idnits 2.17.1 draft-ietf-6man-ipv6-subnet-model-12.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4861]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. -- The draft header indicates that this document updates RFC4861, but the abstract doesn't seem to directly say this. It does mention RFC4861 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4861, updated by this document, for RFC5378 checks: 2004-07-16) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 27, 2010) is 5105 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 1519 (Obsoleted by RFC 4632) -- Obsolete informational reference (is this intentional?): RFC 2461 (Obsoleted by RFC 4861) -- Obsolete informational reference (is this intentional?): RFC 3315 (Obsoleted by RFC 8415) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group H. Singh 3 Internet-Draft W. Beebee 4 Updates: 4861 (if approved) Cisco Systems, Inc. 5 Intended status: Standards Track E. Nordmark 6 Expires: October 29, 2010 Oracle, Inc. 7 April 27, 2010 9 IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes 10 draft-ietf-6man-ipv6-subnet-model-12 12 Abstract 14 IPv6 specifies a model of a subnet that is different than the IPv4 15 subnet model. The subtlety of the differences has resulted in 16 incorrect implementations that do not interoperate. This document 17 spells out the most important difference: that an IPv6 address isn't 18 automatically associated with an IPv6 on-link prefix. This document 19 also updates (partially due to security concerns caused by incorrect 20 implementations) a part of the definition of on-link from [RFC4861]. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on October 29, 2010. 39 Copyright Notice 41 Copyright (c) 2010 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 This document may contain material from IETF Documents or IETF 55 Contributions published or made publicly available before November 56 10, 2008. The person(s) controlling the copyright in some of this 57 material may not have granted the IETF Trust the right to allow 58 modifications of such material outside the IETF Standards Process. 59 Without obtaining an adequate license from the person(s) controlling 60 the copyright in such materials, this document may not be modified 61 outside the IETF Standards Process, and derivative works of it may 62 not be created outside the IETF Standards Process, except to format 63 it for publication as an RFC or to translate it into languages other 64 than English. 66 Table of Contents 68 1. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 69 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 70 3. Host Behavior . . . . . . . . . . . . . . . . . . . . . . . . 5 71 4. Host Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 9 72 5. Observed Incorrect Implementation Behavior . . . . . . . . . . 10 73 6. Updates to RFC 4861 . . . . . . . . . . . . . . . . . . . . . 11 74 7. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 11 75 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 76 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 77 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 11 78 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 79 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 80 12.1. Normative References . . . . . . . . . . . . . . . . . . 12 81 12.2. Informative References . . . . . . . . . . . . . . . . . 12 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 84 1. Requirements Language 86 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 87 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 88 document are to be interpreted as described in RFC 2119 [RFC2119]. 90 2. Introduction 92 IPv4 implementations typically associate a netmask with an address 93 when an IPv4 address is assigned to an interface. That netmask 94 together with the IPv4 address designates an on-link prefix. Nodes 95 consider addresses covered by an on-link prefix to be directly 96 attached to the same link as the sending node, i.e., they send 97 traffic for such addresses directly rather than to a router. See 98 section 3.3.1 in [RFC1122]. Prior to the development of subnetting 99 [RFC0950] and Classless Inter-Domain Routing (CIDR) [RFC1519], an 100 address's netmask could be derived directly from the address simply 101 by determining whether it was a Class A, B or C address. Today, 102 assigning an address to an interface also requires specifying a 103 netmask to use. In the absence of specifying a specific netmask when 104 assigning an address, some implementations would fall back to 105 deriving the netmask from the class of the address. 