idnits 2.17.1 draft-ietf-dhc-v6only-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC2563, updated by this document, for RFC5378 checks: 1998-08-14) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (August 11, 2020) is 1354 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Dynamic Host Configuration L. Colitti 3 Internet-Draft J. Linkova 4 Updates: 2563 (if approved) Google 5 Intended status: Standards Track M. Richardson 6 Expires: February 12, 2021 Sandelman 7 T. Mrugalski 8 ISC 9 August 11, 2020 11 IPv6-Only-Preferred Option for DHCPv4 12 draft-ietf-dhc-v6only-07 14 Abstract 16 This document specifies a DHCPv4 option to indicate that a host 17 supports an IPv6-only mode and is willing to forgo obtaining an IPv4 18 address if the network provides IPv6 connectivity. It also updates 19 RFC2563 to specify the DHCPv4 server behavior when the server 20 receives a DHCPDISCOVER not containing the Auto-Configure option but 21 containing the new option defined in this document. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on February 12, 2021. 40 Copyright Notice 42 Copyright (c) 2020 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 59 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 60 2. Reasons to Signal IPv6-Only Support in DHCPv4 Packets . . . . 5 61 3. IPv6-Only Preferred Option . . . . . . . . . . . . . . . . . 5 62 3.1. Option format . . . . . . . . . . . . . . . . . . . . . . 5 63 3.2. DHCPv4 Client Behavior . . . . . . . . . . . . . . . . . 6 64 3.3. DHCPv4 Server Behavior . . . . . . . . . . . . . . . . . 8 65 3.3.1. Interaction with RFC2563 . . . . . . . . . . . . . . 9 66 3.4. Constants and Configuration Variables . . . . . . . . . . 10 67 4. IPv6-Only Transition Technologies Considerations . . . . . . 10 68 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 69 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 70 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 72 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 73 8.2. Informative References . . . . . . . . . . . . . . . . . 13 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 76 1. Introduction 78 One of the biggest challenges of deploying IPv6-only LANs is that 79 such networks might contain rather heterogeneous collection of hosts. 80 While some hosts are capable of operating in IPv6-only mode (either 81 because the OS and all applications are IPv6-only capable or because 82 the host has some form of 464XLAT [RFC6877] deployed), others might 83 still have IPv4 dependencies and need IPv4 addresses to operate 84 properly. To incrementally rollout IPv6-only, network operators 85 might need to provide IPv4 on demand whereby a host receives an IPv4 86 address if it needs it, while IPv6-only capable hosts (such as modern 87 mobile devices) are not allocated IPv4 addresses. Traditionally that 88 goal is achieved by placing IPv6-only capable devices into a 89 dedicated IPv6-only network segment or WiFi SSID, while dual-stack 90 devices reside in another network with IPv4 and DHCPv4 enabled. 91 However such approach has a number of drawbacks, including but not 92 limited to: 94 o Doubling the number of network segments leads to operational 95 complexity and performance impact, for instance due to high memory 96 utilization caused by an increased number of ACL entries. 98 o Placing a host into the correct network segment is problematic. 99 For example, in the case of 802.11 Wi-Fi the user might select the 100 wrong SSID. In the case of wired 802.1x authentication the 101 authentication server might not have all the information required 102 to make the correct decision and choose between an IPv6-only and a 103 dual-stack VLAN. 105 It would be beneficial for IPv6 deployment if operators could 106 implement IPv6-mostly (or IPv4-on-demand) segments where IPv6-only 107 hosts co-exist with legacy dual-stack devices. The trivial solution 108 of disabling IPv4 stack on IPv6-only capable hosts is not feasible as 109 those clients must be able to operate on IPv4-only networks as well. 110 While IPv6-only capable devices might use a heuristic approach to 111 learning if the network provides IPv6-only