draft-ietf-6man-addr-select-opt-08.txt   draft-ietf-6man-addr-select-opt-09.txt 
6man Working Group A. Matsumoto 6man Working Group A.M. Matsumoto
Internet-Draft T. Fujisaki Internet-Draft T.F. Fujisaki
Intended status: Standards Track NTT Intended status: Standards Track NTT
Expires: July 20, 2013 T. Chown Expires: October 27, 2013 T.C. Chown
University of Southampton University of Southampton
January 16, 2013 April 25, 2013
Distributing Address Selection Policy using DHCPv6 Distributing Address Selection Policy using DHCPv6
draft-ietf-6man-addr-select-opt-08.txt draft-ietf-6man-addr-select-opt-09.txt
Abstract Abstract
RFC 6724 defines default address selection mechanisms for IPv6 that RFC 6724 defines default address selection mechanisms for IPv6 that
allow nodes to select an appropriate address when faced with multiple allow nodes to select an appropriate address when faced with multiple
source and/or destination addresses to choose between. The RFC 6724 source and/or destination addresses to choose between. The RFC 6724
allowed for the future definition of methods to administratively allowed for the future definition of methods to administratively
configure the address selection policy information. This document configure the address selection policy information. This document
defines a new DHCPv6 option for such configuration, allowing a site defines a new DHCPv6 option for such configuration, allowing a site
administrator to distribute address selection policy overriding the administrator to distribute address selection policy overriding the
default address selection parameters and policy table, and thus default address selection parameters and policy table, and thus
control the address selection behavior of nodes in their site. control the address selection behavior of nodes in their site.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 20, 2013. This Internet-Draft will expire on October 27, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 45 skipping to change at page 5, line 7
source address prefixes and destination address prefixes. source address prefixes and destination address prefixes.
precedence: An 8-bit unsigned integer; this value is used for precedence: An 8-bit unsigned integer; this value is used for
sorting destination addresses. sorting destination addresses.
prefix-len: An 8-bit unsigned integer; the number of leading bits in prefix-len: An 8-bit unsigned integer; the number of leading bits in
the prefix that are valid. The value ranges from 0 to 128. the prefix that are valid. The value ranges from 0 to 128.
prefix: A variable-length field containing an IP address or the prefix: A variable-length field containing an IP address or the
prefix of an IP address. An IPv4-mapped address [RFC4291] must prefix of an IP address. An IPv4-mapped address [RFC4291] must
be used to represent an IPv4 address as a prefix value. The be used to represent an IPv4 address as a prefix value. This
prefix should be left aligned, big-endian, and zero padded on field is padded with zeros up to the nearest octet boundary when
the right up to the next octet boundary. So the length of this prefix6-len is not divisible by 8. This can be expressed using
field should be between 0 and 16 bytes. the following equation: (prefix-len+7)/8 So the length of this
field should be between 0 and 16 bytes. For example, the prefix
3. Appearance of the Address Selection options 2001:db8::/60 would be encoded with an prefix-len of 60, the
prefix would be 8 octets and would contains octets 20 01 0d b8
The Address Selection options MUST NOT appear in any DHCPv6 messages 00 00 00 00.
other than the following ones: Solicit, Advertise, Request, Renew,
Rebind, Reconfigure, Information-Request, and Reply.
4. Processing the Policy Table option 3. Processing the Policy Table option
This section describes how to process received Policy Table option at This section describes how to process received Policy Table option at
the DHCPv6 client. the DHCPv6 client.
This option's concept is to serve as a hint for a node about how to This option's concept is to serve as a hint for a node about how to
behave in the network. So, basically, it should be up to the node's behave in the network. So, basically, it should be up to the node's
administrator how to deal with the received policy information in the administrator how to deal with the received policy information in the
way described below. way described below.
4.1. Handling of the local policy table 3.1. Handling of the local policy table
RFC 6724 defines the default policy table. Also, users are usually RFC 6724 defines the default policy table. Also, users are usually
able to configure the policy table to satisfy their own requirements. able to configure the policy table to satisfy their own requirements.
