idnits 2.17.1 draft-ietf-vrrp-ipv6-spec-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-25) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The abstract seems to contain references ([ND]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 1 instance of lines with multicast IPv4 addresses in the document. If these are generic example addresses, they should be changed to use the 233.252.0.x range defined in RFC 5771 == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: When a VRRP router restarts or boots, it SHOULD not send any ND messages with its physical MAC address for the IPv6 address it owns, it should only send ND messages that include Virtual MAC addresses. This may entail: == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: A VRRP router SHOULD not forward packets addressed to the IPv6 Address it becomes Master for if it is not the owner. Forwarding these packets would result in unnecessary traffic. Also in the case of LANs that receive packets they transmit (e.g., token ring) this can result in a forwarding loop that is only terminated when the IPv6 TTL expires. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 20, 2001) is 8192 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC 2119' is mentioned on line 140, but not defined == Unused Reference: 'RIP' is defined on line 1286, but no explicit reference was found in the text == Unused Reference: 'RFC2119' is defined on line 1295, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2373 (ref. 'ADD-ARH') (Obsoleted by RFC 3513) ** Obsolete normative reference: RFC 2402 (ref. 'AUTH') (Obsoleted by RFC 4302, RFC 4305) ** Downref: Normative reference to an Informational RFC: RFC 1071 (ref. 'CKSM') ** Downref: Normative reference to an Informational RFC: RFC 2281 (ref. 'HSRP') ** Obsolete normative reference: RFC 2463 (ref. 'ICMPv6') (Obsoleted by RFC 4443) -- Possible downref: Non-RFC (?) normative reference: ref. 'IPSTB' ** Obsolete normative reference: RFC 2460 (ref. 'IPv6') (Obsoleted by RFC 8200) -- Possible downref: Non-RFC (?) normative reference: ref. 'IPX' ** Obsolete normative reference: RFC 2461 (ref. 'ND') (Obsoleted by RFC 4861) ** Downref: Normative reference to an Historic RFC: RFC 1469 -- Possible downref: Non-RFC (?) normative reference: ref. 'TKARCH' ** Obsolete normative reference: RFC 2338 (ref. 'VRRP-V4') (Obsoleted by RFC 3768) Summary: 12 errors (**), 0 flaws (~~), 8 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTERNET-DRAFT R. Hinden/Nokia 3 November 20, 2001 5 Virtual Router Redundancy Protocol for IPv6 7 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of [RFC2026]. 14 Internet-Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its areas, and its working groups. Note that 16 other groups may also distribute working documents as Internet- 17 Drafts. 19 Internet-Drafts are draft documents valid for a maximum of six months 20 and may be updated, replaced, or obsoleted by other documents at any 21 time. It is inappropriate to use Internet-Drafts as reference 22 material or to cite them other than as "work in progress." 24 The list of current Internet-Drafts can be accessed at 25 http://www.ietf.org/1id-abstracts.html 27 The list of Internet-Draft Shadow Directories can be accessed at 28 http://www.ietf.org/shadow.html 30 This internet draft expires on May 20, 2002. 32 Abstract 34 This memo defines the Virtual Router Redundancy Protocol (VRRP) for 35 IPv6. It is version three (3) of the protocol. It is based on the 36 original version of VRRP (version 2) for IPv4 that is defined in 37 RFC2338. 39 VRRP specifies an election protocol that dynamically assigns 40 responsibility for a virtual router to one of the VRRP routers on a 41 LAN. The VRRP router controlling the IP address associated with a 42 virtual router is called the Master, and forwards packets sent to 43 this IP address. The election process provides dynamic fail over in 44 the forwarding responsibility should the Master become unavailable. 45 The advantage gained from using VRRP for IPv6 is a quicker switch 46 over to back up routers than can be obtained with standard IPv6 47 Neighbor Discovery [ND] mechanisms. 49 Table of Contents 51 1. Introduction................................................3 52 2. Required Features...........................................5 53 3. VRRP Overview...............................................6 54 4. Sample Configurations.......................................8 55 5. Protocol...................................................11 56 5.1 VRRP Packet Format....................................11 57 5.2 IP Field Descriptions.................................11 58 5.3 VRRP Field Descriptions...............................12 59 6. Protocol State Machine....................................15 60 6.1 Parameters per Virtual Router.........................15 61 6.2 Timers................................................16 62 6.3 State Transition Diagram..............................16 63 6.4 State Descriptions....................................16 64 7. Sending and Receiving VRRP Packets........................21 65 7.1 Receiving VRRP Packets................................21 66 7.2 Transmitting Packets..................................21 67 7.3 Virtual MAC Address...................................22 68 7.4 IPv6 Interface Identifiers............................22 69 8. Operational Issues........................................23 70 8.1 ICMPv6 Redirects......................................23 71 8.2 ND Neighbor Solicitation..............................23 72 8.3 Potential Forwarding Loop.............................24 73 9. Operation over FDDI, Token Ring, and ATM LANE.............24 74 9.1 Operation over FDDI...................................24 75 9.2 Operation over Token Ring.............................24 76 9.3 Operation over ATM LANE...............................25 77 10. Security Considerations...................................26 78 10.1 No Authentication....................................27 79 10.2 Simple Text Password.................................27 80 10.3 IP Authentication Header.............................28 81 11. Intellectual Property.....................................28 82 12. Acknowledgments...........................................29 83 13. IANA Considerations.......................................29 84 14. References................................................29 85 15. Authors' Address..........................................31 86 16. Changes from RFC2338......................................31 88 1. Introduction 90 IPv6 hosts on a LAN will usually learn about one or more default 91 routers by receiving Router Advertisements sent using the IPv6 92 Neighbor Discovery protocol [ND]. The Router Advertisements are 93 multicast periodically at a rate that the hosts will learn about the 94 default routers in a few minutes. They are not sent frequently enough 95 to rely on the absence of the router advertisement to detect router 96 failures. 