One document matched: draft-ietf-ipngwg-router-renum-04.txt
Differences from draft-ietf-ipngwg-router-renum-03.txt
IPng Working Group Matt Crawford
Internet Draft Fermilab
Bob Hinden
Nokia
August 7, 1998
Router Renumbering for IPv6
<draft-ietf-ipngwg-router-renum-04.txt>
Status of this Memo
This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet
Drafts as reference material or to cite them other than as a
``working draft'' or ``work in progress.''
To view the entire list of current Internet-Drafts, please check the
``1id-abstracts.txt'' listing contained in the Internet Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern
Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific
Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
Distribution of this memo is unlimited.
1. Abstract
IPv6 Neighbor Discovery and Address Autoconfiguration conveniently
make initial assignments of address prefixes to hosts. Aside from
the problem of connection survival across a renumbering event, these
two mechanisms also simplify the reconfiguration of hosts when the
set of valid prefixes changes.
This document defines a mechanism called Router Renumbering ("RR")
which allows address prefixes on routers to be configured and
reconfigured almost as easily as the combination of Neighbor
Discovery and Address Autoconfiguration works for hosts. It
provides a means for a network manager to make updates to the
prefixes used by and advertised by IPv6 routers throughout a site.
Expires February 12, 1999 Crawford & Hinden [Page 1]
Internet Draft Router Renumbering August 7, 1998
2. Functional Overview
Router Renumbering Command packets contain a sequence of Prefix
Control Operations (PCOs). Each PCO specifies an operation, a
Match-Prefix, and zero or more Use-Prefixes. A router processes
each PCO in sequence, checking each of its interfaces for an address
or prefix which matches the Match-Prefix. For every interface on
which a match is found, the operation is applied. The operation is
one of ADD, CHANGE, or SET-GLOBAL to instruct the router to
respectively add the Use-Prefixes to the set of configured prefixes,
remove the prefix which matched the Match-Prefix and replace it with
the Use-Prefixes, or replace all global-scope prefixes with the
Use-Prefixes. If the set of Use-Prefixes in the PCO is empty, the
ADD operation does nothing and the other two reduce to deletions.
Additional information for each Use-Prefix is included in the Prefix
Control Operation: the valid and preferred lifetimes to be included
in Router Advertisement Prefix Information Options [ND], and either
the L and A flags for the same option, or an indication that they
are to be copied from the prefix that matched the Match-Prefix.
It is possible to instruct routers to create new prefixes by
combining the Use-Prefixes in a PCO with some portion of the
existing prefix which matched the Match-Prefix. This simplifies
certain operations which are expected to be among the most common.
For every Use-Prefix, the PCO specifies a number of bits which
should be copied from the existing address or prefix which matched
the Match-Prefix and appended to the use-prefix prior to configuring
the new prefix on the interface. The copied bits are zero or more
bits from the positions immediately after the length of the Use-
Prefix. If subnetting information is in the same portion of the old
and new prefixes, this synthesis allows a single Prefix Control
Operation to define a new global prefix on every router in a site,
while preserving the subnetting structure.
Because of the power of the Router Renumbering mechanism, each RR
message includes a sequence number and an authenticator to guard
against replays. Each single Prefix Control Operation is idempotent
and so could be retransmitted for improved reliability, as long as
the sequence number is current, without concern about multiple
processing. However, non-idempotent combinations of PCOs can easily
be constructed and messages containing such combinations could not
be safely reprocessed. Therefore, all routers are required to guard
against processing an RR message more than once. To allow reliable
verification that Commands have been received and processed by
routers, a mechanism for duplicate-command notification to the
management station is included.
Expires February 12, 1999 Crawford & Hinden [Page 2]
Internet Draft Router Renumbering August 7, 1998
Possibly a network manager will want to perform more renumbering, or
exercise more detailed control, than can be expressed in a single
Router Renumbering packet on the available media. The RR mechanism
is most powerful when RR packets are multicast, so IP fragmentation
is undesirable. For these reasons, each RR packet contains a
"Segment Number". All RR packets which have a Sequence Number
greater than or equal to the highest value seen (for each valid
key), and which pass the authentication check, are valid and must be
processed. However, a router must keep track of the Segment Numbers
of RR messages already processed and avoid reprocessing a message
whose Sequence Number and Segment Number match a previously
processed message. (This list of processed segment numbers is reset
when a new highest Sequence Number is seen.)
The Segment Number does not impose an ordering on packet processing.
