idnits 2.17.1 draft-ietf-6man-ipv6-subnet-model-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4861]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document updates RFC4861, but the abstract doesn't seem to directly say this. It does mention RFC4861 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4861, updated by this document, for RFC5378 checks: 2004-07-16) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 25, 2010) is 5136 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 1519 (Obsoleted by RFC 4632) -- Obsolete informational reference (is this intentional?): RFC 2461 (Obsoleted by RFC 4861) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group H. Singh 3 Internet-Draft W. Beebee 4 Updates: 4861 (if approved) Cisco Systems, Inc. 5 Intended status: Standards Track E. Nordmark 6 Expires: September 26, 2010 Oracle, Inc. 7 March 25, 2010 9 IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes 10 draft-ietf-6man-ipv6-subnet-model-10 12 Abstract 14 IPv6 specifies a model of a subnet that is different than the IPv4 15 subnet model. The subtlety of the differences has resulted in 16 incorrect implementations that do not interoperate. This document 17 spells out the most important difference: that an IPv6 address isn't 18 automatically associated with an IPv6 on-link prefix. This document 19 also updates (partially due to security concerns caused by incorrect 20 implementations) a part of the definition of on-link from [RFC4861]. 22 Status of this Memo 24 This Internet-Draft is submitted to IETF in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF), its areas, and its working groups. Note that 29 other groups may also distribute working documents as Internet- 30 Drafts. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 The list of current Internet-Drafts can be accessed at 38 http://www.ietf.org/ietf/1id-abstracts.txt. 40 The list of Internet-Draft Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html. 43 This Internet-Draft will expire on September 26, 2010. 45 Copyright Notice 47 Copyright (c) 2010 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the BSD License. 60 This document may contain material from IETF Documents or IETF 61 Contributions published or made publicly available before November 62 10, 2008. The person(s) controlling the copyright in some of this 63 material may not have granted the IETF Trust the right to allow 64 modifications of such material outside the IETF Standards Process. 65 Without obtaining an adequate license from the person(s) controlling 66 the copyright in such materials, this document may not be modified 67 outside the IETF Standards Process, and derivative works of it may 68 not be created outside the IETF Standards Process, except to format 69 it for publication as an RFC or to translate it into languages other 70 than English. 72 Table of Contents 74 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 75 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 76 3. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 4 77 4. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 8 78 5. Observed Incorrect Implementation Behavior . . . . . . . . . . 9 79 6. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 9 80 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 81 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 82 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10 83 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 84 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 85 11.1. Normative References . . . . . . . . . . . . . . . . . . 10 86 11.2. Informative References . . . . . . . . . . . . . . . . . 11 87 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 89 1. Requirements Language 91 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 92 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 93 document are to be interpreted as described in RFC 2119 [RFC2119]. 95 2. Introduction 97 IPv4 implementations typically associate a netmask with an address 98 when an IPv4 address is assigned to an interface. That netmask 99 together with the IPv4 address designates an on-link prefix. Nodes 100 consider addresses covered by an on-link prefix to be directly 101 attached to the same link as the sending node, i.e., they send 102 traffic for such addresses directly rather than to a router. See 103 section 3.3.1 in [RFC1122]. Prior to the development of subnetting 104 [RFC0950] and Classless Inter-Domain Routing (CIDR) [RFC1519], an 105 address's netmask could be derived directly from the address simply 106 by determining whether it was a Class A, B or C address. Today, 107 assigning an address to an interface also requires specifying a 108 netmask to use. In the absence of specifying a specific netmask when 109 assigning an address, some implementations would fall back to 110 deriving the netmask from the class of the address. 