idnits 2.17.1 draft-ietf-6man-ipv6-subnet-model-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4861]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 227: '...lready exist, the node SHOULD create a...' RFC 2119 keyword, line 232: '...nd the entry's reachability state MUST...' RFC 2119 keyword, line 260: '...ress option, then the recipient SHOULD...' RFC 2119 keyword, line 299: '...mented IPv6 host MUST adhere to the fo...' RFC 2119 keyword, line 303: '... configuration MUST NOT implicitly c...' (5 more instances...) -- The draft header indicates that this document updates RFC4861, but the abstract doesn't seem to directly say this. It does mention RFC4861 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4861, updated by this document, for RFC5378 checks: 2004-07-16) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 14, 2009) is 5277 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 2461 (Obsoleted by RFC 4861) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group H. Singh 3 Internet-Draft W. Beebee 4 Updates: 4861 (if approved) Cisco Systems, Inc. 5 Intended status: Standards Track E. Nordmark 6 Expires: May 18, 2010 Sun Microsystems 7 November 14, 2009 9 IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes 10 draft-ietf-6man-ipv6-subnet-model-06 12 Abstract 14 IPv6 specifies a model of a subnet that is different than the IPv4 15 subnet model. The subtlety of the differences has resulted in 16 incorrect implementations that do not interoperate. This document 17 spells out the most important difference; that an IPv6 address isn't 18 automatically associated with an IPv6 on-link prefix. This document 19 also updates (partially due to security concerns caused by incorrect 20 implementations) a part of the definition of on-link from [RFC4861]. 22 Status of this Memo 24 This Internet-Draft is submitted to IETF in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF), its areas, and its working groups. Note that 29 other groups may also distribute working documents as Internet- 30 Drafts. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 The list of current Internet-Drafts can be accessed at 38 http://www.ietf.org/ietf/1id-abstracts.txt. 40 The list of Internet-Draft Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html. 43 This Internet-Draft will expire on May 18, 2010. 45 Copyright Notice 47 Copyright (c) 2009 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the BSD License. 60 This document may contain material from IETF Documents or IETF 61 Contributions published or made publicly available before November 62 10, 2008. The person(s) controlling the copyright in some of this 63 material may not have granted the IETF Trust the right to allow 64 modifications of such material outside the IETF Standards Process. 65 Without obtaining an adequate license from the person(s) controlling 66 the copyright in such materials, this document may not be modified 67 outside the IETF Standards Process, and derivative works of it may 68 not be created outside the IETF Standards Process, except to format 69 it for publication as an RFC or to translate it into languages other 70 than English. 72 Table of Contents 74 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 75 2. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 4 76 3. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 7 77 4. Observed Incorrect Implementation Behavior . . . . . . . . . . 9 78 5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 9 79 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 80 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 81 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10 82 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 83 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 84 10.1. Normative References . . . . . . . . . . . . . . . . . . 10 85 10.2. Informative References . . . . . . . . . . . . . . . . . 10 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 88 1. Introduction 90 IPv4 implementations typically associate a netmask with an address 91 when an IPv4 address is assigned to an interface. That netmask 92 together with the IPv4 address designates an on-link prefix. 93 Addresses that are covered by this prefix are viewed as on-link i.e., 94 traffic to these addresses is not sent to a router. See section 95 3.3.1 in [RFC1122]. Prior to the deployment of Classless Inter- 96 Domain Routing (CIDR), an address's netmask could be derived directly 97 from the address. In the absence of specifying a specific netmask 98 when assigning an address, some implementations would fall back to 99 deriving the netmask from the class of the address. 101 The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is 102 quite different. The on-link determination is separate from the 103 address assignment. A host can have IPv6 addresses without any 104 related on-link prefixes or have on-link prefixes that are not 105 related to any IPv6 addresses that are assigned to the host. Any 106 assigned address on an interface should initially be considered as 107 having no internal structure as shown in [RFC4291]. 109 In IPv6, by default, a host treats only the link-local prefix as on- 110 link. 112 The reception of a Prefix Information Option (PIO) with the L-bit set 113 [RFC4861] and a non-zero valid lifetime creates (or updates) an entry 114 in the Prefix List. All the prefixes that are on the Prefix List, 115 i.e., have not yet timed out, are considered to be on-link. 117 The on-link definition in the Terminology section of [RFC4861], as 118 modified by this document, defines the complete list of cases where 119 an address is considered on-link. Individual address entries can be 120 expired by the Neighbor Unreachability Detection mechanism. 