One document matched: draft-ietf-v6ops-design-choices-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-ietf-v6ops-design-choices-01"
ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: full3667, noModification3667, noDerivatives3667
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the
full title is longer than 39 characters -->
<title abbrev="IPv6 Design Choices">Design Choices for IPv6
Networks</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<!-- Another author who claims to be an editor -->
<author fullname="Philip Matthews" initials="P." surname="Matthews">
<organization>Alcatel-Lucent</organization>
<address>
<postal>
<street>600 March Road</street>
<!-- Reorder these if your country does things differently -->
<city>Ottawa</city>
<region>Ontario</region>
<code>K2K 2E6</code>
<country>Canada</country>
</postal>
<phone>+1 613-784-3139</phone>
<email>philip_matthews@magma.ca</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Victor Kuarsingh" initials="V." surname="Kuarsingh">
<organization>Dyn</organization>
<address>
<postal>
<street>150 Dow Street</street>
<city>Manchester</city>
<region>NH</region>
<code>03101</code>
<country>USA</country>
</postal>
<phone/>
<facsimile/>
<email>victor@jvknet.com</email>
<uri/>
</address>
</author>
<date month="March" year="2014"/>
<!-- If the month and year are both specified and are the current ones, xml2rfc will fill
in the current day for you. If only the current year is specified, xml2rfc will fill
in the current day and month for you. If the year is not the current one, it is
necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the
purpose of calculating the expiry date). With drafts it is normally sufficient to
specify just the year. -->
<!-- Meta-data Declarations -->
<area>Operations and Management</area>
<workgroup>V6OPS Working Group</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword/>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract>
<t>This document presents advice on the design choices that arise when
designing IPv6 networks (both dual-stack and IPv6-only). The intended
audience is someone designing an IPv6 network who is knowledgeable about
best current practices around IPv4 network design, and wishes to learn
the corresponding practices for IPv6.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>This document presents advice on the design choices that arise when
designing IPv6 networks (both dual-stack and IPv6-only). The intended
audience is someone designing an IPv6 network who is knowledgeable about
best current practices around IPv4 network design, and wishes to learn
the corresponding practices for IPv6.</t>
<t>The focus of the document is on design choices where there are
differences between IPv4 and IPv6, either in the range of possible
alternatives (e.g. the extra possibilities introduced by link-local
addresses in IPv6) or the recommended alternative. The document presents
the alternatives and discusses the pros and cons in detail. Where
consensus currently exists around the best practice, this is documented;
otherwise the document simply summarizes the current state of the
discussion. Thus this document serves to both to document the reasoning
behind best current practices for IPv6, and to allow a designer to make
an intelligent choice where no such consensus exists.</t>
<t>This document does not present advice on strategies for adding IPv6
to a network, nor does it discuss transition mechanisms. For advice in
these areas, see <xref target="RFC6180"/> for general advice, <xref
target="RFC6782"/> for wireline service providers, <xref
target="RFC6342"/> for mobile network providers, <xref
target="RFC5963"/> for exchange point operators, <xref
target="RFC6883"/> for content providers, and both <xref
target="RFC4852"/> and <xref
target="I-D.ietf-v6ops-enterprise-incremental-ipv6"/> for enterprises.