112 The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is 113 quite different. The on-link determination is separate from the 114 address assignment. A host can have IPv6 addresses without any 115 related on-link prefixes or can have on-link prefixes that are not 116 related to any IPv6 addresses that are assigned to the host. Any 117 assigned address on an interface should initially be considered as 118 having no internal structure as shown in [RFC4291]. 120 In IPv6, by default, a host treats only the link-local prefix as on- 121 link. 123 The reception of a Prefix Information Option (PIO) with the L-bit set 124 [RFC4861] and a non-zero valid lifetime creates (or updates) an entry 125 in the Prefix List. All prefixes on a host's Prefix List (i.e., have 126 not yet timed out) are considered to be on-link by that host. 128 The on-link definition in the Terminology section of [RFC4861], as 129 modified by this document, defines the complete list of cases where a 130 host considers an address to be on-link. Individual address entries 131 can be expired by the Neighbor Unreachability Detection mechanism. 133 IPv6 packets sent using the Conceptual Sending Algorithm as described 134 in [RFC4861] only trigger address resolution for IPv6 addresses that 135 the sender considers to be on-link. Packets to any other address are 136 sent to a default router. If there is no default router, then the 137 node should send an ICMPv6 Destination Unreachable indication as 138 specified in [RFC4861] - more details are provided in the Host 139 Behavior and Host Rules sections. (Note that [RFC4861] changed the 140 behavior when the Default Router List is empty. In the old version 141 of Neighbor Discovery [RFC2461], if the Default router List is empty, 142 rather than sending the ICMPv6 Destination Unreachable indication, 143 the [RFC2461] node assumed that the destination was on-link.") Note 144 that ND is scoped to a single link. All Neighbor Solicitation 145 responses are assumed to be sent out the same interface on which the 146 corresponding query was received without using the Conceptual Sending 147 Algorithm. 149 Failure of host implementations to correctly implement the IPv6 150 subnet model can result in lack of IPv6 connectivity. See the 151 Observed Incorrect Implementation Behavior section for details. 153 This document deprecates the last two bullets from the definition of 154 on-link from [RFC4861] to address security concerns arising from 155 particular ND implementations. 157 Host behavior is clarified in the Host Behavior and Rules section. 159 3. Host Behavior 161 1. The original Neighbor Discovery (ND) specification [RFC4861] was 162 unclear in its usage of the term on-link in a few places. In 163 IPv6, an address is on-link (with respect to a specific link), if 164 the address has been assigned to an interface attached to that 165 link. Any node attached to the link can send a datagram directly 166 to an on-link address without forwarding the datagram through a 167 router. However, in order for a node to know that a destination 168 is on-link, it must obtain configuration information to that 169 effect. In IPv6, there are two main ways of maintaining 170 information about on-link destinations. First, a host maintains 171 a Prefix List that identifies ranges of addresses that are to be 172 considered on-link. Second, Redirects can identify individual 173 destinations that are on-link; such Redirects update the 174 Destination Cache. 176 The Prefix List is populated via the following means: 178 * Receipt of a Valid Router Advertisement (RA) that specifies a 179 prefix with the L-bit set. Such a prefix is considered on- 180 link for a period specified in the Valid Lifetime and is added 181 to the Prefix List. (The link-local prefix is effectively 182 considered a permanent entry on the Prefix List.) 184 * Indication of an on-link prefix (which may be a /128) via 185 manual configuration, or some other yet-to-be specified 186 configuration mechanism. 188 A Redirect can also signal whether an address is on-link. If a 189 host originates a packet, but the first-hop router routes the 190 received packet back out onto the same link, the router also 191 sends the host a Redirect. If the Target and Destination Address 192 of the Redirect are the same, the Target Address is to be treated 193 as on-link as specified in Section 8 of [RFC4861]. That is, the 194 host updates its Destination Cache (but not its Prefix List -- 195 though the impact is similar). 