idnits 2.17.1 draft-sarikaya-6man-sadr-overview-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (March 31, 2015) is 3313 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2629' is defined on line 595, but no explicit reference was found in the text == Unused Reference: 'RFC3971' is defined on line 609, but no explicit reference was found in the text == Unused Reference: 'RFC4191' is defined on line 612, but no explicit reference was found in the text == Unused Reference: 'RFC4605' is defined on line 615, but no explicit reference was found in the text == Unused Reference: 'RFC4861' is defined on line 620, but no explicit reference was found in the text == Unused Reference: 'RFC4862' is defined on line 624, but no explicit reference was found in the text == Unused Reference: 'RFC6106' is defined on line 633, but no explicit reference was found in the text == Outdated reference: A later version (-10) exists of draft-ietf-homenet-hncp-04 ** Obsolete normative reference: RFC 2629 (Obsoleted by RFC 7749) ** Downref: Normative reference to an Informational RFC: RFC 3022 ** Obsolete normative reference: RFC 6106 (Obsoleted by RFC 8106) ** Downref: Normative reference to an Experimental RFC: RFC 6296 ** Downref: Normative reference to an Informational RFC: RFC 7157 == Outdated reference: A later version (-07) exists of draft-baker-ipv6-isis-dst-src-routing-02 == Outdated reference: A later version (-02) exists of draft-baker-rtgwg-src-dst-routing-use-cases-01 == Outdated reference: A later version (-02) exists of draft-ietf-mif-mpvd-dhcp-support-01 == Outdated reference: A later version (-03) exists of draft-ietf-mif-mpvd-ndp-support-01 == Outdated reference: A later version (-01) exists of draft-naderi-ipv6-probing-00 == Outdated reference: A later version (-03) exists of draft-sarikaya-6man-sadr-ra-00 == Outdated reference: A later version (-01) exists of draft-sarikaya-dhc-6man-dhcpv6-sadr-00 Summary: 5 errors (**), 0 flaws (~~), 17 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Sarikaya, Ed. 3 Internet-Draft Huawei USA 4 Intended status: Standards Track March 31, 2015 5 Expires: October 2, 2015 7 Source Address Dependent Routing and Source Address Selection for IPv6 8 Hosts 9 draft-sarikaya-6man-sadr-overview-06 11 Abstract 13 This document presents the source address dependent routing from the 14 host perspective. Multihomed hosts and hosts with multiple 15 interfaces are considered. Different architectures are introduced 16 and with their help, why source address selection and next hop 17 resolution in view of source address dependent routing is needed is 18 explained. The document concludes with an informative guidelines on 19 the different solution approaches. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on October 2, 2015. 38 Copyright Notice 40 Copyright (c) 2015 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 3. SADR Scenarios . . . . . . . . . . . . . . . . . . . . . . . 4 58 4. Analysis of Source Address Dependent Routing . . . . . . . . 8 59 4.1. Scenarios Analysis . . . . . . . . . . . . . . . . . . . 8 60 4.2. Provisioning Domains and SADR . . . . . . . . . . . . . . 10 61 5. Guidelines on Standardization Work . . . . . . . . . . . . . 10 62 5.1. Source Address Selection Rule 5.5 . . . . . . . . . . . . 11 63 5.2. Router Advertisement Option . . . . . . . . . . . . . . . 11 64 5.3. Router Advertisement Option Set . . . . . . . . . . . . . 12 65 5.4. Other Solutions . . . . . . . . . . . . . . . . . . . . . 12 66 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 67 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 68 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 69 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 70 9.1. Normative References . . . . . . . . . . . . . . . . . . 13 71 9.2. Informative References . . . . . . . . . . . . . . . . . 15 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16 74 1. Introduction 76 BCP 38 recommends ingress traffic routing to prohibit Denial of 77 Service (DoS) attacks, i.e. datagrams which have source addresses 78 that do not match with the network where the host is attached are 79 discarded [RFC2827]. Avoiding packets to be dropped because of 80 ingress filtering is difficult especially in multihomed networks 81 where the host receives more than one prefix from the connected 82 Internet Service Providers (ISP) and may have more than one source 83 addresses. Based on BCP 38, BCP 84 introduced recommendations on the 84 routing system for multihomed networks [RFC3704]. 