One document matched: draft-ietf-6man-rfc3484-revise-02.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc3484 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3484.xml'>
<!ENTITY rfc3879 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3879.xml'>
<!ENTITY rfc3701 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3701.xml'>
<!ENTITY rfc4193 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4193.xml'>
<!ENTITY rfc4291 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4291.xml'>
<!ENTITY rfc4380 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4380.xml'>
<!ENTITY rfc1918 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.1918.xml'>
<!ENTITY rfc1794 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.1794.xml'>
<!ENTITY rfc5220 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5220.xml'>
<!ENTITY rfc2827 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2827.xml'>
<!ENTITY ADDRSELOPT PUBLIC 'ADDRSELOPT'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-6man-addr-select-opt.xml'>
<!ENTITY ADDRSELCONS PUBLIC 'ADDRSELCONS'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-6man-addr-select-considerations.xml'>
<!ENTITY NATADDRSEL PUBLIC 'NATADDRSEL'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.denis-v6ops-nat-addrsel.xml'>
<!ENTITY ULACENTRAL PUBLIC 'ULACENTRAL'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-ipv6-ula-central.xml'>
]> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc autobreaks="yes" ?>
<?rfc toc="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<?rfc symrefs="yes" ?>
<?rfc compact="yes" ?>
<rfc category="std" ipr="pre5378Trust200902" docName="draft-ietf-6man-rfc3484-revise-02.txt">
<front>
<title abbrev='RFC3484 Bis'>
Update to RFC 3484 Default Address Selection for IPv6
</title>
<author initials='A.M.' surname="Matsumoto" fullname='Arifumi Matsumoto'>
<organization abbrev='NTT'>NTT SI Lab</organization>
<address>
<postal>
<street>Midori-Cho 3-9-11</street>
<city>Musashino-shi</city>
<region>Tokyo</region>
<code>180-8585</code>
<country>Japan</country>
</postal>
<phone>+81 422 59 3334</phone>
<email>arifumi@nttv6.net</email>
</address>
</author>
<author initials='J.K.' surname="Kato" fullname='Jun-ya Kato'>
<organization abbrev='NTT'>NTT SI Lab</organization>
<address>
<postal>
<street>Midori-Cho 3-9-11</street>
<city>Musashino-shi</city>
<region>Tokyo</region>
<code>180-8585</code>
<country>Japan</country>
</postal>
<phone>+81 422 59 2939</phone>
<email>kato@syce.net</email>
</address>
</author>
<author initials='T.F.' surname="Fujisaki" fullname='Tomohiro Fujisaki'>
<organization abbrev='NTT'>NTT PF Lab</organization>
<address>
<postal>
<street>Midori-Cho 3-9-11</street>
<city>Musashino-shi</city>
<region>Tokyo</region>
<code>180-8585</code>
<country>Japan</country>
</postal>
<phone>+81 422 59 7351</phone>
<email>fujisaki@syce.net</email>
</address>
</author>
<date month="March" year="2011"/>
<!-- <area>Operations and Management</area>
<workgroup>IPv6 Operations Working Group</workgroup> -->
<keyword>Internet-Draft</keyword>
<abstract>
<t>
RFC 3484 describes algorithms for source address selection
and for destination address selection. The algorithms specify
default behavior for all Internet Protocol version 6 (IPv6)
implementations.
This document specifies a set of updates that modify the
algorithms and provide fixes for the identified issues.
</t>
</abstract>
</front>
<middle>
<section title="Introduction"> <!-- 1 -->
<t>
<xref target="RFC4291">The IPv6 addressing architecture </xref> allows
multiple unicast addresses to be assigned to interfaces. Because of
this IPv6 implementations need to handle multiple possible source
and destination addresses when initiating communication.
<xref target="RFC3484">RFC 3484</xref>
specifies the default algorithms, common across all
implementations, for selecting source and destination addresses so
that it is easier to predict the address selection behavior.
</t>
<t>
Since RFC 3484 was published, some issues have been identified with the algorithm specified there. The issues are related to the longest match algorithm used in Rule 9 of Destination address selection breaking DNS round-robin techniques, and prioritization of poor IPv6 connectivity using transition mechanisms over native IPv4 connectivity.
</t>
<t>
There have also been some significant changes to the IPv6 addressing architecture that require changes in the RFC 3484 policy table. Such changes include <xref target="RFC3879">the deprecation of site-local unicast addresses</xref> and the IPv4-compatible IPv6 addresses, the introduction of <xref target="RFC4193">Unique Local Addresses</xref> etc.
