draft-ietf-6man-ipv6only-flag-03.txt   draft-ietf-6man-ipv6only-flag-04.txt 
Network Working Group R. Hinden Network Working Group R. Hinden
Internet-Draft Check Point Software Internet-Draft Check Point Software
Updates: 5175 (if approved) B. Carpenter Updates: 4861, 5175 (if approved) B. Carpenter
Intended status: Standards Track Univ. of Auckland Intended status: Standards Track Univ. of Auckland
Expires: April 19, 2019 October 16, 2018 Expires: May 9, 2019 November 5, 2018
IPv6 Router Advertisement IPv6-Only Flag IPv6 Router Advertisement IPv6-Only Flag
draft-ietf-6man-ipv6only-flag-03 draft-ietf-6man-ipv6only-flag-04
Abstract Abstract
This document specifies a Router Advertisement Flag to indicate to This document specifies a Router Advertisement Flag to indicate to
hosts that the administrator has configured the router to advertise hosts that the administrator has configured the router to advertise
that the link is IPv6-Only. This document updates RFC5175. that the link is IPv6-Only. This document updates RFC4861 and
RFC5175.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 19, 2019. This Internet-Draft will expire on May 9, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 10 skipping to change at page 2, line 10
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4
3. Applicability Statements . . . . . . . . . . . . . . . . . . 4 3. Applicability Statements . . . . . . . . . . . . . . . . . . 4
4. IPv6-Only Definition . . . . . . . . . . . . . . . . . . . . 4 4. IPv6-Only Definition . . . . . . . . . . . . . . . . . . . . 5
5. IPv6-Only Flag . . . . . . . . . . . . . . . . . . . . . . . 5 5. IPv6-Only Flag . . . . . . . . . . . . . . . . . . . . . . . 5
6. Router and Operational Considerations . . . . . . . . . . . . 6 6. Router and Operational Considerations . . . . . . . . . . . . 6
7. Host Behavior Considerations . . . . . . . . . . . . . . . . 6 7. Host Behavior Considerations . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. Security Considerations . . . . . . . . . . . . . . . . . . . 7 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8
11. Change log [RFC Editor: Please remove] . . . . . . . . . . . 8 11. Change log [RFC Editor: Please remove] . . . . . . . . . . . 9
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
12.1. Normative References . . . . . . . . . . . . . . . . . . 10 12.1. Normative References . . . . . . . . . . . . . . . . . . 11
12.2. Informative References . . . . . . . . . . . . . . . . . 11 12.2. Informative References . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Appendix A. Implementaton Status . . . . . . . . . . . . . . . . 13
A.1. FreeBSD Implementation . . . . . . . . . . . . . . . . . 13
A.2. Test using Scapy . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
This document specifies a Router Advertisement Flag to indicate to This document specifies a Router Advertisement Flag to indicate to
hosts that the administrator has configured the router to advertise hosts that the administrator has configured the router to advertise
that the link is IPv6-Only. The flag does not apply to non-default that the link is IPv6-Only. The flag only applies to IPv6 default
IPv6 routers. routers.
Hosts that support IPv4 and IPv6, usually called dual stack hosts, Hosts that support IPv4 and IPv6, usually called dual stack hosts,
need to also work efficiently on IPv6 only links. That is, a link need to also work efficiently on IPv6-Only links, i.e, links where
where there are no IPv4 routers and/or IPv4 services. Dual stack is there are no IPv4 routers and/or IPv4 services. Dual stack is the
the default configuration for most current host operating systems default configuration for most current host operating systems such as
such as Windows 10, IOS, Android, Linux, and BSD, as well as devices Windows 10, iOS, Android, Linux, and BSD, as well as devices such as
such as printers. Monitoring of an IPv6-only link, for example at some printers. Monitoring of an IPv6-Only link, for example at the
the IETF 100 meeting in Singapore, shows that current dual stack IETF 100 meeting in Singapore, shows that current dual stack hosts
hosts will create local auto-configured IPv4 addresses and attempt to will create local auto-configured IPv4 addresses and attempt to reach
reach IPv4 services, even though they cannot configure a normal IPv4 services, even though they cannot configure a normal address
address using DHCP. This may be a problem for several reasons, using DHCP. This may be a problem for several reasons, depending on
depending on the equipment in use and its configuration, especially the equipment in use and its configuration, especially on large
on large wireless networks: wireless networks:
o It may result in an undesirable level of wasted Layer 2 broadcast o It may result in an undesirable level of wasted Layer 2 broadcast
traffic. traffic.