functionality and stop 112 using IPv4 if it does, such approach might be practically 113 undesirable. One important reason is that when a host connects to a 114 network, it does not know if the network is IPv4-only, dual-stack or 115 IPv6-only. To ensure that the connectivity over whatever protocol is 116 present becomes available as soon as possible the host usually starts 117 configuring both IPv4 and IPv6 immediately. If hosts were to delay 118 requesting IPv4 until IPv6 reachability is confirmed, that would 119 penalize IPv4-only and dual-stack networks, which does not seem 120 practical. Requesting IPv4 and then releasing it later, after IPv6 121 reachability is confirmed, might cause user-visible errors as it 122 would be disruptive for applications which have started using the 123 assigned IPv4 address already. Instead it would be useful to have a 124 mechanism which would allow a host to indicate that its request for 125 an IPv4 address is optional and a network to signal that IPv6-only 126 functionality (such as NAT64, [RFC6146]) is available. The proposed 127 solution is to introduce a new DHCPv4 option which a client uses to 128 indicate that it does not need an IPv4 address if the network 129 provides IPv6-only connectivity (as NAT64 and DNS64). If the 130 particular network segment provides IPv4-on-demand such clients would 131 not be supplied with IPv4 addresses, while on IPv4-only or dual-stack 132 segments without NAT64 services IPv4 addresses will be provided. 134 [RFC2563] introduces the Auto-Configure DHCPv4 option and describes 135 DHCPv4 servers behavior if no address is chosen for a host. This 136 document updates [RFC2563] to modify the server behavior if the 137 DHCPOFFER contains the IPv6-only Preferred option. 139 1.1. Requirements Language 141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 143 "OPTIONAL" in this document are to be interpreted as described in BCP 144 14 [RFC2119] [RFC8174] when, and only when, they appear in all 145 capitals, as shown here. 147 1.2. Terminology 149 IPv6-only capable host: a host which does not require an IPv4 address 150 and can operate on IPv6-only networks. Strictly speaking IPv6-only 151 capability is specific to a given interface of the host: if some 152 application on a host require IPv4 and 464XLAT CLAT [RFC6877] is only 153 enabled on one interface, the host is IPv6-only capable if connected 154 to a NAT64 network via that interface. This document implies that 155 IPv6-only capable hosts reach IPv4-only destinations via NAT64 156 service provided by the network. Section 4 discusses hypothetical 157 scenarios of other transition technologies being used. 159 IPv4-requiring host: a host which is not IPv6-only capable and can 160 not operate in IPv6-only network providing NAT64 service. 162 IPv4-on-demand: a deployment scenario where end hosts are expected to 163 operate in IPv6-only mode by default and IPv4 addresses can be 164 assigned to some hosts if those hosts explicitly opt-in to receiving 165 IPv4 addresses. 167 IPv6-mostly network: a network which provides NAT64 (possibly with 168 DNS64) service as well as IPv4 connectivity and allows coexistence of 169 IPv6-only, dual-stack and IPv4-only hosts on the same segment. Such 170 deployment scenario allows operators to incrementally turn off IPv4 171 on end hosts, while still providing IPv4 to devices which require 172 IPv4 to operate. But, IPv6-only capable devices need not be assigned 173 IPv4 addresses. 175 IPv6-only mode: a mode of operation when a host acts as an IPv6-only 176 capable host and does not have IPv4 addresses assigned (except that 177 IPv4 link-local addresses [RFC3927] may have been configured). 179 IPv6-Only network: a network which does not provide routing 180 functionality for IPv4 packets. Such networks may or may not allow 181 intra-LAN IPv4 connectivity. IPv6-Only network usually provides 182 access to IPv4-only resources via NAT64 [RFC6146]. 184 NAT64: Network Address and Protocol Translation from IPv6 Clients to 185 IPv4 Servers [RFC6146]. 187 RA: Router Advertisement, a message used by IPv6 routers to advertise 188 their presence together with various link and Internet parameters 189 [RFC4861]. 