idnits 2.17.1 draft-ietf-6man-ipv6-subnet-model-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4861]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 234: '...lready exist, the node SHOULD create a...' RFC 2119 keyword, line 239: '...nd the entry's reachability state MUST...' RFC 2119 keyword, line 267: '...ress option, then the recipient SHOULD...' RFC 2119 keyword, line 306: '...mented IPv6 host MUST adhere to the fo...' RFC 2119 keyword, line 310: '... configuration MUST NOT implicitly c...' (6 more instances...) -- The draft header indicates that this document updates RFC4861, but the abstract doesn't seem to directly say this. It does mention RFC4861 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4861, updated by this document, for RFC5378 checks: 2004-07-16) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 5, 2010) is 5164 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 1519 (Obsoleted by RFC 4632) -- Obsolete informational reference (is this intentional?): RFC 2461 (Obsoleted by RFC 4861) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group H. Singh 3 Internet-Draft W. Beebee 4 Updates: 4861 (if approved) Cisco Systems, Inc. 5 Intended status: Standards Track E. Nordmark 6 Expires: September 6, 2010 Sun Microsystems 7 March 5, 2010 9 IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes 10 draft-ietf-6man-ipv6-subnet-model-08 12 Abstract 14 IPv6 specifies a model of a subnet that is different than the IPv4 15 subnet model. The subtlety of the differences has resulted in 16 incorrect implementations that do not interoperate. This document 17 spells out the most important difference; that an IPv6 address isn't 18 automatically associated with an IPv6 on-link prefix. This document 19 also updates (partially due to security concerns caused by incorrect 20 implementations) a part of the definition of on-link from [RFC4861]. 22 Status of this Memo 24 This Internet-Draft is submitted to IETF in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF), its areas, and its working groups. Note that 29 other groups may also distribute working documents as Internet- 30 Drafts. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 The list of current Internet-Drafts can be accessed at 38 http://www.ietf.org/ietf/1id-abstracts.txt. 40 The list of Internet-Draft Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html. 43 This Internet-Draft will expire on September 6, 2010. 45 Copyright Notice 47 Copyright (c) 2010 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the BSD License. 60 This document may contain material from IETF Documents or IETF 61 Contributions published or made publicly available before November 62 10, 2008. The person(s) controlling the copyright in some of this 63 material may not have granted the IETF Trust the right to allow 64 modifications of such material outside the IETF Standards Process. 65 Without obtaining an adequate license from the person(s) controlling 66 the copyright in such materials, this document may not be modified 67 outside the IETF Standards Process, and derivative works of it may 68 not be created outside the IETF Standards Process, except to format 69 it for publication as an RFC or to translate it into languages other 70 than English. 72 Table of Contents 74 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 75 2. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 5 76 3. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 8 77 4. Observed Incorrect Implementation Behavior . . . . . . . . . . 10 78 5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 10 79 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 80 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 81 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 11 82 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 83 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 84 10.1. Normative References . . . . . . . . . . . . . . . . . . 11 85 10.2. Informative References . . . . . . . . . . . . . . . . . 12 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 88 1. Introduction 90 IPv4 implementations typically associate a netmask with an address 91 when an IPv4 address is assigned to an interface. That netmask 92 together with the IPv4 address designates an on-link prefix. Nodes 93 consider addresses covered by an on-link prefix to be directly 94 attached to the same link as the sending node, i.e., they send 95 traffic for such addresses directly rather than to a router. See 96 section 3.3.1 in [RFC1122]. Prior to the development of subnetting 97 [RFC0950] and Classless Inter-Domain Routing (CIDR) [RFC1519], an 98 address's netmask could be derived directly from the address simply 99 by determining whether it was a Class A, B or C address. Today, 100 assigning an address to an interface also requires specifying a 101 netmask to use. In the absence of specifying a specific netmask when 102 assigning an address, some implementations would fall back to 103 deriving the netmask from the class of the address. 