If a specific sequence of operations is desired, it may be achieved
by ordering the PCOs in a single RR Command message or through the
Sequence Number field.
There is a "Test" flag which indicates that all routers should
simulate processing of the RR message and not perform any actual
reconfiguration. A separate "Report" flag instructs routers to send
a Router Renumbering Result message back to the source of the RR
Command message indicating the actual or simulated result of the
operations in the RR Command message.
The effect or simulated effect of an RR Command message may also
reported to network management by means outside the scope of this
document, regardless of the value of the "Report" flag.
3. Definitions
3.1. Terminology
Address
This term always refers to a 128-bit IPv6 address [AARCH]. When
referring to bits within an address, they are numbered from 0 to
127, with bit 0 being the first bit of the Format Prefix.
Prefix
A prefix can be understood as an address plus a length, the
latter being an integer in the range 0 to 128 indicating how many
leading bits are significant. When referring to bits within a
prefix, they are numbered in the same way as the bits of an
address. For example, the significant bits of a prefix whose
length is L are the bits numbered 0 through L-1, inclusive.
Expires February 12, 1999 Crawford & Hinden [Page 3]
Internet Draft Router Renumbering August 7, 1998
Match
An address A "matches" a prefix P whose length is L if the first
L bits of A are identical with the first L bits of P. (Every
address matches a prefix of length 0.) A prefix P1 with length
L1 matches a prefix P2 of length L2 if L1 >= L2 and the first L2
bits of P1 and P2 are identical.
Prefix Control Operation
This is the smallest individual unit of Router Renumbering
operation. A Router Renumbering Command packet includes zero or
more of these, each comprising one matching condition, called a
Match-Prefix Part, and zero or more substitution specifications,
called Use-Prefix Parts.
Match-Prefix
This is a Prefix against which a router compares the addresses
and prefixes configured on its interfaces.
Use-Prefix
The prefix and associated information which is to be configured
on a router interface when certain conditions are met.
Matched Prefix
The existing prefix or address which matched a Match-Prefix.
New Prefix
A prefix constructed from a Use-Prefix, possibly including some
of the Matched Prefix.
Recorded Sequence Number
The highest sequence number found in a valid, authenticated
message with a given key MUST be recorded in non-volatile storage
along with that key.
Note that "matches" is a transitive relation but not symmetric. If
two prefixes match each other, they are identical.
3.2. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KWORD].
Expires February 12, 1999 Crawford & Hinden [Page 4]
Internet Draft Router Renumbering August 7, 1998
3.3. Authentication Algorithms
All implementations MUST support HMAC-MD5 [HMAC] for authentication.
Additional algorithms MAY be supported.
4. Message Format
There are two types of Router Renumbering messages: Commands, which
are sent to routers, and Results, which are sent by routers. The
two types of messages are distinguished the ICMPv6 "Code" field and
differ in the contents of the "Message Body" field.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
/ IPv6 header, extension headers /
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
/ ICMPv6 & RR Header (16 octets) /
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
/ RR Message Body /
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
/ Authentication Data (16 octets for HMAC-MD5) /
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Router Renumbering Message Format
Router Renumbering messages are carried in ICMPv6 packets with
Type = 138. The RR message comprises
An RR header, containing the ICMPv6 header, the sequence and
segment numbers and information about the authentication key and
the location and length of the authentication data within the
packet.
The RR Message Body, of variable length;
The authentication data, with length dependent on the
authentication type. The length of HMAC-MD5 authentication data
is 16 octets.
Expires February 12, 1999 Crawford & Hinden [Page 5]
Internet Draft Router Renumbering August 7, 1998
All fields marked "reserved" or "res" MUST be set to zero on
generation of an RR message. During processing of the message they
MUST be included in the authentication check, but otherwise ignored.
All implementations which generate Router Renumbering Command
messages MUST support sending them to the All Routers multicast
address with link and site scopes, and to unicast addresses of
link-local and site-local formats. All routers MUST be capable of
receiving RR messages sent to those multicast addresses and to any
of their link local and site local unicast addresses.
Implementations SHOULD support sending and receiving RR messages
addressed to other unicast addresses.
4.1. Router Renumbering Header
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SequenceNumber |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SegmentNumber | Flags | MaxDelay | AuthLen |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AuthOffset | KeyID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Type 138 (decimal), the ICMPv6 type value assigned to Router
Renumbering
Code 0 for a Router Renumbering Command
1 for a Router Renumbering Result
Checksum The ICMPv6 checksum, as specified in [ICMPV6]. The
checksum covers the IPv6 pseudo-header and all fields of
the RR message from the Type field through the
Authentication Data. (For purposes of calculating and
verifying the Authentication Data, the ICMPv6 checksum
field is considered to be zero.)