98 Neighbor Discovery (ND) includes a mechanism called Neighbor 99 Unreachability Detection to detect the failure of a neighbor node 100 (router or host) or the forwarding path to a neighbor. This is done 101 by sending unicast ND Neighbor Solicitation messages to the neighbor 102 node. To reduce the overhead of sending Neighbor Solicitations, they 103 are only sent to neighbors to which the node is actively sending 104 traffic and only after there has been no positive indication that the 105 router is up for a period of time. Using the default parameters in 106 ND, it will take a host about 38 seconds to learn that a router is 107 unreachable before it will switch to another default router. This 108 delay would be very noticeable to users and cause some transport 109 protocol implementations to timeout. 111 While the ND unreachability detection could be speeded up by changing 112 the parameters to be more aggressive (note that the current lower 113 limit for this is 5 seconds), this would have the downside of 114 significantly increasing the overhead of ND traffic. Especially when 115 there are many hosts all trying to determine the reachability of a 116 one of more routers. 118 The Virtual Router Redundancy Protocol for IPv6 provides a much 119 faster switch over to an alternate default router than can be 120 obtained using standard ND procedures. Using VRRP a backup router 121 can take over for a failed default router in around three seconds 122 (using VRRP default parameters). This is done with out any 123 interaction with the hosts and a minimum amount of VRRP traffic. 125 VRRP specifies an election protocol that dynamically assigns 126 responsibility for a virtual router to one of the VRRP routers on a 127 LAN. The VRRP router controlling the IP address associated with a 128 virtual router is called the Master, and forwards packets sent to 129 this IP address. The election process provides dynamic fail over in 130 the forwarding responsibility should the Master become unavailable. 132 VRRP provides a function similar to a Cisco Systems, Inc. proprietary 133 protocol named Hot Standby Router Protocol (HSRP) [HSRP] and to a 134 Digital Equipment Corporation, Inc. proprietary protocol named IP 135 Standby Protocol [IPSTB]. 137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 139 document are to be interpreted as described in [RFC 2119]. 141 The IESG/IETF take no position regarding the validity or scope of any 142 intellectual property right or other rights that might be claimed to 143 pertain to the implementation or use of the technology, or the extent 144 to which any license under such rights might or might not be 145 available. See the IETF IPR web page at http://www.ietf.org/ipr.html 146 for additional information. 148 1.1 Scope 150 The remainder of this document describes the features, design goals, 151 and theory of operation of VRRP for IPv6. The message formats, 152 protocol processing rules and state machine that guarantee 153 convergence to a single Virtual Router Master are presented. 154 Finally, operational issues related to MAC address mapping, handling 155 of Neighbor Discovery requests, generation of ICMPv6 redirect 156 messages, and security issues are addressed. 158 This protocol is intended for use with IPv6 routers only. VRRP for 159 IPv4 is defined in [VRRP-V4]. 161 1.2 Definitions 163 VRRP Router A router running the Virtual Router Redundancy 164 Protocol. It may participate in one or more 165 virtual routers. 167 Virtual Router An abstract object managed by VRRP that acts 168 as a default router for hosts on a shared LAN. 169 It consists of a Virtual Router Identifier and 170 an IPv6 address across a common LAN. A VRRP 171 Router may backup one or more virtual routers. 173 IPv6 Address Owner The VRRP router that has the virtual router's 174 IPv6 address as real interface address. This 175 is the router that, when up, will respond to 176 packets addressed to the IPv6 addresses for 177 ICMPv6 pings, TCP connections, etc. 179 Virtual Router Master The VRRP router that is assuming the 180 responsibility of forwarding packets sent to 181 the IPv6 address associated with the virtual 182 router, and answering ND requests for this 183 IPv6 address. Note that if the IPv6 address 184 owner is available, then it will always become 185 the Master. 187 Virtual Router Backup The set of VRRP routers available to assume 188 forwarding responsibility for a virtual router 189 should the current Master fail. 191 2.0 Required Features 193 This section outlines the set of features that were considered 194 mandatory and that guided the design of VRRP. 196 2.1 IPv6 Address Backup 198 Backup of an IPv6 address is the primary function of the Virtual 199 Router Redundancy Protocol. While providing election of a Virtual 200 Router Master and the additional functionality described below, the 201 protocol should strive to: 203 - Minimize the duration of black holes. 204 - Minimize the steady state bandwidth overhead and processing 205 complexity. 206 - Function over a wide variety of multiaccess LAN technologies 207 capable of supporting IPv6 traffic. 208 - Provide for election of multiple virtual routers on a network for 209 load balancing 210 - Support of multiple logical IPv6 subnets on a single LAN segment. 212 2.2 Preferred Path Indication 214 A simple model of Master election among a set of redundant routers is 215 to treat each router with equal preference and claim victory after 216 converging to any router as Master. However, there are likely to be 217 many environments where there is a distinct preference (or range of 218 preferences) among the set of redundant routers. For example, this 219 preference may be based upon access link cost or speed, router 220 performance or reliability, or other policy considerations. The 221 protocol should allow the expression of this relative path preference 222 in an intuitive manner, and guarantee Master convergence to the most 223 preferential router currently available. 225 2.3 Minimization of Unnecessary Service Disruptions 227 Once Master election has been performed then any unnecessary 228 transitions between Master and Backup routers can result in a 229 disruption in service. The protocol should ensure after Master 230 election that no state transition is triggered by any Backup router 231 of equal or lower preference as long as the Master continues to 232 function properly. 234 Some environments may find it beneficial to avoid the state 235 transition triggered when a router becomes available that is more 236 preferential than the current Master. It may be useful to support an 237 override of the immediate convergence to the preferred path. 239 2.4 Extensible Security 241 The virtual router functionality is applicable to a wide range of 242 internetworking environments that may employ different security 243 policies. The protocol should require minimal configuration and 244 overhead in the insecure operation, provide for strong authentication 245 when increased security is required, and allow integration of new 246 security mechanisms without breaking backwards compatible operation. 248 2.5 Efficient Operation over Extended LANs 250 Sending IPv6 packets on a multiaccess LAN requires mapping from an 251 IPv6 address to a MAC address. The use of the virtual router MAC 252 address in an extended LAN employing learning bridges can have a 253 significant effect on the bandwidth overhead of packets sent to the 254 virtual router. If the virtual router MAC address is never used as 255 the source address in a link level frame then the station location is 256 never learned, resulting in flooding of all packets sent to the 257 virtual router. To improve the efficiency in this environment the 258 protocol should: 1) use the virtual router MAC as the source in a 259 packet sent by the Master to trigger station learning; 2) trigger a 260 message immediately after transitioning to Master to update the 261 station learning; and 3) trigger periodic messages from the Master to 262 maintain the station learning cache. 