</t>
<t>
This document specifies a set of updates that modify the
algorithms and provide fixes for the identified issues.
</t>
</section>
<section title="Specification"> <!-- 2 -->
<section title="Changes related to the default policy table"> <!-- 2.1 -->
<t>
The default policy table is defined in RFC 3484 Section 2.1 as follows:
</t>
<figure>
<artwork>
Prefix Precedence Label
::1/128 50 0
::/0 40 1
2002::/16 30 2
::/96 20 3
::ffff:0:0/96 10 4
</artwork>
</figure>
<t>
The changes that should be included into the default
policy table are those rules that are universally useful
and do no harm in every reasonable network environment.
The changes we should consider for the default policy table
are listed in this sub-section.
</t>
<t>
The policy table is defined to be configurable.
If the local site policy needs to be different
changes can be put into the policy table
manually or by using the
auto-configuration mechanism proposed as
<xref target="I-D.ietf-6man-addr-select-opt">a DHCP option</xref>.
</t>
<section title="ULAs in the policy table" anchor="ULA">
<t>
<xref target="RFC5220">RFC 5220</xref> Section 2.1.4, 2.2.2, and 2.2.3 describes address
selection problems related to <xref target="RFC4193">ULAs</xref>.
These problems can be solved by either changing the scope of
ULAs to site-local, or by adding an entry to the default policy
table entry that has its own label for ULAs.
</t>
<t>
ULAs has been specified with a global scope because the reachability
of the ULAs was intended to be restricted by the routing
system. Since a ULA will not be exposed outside of its
reachability domain, if a ULA is available as a candidate
destination address, it can be expected to be reachable. In fact,
such ULA to ULA communication is often desired
(in particular in sites where ULAs are intended to provide stable
addresses when the global prefix may be changing)
and thus needs to be prioritized.
</t>
<t>
Therefore, the scope of ULA should be kept global, and
prioritization of ULA to ULA communication should be
implemented in the policy table,
by assigning a specific label for ULAs using fc00::/7.
</t>
</section>
<section title="Teredo in the policy table" anchor="Teredo">
<t>
<xref target="RFC4380">Teredo</xref> is defined and has
been assigned 2001::/32.
This address block should be assigned its own label in the policy table.
Teredo's priority should be less than or equal to 6to4,
considering its characteristic of being a transitional
tunnel mechanism.
Windows already implements this.
</t>
</section>
<section title="Deprecated addresses in the policy table" anchor="deprecated">
<t>
IPv4-compatible IPv6 addresses are
<xref target="RFC4291"> deprecated</xref>.
IPv6 site-local unicast addresses are
<xref target="RFC3879"> deprecated</xref>.
Moreover, the 6bone testing address has also
been phased out<xref target="RFC3701"></xref>.
The issue is how we treat these outdated addresses.
</t>
</section>
<section title="Renewed default policy table" anchor="renewed">
<t>
After applying these updates, the default policy
table becomes:
</t>
<figure>
<artwork>
Prefix Precedence Label
::1/128 60 0
fc00::/7 50 1
::/0 40 2
::ffff:0:0/96 30 3
2002::/16 20 4
2001::/32 10 5
::/96 1 10
fec::/16 1 11
3ffe::/16 1 12
</artwork>
</figure>
</section>
</section>
<section title="The longest matching rule" anchor="localdnsrr"> <!-- 2.2 -->
<t>
This issue is related to a problem with the longest
matching rule, as reported by Dave Thaler.
It is a malfunction of the DNS round-robin technique.
It is common for both IPv4 and IPv6.
</t>
<t>
When a destination address DA, DB, and the source address of DA
Source(DA) are on the same subnet and Source(DA) == Source(DB),
DNS round robin load-balancing cannot function.
By considering prefix lengths that are longer than the subnet prefix,
this rule establishes preference between addresses that have no
substantive differences between them.
The rule functions as an arbitrary tie-breaker between the hosts
in a round robin, causing a given host to always prefer a given
member of the round robin.
</t>
<t>
By limiting the calculation of common prefixes to a maximum length
equal to the length of the subnet prefix of the source address,
rule 9 can continue to favor hosts that are nearby in the network
hierarchy without arbitrarily sorting addresses within a given network.
