One document matched: draft-ietf-6man-rfc3484-revise-03.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc3484 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3484.xml'>
<!ENTITY rfc3879 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3879.xml'>
<!ENTITY rfc3701 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3701.xml'>
<!ENTITY rfc4193 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4193.xml'>
<!ENTITY rfc4291 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4291.xml'>
<!ENTITY rfc4380 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4380.xml'>
<!ENTITY rfc1918 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.1918.xml'>
<!ENTITY rfc1794 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.1794.xml'>
<!ENTITY rfc5220 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5220.xml'>
<!ENTITY rfc2827 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2827.xml'>
<!ENTITY rfc6052 PUBLIC ''
'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6052.xml'>
<!ENTITY ADDRSELOPT PUBLIC 'ADDRSELOPT'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-6man-addr-select-opt.xml'>
<!ENTITY ADDRSELCONS PUBLIC 'ADDRSELCONS'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.chown-addr-select-considerations.xml'>
<!ENTITY NATADDRSEL PUBLIC 'NATADDRSEL'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.denis-v6ops-nat-addrsel.xml'>
<!ENTITY ULACENTRAL PUBLIC 'ULACENTRAL'
'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-ipv6-ula-central.xml'>
]> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc autobreaks="yes" ?>
<?rfc toc="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<?rfc symrefs="yes" ?>
<?rfc compact="yes" ?>
<rfc category="std" ipr="pre5378Trust200902" docName="draft-ietf-6man-rfc3484-revise-03.txt">
<front>
<title abbrev='RFC3484 Bis'>
Update to RFC 3484 Default Address Selection for IPv6
</title>
<author initials='A.M.' surname="Matsumoto" fullname='Arifumi Matsumoto'>
<organization abbrev='NTT'>NTT SI Lab</organization>
<address>
<postal>
<street>Midori-Cho 3-9-11</street>
<city>Musashino-shi</city>
<region>Tokyo</region>
<code>180-8585</code>
<country>Japan</country>
</postal>
<phone>+81 422 59 3334</phone>
<email>arifumi@nttv6.net</email>
</address>
</author>
<author initials='J.K.' surname="Kato" fullname='Jun-ya Kato'>
<organization abbrev='NTT'>NTT SI Lab</organization>
<address>
<postal>
<street>Midori-Cho 3-9-11</street>
<city>Musashino-shi</city>
<region>Tokyo</region>
<code>180-8585</code>
<country>Japan</country>
</postal>
<phone>+81 422 59 2939</phone>
<email>kato@syce.net</email>
</address>
</author>
<author initials='T.F.' surname="Fujisaki" fullname='Tomohiro Fujisaki'>
<organization abbrev='NTT'>NTT PF Lab</organization>
<address>
<postal>
<street>Midori-Cho 3-9-11</street>
<city>Musashino-shi</city>
<region>Tokyo</region>
<code>180-8585</code>
<country>Japan</country>
</postal>
<phone>+81 422 59 7351</phone>
<email>fujisaki@syce.net</email>
</address>
</author>
<date month="June" year="2011"/>
<!-- <area>Operations and Management</area>
<workgroup>IPv6 Operations Working Group</workgroup> -->
<keyword>Internet-Draft</keyword>
<abstract>
<t>
RFC 3484 describes algorithms for source address selection
and for destination address selection. The algorithms specify
default behavior for all Internet Protocol version 6 (IPv6)
implementations.
This document specifies a set of updates that modify the
algorithms and fix the known defects.
</t>
</abstract>
</front>
<middle>
<section title="Introduction"> <!-- 1 -->
<t>
<xref target="RFC4291">The IPv6 addressing architecture </xref> allows
multiple unicast addresses to be assigned to interfaces. Because of
this IPv6 implementations need to handle multiple possible source
and destination addresses when initiating communication
<xref target="RFC3484">RFC 3484</xref>.
specifies the default algorithms, common across all
implementations, for selecting source and destination addresses so
that it is easier to predict the address selection behavior.
</t>
<t>
After RFC 3484 was specified, some issues have been identified with the algorithm specified there. The issues are related to the longest match algorithm used in Rule 9 of Destination address selection breaking DNS round-robin techniques, and prioritization of poor IPv6 connectivity using transition mechanisms over native IPv4 connectivity.
</t>
<t>
There have also been some significant changes to the IPv6 addressing architecture that require changes in the RFC 3484 policy table. Such changes include <xref target="RFC3879">the deprecation of site-local unicast addresses</xref> and the IPv4-compatible IPv6 addresses, the introduction of <xref target="RFC4193">Unique Local Addresses</xref> etc.