SequenceNumber
An unsigned 32-bit sequence number. The sequence number
MUST be non-decreasing for all messages sent with a
given KeyID, for the lifetime of that key.
Expires February 12, 1999 Crawford & Hinden [Page 6]
Internet Draft Router Renumbering August 7, 1998
SegmentNumber
An unsigned 8-bit field which enumerates different valid
RR messages having the same SequenceNumber and KeyID.
No ordering among RR messages is imposed by the
SegmentNumber.
Flags A combination of one-bit flags. Six are defined and two
bits are reserved.
+-+-+-+-+-+-+-+-+
|T|R|A|S|P| res |
+-+-+-+-+-+-+-+-+
The flags T, R, A and S have defined meanings in an RR
Command message. In a Result message they MUST be
copied from the corresponding Command. The P flag is
meaningful only in a Result message and MUST be zero in
a Command.
T 0 indicates that the router configuration is to be
modified;
1 indicates a "Test" message: processing is to be
simulated and no configuration changes are to be
made.
R 0 indicates that a Result message MUST NOT be sent
(but other forms of logging are not precluded);
1 indicates that the router MUST send a Result
message upon completion of processing the Command
message;
A 0 indicates that the Command MUST NOT be applied to
interfaces which are administratively shut down;
1 indicates that the Command MUST be applied to
interfaces regardless of administrative shutdown
status.
S This flag MUST be ignored unless the router treats
interfaces as belonging to different "sites".
0 indicates that the Command MUST be applied to
interfaces regardless of which site they belong
to;
1 indicates that the Command MUST be applied only to
interfaces which belong to the same site as the
interface to which the Command is addressed. If
the destination address is appropriate for
interfaces belonging to more than one site, then
the Command MUST be applied only to interfaces
Expires February 12, 1999 Crawford & Hinden [Page 7]
Internet Draft Router Renumbering August 7, 1998
belonging to the same site as the interface on
which the Command was received.
P 0 indicates that the Result message contains the
complete report of processing the Command;
1 indicates that the Command message was previously
processed (and is not a Test) and the responding
router is not processing it again. This Result
message MAY have an empty body.
MaxDelay The maximum number of seconds by which a router MUST
delay sending any reply to this Command. Although this
field carries an integral number of seconds, routers
SHOULD generate the random delay between 0 and MaxDelay
with a finer granularity.
AuthLen An unsigned 16-bit field giving the length in octets of
the Authentication Data.
AuthOffset An unsigned 16-bit offset, measured in octets, from the
beginning of the RR message (which is the beginning of
the ICMPv6 header) to the beginning of the
Authentication Data. The smallest valid value for
AuthOffset is 16.
KeyID An unsigned 16-bit field that identifies the key used to
create and verify the Authentication Data for this RR
message. If multiple authentication algorithms are
supported by the implementation, the choice of algorithm
is implicit in the KeyID. If an asymmetric scheme is
used, the public key for verification of received
messages and the private key for signing transmitted
messages are both implied by the KeyID.
4.2. Message Body -- Command Message
The body of an RR Command message is a sequence of zero or more
Prefix Control Operations, each of variable length. The end of the
sequence MAY be located by the AuthOffset field in the RR header.
4.2.1. Prefix Control Operation
A Prefix Control Operation has one Match-Prefix Part of 24 octets,
followed by zero or more Use-Prefix Parts of 32 octets each.
Expires February 12, 1999 Crawford & Hinden [Page 8]
Internet Draft Router Renumbering August 7, 1998
4.2.1.1. Match-Prefix Part
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OpCode | OpLength | Ordinal | MatchLen |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+- -+
| |
+- MatchPrefix -+
| |
+- -+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
OpCode An unsigned 8-bit field specifying the operation to be
performed when the associated MatchPrefix matches an
interface's prefix or address. Values are:
1 the ADD operation
2 the CHANGE operation
3 the SET-GLOBAL operation
OpLength The total length of this Prefix Control Operation, in
units of 8 octets. A valid OpLength will always be of
the form 4N+3, with N equal to the number of UsePrefix
parts (possibly zero).
Ordinal An 8-bit field which MUST have a different value in each
Prefix Control Operation contained in a given RR Command
message. The value is otherwise unconstrained.
