idnits 2.17.1 draft-cheshire-ipv4-acd-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand corner of the first page ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 2001) is 8197 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 4 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Stuart Cheshire 2 Document: draft-cheshire-ipv4-acd-00.txt Apple Computer 3 Expires 8th May 2002 8th November 2001 5 IPv4 Address Conflict Detection 7 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026. Internet-Drafts are 13 working documents of the Internet Engineering Task Force (IETF), 14 its areas, and its working groups. Note that other groups may 15 also distribute working documents as Internet-Drafts. 17 Internet-Drafts are draft documents valid for a maximum of six 18 months and may be updated, replaced, or obsoleted by other documents 19 at any time. It is inappropriate to use Internet-Drafts as 20 reference material or to cite them other than as "work in progress." 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html 28 Distribution of this memo is unlimited. 30 Abstract 32 When two hosts on the same link attempt to use the same IPv4 address 33 at the same time (except in rare special cases where this has been 34 arranged by prior coordination) problems ensue for one or both hosts. 35 This document describes a simple precaution that a host can take to 36 help prevent this misconfiguration from happening, and a simple 37 mechanism by which a host can passively detect when this 38 misconfiguration has occurred. 40 1. Introduction 42 Historically, accidentally configuring two Internet hosts with the 43 same IP address has often been an annoying and hard-to-diagnose 44 problem. 46 This is unfortunate, because the existing ARP protocol provides an 47 easy way for a host to detect this kind of misconfiguration and 48 report it to the user. The DHCP specification [RFC 2131] briefly 49 mentions the role of ARP in detecting misconfiguration: 51 the client SHOULD probe the newly received address, 52 e.g., with ARP. 54 The client SHOULD perform a final check on the parameters 55 (e.g., ARP for allocated network address) 57 If the client detects that the address is already in use 58 (e.g., through the use of ARP), the client MUST send 59 a DHCPDECLINE message to the server 61 if the client is on a network that supports ARP, the client 62 may issue an ARP request for the suggested request [sic]. When 63 broadcasting an ARP request for the suggested address, the 64 client must fill in its own hardware address as the sender's 65 hardware address, and 0 as the sender's IP address, to avoid 66 confusing ARP caches in other hosts on the same subnet. If the 67 network address appears to be in use, the client MUST send a 68 DHCPDECLINE message to the server. The client SHOULD broadcast 69 an ARP reply to announce the client's new IP address and clear 70 any outdated ARP cache entries in hosts on the client's subnet. 72 Unfortunately, the DHCP specification does not give any guidance to 73 implementers concerning the number of ARP packets to send, the 74 interval between packets, the total time to wait before concluding 75 that an address may safely be used, or indeed even which kinds of 76 packets a host should be listening for, in order to make this 77 determination. It leaves unspecified the action a host should take 78 if, after concluding that an address may safely be used, it 79 subsequently discovers that it was wrong. It also fails to specify 80 what precautions a DHCP client should take to guard against 81 pathological failure cases, such as DHCP server that repeatedly 82 OFFERs the same address, even though it has been DECLINEd multiple 83 times. 85 The authors of the DHCP specification may have thought the answers to 86 these questions too obvious to mention; however, experience has shown 87 that even amongst intelligent experienced protocol implementers, 88 these issues are the subject of debate. This draft seeks to end this 89 ambiguity by clearly specifying the required actions for: 91 1. Determining whether use of an address is likely to lead to an 92 addressing conflict. This includes (a) the case where the address 93 is already actively in use by another host on the same link, and 94 (b) the case where two hosts are inadvertently about to begin 95 using the same address, and both are simultaneously in the process 96 of probing to determine whether the address may safely be used. 98 2. Subsequent passive detection that another host on the network is 99 inadvertently using the same address. Even if all hosts observe 100 precautions to avoid using an address that is already in use, 101 conflicts can still occur if two hosts are out of communication at 102 the time of initial interface configuration. This could occur with 103 wireless network interfaces if the hosts are temporarily out of 104 range, or with Ethernet interfaces if the link between two 105 Ethernet hubs is not functioning at the time of address 106 configuration. A well-designed host will handle not only conflicts 107 detected during interface configuration, but also conflicts 108 detected later, for the entire duration of the time that the host 109 is using the address. 111 3. Rate-limiting in the case of an excessive number of repeated 112 conflicts. 