</t>
<t>
This document specifies a set of updates that modify the
algorithms and fix the known defects.
</t>
</section>
<section title="Specification"> <!-- 2 -->
<section title="Changes related to the default policy table"> <!-- 2.1 -->
<t>
The default policy table is defined in RFC 3484 Section 2.1 as follows:
</t>
<figure>
<artwork>
Prefix Precedence Label
::1/128 50 0
::/0 40 1
2002::/16 30 2
::/96 20 3
::ffff:0:0/96 10 4
</artwork>
</figure>
<t>
The changes that should be included into the default
policy table are those rules that are universally useful
and do no harm in every reasonable network envionment.
The changes we should consider for the default policy table
are listed in this sub-section.
</t>
<t>
The policy table is defined to be configurable. The changes
that are useful not universally but locally can be
put into the policy table manually or by using the
auto-configuration mechanism proposed as
<xref target="I-D.ietf-6man-addr-select-opt">a DHCP option</xref>.
</t>
<section title="ULA in the policy table" anchor="ULA">
<t>
<xref target="RFC5220">RFC 5220</xref> Section 2.1.4, 2.2.2, and 2.2.3 describes address
selection problems related to <xref target="RFC4193">ULA</xref>.
These problems can be solved by either changing the scope of
ULA to site-local, or by adding an entry for default policy
table entry that has its own label for ULA.
</t>
<t>
Centrally assigned ULA
<xref target="I-D.ietf-ipv6-ula-central"></xref>
is proposed, and is assigned fc00::/8.
Using the different labels for fc00::/8 and fd00::/8
makes sense if we assume the same kind of
address block is assigned in the same or adjacent network.
However, we cannot expect that the type of ULA address block and
network adjancency commonly have any relationships.
</t>
<t>
Regarding the scope of ULA,
ULA has been specified with a global scope because the reachability
of the ULA was intended to be restricted by the routing
system. Since the ULAs will not be exposed outside of its
reachability domain, if an ULA is available as a candidate
destination address, it can be expected to be reachable.
</t>
<t>
if we change the scope of ULA smaller than global,
we can prioritize ULA to ULA communication over GUA to GUA communication.
At the same time, however, finer-grained configuration of ULA address selection
will be impossible.
For example, even if you want to priorize communication related to the only
/48 ULA prefix used in your site, and do not want to prioritize communication
to any other ULA prefix, such a policy cannot be implemented in the policy table.
So, this draft proposes the use of the policy table to differentiate
ULA from GUA.
</t>
</section>
<section title="Teredo in the policy table" anchor="Teredo">
<t>
<xref target="RFC4380">Teredo</xref> is defined and has
been assigned 2001::/32.
This address block should be assigned its own label in the policy table.
Teredo's priority should be less or equal to 6to4,
considering its characteristic of transitional tunnel mechanism.
About Windows, this is already in the implementation.
</t>
</section>
<section title="6to4, Teredo, and IPv4 prioritization">
<t>
Regarding the prioritization between IPv4 and these
transitional mechanisms, the connectivity of them are known to be worse than IPv4.
These mechiansms are said to be the last resort access to IPv6 resources.
While 6to4 should have higher precedence over Teredo,
in that 6to4 host to 6to4 host communication can be over IPv4,
which can result in more optimal path, and 6to4 does not need NAT traversal.
</t>
</section>
<section title="Deprecated addresses in the policy table" anchor="deprecated">
<t>
IPv4-compatible IPv6 address (::/96) is <xref target="RFC4291"> deprecated</xref>.
IPv6 site-local unicast address (fec0::/10) is <xref target="RFC3879"> deprecated</xref>.
6bone testing address <xref target="RFC3701"></xref> was returned.
</t>
<t>
These addresses were removed from the current specification.
So, it should not be treated differently, especially if we
plan future re-use of these address blocks.
Hense, 6bone testing address block should not be treated specially.
</t>
<t>
Considering the inappropriate use of these address blocks especially in outdated
implementations and bad effects brought by them, it should be labeled
differently from the legitimate address blocks as far as the address block
is reserved by IANA.
</t>
</section>
<section title="Renewed default policy table" anchor="renewed">
<t>
After applying these updates, the default policy table will be:
</t>
<figure>
<artwork>
Prefix Precedence Label
::1/128 60 0
fc00::/7 50 1
::/0 40 2
::ffff:0:0/96 30 3
2002::/16 20 4
2001::/32 10 5
::/96 1 10
fec0::/10 1 11
</artwork>
</figure>
</section>
</section>
<section title="The longest matching rule" anchor="localdnsrr"> <!-- 2.2 -->
<t>
This issue is related to the longest matching rule, which was
found by Dave Thaler.