264 3.0 VRRP Overview 266 VRRP specifies an election protocol to provide the virtual router 267 function described earlier. All protocol messaging is performed 268 using IPv6 multicast datagrams, thus the protocol can operate over a 269 variety of multiaccess LAN technologies supporting IPv6 multicast. 271 Each VRRP virtual router has a single well-known MAC address 272 allocated to it. This document currently only details the mapping to 273 networks using the IEEE 802 48-bit MAC address. The virtual router 274 MAC address is used as the source in all periodic VRRP messages sent 275 by the Master router to enable bridge learning in an extended LAN. 277 A virtual router is defined by its virtual router identifier (VRID) 278 and an IPv6 address. A VRRP router may associate a virtual router 279 with its real address on an interface, and may also be configured 280 with additional virtual router mappings and priority for virtual 281 routers it is willing to backup. The mapping between VRID and it's 282 IPv6 address must be coordinated among all VRRP routers on a LAN. 283 However, there is no restriction against reusing a VRID with a 284 different address mapping on different LANs. The scope of each 285 virtual router is restricted to a single LAN. 287 To minimize network traffic, only the Master for each virtual router 288 sends periodic VRRP Advertisement messages. A Backup router will not 289 attempt to preempt the Master unless it has higher priority. This 290 eliminates service disruption unless a more preferred path becomes 291 available. It's also possible to administratively prohibit all 292 preemption attempts. The only exception is that a VRRP router will 293 always become Master of any virtual router associated with address it 294 owns. If the Master becomes unavailable then the highest priority 295 Backup will transition to Master after a short delay, providing a 296 controlled transition of the virtual router responsibility with 297 minimal service interruption. 299 VRRP defines three types of authentication providing simple 300 deployment in insecure environments, added protection against 301 misconfiguration, and strong sender authentication in security 302 conscious environments. Analysis of the protection provided and 303 vulnerability of each mechanism is deferred to Section 10.0 Security 304 Considerations. In addition new authentication types and data can be 305 defined in the future without affecting the format of the fixed 306 portion of the protocol packet, thus preserving backward compatible 307 operation. 309 The VRRP protocol design provides rapid transition from Backup to 310 Master to minimize service interruption, and incorporates 311 optimizations that reduce protocol complexity while guaranteeing 312 controlled Master transition for typical operational scenarios. The 313 optimizations result in an election protocol with minimal runtime 314 state requirements, minimal active protocol states, and a single 315 message type and sender. The typical operational scenarios are 316 defined to be two redundant routers and/or distinct path preferences 317 among each router. A side effect when these assumptions are violated 318 (i.e., more than two redundant paths all with equal preference) is 319 that duplicate packets may be forwarded for a brief period during 320 Master election. However, the typical scenario assumptions are 321 likely to cover the vast majority of deployments, loss of the Master 322 router is infrequent, and the expected duration in Master election 323 convergence is quite small ( << 1 second ). Thus the VRRP 324 optimizations represent significant simplifications in the protocol 325 design while incurring an insignificant probability of brief network 326 degradation. 328 4. Sample Configurations 330 4.1 Sample Configuration 1 332 The following figure shows a simple network with two VRRP routers 333 implementing one virtual router. Note that this example is provided 334 to help understand the protocol, but is not expected to occur in 335 actual practice. 337 +-----------+ +-----------+ 338 | Rtr1 | | Rtr2 | 339 |(MR VRID=1)| |(BR VRID=1)| 340 | | | | 341 VRID=1 +-----------+ +-----------+ 342 IPv6 A -------->* *<--------- IPv6 B 343 | | 344 | | 345 ------------------+------------+-----+--------+--------+--------+-- 346 ^ ^ ^ ^ 347 | | | | 348 (IPv6 A) (IPv6 A) (IPv6 A) (IPv6 A) 349 | | | | 350 +--+--+ +--+--+ +--+--+ +--+--+ 351 | H1 | | H2 | | H3 | | H4 | 352 +-----+ +-----+ +--+--+ +--+--+ 353 Legend: 354 ---+---+---+-- = Ethernet, Token Ring, or FDDI 355 H = Host computer 356 MR = Master Router 357 BR = Backup Router 358 * = IPv6 Address 359 (IPv6) = default router for hosts 361 Eliminating all mention of VRRP (VRID=1) from the figure above leaves 362 it as a typical IPv6 deployment. Each router has a link-local IPv6 363 address on the LAN interface (Rtr1 is assigned IPv6 Link-Local A and 364 Rtr2 is assigned IPv6 Link-Local B), and each host learns a default 365 route from Router Advertisements through one of the routers (in this 366 example they all use Rtr1's IPv6 Link-Local A). 368 Moving to the VRRP environment, each router has the exact same Link- 369 Local IPv6 address. Rtr1 is said to be the IPv6 address owner of 370 IPv6 A, and Rtr2 is the IPv6 address owner of IPv6 B. A virtual 371 router is then defined by associating a unique identifier (the 372 virtual router ID) with the address owned by a router. Finally, the 373 VRRP protocol manages virtual router fail over to a backup router. 375 The example above shows a virtual router configured to cover the IPv6 376 address owned by Rtr1 (VRID=1,IPv6_Address=A). When VRRP is enabled 377 on Rtr1 for VRID=1 it will assert itself as Master, with 378 priority=255, since it is the IPv6 address owner for the virtual 379 router IPv6 address. When VRRP is enabled on Rtr2 for VRID=1 it will 380 transition to Backup, with priority=100, since it is not the IPv6 381 address owner. If Rtr1 should fail then the VRRP protocol will 382 transition Rtr2 to Master, temporarily taking over forwarding 383 responsibility for IPv6 A to provide uninterrupted service to the 384 hosts. 386 Note that in this example IPv6 B is not backed up, it is only used by 387 Rtr2 as its interface address. In order to backup IPv6 B, a second 388 virtual router must be configured. This is shown in the next 389 section. 391 4.2 Sample Configuration 2 393 The following figure shows a configuration with two virtual routers 394 with the hosts spitting their traffic between them. This example is 395 expected to be common in actual practice. 