122 IPv6 packets sent using the Conceptual Sending Algorithm as described 123 in [RFC4861] only trigger address resolution for IPv6 addresses that 124 are on-link. Packets to any other address are sent to a default 125 router. If there is no default router, then the node should send an 126 ICMPv6 Destination Unreachable indication as specified in [RFC4861] - 127 more details are provided in the Host Behavior and Rules section. 128 (Note that [RFC4861] changed the behavior when the Default Router 129 List is empty. In the old version of Neighbor Discovery [RFC2461], 130 if the Default router List is empty, rather than sending the ICMPv6 131 Destination Unreachable indication, the [RFC2461] node assumed that 132 the destination was on-link.") Note that ND is scoped to a single 133 link. All Neighbor Solicitation responses are assumed to be sent out 134 the same interface on which the corresponding query was received 135 without using the Conceptual Sending Algorithm. 137 Failure of host implementations to correctly implement the IPv6 138 subnet model can result in lack of IPv6 connectivity. See the 139 Observed Incorrect Implementation Behavior section for details. 141 This document deprecates the last two bullets from the definition of 142 on-link from [RFC4861] to address security concerns arising from 143 particular ND implementations. 145 Host behavior is clarified in the Host Behavior and Rules section. 147 2. Host Behavior 149 1. The original Neighbor Discovery (ND) specification [RFC4861] was 150 unclear in its usage of the term on-link in a few places. In 151 IPv6, an address is considered to be on-link (with respect to a 152 specific link), if the address has been assigned to an interface 153 attached to that link. Any node attached to the link can send a 154 datagram directly to an on-link address without forwarding the 155 datagram through a router. In IPv6, there are two ways to 156 indicate an address is on-link. First, a host maintains a Prefix 157 List that identifies ranges of addresses that are to be 158 considered on-link. Second, Redirects can identify individual 159 destinations that are on-link; such Redirects update the 160 Destination Cache. 162 The Prefix List is populated via the following means: 164 * Receipt of a Valid Router Advertisement (RA) that specifies a 165 prefix with the L-bit set. Such a prefix is considered on- 166 link for a period specified in the Valid Lifetime and is added 167 to the Prefix List. (The link-local prefix is effectively 168 considered a permanent entry on the Prefix List.) 170 * Indication of an on-link prefix (which may be a /128) via 171 manual configuration, or some other yet-to-be specified 172 configuration mechanism. 174 A Redirect can also signal whether an address is on-link. If a 175 host originates a packet, but the first-hop router routes the 176 received packet back out onto the same link, the router also 177 sends the host a Redirect. If the Target and Destination Address 178 of the Redirect are the same, the Target Address is to be treated 179 as on-link as specified in Section 8 of [RFC4861]. That is, the 180 host updates its Destination Cache (but not its Prefix List -- 181 though the impact is similar). 183 2. Note that Redirect Messages do not contain sufficient information 184 to signal that an address is off-link. Rather, they indicate a 185 preferred next-hop that is a more appropriate choice to use than 186 the originator of the Redirect. That alternate next-hop may be 187 the destination itself (in which case packets would flow directly 188 to a neighbor), or a router closer to the destination than the 189 current next-hop router (which is the originator of the 190 Redirect). Note, however, that the Redirect message itself does 191 not contain sufficient information to distinguish these cases. 192 But that does not matter, because the receiver of such a message 193 does the same in either case, updating its Neighbor Cache as 194 defined in Section 8.1 of [RFC4861]. 196 3. IPv6 also defines the term "neighbor" and "link" to refer to 197 nodes attached to the same link and that can send packets 198 directly to each other. Received ND packets that pass the 199 required validation tests can only come from a neighbor attached 200 to the link on which the ND packet was received. Unfortunately, 201 [RFC4861] is imprecise in its definition of on-link and states 202 that a node considers an address to be on-link if: 204 - a Neighbor Advertisement message is received for the 205 (target) address, or 207 - any Neighbor Discovery message is received from the address. 209 Neither of these tests are acceptable definitions for an address 210 to be considered as on-link as defined above, and this document 211 deprecates and removes both of them from the formal definition of 212 on-link. Neither of these tests should be used as justification 213 for modifying the Prefix List or Destination Cache for an 214 address. 