MatchLen An 8-bit unsigned integer between 0 and 128 inclusive
specifying the number of initial bits of MatchPrefix
which are significant in matching.
MatchPrefix The 128-bit prefix to be compared with each interface's
prefix or address.
Expires February 12, 1999 Crawford & Hinden [Page 9]
Internet Draft Router Renumbering August 7, 1998
4.2.1.2. Use-Prefix Part
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| UseLen | KeepLen | FlagMask | RAFlags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Valid Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Preferred Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V|P| reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+- -+
| |
+- UsePrefix -+
| |
+- -+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
UseLen An 8-bit unsigned integer less than or equal to 128
specifying the number of initial bits of UsePrefix to
use in creating a new prefix for an interface.
KeepLen An 8-bit unsigned integer less than or equal to (128-
UseLen) specifying the number of bits of the prefix or
address which matched the associated Match-Prefix which
should be retained in the new prefix. The retained bits
are those at positions UseLen through (UseLen+KeepLen-1)
in the matched address or prefix, and they are copied to
the same positions in the New Prefix.
FlagMask An 8-bit mask. A 1 bit in any position means that the
corresponding flag bit in a Router Advertisement (RA)
Prefix Information Option for the New Prefix should be
set from the RAFlags field in this Use-Prefix Part. A 0
bit in the FlagMask means that the RA flag bit for the
New Prefix should be copied from the corresponding RA
flag bit of the Matched Prefix.
RAFlags An 8 bit field which, under control of the FlagMask
field, may be used to initialize the flags in Router
Advertisement Prefix Information Options [ND] which
advertise the New Prefix. Note that only two flags have
Expires February 12, 1999 Crawford & Hinden [Page 10]
Internet Draft Router Renumbering August 7, 1998
defined meanings to date: the L (on-link) and A
(autonomous configuration) flags. These flags occupy
the two leftmost bit positions in the RAFlags field,
corresponding to their position in the Prefix
Information Option.
Valid Lifetime
A 32-bit unsigned integer which is the number of seconds
for which the New Prefix will be valid [ND, SAA].
Preferred Lifetime
A 32-bit unsigned integer which is the number of seconds
for which the New Prefix will be preferred [ND, SAA].
V A 1-bit flag indicating that the valid lifetime of the
New Prefix MUST be effectively decremented in real time.
P A 1-bit flag indicating that the preferred lifetime of
the New Prefix MUST be effectively decremented in real
time.
UsePrefix The 128-bit Use-prefix which either becomes or is used
in forming (if KeepLen is nonzero) the New Prefix. It
MUST NOT have the form of a multicast or link-local
address [AARCH].
4.3. Message Body -- Result Message
The body of an RR Result message is a sequence of zero or more Match
Reports of 24 octets. An RR Command message with the "R" flag set
will elicit an RR Result message containing one Match Report for
each Prefix Control Operation, for each different prefix it matches
on each interface. The Match Report has the following format.
Expires February 12, 1999 Crawford & Hinden [Page 11]
Internet Draft Router Renumbering August 7, 1998
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reserved |F| Ordinal | MatchedLen |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| InterfaceIndex |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+- -+
| |
+- MatchedPrefix -+
| |
+- -+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
F A one-bit flag which, when set, indicates that one or
more Use-Prefix parts from the associated PCO were not
honored by the router because of attempted formation of
a forbidden prefix format, such as a multicast or
loopback address.
Ordinal Copied from the Prefix Control Operation whose
MatchPrefix matched the MatchedPrefix on the interface
indicated by InterfaceIndex.
MatchedLen The length of the Matched Prefix.
InterfaceIndex
The router's numeric designation of the interface on
which the MatchedPrefix was configured. This MUST be
the same as the value of ipv6IfIndex which designates
that index in the SNMP IPv6 MIB General Group [IPV6MIB].
It is possible for a Result message to be larger than the Command
message which elicited it. Such a Result message may have to be
fragmented for transmission. If so, it SHOULD be fragmented to the
IPv6 minimum required MTU [IPV6].
4.4. Authentication
The authentication covers the following fields, which are to be
treated as contiguous data for the purpose of computing and
Expires February 12, 1999 Crawford & Hinden [Page 12]
Internet Draft Router Renumbering August 7, 1998
verifying the AuthData.
The IPv6 source address,
The IPv6 destination address,
The ICMPv6 and RR Header,
The RR Message Body (which may be empty).