This modification could be written as follows:
</t>
<t>
Rule 9: Use longest matching prefix.
</t>
<t>
When DA and DB belong to the same address family
(both are IPv6 or both are IPv4):
If CommonPrefixLen(DA & Netmask(Source(DA)), Source(DA))
> CommonPrefixLen(DB & Netmask(Source(DB)), Source(DB)),
then prefer DA.
Similarly, if CommonPrefixLen(DA & Netmask(Source(DA)), Source(DA))
< CommonPrefixLen(DB & Netmask(Source(DB)), Source(DB)), then prefer DB.
</t>
</section>
<section title="Utilize next-hop for source address selection"> <!-- 2.3 -->
<t>
RFC 3484 source address selection rule 5 states that the address that is
attached to the outgoing interface should be preferred as the source address.
This rule is reasonable considering the prevalence of Ingress Filtering
described in <xref target="RFC2827">BCP 38</xref>.
This is because an upstream network provider usually assumes it receives
those packets from customers that will use the delegated addresses
as their source addresses.
</t>
<t>
This rule, however, is not effective in an environment such
as described in RFC 5220 Section 2.1.1, where a host has
multiple upstream routers on the same link and has addresses
delegated from each upstream on single interface.
</t>
<t>
So, a new rule 5.1 that utilizes next-hop information for source address
selection is inserted just after the rule 5.
</t>
<t>
Rule 5.1: Use an address assigned by the selected next-hop.
</t>
<t>
If SA is assigned by the selected next-hop that will be used to send to D
and SB is assigned by a different next-hop, then prefer SA.
Similarly, if SB is assigned by the next-hop that will be used to
send to D and SA is assigned by a different next-hop, then prefer SB.
</t>
</section>
<section title="Private IPv4 address scope"> <!-- 2.4 -->
<t>
When a packet goes through a NAT, its source or destination address
can get replaced with another address with a different scope. It
follows that the result of the source address selection algorithm
may be different when the original address is replaced with the
NATed address.
</t>
<t>
The algorithm currently specified in RFC 3484 is based on the
assumption that a source address with a small scope cannot reach a
destination address with a larger scope. This assumption does not
hold if private IPv4 addresses and a NAT are used to reach public
IPv4 addresses.
</t>
<t>
Due to this assumption, in the presence of both NATed private IPv4
address and transitional addresses (like 6to4 and Teredo), the host
will choose the transitional IPv6 address to access dual-stack
peers <xref target="I-D.denis-v6ops-nat-addrsel"></xref>.
Choosing transitional IPv6
connectivity over native IPv4 connectivity is not desirable.
</t>
<t>
This issue can be fixed by changing the address scope of private
IPv4 addresses to global. Such a change has already been implemented
in some OSes.
</t>
</section>
<section title="Deprecation of site-local unicast address" anchor="sitelocal"> <!-- 2.5 -->
<t>
RFC 3484 contains a few "site-local unicast" and
"fec::" descriptions.
It's better to remove examples related to site-local
unicast address, or change examples to use ULAs.
Points that need to be re-written are:
</t>
<list style="hanging">
<t>
- the 2nd paragraph in RFC 3484 Section 3.1 describing the scope comparison mechanism.
</t>
<t>
- RFC 3484 Section 10 containing examples for site-local address.
</t>
</list>
</section>
</section>
<section title="Security Considerations"> <!-- 4 -->
<t>
No security risk is found that degrades RFC 3484.
</t>
</section>
<section title="IANA Considerations"> <!-- 5 -->
<t>
An address type number for the policy table may have to be
assigned by IANA.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc1794;
&rfc1918;
&rfc3484;
&rfc3701;
&rfc3879;
&rfc4193;
&rfc4291;
&rfc4380;
&rfc5220;
</references>
<references title="Informative References">
&rfc2827;
&NATADDRSEL;
&ULACENTRAL;
&ADDRSELOPT;
&ADDRSELCONS;
</references>
<section title="Acknowledgements">
<t>
The authors would like to thank to Dave Thaler, Pekka Savola,
Remi Denis-Courmont and the members of 6man's address selection
design team for their invaluable contributions to this document.
</t>
</section>
<section title="Discussion">
<section title="Centrally assigned ULA">
<t>
<list style="hanging">
<t hangText="Discussion:">
Centrally assigned ULA
<xref target="I-D.ietf-ipv6-ula-central"></xref>
is proposed, and assigned fc00::/8.