86 Recommendations on the routing system for ingress filtering such as 87 in BCP 84 inevitably involve source address checks. This leads us to 88 the source address dependent routing. Source address dependent 89 routing is an issue especially when the host is connected to a 90 multihomed network and is communicating with another host in another 91 multihomed network. In such a case, the communication can be broken 92 in both directions if ISPs apply ingress filtering and the datagrams 93 contain wrong source addresses 94 [I-D.huitema-multi6-ingress-filtering]. 96 Hosts with simultaneously active interfaces receive multiple prefixes 97 and have multiple source addresses. Datagrams originating from such 98 hosts carry greats risks to be dropped due to ingress filtering. 99 Source address selection algorithm needs to be careful to try to 100 avoid ingress filtering on the next-hop router [RFC6724]. 102 Many use cases have been reported for source/destination routing in 103 [I-D.baker-rtgwg-src-dst-routing-use-cases]. These use cases clearly 104 indicate that the multihomed host or Customer Premises Equipment 105 (CPE) router needs to be configured with correct source prefixes/ 106 addresses so that it can route packets upstream correctly to avoid 107 ingress filtering applied by an upstream ISP to drop the packets. 109 In multihomed networks there is a need to do source address based 110 routing if some providers are performing the ingress filtering 111 defined in BCP38 [RFC2827]. This requires the routers to consider 112 the source addresses as well as the destination addresses in 113 determining the next hop to send the packet to. 115 Based on the use cases defined in 116 [I-D.baker-rtgwg-src-dst-routing-use-cases], the routers may be 117 informed about the source addresses to use in routing using 118 extensions to the routing protocols like IS-IS defined in 119 [ISO.10589.1992] [I-D.baker-ipv6-isis-dst-src-routing] and OSPF 120 defined in [RFC5340] [I-D.baker-ipv6-ospf-dst-src-routing]. In this 121 document we describe the use cases for source address dependent 122 routing from the host perspective. 124 There are two cases. A host may have a single interface with 125 multiple addresses (from different prefixes or /64s). Each address 126 or prefix is connected to or coming from different exit routers, and 127 this case can be called multi-prefix multihoming (MPMH). A host may 128 have simultaneously connected multiple interfaces where each 129 interface is connected to a different exit router and this case can 130 be called multi-prefix multiple interface (MPMI). 132 It should be noted that Network Address and Port Translation (NAPT) 133 [RFC3022] in IPv4 and IPv6-to-IPv6 Network Prefix Translation (NPTv6) 134 [RFC6296] in IPv6 implement the functions of source address selection 135 and next-hop resolution and as such they address multihoming (and 136 hosts with multiple interfaces) requirements arising from source 137 address dependent routing [RFC7157]. In this case, the gateway 138 router or CPE router does the source address and next hop selection 139 for all the hosts connected to the router. However, for end-to-end 140 connectivity, NAPT and NPTv6 should be avoided and because of this, 141 NAPT and NPTv6 are left out of scope in this document. 143 2. Terminology 145 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 146 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 147 document are to be interpreted as described in [RFC2119]. 149 3. SADR Scenarios 151 Source address dependent routing can be facilitated at the host with 152 proper next hop and source address selection. For this, each router 153 connected to different interfaces of the host uses Router 154 Advertisements to distribute default route, next hop as well as 155 source address/prefix information to the host. 157 The use case shown in Figure 1 is multi-prefix multi interface use 158 case where rtr1 and rtr2 represent customer premises equipment/ 159 routers (CPE) and there are exit routers in both network 1 and 160 network 2. The issue in this case is ingress filtering. If the 161 packets from the host communicating with a remote destination are 162 routed to the wrong exit router, i.e. carry wrong source address, 163 they will get dropped. 165 +------+ +------+ ___________ 166 | | | | / \ 167 | |-----| rtr1 |=====/ network \ 168 | | | | \ 1 / 169 | | +------+ \___________/ 170 | | 171 | host | 172 | | 173 | | +------+ ___________ 174 | | | | / \ 175 | |=====| rtr2 |=====/ network \ 176 | | | | \ 2 / 177 +------+ +------+ \___________/ 179 Figure 1: Multiple Interfaced Host with Two CPE Routers 181 There is a variant of Figure 1 that is often referred to as a 182 corporate VPN, i.e., a secure tunnel from the host to a router 183 attached to a corporate network. In this case rtr2 gives access 184 directly to the corporate network, and the link from the host to rtr2 185 is a secure tunnel (for example an IPsec tunnel). The interface is 186 therefore a virtual interface, with its own IP address assigned by 187 the corporate network. 