Before generating the AuthData, all fields of the RR header and all
the PCOs are filled in, except that the ICMPv6 checksum field is set
to zero. AuthLen will be an algorithm-dependent constant and
AuthOffset will be equal to the length in octets of the RR message,
not including the AuthData, the IPv6 header or any extension
headers, but including the ICMPv6 header.
When checking the AuthData, the ICMPv6 checksum must be treated as
zero.
4.4.1. HMAC-MD5
When the key and algorithm associated with the KeyID indicate that
HMAC-MD5 authentication is to be used, the AuthData is generated in
accordance with RFC 2104 [HMAC] and RFC 1321 [MD5]. AuthLen will be
16.
4.4.2. IPSEC
The KeyID value zero is reserved to indicate that no Authentication
is done on the Router Renumbering message itself. An RR message
with Key ID zero MUST have AuthLen equal to zero and AuthOffset
equal to the total length of the ICMPv6/RR header plus the RR
message body. Such a message MUST be authenticated at the IP layer
[SECARCH].
As IPsec anti-replay processing may interact badly with the Router
Renumbering reliability mechanism, IPsec's anti-reply services MUST
NOT be used. Sequence Numbers and Segment Numbers of IPsec-
authenticated Commands MUST be recorded in association the with
KeyID of zero. This information need not be cleared when a new
Security Association is created, but some means of clearing it MUST
be provided.
Note that while Router Renumbering Commands are intended to be most
commonly sent to multicast addresses, "IPsec SA management
mechanisms currently are defined only for unicast SAs." [SECARCH]
Expires February 12, 1999 Crawford & Hinden [Page 13]
Internet Draft Router Renumbering August 7, 1998
5. Message Processing
Processing of received Router Renumbering Result messages is
entirely implementation-defined.
Processing of received Router Renumbering Command messages consists
of three parts: header check, authentication check, and execution.
5.1. Header Check
The ICMPv6 checksum, type and code are presumed to have been checked
before a Router Renumbering module receives a Command to process.
An an implementation environment where this may not be the case,
these checks MUST be made at this point in the processing.
If the ICMPv6 length derived from the IPv6 length is less than 16
octets, the message MUST be discarded and SHOULD be logged to
network management.
If the IPv6 destination address is neither an All Routers multicast
address [AARCH] nor one of the receiving router's unicast addresses,
the message MUST be discarded and SHOULD be logged to network
management.
Then, the existence and validity of the key indicated by the KeyID
are checked. If KeyID and AuthLen are zero and the message was not
authenticated by IP layer security, or if KeyID is not zero and does
not indicate a valid key, or if the value of AuthLen is not correct
for the indicated key, then the message MUST be discarded and SHOULD
be logged to network management.
Next, the SequenceNumber is compared to the Recorded Sequence Number
for the specified key. (If no messages have been received and
accepted using this key, the Recorded Sequence Number is zero.)
This comparison is done with the two numbers considered as unsigned
integers, not as DNS-style serial numbers. If the SequenceNumber is
less than the Recorded Sequence Number for the key, the message MUST
be discarded and SHOULD be logged to network management.
Finally, if the SequenceNumber in the message is greater than the
Recorded Sequence Number or the T flag is set, skip to the
Authentication Check. Otherwise the SegmentNumber MUST now be
checked. If a correctly authenticated message with the same KeyID,
SequenceNumber and SegmentNumber has not already been processed,
skip to the Authentication Check. Otherwise, this Command is a
duplicate and not a Test Command. If the R flag is not set, the
duplicate message MUST be discarded and SHOULD NOT be logged to
Expires February 12, 1999 Crawford & Hinden [Page 14]
Internet Draft Router Renumbering August 7, 1998
network management. If R is set, an RR Result message with the P
flag set MUST be scheduled for transmission to the source address of
the Command after a random time uniformly distributed between 0 and
MaxDelay seconds. The body of that Result message MUST either be
empty or be a saved copy of the Result message body generated by
processing of the previous message with the same KeyID,
SequenceNumber and SegmentNumber. After scheduling the Result
message, the Command MUST be discarded without further processing.
5.2. Authentication Check
The authentication check is performed over the data listed in
section 4.4. If the computed authentication value is not equal to
the AuthData in the received packet, the authentication check fails.
If the authentication check fails, the message MUST be discarded and
SHOULD be logged to network management.
If the authentication check passes, and the SequenceNumber is
greater than the Recorded Sequence Number for the key, then the list
of processed SegmentNumbers and the set of saved Result messages, if
any, MUST be cleared and the Recorded Sequence Number MUST be
updated to the value used in the current message, regardless of
subsequent processing errors.
