One document matched: draft-ietf-6man-addr-select-opt-11.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2460 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2460.xml'>
<!ENTITY rfc3315 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3315.xml'>
<!ENTITY rfc3484 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3484.xml'>
<!ENTITY rfc4291 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4291.xml'>
<!ENTITY rfc4861 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4861.xml'>
<!ENTITY rfc4941 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4941.xml'>
<!ENTITY rfc5220 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5220.xml'>
<!ENTITY rfc5221 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5221.xml'>
<!ENTITY rfc6724 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6724.xml'>
<!ENTITY DTCONS PUBLIC 'DTCONS'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-6man-addr-select-considerations.xml'>
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc autobreaks="yes" ?>
<?rfc toc="no" ?>
<?rfc compact="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc symrefs="yes" ?>
<rfc category="std" ipr="pre5378Trust200902" docName="draft-ietf-6man-addr-select-opt-11.txt">
<front>
<title abbrev='DHCPv6 Address Selection Policy Opt'>
Distributing Address Selection Policy using DHCPv6
</title>
<author initials='A.M.' surname="Matsumoto" fullname='Arifumi Matsumoto'>
<organization abbrev='NTT'>NTT NT Lab</organization>
<address>
<postal>
<street>3-9-11 Midori-Cho</street>
<city>Musashino-shi</city>
<region>Tokyo</region>
<code>180-8585</code>
<country>Japan</country>
</postal>
<phone>+81 422 59 3334</phone>
<email>arifumi@nttv6.net</email>
</address>
</author>
<author initials='T.F.' surname="Fujisaki" fullname='Tomohiro Fujisaki'>
<organization abbrev='NTT'>NTT NT Lab</organization>
<address>
<postal>
<street>3-9-11 Midori-Cho</street>
<city>Musashino-shi</city>
<region>Tokyo</region>
<code>180-8585</code>
<country>Japan</country>
</postal>
<phone>+81 422 59 7351</phone>
<email>fujisaki@nttv6.net</email>
</address>
</author>
<author initials='T.C.' surname="Chown" fullname='Tim Chown'>
<organization abbrev='University of Southampton'>University of Southampton</organization>
<address>
<postal>
<street>Southampton, Hampshire SO17 1BJ</street>
<country>United Kingdom</country>
</postal>
<email>tjc@ecs.soton.ac.uk</email>
</address>
</author>
<date month="August" year="2013"/>
<area>Internet</area>
<workgroup>6man Working Group</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t>
RFC 6724 defines default address selection mechanisms for IPv6 that allow nodes to select an appropriate address when faced with multiple source and/or destination addresses to choose between.
RFC 6724 allows for the future definition of methods to administratively configure the address selection policy information.
This document defines a new DHCPv6 option for such configuration, allowing a site administrator to distribute address selection policy overriding the default address selection parameters and policy table, and thus to control the address selection behavior of nodes in their site.
</t>
</abstract>
</front>
<middle>
<section title="Introduction"> <!-- 1 -->
<t>
<xref target="RFC6724"/> describes default algorithms for selecting an address when a node has multiple destination and/or source addresses to choose from by using an address selection policy.
In Section 2 of RFC 6724, it is suggested that the default policy table may be administratively configured to suit the specific needs of a site.
This specification defines a new DHCPv6 option for such configuration.
</t>
<t>
Some problems were identified with the default address selection policy as originally defined in <xref target="RFC3484" />. As a result, RFC 3484 was updated and obsoleted by <xref target="RFC6724" />.
While this update corrected a number of issues identifed from operational experience, it is unlikely that any default policy will suit all scenarios, and thus mechanisms to control the source address selection policy will be necessary.
Requirements for those mechanisms are described in <xref target="RFC5221"/>, while solutions are discussed in <xref target="I-D.ietf-6man-addr-select-considerations"/>.
Those documents have helped shape the improvements in the default address selection algorithm in <xref target="RFC6724"/> as well as the requirements for the DHCPv6 option defined in this specification.
</t>
<section title="Conventions Used in This Document">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119"/>.
</t>
</section>
<section title="Terminology">
<t>
This document uses the terminology defined in <xref target="RFC2460"/> and the DHCPv6 specification defined in <xref target="RFC3315"/>
</t>
</section>
</section>
<section title="Address Selection options"> <!-- 2 -->
<t>The Address Selection option provides the address selection policy table, and some other configuration parameters.</t>
<t>
An Address Selection option contains zero or more policy table options.