The client implementation SHOULD provide the following choices to the The client implementation SHOULD provide the following choices to the
user: user:
a) replace the existing active policy table with the DHCPv6 a) replace the existing active policy table with the DHCPv6
distributed policy table. distributed policy table.
b) preserve the existing active policy table, whether this be the b) preserve the existing active policy table, whether this be the
default policy table, or user configured policy. default policy table, or user configured policy.
4.2. Handling of the stale policy table 3.2. Handling of the stale policy table
When the information from the DHCP server goes stale, the policy When the information from the DHCP server goes stale, the policy
received form the DHCP server should be deprecated. received form the DHCP server should be deprecated.
The received information can be considered stale in several cases, The received information can be considered stale in several cases,
such as, when the interface goes down, the DHCP server does not such as, when the interface goes down, the DHCP server does not
respond for a certain amount of time, and the Information Refresh respond for a certain amount of time, and the Information Refresh
Time is expired. Time is expired.
4.3. Multi-interface situation 3.3. Multi-interface situation
The policy table, and other parameters specified in this document are The policy table, and other parameters specified in this document are
node-global information by their nature. One reason being that the node-global information by their nature. One reason being that the
outbound interface is usually chosen after destination address outbound interface is usually chosen after destination address
selection. So, a host cannot make use of multiple address selection selection. So, a host cannot make use of multiple address selection
policies even if they are stored per interface. policies even if they are stored per interface.
Even if the received policy from one source is merged with one from Even if the received policy from one source is merged with one from
another source, the effect of both policy are more or less changed. another source, the effect of both policy are more or less changed.
The policy table is defined as a whole, so the slightest addition/ The policy table is defined as a whole, so the slightest addition/
deletion from the policy table brings a change in semantics of the deletion from the policy table brings a change in semantics of the
skipping to change at page 6, line 37 skipping to change at page 6, line 43
The above restrictions do not preclude implementations from providing The above restrictions do not preclude implementations from providing
configuration options to enable this option on a certain network configuration options to enable this option on a certain network
interface. interface.
Nor, they do not preclude implementations from storing distributed Nor, they do not preclude implementations from storing distributed
address selection policies per interface. They can be used address selection policies per interface. They can be used
effectively on such implementations that adopt per-application effectively on such implementations that adopt per-application
interface selection. interface selection.
5. Implementation Considerations 4. Implementation Considerations
o The value 'label' is passed as an unsigned integer, but there is o The value 'label' is passed as an unsigned integer, but there is
no special meaning for the value, that is whether it is a large or no special meaning for the value, that is whether it is a large or
small number. It is used to select a preferred source address small number. It is used to select a preferred source address
prefix corresponding to a destination address prefix by matching prefix corresponding to a destination address prefix by matching
the same label value within the DHCP message. DHCPv6 clients the same label value within the DHCP message. DHCPv6 clients
SHOULD convert this label to a representation appropriate for the SHOULD convert this label to a representation appropriate for the
local implementation (e.g., string). local implementation (e.g., string).
o Currently, the label and precedence values are defined as 8-bit o Currently, the label and precedence values are defined as 8-bit
skipping to change at page 7, line 18 skipping to change at page 7, line 22
possible to carry over 3,000 rules in one DHCPv6 message (maximum possible to carry over 3,000 rules in one DHCPv6 message (maximum
UDP message size). However, it should not be expected that DHCP UDP message size). However, it should not be expected that DHCP
clients, servers and relay agents can handle UDP fragmentation. clients, servers and relay agents can handle UDP fragmentation.
Network adiministrators SHOULD consider local limitations to the Network adiministrators SHOULD consider local limitations to the
maximum DHCPv6 message size that can be reliably transported via maximum DHCPv6 message size that can be reliably transported via
their specific local infrastructure to end nodes; and therefore their specific local infrastructure to end nodes; and therefore
they SHOULD consider the number of options, the total size of the they SHOULD consider the number of options, the total size of the
options, and the resulting DHCPv6 message size, when defining options, and the resulting DHCPv6 message size, when defining
their Policy Table. their Policy Table.
o Since the number of selection rules could be large, an 5. Security Considerations
administrator configuring the policy to be distributed should
consider the resulting DHCPv6 message size.