It is malfunction of DNS round robin technique.
It is common for both IPv4 and IPv6.
</t>
<t>
When a destination address DA, DB, and the source address of DA
Source(DA) are on the same subnet and Source(DA) == Source(DB),
DNS round robin load-balancing cannot function.
By considering prefix lengths that are longer than the subnet prefix,
this rule establishes preference between addresses that have no
substantive differences between them.
The rule functions as an arbitrary tie-breaker between the hosts
in a round robin, causing a given host to always prefer a given
member of the round robin.
</t>
<t>
By limiting the calculation of common prefixes to a maximum length
equal to the length of the subnet prefix of the source address,
rule 9 can continue to favor hosts that are nearby in the network
hierarchy without arbitrarily sorting addresses within a given network.
This modification could be written as follows:
</t>
<t>
Rule 9: Use longest matching prefix.
</t>
<t>
When DA and DB belong to the same address family
(both are IPv6 or both are IPv4):
If CommonPrefixLen(DA & Netmask(Source(DA)), Source(DA))
> CommonPrefixLen(DB & Netmask(Source(DB)), Source(DB)),
then prefer DA.
Similarly, if CommonPrefixLen(DA & Netmask(Source(DA)), Source(DA))
< CommonPrefixLen(DB & Netmask(Source(DB)), Source(DB)), then prefer DB.
</t>
</section>
<section title="Utilize next-hop for source address selection"> <!-- 2.3 -->
<t>
The RFC 3484 source address selection rule 5 defines the address that is
attached to the outgoing interface should be preferred as the source address.
This rule is reasonable considering the prevalence of Ingress Filtering
described in <xref target="RFC2827">BCP 38</xref>.
This is because an upstream network provider usually assumes it receives
those packets from their customer that have the delegated addresses as the
source addresses.
</t>
<t>
This rule, however, is not effective in such a environment described in
RFC 5220 Section 2.1.1, where a host has multiple upstream routers on the
same link and has addresses delegated from each upstream routers on single
interface.
</t>
<t>
So, a new rule 5.1 that utilizes next-hop information for source address
selection is inserted just after the rule 5.
</t>
<t>
Rule 5.1: Use an address assigned by the selected next-hop.
</t>
<t>
If SA is assigned by the selected next-hop that will be used to send to D
and SB is assigned by a different next-hop, then prefer SA.
Similarly, if SB is assigned by the next-hop that will be used to
send to D and SA is assigned by a different next-hop, then prefer SB.
</t>
</section>
<section title="Private IPv4 address scope"> <!-- 2.4 -->
<t>
When a packet goes through a NAT, its source or destination address
can get replaced with another address with a different scope. It
follows that the result of the source address selection algorithm
may be different when the original address is replaced with the
NATed address.
</t>
<t>
The algorithm currently specified in RFC 3484 is based on the
assumption that a source address with a small scope cannot reach a
destination address with a larger scope. This assumption does not
hold if private IPv4 addresses and a NAT are used to reach public
IPv4 addresses.
</t>
<t>
Due to this assumption, in the presence of both NATed private IPv4
address and transitional addresses (like 6to4 and Teredo), the host
will choose the transitional IPv6 address to access dual-stack
peers <xref target="I-D.denis-v6ops-nat-addrsel"></xref>.
Choosing transitional IPv6
connectivity over native IPv4 connectivity is not considered to be
a very wise result.
</t>
<t>
This issue can be fixed by changing the address scope of private
IPv4 addresses to global. Such change has already been implemented
in some OSes.
</t>
</section>
<section title="Deprecation of site-local unicast address" anchor="sitelocal"> <!-- 2.5 -->
<t>
RFC 3484 contains a few "site-local unicast" and "fec0::" description.
It's better to remove examples related to site-local
unicast address, or change examples to use ULA.
Possible points to be re-written are below.
</t>
<t>
<list style="hanging">
<t>
- 2nd paragraph in RFC 3484 Section 3.1 describes scope comparison mechanism.
</t>
<t>
- RFC 3484 Section 10 contains examples for site-local address.
</t>
</list>
</t>
</section>
</section>
<section title="Security Considerations"> <!-- 4 -->
<t>
No security risk is found that degrades RFC 3484.