191 DNS64: a mechanism for synthesizing AAAA records from A records 192 [RFC6147]. 194 Network attachment event: A Link Up event, as described by [RFC4957] 195 which results in a host detecting an available network. 197 Disabling IPv4 stack on the host interface: the host behavior when 198 the host: 200 o does not send any IPv4 packets from that interface, 202 o drops all IPv4 packets received on that interface and 204 o does not forward any IPv4 packets to that interface. 206 2. Reasons to Signal IPv6-Only Support in DHCPv4 Packets 208 For networks which contain a mix of both IPv6-only capable hosts and 209 IPv4-requiring hosts, and which utilize DHCPv4 for configuring the 210 IPv4 network stack on hosts, it seems natural to leverage the same 211 protocol to signal that IPv4 is discretional on a given segment. An 212 ability to remotely disable IPv4 on a host can be seen as a new 213 denial-of-service attack vector. The proposed approach limits the 214 attack surface to DHCPv4-related attacks without introducing new 215 vulnerable elements. 217 Another benefit of using DHCPv4 for signaling is that IPv4 will be 218 disabled only if both the client and the server indicate IPv6-only 219 capability. It allows IPv6-only capable hosts to turn off IPv4 only 220 upon receiving an explicit signal from the network and operate in 221 dual-stack or IPv4-only mode otherwise. In addition, the proposed 222 mechanism does not introduce any additional delays to the process of 223 configuring IP stack on hosts. If the network does not support IPv6- 224 only/IPv4-on-demand mode, an IPv6-only capable host would configure 225 an IPv4 address as quickly as on any other host. 227 Being a client/server protocol, DHCPv4 allows IPv4 to be selectively 228 disabled on a per-host basis on a given network segment. Coexistence 229 of IPv6-only, dual-stack and even IPv4-only hosts on the same LAN 230 would not only allow network administrators to preserve scarce IPv4 231 addresses but would also drastically simplify incremental deployment 232 of IPv6-only networks, positively impacting IPv6 adoption. 234 3. IPv6-Only Preferred Option 236 3.1. Option format 237 0 1 2 3 238 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 240 | Code | Length | Value | 241 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 242 | Value (contd) | 243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 245 Figure 1: IPv6-Only Preferred Option Format 247 Fields: 249 Code: 8-bit identifier of the IPv6-Only Preferred option code as 250 assigned by IANA: TBD. 251 The client includes the Code in the Parameter Request List in 252 DHCPDISCOVER and DHCPREQUEST messages as described in 253 Section 3.2. 254 Length: 8-bit unsigned integer. The length of the option excluding 255 the Code and Length Fields. The server MUST set the length 256 field to 4. The client MUST ignore the IPv6-Only Preferred 257 option if the length field value is not 4. 258 Value: 32-bit unsigned integer. 259 The number of seconds the client should disable DHCPv4 for 260 (V6ONLY_WAIT configuration variable). 261 If the server pool is explicitly configured with a 262 V6ONLY_WAIT timer the server MUST set the field to that 263 configured value. Otherwise the server MUST set it to zero. 264 The client MUST process that field as described in 265 Section 3.2. 266 The client never sets this field as it never sends the full 267 option but includes the option code in the Parameter Request 268 List as described in Section 3.2. 270 3.2. DHCPv4 Client Behavior 272 A DHCPv4 client SHOULD allow a device administrator to configure 273 IPv6-only preferred mode either for a specific interface (to indicate 274 that the device is IPv6-only capable if connected to a NAT64 network 275 via that interface) or for all interfaces. If only a specific 276 interface is configured as IPv6-only capable the DHCPv4 client MUST 277 NOT consider the host to be an IPv6-only capable for the purpose of 278 sending/receiving DHCPv4 packets over any other interfaces. 