Nor does the document cover the ins and outs of creating an IPv6
addressing plan; for advice in this area, see <xref
target="RFC5375"/>.</t>
<t>This document focuses on unicast network design only. It does not
cover multicast, nor supporting infrastructure such as DNS.</t>
<t>The current version is still work in progress, and it is expected
that the presentation and discussion of additional design choices will
be added as the document matures.</t>
</section>
<section title="Design Choices">
<t>This section consists of a list of specific design choices a network
designer faces when designing an IPv6-only or dual-stack network, along
with guidance and advice to the designer when making a choice.</t>
<section title="Mix IPv4 and IPv6 on the Same Link?">
<t>Should IPv4 and IPv6 traffic be logically separated on a link? That
is:<list style="letters">
<t>Mix IPv4 and IPv6 traffic on the same layer 2 connection,
OR</t>
<t>Separate IPv4 and IPv6 by using separate physical or logical
links (e.g., two physical links or two VLANs on the same
link)?</t>
</list></t>
<t>Option (a) implies a single layer 3 interface at each end with both
IPv4 and IPv6 addresses; while option (b) implies two layer 3
interfaces, one for IPv4 addresses and one with IPv6 addresses.</t>
<t>The advantages of option (a) include:<list style="symbols">
<t>Requires only half as many layer 3 interfaces as option (b),
thus providing better scaling;</t>
<t>May require fewer physical ports, thus saving money;</t>
<t>Can make the QoS implementation much easier (for example,
rate-limiting the combined IPv4 and IPv6 traffic to or from a
customer);</t>
<t>Provides better support for the expected future of increasing
IPv6 traffic and decreasing IPv4 traffic;</t>
<t>And is generally conceptually simpler.</t>
</list>For these reasons, there is a pretty strong consensus in the
operator community that option (a) is the preferred way to go.</t>
<t>However, there can be times when option (b) is the pragmatic
choice. Most commonly, option (b) is used to work around limitations
in network equipment. One big example is the generally poor level of
support today for individual statistics on IPv4 traffic vs IPv6
traffic when option (a) is used. Other, device-specific, limitations
exist as well. It is expected that these limitations will go away as
support for IPv6 matures, making option (b) less and less attractive
until the day that IPv4 is finally turned off.</t>
<t>Most networks today use option (a) wherever possible.</t>
</section>
<section title="Links with Only Link-Local Addresses?">
<t>Should the link:<list style="letters">
<t>Use only link-local addresses (“unnumbered”),
OR</t>
<t>Have global or unique-local addresses assigned in addition to
link-locals?</t>
</list></t>
<t>There are two advantages of unnumbered links. The first advantage
is ease of configuration. In a network with a large number of
unnumbered links, the operator can just enable an IGP on each router,
without going through the tedious process of assigning and tracking
the addresses for each link. The second advantage is security. Since
link-local addresses are unroutable, the associated interfaces cannot
be attacked from an off-link device. This implies less effort around
maintaining security ACLs.</t>
<t>Countering this advantage are various disadvantages to unnumbered
links in IPv6:<list style="symbols">
<t>It is not possible to ping an interface that has only a
link-local address from a device that is not directly attached to
the link. Thus, to troubleshoot, one must typically log into a
device that is directly attached to the device in question, and
execute the ping from there.</t>
<t>A traceroute passing over the unnumbered link will return the
loopback or system address of the router, rather than the address
of the interface itself.</t>
<t>On some devices, by default the link-layer address of the
interface is derived from the MAC address assigned to interface.
When this is done, swapping out the interface hardware (e.g.
interface card) will cause the link-layer address to change. In
some cases (peering config, ACLs, etc) this may require additional
changes. However, many devices allow the link-layer address of an
interface to be explicitly configured, which avoids this
issue.</t>
<t>The practice of naming router interfaces using DNS names is
difficult-to-impossible when using LLAs only.</t>
<t>It is not possible to identify the interface or link (in a
database, email, etc) by just giving its address.</t>
</list></t>
<t>For more discussion on the pros and cons, see <xref