Multiple policy table options in an Address Selection option constitute a single policy table.
When an Address Selection option does not contain a policy table option, it may be used to just convey the A and P flags.
</t>
<t>The format of the Address Selection option is given below.</t>
<figure><artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_ADDRSEL | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved |A|P| |
+-+-+-+-+-+-+-+-+ POLICY TABLE OPTIONS |
| (variable length) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Address Selection option format
</artwork></figure>
<t>
<list style='hanging' hangIndent='5'>
<t hangText="option-code:"> OPTION_ADDRSEL (TBD).
<vspace blankLines='1' />
</t>
<t hangText="option-len:">
The total length of the Reserved field, A, P flags, and POLICY TABLE OPTIONS in octets.
<vspace blankLines='1' />
</t>
<t hangText="Reserved:">
Reserved field.
The server MUST set this value to zero and the client MUST ignore its content.
<vspace blankLines='1' />
</t>
<t hangText="A:">
Automatic Row Addition flag.
This flag toggles the Automatic Row Addition flag at client hosts, which is described in section 2.1 of <xref target="RFC6724"></xref>.
If this flag is set to 1, it does not change client host behavior, that is, a client MAY automatically add additional site-specific rows to the policy table.
If set to 0, the Automatic Row Addition flag is disabled, and a client SHOULD NOT automatically add rows to the policy table.
If the option contains a POLICY TABLE option, this flag is meaningless, and automatic row addition SHOULD NOT be performed against the distributed policy table.
<vspace blankLines='1' />
</t>
<t hangText="P:">
Privacy Preference flag.
This flag toggles the Privacy Preference flag on client hosts, which is described in section 5 of <xref target="RFC6724"></xref>.
If this flag is set to 1, it does not change client host behavior, that is, a client will prefer temporary addresses <xref target="RFC4941"></xref>.
If set to 0, the Privacy Preference flag is disabled, and a client will prefer public addresses.
<vspace blankLines='1' />
</t>
<t hangText="POLICY TABLE OPTIONS:">
Zero or more Address Selection Policy Table options, as described below.
This option corresponds to a row in the policy table defined in section 2.1 of <xref target="RFC6724"></xref>.
<vspace blankLines='1' />
</t>
</list>
</t>
<figure><artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_ADDRSEL_TABLE | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| label | precedence | prefix-len | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| prefix (variable length) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Address Selection Policy Table option format
</artwork></figure>
<t>
<list style='hanging' hangIndent='5'>
<t hangText="option-code:"> OPTION_ADDRSEL_TABLE (TBD).
<vspace blankLines='1' />
</t>
<t hangText="option-len:">
The total length of the label field, precedence field, prefix-len field, and prefix field.
<vspace blankLines='1' />
</t>
<t hangText="label:">
An 8-bit unsigned integer; this value is for correlation of source address prefixes and destination address prefixes.
This field is used to deliver a label value in the <xref target="RFC6724" /> policy table.
<vspace blankLines='1' />
</t>
<t hangText="precedence:">
An 8-bit unsigned integer; this value is used for sorting destination addresses.
This field is used to to deliver a precedence value in <xref target="RFC6724" /> policy table.
<vspace blankLines='1' />
</t>
<t hangText="prefix-len:">
An 8-bit unsigned integer; the number of leading bits in the prefix that are valid. The value ranges from 0 to 128.
<vspace blankLines='1' />
</t>
<t hangText="prefix:">
A variable-length field containing an IP address or the prefix of an IP address.
An IPv4-mapped address <xref target="RFC4291"/> must be used to represent an IPv4 address as a prefix value.
This field is padded with zeros up to the nearest octet boundary when prefix-len is not divisible by 8.
This can be expressed using the following equation: (prefix-len + 7)/8
So the length of this field should be between 0 and 16 bytes.
For example, the prefix 2001:db8::/60 would be encoded with an prefix-len of 60, the prefix would be 8 octets and would contains octets 20 01 0d b8 00 00 00 00.
<vspace blankLines='1' />
</t>
</list>
</t>
</section>
<section title="Processing the Address Selection option"> <!-- 3 -->
<t>This section describes how to process a received Address Selection option at the DHCPv6 client.</t>
<t>
This option's concept is to serve as a hint for a node about how to behave in the network.
Ultimately, while the node's administrator can control how to deal with the received policy information, the implementation SHOULD follow the method described below uniformly, to ease troubleshooting and to reduce operational costs.