280 The DHCPv4 client on an IPv4-requiring host MUST NOT include the 281 IPv6-only Preferred option in the Parameter Request List of any 282 DHCPv4 packets and MUST ignore that option in packets received from 283 DHCPv4 servers. 285 DHCPv4 clients running on IPv6-only capable hosts SHOULD include the 286 IPv6-only Preferred option code in the Parameter Request List in 287 DHCPDISCOVER and DHCPREQUEST messages for interfaces so enabled and 288 follow the processing as described below on a per enabled interface 289 basis. 291 If the client did not include the IPv6-only Preferred option code in 292 the Parameter Request List option in the DHCPDISCOVER or DHCPREQUEST 293 message it MUST ignore the IPv6-only Preferred option in any messages 294 received from the server. 296 If the client includes the IPv6-only Preferred option in the 297 Parameter Request List and the DHCPOFFER message from the server 298 contains a valid IPv6-only Preferred option, the client SHOULD NOT 299 request the IPv4 address provided in the DHCPOFFER. If the IPv6-only 300 Preferred option returned by the server contains a value greater or 301 equal to MIN_V6ONLY_WAIT, the client SHOULD set the V6ONLY_WAIT timer 302 to that value. Otherwise, the client SHOULD set the V6ONLY_WAIT 303 timer to MIN_V6ONLY_WAIT. The client SHOULD stop the DHCPv4 304 configuration process for V6ONLY_WAIT seconds or until a network 305 attachment event, whichever happens first. The host MAY disable the 306 IPv4 stack completely on the affected interface for V6ONLY_WAIT 307 seconds or until the network attachment event, whichever happens 308 first. 310 The IPv6-only Preferred option SHOULD be included in the Parameter 311 Request List option in DHCPREQUEST messages (after receiving a 312 DHCPOFFER without this option, for a INIT-REBOOT, or when renewing or 313 rebinding a leased address). If the DHCPv4 server responds with a 314 DHCPACK that includes the IPv6-only Preferred option, the client 315 behaviour depends on the client's state. If the client is in the 316 INIT-REBOOT state it SHOULD stop the DHCPv4 configuration process or 317 disable IPv4 stack completely for V6ONLY_WAIT seconds or until the 318 network event, whichever happens first. It also MAY send a 319 DHCPRELEASE message. If the client is in any other state it SHOULD 320 continue to use the assigned IPv4 address until further DHCPv4 321 reconfiguration events. 323 If the client includes the IPv6-only Preferred option in the 324 Parameter Request List and the server responds with DHCPOFFER message 325 without a valid IPv6-only Preferred option, the client MUST proceed 326 as normal with a DHCPREQUEST. 328 If the client waits for multiple DHCPOFFER responses and selects one 329 of them, it MUST follow the processing for the IPv6-only Preferred 330 option based on the selected response. A client MAY use the presence 331 of the IPv6-only Preferred option as a selection criteria. 333 When an IPv6-only capable client receives the IPv6-Only Preferred 334 option from the server, the client MAY configurean IPv4 link-local 335 address [RFC3927]. In that case IPv6-Only capable devices might 336 still be able to communicate over IPv4 to other devices on the link. 337 The Auto-Configure Option [RFC2563] can be used to control IPv4 link- 338 local addresses autoconfiguration. Section 3.3.1 discusses the 339 interaction between the IPv6-only Preferred and the Auto-Configure 340 options. 342 3.3. DHCPv4 Server Behavior 344 The DHCPv4 server SHOULD be able to configure all or individual pools 345 to include the IPv6-only preferred option in DHCPv4 responses if the 346 client included the option code in the Parameter Request List option. 347 The DHCPv4 server MAY have a configuration option to specify the 348 V6ONLY_WAIT timer for all or individual IPv6-mostly pools. 350 The server MUST NOT include the IPv6-only Preferred option in the 351 DHCPOFFER or DHCPACK message if the YIADDR field in the message does 352 not belong to a pool configured as IPv6-mostly. The server MUST NOT 353 include the IPv6-only Preferred option in the DHCPOFFER or DHCPACK 354 message if the option was not present in the Parameter Request List 355 sent by the client. 