397 +-----------+ +-----------+ 398 | Rtr1 | | Rtr2 | 399 |(MR VRID=1)| |(BR VRID=1)| 400 |(BR VRID=2)| |(MR VRID=2)| 401 VRID=1 +-----------+ +-----------+ VRID=2 402 IPv6 A -------->* *<---------- IPv6 B 403 | | 404 | | 405 ------------------+------------+-----+--------+--------+--------+-- 406 ^ ^ ^ ^ 407 | | | | 408 (IPv6 A) (IPv6 A) (IPv6 B) (IPv6 B) 409 | | | | 410 +--+--+ +--+--+ +--+--+ +--+--+ 411 | H1 | | H2 | | H3 | | H4 | 412 +-----+ +-----+ +--+--+ +--+--+ 413 Legend: 414 ---+---+---+-- = Ethernet, Token Ring, or FDDI 415 H = Host computer 416 MR = Master Router 417 BR = Backup Router 418 * = IPv6 Address 419 (IPv6) = default router for hosts 421 In the example above, half of the hosts have learned a default route 422 through Rtr1's IPv6 A and half are using Rtr2's IPv6 B. The 423 configuration of virtual router VRID=1 is exactly the same as in the 424 first example (see section 4.1), and a second virtual router has been 425 added to cover the IPv6 address owned by Rtr2 (VRID=2, 426 IPv6_Address=B). In this case Rtr2 will assert itself as Master for 427 VRID=2 while Rtr1 will act as a backup. This scenario demonstrates a 428 deployment providing load splitting when both routers are available 429 while providing full redundancy for robustness. 431 5.0 Protocol 433 The purpose of the VRRP packet is to communicate to all VRRP routers 434 the priority and the state of the Master router associated with the 435 Virtual Router ID. 437 VRRP packets are sent encapsulated in IPv6 packets. They are sent to 438 the IPv6 multicast address assigned to VRRP. 440 5.1 VRRP Packet Format 442 This section defines the format of the VRRP packet and the relevant 443 fields in the IPv6 header. 445 0 1 2 3 446 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 447 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 448 |Version| Type | Virtual Rtr ID| Priority | (reserved) | 449 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 450 | Auth Type | Adver Int | Checksum | 451 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 452 | | 453 + + 454 | | 455 + IPv6 Address + 456 | | 457 + + 458 | | 459 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 460 | Authentication Data (1) | 461 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 462 | Authentication Data (2) | 463 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 465 5.2 IPv6 Field Descriptions 467 5.2.1 Source Address 469 The IPv6 link-local address of the interface the packet is being sent 470 from. 472 5.2.2 Destination Address 474 The IPv6 multicast address as assigned by the IANA for VRRP is: 476 FF02:0:0:0:0:0:XXXX:XXXX 478 This is a link-local scope multicast address. Routers MUST NOT 479 forward a datagram with this destination address regardless of its 480 Hop Limit. 482 5.2.3 Hop Limit 484 The Hop Limit MUST be set to 255. A VRRP router receiving a packet 485 with the Hop Limit not equal to 255 MUST discard the packet. 487 5.2.4 Next Header 489 The IPv6 Next Header protocol assigned by the IANA for VRRP is 112 490 (decimal). 492 5.3 VRRP Field Descriptions 494 5.3.1 Version 496 The version field specifies the VRRP protocol version of this packet. 497 This document defines version 3. 499 5.3.2 Type 501 The type field specifies the type of this VRRP packet. The only 502 packet type defined in this version of the protocol is: 504 1 ADVERTISEMENT 506 A packet with unknown type MUST be discarded. 508 5.3.3 Virtual Rtr ID (VRID) 510 The Virtual Router Identifier (VRID) field identifies the virtual 511 router this packet is reporting status for. 513 5.3.4 Priority 515 The priority field specifies the sending VRRP router's priority for 516 the virtual router. Higher values equal higher priority. This field 517 is an 8 bit unsigned integer field. 519 The priority value for the VRRP router that owns the IPv6 address 520 associated with the virtual router MUST be 255 (decimal). 522 VRRP routers backing up a virtual router MUST use priority values 523 between 1-254 (decimal). The default priority value for VRRP routers 524 backing up a virtual router is 100 (decimal). 526 The priority value zero (0) has special meaning indicating that the 527 current Master has stopped participating in VRRP. This is used to 528 trigger Backup routers to quickly transition to Master without having 529 to wait for the current Master to timeout. 531 5.3.5 Reserved 533 This field MUST be set to zero on transmission and ignored on 534 reception. 536 5.3.6 Authentication Type 538 The authentication type field identifies the authentication method 539 being utilized. Authentication type is unique on a Virtual Router 540 basis. The authentication type field is an 8 bit unsigned integer. 541 A packet with unknown authentication type or that does not match the 542 locally configured authentication method MUST be discarded. 544 The authentication methods currently defined are: 546 0 - No Authentication 547 1 - Simple Text Password 548 2 - IP Authentication Header 550 5.3.6.1 No Authentication 552 The use of this authentication type means that VRRP protocol 553 exchanges are not authenticated. The contents of the Authentication 554 Data field should be set to zero on transmission and ignored on 555 reception. 557 5.3.6.2 Simple Text Password 559 The use of this authentication type means that VRRP protocol 560 exchanges are authenticated by a clear text password. The contents 561 of the Authentication Data field should be set to the locally 562 configured password on transmission. There is no default password. 563 The receiver MUST check that the Authentication Data in the packet 564 matches its configured authentication string. Packets that do not 565 match MUST be discarded. 567 Note that there are security implications to using Simple Text 568 password authentication, and one should see the Security 569 Consideration section of this document. 571 5.3.6.3 IP Authentication Header 573 The use of this authentication type means the VRRP protocol exchanges 574 are authenticated using the mechanisms defined by the IP 575 Authentication Header [AUTH] using "The Use of HMAC-MD5-96 within ESP 576 and AH" [HMAC]. Keys may be either configured manually or via a key 577 distribution protocol. 579 If a packet is received that does not pass the authentication check 580 due to a missing authentication header or incorrect message digest, 581 then the packet MUST be discarded. The contents of the 582 Authentication Data field should be set to zero on transmission and 583 ignored on reception. 585 5.3.7 Advertisement Interval (Adver Int) 587 The Advertisement interval indicates the time interval (in seconds) 588 between ADVERTISEMENTS. The default is 1 second. This field is used 589 for troubleshooting misconfigured routers. 591 5.3.8 Checksum 593 The checksum field is used to detect data corruption in the VRRP 594 message. 596 The checksum is the 16-bit one's complement of the one's complement 597 sum of the entire VRRP message starting with the version field and a 598 "pseudo-header" as defined in section 8.1 of RFC2460 [IPv6]. The 599 next header field in the "pseudo-header" should be set to 112 600 (decimal) for VRRP. For computing the checksum, the checksum field 601 is set to zero. See RFC1071 for more detail [CKSM]. 603 5.3.9 IPv6 Address 605 The IPv6 link-local address associated with the virtual router. 