</t>
<section title="Handling local configurations">
<t>
<xref target="RFC6724" /> defines two flags (A, P) and the default policy table.
Also, users are usually able to configure the flags and the policy table to satisfy their own requirements.
</t>
<t>
The client implementation SHOULD provide the following choices to the user.
</t>
<t>
<list style="hanging">
<t hangText="(a)">
replace the existing flags and active policy table with the DHCPv6 distributed flags and policy table.
</t>
<t hangText="(b)">
preserve the existing flags and active policy table, whether this be the default policy table, or user configured policy.
</t>
</list>
</t>
<t>
Choice (a) SHOULD be the default, i.e. that the policy table is not explictly configured by the user.
</t>
</section>
<section title="Handling stale policy tables">
<t>
When the information from the DHCP server goes stale, the policy received from the DHCP server SHOULD be deprecated.
</t>
<t>
The received information can be considered stale in several cases, e.g., when the interface goes down, the DHCP server does not respond for a certain amount of time, and the Information Refresh Time is expired.
</t>
</section>
<section title="Handling multiple interfaces">
<t>
The policy table, and other parameters specified in this document, are node-global information by their nature.
One reason being that the outbound interface is usually chosen after destination address selection.
So a host cannot make use of multiple address selection policies even if they are stored per interface.
</t>
<t>
The policy table is defined as a whole, so the slightest addition/deletion from the policy table brings a change in the semantics of the policy.
</t>
<t>
It also should be noted that the absence of a DHCP-distributed policy from a certain network interface should not infer that the network administrator does not care about address selection policy at all, because it may mean there is a preference to use the default address selection policy.
So, it should be safe to assume that the default address selection policy should be used where no overriding policy is provided.
</t>
<t>
Under the above assumptions, we can specify how to handle received policy as follows.
</t>
<t>
In the absence of distributed policy for a certain network interface, the default address selection policy SHOULD be used.
A node should use Address Selection options by default in any of the following two cases:
</t>
<t>
<list style="hanging">
<t hangText="1:">
A single-homed host SHOULD use default address selection options, where the host belongs exclusively to one administrative network domain, usually through one active network interface.
</t>
<t hangText="2:">
Hosts that use advanced heuristics to deal with multiple received policies that are defined outside the scope of this document SHOULD use Address Selection options.
</t>
</list>
</t>
<t>
Implementations MAY provide configuration options to enable this protocol on a per interface basis.
</t>
<t>
Implementations MAY store distributed address selection policies per interface.
They can be used effectively on implementations that adopt per-application interface selection.
</t>
</section>
</section>
<section title="Implementation Considerations"> <!-- 4 -->
<t>
<list style='symbols'>
<t>
The value 'label' is passed as an unsigned integer, but there is no special meaning for the value, that is whether it is a large or small number.
It is used to select a preferred source address prefix corresponding to a destination address prefix by matching the same label value within the DHCP message.
DHCPv6 clients SHOULD convert this label to a representation appropriate for the local implementation (e.g., string).
<vspace blankLines='1' />
</t>
<t>
The maximum number of address selection rules that may be conveyed in one DHCPv6 message depends on the prefix length of each rule and the maximum DHCPv6 message size defined in <xref target="RFC3315" />.
It is possible to carry over 3,000 rules in one DHCPv6 message (maximum UDP message size).
However, it should not be expected that DHCP clients, servers and relay agents can handle UDP fragmentation.
Network adiministrators SHOULD consider local limitations to the maximum DHCPv6 message size that can be reliably transported via their specific local infrastructure to end nodes; and therefore they SHOULD consider the number of options, the total size of the options, and the resulting DHCPv6 message size, when defining their policy table.
<vspace blankLines='1' />
</t>
</list>
</t>
</section>
<section title="Security Considerations"> <!-- 5 -->
<t>
A rogue DHCPv6 server could issue bogus address selection policies to a client.
This might lead to incorrect address selection by the client, and the affected packets might be blocked at an outgoing ISP because of ingress filtering, incur additional network charges, or be misdirected to an attacker's machine.
Alternatively, an IPv6 transition mechanism might be preferred over native IPv6, even if it is available.
To guard against such attacks, a legitimate DHCPv6 server should communicate through a secure, trusted channel, such as a channel protected by IPsec, SEND and DHCP authentication, as described in section 21 of <xref target="RFC3315" />. A commonly used alternative mitigation is to employ DHCP snooping at Layer 2.