189 +------+ +------+ ___________ 190 | |-----| rtr1 | / \ 191 | ==========\\ |=====/ network \ 192 | |-----| || | \ 1 / 193 | | +--||--+ \___________/ 194 | | || 195 | host | || 196 | | || 197 | | +--||--+ ___________ 198 | | | | / corporate \ 199 | | | rtr2 |=====/ network \ 200 | | | | \ 2 / 201 +------+ +------+ \___________/ 203 There are at least two sub-cases: a) Host routes are created such 204 that only traffic directed to the corporate network is sent to rtr2; 205 everything else is sent to rtr2. This case would be simplified by 206 SADR, which could replace the host routes. 208 b) All traffic is sent to rtr2 and then routed to the Internet if 209 necessary. This case doesn't need host routes but leads to 210 unnecessary traffic and latency via rtr2. 212 Our next use case is shown in Figure 2. This use case is a multi- 213 prefix multihoming use case. rtr is CPE router which is connected to 214 two ISPs each advertising their own prefixes. In this case, the host 215 may have a single interface but it receives multiple prefixes from 216 the connected ISPs. Assuming that ISPs apply ingress filtering 217 policy the packets for any external communication from the host 218 should follow source address dependent routing in order to avoid 219 getting dropped. 221 +------+ | 222 | | | 223 | | |=====|(ISP1)|===== 224 | | +------+ | 225 | | | | | 226 | |=====| rtr |=====| 227 | host | | | | 228 | | +------+ | 229 | | | 230 | | | 231 | | |=====|(ISP2)|===== 232 | | | 233 +------+ | 235 Figure 2: Multihomed Host with Multiple CPE Routers 237 A variation of this use case is specialized egress routing. Upstream 238 networks offer different services with specific requirements, e.g. 239 video service. The hosts using this service need to use the 240 service's source and destination addresses. No other service will 241 accept this source address, i.e. those packets will be dropped 242 [I-D.baker-rtgwg-src-dst-routing-use-cases]. 244 ___________ +------+ 245 / \ +------+ | | 246 / network \ | | | | 247 \ 1 /--| rtr1 |----| | 248 \___________/ | | | | +------+ ___________ 249 +------+ | host | | | / \ 250 | |=====| rtr3 |=====/ network \ 251 ___________ | | | | \ 3 / 252 / \ +------+ | | +------+ \___________/ 253 / network \ | | | | 254 \ 2 /--| rtr2 |----| | 255 \___________/ | | | | 256 +------+ | | 257 +------+ 259 Figure 3: multiple Interfaced Host with Three CPE Routers 261 Next use case is shown in Figure 3. It is a variation of multi- 262 prefix multi interface use case above. rtr1, rtr2 and rtr3 are CPE 263 Routers. The networks apply ingress routing. Source address 264 dependent routing should be used to avoid any external communications 265 be dropped. 267 In the homenet scenario given in Figure 4, representing a simple home 268 network, there is a host connected to two CPEs which are connected to 269 ISP1 and ISP2, respectively. Each ISP provides a different prefix. 270 Also each router provides a different prefix to the host. The issue 271 in this scenario is also ingress filtering used by each ISP. 273 +------+ 274 | | +------+ 275 | | | | 276 | |==+==| rtr1 |=====|(ISP1)|===== 277 | | | | | 278 | | | +------+ 279 | host | | 280 | | | 281 | | | +------+ 282 | | | | | 283 | | +==| rtr2 |=====|(ISP2)|===== 284 | | | | 285 +------+ +------+ 287 Figure 4: Simple Home Network with Two CPE Routers 289 The host has to select the source address from the prefixes of ISP1 290 or ISP2 when communicating with other hosts in ISP1 or ISP2. The 291 next issue is to select the correct next hop router, rtr1 or rtr2 292 that can reach the right ISP, ISP1 or ISP2. 294 +------+ | +------+ 295 | | | | | 296 | | |-----| rtrF |=====ISP3 297 | | | | | 298 | | | +------+ 299 | | | 300 | host | | 301 | | | 302 | | +------+ | +------+ 303 | | | | | | |===== ISP2 304 | |=====| rtr |=====|=====| rtrE | 305 | | | | | | |===== ISP1 306 +------+ +------+ + +------+ 308 Figure 5: Shim6 Host with Two Routers 310 The last use case in Figure 5 is also a variation of multi-prefix 311 multihoming use case above. In this case rtrE is connected to two 312 ISPs. All ISPs are assumed to apply ingress routing. The host 313 receives prefixes from each ISP and starts communicating with 314 external hosts, e.g. H1, H2, etc. H1 and H2 may be accessible both 315 from ISP1 and ISP3. 