607 5.3.10 Authentication Data 609 The authentication string is currently only utilized for simple text 610 authentication, similar to the simple text authentication found in 611 the Open Shortest Path First routing protocol [OSPF]. It is up to 8 612 characters of plain text. If the configured authentication string is 613 shorter than 8 bytes, the remaining space MUST be zero-filled. Any 614 VRRP packet received with an authentication string that does not 615 match the locally configured authentication string MUST be discarded. 616 The authentication string is unique on a per interface basis. 618 There is no default value for this field. 620 6. Protocol State Machine 622 6.1 Parameters per Virtual Router 624 VRID Virtual Router Identifier. Configured item 625 in the range 1-255 (decimal). There is no 626 default. 628 Priority Priority value to be used by this VRRP 629 router in Master election for this virtual 630 router. The value of 255 (decimal) is 631 reserved for the router that owns the IPv6 632 address associated with the virtual router. 633 The value of 0 (zero) is reserved for Master 634 router to indicate it is releasing 635 responsibility for the virtual router. The 636 range 1-254 (decimal) is available for VRRP 637 routers backing up the virtual router. The 638 default value is 100 (decimal). 640 IPv6_Address The IPv6 link-local address associated with 641 this virtual router. Configured item. No 642 default. 644 Advertisement_Interval Time interval between ADVERTISEMENTS 645 (seconds). Default is 1 second. 647 Skew_Time Time to skew Master_Down_Interval in 648 seconds. Calculated as: 650 ( (256 - Priority) / 256 ) 652 Master_Down_Interval Time interval for Backup to declare Master 653 down (seconds). Calculated as: 655 (3 * Advertisement_Interval) + Skew_time 657 Preempt_Mode Controls whether a higher priority Backup 658 router preempts a lower priority Master. 659 Values are True to allow preemption and 660 False to prohibit preemption. Default is 661 True. 663 Note: Exception is that the router that owns 664 the IPv6 address associated with the virtual 665 router always preempts independent of the 666 setting of this flag. 668 Authentication_Type Type of authentication being used. Values 669 are defined in section 5.3.6. 671 Authentication_Data Authentication data specific to the 672 Authentication_Type being used. 674 6.2 Timers 676 Master_Down_Timer Timer that fires when ADVERTISEMENT has not 677 been heard for Master_Down_Interval. 679 Adver_Timer Timer that fires to trigger sending of 680 ADVERTISEMENT based on 681 Advertisement_Interval. 683 6.3 State Transition Diagram 685 +---------------+ 686 +--------->| |<-------------+ 687 | | Initialize | | 688 | +------| |----------+ | 689 | | +---------------+ | | 690 | | | | 691 | V V | 692 +---------------+ +---------------+ 693 | |---------------------->| | 694 | Master | | Backup | 695 | |<----------------------| | 696 +---------------+ +---------------+ 698 6.4 State Descriptions 700 In the state descriptions below, the state names are identified by 701 {state-name}, and the packets are identified by all upper case 702 characters. 704 A VRRP router implements an instance of the state machine for each 705 virtual router election it is participating in. 707 6.4.1 Initialize 709 The purpose of this state is to wait for a Startup event. If a 710 Startup event is received, then: 712 - If the Priority = 255 (i.e., the router owns the IPv6 address 713 associated with the virtual router) 715 o Send an ADVERTISEMENT 716 o Send an unsolicited ND Neighbor Advertisement with the Router 717 Flag (R) set, the Solicited Flag (S) unset, the Override flag 718 (O) set, the Target Address set to the IPv6 link-local address 719 of the Virtual Router, and the Target Link Layer address set to 720 the virtual router MAC address. 721 o Set the Adver_Timer to Advertisement_Interval 722 o Transition to the {Master} state 724 else 726 o Set the Master_Down_Timer to Master_Down_Interval 727 o Transition to the {Backup} state 729 endif 731 6.4.2 Backup 733 The purpose of the {Backup} state is to monitor the availability and 734 state of the Master Router. 736 While in this state, a VRRP router MUST do the following: 738 - MUST NOT respond to ND Neighbor Solicitation messages for the IPv6 739 address associated with the virtual router. 741 - MUST NOT send ND Router Advertisement messages for the virtual 742 router. 744 - MUST discard packets with a destination link layer MAC address 745 equal to the virtual router MAC address. 747 - MUST NOT accept packets addressed to the IPv6 address associated 748 with the virtual router. 750 - If a Shutdown event is received, then: 752 o Cancel the Master_Down_Timer 753 o Transition to the {Initialize} state 755 endif 757 - If the Master_Down_Timer fires, then: 759 o Send an ADVERTISEMENT 760 o Compute and join the Solicited-Node multicast address [ADD-ARH] 761 for the link-local IPv6 address of the Virtual Router. 762 o Send an unsolicited ND Neighbor Advertisement with the Router 763 Flag (R) set, the Solicited Flag (S) unset, the Override flag 764 (O) set, the Target Address set to the IPv6 link-local address 765 of the Virtual Router, and the Target Link Layer address set to 766 the virtual router MAC address. 767 o Set the Adver_Timer to Advertisement_Interval 768 o Transition to the {Master} state 770 endif 772 - If an ADVERTISEMENT is received, then: 774 If the Priority in the ADVERTISEMENT is Zero, then: 776 o Set the Master_Down_Timer to Skew_Time 778 else: 780 If Preempt_Mode is False, or If the Priority in the 781 ADVERTISEMENT is greater than or equal to the local 782 Priority, then: 784 o Reset the Master_Down_Timer to Master_Down_Interval 786 else: 788 o Discard the ADVERTISEMENT 790 endif 791 endif 792 endif 794 6.4.3 Master 796 While in the {Master} state the router functions as the forwarding 797 router for the IPv6 address associated with the virtual router. 799 While in this state, a VRRP router MUST do the following: 801 - MUST be a member of the Solicited-Node multicast address for the 802 IPv6 link-local address associated with the virtual router. 804 - MUST respond to ND Neighbor Solicitation message for the IPv6 805 address associated with the virtual router. 807 - MUST send ND Router Advertisements for the virtual router. 809 - MUST respond to ND Router Solicitation message for the virtual 810 router. 812 - MUST forward packets with a destination link layer MAC address 813 equal to the virtual router MAC address. 815 - MUST NOT accept packets addressed to the IPv6 address associated 816 with the virtual router if it is not the IPv6 address owner. 818 - MUST accept packets addressed to the IPv6 address associated with 819 the virtual router if it is the IPv6 address owner. 821 - If a Shutdown event is received, then: 823 o Cancel the Adver_Timer 824 o Send an ADVERTISEMENT with Priority = 0 825 o Transition to the {Initialize} state 827 endif 829 - If the Adver_Timer fires, then: 831 o Send an ADVERTISEMENT 832 o Reset the Adver_Timer to Advertisement_Interval 834 endif 836 - If an ADVERTISEMENT is received, then: 838 If the Priority in the ADVERTISEMENT is Zero, then: 840 o Send an ADVERTISEMENT 841 o Reset the Adver_Timer to Advertisement_Interval 843 else: 845 If the Priority in the ADVERTISEMENT is greater than the 846 local Priority, 847 or 848 If the Priority in the ADVERTISEMENT is equal to the local 849 Priority and the IPv6 Address of the sender is greater than 850 the local IPv6 Address, then: 852 o Cancel Adver_Timer 853 o Set Master_Down_Timer to Master_Down_Interval 854 o Transition to the {Backup} state 856 else: 858 o Discard ADVERTISEMENT 860 endif 861 endif 862 endif 864 7. Sending and Receiving VRRP Packets 866 7.1 Receiving VRRP Packets 868 Performed the following functions when a VRRP packet is received: 870 - MUST verify that the IPv6 Hop Limit is 255. 