Using the different labels for fc00::/8 and fd00::/8
makes sense if we can assume the same kind of
address block is assigned in the same or adjacent
network.
</t>
<t>
However, the way of assignment and network adjancency
may not have any relationships.
</t>
</list>
</t>
</section>
<section title="6to4, Teredo, and IPv4 prioritization">
<t>
<list style="hanging">
<t hangText="Discussion:">
Regarding the prioritization between IPv4 and these
transitional mechanisms, their connectivity quality
is recently known to be worse than IPv4.
These mechiansms are said to be the last resort access to IPv6
resources. The 6to4 should have higher precedence over Teredo,
in that 6to4 host to 6to4 host communication runs over IPv4,
which can result in a more optimal path,
and 6to4 does not need NAT traversal.
</t>
</list>
</t>
</section>
<section title="Deprecated address">
<t>
<list style="hanging">
<t hangText="Discussion:">
These addresses were removed from the current
specification. So, they should not be
treated differently, especially if we
think about future re-use of these
address blocks.
</t>
<t></t>
<t>
Considering the inappropriate use of these
address blocks, especially in outdated
implementations, and bad effects caused by
them, however, they should be labeled
differently from the legitimate address blocks.
</t>
<t>
Or should we keep this entry for the sake of backward compatibility?
</t>
</list>
</t>
</section>
<section title="The longest match rule"> <!-- 2.6 -->
<t>
RFC 3484 defines that the destination address selection
rule 9 should be applied to both IPv4 and IPv6, which spoils
the DNS based load balancing technique that is widely used
in the IPv4 Internet today.
</t>
<t>
When two or more destination addresses are acquired from one FQDN,
rule 9 states that the longest matching
destination and source address pair should be chosen.
As stated in RFC 1794, the DNS based load balancing technique
is achieved by not re-ordering the destination addresses
returned from the DNS server. Rule 9 defines
a deterministic rule for re-ordering at hosts, hence
the technique of RFC 1794 is not available anymore.
</t>
<t>
Regarding this problem, there was discussion in
the IETF and other places that led to some different options
being suggested, as listed below.
</t>
<t>
Discussion: The possible changes to RFC 3484 are as follows:
</t>
<list style="numbers">
<t>
To delete Rule 9 completely.
</t>
<t>
To apply Rule 9 only for IPv6 and not for IPv4.
In IPv6, hierarchical address assignment is a general
principle, hence the longest matching rule is
beneficial in many cases. In IPv4, as stated above,
the DNS based load balancing technique is widely
used.
</t>
<t>
To apply Rule 9 for IPv6 conditionally and not for IPv4.
When the length of matching bits of the destination
address and the source address is longer than N,
rule 9 is applied. Otherwise, the order of the
destination addresses do not change.
The N should be configurable and it should be 32
by default. This is simply because the two sites whose
matching bit length is longer than 32 are probably
adjacent.
</t>
</list>
<t>
Now that IPv6 PI addressing is being assigned by some RIRs, hierachical
address assignment is not fully maintained anymore. It seems that
the longest matching algorithm may not be worth the adverse effect
of disalbing the DNS based load balance technique.
</t>
</section>
</section>
<section title="Revision History">
<t>02:
<list style="hanging">
<t>Suresh Krishnan's comments were incorporated.</t>
<t>A new source address selection rule that utilizes the next-hop information is
included in Section 2.3</t>
</list>
</t>
<t>01:
<list style="hanging">
<t>Restructured to contain only the actual changes to RFC 3484.</t>
</list>
</t>
<t>00:
<list style="hanging">
<t>Published as a 6man working group item.</t>
</list>
</t>
<t>03:
<list style="hanging">
<t>Added acknowledgements.</t>
<t>Added longest matching algorithm malfunction regarding local DNS round robin.</t>
<t>The proposed changes section was restructured.</t>
<t>The issue of 6to4/Teredo and IPv4 prioritization was included.</t>
<t>The issue of deprecated addresses was added.</t>
<t>The renewed default policy table was changed accordingly.</t>
</list>
</t>
<t>02:
<list style="hanging">
<t>Added the reference to address selection design
team's proposal.</t>
</list>
</t>
<t>01:
<list style="hanging">
<t>The issue of private IPv4 address scope was added.</t>
<t>The issue of ULA address scope was added.</t>
<t>Discussion of longest matching rule was expanded.</t>
</list>
</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 06:18:48 |