317 The host receives multiple provider-allocated IPv6 address prefixes, 318 e.g. P1, P2 and P3 for ISP1, ISP2 and ISP3 and supports shim6 319 protocol [RFC5533]. rtr is a CPE router and the default router for 320 the host. rtr receives OSPF routes and has a default route for rtrE 321 and rtrF. 323 4. Analysis of Source Address Dependent Routing 325 In this section we present an analysis of the scenarios of Section 3 326 and then discuss the relevance of SADR to the provisioning domains. 328 4.1. Scenarios Analysis 330 As in [RFC7157] we assume that the routers in Section 3 use Router 331 Advertisements to distribute default route and source address 332 prefixes supported in each next hop to the hosts or the gateway/CPE 333 router relayes this information to the hosts. 335 Referring to the scenario in Figure 1, source address dependent 336 routing can present a solution to the problem of the host wishes to 337 reach a destination in network 2 and the host may choose rtr1 as the 338 default router. The solution should start with the correct 339 configuration of the host. The host should be configured with the 340 prefixes supported in these next hops. This way the host having 341 received many prefixes will have the correct knowledge in selecting 342 the right source address and next hop when sending packets to remote 343 destinations. 345 Note that similar considerations apply to the scenario in Figure 3. 347 In the configuration of the scenario in Figure 2 also it is useful to 348 configure the host with the prefixes and source address prefixes they 349 support. This will enable the host to select the right prefix when 350 sending packets to the right next hop and avoid any ingress 351 filtering. 353 Source address dependent routing in the use case of specialized 354 egress routing may work as follows. The specialized service router 355 advertizes one or more specific prefixes with appropriate source 356 prefixes, e.g. to the CPE Router, rtr in Figure 2. The CPE router in 357 turn advertizes the specific service's prefixes and source prefixes 358 to the host. This will allow proper configuration at the host so 359 that the host can use the service by sending the packets with the 360 correct source and destination addresses. 362 Let us analyze the use case in Figure 4. If a source address 363 dependent routing protocol is used, the two routers (rtr1 and rtr2) 364 are both able to route traffic correctly, no matter which next-hop 365 router and source address the host selects. In case the host chooses 366 the wrong next hop router, e.g. for ISP2 rtr1 is selected, rtr1 will 367 forward the traffic to rtr2 to be sent to ISP2 and no ingress 368 filtering will happen. 370 Note that home networks are expected to comply with requirements for 371 source address dependent routing and the routers will be configured 372 accordingly, no matter which routing protocol, e.g. OSPF is used 373 [I-D.ietf-homenet-hncp]. 375 This would work but with issues. The host traffic to ISP2 will have 376 to go over two links instead of one, i.e. the link bandwidth will be 377 halved. Another possibility is rtr1 can send an ICMPv6 Redirect 378 message to the host to direct the traffic to rtr2. Host would 379 redirect ISP2 traffic to rtr2. 381 The problem with redirects is that ICMPv6 Redirect message can only 382 convey two addresses, i.e. in this case the router address, or rtr2 383 address and the destination address, or the destination host in ISP2. 384 That means the source address will not be communicated. As a result, 385 the host would send packets to the same destination using both source 386 addresses which causes rtr2 to send a redirect message to rtr1, 387 resulting in ping-pong redirects sent by rtr1 and rtr2. 389 The best solution to these issues is to configure the host with the 390 source address prefixes that the next hop supports. In homenets, 391 each interface of the host can be configured by its next hop router, 392 so that all that is needed is to add the information on source 393 address prefixes. This results in the hosts to select the right 394 router no matter what. 396 Finally, the use case in Figure 5 shows that even though all the 397 routers may have source address dependent routing support, the 398 packets still may get dropped. 400 The host in Figure 5 starts external communication with H1 and sends 401 the first packet with source address P3::iid. Since rtr has a 402 default route to rtrE it will use this default route in sending the 403 host's packet out towards rtrE. rtrE will route this packet to ISP1 404 and the packet will be dropped due to the ingress filtering. 