871 - MUST verify the VRRP version is 3 872 - MUST verify that the received packet contains the complete VRRP 873 packet (including fixed fields, IPv6 Address, and Authentication 874 Data). 875 - MUST verify the VRRP checksum 876 - MUST verify that the VRID is configured on the receiving 877 interface and the local router is not the IPv6 Address owner 878 (Priority equals 255 (decimal)). 879 - MUST verify that the Auth Type matches the locally configured 880 authentication method for the virtual router and perform that 881 authentication method 883 If any one of the above checks fails, the receiver MUST discard the 884 packet, SHOULD log the event and MAY indicate via network management 885 that an error occurred. 887 - MAY verify that the IPv6 Address matches the IPv6_Address 888 configured for the VRID. 890 If the above check fails, the receiver SHOULD log the event and MAY 891 indicate via network management that a misconfiguration was detected. 892 If the packet was not generated by the address owner (Priority does 893 not equal 255 (decimal)), the receiver MUST drop the packet, 894 otherwise continue processing. 896 - MUST verify that the Adver Interval in the packet is the same as 897 the locally configured for this virtual router 899 If the above check fails, the receiver MUST discard the packet, 900 SHOULD log the event and MAY indicate via network management that a 901 misconfiguration was detected. 903 7.2 Transmitting VRRP Packets 905 The following operations MUST be performed when transmitting a VRRP 906 packet. 908 - Fill in the VRRP packet fields with the appropriate virtual 909 router configuration state 910 - Compute the VRRP checksum 911 - Set the source MAC address to Virtual Router MAC Address 912 - Set the source IPv6 address to interface link-local IPv6 address 913 - Set the IPv6 protocol to VRRP 914 - Send the VRRP packet to the VRRP IP multicast group 916 Note: VRRP packets are transmitted with the virtual router MAC 917 address as the source MAC address to ensure that learning bridges 918 correctly determine the LAN segment the virtual router is attached 919 to. 921 7.3 Virtual Router MAC Address 923 The virtual router MAC address associated with a virtual router is an 924 IEEE 802 MAC Address in the following format: 926 00-00-5E-00-01-{VRID} (in hex in internet standard bit-order) 928 The first three octets are derived from the IANA's OUI. The next two 929 octets (00-01) indicate the address block assigned to the VRRP 930 protocol. {VRID} is the VRRP Virtual Router Identifier. This 931 mapping provides for up to 255 VRRP routers on a network. 933 7.4 IPv6 Interface Identifiers 935 IPv6 Routers running VRRP MUST create their Interface Identifiers in 936 the normal manner (e.g., RFC2464 "Transmission of IPv6 Packets over 937 Ethernet"). They MUST NOT use the Virtual Router MAC address to 938 create the Modified EUI-64 identifiers. 940 This VRRP specification describes how to advertise and resolve the 941 VRRP routers IPv6 link local address into the Virtual Router MAC 942 address. 944 8. Operational Issues 946 8.1 ICMPv6 Redirects 948 ICMPv6 Redirects may be used normally when VRRP is running between a 949 group of routers [ICMPv6]. This allows VRRP to be used in 950 environments where the topology is not symmetric. 952 The IPv6 source address of an ICMPv6 redirect should be the address 953 the end host used when making its next hop routing decision. If a 954 VRRP router is acting as Master for virtual router(s) containing 955 addresses it does not own, then it must determine which virtual 956 router the packet was sent to when selecting the redirect source 957 address. One method to deduce the virtual router used is to examine 958 the destination MAC address in the packet that triggered the 959 redirect. 961 It may be useful to disable Redirects for specific cases where VRRP 962 is being used to load share traffic between a number of routers in a 963 symmetric topology. 965 8.2 ND Neighbor Solicitation 967 When a host sends an ND Neighbor Solicitation message for the virtual 968 router IPv6 address, the Master virtual router MUST respond to the ND 969 Neighbor Solicitation message with the virtual MAC address for the 970 virtual router. The Master virtual router MUST NOT respond with its 971 physical MAC address. This allows the client to always use the same 972 MAC address regardless of the current Master router. 974 When a VRRP router restarts or boots, it SHOULD not send any ND 975 messages with its physical MAC address for the IPv6 address it owns, 976 it should only send ND messages that include Virtual MAC addresses. 977 This may entail: 979 - When configuring an interface, VRRP routers should send an 980 unsolicitated ND Neighbor Advertisement message containing the 981 virtual router MAC address for the IPv6 address on that interface. 983 - At system boot, when initializing interfaces for VRRP operation; 984 delay all ND Router and Neighbor Advertisements and Solicitation 985 messages until both the IPv6 address and the virtual router MAC 986 address are configured. 988 8.3 Potential Forwarding Loop 990 A VRRP router SHOULD not forward packets addressed to the IPv6 991 Address it becomes Master for if it is not the owner. Forwarding 992 these packets would result in unnecessary traffic. Also in the case 993 of LANs that receive packets they transmit (e.g., token ring) this 994 can result in a forwarding loop that is only terminated when the IPv6 995 TTL expires. 997 One such mechanism for VRRP routers is to add/delete a reject host 998 route for each adopted IPv6 address when transitioning to/from MASTER 999 state. 1001 9. Operation over FDDI, Token Ring, and ATM LANE 1003 9.1 Operation over FDDI 1005 FDDI interfaces remove from the FDDI ring frames that have a source 1006 MAC address matching the device's hardware address. Under some 1007 conditions, such as router isolations, ring failures, protocol 1008 transitions, etc., VRRP may cause there to be more than one Master 1009 router. If a Master router installs the virtual router MAC address 1010 as the hardware address on a FDDI device, then other Masters' 1011 ADVERTISEMENTS will be removed from the ring during the Master 1012 convergence, and convergence will fail. 1014 To avoid this an implementation SHOULD configure the virtual router 1015 MAC address by adding a unicast MAC filter in the FDDI device, rather 1016 than changing its hardware MAC address. This will prevent a Master 1017 router from removing any ADVERTISEMENTS it did not originate. 1019 9.2 Operation over Token Ring 1021 Token ring has several characteristics that make running VRRP 1022 difficult. These include: 1024 - In order to switch to a new master located on a different bridge 1025 token ring segment from the previous master when using source 1026 route bridges, a mechanism is required to update cached source 1027 route information. 