o In particular, this may overload switches in multi-segment o Switches in multi-segment wireless networks may create IPv4 state
wireless networks if the switches create IPv4 state for every dual for dual stack hosts (in particular, ARP cache entries to support
stack host. ARP proxying).
o Such traffic may drain battery power on wireless hosts that have o Such traffic may drain battery power on wireless hosts that have
no interest in link-local IPv4, ARP, and DHCPv4 relay traffic, but no interest in link-local IPv4, ARP, and DHCPv4 relay traffic, but
receive unwanted IPv4 packets. [RFC7772] indicates how this risk receive unwanted IPv4 packets. [RFC7772] indicates how this risk
might be quantified. might be quantified.
o Similarly, hosts may waste battery power on futile attempts to o Similarly, hosts may waste battery power on futile attempts to
access services by sending IPv4 packets. access services by sending IPv4 packets.
o On an IPv6-only link, IPv4 might be used for malicious purposes o On an IPv6-Only link, IPv4 might be used for malicious purposes
and pass unnoticed by IPv6-only monitoring mechanisms. and pass unnoticed by IPv6-Only monitoring mechanisms.
In managed networks whose equipment allows it, these problems could In networks with managed infrastructure whose equipment allows it,
be mitigated by configuring the Layer 2 infrastructure to drop IPv4 these problems could be mitigated by configuring the Layer 2
and ARP traffic by filtering Ethertypes 0x0800 and 0x806 infrastructure to drop IPv4 and ARP traffic by filtering Ethertypes
[IANA-Ethertype]. IPv6 uses a different Ethertype, 0x86DD, so this 0x0800 and 0x0806 [IANA-Ethertype]. IPv6 uses a different Ethertype,
filtering will not interfere with IPv6 traffic. Depending on the 0x86DD, so this filtering will not interfere with IPv6 traffic.
equipment details, this would limit the traffic to the link from an Depending on the equipment details, this would limit the traffic to
IPv4 sender to the switch, and would drop all IPv4 and ARP broadcast the link from an IPv4 sender to the switch, and would drop all IPv4
packets at the switch. This document recommends using such and ARP broadcast packets at the switch. This document recommends
mechanisms when available. using such mechanisms when available.
However, hosts transmitting IPv4 packets would still do so, consuming However, hosts transmitting IPv4 packets would still do so, consuming
their own battery power and some radio bandwidth. The intent of this their own battery power and some radio bandwidth. The intent of this
specification is to provide a mechanism that prevents such traffic, specification is to provide a mechanism that prevents such traffic,
and also works on networks without the ability to filter L2 traffic, and also works on networks without the ability to filter L2 traffic,
or where there are portions of a network without the ability to or where there are portions of a network without the ability to
filter L2 traffic. It may also be valuable on unmanaged networks filter L2 traffic. It may also be valuable on unmanaged networks
using routers pre-configured for IPv6-only operations and where Layer using routers pre-configured for IPv6-Only operations and where Layer
2 filtering is unavailable. 2 filtering is unavailable.
An assumption of this document is that no IPv4 DHCP server or relay An assumption of this document is that because it is an IPv6-Only
is active on the link, because it is an IPv6-only link. If this link there is no IPv4 DHCP server or relay active on the link. This
assumption is false, the DHCP option to disable IPv4 stateless auto- further means that the DHCP option to disable IPv4 stateless auto-
configuration [RFC2563] could be used. configuration [RFC2563] can not be used.