406 A solution to this issue could be that rtrE having multiple routes to 407 H1 could use the path through rtrF and could direct the packet to the 408 other route, i.e. rtrF which would reach H1 in ISP3 without being 409 subject to ingress routing 410 [I-D.baker-6man-multiprefix-default-route]. 412 4.2. Provisioning Domains and SADR 414 Consistent set of network configuration information is called 415 provisioning domain (PvD). In case of multi-prefix multihoming 416 (MPMH), more than one provisioning domain is present on a single 417 link. In case of multi-prefix multiple interface (MPMI) 418 environments, elements of the same domain may be present on multiple 419 links. PvD aware nodes support association of configuration 420 information into PvDs and use these PvDs to serve requests for 421 network connections, e.g. chosing the right source address for the 422 packets. PvDs can be constructed from one of more DHCP or Router 423 Advertisement (RA) options carrying such information as PvD identity 424 and PvD container [I-D.ietf-mif-mpvd-ndp-support], 425 [I-D.ietf-mif-mpvd-dhcp-support]. PvDs constructed based on such 426 information are called explicit PvDs [I-D.ietf-mif-mpvd-arch]. 428 Apart from PvD identity, PvD content may be encapsulated in separate 429 RA or DHCP options called PvD Container Option. Examples of such 430 content are defined in [I-D.sarikaya-6man-sadr-ra] and 431 [I-D.sarikaya-dhc-6man-dhcpv6-sadr]. These options are placed in the 432 container options of an explicit PvD. 434 Explicit PvDs may be received from different interfaces. Single PvD 435 may be accessible over one interface or simulatenously accessible 436 over multiple interfaces. Explicit PvDs may be scoped to a 437 configuration related to a particular interface, however in general 438 this may not apply. What matters is PvD ID provided that PvD ID is 439 authenticated by the node even in cases where the node has a single 440 connected interface. The authentication of the PvD ID should meet 441 the level required by the node policy. Single PvD information may be 442 received over multiple interfaces as long as PvD ID is the same. 443 This applies to the router advertisements (RAs) in which case a 444 multi-homed host (that is, with multiple interfaces) should trust a 445 message from a router on one interface to install a route to a 446 different router on another interface. 448 5. Guidelines on Standardization Work 450 We presented many topologies in which a host with multiple interfaces 451 or a multihomed host is connected to various networks or ISPs which 452 in turn may apply ingress routing. Our scenario analysis showed that 453 in order to avoid packets getting dropped due to ingress routing, 454 source address dependent routing is needed. Also, source address 455 dependent routing should be supported by routers throughout a site 456 that has multiple exits. 458 In this section, we provide informative guidelines on different 459 existing and future solutions vis a vis the scenarios presented in 460 Section 3. We start with source address selection rule 5.5 and the 461 scenarios it solves and continue with solutions that state exactly 462 what information hosts need in terms of new router advertisement 463 options for correct source address selection in those scenarios. 465 5.1. Source Address Selection Rule 5.5 467 One possible solution is the default source address selection Rule 468 5.5 in [RFC6724] which recommends to select source addresses 469 advertized by the next hop. Considering the above scenarios, we can 470 state that this rule can solve the problem in Figure 1, Figure 2 and 471 Figure 3. 473 In using Rule 5.5 the following guidelines should be kept in mind. 474 Source address selection rules can be distributed by DHCP server 475 using DHCP Option OPTION_ADDRSEL_TABLE defined in [RFC7078]. 477 In case of DHCP based host configuration, DHCP server can configure 478 only the interface of the host to which it is directly connected. In 479 order for Rule 5.5 to apply on other interfaces the option should be 480 sent on those interfaces as well using [RFC7078]. 