105 The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is 106 quite different. The on-link determination is separate from the 107 address assignment. A host can have IPv6 addresses without any 108 related on-link prefixes or has on-link prefixes that are not related 109 to any IPv6 addresses that are assigned to the host. Any assigned 110 address on an interface should initially be considered as having no 111 internal structure as shown in [RFC4291]. 113 In IPv6, by default, a host treats only the link-local prefix as on- 114 link. 116 The reception of a Prefix Information Option (PIO) with the L-bit set 117 [RFC4861] and a non-zero valid lifetime creates (or updates) an entry 118 in the Prefix List. All prefixes on a host's Prefix List, i.e., have 119 not yet timed out, are considered to be on-link by that host. 121 The on-link definition in the Terminology section of [RFC4861], as 122 modified by this document, defines the complete list of cases where a 123 host considers an address to be on-link. Individual address entries 124 can be expired by the Neighbor Unreachability Detection mechanism. 126 IPv6 packets sent using the Conceptual Sending Algorithm as described 127 in [RFC4861] only trigger address resolution for IPv6 addresses that 128 the sender considers to be on-link. Packets to any other address are 129 sent to a default router. If there is no default router, then the 130 node should send an ICMPv6 Destination Unreachable indication as 131 specified in [RFC4861] - more details are provided in the Host 132 Behavior and Rules section. (Note that [RFC4861] changed the 133 behavior when the Default Router List is empty. In the old version 134 of Neighbor Discovery [RFC2461], if the Default router List is empty, 135 rather than sending the ICMPv6 Destination Unreachable indication, 136 the [RFC2461] node assumed that the destination was on-link.") Note 137 that ND is scoped to a single link. All Neighbor Solicitation 138 responses are assumed to be sent out the same interface on which the 139 corresponding query was received without using the Conceptual Sending 140 Algorithm. 142 Failure of host implementations to correctly implement the IPv6 143 subnet model can result in lack of IPv6 connectivity. See the 144 Observed Incorrect Implementation Behavior section for details. 146 This document deprecates the last two bullets from the definition of 147 on-link from [RFC4861] to address security concerns arising from 148 particular ND implementations. 150 Host behavior is clarified in the Host Behavior and Rules section. 152 2. Host Behavior 154 1. The original Neighbor Discovery (ND) specification [RFC4861] was 155 unclear in its usage of the term on-link in a few places. In 156 IPv6, an address is on-link (with respect to a specific link), if 157 the address has been assigned to an interface attached to that 158 link. Any node attached to the link can send a datagram directly 159 to an on-link address without forwarding the datagram through a 160 router. However, in order for a node to know that a destination 161 is on-link, it must obtain configuration information to that 162 effect. In IPv6, there are two main ways of maintaining 163 information about on-link destinations. First, a host maintains 164 a Prefix List that identifies ranges of addresses that are to be 165 considered on-link. Second, Redirects can identify individual 166 destinations that are on-link; such Redirects update the 167 Destination Cache. 169 The Prefix List is populated via the following means: 171 * Receipt of a Valid Router Advertisement (RA) that specifies a 172 prefix with the L-bit set. Such a prefix is considered on- 173 link for a period specified in the Valid Lifetime and is added 174 to the Prefix List. (The link-local prefix is effectively 175 considered a permanent entry on the Prefix List.) 177 * Indication of an on-link prefix (which may be a /128) via 178 manual configuration, or some other yet-to-be specified 179 configuration mechanism. 181 A Redirect can also signal whether an address is on-link. If a 182 host originates a packet, but the first-hop router routes the 183 received packet back out onto the same link, the router also 184 sends the host a Redirect. If the Target and Destination Address 185 of the Redirect are the same, the Target Address is to be treated 186 as on-link as specified in Section 8 of [RFC4861]. That is, the 187 host updates its Destination Cache (but not its Prefix List -- 188 though the impact is similar). 