357 If the IPv6-only Preferred option is present in the Parameter Request 358 List received from the client and the corresponding DHCPv4 pool is 359 explicitly configured as belonging to an IPv6-mostly network segment, 360 the server MUST include the IPv6-only Preferred option when 361 responding with the DHCPOFFER or DHCPACK message. If the server 362 responds with the IPv6-only Preferred option and the V6ONLY_WAIT 363 timer is configured for the pool, the server MUST copy the configured 364 value to the IPv6-only Preferred option value field. Otherwise it 365 MUST set the field to zero. The server SHOULD NOT assign an address 366 from the pool. Instead it SHOULD return 0.0.0.0 as the offered 367 address. Alternatively, if offering 0.0.0.0 is not feasible, for 368 example due to some limitations of the server or the network 369 infrastructure, the server MAY include an available IPv4 address from 370 the pool into the DHCPOFFER as per recommendations in [RFC2131]. In 371 this case, the offered address MUST be a valid address that is not 372 committed to any other client. Because the client is not expected 373 ever to request this address, the server SHOULD NOT reserve the 374 address and SHOULD NOT verify its uniqueness. If the client then 375 issues a DHCPREQUEST for the address, the server MUST process it per 376 [RFC2131], including replying with a DHCPACK for the address if in 377 the meantime it has not been committed to another client. 379 If a client includes both a Rapid-Commit option [RFC4039] and 380 IPv6-Only Preferred option in the DHCPDISCOVER message the server 381 SHOULD NOT honor the Rapid-Commit option if the response would 382 contain the IPv6-only Preferred option to the client. It SHOULD 383 instead respond with a DHCPOFFER as indicated above. 385 If the server receives a DHCPREQUEST containing the IPv6-only 386 Preferred option for the address from a pool configured as 387 IPv6-mostly, the server MUST process it per [RFC2131]. 389 3.3.1. Interaction with RFC2563 391 [RFC2563] defines an Auto-Configure DHCPv4 option to disable IPv4 392 link-local address configuration for IPv4 clients. Clients can 393 support both, neither or just one of IPv6-Only Preferred and Auto- 394 Configure options. If a client sends both IPv6-Only Preferred and 395 Auto-Configure options the network administrator can prevent the host 396 from configuring an IPv4 link-local address on an IPv6-mostly 397 network. To achieve this the server needs to send DHCPOFFER which 398 contains a 'yiaddr' of 0x00000000, and the Auto-Configure flag saying 399 "DoNotAutoConfigure". 401 However special care should be taken in a situation when a server 402 supports both options and receives just IPv6-Only Preferred option 403 from a client. Section 2.3 of [RFC2563] states that if no address is 404 chosen for the host (which would be the case for IPv6-only capable 405 clients on IPv6-mostly network) then: "If the DHCPDISCOVER does not 406 contain the Auto-Configure option, it is not answered." Such 407 behavior would be undesirable for clients supporting the IPv6-Only 408 Preferred option w/o supporting the Auto-Configure option as they 409 would not receive any response from the server and would keep asking, 410 instead of disabling DHCPv4 for V6ONLY_WAIT seconds. Therefore the 411 following update is proposed to Section 2.3 of [RFC2563]" 413 OLD TEXT: 415 --- 417 However, if no address is chosen for the host, a few additional steps 418 MUST be taken. 420 If the DHCPDISCOVER does not contain the Auto-Configure option, it is 421 not answered. 423 --- 425 NEW TEXT: 427 --- 428 However, if no address is chosen for the host, a few additional steps 429 MUST be taken. 431 If the DHCPDISCOVER does not contain the Auto-Configure option and 432 the IPv6-Only Preferred option is not present, it is not answered. 433 If the DHCPDISCOVER does not contain the Auto-Configure option but 434 contains the IPv6-Only Preferred option, the processing rules for the 435 IPv6-Only Preferred option apply. 