At this point, if T is set and R is not set, the message MAY be
discarded without further processing.
5.3. Execution
For each applicable router interface, as determined by the A and S
flags, the Prefix Control Operations in an RR Command message must
be carried out in order of appearance. The relative order of PCO
processing among different interfaces is not specified.
If the T flag is set, create a copy of each interface's
configuration on which to operate, because the results of processing
a PCO may affect the processing of subsequent PCOs. Note that if
all operations are performed on one interface before proceeding to
another interface, only one interface-configuration copy will be
required at a time.
If the R flag is set in the RR header, begin constructing an RR
Result message. The RR header is completely determined at this time
except for the Checksum and AuthOffset.
Expires February 12, 1999 Crawford & Hinden [Page 15]
Internet Draft Router Renumbering August 7, 1998
For each interface and for each Prefix Control Operation, each
prefix configured on that interface is tested to determine whether
it matches (as defined in section 3.1) the MatchPrefix of the PCO.
The prefixes are tested in an arbitrary order. Any new prefix
configured on an interface by the effect of a given PCO MUST NOT be
tested against that PCO, but MUST be tested against any subsequent
PCOs in the same RR Command message.
Under a certain condition the addresses on an interface are also
tested to see whether any of them matches the MatchPrefix. If and
only if a configured prefix "P" does not match the MatchPrefix "M"
but M does match P (this can happen only if M is longer than P),
then those addresses on that interface which match P MUST be tested
to determine whether any of them matches M. If any such address
does match M, process the PCO as if P matched M, but when forming
New Prefixes, if KeepLen is non-zero, bits are copied from the
address. This special case allows a PCO to be easily targeted to a
single specific interface in a network.
If P does not match M, processing is finished for this combination
of PCO, interface and prefix. Continue with another prefix on the
same interface if there are any more prefixes which have not been
tested against this PCO and were not created by the action of this
PCO. If no such prefixes remain on the current interface, continue
processing with the next PCO on the same interface, or with another
interface.
If P does match M, either directly or because a configured address
which matches P also matches M, then P is the Matched Prefix.
Perform the following steps.
If the Command has the R flag set, add a Match Report to
the Result message being constructed.
If the OpCode is CHANGE, mark P for deletion from the
current interface.
If the OpCode is SET-GLOBAL, mark all global-scope
prefixes on the current interface for deletion.
If there are any Use-Prefix parts in the current PCO, form
the New Prefixes. Discard any New Prefix which has a
forbidden format, and if the R flag is set in the command,
set the F flag in the Match Report for this PCO and
interface. Forbidden prefix formats include, at a
minimum, multicast, unspecified and loopback addresses.
[AARCH] Any implementation MAY forbid, or allow the
network manager to forbid other formats as well.
Expires February 12, 1999 Crawford & Hinden [Page 16]
Internet Draft Router Renumbering August 7, 1998
For each New Prefix which is already configured on the
current interface, unmark that prefix for deletion and
update the lifetimes and RA flags. For each New Prefix
which is not already configured, add the prefix and, if
appropriate, configure an address with that prefix.
Delete any prefixes which are still marked for deletion,
together with any addresses which match those prefixes but
do not match any prefix which is not marked for deletion.
After processing all the Prefix Control Operations on all the
interfaces, an implementation MUST record the SegmentNumber of the
packet in a list associated with the KeyID and SequenceNumber.
If the Command has the R flag set, compute the AuthData and append
it to the Result message, fill in the AuthOffset and Checksum and
schedule the Result message for transmission after a random time
uniformly distributed between 0 and MaxDelay seconds. A copy of the
Result message MAY be saved to be retransmitted in response to a
duplicate Command.
The only Neighbor Discovery [ND] parameters which can be affected by
Router Renumbering are the following.
A router's addresses and advertised prefixes, including the
prefix lengths.
The flag bits (L and A, and any which may be defined in the
future) and the valid and preferred lifetimes which appear in a
Router Advertisement Prefix Information Option.
The unnamed property of the lifetimes, which specifies whether
they are fixed or decrementing.
Other internal router information, such as the time until the next
unsolicited Router Advertisement or MIB variables MAY be affected as
needed.
6. Key Management
As with all security methods using keys, it is necessary to change
the RR Authentication Key on a regular basis. To provide RR
functionality during key changes, implementations MUST be able to
store and use more than one Authentication Key at the same time.