target="I-D.ietf-opsec-lla-only"/>.</t>
<t>Today, most operators use numbered links (option b).</t>
</section>
<section title="Link-Local Next-Hop in a Static Route?">
<t>What form of next-hop address should one use in a static
route?<list style="letters">
<t>Use the far-end’s link-local address as the next-hop
address, OR</t>
<t>Use the far-end’s GUA/ULA address as the next-hop
address?</t>
</list></t>
<t>Recall that the IPv6 specs for OSPF <xref target="RFC5340"/> and
ISIS <xref target="RFC5308"/> dictate that they always use link-locals
for next-hop addresses. For static routes, <xref target="RFC4861"/>
section 8 says:<list style="empty">
<t>A router MUST be able to determine the link-local address for
each of its neighboring routers in order to ensure that the target
address in a Redirect message identifies the neighbor router by
its link-local address. For static routing, this requirement
implies that the next-hop router's address should be specified
using the link-local address of the router.</t>
</list></t>
<t>This implies that using a GUA or ULA as the next hop will prevent a
router from sending Redirect messages for packets that "hit" this
static route. All this argues for using a link-local as the next-hop
address in a static route.</t>
<t>However, there are two cases where using a link-local address as
the next-hop clearly does not work. One is when the static route is an
indirect (or multi-hop) static route. The second is when the static
route is redistributed into another routing protocol. In these cases,
the above text from RFC 4861 notwithstanding, either a GUA or ULA must
be used.</t>
<t>Furthermore, many network operators are concerned about the
dependency of the default link-local address on an underlying MAC
address, as described in the previous section.</t>
<t>Today most operators use GUAs as next-hop addresses.</t>
</section>
<section title="Separate or Combined eBGP Sessions?">
<t>For a dual-stack peering connection where eBGP is used as the
routing protocol, then one can either:<list style="letters">
<t>Use one BGP session to carry both IPv4 and IPv6 routes, OR</t>
<t>Use two BGP sessions, a session over IPv4 carrying IPv4 routes
and a session over IPv6 carrying IPv6 routes.</t>
</list></t>
<t>The main advantage of (a) is a reduction in the number of BGP
sessions compared with (b).</t>
<t>However, there are a number of concerns with option (a):<list
style="symbols">
<t>On most existing implementations, adding or removing an address
family to an established BGP session will cause the router to tear
down and re-establish the session. Thus adding the IPv6 family to
an existing session carrying just IPv4 routes will disrupt the
session, and the eventual removal of IPv4 from the dual IPv4/IPv6
session will also disrupt the session. This disruption problem
will persist until something similar to <xref
target="I-D.ietf-idr-dynamic-cap"/> or <xref
target="I-D.ietf-idr-bgp-multisession"/> is widely deployed.</t>
<t>Whatever selection you make for the underlying transport
protocol (v4 or v6) will likely look funny at some date. Using two
sessions is appropriate both now and in the future.</t>
<t>Carrying (for example) IPv6 routes over IPv4 means that route
information is transported over a different transport plane than
the data packets themselves. If v6 connectivity goes down locally
without v4 also going down, then v6 routes will still be
exchanged, thus leading to a blackhole.</t>
<t>In some implementations, carrying v4 routes in a BGP session
over v6 transport (or vica-versa) results in the BGP next-hops in
the wrong address family, which must be fixed using routing policy
before the routes can be used.</t>
</list></t>
<t>Given these disadvantages, option (b) is the better choice in most
situations, and this is the choice selected in most networks
today.</t>
</section>
<section title="eBGP Endpoints: Global or Link-Local Addresses?">
<t>When running eBGP over IPv6, there are two options for the
addresses to use at each end of the eBGP session (or more properly,
the underlying TCP session):<list style="letters">
<t>Use link-local addresses for the eBGP session, OR</t>
<t>Use global addresses for the eBGP session.</t>
</list></t>
<t>Note that the choice here is the addresses to use for the eBGP
sessions, and not whether the link itself has global (or unique-local)
addresses. In particular, it is quite possible for the eBGP session to
use link-local addresses even when the link has global addresses.</t>
<t>The big attraction for option (a) is security: an eBGP session