107 The behavior of IPv6 as specified in Neighbor Discovery [RFC4861] is 108 quite different. The on-link determination is separate from the 109 address assignment. A host can have IPv6 addresses without any 110 related on-link prefixes or can have on-link prefixes that are not 111 related to any IPv6 addresses that are assigned to the host. Any 112 assigned address on an interface should initially be considered as 113 having no internal structure as shown in [RFC4291]. 115 In IPv6, by default, a host treats only the link-local prefix as on- 116 link. 118 The reception of a Prefix Information Option (PIO) with the L-bit set 119 [RFC4861] and a non-zero valid lifetime creates (or updates) an entry 120 in the Prefix List. All prefixes on a host's Prefix List (i.e., have 121 not yet timed out) are considered to be on-link by that host. 123 The on-link definition in the Terminology section of [RFC4861], as 124 modified by this document, defines the complete list of cases where a 125 host considers an address to be on-link. Individual address entries 126 can be expired by the Neighbor Unreachability Detection mechanism. 128 IPv6 packets sent using the Conceptual Sending Algorithm as described 129 in [RFC4861] only trigger address resolution for IPv6 addresses that 130 the sender considers to be on-link. Packets to any other address are 131 sent to a default router. If there is no default router, then the 132 node should send an ICMPv6 Destination Unreachable indication as 133 specified in [RFC4861] - more details are provided in the Host 134 Behavior and Host Rules sections. (Note that [RFC4861] changed the 135 behavior when the Default Router List is empty. In the old version 136 of Neighbor Discovery [RFC2461], if the Default router List is empty, 137 rather than sending the ICMPv6 Destination Unreachable indication, 138 the [RFC2461] node assumed that the destination was on-link.") Note 139 that ND is scoped to a single link. All Neighbor Solicitation 140 responses are assumed to be sent out the same interface on which the 141 corresponding query was received without using the Conceptual Sending 142 Algorithm. 144 Failure of host implementations to correctly implement the IPv6 145 subnet model can result in lack of IPv6 connectivity. See the 146 Observed Incorrect Implementation Behavior section for details. 148 This document deprecates the last two bullets from the definition of 149 on-link from [RFC4861] to address security concerns arising from 150 particular ND implementations. 152 Host behavior is clarified in the Host Behavior and Rules section. 154 3. Host Behavior 156 1. The original Neighbor Discovery (ND) specification [RFC4861] was 157 unclear in its usage of the term on-link in a few places. In 158 IPv6, an address is on-link (with respect to a specific link), if 159 the address has been assigned to an interface attached to that 160 link. Any node attached to the link can send a datagram directly 161 to an on-link address without forwarding the datagram through a 162 router. However, in order for a node to know that a destination 163 is on-link, it must obtain configuration information to that 164 effect. In IPv6, there are two main ways of maintaining 165 information about on-link destinations. First, a host maintains 166 a Prefix List that identifies ranges of addresses that are to be 167 considered on-link. Second, Redirects can identify individual 168 destinations that are on-link; such Redirects update the 169 Destination Cache. 171 The Prefix List is populated via the following means: 173 * Receipt of a Valid Router Advertisement (RA) that specifies a 174 prefix with the L-bit set. Such a prefix is considered on- 175 link for a period specified in the Valid Lifetime and is added 176 to the Prefix List. (The link-local prefix is effectively 177 considered a permanent entry on the Prefix List.) 179 * Indication of an on-link prefix (which may be a /128) via 180 manual configuration, or some other yet-to-be specified 181 configuration mechanism. 183 A Redirect can also signal whether an address is on-link. If a 184 host originates a packet, but the first-hop router routes the 185 received packet back out onto the same link, the router also 186 sends the host a Redirect. If the Target and Destination Address 187 of the Redirect are the same, the Target Address is to be treated 188 as on-link as specified in Section 8 of [RFC4861]. That is, the 189 host updates its Destination Cache (but not its Prefix List -- 190 though the impact is similar). 