437 --- 439 3.4. Constants and Configuration Variables 441 V6ONLY_WAIT The minimum time the client SHOULD stop the DHCPv4 442 configuration process for. The value MUST NOT be less 443 than MIN_V6ONLY_WAIT seconds. Default: 1800 seconds 444 MIN_V6ONLY_WAIT The lower boundary for V6ONLY_WAIT. Value: 300 445 seconds 447 4. IPv6-Only Transition Technologies Considerations 449 Until IPv6 adoption in the Internet reaches 100%, communication 450 between an IPv6-only host and IPv4-only destination requires some 451 form of transition mechanism deployed in the network. At the time of 452 writing, the only such mechanism that is widely supported by end 453 hosts is NAT64 [RFC6146] (either with or without 464XLAT). Therefore 454 the IPv6-only Preferred option is only sent by hosts capable of 455 operating on NAT64 networks. In a typical deployment scenario, a 456 network administrator would not configure the DHCPv4 server to return 457 the IPv6-only Preferred option unless the network provides NAT64 458 service. 460 Hypothetically it is possible for multiple transition technologies to 461 coexist. In such scenario some form of negotiation would be required 462 between a client and a server to ensure that the transition 463 technology supported by the client is the one the network provides. 464 However it seems unlikely that any new transition technology would 465 arise and be widely adopted in any foreseeable future. Therefore 466 adding support for non-existing technologies seems to be suboptimal 467 and the proposed mechanism implies that NAT64 is used to facilitate 468 connectivity between IPv6 and IPv4. In the unlikely event that a new 469 transition mechanism becomes widely deployed, the applicability of 470 the IPv6-Only-Preferred option to that mechanism will depend on the 471 nature of the new mechanism. If the new mechanism is designed in 472 such a way that it's fully transparent for hosts that support NAT64 473 and the IPv6-Only-Preferred option, then the option can continue to 474 be used with the new mechanism. If the new mechanism is not 475 compatible with NAT64, and implementation on the host side is 476 required to support it, then a new DHCPv4 option needs to be defined. 478 It should be also noted that declaring a host or (strictly speaking, 479 a host interface) IPv6-only capable is a policy decision. For 480 example, 482 o An operating system vendor may make such decision and configure 483 their DHCPv4 clients to send the IPv6-Only Preferred option by 484 default if the OS has 464XLAT CLAT [RFC6877] enabled. 486 o An enterprise network administrator may provision the corporate 487 hosts as IPv6-only capable if all applications users are supposed 488 to run have been tested in IPv6-only environment (or if 464XLAT 489 CLAT is enabled on the devices). 491 o IoT devices may be shipped in IPv6-only capable mode if they are 492 designed to connect to IPv6-enabled cloud destination only. 494 5. IANA Considerations 496 The IANA is requested to assign a new DHCPv4 Option code for the 497 IPv6-Only Preferred option from the BOOTP Vendor Extensions and 498 DHCPv4 Options registry, located at https://www.iana.org/assignments/ 499 bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml#options . If 500 possible, please assign option code 108. 502 +-----------+-----------+--------+----------+-----------------------+ 503 | Tag | Name | Data | Meaning | Reference | 504 | | | Length | | | 505 +-----------+-----------+--------+----------+-----------------------+ 506 | TBD | IPv6-only | 4 | Number | draft-ietf-dhc-v6only | 507 | (proposed | Preferred | | of | | 508 | value: | option | | seconds | | 509 | 108) | | | to | | 510 | | | | disable | | 511 | | | | DHCPv4 | | 512 | | | | for | | 513 +-----------+-----------+--------+----------+-----------------------+ 515 Table 1 517 6. Security Considerations 519 An attacker might send a spoofed DHCPOFFER containing IPv6-only 520 Preferred option with the value field set to a large number, such as 521 0xffffffff, effectively disabling DHCPv4 on clients supporting the 522 option. If the network is IPv4-only such clients would lose 523 connectivity, while on a dual-stack network without NAT64 service 524 only connectivity to IPv4-only destinations would be affected. The 525 recovery would require triggering a network attachment event. 