197 2. It should be noted that ND does not have a way to indicate a 198 destination is "off-link". Rather, a destination is assumed to 199 be off-link, unless there is explicit information indicating that 200 it is on-link. Such information may later expire or be changed, 201 in which case a destination may revert back to being considered 202 off-link, but that is different than there being an explicit 203 mechanism for signaling that a destination is off-link. Redirect 204 Messages do not contain sufficient information to signal that an 205 address is off-link. Instead, Redirect Messages indicate a 206 preferred next-hop that is a more appropriate choice to use than 207 the originator of the Redirect. 209 3. IPv6 also defines the term "neighbor" to refer to nodes attached 210 to the same link and that can send packets directly to each 211 other. Received ND packets that pass the required validation 212 tests can only come from a neighbor attached to the link on which 213 the ND packet was received. Unfortunately, [RFC4861] is 214 imprecise in its definition of on-link and states that a node 215 considers an address to be on-link if: 217 - a Neighbor Advertisement message is received for the 218 (target) address, or 219 - any Neighbor Discovery message is received from the address. 221 Neither of these tests are acceptable definitions for an address 222 to be considered as on-link as defined above, and this document 223 deprecates and removes both of them from the formal definition of 224 on-link. Neither of these tests should be used as justification 225 for modifying the Prefix List or Destination Cache for an 226 address. 228 The conceptual sending algorithm of [RFC4861] defines a Prefix 229 List, Destination Cache, and Default Router List. The 230 combination of Prefix List, Destination Cache, and Default Router 231 List form what many implementations consider to be the IP data 232 forwarding table for a host. Note that the Neighbor Cache is a 233 separate data structure referenced by the Destination Cache, but 234 entries in the Neighbor Cache are not necessarily in the 235 Destination Cache. It is quite possible (and intentional) that 236 entries be added to the Neighbor Cache for addresses that would 237 not be considered on-link as-defined above. For example, upon 238 receipt of a valid NS, Section 7.2.3 of [RFC4861] states: 240 If an entry does not already exist, the node SHOULD create a 241 new one and set its reachability state to STALE as specified 242 in Section 7.3.3. If an entry already exists, and the cached 243 link-layer address differs from the one in the received Source 244 Link-Layer option, the cached address should be replaced by 245 the received address, and the entry's reachability state MUST 246 be set to STALE. 248 The intention of the above feature is to add an address to the 249 Neighbor Cache, even though it might not be considered on-link 250 per the Prefix List. The benefit of such a step is to have the 251 receiver populate the Neighbor Cache with an address it will 252 almost certainly be sending packets to shortly, thus avoiding the 253 need for an additional round of ND to perform address resolution. 254 But because there is no validation of the address being added to 255 the Neighbor Cache, an intruder could spoof the address and cause 256 a receiver to add an address for a remote site to its Neighbor 257 Cache. This vulnerability is a specific instance of the broad 258 set of attacks that are possible by an on-link neighbor 259 [RFC3756]. This causes no problems in practice, so long as the 260 entry only exists in the Neighbor Cache and the address is not 261 considered to be on-link by the IP forwarding code (i.e., the 262 address is not added to the Prefix List and is not marked as on- 263 link in the Destination Cache). 265 4. After the update to the on-link definition in [RFC4861], certain 266 text from section 7.2.3 of [RFC4861] may appear, upon a cursory 267 examination, to be inconsistent with the updated definition of 268 on-link because the text does not ensure that the source address 269 is already deemed on-link through other methods: 271 If the Source Address is not the unspecified address and, on 272 link layers that have addresses, the solicitation includes a 273 Source Link-Layer Address option, then the recipient SHOULD 274 create or update the Neighbor Cache entry for the IP Source 275 Address of the solicitation. 277 Similarly, the following text from section 6.2.5 of [RFC4861] may 278 also seem inconsistent: 280 If there is no existing Neighbor Cache entry for the 281 solicitation's sender, the router creates one, installs the 282 link-layer address and sets its reachability state to STALE as 283 specified in Section 7.3.3. 