draft-ietf-6man-addr-select-opt-06.txt   draft-ietf-6man-addr-select-opt-07.txt 
6man Working Group A. Matsumoto 6man Working Group A. Matsumoto
Internet-Draft T. Fujisaki Internet-Draft T. Fujisaki
Intended status: Standards Track NTT Intended status: Standards Track NTT
Expires: March 25, 2013 T. Chown Expires: May 18, 2013 T. Chown
University of Southampton University of Southampton
September 21, 2012 November 14, 2012
Distributing Address Selection Policy using DHCPv6 Distributing Address Selection Policy using DHCPv6
draft-ietf-6man-addr-select-opt-06.txt draft-ietf-6man-addr-select-opt-07.txt
Abstract Abstract
RFC 6724 defines default address selection mechanisms for IPv6 that RFC 6724 defines default address selection mechanisms for IPv6 that
allow nodes to select appropriate address when faced with multiple allow nodes to select appropriate address when faced with multiple
source and/or destination addresses to choose between. The RFC 6724 source and/or destination addresses to choose between. The RFC 6724
allowed for the future definition of methods to administratively allowed for the future definition of methods to administratively
configure the address selection policy information. This document configure the address selection policy information. This document
defines a new DHCPv6 option for such configuration, allowing a site defines a new DHCPv6 option for such configuration, allowing a site
administrator to distribute address selection policy overriding the administrator to distribute address selection policy overriding the
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 25, 2013. This Internet-Draft will expire on May 18, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 15 skipping to change at page 3, line 15
1.2. Terminology 1.2. Terminology
This document uses the terminology defined in [RFC2460] and the This document uses the terminology defined in [RFC2460] and the
DHCPv6 specification defined in [RFC3315] DHCPv6 specification defined in [RFC3315]
2. Address Selection options 2. Address Selection options
The Address Selection option provides the address selection policy The Address Selection option provides the address selection policy
table, and some other configuration parameters. table, and some other configuration parameters.
A address selection option contains zero or more policy table An Address Selection option contains zero or more policy table
options. Multiple policy table options in a Policy Table option options. Multiple Policy Table options in an Address Selection
constitute a single policy table. option constitute a single policy table.
The format of the Address Selection option is given below. The format of the Address Selection option is given below.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_ADDRSEL | option-len | | OPTION_ADDRSEL | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved |A|P| | | Reserved |A|P| |
+-+-+-+-+-+-+-+-+ POLICY TABLE OPTIONS | +-+-+-+-+-+-+-+-+ POLICY TABLE OPTIONS |
skipping to change at page 3, line 48 skipping to change at page 3, line 48
Reserved: Reserved field. Server MUST set this value to zero and Reserved: Reserved field. Server MUST set this value to zero and
client MUST ignore its content. client MUST ignore its content.
A: Automatic Row Addition flag. This flag toggles the Automatic A: Automatic Row Addition flag. This flag toggles the Automatic
Row Addition flag at client hosts, which is described in the Row Addition flag at client hosts, which is described in the
section 2.1 in RFC 6724 [RFC6724]. If this flag is set to 1, it section 2.1 in RFC 6724 [RFC6724]. If this flag is set to 1, it
does not change client host behavior, that is, a client MAY does not change client host behavior, that is, a client MAY
automatically add additional site-specific rows to the policy automatically add additional site-specific rows to the policy
table. If set to 0, the Automatic Row Addition flag is table. If set to 0, the Automatic Row Addition flag is
disabled, and a client MAY NOT automatically add rows to the disabled, and a client SHOULD NOT automatically add rows to the
policy table. policy table.
P: Privacy Preference flag. This flag toggles the Privacy P: Privacy Preference flag. This flag toggles the Privacy
Preference flag at client hosts, which is described in the Preference flag at client hosts, which is described in the
section 5 in RFC 6724 [RFC6724]. If this flag is set to 1, it section 5 in RFC 6724 [RFC6724]. If this flag is set to 1, it
does not change client host behavior, that is, a client SHOULD does not change client host behavior, that is, a client will
prefer temporary addresses. If set to 0, the Privacy Preference prefer temporary addresses. If set to 0, the Privacy Preference
flag is disabled, and a client SHOULD prefer public addresses. flag is disabled, and a client will prefer public addresses.