The remainder of this document therefore assumes that neither The remainder of this document therefore assumes that neither
effective Layer 2 filtering nor the RFC 2563 DHCP option is effective Layer 2 filtering nor the RFC 2563 DHCP option is
applicable to the link concerned. applicable to the link concerned.
Because there is no IPv4 support on IPv6-only routers, the only way Because there is no IPv4 support on an IPv6-Only link, the only way
to notify the dual stack hosts that this link is IPv6-Only is to use to notify the dual stack hosts that this link is IPv6-Only is to use
an IPv6 mechanism. An active notification will be much more precise an IPv6 mechanism. An active notification will be much more precise
than attempting to deduce this fact by the lack of IPv4 responses or than attempting to deduce this fact by the lack of IPv4 responses or
traffic. traffic.
This document therefore defines a mechanism that a router This document therefore defines a mechanism that a router
administrator can use to inform hosts that this is an IPv6-Only link administrator can use to inform hosts that this is an IPv6-Only link
on their default routers such that they can disable IPv4 on this on their default routers such that they can disable IPv4 on this
link, mitigating all of the above problems. link, mitigating all of the above problems. The mechanism is based
on the IPv6 Router Advertisement message because this is a type of
message that is certain to be received by every dual stack host,
regardless of what network management protocols may or may not be in
use.
IPv4-only hosts, and dual-stack hosts that do not recognize the new IPv4-only hosts, and dual-stack hosts that do not recognize the new
flag, may continue to attempt IPv4 operations, in particular IPv4 flag, may continue to attempt IPv4 operations, in particular IPv4
discovery protocols typically sent as link-layer broadcasts. This discovery protocols typically sent as link-layer broadcasts. This
legacy traffic cannot be prevented by any IPv6 mechanism. The value legacy traffic cannot be prevented by any IPv6 mechanism. The value
of the new flag is limited to hosts that recognize it. of the new flag is limited to hosts that recognize it.
A possible subsidiary use of the IPv6-Only flag is using it to A possible subsidiary use of the IPv6-Only flag is using it to
trigger IPv6-Only testing and validation on a link. trigger IPv6-Only testing and validation on a link.
This document specifies a new flag for Router Advertisement Flag This document specifies a new flag for Router Advertisement Flag
[RFC5175]. It updates [RFC5175] to add this flag. [RFC5175]. It updates [RFC5175] to add this flag. It also updates
[RFC4861] to add an additional item to check and report.
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Applicability Statements 3. Applicability Statements
This OPTIONAL mechanism is designed to allow administrators to notify This OPTIONAL mechanism is designed to allow administrators to notify
hosts that the link is IPv6-Only. It SHOULD be only used in hosts that the link is IPv6-Only. It SHOULD be only used in
IPv6-Only links (see below for definition). IPv6-Only links (see below for definition). For a VLAN, the
IPv6-Only flag only applies to the specific VLAN on which it was
received.
Dual stack hosts that have a good reason to use IPv4, for example for Dual stack hosts that have a good reason to use IPv4, for example for
a specific IPv4 link-local service, can attempt to do so. Therefore a specific IPv4 link-local service, can attempt to do so. Therefore
respect of the IPv6-Only flag is recommended, not mandatory, for respect of the IPv6-Only flag is recommended, not mandatory, for
hosts. hosts.
Administrators SHOULD only use this mechanism if they are certain Administrators MUST only use this mechanism if they are certain that
that the link is IPv6-Only. For example, in cases where there is a the link is IPv6-Only. For example, in cases where there is a need
need to continue to use IPv4, when there are intended to be IPv4-only to continue to use IPv4, when there are intended to be IPv4-only
hosts or IPv4 routers on the link, setting this flag to 1 is a hosts or IPv4 routers on the link, setting this flag to 1 is a
configuration error. configuration error.