using link-local addresses is impossible to attack from a device that
is off-link. This provides very strong protection against TCP RST and
similar attacks. Though there are other ways to get an equivalent
level of security (e.g. GTSM <xref target="RFC5082"/>, MD5 <xref
target="RFC5925"/>, or ACLs), these other ways require additional
configuration which can be forgotten or potentially
mis-configured.</t>
<t>However, there are a number of small disadvantages to using
link-local addresses:<list style="symbols">
<t>Using link-local addresses only works for single-hop eBGP
sessions; it does not work for multi-hop sessions.</t>
<t>One must use “next-hop self” at both endpoints,
otherwise redistributing routes learned via eBGP into iBGP will
not work. (Some products enable “next-hop self” in
this situation automatically).</t>
<t>Operators and their tools are used to referring to eBGP
sessions by address only, something that is not possible with
link-local addresses.</t>
<t>If one is configuring parallel eBGP sessions for IPv4 and IPv6
routes, then using link-local addresses for the IPv6 session
introduces an extra difference between the two sessions which
could otherwise be avoided.</t>
<t>On some products, an eBGP session using a link-local address is
more complex to configure than a session that use a global
address.</t>
<t>If hardware or other issues cause one to move the cable to a
different local interface, then reconfiguration is required at
both ends: at the local end because the interface has changed (and
with link-local addresses, the interface must always be specified
along with the address), and at the remote end because the
link-local address has likely changed. (Contrast this with using
global addresses, where less re-configuration is required at the
local end, and no reconfiguration is required at the remote
end).</t>
<t>Finally, a strict interpretation of RFC 2545 can be seen as
forbidding running eBGP between link-local addresses, as RFC 2545
requires the BGP next-hop field to contain at least a global
address.</t>
</list>For these reasons, most operators today choose to have their
eBGP sessions use global addresses.</t>
</section>
<section title="IGP Choice">
<t>One of the main decisions for an IPv6 implementor is the choice of
IGP (Interior Gateway Protocol) within the network. The primary
choices are the IETF protocols of RIP <xref target="RFC2080"/>, OSPF
<xref target="RFC2328"/> <xref target="RFC5340"/> and IS-IS <xref
target="RFC5120"/> <xref target="RFC5308"/>, though some operators may
consider non-IETF protocols. Here we limit our discussion to the pros
and cons of OSPF vs. IS-IS.</t>
<t>Considering just OSPF vs. IS-IS, the options are:<list
style="letters">
<t>Use OSPFv2 for IPv4 and OSPFv3 for IPv6, OR</t>
<t>Use OSPFv3 for both IPv4 and IPv6, OR</t>
<t>Use OSPFv2 for IPv4, and IS-IS for IPv6, OR</t>
<t>Use IS-IS for IPv4 and IPv6, OR</t>
<t>Use IS-IS for IPv4 and OSPFv3 for IPv6.</t>
</list></t>
<t>Note that options (a), (c), and (e) involve running two different
routing protocols, while options (b) and (d) involve running just one
routing protocol.</t>
<t><list style="symbols">
<t>A big factor in the choice is the protocol the operator is
currently using for routing IPv4. Option (e) is unlikely to be a
good choice for an operator currently using OSPF for IPv4 routing,
and similarly option (a) is unlikely to be a good choice for an
operator currently using IS-IS.</t>
<t>A pro for options (a), (c), and (e), which use two routing
protocols, is that they give a hard separation between IPv4 and
IPv6 routing. Thus a problem with one protocol or one set of
routes is unlikely to affect the other.</t>
<t>There are two cons for options (a), (c), and (e). One con is
that two sets of all the protocol mechanisms need to be
maintained. On a larger modern router, this is unlikely to be a
problem, but on some edge devices this might be an issue. The
second con is that some operational staff must be familiar with
both protocols. For many routing problems, the protocols are
sufficiently similar that they can be considered identical, but
some problems require a detailed knowledge of the differences.</t>
<t>Option (b) requires the use of new protocol extensions that
allow OSPFv3 to also route IPv4. At the time of writing, these
extensions are still quite new.</t>
</list></t>
</section>
</section>
<section title="General Observations">
<t>There are two themes that run though many of the design choices in
this document. This section presents some general discussion on these