POLICY TABLE OPTIONS: Zero or more Address Selection Policy Table POLICY TABLE OPTIONS: Zero or more Address Selection Policy Table
options described below. options described below.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_ADDRSEL_TABLE | option-len | | OPTION_ADDRSEL_TABLE | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| label | precedence | prefix-len | | | label | precedence | prefix-len | |
skipping to change at page 4, line 46 skipping to change at page 4, line 46
precedence: An 8-bit unsigned integer; this value is used for precedence: An 8-bit unsigned integer; this value is used for
sorting destination addresses. sorting destination addresses.
prefix-len: An 8-bit unsigned integer; the number of leading bits in prefix-len: An 8-bit unsigned integer; the number of leading bits in
the prefix that are valid. The value ranges from 0 to 128. the prefix that are valid. The value ranges from 0 to 128.
prefix: A variable-length field containing an IP address or the prefix: A variable-length field containing an IP address or the
prefix of an IP address. An IPv4-mapped address [RFC4291] must prefix of an IP address. An IPv4-mapped address [RFC4291] must
be used to represent an IPv4 address as a prefix value. The be used to represent an IPv4 address as a prefix value. The
prefix should be zero padded up to the next octet boundary. So prefix should be left aligned, big-endian, and zero padded on
the length of this field should be between 0 and 16 bytes. the right up to the next octet boundary. So the length of this
field should be between 0 and 16 bytes.
3. Appearance of the Address Selection options 3. Appearance of the Address Selection options
The Address Selection options MUST NOT appear in any messages other The Address Selection options MUST NOT appear in any DHCPv6 messages
than the following ones: Solicit, Advertise, Request, Renew, Rebind, other than the following ones: Solicit, Advertise, Request, Renew,
Reconfigure, Information-Request, and Reply. Rebind, Reconfigure, Information-Request, and Reply.
4. Processing the Policy Table option 4. Processing the Policy Table option
This section describes how to process received Policy Table option at This section describes how to process received Policy Table option at
the DHCPv6 client. the DHCPv6 client.
This option's concept is to serve as a hint for a node about how to This option's concept is to serve as a hint for a node about how to
behave in the network. So, basically, it should be up to the node's behave in the network. So, basically, it should be up to the node's
administrator how to deal with the received policy information in the administrator how to deal with the received policy information in the
way described below. way described below.
4.1. Handling of the local policy table 4.1. Handling of the local policy table
RFC 6724 defines the default policy table. Also, a user is usually RFC 6724 defines the default policy table. Also, users are usually
able to configure the policy table to satisfy his requirement. able to configure the policy table to satisfy their own requirements.
The client implementation SHOULD provide the following choices to the The client implementation SHOULD provide the following choices to the
user: user:
a) It receives distributed policy table, and replaces the existing a) replace the existing active policy table with the DHCPv6
policy tables with that. distributed policy table.
b) It preserves the default policy table, or manually configured b) preserve the existing active policy table, whether this be the
policy. default policy table, or user configured policy.
4.2. Handling of the stale policy table 4.2. Handling of the stale policy table
When the information from the DHCP server goes stale, the policy When the information from the DHCP server goes stale, the policy
received form the DHCP server should be removed and the default received form the DHCP server should be deprecated.
policy should be restored.
The received information can be considered stale in several cases, The received information can be considered stale in several cases,
such as, when the interface goes down, the DHCP server does not such as, when the interface goes down, the DHCP server does not
respond for a certain amount of time, and the Information Refresh respond for a certain amount of time, and the Information Refresh
Time is expired. Time is expired.