This mechanism is intended to be compatible with link-layer solutions This mechanism is intended to be compatible with link-layer solutions
that filter out IPv4 traffic. that filter out IPv4 traffic.
4. IPv6-Only Definition 4. IPv6-Only Definition
IPv6-Only is defined to mean that no other versions of internet IPv6-Only is defined to mean that no other versions of Internet
protocol than IPv6 are intentionally running directly on the link. Protocol than IPv6 are intentionally in use directly on the link.
Today this effectively simply means that IPv4 is not running on the Today this effectively simply means that IPv4 is not intentionally in
link, and it includes: use on the link, and it includes:
* No IPv4 traffic on the Link * No IPv4 traffic on the link.
* No IPv4 routers on the Link * No IPv4 routers on the link.
* No DHCPv4 servers on the Link * No DHCPv4 servers on the link.
* No IPv4 accessible services on the Link * No IPv4 accessible services on the link.
* All IPv4 and ARP traffic may be blocked at Layer 2 by the * All IPv4 and ARP traffic may be blocked at Layer 2 by the
administrator administrator.
It is expected that on IPv6-Only networks it will be common for It is expected that on IPv6-Only networks it will be common to access
access to IPv4 external services to be reached by techniques such as to IPv4 external services by techniques such as NAT64 [RFC6146] and
NAT64 [RFC6146] and DNS64 [RFC6147] at the edge of the network. This DNS64 [RFC6147] at the edge of the network. This is beyond the
is beyond the scope of this document. scope of this document.
Note that IPv6-Only provides no information about other network Note that IPv6-Only provides no information about other network
protocols than IP running directly over the link layer. It is out of protocols than IP (and ARP) in use directly over the link layer. It
scope of this specification whether any such protocol is running on is out of scope of this specification whether any such protocol is in
the link or whether any protocol is tunneled over IPv6. use on the link or whether any protocol is tunneled over IPv6.
5. IPv6-Only Flag 5. IPv6-Only Flag
RFC5175 currently defines the flags in the NDP Router Advertisement RFC5175 currently defines the flags in the NDP Router Advertisement
message and these flags are registered in the IANA IPv6 ND Router message and these flags are registered in the IANA IPv6 ND Router
Advertisement flags Registry [IANA-RF]. This currently contains the Advertisement flags Registry [IANA-RF]. This currently contains the
following one-bit flags defined in published RFCs: following one-bit flags defined in published RFCs:
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
skipping to change at page 5, line 43 skipping to change at page 6, line 5
M Managed Address Configuration Flag [RFC4861] M Managed Address Configuration Flag [RFC4861]
O Other Configuration Flag [RFC4861] O Other Configuration Flag [RFC4861]
H Mobile IPv6 Home Agent Flag [RFC3775] H Mobile IPv6 Home Agent Flag [RFC3775]
Prf Router Selection Preferences [RFC4191] Prf Router Selection Preferences [RFC4191]
P Neighbor Discovery Proxy Flag [RFC4389] P Neighbor Discovery Proxy Flag [RFC4389]
R Reserved R Reserved
This document defines bit 6 to be the IPv6-Only Flag: This document defines bit 6 to be the IPv6-Only Flag:
6 IPv6-Only Flag S IPv6-Only Flag
This flag has two values. These are: This flag has two values. These are:
0 This is not an IPv6-Only link 0 This is not an IPv6-Only link
1 This is an IPv6-Only link 1 This is an IPv6-Only link
RFC 5175 requires that unused flag bits be set to zero. Therefore, a RFC 5175 requires that unused flag bits be set to zero. Therefore, a
router that does not support the new flag will not appear to assert router that does not support the new flag will not appear to assert
that this is an IPv6-Only link. that this is an IPv6-Only link.