114 The utility of IPv4 Address Conflict Detection is not limited to DHCP 115 clients. No matter how an address was configured, whether via manual 116 entry by a human user, via information received from a DHCP server, 117 or via any other source of configuration information, detecting 118 conflicts is useful. Upon detecting a conflict, the configuring agent 119 should be notified of the error. In the case where the configuring 120 agent is a human user, that notification may take the form of an 121 error message on a screen, an SNMP trap, or an error message sent via 122 pager. In the case of a DHCP server, that notification takes the form 123 of a DHCP DECLINE message sent to the server. In the case of 124 configuration by some other kind of software, that notification takes 125 the form of an error indication to the software in question, to 126 inform it that the address it selected is in conflict with some other 127 host on the network. The configuring software may choose to cease 128 network operation, or it may automatically select a new address so 129 that the host may re-establish IP connectivity as soon as possible. 131 The specifications described in this document have been implemented 132 in Mac OS, Windows and other platforms for many years, and work 133 successfully. 135 1.1. Conventions and Terminology Used in this Document 137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 139 document are to be interpreted as described in "Key words for use in 140 RFCs to Indicate Requirement Levels" [RFC 2119]. 142 Wherever this document uses the term "sender IP address" or "target 143 IP address" in the context of an ARP packet, it is referring to the 144 fields of the ARP packet identified in the ARP specification [RFC 145 826] as "ar$spa" (Sender Protocol Address) and "ar$tpa" (Target 146 Protocol Address) respectively. For the usage of ARP described in 147 this document, each of these fields always contains an IP address. 149 In this document, the term "ARP Probe" is used to refer to an ARP 150 request packet, broadcast on the local link, with an all-zero 'sender 151 IP address'. The 'sender hardware address' MUST contain the hardware 152 address of the interface sending the packet. The 'target hardware 153 address' field is ignored and SHOULD be set to all zeroes. The 154 'target IP address' field MUST be set to the address being probed. 156 In this document, the term "ARP Announcement" is used to refer to 157 an ARP request packet, broadcast on the local link, identical to 158 the ARP probe described above, except that both the sender and 159 target IP address fields contain the IP address being announced. 161 1.2 Relationship to RFC 826 163 This draft does not modify any of the protocol rules in RFC 826; it 164 merely clarifies two things that were unstated in RFC 826. In RFC 165 826, an ARP Request packet serves two functions, an assertion and a 166 question. 168 Assertion: The fields "ar$sha" (Sender Hardware Address) and "ar$spa" 169 (Sender Protocol Address) together serve as an assertion of a fact, 170 that the stated Protocol Address is mapped to the stated Hardware 171 Address. 173 Question: The fields "ar$tha" (Target Hardware Address, zero) and 174 "ar$tpa" (Target Protocol Address) serve as a question, asking, for 175 the stated Protocol Address, to which Hardware Address it is mapped. 177 This draft standardizes the natural and widely-used interpretation 178 of an ARP Request where the Target Protocol Address is non-zero but 179 the Sender Protocol Address is zero, namely that it is a question 180 without an associated assertion (an "ARP Probe"). 182 This draft standardizes the natural and widely-used interpretation 183 of an ARP Request where the Sender and Target Protocol Address fields 184 contain the same address, namely that it is an assertion without an 185 associated question (an "ARP Announcement"). 187 1.3. Applicability 189 The specifications in this document apply to any link-layer network 190 technology that uses ARP [RFC 826] to map from IP addresses to 191 link-layer hardware addresses. 193 2. Address Probing, Announcing, Conflict Detection and Defense 195 This section describes initial probing to safely determine whether an 196 address is already in use, ongoing conflict checking, and optional 197 use of broadcast ARP replies to provide faster conflict detection. 199 2.1 Probing an Address 201 Before beginning to use an IP address (whether received from manual 202 configuration, DHCP, or some other means), a host may test to see if 203 the address is already in use, using ARP probes. 205 A host probes to see if an address is already in use by broadcasting 206 an ARP request for the desired address. The client MUST fill in the 207 'sender hardware address' field of the ARP request with the hardware 208 address of the interface through which it is sending the packet. 209 The 'sender IP address' field MUST be set to all zeroes, to avoid 210 polluting ARP caches in other hosts on the same link in the case 211 where the address turns out to be already in use by another host. 212 The 'target hardware address' field is ignored and SHOULD be set to 213 all zeroes. The 'target IP address' field MUST be set to the address 214 being probed. An ARP request constructed this way with an all-zero 215 'sender IP address' is referred to as an "ARP probe". 217 Where link-state information is available, the host should delay 218 beginning the probing process until after the underlying hardware or 219 link-layer driver software indicates that the physical link (e.g. the 220 port on an Ethernet hub) has become active and is forwarding packets. 