190 2. It should be noted that ND does not have a way to indicate a 191 destination is "off-link". Rather, a destination is assumed to 192 be off-link, unless there is explicit information indicating that 193 it is on-link. Such information may later expire or be changed, 194 in which case a destination may revert back to being considered 195 off-link, but that is different than there being an explicit 196 mechanism for signaling that a destination is off-link. Redirect 197 Messages do not contain sufficient information to signal that an 198 address is off-link. Instead, Redirect Messages indicate a 199 preferred next-hop that is a more appropriate choice to use than 200 the originator of the Redirect. 202 3. IPv6 also defines the term "neighbor" to refer to nodes attached 203 to the same link and that can send packets directly to each 204 other. Received ND packets that pass the required validation 205 tests can only come from a neighbor attached to the link on which 206 the ND packet was received. Unfortunately, [RFC4861] is 207 imprecise in its definition of on-link and states that a node 208 considers an address to be on-link if: 210 - a Neighbor Advertisement message is received for the 211 (target) address, or 213 - any Neighbor Discovery message is received from the address. 215 Neither of these tests are acceptable definitions for an address 216 to be considered as on-link as defined above, and this document 217 deprecates and removes both of them from the formal definition of 218 on-link. Neither of these tests should be used as justification 219 for modifying the Prefix List or Destination Cache for an 220 address. 222 The conceptual sending algorithm of [RFC4861] defines a Prefix 223 List, Destination Cache, and Default Router List. The 224 combination of Prefix List, Destination Cache, and Default Router 225 List form what many implementations consider to be the IP data 226 forwarding table for a host. Note that the Neighbor Cache is a 227 separate data structure referenced by the Destination Cache, but 228 entries in the Neighbor Cache are not necessarily in the 229 Destination Cache. It is quite possible (and intentional) that 230 entries be added to the Neighbor Cache for addresses that would 231 not be considered on-link as-defined above. For example, upon 232 receipt of a valid NS, Section 7.2.3 of [RFC4861] states: 234 If an entry does not already exist, the node SHOULD create a 235 new one and set its reachability state to STALE as specified 236 in Section 7.3.3. If an entry already exists, and the cached 237 link-layer address differs from the one in the received Source 238 Link-Layer option, the cached address should be replaced by 239 the received address, and the entry's reachability state MUST 240 be set to STALE. 242 The intention of the above feature is to add an address to the 243 Neighbor Cache, even though it might not be considered on-link 244 per the Prefix List. The benefit of such a step is to have the 245 receiver populate the Neighbor Cache with an address it will 246 almost certainly be sending packets to shortly, thus avoiding the 247 need for an additional round of ND to perform address resolution. 248 But because there is no validation of the address being added to 249 the Neighbor Cache, an intruder could spoof the address and cause 250 a receiver to add an address for a remote site to its Neighbor 251 Cache. This vulnerability is a specific instance of the broad 252 set of attacks that are possible by an on-link neighbor 253 [RFC3756]. This causes no problems in practice, so long as the 254 entry only exists in the Neighbor Cache and the address is not 255 considered to be on-link by the IP forwarding code (i.e., the 256 address is not added to the Prefix List and is not marked as on- 257 link in the Destination Cache). 259 4. After the update to the on-link definition in [RFC4861], certain 260 text from section 7.2.3 of [RFC4861] may appear, upon a cursory 261 examination, to be inconsistent with the updated definition of 262 on-link because the text does not ensure that the source address 263 is already deemed on-link through other methods: 265 If the Source Address is not the unspecified address and, on 266 link layers that have addresses, the solicitation includes a 267 Source Link-Layer Address option, then the recipient SHOULD 268 create or update the Neighbor Cache entry for the IP Source 269 Address of the solicitation. 271 Similarly, the following text from section 6.2.5 of [RFC4861] may 272 also seem inconsistent: 274 If there is no existing Neighbor Cache entry for the 275 solicitation's sender, the router creates one, installs the 276 link-layer address and sets its reachability state to STALE as 277 specified in Section 7.3.3. 