Hosts receiving the Router Advertisement SHOULD only process this Hosts receiving the Router Advertisement SHOULD only process this
flag if the advertising router is a Default Router. Specifically, if flag if the advertising router is a Default Router. Specifically, if
the Lifetime field in the Router Advertisement is not zero, otherwise the Lifetime field in the Router Advertisement is not zero, otherwise
it SHOUD be ignored. This is done to allow some IPv6 routers to it SHOULD be ignored. This is done to allow some IPv6 routers to
advertise information without being a Default Router and providing advertise information without being a Default Router and providing
IPv6 connectivity. IPv6 connectivity.
Note that although this mechanism uses one of only two reserved flag Note that although this mechanism uses one of only two reserved flag
bits in the RA, an extension mechanism is defined in Section 4 of bits in the RA, an extension mechanism is defined in Section 4 of
[RFC5175] in case additional flags are ever required for future [RFC5175] in case additional flags are ever required for future
extensions. extensions. It should be noted that since RFC5175 was published in
2008, no new RA flags have been assigned in the IANA registry.
6. Router and Operational Considerations 6. Router and Operational Considerations
Default IPv6 routers that are on an IPv6-Only link SHOULD be Default IPv6 routers that are on an IPv6-Only link SHOULD be
configured to set the IPv6-Only flag to 1 on interfaces on this link. configured by the administrator to set the IPv6-Only flag to 1 on
In all other cases the flag SHOULD NOT be set to 1. interfaces on this link. In all other cases the flag SHOULD NOT be
set to 1.
The intent is that the administrator of the router configures the The intent is that the administrator of the router configures the
router to set the IPv6-Only flag if she/he wants to tell the hosts on router to set the IPv6-Only flag if she/he wants to tell the hosts on
the link that the link is IPv6-Only. This is a configuration flag, the link that the link is IPv6-Only. This is a configuration flag,
it is not something that the router decides on it's own. Routers MAY it is not something that the router decides on its own. Routers MAY
log a configuration error if the flag is set and IPv4 is still active log a configuration error if the flag is set and IPv4 is still active
on the routers interface to the link. on the router's interface to the link.
Operators of large IPv6-only wireless links are advised to also use Routers implementing this document SHOULD log to system or network
management inconsistent setting of the IPv6-Only flag. This extends
the behaviour specified in Section 6.2.7 of [RFC4861].
Operators of large IPv6-Only wireless links are advised to also use
Layer 2 techniques to drop IPv4 and ARP packets (Ethertypes 0x0800 Layer 2 techniques to drop IPv4 and ARP packets (Ethertypes 0x0800
and 0x806) at all switches, and to ensure that IPv4 and ARP features and 0x0806) at all switches, and to ensure that IPv4 and ARP features
are disabled in all switches. are disabled in all switches.
7. Host Behavior Considerations 7. Host Behavior Considerations
If there are multiple IPv6 default routers on a link, they might send If there are multiple IPv6 default routers on a link, they might send
different values of the flag. If at least one IPv6 default router different values of the flag. If at least one IPv6 default router
sends the flag with value 0, a dual stack host SHOULD NOT assume that sends the flag with value 0, a dual stack host MUST NOT assume that
the link is IPv6-Only. If all IPv6 default routers send the flag the link is IPv6-Only. If all IPv6 default routers send the flag
with value 1, a dual stack host SHOULD assume that this is an with value 1, a dual stack host SHOULD assume that this is an
IPv6-Only link. IPv6-Only link.
A host that receives only RAs with the flag set to 1 SHOULD NOT A host that receives only RAs with the flag set to 1 SHOULD NOT
attempt any IPv4 operations, unless it subsequently receives at least attempt any IPv4 operations, unless it subsequently receives at least
one RA with the flag set to zero. As soon as such an RA is received, one RA with the flag set to zero. As soon as such an RA is received,
IPv4 operations SHOULD be started. IPv4 operations MAY be started.