192 2. It should be noted that ND does not have a way to indicate a 193 destination is "off-link". Rather, a destination is assumed to 194 be off-link, unless there is explicit information indicating that 195 it is on-link. Such information may later expire or be changed, 196 in which case a destination may revert back to being considered 197 off-link, but that is different than there being an explicit 198 mechanism for signaling that a destination is off-link. Redirect 199 Messages do not contain sufficient information to signal that an 200 address is off-link. Instead, Redirect Messages indicate a 201 preferred next-hop that is a more appropriate choice to use than 202 the originator of the Redirect. 204 3. IPv6 also defines the term "neighbor" to refer to nodes attached 205 to the same link and that can send packets directly to each 206 other. Received ND packets that pass the required validation 207 tests can only come from a neighbor attached to the link on which 208 the ND packet was received. Unfortunately, [RFC4861] is 209 imprecise in its definition of on-link and states that a node 210 considers an address to be on-link if: 212 - a Neighbor Advertisement message is received for the 213 (target) address, or 214 - any Neighbor Discovery message is received from the address. 216 Neither of these tests are acceptable definitions for an address 217 to be considered as on-link as defined above, and this document 218 deprecates and removes both of them from the formal definition of 219 on-link. Neither of these tests should be used as justification 220 for modifying the Prefix List or Destination Cache for an 221 address. 223 The conceptual sending algorithm of [RFC4861] defines a Prefix 224 List, Destination Cache, and Default Router List. The 225 combination of Prefix List, Destination Cache, and Default Router 226 List form what many implementations consider to be the IP data 227 forwarding table for a host. Note that the Neighbor Cache is a 228 separate data structure referenced by the Destination Cache, but 229 entries in the Neighbor Cache are not necessarily in the 230 Destination Cache. It is quite possible (and intentional) that 231 entries be added to the Neighbor Cache for addresses that would 232 not be considered on-link as-defined above. For example, upon 233 receipt of a valid NS, Section 7.2.3 of [RFC4861] states: 235 If an entry does not already exist, the node SHOULD create a 236 new one and set its reachability state to STALE as specified 237 in Section 7.3.3. If an entry already exists, and the cached 238 link-layer address differs from the one in the received Source 239 Link-Layer option, the cached address should be replaced by 240 the received address, and the entry's reachability state MUST 241 be set to STALE. 243 The intention of the above feature is to add an address to the 244 Neighbor Cache, even though it might not be considered on-link 245 per the Prefix List. The benefit of such a step is to have the 246 receiver populate the Neighbor Cache with an address it will 247 almost certainly be sending packets to shortly, thus avoiding the 248 need for an additional round of ND to perform address resolution. 249 But because there is no validation of the address being added to 250 the Neighbor Cache, an intruder could spoof the address and cause 251 a receiver to add an address for a remote site to its Neighbor 252 Cache. This vulnerability is a specific instance of the broad 253 set of attacks that are possible by an on-link neighbor 254 [RFC3756]. This causes no problems in practice, so long as the 255 entry only exists in the Neighbor Cache and the address is not 256 considered to be on-link by the IP forwarding code (i.e., the 257 address is not added to the Prefix List and is not marked as on- 258 link in the Destination Cache). 260 4. After the update to the on-link definition in [RFC4861], certain 261 text from section 7.2.3 of [RFC4861] may appear, upon a cursory 262 examination, to be inconsistent with the updated definition of 263 on-link because the text does not ensure that the source address 264 is already deemed on-link through other methods: 266 If the Source Address is not the unspecified address and, on 267 link layers that have addresses, the solicitation includes a 268 Source Link-Layer Address option, then the recipient SHOULD 269 create or update the Neighbor Cache entry for the IP Source 270 Address of the solicitation. 272 Similarly, the following text from section 6.2.5 of [RFC4861] may 273 also seem inconsistent: 275 If there is no existing Neighbor Cache entry for the 276 solicitation's sender, the router creates one, installs the 277 link-layer address and sets its reachability state to STALE as 278 specified in Section 7.3.3. 