<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
]>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std"
docName="draft-nward-ipv6-autoconfig-filtering-ethernet-00"
ipr="trust200902">
<front>
<title abbrev="IPv6 Autoconfig Filtering">IPv6 Autoconfig Filtering on
Ethernet Switches</title>
<author fullname="Nathan Ward" initials="N." surname="Ward">
<organization>Braintrust Ltd.</organization>
<address>
<postal>
<street>Level 1, 206 Symonds St.</street>
<city>Auckland</city>
<region></region>
<code>1010</code>
<country>NZ</country>
</postal>
<phone>+64-21-431675</phone>
<email>nward@braintrust.co.nz</email>
</address>
</author>
<date month="March" year="2009" />
<abstract>
<t>Many ethernet switch vendors provide features for filtering IPv4
address assignment services such as DHCP and BOOTP. This document
describes what is necessary for a switch to provide the same level of
filtering for IPv6, as a standard on which operators can base equipment
selection decisions.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>IPv6 provides several ways of assigning addresses to IPv6 capable
hosts: stateless address autoconfiguration from the Prefix Information
options carried in Router Advertisement (RA) messages, and stateful
DHCPv6, which hosts are directed to use by the flags in those same RA
messages. In IPv4, we can filter DHCP and BOOTP servers in ethernet
switches, allowing only our authorised configuration servers to provide
autoconfiguration information to hosts. Few ethernet switches provide
similar functionality for IPv6 autoconfiguration services, and many hosts
already listen for RA messages and, subsequent to receiving an RA
message, either configure addressing statelessly or statefully with
DHCPv6.</t>
<t>This represents a problem for many networks, for which the only
solution at present is to filter out all IPv6 packets from their
ethernet network.</t>
<t>This document describes how to filter RA and DHCPv6 messages so that
autoconfiguration can be provided only by authorised hosts and/or switch
ports.</t>
</section>
<section title="Protocols">
<t>In order to filter IPv6 packets, some level of understanding of the
IPv6, ICMPv6 and UDP protocols is required by the switch. The following
fields are analysed, so the switch needs to be able to parse them:</t>
<t>1) Ethertype in the ethernet header (always 0x86DD)</t>
<t>2) Source MAC address in the ethernet header</t>
<t>3) Destination MAC address in the ethernet header</t>
<t>4) Version in the IPv6 header (always 6)</t>
<t>5) Source IPv6 address in the IPv6 header</t>
<t>6) Destination IPv6 address in the IPv6 header</t>
<t>7) Next-header in the IPv6 header</t>
<t>8) Type and Code in the ICMPv6 header</t>
<t>9) UDP source port</t>
<t>10) UDP destination port</t>
<section title="Router Advertisements">
<t>Router advertisement messages SHOULD only be sent by routers, and
so should enter a switch only from a port with a router, and/or from a
router's link-local IPv6 address or ethernet MAC address. Router
advertisements can be sent unsolicited (periodically) to the all-nodes
multicast IPv6 and MAC addresses, or solicited (in response to a Router
Solicitation) either unicast to the soliciting host's MAC and IPv6
address or, at the router's discretion, again to the all-nodes multicast
addresses.</t>
<t>The characteristics of a router advertisement message are:</t>
<texttable>
<ttcol>Field</ttcol>
<ttcol>Value</ttcol>
<c>Source MAC Address</c>
<c>Router's MAC address</c>
<c>Destination MAC</c>
<c>33:33:00:00:00:01 (all-nodes) for unsolicited; a host's MAC address,
or again 33:33:00:00:00:01, for solicited</c>
<c>Source IPv6 Address</c>
<c>Router's IPv6 link-local address</c>
<c>Destination IPv6 Address</c>
<c>FF02::1 (all-nodes) for unsolicited; the soliciting host's address
in FE80::/64, or again FF02::1, for solicited</c>
<c>Next-header</c>
<c>58</c>
<c>ICMPv6 Type</c>
<c>134</c>
<c>ICMPv6 Code</c>
<c>0</c>
</texttable>
<t>Unique to router advertisements is the ICMPv6 type, 134.</t>
</section>
<section title="DHCPv6 Replies">
<t>DHCPv6 reply messages SHOULD only be sent by DHCPv6 servers and
relays, and so should only enter a switch from a port with a DHCPv6
server or relay, and/or from a DHCPv6 server or relay's link-local
IPv6 address or ethernet MAC address.</t>
<t>The characteristics of a DHCPv6 reply message (meaning here any
server-to-client message, i.e. Advertise, Reply and Reconfigure, all of
which use the same ports) are:</t>
<texttable>
<ttcol>Field</ttcol>
<ttcol>Value</ttcol>
<c>Source MAC Address</c>
<c>DHCPv6 server or relay's MAC address</c>
<c>Source IPv6 Address</c>
<c>DHCPv6 server or relay's link-local IPv6 address</c>
<c>Destination IPv6 Address</c>
<c>An address in FE80::/64</c>
<c>Next-header</c>
<c>17</c>
<c>UDP source port</c>
<c>547</c>
<c>UDP destination port</c>
<c>546</c>
</texttable>
<t>Unique to DHCPv6 replies are the UDP source and destination ports,
547 and 546 respectively. Relay-reply messages from a server to a relay
are addressed to UDP port 547 rather than 546 and so are not matched by
this description.</t>
</section>
</section>
<section title="Filtering">
<t>An ethernet switch MUST be able to be configured to filter Router
Advertisement and DHCPv6 reply messages under one or more of the
following conditions:</t>
<t>a) The source MAC address is not configured to belong to a router, or
DHCPv6 server or relay.</t>
<t>b) The source IPv6 link-local address is not configured to belong to
a router, or DHCPv6 server or relay.</t>
<t>c) The ethernet frame was not received on a port configured as
authorised to receive these messages.</t>
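<t>The field extraction of the Protocols section and conditions (a) to
(c) above, as an added worked example that is not part of this draft: a
small Python classifier that parses the ten listed header fields from a
raw ethernet frame, recognises Router Advertisements and DHCPv6
server-to-client messages by the values in the two tables, and applies
the port, MAC and link-local checks. The trusted port names, MAC
addresses, link-local addresses and sample frames are constructed for
the example. As the field list specifies, only the Next-header of the
fixed IPv6 header is examined; the last sample frame uses that to carry
an RA past the filter behind a Hop-by-Hop options header.</t>
<figure>
<artwork><![CDATA[
```python
# Added example, not part of the draft: parse the fields a switch needs, classify
# RA / DHCPv6 server-to-client messages and apply filtering conditions (a)-(c).
# Every address, port name and frame below is constructed for illustration.
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
NH_ICMPV6, NH_UDP = 58, 17
ICMPV6_RA = 134
DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT = 547, 546
ALL_NODES_MAC = "33:33:00:00:00:01"  # the MAC that FF02::1 maps to

def _mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_frame(frame):
    """Return the fields listed in the Protocols section, or None if the frame is
    not IPv6 or is truncated. Only the Next-header of the fixed IPv6 header is
    examined, as the field list specifies; extension headers are not walked."""
    if len(frame) < 54:  # 14-byte Ethernet header + 40-byte IPv6 header
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6 or frame[14] >> 4 != 6:
        return None
    f = {
        "src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac),
        "next_header": frame[20],
        "src_ip": ipaddress.IPv6Address(frame[22:38]),
        "dst_ip": ipaddress.IPv6Address(frame[38:54]),
    }
    l4 = frame[54:]
    if f["next_header"] == NH_ICMPV6 and len(l4) >= 4:
        f["icmp_type"], f["icmp_code"] = l4[0], l4[1]
    elif f["next_header"] == NH_UDP and len(l4) >= 8:
        f["udp_sport"], f["udp_dport"] = struct.unpack("!HH", l4[:4])
    return f

def classify(f):
    """'ra', 'dhcpv6_reply', or None for anything else (including unparsable)."""
    if f is None:
        return None
    if f.get("icmp_type") == ICMPV6_RA and f.get("icmp_code") == 0:
        return "ra"
    if (f.get("udp_sport"), f.get("udp_dport")) == (DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT):
        return "dhcpv6_reply"
    return None

class AutoconfigFilter:
    """Conditions (a) source MAC, (b) source link-local, (c) ingress port. An
    empty set leaves that condition unconfigured, as the draft permits."""

    def __init__(self, trusted_ports=(), trusted_macs=(), trusted_lladdrs=()):
        self.ports = set(trusted_ports)
        self.macs = {m.lower() for m in trusted_macs}
        self.lladdrs = {ipaddress.IPv6Address(a) for a in trusted_lladdrs}

    def decision(self, frame, ingress_port):
        """Return ('forward' | 'drop', reason) for one frame on one port."""
        f = parse_frame(frame)
        kind = classify(f)
        if kind is None:
            return "forward", "not an autoconfig message"
        if self.ports and ingress_port not in self.ports:
            return "drop", "(c) port %s not authorised for %s" % (ingress_port, kind)
        if self.macs and f["src_mac"] not in self.macs:
            return "drop", "(a) source MAC %s is not a router/server" % f["src_mac"]
        if self.lladdrs and f["src_ip"] not in self.lladdrs:
            return "drop", "(b) source %s is not a router/server link-local" % f["src_ip"]
        return "forward", kind

def build_frame(src_mac, dst_mac, src_ip, dst_ip, next_header, l4, hbh=False):
    """Constructed test frame; hbh=True inserts a Hop-by-Hop options header
    (Next-header 0, one PadN option) in front of the ICMPv6/UDP header."""
    body, nh = l4, next_header
    if hbh:
        body, nh = bytes([next_header, 0, 1, 4, 0, 0, 0, 0]) + l4, 0
    ip = struct.pack("!IHBB", 0x60000000, len(body), nh, 255)
    ip += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV6) + ip + body

def demo():
    """Constructed scenario: router/DHCPv6 server on Gi0/1, hosts on Gi0/7."""
    rtr, rtr_ll = "00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"
    bad, bad_ll = "00:de:ad:be:ef:01", "fe80::2de:adff:febe:ef01"
    flt = AutoconfigFilter(trusted_ports={"Gi0/1"}, trusted_macs={rtr}, trusted_lladdrs={rtr_ll})
    ra = bytes([ICMPV6_RA, 0, 0, 0, 64, 0, 0x07, 0x08]) + bytes(8)  # type, code, cksum, body
    adv = struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 1])  # UDP + Advertise
    return {
        "good_ra": flt.decision(build_frame(rtr, ALL_NODES_MAC, rtr_ll, "ff02::1", NH_ICMPV6, ra), "Gi0/1"),
        "rogue_ra_on_trusted_port": flt.decision(build_frame(bad, ALL_NODES_MAC, bad_ll, "ff02::1", NH_ICMPV6, ra), "Gi0/1"),
        "rogue_ra_on_host_port": flt.decision(build_frame(bad, ALL_NODES_MAC, bad_ll, "ff02::1", NH_ICMPV6, ra), "Gi0/7"),
        "ra_behind_hbh_header": flt.decision(build_frame(bad, ALL_NODES_MAC, bad_ll, "ff02::1", NH_ICMPV6, ra, hbh=True), "Gi0/7"),
        "good_dhcpv6_advertise": flt.decision(build_frame(rtr, "00:aa:bb:cc:dd:ee", rtr_ll, "fe80::2aa:bbff:fecc:ddee", NH_UDP, adv), "Gi0/1"),
    }
```
]]></artwork>
</figure>
<t>Calling demo() forwards the genuine RA and DHCPv6 Advertise from
Gi0/1, drops the rogue RA on condition (a) when it arrives on the
trusted port and on condition (c) when it arrives on a host port, and
forwards the RA hidden behind the Hop-by-Hop header unchanged, because
the classifier sees Next-header 0 rather than 58. The condition order
in decision() is deliberate: the ingress port is checked first since
it is the one value the sender cannot choose.</t>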
<section title="Requests">
<t>It may be desirable for a switch to only transmit Router
Solicitation and DHCPv6 request messages out of a port if that port is
configured as having a router, DHCPv6 server or relay attached. Comment
is sought on this.</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document makes no request of IANA.</t>
<t>Note to RFC Editor: this section may be removed on publication as an
RFC.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>This document describes filtering features for ethernet switches, so
improves security of IPv6 auto configuration in switched ethernet
environments.</t>
<t>Conditions (a) and (b) of the Filtering section rely on the source
MAC address and the source link-local address, both of which a host can
set freely. They protect against misconfigured hosts but not against a
deliberate attacker on a port that is also permitted to carry these
messages. Condition (c), filtering on the ingress port, does not depend
on any value the sender controls and is the strongest of the three.</t>
<t>The fields listed in the Protocols section are taken from the fixed
IPv6 header and the header immediately following it. A Router
Advertisement or DHCPv6 reply preceded by an IPv6 extension header, or
carried in a non-initial fragment, will not match on the Next-header
value alone. A switch that does not walk extension headers should at
least allow the operator to drop such packets on ports that are not
authorised to send autoconfiguration messages.</t>
<t>It is not known whether this document introduces any other security
issues.</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>Discussion on the NANOG mailing list.</t>
</section>
</middle>
<back>
<references title="Normative References">
&RFC2119;
</references>
</back>
</rfc>