216 The conceptual sending algorithm of [RFC4861] defines a Prefix 217 List and Neighbor Cache. The combination of Prefix List and 218 Neighbor Cache form what many implementations consider to be the 219 IP data forwarding table for a host. Note that the Neighbor 220 Cache is a separate data structure referenced by the Destination 221 Cache, but entries in the Neighbor Cache are not necessarily in 222 the Destination Cache. It is quite possible (and intentional) 223 that entries be added to the Neighbor Cache for addresses that 224 would not be considered on-link as-defined above. For example, 225 upon receipt of a valid NS, Section 7.2.3 of [RFC4861] states: 227 If an entry does not already exist, the node SHOULD create a 228 new one and set its reachability state to STALE as specified 229 in Section 7.3.3. If an entry already exists, and the cached 230 link-layer address differs from the one in the received Source 231 Link-Layer option, the cached address should be replaced by 232 the received address, and the entry's reachability state MUST 233 be set to STALE. 235 The intention of the above feature is to add an address to the 236 Neighbor Cache, even though it might not be considered on-link 237 per the Prefix List. The benefit of such a step is to have the 238 receiver populate the Neighbor Cache with an address it will 239 almost certainly be sending packets to shortly, thus avoiding the 240 need for an additional round of ND to perform address resolution. 241 But because there is no validation of the address being added to 242 the Neighbor Cache, an intruder could spoof the address and cause 243 a receiver to add an address for a remote site to its Neighbor 244 Cache. This vulnerability is a specific instance of the broad 245 set of attacks that are possible by an on-link neighbor 246 [RFC3756]. This causes no problems in practice, so long as the 247 entry only exists in the Neighbor Cache and the address is not 248 considered to be on-link by the IP forwarding code (i.e., the 249 address is not added to the Prefix List and is not marked as on- 250 link in the Destination Cache). 252 4. After the update to the on-link definition in [RFC4861], certain 253 text from section 7.2.3 of [RFC4861] may appear, upon a cursory 254 examination, to be inconsistent with the updated definition of 255 on-link because the text does not ensure that the source address 256 is already deemed on-link through other methods: 258 If the Source Address is not the unspecified address and, on- 259 link layers that have addresses, the solicitation includes a 260 Source Link-Layer Address option, then the recipient SHOULD 261 create or update the Neighbor Cache entry for the IP Source 262 Address of the solicitation. 264 Similarly, the following text from section 6.2.5 of [RFC4861] may 265 also seem inconsistent: 267 If there is no existing Neighbor Cache entry for the 268 solicitation's sender, the router creates one, installs the 269 link-layer address and sets its reachability state to STALE as 270 specified in Section 7.3.3. 272 However, the text in the aforementioned sections of [RFC4861], 273 upon closer inspection, is actually consistent with the 274 deprecation of the last two bullets of the on-link definition 275 because there are two different ways in which on-link 276 determination can affect the state of ND: through updating the 277 Prefix List or the Neighbor Cache. Through deprecating the last 278 two bullets of the on-link definition, the Prefix List is 279 explicitly not to be changed when a node receives an NS, NA, or 280 RS. The Neighbor Cache can still be updated through receipt of 281 an NS, NA, or RS. 283 5. [RFC4861] is written from the perspective of a host with a single 284 interface on which Neighbor Discovery is run. All ND traffic 285 (whether sent or received) traverses the single interface. On 286 hosts with multiple interfaces, care must be taken to ensure that 287 the scope of ND processing from one link stays local to that 288 link. That is, when responding to a NS, the NA would be sent out 289 on the same link on which it was received. Likewise, a host 290 would not respond to a received NS for an an address assigned to 291 an interface on a different link. Although implementions may 292 choose to implement Neighbor Discovery using a single data 293 structure that merges the Neighbor Caches of all interfaces, an 294 implementation's behavior must be consistent with the above 295 model. 297 3. Host Rules 299 A correctly implemented IPv6 host MUST adhere to the following rules: 301 1. The assignment of an IPv6 address, whether through IPv6 stateless 302 address autoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual 303 configuration MUST NOT implicitly cause a prefix derived from 304 that address to be treated as on-link and added to the Prefix 305 List. A host considers a prefix to be on-link only through 306 explicit means, such as those specified in the on-link definition 307 in the Terminology section of [RFC4861], as modified by this 308 document, or via manual configuration. Note that the requirement 309 for manually configured addresses is not explicitly mentioned in 310 [RFC4861]. 312 2. In the absence of other sources of on-link information, including 313 Redirects, if the RA advertises a prefix with the on-link(L) bit 314 set and later the Valid Lifetime expires, the host MUST then 315 consider addresses of the prefix to be off-link, as specified by 316 the PIO paragraph of section 6.3.4 of [RFC4861]. 318 3. Newer implementations, which are compliant with [RFC4861] MUST 319 adhere to the following rules. Older implementations, which are 320 compliant with [RFC2461] but not [RFC4861] may remain as is. If 321 the Default Router List is empty and there is no other source of 322 on-link information about any address or prefix: 324 1. The host MUST NOT assume that all destinations are on-link. 326 2. The host MUST NOT perform address resolution for non-link- 327 local addresses. 