280 However, the text in the aforementioned sections of [RFC4861], 281 upon closer inspection, is actually consistent with the 282 deprecation of the last two bullets of the on-link definition 283 because there are two different ways in which on-link 284 determination can affect the state of ND: through updating the 285 Prefix List or the Destination Cache. Through deprecating the 286 last two bullets of the on-link definition, the Prefix List is 287 explicitly not to be changed when a node receives an NS, NA, or 288 RS. The Neighbor Cache can still be updated through receipt of 289 an NS, NA, or RS. 291 5. [RFC4861] is written from the perspective of a host with a single 292 interface on which Neighbor Discovery is run. All ND traffic 293 (whether sent or received) traverses the single interface. On 294 hosts with multiple interfaces, care must be taken to ensure that 295 the scope of ND processing from one link stays local to that 296 link. That is, when responding to a NS, the NA would be sent out 297 on the same link on which it was received. Likewise, a host 298 would not respond to a received NS for an address assigned to an 299 interface on a different link. Although implementations may 300 choose to implement Neighbor Discovery using a single data 301 structure that merges the Neighbor Caches of all interfaces, an 302 implementation's behavior must be consistent with the above 303 model. 305 4. Host Rules 307 A correctly implemented IPv6 host MUST adhere to the following rules: 309 1. The assignment of an IPv6 address, whether through IPv6 stateless 310 address autoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual 311 configuration MUST NOT implicitly cause a prefix derived from 312 that address to be treated as on-link and added to the Prefix 313 List. A host considers a prefix to be on-link only through 314 explicit means, such as those specified in the on-link definition 315 in the Terminology section of [RFC4861], as modified by this 316 document, or via manual configuration. Note that the requirement 317 for manually configured addresses is not explicitly mentioned in 318 [RFC4861]. 320 2. In the absence of other sources of on-link information, including 321 Redirects, if the RA advertises a prefix with the on-link(L) bit 322 set and later the Valid Lifetime expires, the host MUST then 323 consider addresses of the prefix to be off-link, as specified by 324 the PIO paragraph of section 6.3.4 of [RFC4861]. 326 3. In the absence of other sources of on-link information, including 327 Redirects, if the RA advertises a prefix with the on-link(L) bit 328 set and later the Valid Lifetime expires, the host MUST then 329 update its Prefix List with respect to the entry. In most cases, 330 this will result in the addresses covered by the prefix 331 defaulting back to being considered off-link, as specified by the 332 PIO paragraph of section 6.3.4 of [RFC4861]. However, there are 333 cases where an address could be covered by multiple entries in 334 the Prefix List, where expiration of one prefix would result in 335 destinations then being covered by a different entry. 337 4. Implementations compliant with [RFC4861] MUST adhere to the 338 following rules. If the Default Router List is empty and there 339 is no other source of on-link information about any address or 340 prefix: 342 1. The host MUST NOT assume that all destinations are on-link. 344 2. The host MUST NOT perform address resolution for non-link- 345 local addresses. 347 3. Since the host cannot assume the destination is on-link, and 348 off-link traffic cannot be sent to a default router (since 349 the Default Router List is empty), address resolution cannot 350 be performed. This case is specified in the last paragraph 351 of section 4 of [RFC4943]: when there is no route to 352 destination, the host should send an ICMPv6 Destination 353 Unreachable indication (for example, a locally delivered 354 error message) as specified in the Terminology section of 355 [RFC4861]. 357 On-link information concerning particular addresses and prefixes 358 can make those specific addresses and prefixes on-link, but does 359 not change the default behavior mentioned above for addresses and 360 prefixes not specified. [RFC4943] provides justification for 361 these rules. 363 5. Observed Incorrect Implementation Behavior 365 One incorrect implementation behavior illustrates the severe 366 consequences when the IPv6 subnet model is not understood by the 367 implementers of several popular host operating systems. In an access 368 concentrator network ([RFC4388]), a host receives a Router 369 Advertisement Message with no on-link prefix advertised. An address 370 could be acquired through the DHCPv6 IA_NA option (which does not 371 include a prefix length), or through manual configuration (if no 372 prefix length is specified). The host incorrectly assumes an 373 invented prefix is on-link. This invented prefix typically is a /64 374 that was written by the developer of the operating system network 375 module API to any IPv6 application as a "default" prefix length when 376 a length isn't specified. This may cause the API to seem to work in 377 the case of a network interface initiating SLAAC, however it can 378 cause connectivity problems in NBMA networks. Having incorrectly 379 assumed an invented prefix, the host performs address resolution when 380 the host should send all non-link-local traffic to a default router. 