222 When ready to begin probing, the host should then wait for a random 223 time interval selected uniformly in the range zero to two seconds, 224 and should then send four probe packets, spaced two seconds apart. 225 This initial random delay helps ensure that a large number of hosts 226 powered on at the same time do not all send their initial probe 227 packets simultaneously. 229 If during this period, from the beginning of the probing process 230 until two seconds after the last probe packet is sent, the host 231 receives any ARP packet (request *or* reply) where the packet's 232 'sender IP address' is the address being probed for, then the host 233 MUST treat this address as being in use by some other host, and 234 should indicate to the configuring agent (human operator, DHCP 235 server, etc.) that the proposed address is not acceptable. In 236 addition, if during this period the host receives any ARP probe where 237 the packet's 'target IP address' is the address being probed for, and 238 the packet's 'sender hardware address' is not the hardware address of 239 any of the host's interfaces, then the host MUST similarly treat this 240 as an address conflict and signal an error to the configuring agent 241 as above. This can occur if two (or more) hosts have, for whatever 242 reason, been inadvertently configured with the same address, and both 243 are simultaneously in the process of probing that address to see if 244 it can safely be used. 246 A host should maintain a counter of the number of conflicts it has 247 experienced in the process of trying to configure an interface, and 248 if the number of conflicts exceeds ten then the host MUST limit the 249 rate at which it probes for new addresses to no more than one new 250 address per minute. This is to prevent catastrophic ARP storms in 251 pathological failure cases, such as a defective DHCP server that 252 repeatedly assigns the same address to every host that asks for one. 254 If, by two seconds after the transmission of the last ARP probe 255 no conflicting ARP reply has been received, then the host has 256 successfully determined that the desired address may be used safely. 258 2.2 Announcing an Address 260 Having determined that a desired address may be used safely, a host 261 should then announce that it is commencing to use this address by 262 broadcasting two ARP announcements, spaced two seconds apart. An ARP 263 announcement is identical to the ARP probe described above, except 264 that now the sender and target IP addresses are both set to the 265 host's newly selected IP address. The purpose of these ARP 266 announcements is to make sure that other hosts on the link do not 267 have stale ARP cache entries left over from some other host that may 268 previously have been using the same address. 270 2.3 Ongoing Address Conflict Detection and Address Defense 272 Address conflict detection should not be limited to only the time of 273 initial interface configuration, when a host is sending ARP probes. 274 Address conflict detection is an ongoing process that is in effect 275 for as long as a host is using an address. At any time, if a host 276 receives an ARP packet (request *or* reply) where the 'sender IP 277 address' is the host's own IP address, but the 'sender hardware 278 address' does not match any of the host's own interface addresses, 279 then this is a conflicting ARP packet, indicating some other unknown 280 host also thinks it is validly using this address. To resolve the 281 address conflict, a host must respond to a conflicting ARP packet as 282 described in either (a) or (b) below: 284 (a) Upon receiving a conflicting ARP packet, a host MAY elect to 285 immediately cease using the address, and signal an error to the 286 configuring agent as described above, or 288 (b) If a host currently has active TCP connections or other reasons 289 to prefer to keep the same IP address, and it has not seen any other 290 conflicting ARP packets recently (for Ethernet, within the last ten 291 seconds) then it MAY elect to attempt to defend its address. 292 To defend its address, the host first records the time that the 293 conflicting ARP packet was received, and then broadcasts one single 294 ARP announcement, giving its own IP and hardware addresses. Having 295 done this, the host can then continue to use the address normally 296 without any further special action. However, if this is not the first 297 conflicting ARP packet the host has seen, and the time recorded for 298 the previous conflicting ARP packet is recent (within ten seconds for 299 Ethernet) then the host MUST immediately cease using this address and 300 signal an error to the configuring agent as described above. This is 301 necessary to ensure that two hosts do not get stuck in an endless 302 loop with both hosts trying to defend the same address. 304 A host wishing to provide reliable network operation must respond to 305 conflicting ARP packets as described in either (a) or (b) above. 306 Ignoring conflicting ARP packets results in seemingly random network 307 failures which can be hard to diagnose and very frustrating for human 308 users. 310 Forced address reconfiguration may be disruptive, causing TCP 311 connections to be broken. However, it is expected that such 312 disruptions will be rare, and if inadvertent address duplication 313 happens, then disruption of communication is inevitable. It is not 314 possible for two different hosts using the same IP address on the 315 same network to operate reliably. 