329 3. Since the host cannot assume the destination is on-link, and 330 off-link traffic cannot be sent to a default router (since 331 the Default Router List is empty), address resolution cannot 332 be performed. This case is specified in the last paragraph 333 of section 4 of [RFC4943]: when there is no route to 334 destination, the host should send an ICMPv6 Destination 335 Unreachable indication (for example, a locally delivered 336 error message) as specified in the Terminology section of 337 [RFC4861]. 339 On-link information concerning particular addresses and prefixes 340 can make those specific addresses and prefixes on-link, but does 341 not change the default behavior mentioned above for addresses and 342 prefixes not specified. [RFC4943] provides justification for 343 these rules. 345 4. Hosts MUST verify that on-link information is still valid after 346 IPv6 interface re-initialization before using cached on-link 347 determination information. Failure to do so may lead to lack of 348 IPv6 network connectivity. For example, a host receives an RA 349 from a router with on-link prefix A. The host powers down. 350 During the power off, the router sends out prefix A with on-link 351 bit set and a zero lifetime to indicate a renumbering. The host 352 misses the renumbering. The host powers on and comes online. 353 Then, the router sends an RA with no PIO. The host uses cached 354 on-link prefix A and issues NS's instead of sending traffic to a 355 default router. The "Observed Incorrect Implementation Behavior" 356 section below describes how this can result in lack of IPv6 357 connectivity. 359 4. Observed Incorrect Implementation Behavior 361 One incorrect implementation behavior illustrates the severe 362 consequences when the IPv6 subnet model is not understood by the 363 implementers of several popular host operating systems. In an access 364 concentrator network ([RFC4388]), a host receives a Router 365 Advertisement Message with no on-link prefix advertised. The host 366 incorrectly assumes an invented prefix is on-link and performs 367 address resolution when the host should send all non-link-local 368 traffic to a default router. Neither the router nor any other host 369 will respond to the address resolution, preventing this host from 370 sending IPv6 traffic. 372 5. Conclusion 374 This document clarifies and summarizes the relationship between links 375 and subnet prefixes described in [RFC4861]. Configuration of an IPv6 376 address does not imply the existence of corresponding on-link 377 prefixes. One should also look at API considerations for prefix 378 length as described in last paragraph of section 4.2 of [RFC4903]. 379 This document also updates the definition of on-link from [RFC4861] 380 by retracting the last two bullets. 382 6. Security Considerations 384 This document addresses a security concern present in [RFC4861]. As 385 a result, the last bullet of the on-link definition in [RFC4861] has 386 been retracted. US-CERT Vulnerability Note VU#472363 lists the 387 implementations affected. 389 7. IANA Considerations 391 None. 393 8. Contributors 395 Thomas Narten contributed significant text and provided substantial 396 guidance to the production of this document. 398 9. Acknowledgements 400 Thanks (in alphabetical order) to Adeel Ahmed, Jari Arkko, Ralph 401 Droms, Alun Evans, Dave Forster, Prashanth Krishnamurthy, Suresh 402 Krishnan, Josh Littlefield, Bert Manfredi, David Miles, Madhu Sudan, 403 Jinmei Tatuya, Dave Thaler, Bernie Volz, and Vlad Yasevich for their 404 consistent input, ideas and review during the production of this 405 document. The security problem related to an NS message that 406 provides one reason for invalidating a part of the on-link definition 407 was found by David Miles. Jinmei Tatuya found the security problem 408 to also exist with an RS message. 410 10. References 412 10.1. Normative References 414 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 415 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 416 September 2007. 418 10.2. Informative References 420 [RFC1122] Braden, R., "Requirements for Internet Hosts - 421 Communication Layers", STD 3, RFC 1122, October 1989. 423 [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor 424 Discovery for IP Version 6 (IPv6)", RFC 2461, 425 December 1998. 427 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 428 and M. Carney, "Dynamic Host Configuration Protocol for 429 IPv6 (DHCPv6)", RFC 3315, July 2003. 431 [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor 432 Discovery (ND) Trust Models and Threats", RFC 3756, 433 May 2004. 435 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 436 Architecture", RFC 4291, February 2006. 438 [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration 439 Protocol (DHCP) Leasequery", RFC 4388, February 2006. 441 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 442 Address Autoconfiguration", RFC 4862, September 2007. 444 [RFC4903] Thaler, D., "Multi-Link Subnet Issues", RFC 4903, 445 June 2007. 447 [RFC4943] Roy, S., Durand, A., and J. Paugh, "IPv6 Neighbor 448 Discovery On-Link Assumption Considered Harmful", 449 RFC 4943, September 2007. 451 Authors' Addresses 453 Hemant Singh 454 Cisco Systems, Inc. 455 1414 Massachusetts Ave. 456 Boxborough, MA 01719 457 USA 459 Phone: +1 978 936 1622 460 Email: shemant@cisco.com 461 URI: http://www.cisco.com/ 463 Wes Beebee 464 Cisco Systems, Inc. 465 1414 Massachusetts Ave. 466 Boxborough, MA 01719 467 USA 469 Phone: +1 978 936 2030 470 Email: wbeebee@cisco.com 471 URI: http://www.cisco.com/ 473 Erik Nordmark 474 Sun Microsystems 475 17 Network Circle 476 Menlo Park, CA 94025 477 USA 479 Phone: +1 650 786 2921 480 Email: erik.nordmark@sun.com