381 Neither the router nor any other host will respond to the address 382 resolution, preventing this host from sending IPv6 traffic. 384 6. Updates to RFC 4861 386 This document deprecates the following two bullets from the on-link 387 definition in section 2.1 of [RFC4861]: 389 o a Neighbor Advertisement message is received for the (target) 390 address, or 392 o any Neighbor Discovery message is received from the address. 394 7. Conclusion 396 This document clarifies and summarizes the relationship between links 397 and subnet prefixes described in [RFC4861]. Configuration of an IPv6 398 address does not imply the existence of corresponding on-link 399 prefixes. One should also look at API considerations for prefix 400 length as described in last paragraph of section 4.2 of [RFC4903]. 401 This document also updates the definition of on-link from [RFC4861] 402 by deprecating the last two bullets. 404 8. Security Considerations 406 This document addresses a security concern present in [RFC4861]. As 407 a result, the last two bullets of the on-link definition in [RFC4861] 408 have been deprecated. US-CERT Vulnerability Note VU#472363 lists the 409 implementations affected. 411 9. IANA Considerations 413 None. 415 10. Contributors 417 Thomas Narten contributed significant text and provided substantial 418 guidance to the production of this document. 420 11. Acknowledgements 422 Thanks (in alphabetical order) to Adeel Ahmed, Jari Arkko, Ralph 423 Droms, Alun Evans, Dave Forster, Prashanth Krishnamurthy, Suresh 424 Krishnan, Josh Littlefield, Bert Manfredi, David Miles, Madhu Sudan, 425 Jinmei Tatuya, Dave Thaler, Bernie Volz, and Vlad Yasevich for their 426 consistent input, ideas and review during the production of this 427 document. The security problem related to an NS message that 428 provides one reason for invalidating a part of the on-link definition 429 was found by David Miles. Jinmei Tatuya found the security problem 430 to also exist with an RS message. 432 12. References 434 12.1. Normative References 436 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 437 Requirement Levels", BCP 14, RFC 2119, March 1997. 439 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 440 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 441 September 2007. 443 12.2. Informative References 445 [RFC0950] Mogul, J. and J. Postel, "Internet Standard Subnetting 446 Procedure", STD 5, RFC 950, August 1985. 448 [RFC1122] Braden, R., "Requirements for Internet Hosts - 449 Communication Layers", STD 3, RFC 1122, October 1989. 451 [RFC1519] Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless 452 Inter-Domain Routing (CIDR): an Address Assignment and 453 Aggregation Strategy", RFC 1519, September 1993. 455 [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor 456 Discovery for IP Version 6 (IPv6)", RFC 2461, 457 December 1998. 459 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 460 and M. Carney, "Dynamic Host Configuration Protocol for 461 IPv6 (DHCPv6)", RFC 3315, July 2003. 463 [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor 464 Discovery (ND) Trust Models and Threats", RFC 3756, 465 May 2004. 467 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 468 Architecture", RFC 4291, February 2006. 470 [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration 471 Protocol (DHCP) Leasequery", RFC 4388, February 2006. 473 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 474 Address Autoconfiguration", RFC 4862, September 2007. 476 [RFC4903] Thaler, D., "Multi-Link Subnet Issues", RFC 4903, 477 June 2007. 479 [RFC4943] Roy, S., Durand, A., and J. Paugh, "IPv6 Neighbor 480 Discovery On-Link Assumption Considered Harmful", 481 RFC 4943, September 2007. 483 Authors' Addresses 485 Hemant Singh 486 Cisco Systems, Inc. 487 1414 Massachusetts Ave. 488 Boxborough, MA 01719 489 USA 491 Phone: +1 978 936 1622 492 Email: shemant@cisco.com 493 URI: http://www.cisco.com/ 495 Wes Beebee 496 Cisco Systems, Inc. 497 1414 Massachusetts Ave. 498 Boxborough, MA 01719 499 USA 501 Phone: +1 978 936 2030 502 Email: wbeebee@cisco.com 503 URI: http://www.cisco.com/ 505 Erik Nordmark 506 Oracle, Inc. 507 17 Network Circle 508 Menlo Park, CA 94025 509 USA 511 Phone: +1 650 786 2921 512 Email: erik.nordmark@sun.com