1029 - No general multicast mechanism supported across old and new token 1030 ring adapter implementations. While many newer token ring adapters 1031 support group addresses, token ring functional address support is 1032 the only generally available multicast mechanism. Due to the 1033 limited number of token ring functional addresses these may 1034 collide with other usage of the same token ring functional 1035 addresses. 1037 Due to these difficulties, the preferred mode of operation over token 1038 ring will be to use a token ring functional address for the VRID 1039 virtual MAC address. Token ring functional addresses have the two 1040 high order bits in the first MAC address octet set to B'1'. They 1041 range from 03-00-00-00-00-80 to 03-00-02-00-00-00 (canonical format). 1042 However, unlike multicast addresses, there is only one unique 1043 functional address per bit position. The functional addresses 1044 addresses 03-00-00-10-00-00 through 03-00-02-00-00-00 are reserved 1045 by the Token Ring Architecture [TKARCH] for user-defined 1046 applications. However, since there are only 12 user-defined token 1047 ring functional addresses, there may be other non-IP protocols using 1048 the same functional address. Since the Novell IPX [IPX] protocol uses 1049 the 03-00-00-10-00-00 functional address, operation of VRRP over 1050 token ring will avoid use of this functional address. In general, 1051 token ring VRRP users will be responsible for resolution of other 1052 user-defined token ring functional address conflicts. 1054 VRIDs are mapped directly to token ring functional addresses. In 1055 order to decrease the likelihood of functional address conflicts, 1056 allocation will begin with the largest functional address. Most non- 1057 IP protocols use the first or first couple user-defined functional 1058 addresses and it is expected that VRRP users will choose VRIDs 1059 sequentially starting with 1. 1061 VRID Token Ring Functional Address 1062 ---- ----------------------------- 1063 1 03-00-02-00-00-00 1064 2 03-00-04-00-00-00 1065 3 03-00-08-00-00-00 1066 4 03-00-10-00-00-00 1067 5 03-00-20-00-00-00 1068 6 03-00-40-00-00-00 1069 7 03-00-80-00-00-00 1070 8 03-00-00-01-00-00 1071 9 03-00-00-02-00-00 1072 10 03-00-00-04-00-00 1073 11 03-00-00-08-00-00 1075 Or more succinctly, octets 3 and 4 of the functional address are 1076 equal to (0x4000 >> (VRID - 1)) in non-canonical format. 1078 Since a functional address cannot be used used as a MAC level source 1079 address, the real MAC address is used as the MAC source address in 1080 VRRP advertisements. This is not a problem for bridges since packets 1081 addressed to functional addresses will be sent on the spanning-tree 1082 explorer path [802.1D]. 1084 The functional address mode of operation MUST be implemented by 1085 routers supporting VRRP on token ring. 1087 Additionally, routers MAY support unicast mode of operation to take 1088 advantage of newer token ring adapter implementations that support 1089 non-promiscuous reception for multiple unicast MAC addresses and to 1090 avoid both the multicast traffic and usage conflicts associated with 1091 the use of token ring functional addresses. Unicast mode uses the 1092 same mapping of VRIDs to virtual MAC addresses as Ethernet. However, 1093 one important difference exists. ND request/reply packets contain the 1094 virtual MAC address as the source MAC address. The reason for this is 1095 that some token ring driver implementations keep a cache of MAC 1096 address/source routing information independent of the ND cache. 1097 Hence, these implementations need have to receive a packet with the 1098 virtual MAC address as the source address in order to transmit to 1099 that MAC address in a source-route bridged network. 1101 Unicast mode on token ring has one limitation that should be 1102 considered. If there are VRID routers on different source-route 1103 bridge segments and there are host implementations that keep their 1104 source-route information in the ND cache and do not listen to 1105 gratuitous NDs, these hosts will not update their ND source-route 1106 information correctly when a switch-over occurs. The only possible 1107 solution is to put all routers with the same VRID on the same source- 1108 bridge segment and use techniques to prevent that bridge segment from 1109 being a single point of failure. These techniques are beyond the 1110 scope this document. 1112 For both the multicast and unicast mode of operation, VRRP 1113 advertisements sent to 224.0.0.18 should be encapsulated as described 1114 in [RFC1469]. 1116 9.3 Operation over ATM LANE 1118 Operation of VRRP over ATM LANE on routers with ATM LANE interfaces 1119 and/or routers behind proxy LEC's are beyond the scope of this 1120 document. 1122 10. Security Considerations 1124 VRRP is designed for a range of internetworking environments that may 1125 employ different security policies. The protocol includes several 1126 authentication methods ranging from no authentication, simple clear 1127 text passwords, and strong authentication using IP Authentication 1128 with MD5 HMAC. The details on each approach including possible 1129 attacks and recommended environments follows. 1131 Independent of any authentication type VRRP includes a mechanism 1132 (setting TTL=255, checking on receipt) that protects against VRRP 1133 packets being injected from another remote network. This limits most 1134 vulnerabilities to local attacks. 1136 The security measures discussed in the following sections only 1137 provide various kinds of authentication. No confidentiality is 1138 provided. Confidentiality is not necessary for the correct operation 1139 of VRRP and there is no information in the VRRP messages that must be 1140 kept secret from other nodes on the LAN. 1142 10.1 No Authentication 1144 The use of this authentication type means that VRRP protocol 1145 exchanges are not authenticated. This type of authentication SHOULD 1146 only be used in environments were there is minimal security risk and 1147 little chance for configuration errors (e.g., two VRRP routers on a 1148 LAN). 1150 10.2 Simple Text Password 1152 The use of this authentication type means that VRRP protocol 1153 exchanges are authenticated by a simple clear text password. 1155 This type of authentication is useful to protect against accidental 1156 misconfiguration of routers on a LAN. It protects against routers 1157 inadvertently backing up another router. A new router must first be 1158 configured with the correct password before it can run VRRP with 1159 another router. This type of authentication does not protect against 1160 hostile attacks where the password can be learned by a node snooping 1161 VRRP packets on the LAN. The Simple Text Authentication combined 1162 with the TTL check makes it difficult for a VRRP packet to be sent 1163 from another LAN to disrupt VRRP operation. 1165 This type of authentication is RECOMMENDED when there is minimal risk 1166 of nodes on a LAN actively disrupting VRRP operation. If this type 1167 of authentication is used the user should be aware that this clear 1168 text password is sent frequently, and therefore should not be the 1169 same as any security significant password. 