482 The default source address selection Rule 5.5 solves that problem 483 when an application sends a packet with an unspecified source 484 address. In the presence of two default routes, one route will be 485 chosen, and Rule 5.5 will make sure the right source address is used. 487 When the application selects a source address, i.e. the source 488 address is chosen before next-hop selection, even though the source 489 address is a way for the application to select the exit point, in 490 this case that purpose will not be served. In the presence of 491 multiple default routes, one will be picked, ignoring the source 492 address which was selected by the application because it is known 493 that IPv6 implementations are not required to remember which next- 494 hops advertised which prefixes. Therefore, the next-hop router may 495 not be the correct one, and the packets may be filtered. 497 This implies that the hosts should register which next-hop router 498 announced each prefix. 500 5.2. Router Advertisement Option 502 There is a need to configure the host not only with the prefixes but 503 also with the source prefixes the next hop routers support. Such a 504 configuration may avoid the host getting ingress/egress policy error 505 messages such as ICMP source address failure message. 507 If host configuration is done using router advertisement messages 508 then there is a need to define new router advertisement options for 509 source address dependent routing. These options include Route Prefix 510 with Source Address/Prefix Option. Other options such as Next Hop 511 Address with Route Prefix option and Next Hop Address with Source 512 Address and Route Prefix option will be considered in Section 5.3. 514 As we observed in Section 4.1, the scenario in Figure 4 can be solved 515 by defining a new router advertisement option, i.e. Route Prefix with 516 Source Address/Prefix Option as defined in 517 [I-D.sarikaya-6man-sadr-ra]. 519 If host configuration is done using DHCP then there is a need to 520 define new DHCP options for Route Prefix with Source Address/Prefix. 521 As mentioned above, DHCP server configuration is interface specific. 522 New DHCP options for source address dependent routing such as route 523 prefix and source prefix need to be configured for each interface 524 separately. 526 The scenario in Figure 4 can be solved by defining a new DHCP option, 527 i.e. Route Prefix with Source Address/Prefix Option, if DHCP 528 configuration is a must [I-D.sarikaya-dhc-6man-dhcpv6-sadr]. 530 5.3. Router Advertisement Option Set 532 The source address selection rule 5.5 may possibly be a solution for 533 selecting the right source addresses for each next hop but there are 534 cases where the next hop routers on each interface of the host are 535 not known by the host initially. Such use cases are out of scope. 536 Guidelines for use cases that require router advertisement option set 537 involving third party next hop addresses are also out of scope. 539 5.4. Other Solutions 541 So far we have singled out the scenario in Figure 5. All the above 542 solutions do not work in this case. This brings us the issue of IP 543 path probing [I-D.naderi-ipv6-probing]. 545 For a given destination, the host selects a source address and a next 546 hop and sends its packet. When the selected path fails, in case of 547 IP probing, the host can probe all available paths until finding one 548 that works. 550 The guideline in probing is Source Address Dependent Routing (SADR) 551 should be used, i.e. it is a necessary tool. Basically, SADR saves 552 time in eliminating wrong paths, i.e. sending the packets to the 553 wrong exit router. If SADR is not taken into account correctly the 554 host will end up wasting resources trying to explore paths that are 555 certain to fail. 557 6. Security Considerations 559 This document describes some use cases and thus brings no new 560 security risks to the Internet. 562 7. IANA Considerations 564 None. 566 8. Acknowledgements 568 In writing this document, we benefited from the ideas expressed by 569 the electronic mail discussion participants on 6man Working Group: 570 Brian Carpenter, Ole Troan, Pierre Pfister, Alex Petrescu, Ray 571 Hunter, Lorenzo Colitti and others. Pierre Pfister proposed the 572 scenario in Figure 4 as well as some text for Rule 5.5. The text on 573 corporate VPN in Section 3 was provided by Brian Carpenter. 575 9. References 577 9.1. Normative References 579 [I-D.ietf-homenet-hncp] 580 Stenberg, M., Barth, S., and P. Pfister, "Home Networking 581 Control Protocol", draft-ietf-homenet-hncp-04 (work in 582 progress), March 2015. 584 [ISO.10589.1992] 585 International Organization for Standardization, 586 "Intermediate system to intermediate system intra-domain- 587 routing routine information exchange protocol for use in 588 conjunction with the protocol for providing the 589 connectionless-mode Network Service (ISO 8473), ISO 590 Standard 10589", ISO ISO.10589.1992, 1992. 