317 Immediately configuring a new address as soon as the conflict is 318 detected is the best way to restore useful communication as quickly 319 as possible. The mechanism described above of broadcasting a single 320 ARP announcement to defend the address mitigates the problem 321 somewhat, by helping to improve the chance that one of the two 322 conflicting hosts may be able to retain its address. 324 2.4 Broadcast ARP Replies 326 In a carefully-run network with manually-assigned addresses, or 327 a network with a reliable DHCP server and reliable DHCP clients, 328 address conflicts should occur only in rare failure scenarios, 329 so the passive monitoring described above in Section 2.3 is adequate. 330 If two hosts are using the same IP address, then sooner or later one 331 or other host will broadcast an ARP request, which the other will 332 see, allowing the conflict to be detected and consequently resolved. 334 It is possible however, that a conflicting configuration may persist 335 for a short time before it is detected. Suppose that two hosts A and 336 B have been inadvertently assigned the same IP address X. Suppose 337 further that at the time they were both probing to determine whether 338 the address could safely be used, the communication link between them 339 was non-functional for some reason, so neither detected the conflict 340 at interface-configuration time. Suppose now that the communication 341 link is restored, and a third host C broadcasts an ARP request for 342 address X. Unaware of any conflict, both hosts A and B will send 343 unicast ARP replies to host C. Host C will see both replies, and may 344 be a little confused, but neither host A nor B will see the other's 345 reply, and neither will immediately detect that there is a conflict 346 to be resolved. Hosts A and B will continue to be unaware of the 347 conflict until one or other broadcasts an ARP request of their own. 349 If quicker conflict detection is desired, this can be achieved by 350 having hosts send ARP replies using link-level broadcast, instead 351 of sending only ARP requests via broadcast, and replies via unicast. 353 3. Security Considerations 355 The ARP protocol [RFC 826] is insecure. A malicious host may send 356 fraudulent ARP packets on the network, interfering with the correct 357 operation of other hosts. For example, it is easy for a host to 358 answer all ARP requests with responses giving its own hardware 359 address, thereby claiming ownership of every address on the network. 361 4. IANA Considerations 363 This document has no IANA-related considerations. 365 5. Acknowledgements 367 This document arose as a result of discussions on link-local 368 addressing, where it was not clear to many readers which elements of 369 link-local address management were specific to that particular 370 problem, and which elements were generic and applicable to all IPv4 371 address configuration mechanisms. The following people made valuable 372 comments in the course of that work: Bernard Aboba, Jim Busse, Pavani 373 Diwanji, Donald Eastlake 3rd, Peter Ford, Spencer Giacalone, Josh 374 Graessley, Erik Guttman, Myron Hattig, Hugh Holbrook, Richard 375 Johnson, Kim Yong-Woon, Rod Lopez, Satish Mundra, Thomas Narten, Erik 376 Nordmark, Howard Ridenour, Daniel Senie, Dieter Siegmund, Valery 377 Smyslov and Ryan Troll. 379 6. Copyright 381 Copyright (C) The Internet Society 8th March 2000. 382 All Rights Reserved. 384 This document and translations of it may be copied and furnished to 385 others, and derivative works that comment on or otherwise explain it 386 or assist in its implementation may be prepared, copied, published 387 and distributed, in whole or in part, without restriction of any 388 kind, provided that the above copyright notice and this paragraph are 389 included on all such copies and derivative works. However, this 390 document itself may not be modified in any way, such as by removing 391 the copyright notice or references to the Internet Society or other 392 Internet organizations, except as needed for the purpose of 393 developing Internet standards in which case the procedures for 394 copyrights defined in the Internet Standards process must be 395 followed, or as required to translate it into languages other than 396 English. 398 The limited permissions granted above are perpetual and will not be 399 revoked by the Internet Society or its successors or assigns. 401 This document and the information contained herein is provided on an 402 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 403 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 404 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 405 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 406 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 408 7. References 410 [RFC 826] D. Plummer, "An Ethernet Address Resolution Protocol -or- 411 Converting Network Addresses to 48-bit Ethernet Address 412 for Transmission on Ethernet Hardware", STD 37, RFC 826, 413 November 1982. 415 [RFC 2131] R. Droms, "Dynamic Host Configuration Protocol", 416 RFC 2131, March 1997. 418 [RFC 2119] S. Bradner, "Key words for use in RFCs to Indicate 419 Requirement Levels", RFC 2119, March 1997. 421 8. Author's Address 423 Stuart Cheshire 424 Apple Computer, Inc. 425 1 Infinite Loop 426 Cupertino 427 California 95014 428 USA 430 Phone: +1 408 974 3207 431 EMail: rfc@stuartcheshire.org