526 However it should be noted that if the network does not provide 527 protection from a rogue DHCPv4 server the similar attack vector can 528 be executed by offering an invalid address and setting the Lease Time 529 option value field to 0xffffffff. The latter attack would affect all 530 hosts, not just hosts that support the IPv6-only Preferred option. 531 Therefore the security measures against rogue DHCPv4 servers would be 532 sufficient to prevent the attacks specific to IPv6-only Preferred 533 option. Additionally such attacks can only be executed if the victim 534 prefers the rogue DHCPOFFER over the legitimate ones. Therefore for 535 the attack to be successful the attacker needs to know the selection 536 criteria used by the client and to be able to make its rogue offer 537 more preferable. 539 It should be noted that disabling IPv4 on a host upon receiving the 540 IPv6-only Preferred option from the DHCPv4 server protects the host 541 from IPv4-related attacks and therefore could be considered a 542 security feature. 544 7. Acknowledgements 546 Thanks to the following people (in alphabetical order) for their 547 review and feedback: Mohamed Boucadair, Martin Duke, Russ Housley, 548 Sheng Jiang, Benjamin Kaduk, Murray Kucherawy, Ted Lemon, Roy 549 Marples, Bjorn Mork, Alvaro Retana, Peng Shuping, Pascal Thubert, 550 Bernie Volz, Eric Vyncke. Authors would like to thank Bob Hinden and 551 Brian Carpenter for the initial idea of signaling IPv6-only 552 capability to hosts. Special thanks to Erik Kline, Mark Townsley and 553 Maciej Zenczykowski for the discussion which led to the idea of 554 signalling IPv6-only capability over DHCPv4. 556 8. References 558 8.1. Normative References 560 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 561 Requirement Levels", BCP 14, RFC 2119, 562 DOI 10.17487/RFC2119, March 1997, 563 . 565 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", 566 RFC 2131, DOI 10.17487/RFC2131, March 1997, 567 . 569 [RFC2563] Troll, R., "DHCP Option to Disable Stateless Auto- 570 Configuration in IPv4 Clients", RFC 2563, 571 DOI 10.17487/RFC2563, May 1999, 572 . 574 [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic 575 Configuration of IPv4 Link-Local Addresses", RFC 3927, 576 DOI 10.17487/RFC3927, May 2005, 577 . 579 [RFC4039] Park, S., Kim, P., and B. Volz, "Rapid Commit Option for 580 the Dynamic Host Configuration Protocol version 4 581 (DHCPv4)", RFC 4039, DOI 10.17487/RFC4039, March 2005, 582 . 584 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 585 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 586 May 2017, . 588 8.2. Informative References 590 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 591 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 592 DOI 10.17487/RFC4861, September 2007, 593 . 595 [RFC4957] Krishnan, S., Ed., Montavont, N., Njedjou, E., Veerepalli, 596 S., and A. Yegin, Ed., "Link-Layer Event Notifications for 597 Detecting Network Attachments", RFC 4957, 598 DOI 10.17487/RFC4957, August 2007, 599 . 601 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 602 NAT64: Network Address and Protocol Translation from IPv6 603 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 604 April 2011, . 606 [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van 607 Beijnum, "DNS64: DNS Extensions for Network Address 608 Translation from IPv6 Clients to IPv4 Servers", RFC 6147, 609 DOI 10.17487/RFC6147, April 2011, 610 . 612 [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: 613 Combination of Stateful and Stateless Translation", 614 RFC 6877, DOI 10.17487/RFC6877, April 2013, 615 . 617 Authors' Addresses 619 Lorenzo Colitti 620 Google 621 Shibuya 3-21-3 622 Shibuya, Tokyo 150-0002 623 JP 625 Email: lorenzo@google.com 627 Jen Linkova 628 Google 629 1 Darling Island Rd 630 Pyrmont, NSW 2009 631 AU 633 Email: furry@google.com 635 Michael C. Richardson 636 Sandelman Software Works 638 Email: mcr+ietf@sandelman.ca 639 URI: http://www.sandelman.ca/ 641 Tomek Mrugalski 642 Internet Systems Consortium, Inc. 643 950 Charter Street 644 Redwood City, CA 94063 645 USA 647 Email: tomasz.mrugalski@gmail.com