A host MAY choose to delay all IPv4 operations at start-up until a A host MAY delay all IPv4 operations at start-up or reconnection
reasonable time has elapsed for RA messages to arrive. If all RAs until a reasonable time has elapsed for RA messages to arrive. If
received have the flag set, a host SHOULD also choose to not attempt all RAs received have the flag set to 1, a host SHOULD NOT attempt
IPv4 operations until an application asks it to, specifically delay IPv4 operations.
performing DHCPV4 until it gets a request from an application to use
IPv4. This would avoid attempting to obtain IPv4 addresses if there
are no applications trying to use IPv4.
In all of the above, the flag's value is considered valid for the In all of the above, the flag's value is considered valid for the
lifetime of the default router concerned, unless a subsequent RA lifetime of the default router concerned, unless a subsequent RA
delivers a different flag value. If a default router expires (i.e., delivers a different flag value. If a default router expires (i.e.,
no RA is received that refreshes its lifetime), the host must remove no RA is received that refreshes its lifetime), the host must remove
this router's flag value from consideration. If the result is that this router's flag value from consideration. If the result is that
all surviving default routers have the flag set to 1, the host SHOULD all surviving default routers have the flag set to 1, the host SHOULD
assume that the link is IPv6-Only. In other words, at any given assume that the link is IPv6-Only. In other words, at any given
time, the state of the flag as seen by the host is the logical AND of time, the state of the flag as seen by the host is the logical AND of
the flags sent by all unexpired default IPv6 routers. the flags sent by all unexpired default IPv6 routers on the link.
This also means that if all default routers have set the flag, the This also means that if all default routers on the link have set the
flag for the host is thereby set. If the lifetimes of all the flag, the resulting host state for the link is IPv6-Only. If the
routers subsequently expire, then the state of the flag for the host lifetimes of all the routers on the link subsequently expire, then
becomes cleared. the host state for the link is not IPv6-Only.
8. IANA Considerations 8. IANA Considerations
IANA is requested to assign the new Router Advertisement flag defined IANA is requested to assign the new Router Advertisement flag defined
in Section 5 of this document. Bit 6 is the next available bit in in Section 5 of this document. Bit 6 is the next available bit in
this registry, IANA is requested to use this bit unless there is a this registry, IANA is requested to use this bit unless there is a
reason to use another bit in this registry. reason to use another bit in this registry.
IANA is also requested to register this new flag bit in the IANA IPv6 IANA is also requested to register this new flag bit in the IANA IPv6
ND Router Advertisement flags Registry [IANA-RF]. ND Router Advertisement flags Registry [IANA-RF].
skipping to change at page 7, line 50 skipping to change at page 8, line 15
9. Security Considerations 9. Security Considerations
This document shares the security issues with other parts of IPv6 This document shares the security issues with other parts of IPv6
Neighbor Discovery. [RFC6104] discusses certain attacks and Neighbor Discovery. [RFC6104] discusses certain attacks and
mitigations. General techniques to protect Router Advertisement mitigations. General techniques to protect Router Advertisement
traffic such as Router Guard [RFC6105] are useful in protecting traffic such as Router Guard [RFC6105] are useful in protecting
against these vulnerabilities. against these vulnerabilities.
A bad actor could use this mechanism to attempt turn off IPv4 service A bad actor could use this mechanism to attempt turn off IPv4 service
on a link that is intentionally using IPv4, by sending Router on a link that is intentionally using IPv4, by sending Router
Advertisements with the IPv6-Only Flag set to 1. In that case, as Advertisements with the IPv6-Only flag set to 1. In that case, as
long as there are one or more routers sending Router Advertisements long as there are one or more routers sending Router Advertisements
with this Flag set to 0, they would override this attack given the with this flag set to 0, they would override this attack given the
mechanism in Section 5. Specifically a host would only turn off IPv4 mechanism in Section 5. Specifically a host would only turn off IPv4
service if it wasn't hearing any Router Advertisement with the Flag service if it wasn't hearing any Router Advertisement with the flag
set to 0. If the advice in Section 6 is followed, this attack will set to 0. If the advice in Section 6 is followed, this attack will
fail. In a situation where the bad actor has control of all routers fail. In a situation where the bad actor has control of all routers
on the link and sends Router Advertisements with the IPv6-Only Flag on the link and sends Router Advertisements with the IPv6-Only flag
set to 1 from all of them, the attack will succeed, but so will many set to 1 from all of them, the attack will succeed, but so will many
other forms of router-based attack. other forms of router-based attack.