285 However, the text in the aforementioned sections of [RFC4861], 286 upon closer inspection, is actually consistent with the 287 deprecation of the last two bullets of the on-link definition 288 because there are two different ways in which on-link 289 determination can affect the state of ND: through updating the 290 Prefix List or the Destination Cache. Through deprecating the 291 last two bullets of the on-link definition, the Prefix List is 292 explicitly not to be changed when a node receives an NS, NA, or 293 RS. The Neighbor Cache can still be updated through receipt of 294 an NS, NA, or RS. 296 5. [RFC4861] is written from the perspective of a host with a single 297 interface on which Neighbor Discovery is run. All ND traffic 298 (whether sent or received) traverses the single interface. On 299 hosts with multiple interfaces, care must be taken to ensure that 300 the scope of ND processing from one link stays local to that 301 link. That is, when responding to a NS, the NA would be sent out 302 on the same link on which it was received. Likewise, a host 303 would not respond to a received NS for an address assigned to an 304 interface on a different link. Although implementations may 305 choose to implement Neighbor Discovery using a single data 306 structure that merges the Neighbor Caches of all interfaces, an 307 implementation's behavior must be consistent with the above 308 model. 310 4. Host Rules 312 A correctly implemented IPv6 host MUST adhere to the following rules: 314 1. The assignment of an IPv6 address, whether through IPv6 stateless 315 address autoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual 316 configuration MUST NOT implicitly cause a prefix derived from 317 that address to be treated as on-link and added to the Prefix 318 List. A host considers a prefix to be on-link only through 319 explicit means, such as those specified in the on-link definition 320 in the Terminology section of [RFC4861], as modified by this 321 document, or via manual configuration. Note that the requirement 322 for manually configured addresses is not explicitly mentioned in 323 [RFC4861]. 325 2. In the absence of other sources of on-link information, including 326 Redirects, if the RA advertises a prefix with the on-link(L) bit 327 set and later the Valid Lifetime expires, the host MUST then 328 consider addresses of the prefix to be off-link, as specified by 329 the PIO paragraph of section 6.3.4 of [RFC4861]. 331 3. In the absence of other sources of on-link information, including 332 Redirects, if the RA advertises a prefix with the on-link(L) bit 333 set and later the Valid Lifetime expires, the host MUST then 334 update its Prefix List with respect to the entry. In most cases, 335 this will result in the addresses covered by the prefix 336 defaulting back to being considered off-link, as specified by the 337 PIO paragraph of section 6.3.4 of [RFC4861]. However, there are 338 cases where an address could be covered by multiple entries in 339 the Prefix List, where expiration of one prefix would result in 340 destinations then being covered by a different entry. 342 4. Implementations compliant with [RFC4861] MUST adhere to the 343 following rules. If the Default Router List is empty and there 344 is no other source of on-link information about any address or 345 prefix: 347 1. The host MUST NOT assume that all destinations are on-link. 349 2. The host MUST NOT perform address resolution for non-link- 350 local addresses. 352 3. Since the host cannot assume the destination is on-link, and 353 off-link traffic cannot be sent to a default router (since 354 the Default Router List is empty), address resolution cannot 355 be performed. This case is specified in the last paragraph 356 of section 4 of [RFC4943]: when there is no route to 357 destination, the host should send an ICMPv6 Destination 358 Unreachable indication (for example, a locally delivered 359 error message) as specified in the Terminology section of 360 [RFC4861]. 362 On-link information concerning particular addresses and prefixes 363 can make those specific addresses and prefixes on-link, but does 364 not change the default behavior mentioned above for addresses and 365 prefixes not specified. [RFC4943] provides justification for 366 these rules. 