4.3. Multi-interface situation 4.3. Multi-interface situation
The policy table, and other parameters specified in this document are The policy table, and other parameters specified in this document are
node-global information by its nature. One of the reason is that the node-global information by their nature. One reason being that the
outbound interface is usually chosen after destination address outbound interface is usually chosen after destination address
selection. So, a host cannot make use of multiple address selection selection. So, a host cannot make use of multiple address selection
policy even if they are stored per interface. policies even if they are stored per interface.
Even if the received policy from one source is merged with one from Even if the received policy from one source is merged with one from
another source, the effect of both policy are more or less changed. another source, the effect of both policy are more or less changed.
The policy table is defined as a whole, so the slightest addition/ The policy table is defined as a whole, so the slightest addition/
deletion from the policy table brings a change in semantics of the deletion from the policy table brings a change in semantics of the
policy. policy.
It also should be noted that absence of the distributed policy from a It also should be noted that absence of the distributed policy from a
certain network interface should not be treated as absence of policy certain network interface should not be treated as absence of policy
itself, because it may mean preference for the default address itself, because it may mean preference for the default address
skipping to change at page 6, line 43 skipping to change at page 6, line 43
address selection policies per interface. They can be used address selection policies per interface. They can be used
effectively on such implementations that adopt per-application effectively on such implementations that adopt per-application
interface selection. interface selection.
5. Implementation Considerations 5. Implementation Considerations
o The value 'label' is passed as an unsigned integer, but there is o The value 'label' is passed as an unsigned integer, but there is
no special meaning for the value, that is whether it is a large or no special meaning for the value, that is whether it is a large or
small number. It is used to select a preferred source address small number. It is used to select a preferred source address
prefix corresponding to a destination address prefix by matching prefix corresponding to a destination address prefix by matching
the same label value within the DHCP message. DHCPv6 clients need the same label value within the DHCP message. DHCPv6 clients
to convert this label to a representation specified by each SHOULD convert this label to a representation appropriate for the
implementation (e.g., string). local implementation (e.g., string).
o Currently, the label and precedence values are defined as 8-bit o Currently, the label and precedence values are defined as 8-bit
unsigned integers. In almost all cases, this value will be unsigned integers. In almost all cases, this value will be
enough. enough.
o The maximum number of address selection rules that may be conveyed o The maximum number of address selection rules that may be conveyed
in one DHCPv6 message depends on the prefix length of each rule in one DHCPv6 message depends on the prefix length of each rule
and the maximum DHCPv6 message size defined in RFC 3315. It is and the maximum DHCPv6 message size defined in RFC 3315. It is
possible to carry over 3,000 rules in one DHCPv6 message (maximum possible to carry over 3,000 rules in one DHCPv6 message (maximum
UDP message size). However, it should not be expected that DHCP UDP message size). However, it should not be expected that DHCP
clients, servers and relay agents can handle UDP fragmentation. clients, servers and relay agents can handle UDP fragmentation.
So, the number of the options and the total size of the options Network adiministrators SHOULD consider local limitations to the
should be taken care of. maximum DHCPv6 message size that can be reliably transported via
their specific local infrastructure to end nodes; and therefore
they SHOULD consider the number of options, the total size of the
options, and the resulting DHCPv6 message size, when defining
their Policy Table.
o Since the number of selection rules could be large, an o Since the number of selection rules could be large, an
administrator configuring the policy to be distributed should administrator configuring the policy to be distributed should
consider the resulting DHCPv6 message size. consider the resulting DHCPv6 message size.