The Authentication Keys SHOULD NOT be stored or transmitted using
algorithms or protocols that have known flaws. Implementations MUST
Expires February 12, 1999 Crawford & Hinden [Page 17]
Internet Draft Router Renumbering August 7, 1998
support the storage of more than one key at the same time, MUST
associate a specific lifetime (start and end times) and a key
identifier with each key, and MUST support manual key distribution
(e.g., manual entry of the key, key lifetime, and key identifier on
the router console).
An infinite key lifetime SHOULD NOT be allowed. If infinite
lifetimes are allowed, manual deletion of valid keys MUST be
supported; otherwise manual deletion SHOULD be supported. The
implementation MAY automatically delete expired keys.
7. Usage Examples
This section sketches some sample applications of Router
Renumbering.
7.1. Maintaining Global-Scope Prefixes
A simple use of the Router Renumbering mechanism, and one which is
expected to to be common, is the maintenance of a set of global
prefixes with a subnet structure that matches that of the site's
site-local address assignments. In the steady state this would
serve to keep the Preferred and Valid lifetimes set to their desired
values. During a renumbering transition, similar Command messages
can add new prefixes and/or delete old ones. An outline of a
suitable Command message follows. Fields not listed are presumed
set to suitable values. This Command assumes all router interfaces
to be maintained already have site-local [AARCH] addresses.
IPv6 Header
Next Header = 58 (ICMPv6)
Source Address = (Management Station)
Destination Address = FF05::2 (All Routers, site-local scope)
ICMPv6/RR Header
Type = 138 (Router Renumbering), Code = 0 (Command)
Flags = 60 hex (R, A)
AuthOffset = 32 N + 24 (assuming N global prefixes)
First (and only) PCO:
Match-Prefix Part
OpCode = 3 (SET-GLOBAL)
OpLength = 4 N + 3 (assuming N global prefixes)
Ordinal = 0 (arbitrary)
MatchLen = 10
Expires February 12, 1999 Crawford & Hinden [Page 18]
Internet Draft Router Renumbering August 7, 1998
MatchPrefix = FEC0::0
First Use-Prefix Part
UseLen = 48 (Length of TLA ID + RES + NLA ID [AARCH])
KeepLen = 16 (Length of SLA (subnet) ID [AARCH])
FlagMask, RAFlags, Lifetimes, V & P flags -- as desired
UsePrefix = First global /48 prefix
. . .
Nth Use-Prefix Part
UseLen = 48
KeepLen = 16
FlagMask, RAFlags, Lifetimes, V & P flags -- as desired
UsePrefix = Last global /48 prefix
This will cause N global prefixes to be set (or updated) on each
applicable interface. On each interface, the SLA ID (subnet) field
of each global prefix will be copied from the existing site-local
prefix.
7.2. Renumbering a Subnet
A subnet can be gracefully renumbered by setting the valid and
preferred timers on the old prefix to a short value and having them
run down, while concurrently adding adding the new prefix. Later,
the expired prefix is deleted. The first step is described by the
following RR Command.
IPv6 Header
Next Header = 58 (ICMPv6)
Source Address = (Management Station)
Destination Address = FF05::2 (All Routers, site-local scope)
ICMPv6/RR Header
Type = 138 (Router Renumbering), Code = 0 (Command)
Flags = 60 hex (R, A)
AuthOffset = 88
First (and only) PCO:
Match-Prefix Part
OpCode = 2 (CHANGE)
OpLength = 11 (reflects 2 Use-Prefix Parts)
Ordinal = 0 (arbitrary)
MatchLen = 64
Expires February 12, 1999 Crawford & Hinden [Page 19]
Internet Draft Router Renumbering August 7, 1998
MatchPrefix = Old /64 prefix
First Use-Prefix Part
UseLen = 0
KeepLen = 64 (this retains the old prefix value intact)
FlagMask = 0, RAFlags = 0
Valid Lifetime = 28800 seconds (8 hours)
Preferred Lifetime = 7200 seconds (2 hours)
V flag = 1, P flag = 1
UsePrefix = 0::0
Second Use-Prefix Part
UseLen = 64
KeepLen = 0
FlagMask = 0, RAFlags = 0
Lifetimes, V & P flags -- as desired
UsePrefix = New /64 prefix
The second step, deletion of the old prefix, can be done by an RR
Command with the same Match-Prefix Part (except for an OpLength
reduced from 11 to 3) and no Use-Prefix Parts. Any temptation to
set KeepLen = 64 in the second Use-Prefix Part above should be
resisted, as it would instruct the router to sidestep address
configuration.