592 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 593 Requirement Levels", BCP 14, RFC 2119, March 1997. 595 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, 596 June 1999. 598 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 599 Defeating Denial of Service Attacks which employ IP Source 600 Address Spoofing", BCP 38, RFC 2827, May 2000. 602 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 603 Address Translator (Traditional NAT)", RFC 3022, January 604 2001. 606 [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed 607 Networks", BCP 84, RFC 3704, March 2004. 609 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure 610 Neighbor Discovery (SEND)", RFC 3971, March 2005. 612 [RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and 613 More-Specific Routes", RFC 4191, November 2005. 615 [RFC4605] Fenner, B., He, H., Haberman, B., and H. Sandick, 616 "Internet Group Management Protocol (IGMP) / Multicast 617 Listener Discovery (MLD)-Based Multicast Forwarding 618 ("IGMP/MLD Proxying")", RFC 4605, August 2006. 620 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 621 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 622 September 2007. 624 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 625 Address Autoconfiguration", RFC 4862, September 2007. 627 [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF 628 for IPv6", RFC 5340, July 2008. 630 [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming 631 Shim Protocol for IPv6", RFC 5533, June 2009. 633 [RFC6106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, 634 "IPv6 Router Advertisement Options for DNS Configuration", 635 RFC 6106, November 2010. 637 [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix 638 Translation", RFC 6296, June 2011. 640 [RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown, 641 "Default Address Selection for Internet Protocol Version 6 642 (IPv6)", RFC 6724, September 2012. 644 [RFC7078] Matsumoto, A., Fujisaki, T., and T. Chown, "Distributing 645 Address Selection Policy Using DHCPv6", RFC 7078, January 646 2014. 648 [RFC7157] Troan, O., Miles, D., Matsushima, S., Okimoto, T., and D. 649 Wing, "IPv6 Multihoming without Network Address 650 Translation", RFC 7157, March 2014. 652 9.2. Informative References 654 [I-D.baker-6man-multiprefix-default-route] 655 Baker, F., "Multiprefix IPv6 Routing for Ingress Filters", 656 draft-baker-6man-multiprefix-default-route-00 (work in 657 progress), November 2007. 659 [I-D.baker-ipv6-isis-dst-src-routing] 660 Baker, F. and D. Lamparter, "IPv6 Source/Destination 661 Routing using IS-IS", draft-baker-ipv6-isis-dst-src- 662 routing-02 (work in progress), October 2014. 664 [I-D.baker-ipv6-ospf-dst-src-routing] 665 Baker, F., "IPv6 Source/Destination Routing using OSPFv3", 666 draft-baker-ipv6-ospf-dst-src-routing-03 (work in 667 progress), August 2013. 669 [I-D.baker-rtgwg-src-dst-routing-use-cases] 670 Baker, F., "Requirements and Use Cases for Source/ 671 Destination Routing", draft-baker-rtgwg-src-dst-routing- 672 use-cases-01 (work in progress), October 2014. 674 [I-D.huitema-multi6-ingress-filtering] 675 Huitema, C., "Ingress filtering compatibility for IPv6 676 multihomed sites", draft-huitema-multi6-ingress- 677 filtering-00 (work in progress), October 2004. 679 [I-D.ietf-mif-mpvd-arch] 680 Anipko, D., "Multiple Provisioning Domain Architecture", 681 draft-ietf-mif-mpvd-arch-11 (work in progress), March 682 2015. 684 [I-D.ietf-mif-mpvd-dhcp-support] 685 Krishnan, S., Korhonen, J., and S. Bhandari, "Support for 686 multiple provisioning domains in DHCPv6", draft-ietf-mif- 687 mpvd-dhcp-support-01 (work in progress), March 2015. 689 [I-D.ietf-mif-mpvd-ndp-support] 690 Korhonen, J., Krishnan, S., and S. Gundavelli, "Support 691 for multiple provisioning domains in IPv6 Neighbor 692 Discovery Protocol", draft-ietf-mif-mpvd-ndp-support-01 693 (work in progress), February 2015. 695 [I-D.naderi-ipv6-probing] 696 Naderi, H. and B. Carpenter, "Experience with IPv6 path 697 probing", draft-naderi-ipv6-probing-00 (work in progress), 698 October 2014. 700 [I-D.sarikaya-6man-sadr-ra] 701 Sarikaya, B., "IPv6 RA Options for Source Address 702 Dependent Routing", draft-sarikaya-6man-sadr-ra-00 (work 703 in progress), March 2015. 705 [I-D.sarikaya-dhc-6man-dhcpv6-sadr] 706 Sarikaya, B., "DHCPv6 Route Options for Source Address 707 Dependent Routing", draft-sarikaya-dhc-6man-dhcpv6-sadr-00 708 (work in progress), December 2014. 710 Author's Address 712 Behcet Sarikaya (editor) 713 Huawei USA 714 5340 Legacy Dr. Building 175 715 Plano, TX 75024 717 Email: sarikaya@ieee.org