368 5. Observed Incorrect Implementation Behavior 370 One incorrect implementation behavior illustrates the severe 371 consequences when the IPv6 subnet model is not understood by the 372 implementers of several popular host operating systems. In an access 373 concentrator network ([RFC4388]), a host receives a Router 374 Advertisement Message with no on-link prefix advertised. The host 375 incorrectly assumes an invented prefix is on-link. This invented 376 prefix typically is a /64 that was written by the developer of the 377 API as a "default" prefix length when a length isn't specified. This 378 may cause the API to seem to work in the case of a network interface 379 initiating SLAAC, however it can cause connectivity problems in NBMA 380 networks. Having incorrectly assumed an invented prefix, the host 381 performs address resolution when the host should send all non-link- 382 local traffic to a default router. Neither the router nor any other 383 host will respond to the address resolution, preventing this host 384 from sending IPv6 traffic. 386 6. Conclusion 388 This document clarifies and summarizes the relationship between links 389 and subnet prefixes described in [RFC4861]. Configuration of an IPv6 390 address does not imply the existence of corresponding on-link 391 prefixes. One should also look at API considerations for prefix 392 length as described in last paragraph of section 4.2 of [RFC4903]. 393 This document also updates the definition of on-link from [RFC4861] 394 by retracting the last two bullets. 396 7. Security Considerations 398 This document addresses a security concern present in [RFC4861]. As 399 a result, the last two bullets of the on-link definition in [RFC4861] 400 have been retracted. US-CERT Vulnerability Note VU#472363 lists the 401 implementations affected. 403 8. IANA Considerations 405 None. 407 9. Contributors 409 Thomas Narten contributed significant text and provided substantial 410 guidance to the production of this document. 412 10. Acknowledgements 414 Thanks (in alphabetical order) to Adeel Ahmed, Jari Arkko, Ralph 415 Droms, Alun Evans, Dave Forster, Prashanth Krishnamurthy, Suresh 416 Krishnan, Josh Littlefield, Bert Manfredi, David Miles, Madhu Sudan, 417 Jinmei Tatuya, Dave Thaler, Bernie Volz, and Vlad Yasevich for their 418 consistent input, ideas and review during the production of this 419 document. The security problem related to an NS message that 420 provides one reason for invalidating a part of the on-link definition 421 was found by David Miles. Jinmei Tatuya found the security problem 422 to also exist with an RS message. 424 11. References 426 11.1. Normative References 428 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 429 Requirement Levels", BCP 14, RFC 2119, March 1997. 431 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 432 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 433 September 2007. 435 11.2. Informative References 437 [RFC0950] Mogul, J. and J. Postel, "Internet Standard Subnetting 438 Procedure", STD 5, RFC 950, August 1985. 440 [RFC1122] Braden, R., "Requirements for Internet Hosts - 441 Communication Layers", STD 3, RFC 1122, October 1989. 443 [RFC1519] Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless 444 Inter-Domain Routing (CIDR): an Address Assignment and 445 Aggregation Strategy", RFC 1519, September 1993. 447 [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor 448 Discovery for IP Version 6 (IPv6)", RFC 2461, 449 December 1998. 451 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 452 and M. Carney, "Dynamic Host Configuration Protocol for 453 IPv6 (DHCPv6)", RFC 3315, July 2003. 455 [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor 456 Discovery (ND) Trust Models and Threats", RFC 3756, 457 May 2004. 459 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 460 Architecture", RFC 4291, February 2006. 462 [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration 463 Protocol (DHCP) Leasequery", RFC 4388, February 2006. 465 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 466 Address Autoconfiguration", RFC 4862, September 2007. 468 [RFC4903] Thaler, D., "Multi-Link Subnet Issues", RFC 4903, 469 June 2007. 471 [RFC4943] Roy, S., Durand, A., and J. Paugh, "IPv6 Neighbor 472 Discovery On-Link Assumption Considered Harmful", 473 RFC 4943, September 2007. 475 Authors' Addresses 477 Hemant Singh 478 Cisco Systems, Inc. 479 1414 Massachusetts Ave. 480 Boxborough, MA 01719 481 USA 483 Phone: +1 978 936 1622 484 Email: shemant@cisco.com 485 URI: http://www.cisco.com/ 487 Wes Beebee 488 Cisco Systems, Inc. 489 1414 Massachusetts Ave. 490 Boxborough, MA 01719 491 USA 493 Phone: +1 978 936 2030 494 Email: wbeebee@cisco.com 495 URI: http://www.cisco.com/ 497 Erik Nordmark 498 Oracle, Inc. 499 17 Network Circle 500 Menlo Park, CA 94025 501 USA 503 Phone: +1 650 786 2921 504 Email: erik.nordmark@sun.com