6. Security Considerations
A rogue DHCPv6 server could issue bogus address selection policies to A rogue DHCPv6 server could issue bogus address selection policies to
a client. This might lead to incorrect address selection by the a client. This might lead to incorrect address selection by the
client, and the affected packets might be blocked at an outgoing ISP client, and the affected packets might be blocked at an outgoing ISP
because of ingress filtering, incur additional network charges, or be because of ingress filtering, incur additional network charges, or be
misdirected to an attacker's machine. Alternatively, an IPv6 misdirected to an attacker's machine. Alternatively, an IPv6
transition mechanism might be preferred over native IPv6, even if it transition mechanism might be preferred over native IPv6, even if it
is available. To guard against such attacks, a legitimate DHCPv6 is available. To guard against such attacks, a legitimate DHCPv6
server should communicate through a secure, trusted channel, such as server should communicate through a secure, trusted channel, such as
a channel protected by IPsec, SEND and DHCP authentication, as a channel protected by IPsec, SEND and DHCP authentication, as
described in section 21 of RFC 3315, described in section 21 of RFC 3315,
Another threat is about privacy concern. As in the security Another threat is about privacy concern. As in the security
consideration section of RFC 6724, at least a part of, the address consideration section of RFC 6724, at least a part of, the address
selection policy stored in a host can be leaked by a packet from a selection policy stored in a host can be leaked by a packet from a
remote host. This issue will not be modified by the introduction of remote host. This issue will not be modified by the introduction of
this option, regardless of whether the host is multihomed or not. this option, regardless of whether the host is multihomed or not.
7. IANA Considerations 6. IANA Considerations
IANA is requested to assign option codes to OPTION_ADDRSEL and IANA is requested to assign option codes to OPTION_ADDRSEL and
OPTION_ADDRSEL_TABLE from the option-code space as defined in section OPTION_ADDRSEL_TABLE from the option-code space as defined in section
"DHCPv6 Options" of RFC 3315. "DHCPv6 Options" of RFC 3315.
8. References 7. References
8.1. Normative References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003. IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3484] Draves, R., "Default Address Selection for Internet [RFC3484] Draves, R., "Default Address Selection for Internet
Protocol version 6 (IPv6)", RFC 3484, February 2003. Protocol version 6 (IPv6)", RFC 3484, February 2003.
[RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown, [RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown,
"Default Address Selection for Internet Protocol Version 6 "Default Address Selection for Internet Protocol Version 6
(IPv6)", RFC 6724, September 2012. (IPv6)", RFC 6724, September 2012.
8.2. Informative References 7.2. Informative References
[I-D.ietf-6man-addr-select-considerations] [I-D.ietf-6man-addr-select-considerations]
Chown, T. and A. Matsumoto, "Considerations for IPv6 Chown, T. and A. Matsumoto, "Considerations for IPv6
Address Selection Policy Changes", Address Selection Policy Changes", draft-ietf-6man-addr-
draft-ietf-6man-addr-select-considerations-04 (work in select-considerations-05 (work in progress), April 2013.
progress), October 2011.
[I-D.ietf-6man-addr-select-sol] [I-D.ietf-6man-addr-select-sol]
Matsumoto, A., Fujisaki, T., and R. Hiromi, "Solution Matsumoto, A., Fujisaki, T., and R. Hiromi, "Solution
approaches for address-selection problems", approaches for address-selection problems", draft-ietf-
draft-ietf-6man-addr-select-sol-03 (work in progress), 6man-addr-select-sol-03 (work in progress), March 2010.
March 2010.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S.E. and R.M. Hinden, "Internet Protocol, Version
(IPv6) Specification", RFC 2460, December 1998. 6 (IPv6) Specification", RFC 2460, December 1998.
[RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W.
Stevens, "Basic Socket Interface Extensions for IPv6", Stevens, "Basic Socket Interface Extensions for IPv6", RFC
RFC 3493, February 2003. 3493, February 2003.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006. Architecture", RFC 4291, February 2006.
[RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
Extensions for Stateless Address Autoconfiguration in Extensions for Stateless Address Autoconfiguration in
IPv6", RFC 4941, September 2007. IPv6", RFC 4941, September 2007.
[RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, [RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama,
"Problem Statement for Default Address Selection in Multi- "Problem Statement for Default Address Selection in Multi-
 End of changes. 21 change blocks. 
42 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/