279 However, the text in the aforementioned sections of [RFC4861], 280 upon closer inspection, is actually consistent with the 281 deprecation of the last two bullets of the on-link definition 282 because there are two different ways in which on-link 283 determination can affect the state of ND: through updating the 284 Prefix List or the Destination Cache. Through deprecating the 285 last two bullets of the on-link definition, the Prefix List is 286 explicitly not to be changed when a node receives an NS, NA, or 287 RS. The Neighbor Cache can still be updated through receipt of 288 an NS, NA, or RS. 290 5. [RFC4861] is written from the perspective of a host with a single 291 interface on which Neighbor Discovery is run. All ND traffic 292 (whether sent or received) traverses the single interface. On 293 hosts with multiple interfaces, care must be taken to ensure that 294 the scope of ND processing from one link stays local to that 295 link. That is, when responding to a NS, the NA would be sent out 296 on the same link on which it was received. Likewise, a host 297 would not respond to a received NS for an address assigned to an 298 interface on a different link. Although implementations may 299 choose to implement Neighbor Discovery using a single data 300 structure that merges the Neighbor Caches of all interfaces, an 301 implementation's behavior must be consistent with the above 302 model. 304 3. Host Rules 306 A correctly implemented IPv6 host MUST adhere to the following rules: 308 1. The assignment of an IPv6 address, whether through IPv6 stateless 309 address autoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual 310 configuration MUST NOT implicitly cause a prefix derived from 311 that address to be treated as on-link and added to the Prefix 312 List. A host considers a prefix to be on-link only through 313 explicit means, such as those specified in the on-link definition 314 in the Terminology section of [RFC4861], as modified by this 315 document, or via manual configuration. Note that the requirement 316 for manually configured addresses is not explicitly mentioned in 317 [RFC4861]. 319 2. In the absence of other sources of on-link information, including 320 Redirects, if the RA advertises a prefix with the on-link(L) bit 321 set and later the Valid Lifetime expires, the host MUST then 322 consider addresses of the prefix to be off-link, as specified by 323 the PIO paragraph of section 6.3.4 of [RFC4861]. 325 3. In the absence of other sources of on-link information, including 326 Redirects, if the RA advertises a prefix with the on-link(L) bit 327 set and later the Valid Lifetime expires, the host MUST then 328 update its Prefix List with respect to the entry. In most cases, 329 this will result in the addresses covered by the prefix 330 defaulting back to being considered off-link, as specified by the 331 PIO paragraph of section 6.3.4 of [RFC4861]. However, there are 332 cases where an address could be covered by multiple entries in 333 the Prefix List, where expiration of one prefix would result in 334 destinations then being covered by a different entry. 336 4. Implementations compliant with [RFC4861] MUST adhere to the 337 following rules. If the Default Router List is empty and there 338 is no other source of on-link information about any address or 339 prefix: 341 1. The host MUST NOT assume that all destinations are on-link. 343 2. The host MUST NOT perform address resolution for non-link- 344 local addresses. 346 3. Since the host cannot assume the destination is on-link, and 347 off-link traffic cannot be sent to a default router (since 348 the Default Router List is empty), address resolution cannot 349 be performed. This case is specified in the last paragraph 350 of section 4 of [RFC4943]: when there is no route to 351 destination, the host should send an ICMPv6 Destination 352 Unreachable indication (for example, a locally delivered 353 error message) as specified in the Terminology section of 354 [RFC4861]. 356 On-link information concerning particular addresses and prefixes 357 can make those specific addresses and prefixes on-link, but does 358 not change the default behavior mentioned above for addresses and 359 prefixes not specified. [RFC4943] provides justification for 360 these rules. 362 5. Hosts MUST verify that on-link information is still valid after 363 IPv6 interface re-initialization. Failure to do so may lead to 364 lack of IPv6 network connectivity. For example, a host receives 365 an RA from a router with on-link prefix A. The host powers down. 366 During the power off, the router sends out prefix A with on-link 367 bit set and a zero lifetime to indicate a renumbering. The host 368 misses the renumbering. The host powers on and comes online. 369 Then, the router sends an RA with no PIO. The host uses cached 370 on-link prefix A and issues NS's instead of sending traffic to a 371 default router. The "Observed Incorrect Implementation Behavior" 372 section below describes how this can result in lack of IPv6 373 connectivity. 