6. Security Considerations 6. Security Considerations
A rogue DHCPv6 server could issue bogus address selection policies to A rogue DHCPv6 server could issue bogus address selection policies to
a client. This might lead to incorrect address selection by the a client. This might lead to incorrect address selection by the
client, and the affected packets might be blocked at an outgoing ISP client, and the affected packets might be blocked at an outgoing ISP
because of ingress filtering. Alternatively, an IPv6 transition because of ingress filtering, incur additional network charges, or be
mechanism might be preferred over native IPv6, even if it is misdirected to an attacker's machine. Alternatively, an IPv6
available. To guard against such attacks, a legitimate DHCPv6 server transition mechanism might be preferred over native IPv6, even if it
should be communicated through a secure, trusted channel, such as a is available. To guard against such attacks, a legitimate DHCPv6
channel protected by IPsec, SEND and DHCP authentication, as server should communicate through a secure, trusted channel, such as
a channel protected by IPsec, SEND and DHCP authentication, as
described in section 21 of RFC 3315, described in section 21 of RFC 3315,
Another threat is about privacy concern. As in the security Another threat is about privacy concern. As in the security
consideration section of RFC 6724, at least a part of, the address consideration section of RFC 6724, at least a part of, the address
selection policy stored in a host can be leaked by a packet from a selection policy stored in a host can be leaked by a packet from a
remote host. This issue will not be degraded regardless of the remote host. This issue will not be modified by the introduction of
introduction of this option, or regardless of whether the host is this option, regardless of whether the host is multihomed or not.
multihomed or not.
7. IANA Considerations 7. IANA Considerations
IANA is requested to assign option codes to OPTION_ADDRSEL , IANA is requested to assign option codes to OPTION_ADDRSEL and
OPTION_ADDRSEL_TABLE, and OPTION_ADDRSEL_ZONE from the option-code OPTION_ADDRSEL_TABLE from the option-code space as defined in section
space as defined in section "DHCPv6 Options" of RFC 3315. "DHCPv6 Options" of RFC 3315.
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-6man-stable-privacy-addresses]
Gont, F., "A method for Generating Stable Privacy-Enhanced
Addresses with IPv6 Stateless Address Autoconfiguration
(SLAAC)", draft-ietf-6man-stable-privacy-addresses-00
(work in progress), May 2012.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003. IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3484] Draves, R., "Default Address Selection for Internet [RFC3484] Draves, R., "Default Address Selection for Internet
Protocol version 6 (IPv6)", RFC 3484, February 2003. Protocol version 6 (IPv6)", RFC 3484, February 2003.
skipping to change at page 9, line 15 skipping to change at page 9, line 13
Default Rules", RFC 5220, July 2008. Default Rules", RFC 5220, July 2008.
[RFC5221] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, [RFC5221] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama,
"Requirements for Address Selection Mechanisms", RFC 5221, "Requirements for Address Selection Mechanisms", RFC 5221,
July 2008. July 2008.
Appendix A. Acknowledgements Appendix A. Acknowledgements
Authors would like to thank to Dave Thaler, Pekka Savola, Remi Denis- Authors would like to thank to Dave Thaler, Pekka Savola, Remi Denis-
Courmont, Francois-Xavier Le Bail, Ole Troan, Bob Hinden, Dmitry Courmont, Francois-Xavier Le Bail, Ole Troan, Bob Hinden, Dmitry
Anipko, and the members of 6man's address selection design team for Anipko, Ray Hunter, Rui Paulo, Brian E Carpenter, Tom Petch, and the
their invaluable contributions to this document. members of 6man's address selection design team for their invaluable
contributions to this document.
Appendix B. Past Discussion Appendix B. Past Discussion
o The 'zone index' value is used to specify a particular zone for o The 'zone index' value is used to specify a particular zone for
scoped addresses. This can be used effectively to control address scoped addresses. This can be used effectively to control address
selection in the site scope (e.g., to tell a node to use a selection in the site scope (e.g., to tell a node to use a
specified source address corresponding to a site-scoped multicast specified source address corresponding to a site-scoped multicast
address). However, in some cases such as a link-local scope address). However, in some cases such as a link-local scope
address, the value specifying one zone is only meaningful locally address, the value specifying one zone is only meaningful locally
within that node. There might be some cases where the within that node. There might be some cases where the
 End of changes. 23 change blocks. 
50 lines changed or deleted 48 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/