1171 10.3 IP Authentication Header 1173 The use of this authentication type means the VRRP protocol exchanges 1174 are authenticated using the mechanisms defined by the IP 1175 Authentication Header [AUTH] using "The Use of HMAC-MD5-96 within ESP 1176 and AH", [HMAC]. This provides strong protection against 1177 configuration errors, replay attacks, and packet 1178 corruption/modification. 1180 This type of authentication is RECOMMENDED when there is limited 1181 control over the administration of nodes on a LAN. While this type 1182 of authentication does protect the operation of VRRP, there are other 1183 types of attacks that may be employed on shared media links (e.g., 1184 generation of bogus ND replies) that are independent from VRRP and 1185 are not protected. 1187 Specifically, although securing VRRP prevents unauthorized machines 1188 from taking part in the election protocol, it does not protect hosts 1189 on the network from being deceived. For example, a gratuitous ND 1190 reply from what purports to be the virtual router's IPv6 address can 1191 redirect traffic to an unauthorized machine. Similarly, individual 1192 connections can be diverted by means of forged ICMPv6 Redirect 1193 messages. 1195 11. Intellectual Property 1197 The IETF takes no position regarding the validity or scope of any 1198 intellectual property or other rights that might be claimed to 1199 pertain to the implementation or use of the technology described in 1200 this document or the extent to which any license under such rights 1201 might or might not be available; neither does it represent that it 1202 has made any effort to identify any such rights. Information on the 1203 IETF's procedures with respect to rights in standards-track and 1204 standards-related documentation can be found in BCP-11. Copies of 1205 claims of rights made available for publication and any assurances of 1206 licenses to be made available, or the result of an attempt made to 1207 obtain a general license or permission for the use of such 1208 proprietary rights by implementors or users of this specification can 1209 be obtained from the IETF Secretariat. 1211 The IETF invites any interested party to bring to its attention any 1212 copyrights, patents or patent applications, or other proprietary 1213 rights which may cover technology that may be required to practice 1214 this standard. Please address the information to the IETF Executive 1215 Director. 1217 The IETF has been notified of intellectual property rights claimed in 1218 regard to some or all of the specification contained in this 1219 document. For more information consult the online list of claimed 1220 rights. 1222 12. Acknowledgments 1224 This specification is based on RFC2238. The authors of RFC2238 are 1225 S. Knight, D. Weaver, D. Whipple, R. Hinden, D. Mitzel, P. Hunt, P. 1226 Higginson, M. Shand, and A. Lindem. 1228 The author of this document would also like to thank Erik Nordmark, 1229 Thomas Narten, and Steve Deering for their his helpful suggestions. 1231 13. IANA Considerations 1233 VRRP for IPv6 needs an IPv6 link-local scope multicast address 1234 assigned by the IANA for this specification. The IPv6 multicast 1235 address should be of the following form: 1237 FF02:0:0:0:0:0:XXXX:XXXX 1239 The values assigned address should be entered into section 5.2.2. 1241 A convenient assignment of this link-local scope multicast would be: 1243 FF02:0:0:0:0:0:0:12 1245 as this would be consistent with the IPv4 assignment for VRRP. 1247 14. References 1249 [802.1D] International Standard ISO/IEC 10038: 1993, ANSI/IEEE Std 1250 802.1D, 1993 edition. 1252 [ADD-ARH] Hinden, R., S. Deering, "IP Version 6 Addressing 1253 Architecture", RFC2373, July 1988. 1255 [AUTH] Kent, S., R. Atkinson, "IP Authentication Header", RFC2402, 1256 November 1998. 1258 [CKSM] Braden, R., D. Borman, C. Partridge, "Computing the 1259 Internet Checksum", RFC1071, September 1988. 1261 [HMAC] Madson, C., R. Glenn, "The Use of HMAC-MD5-96 within ESP 1262 and AH", RFC2403, November 1998. 1264 [HSRP] Li, T., B. Cole, P. Morton, D. Li, "Cisco Hot Standby 1265 Router Protocol (HSRP)", RFC2281, March 1998. 1267 [ICMPv6] Conta, A., S. Deering, "Internet Control Message Protocol 1268 (ICMPv6) for the Internet Protocol Version 6 (IPv6)", 1269 RFC2463, December 1998. 1271 [IPSTB] Higginson, P., M. Shand, "Development of Router Clusters to 1272 Provide Fast Failover in IP Networks", Digital Technical 1273 Journal, Volume 9 Number 3, Winter 1997. 1275 [IPv6] Deering, S., R. Hinden, "Internet Protocol, Version 6 1276 (IPv6) Specification", RFC2460, December 1998. 1278 [IPX] Novell Incorporated., "IPX Router Specification", Version 1279 1.10, October 1992. 1281 [ND] Narten, T., E. Nordmark, W. Simpson, "Neighbor Discovery 1282 for IP Version 6 (IPv6)", RFC2461, December 1998. 1284 [OSPF] Moy, J., "OSPF version 2", RFC2328, STD0054, April 1998. 1286 [RIP] Malkin, G., "RIP Version 2", RFC2453, STD0056, November 1287 1998. 1289 [RFC1469] Pusateri, T., "IP Multicast over Token Ring Local Area 1290 Networks", RFC1469, June 1993. 1292 [RFC2026] Bradner, S., "The Internet Standards Process -- Revision 1293 3", RFC2026, BCP00009, October 1996. 1295 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1296 Requirement Levels", RFC2119, BCP0014, March 1997. 1298 [TKARCH] IBM Token-Ring Network, Architecture Reference, Publication 1299 SC30-3374-02, Third Edition, (September, 1989). 1301 [VRRP-V4] Knight, S., et. al., "Virtual Router Redundancy Protocol", 1302 RFC2338, April 1998. 1304 15. Author's Address 1306 Robert Hinden Phone: +1 650 625-2004 1307 Nokia EMail: hinden@iprg.nokia.com 1308 313 Fairchild Drive 1309 Mountain View, CA 94043 1310 USA 1312 16. Changes from RFC2338 1314 - General rewrite to change protocol to provide virtual router 1315 functionality from IPv4 to IPv6. Specific changes include: 1316 o Increment VRRP version to 3. 1317 o Change packet format to support an 128-bit IPv6 address. 1318 o Change to only support one router address (instead of multiple 1319 addresses). This included removing address count field from 1320 header. 1321 o Rewrote text to specify IPv6 Neighbor Discovery mechanisms 1322 instead of ARP. 1323 o Changed state machine actions to use Neighbor Discovery 1324 mechanisms. This includes sending unsolicited Neighbor 1325 Advertisements, Receiving Neighbor Solicitations, joining the 1326 appropriate solicited node multicast group, sending Router 1327 Advertisements, and receiving Router Solicitations. 1328 - Revised the section 4 examples text with a clearer description of 1329 mapping of IPv6 address owner, priorities, etc. 1330 - Clarify the section 7.1 text describing address list validation. 1331 - Corrected text in Preempt_Mode definition. 1332 - Changed authentication to be per Virtual Router instead of per 1333 Interface. 1334 - Added new subsection (9.3) stating that VRRP over ATM LANE is 1335 beyond the scope of this document. 1336 - Clarified text describing received packet length check. 1337 - Clarified text describing received authentication check. 1338 - Clarified text describing VRID verification check. 1339 - Added new subsection (8.4) describing need to not forward packets 1340 for adopted IPv6 addresses. 1341 - Added clarification to the security considerations section. 1342 - Added reference for computing the internet checksum. 1343 - Updated references and author information.