375 4. Observed Incorrect Implementation Behavior 377 One incorrect implementation behavior illustrates the severe 378 consequences when the IPv6 subnet model is not understood by the 379 implementers of several popular host operating systems. In an access 380 concentrator network ([RFC4388]), a host receives a Router 381 Advertisement Message with no on-link prefix advertised. The host 382 incorrectly assumes an invented prefix is on-link. This invented 383 prefix typically is a /64 that was written by the developer of the 384 API as a "default" prefix length when a length isn't specified. This 385 may cause the API to seem to work in the case of a network interface 386 initiating SLAAC, however it can cause connectivity problems in NBMA 387 networks. Having incorrectly assumed an invented prefix, the host 388 performs address resolution when the host should send all non-link- 389 local traffic to a default router. Neither the router nor any other 390 host will respond to the address resolution, preventing this host 391 from sending IPv6 traffic. 393 5. Conclusion 395 This document clarifies and summarizes the relationship between links 396 and subnet prefixes described in [RFC4861]. Configuration of an IPv6 397 address does not imply the existence of corresponding on-link 398 prefixes. One should also look at API considerations for prefix 399 length as described in last paragraph of section 4.2 of [RFC4903]. 400 This document also updates the definition of on-link from [RFC4861] 401 by retracting the last two bullets. 403 6. Security Considerations 405 This document addresses a security concern present in [RFC4861]. As 406 a result, the last two bullets of the on-link definition in [RFC4861] 407 have been retracted. US-CERT Vulnerability Note VU#472363 lists the 408 implementations affected. 410 7. IANA Considerations 412 None. 414 8. Contributors 416 Thomas Narten contributed significant text and provided substantial 417 guidance to the production of this document. 419 9. Acknowledgements 421 Thanks (in alphabetical order) to Adeel Ahmed, Jari Arkko, Ralph 422 Droms, Alun Evans, Dave Forster, Prashanth Krishnamurthy, Suresh 423 Krishnan, Josh Littlefield, Bert Manfredi, David Miles, Madhu Sudan, 424 Jinmei Tatuya, Dave Thaler, Bernie Volz, and Vlad Yasevich for their 425 consistent input, ideas and review during the production of this 426 document. The security problem related to an NS message that 427 provides one reason for invalidating a part of the on-link definition 428 was found by David Miles. Jinmei Tatuya found the security problem 429 to also exist with an RS message. 431 10. References 433 10.1. Normative References 435 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 436 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 437 September 2007. 439 10.2. Informative References 441 [RFC0950] Mogul, J. and J. Postel, "Internet Standard Subnetting 442 Procedure", STD 5, RFC 950, August 1985. 444 [RFC1122] Braden, R., "Requirements for Internet Hosts - 445 Communication Layers", STD 3, RFC 1122, October 1989. 447 [RFC1519] Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless 448 Inter-Domain Routing (CIDR): an Address Assignment and 449 Aggregation Strategy", RFC 1519, September 1993. 451 [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor 452 Discovery for IP Version 6 (IPv6)", RFC 2461, 453 December 1998. 455 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 456 and M. Carney, "Dynamic Host Configuration Protocol for 457 IPv6 (DHCPv6)", RFC 3315, July 2003. 459 [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor 460 Discovery (ND) Trust Models and Threats", RFC 3756, 461 May 2004. 463 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 464 Architecture", RFC 4291, February 2006. 466 [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration 467 Protocol (DHCP) Leasequery", RFC 4388, February 2006. 469 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 470 Address Autoconfiguration", RFC 4862, September 2007. 472 [RFC4903] Thaler, D., "Multi-Link Subnet Issues", RFC 4903, 473 June 2007. 475 [RFC4943] Roy, S., Durand, A., and J. Paugh, "IPv6 Neighbor 476 Discovery On-Link Assumption Considered Harmful", 477 RFC 4943, September 2007. 479 Authors' Addresses 481 Hemant Singh 482 Cisco Systems, Inc. 483 1414 Massachusetts Ave. 484 Boxborough, MA 01719 485 USA 487 Phone: +1 978 936 1622 488 Email: shemant@cisco.com 489 URI: http://www.cisco.com/ 491 Wes Beebee 492 Cisco Systems, Inc. 493 1414 Massachusetts Ave. 494 Boxborough, MA 01719 495 USA 497 Phone: +1 978 936 2030 498 Email: wbeebee@cisco.com 499 URI: http://www.cisco.com/ 501 Erik Nordmark 502 Sun Microsystems 503 17 Network Circle 504 Menlo Park, CA 94025 505 USA 507 Phone: +1 650 786 2921 508 Email: erik.nordmark@sun.com