</t>
</section>
<section title="IANA Considerations"> <!-- 5 -->
<t>
Address type number for the policy table may have to be
assigned by IANA.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc1794;
&rfc1918;
&rfc3484;
&rfc3701;
&rfc3879;
&rfc4193;
&rfc4291;
&rfc4380;
&rfc5220;
</references>
<references title="Informative References">
&rfc2827;
&rfc6052;
&NATADDRSEL;
&ULACENTRAL;
&ADDRSELOPT;
&ADDRSELCONS;
</references>
<section title="Acknowledgements">
<t>
Authors would like to thank to Dave Thaler, Pekka Savola,
Remi Denis-Courmont and the members of 6man's address selection
design team for their invaluable contributions to this document.
</t>
</section>
<section title="Past Discussion">
<t>
This section summarizes discussions we had before related to address selection mechanisms.
</t>
<section title="The longest match rule">
<t>
RFC 3484 defines that the destination address selection
rule 9 should be applied to both IPv4 and IPv6, which spoils
the DNS based load balancing technique that is widely used
in the IPv4 Internet today.
</t>
<t>
When two or more destination addresses are acquired from one FQDN,
the rule 9 defines that the longest matching
destination and source address pair should be chosen.
As in RFC 1794, the DNS based load balancing technique
is achived by not re-ordering the destination addresses
returned from the DNS server. The Rule 9 defines
deterministic rule for re-ordering at hosts, hence
the technique of RFC 1794 is not available anymore.
</t>
<t>
Regarding this problem, there was discussion in
IETF and other places like below.
</t>
<t>
Discussion: The possible changes to RFC 3484 are as follows:
</t>
<t>
<list style="numbers">
<t>
To delete Rule 9 completely.
</t>
<t>
To apply Rule 9 only for IPv6 and not for IPv4.
In IPv6, hiearchical address assignment is general
principle, hence the longest matchin rule is
beneficial in many cases. In IPv4, as stated above,
the DNS based load balancing technique is widely
used.
</t>
<t>
To apply Rule 9 for IPv6 conditionally and not for IPv4.
When the length of matching bits of the destination
address and the source address is longer than N,
the rule 9 is applied. Otherwise, the order of the
destination addresses do not change.
The N should be configurable and it should be 32
by default. This is simply because the two sites whose
matching bit length is longer than 32 are probably
adjacent.
</t>
</list>
</t>
<t>
Now that IPv6 PI address is admitted in some RIRs, hierachical
address assignment is not maintained anymore. It seems that
the longest matching algorithm may not worth the adverse effect
of disalbing the DNS based load balance technique.
</t>
<t>
After long discussion, however we could not reach any consensus here.
That means, we cannot change the current rules for this issue.
</t>
</section>
<section title="NAT64 prefix issue">
<t>
NAT64 WKP was newly defined<xref target="RFC6052"></xref>.
It depends site by site whether NAT64 should be preferred over IPv4,
in other words NAT44, or NAT44 over NAT64.
So, this issue of site local policy should be solved by policy
distribution mechanism.
</t>
</section>
</section>
<section title="Revision History">
<t>03:
<list style="hanging">
<t>ULA address selection issue was expanded.</t>
<t>6to4, Teredo and IPv4 priorization issue was elaborated.</t>
<t>Deperecated address blocks in policy table section was elaborated.</t>
<t>In appendix, NAT64 prefix issue was added.</t>
</list>
</t>
<t>02:
<list style="hanging">
<t>Suresh Krishnan's suggestions for better english sentences were incorporated.</t>
<t>A new source address selection rule that utilizes the next-hop information is
included in Section 2.3.</t>
<t>Site local address prefix was corrected.</t>
</list>
</t>
<t>01:
<list style="hanging">
<t>Re-structured to contain only the actual changes to RFC 3484.</t>
</list>
</t>
<t>00:
<list style="hanging">
<t>Published as a 6man working group item.</t>
</list>
</t>
<t>03:
<list style="hanging">
<t>Added acknowledgements.</t>
<t>Added longest matching algorithm malfunction regarding local DNS round robin.</t>
<t>The proposed changes section was re-structured.</t>
<t>The issue of 6to4/Teredo and IPv4 prioritization was included.</t>
<t>The issue of deprecated addresses was added.</t>
<t>The renewed default policy table was changed accordingly.</t>
</list>
</t>
<t>02:
<list style="hanging">
<t>Added the reference to address selection design
team's proposal.</t>
</list>
</t>
<t>01:
<list style="hanging">
<t>The issue of private IPv4 address scope was added.</t>
<t>The issue of ULA address scope was added.</t>
<t>Discussion of longest matching rule was expanded.</t>
</list>
</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 05:14:44 |