</t>
<t>
Another threat surrounds the potential privacy concern as
described in the security considerations section of <xref target="RFC6724" />, whereby an attacker can send packets with different source addresses to a destination to solicit different source addresses in the responses from that destination.
This issue will not be modified by the introduction of this option, regardless of whether the host is multihomed or not.
</t>
</section>
<section title="IANA Considerations"> <!-- 6 -->
<t>
IANA is requested to assign option codes to OPTION_ADDRSEL and OPTION_ADDRSEL_TABLE from the "DHCP Option Codes" registry (http://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xml).
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc3315;
&rfc6724;
</references>
<references title="Informative References">
&rfc3484;
&DTCONS;
&rfc2460;
&rfc4291;
&rfc4941;
&rfc5220;
&rfc5221;
</references>
<section title="Acknowledgements">
<t>
Authors would like to thank to Dave Thaler, Pekka Savola, Remi Denis-Courmont, Francois-Xavier Le Bail, Ole Troan, Bob Hinden, Dmitry Anipko, Ray Hunter, Rui Paulo, Brian E Carpenter, Tom Petch, and the members of 6man's address selection design team for their invaluable contributions to this document.
</t>
</section>
<section title="Examples">
<t>
<xref target="RFC5220" /> gives several cases where address selection problems happen.
This section contains some examples for solving those cases by using the DHCP option defined in this text to update the hosts' policy table in a network accordingly. There is also some discussion of example policy tables in sections 10.3 to 10.7 of RFC 6724.
</t>
<section title="Ingress Filtering Problem">
<t>In the case described in section 2.1.2 of <xref target="RFC5220" />, the following policy table should be distributed, when Router performs static routing and directs the default route to ISP1 as per Figure 2.
By putting the same label value to all IPv6 addresses (::/0) and the local subnet (2001:db8:1000:1::/64), a host picks a source address in this subnet to send a packet via the default route.
</t>
<figure><artwork>
Prefix Precedence Label
::1/128 50 0
::/0 40 1
2001:db8:1000:1::/64 45 1
2001:db8:8000:1::/64 45 14
::ffff:0:0/96 35 4
2002::/16 30 2
2001::/32 5 5
fc00::/7 3 13
::/96 1 3
fec0::/10 1 11
3ffe::/16 1 12
</artwork></figure>
</section>
<section title="Half-Closed Network Problem">
<t>
In the case described in section 2.1.3 of <xref target="RFC5220" />, the following policy table should be distributed.
By splitting the closed network prefix (2001:db8:8000::/36) from all IPv6 addresses (::/0) and giving different labels, the closed network prefix will only be used when packets are destined for the closed network.
</t>
<figure><artwork>
Prefix Precedence Label
::1/128 50 0
::/0 40 1
2001:db8:8000::/36 45 14
::ffff:0:0/96 35 4
2002::/16 30 2
2001::/32 5 5
fc00::/7 3 13
::/96 1 3
fec0::/10 1 11
3ffe::/16 1 12
</artwork></figure>
</section>
<section title="IPv4 or IPv6 Prioritization">
<t>
In the case described in section 2.2.1 of <xref target="RFC5220" />, the following policy table should be distributed to prioritize IPv6.
This case is also described in <xref target="RFC6724" />
</t>
<figure><artwork>
Prefix Precedence Label
::1/128 50 0
::/0 40 1
::ffff:0:0/96 100 4
2002::/16 30 2
2001::/32 5 5
fc00::/7 3 13
::/96 1 3
fec0::/10 1 11
3ffe::/16 1 12
</artwork></figure>
</section>
<section title="ULA or Global Prioritization">
<t>
In the case described in section 2.2.3 of <xref target="RFC5220" />, the following policy table should be distributed, or Automatic Row Addition flag should be set to 1.
By splitting the ULA in this site (fc12:3456:789a::/48) from all IPv6 addresses (::/0) and giving it higher precendence, the ULA will be used to connect to servers in the same site.
</t>
<figure><artwork>
Prefix Precedence Label
::1/128 50 0
fc12:3456:789a::/48 45 14
::/0 40 1
::ffff:0:0/96 35 4
2002::/16 30 2
2001::/32 5 5
fc00::/7 3 13
::/96 1 3
fec0::/10 1 11
3ffe::/16 1 12
</artwork></figure>
</section>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 13:39:17 |