7.3. Key Changes
Using a new authentication key while a previously used key is still
valid can open the possibility of a replay attack. The processing
rules as given in section 5 specify that routers keep track of the
highest sequence number seen for each key, and that messages with
that key and sequence number remain valid until either a higher
sequence number is seen or the key expires. The difficulty arises
when a new key is used to send a message which supersedes the last
message sent with another still-valid key. That older message can
still be replayed.
This vulnerability can be avoided in practice by sending a "NO-OP"
Command message with the old key and a valid new sequence number
before using a newer key. This message will then become the only
one which can be replayed with the old key. Examples of NO-OP
messages are one which contains no Prefix Control Operations, or one
with the T flag set. As with any other RR Command, the NO-OP SHOULD
be repeated until it is confidently determined that all relevant
routers have processed it.
Clearly a management station must keep track of the highest sequence
Expires February 12, 1999 Crawford & Hinden [Page 20]
Internet Draft Router Renumbering August 7, 1998
number it has used for each authentication key, at least to the
extent of being able to generate a larger value when needed. A
timestamp may make a good sequence number.
8. Security Considerations
The Router Renumbering mechanism proposed here is very powerful and
prevention of spoofing it is important. Replay of old messages must
be prevented, except in the narrow case of idempotent messages which
are still valid at the time of replay. We believe the
authentication mechanisms included in this specification achieve the
necessary protections, so long as authentication keys are not
compromised.
Authentication keys must be as well protected as is any other access
method that allows reconfiguration of a site's routers.
Distribution of keys must not expose them or permit alteration, and
key lifetimes must be limited.
If the messages of several different protocols use the same
authentication mechanism then it's possible for one authenticated
message body to be grafted onto a different set of headers and cause
at least some confusion, and possibly worse. One solution to this
problem is never to use the same set of keys for two different
protocols.
9. Acknowledgments
This protocol was designed by Matt Crawford based on an idea of
Robert Hinden and Geert Jan de Groot. Several other members of the
IPNG Working Group contributed useful comments, in particular
members of the DIGITAL UNIX IPv6 team.
10. References
[AARCH]
R. Hinden, S. Deering, "IP Version 6 Addressing Architecture",
Currently draft-ietf-ipngwg-addr-arch-v2-07.txt.
[HMAC]
H. Krawczyk, M. Bellare, R. Canetti, "HMAC: Keyed-Hashing for
Message Authentication", RFC 2104.
[ICMPV6]
A. Conta, S. Deering, "Internet Control Message Protocol
(ICMPv6) for the Internet Protocol Version 6 (IPv6)", currently
Expires February 12, 1999 Crawford & Hinden [Page 21]
Internet Draft Router Renumbering August 7, 1998
draft-ietf-ipngwg-icmp-v2-01.txt.
[SECARCH]
S. Kent, R. Atkinson, "Security Architecture for the Internet
Protocol", currently draft-ietf-ipsec-arch-sec-07.txt.
[IPV6]
S. Deering, R. Hinden, "Internet Protocol, Version 6 (IPv6)
Specification", currently draft-ietf-ipngwg-ipv6-spec-v2-02.txt.
[IPV6MIB]
D. Haskin, S. Onishi, "Management Information Base for IP
Version 6: Textual Conventions and General Group", currently
draft-ietf-ipngwg-ipv6-mib-04.txt.
[KWORD]
S. Bradner, "Key words for use in RFCs to Indicate Requirement
Levels," RFC 2119.
[MD5] R. Rivest, "The MD5 Message-Digest Algorithm", RFC 1321.
[ND] T. Narten, E. Nordmark, W. Simpson, "Neighbor Discovery for
IP Version 6 (IPv6)", currently draft-ietf-ipngwg-
discovery-v2-03.txt.
[SAA] S. Thomson, T. Narten, "IPv6 Stateless Address
Autoconfiguration", draft-ietf-ipngwg-addrconf-v2-02.txt.
11. Authors' Addresses
Matt Crawford Robert M. Hinden
Fermilab MS 368 Nokia
PO Box 500 232 Java Drive
Batavia, IL 60510 Sunnyvale, CA 94089
USA USA
Phone: +1 630 840 3461 Phone: +1 408 990 2004
Email: crawdad@fnal.gov Email: hinden@ipsilon.com
Expires February 12, 1999 Crawford & Hinden [Page 22]
| PAFTECH AB 2003-2026 | 2026-04-23 06:24:54 |