are usually more
appropriate.
When running eBGP over IPv6, there are two options for the
addresses to use at each end of the eBGP session (or more properly,
the underlying TCP session):
Use link-local addresses for the eBGP session, OR
Use global addresses for the eBGP session.
Note that the choice here is the addresses to use for the eBGP
sessions, and not whether the link itself has global (or
unique-local) addresses. In particular, it is quite possible for the
eBGP session to use link-local addresses even when the link has
global addresses.
The big attraction for option (a) is security: an eBGP session
using link-local addresses is extremely difficult to attack from a
device that is off-link. This provides very strong protection
against TCP RST and similar attacks. Though there are other ways to
get an equivalent level of security (e.g. GTSM , MD5 , or ACLs), these
other ways require additional configuration which can be forgotten
or potentially mis-configured.
However, there are a number of small disadvantages to using
link-local addresses:
Using link-local addresses only works for single-hop eBGP
sessions; it does not work for multi-hop sessions.
One must use “next-hop self” at both endpoints,
otherwise re-advertising routes learned via eBGP into iBGP will
not work. (Some products enable “next-hop self” in
this situation automatically).
Operators and their tools are used to referring to eBGP
sessions by address only, something that is not possible with
link-local addresses.
If one is configuring parallel eBGP sessions for IPv4 and
IPv6 routes, then using link-local addresses for the IPv6
session introduces extra operational differences between the two
sessions which could otherwise be avoided.
On some products, an eBGP session using a link-local address
is more complex to configure than a session that uses a global
address.
If hardware or other issues cause one to move the cable to a
different local interface, then reconfiguration is required at
both ends: at the local end because the interface has changed
(and with link-local addresses, the interface must always be
specified along with the address), and at the remote end because
the link-local address has likely changed. (Contrast this with
using global addresses, where less re-configuration is required
at the local end, and no reconfiguration is required at the
remote end).
Finally, a strict application of
forbids running eBGP between link-local addresses, as requires the BGP next-hop field to contain at
least a global address.
For these reasons, most operators today choose to have
their eBGP sessions use global addresses.
There are two themes that run though many of the design choices in
this document. This section presents some general discussion on these
two themes.
The proper use of link-local addresses is a common theme in the
IPv6 network design choices. Link-layer addresses are, of course,
always present in an IPv6 network, but current network design practice
mostly ignores them, despite efforts such as .
There are three main reasons for this current practice:
Network operators are concerned about the volatility of
link-local addresses based on MAC addresses, despite the fact that
this concern can be overcome by manually-configuring link-local
addresses;
It is very difficult to impossible to ping a link-local address
from a device that is not on the same subnet. This is a
troubleshooting disadvantage, though it can also be viewed as a
security advantage.
Most operators are currently running networks that carry both
IPv4 and IPv6 traffic, and wish to harmonize their IPv4 and IPv6
design and operational practices where possible.
Currently, most operators are running or planning to run networks
that carry both IPv4 and IPv6 traffic. Hence the question: To what
degree should IPv4 and IPv6 be kept separate? As can be seen above,
this breaks into two sub-questions: To what degree should IPv4 and
IPv6 traffic be kept separate, and to what degree should IPv4 and IPv6
routing information be kept separate?
The general consensus around the first question is that IPv4 and
IPv6 traffic should generally be mixed together. This recommendation
is driven by the operational simplicity of mixing the traffic, plus
the general observation that the service being offered to the end user
is Internet connectivity and most users do not know or care about the
differences between IPv4 and IPv6. Thus it is very desirable to mix
IPv4 and IPv6 on the same link to the end user. On other links,
separation is possible but more operationally complex, though it does
occasionally allow the operator to work around limitations on network
devices. The situation here is roughly comparable to IP and MPLS
traffic: many networks mix the two traffic types on the same links
without issues.
By contrast, there is more of an argument for carrying IPv6 routing
information over IPv6 transport, while leaving IPv4 routing
information on IPv4 transport. By doing this, one gets fate-sharing
between the control and data plane for each IP protocol version: if
the data plane fails for some reason, then often the control plane
will too.
This document makes no requests of IANA.
This document introduces no new security considerations that are not
already documented elsewhere.
The following is a brief list of pointers to documents related to the
topics covered above that the reader may wish to review for security
considerations.
For general IPv6 security, provides guidance
on security considerations around IPv6 transition and coexistence.
For OSPFv3, the base protocol specification
has a short security considerations section which notes that the
fundamental mechanism for protecting OSPFv3 from attacks is the
mechanism described in .
For IS-IS, notes that ISIS for IPv6 raises
no new security considerations over ISIS for IPv4 over those documented
in and .
For BGP, notes that BGP for IPv6 raises no
new security considerations over those present in BGP for IPv4. However,
there has been much discussion of BGP security recently, and the
interested reader is referred to the documents of the IETF's SIDR
working group.
Many, many people in the V6OPS working group provided comments and
suggestions that made their way into this document. A partial list
includes: Rajiv Asati, Fred Baker, Michael Behringer, Marc Blanchet, Ron
Bonica, Randy Bush, Cameron Byrne, Brian Carpenter, KK Chittimaneni, Tim
Chown, Lorenzo Colitti, Gert Doering, Francis Dupont, Bill Fenner, Kedar
K Gaonkar, Chris Grundemann, Steinar Haug, Ray Hunter, Joel Jaeggli,
Victor Kuarsingh, Jen Linkova, Ivan Pepelnjak, Alexandru Petrescu, Rob
Shakir, Mark Smith, Jean-Francois Tremblay, Dave Thaler, Tina Tsou, Eric
Vyncke, Dan York, and Xuxiaohu.
The authors would also like to thank Pradeep Jain and Alastair
Johnson for helpful comments on a very preliminary version of this
document.
Intermediate system to Intermediate system intra-domain
routeing information exchange protocol for use in conjunction with
the protocol for providing the connectionless-mode Network Service
(ISO 8473)
International Standards Organization
Preparing an IPv6 Address Plan
SurfNet