two themes.</t>
<section title="Use of Link-Local Addresses">
<t>The proper use of link-local addresses is a common theme in the
IPv6 network design choices. Link-layer addresses are, of course,
always present in an IPv6 network, but current network design practice
mostly ignores them, despite efforts such as <xref
target="I-D.ietf-opsec-lla-only"/>.</t>
<t>There are three main reasons for this current practice:</t>
<t><list style="symbols">
<t>Network operators are concerned about the volatility of
link-local addresses based on MAC addresses, despite the fact that
this concern can be overcome by manually-configuring link-local
addresses;</t>
<t>It is impossible to ping a link-local address from a device
that is not on the same subnet. This is a troubleshooting
disadvantage, though it can also be viewed as a security
advantage.</t>
<t>Most operators are currently running networks that carry both
IPv4 and IPv6 traffic, and wish to harmonize their IPv4 and IPv6
design and operational practices where possible.</t>
</list></t>
</section>
<section title="Separation of IPv4 and IPv6">
<t>Currently, most operators are running or planning to run networks
that carry both IPv4 and IPv6 traffic. Hence the question: To what
degree should IPv4 and IPv6 be kept separate? As can be seen above,
this breaks into two sub-questions: To what degree should IPv4 and
IPv6 traffic be kept separate, and to what degree should IPv4 and IPv6
routing information be kept separate?</t>
<t>The general consensus around the first question is that IPv4 and
IPv6 traffic should generally be mixed together. This recommendation
is driven by the operational simplicity of mixing the traffic, plus
the general observation that the service being offered to the end user
is Internet connectivity and most users do not know or care about the
differences between IPv4 and IPv6. Thus it is very desirable to mix
IPv4 and IPv6 on the same link to the end user. On other links,
separation is possible but more operationally complex, though it does
occasionally allow the operator to work around limitations on network
devices. The situation here is roughly comparable to IP and MPLS
traffic: many networks mix the two traffic types on the same links
without issues.</t>
<t>By contrast, there is more of an argument for carrying IPv6 routing
information over IPv6 transport, while leaving IPv4 routing
information on IPv4 transport. By doing this, one gets fate-sharing
between the control and data plane for each IP protocol version: if
the data plane fails for some reason, then often the control plane
will too.</t>
</section>
</section>
<section title="IANA Considerations">
<t>This document makes no requests of IANA.</t>
</section>
<section title="Security Considerations">
<t>(TBD)</t>
</section>
<section title="Acknowledgements">
<t>Many, many people in the V6OPS working group provided comments and
suggestions that made their way into this document. A partial list
includes: Rajiv Asati, Fred Baker, Michael Behringer, Marc Blanchet, Ron
Bonica, Randy Bush, Cameron Byrne, Brian Carpenter, KK Chittimaneni, Tim
Chown, Lorenzo Colitti, Gert Doering, Bill Fenner, Kedar K Gaonkar,
Chris Grundemann, Steinar Haug, Ray Hunter, Joel Jaeggli, Victor
Kuarsingh, Ivan Pepelnjak, Alexandru Petrescu, Rob Shakir, Mark Smith,
Jean-Francois Tremblay, Tina Tsou, Dan York, and Xuxiaohu.</t>
<t>The authors would also like to thank Pradeep Jain and Alastair
Johnson for helpful comments on a very preliminary version of this
document.</t>
</section>
<!-- This PI places the pagebreak correctly (before the section title) in the text output. -->
<?rfc needLines="8" ?>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Informative References">
<?rfc include="reference.RFC.2080"?>
<?rfc include="reference.RFC.2328"?>
<?rfc include="reference.RFC.4852"?>
<?rfc include="reference.RFC.4861"?>
<?rfc include="reference.RFC.5082"?>
<?rfc include="reference.RFC.5120"?>
<?rfc include="reference.RFC.5308"?>
<?rfc include="reference.RFC.5340"?>
<?rfc include="reference.RFC.5375"?>
<?rfc include="reference.RFC.5925"?>
<?rfc include="reference.RFC.5963"?>
<?rfc include="reference.RFC.6180"?>
<?rfc include="reference.RFC.6342"?>
<?rfc include="reference.RFC.6782"?>
<?rfc include="reference.RFC.6883"?>
<?rfc include="reference.I-D.ietf-idr-dynamic-cap"?>
<?rfc include="reference.I-D.ietf-idr-bgp-multisession"?>
<?rfc include="reference.I-D.ietf-opsec-lla-only"?>
<?rfc include="reference.I-D.ietf-v6ops-enterprise-incremental-ipv6"?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:58:21 |