Conversely, a bad actor could use this mechanism to turn on, or Conversely, a bad actor could use this mechanism to turn on, or
pretend to turn on, IPv4 service on an IPv6-only link, by sending pretend to turn on, IPv4 service on an IPv6-Only link, by sending
Router Advertisements with the Flag set to 0. However, this is Router Advertisements with the flag set to 0. However, this is
really no different than what such a bad actor can do anyway, if they really no different than what such a bad actor can do anyway, if they
have the ability to configure a bogus router in the first place. The have the ability to configure a bogus router in the first place. The
advice in Section 6 will minimize such an attack by limiting it to a advice in Section 6 will minimize such an attack by limiting it to a
single link. single link.
Note that manipulating the Router Preference [RFC4191] will not Note that manipulating the Router Preference [RFC4191] will not
affect either of these attacks: any IPv6-Only Flag of 0 will always affect either of these attacks: any IPv6-Only flag of 0 will always
override all Flags set to 1. override all flags set to 1.
The new flag is neutral from an IPv6 privacy viewpoint, since it does The new flag is neutral from an IPv6 privacy viewpoint, since it does
not affect IPv6 operations in any way. From an IPv4 privacy not affect IPv6 operations in any way. From an IPv4 privacy
viewpoint, it has the potential benefit of suppressing unnecessary viewpoint, it has the potential benefit of suppressing unnecessary
traffic that might reveal the existence of a host and the correlation traffic that might reveal the existence of a host and the correlation
between its hardware and IPv4 addresses. It should be noted that between its hardware and IPv4 addresses. It should be noted that
hosts that don't support this flag are not protected from IPv4-based hosts that don't support this flag are not protected from IPv4-based
attacks. attacks.
10. Acknowledgments 10. Acknowledgments
A closely related proposal was published earlier as A closely related proposal was published earlier as
[I-D.ietf-sunset4-noipv4]. [I-D.ietf-sunset4-noipv4].
Helpful comments were received from Lorenzo Colitti, David Farmer, Helpful comments were received from Lorenzo Colitti, David Farmer,
Fernando Gont, Nick Hilliard, Erik Kline, Jen Linkova, Veronika Fernando Gont, Nick Hilliard, Lee Howard, Erik Kline, Jen Linkova,
McKillop, George Michaelson, Michael Richardson, Mark Smith, Barbara Veronika McKillop, George Michaelson, Alexandre Petrescu, Michael
Stark, Tatuya Jinmei, Ole Troan, James Woodyatt, and other members of Richardson, Mark Smith, Barbara Stark, Tatuya Jinmei, Ole Troan,
the 6MAN working group. James Woodyatt, Bjoern Zeeb, and other members of the 6MAN working
group.
Bjoern Zeeb has also produced a variant of this proposal and proposed Bjoern Zeeb has also produced a variant of this proposal and proposed
an IPv6 transition plan in [I-D.bz-v4goawayflag]. an IPv6 transition plan in [I-D.bz-v4goawayflag].
11. Change log [RFC Editor: Please remove] 11. Change log [RFC Editor: Please remove]
draft-ietf-6man-ipv6only-flag-04, 2018-November-4:
* Added text to Section 1 explaining why the mechanism is based
on Router Advertisements.
* Added text to Section 3 that for a VLAN, the IPv6-Only flag
only applies to the specific VLAN on which it was received.
* Changed Section 3 that administrators MUST only use this
mechanism if they are certain that the link is IPv6-Only,
instead of SHOULD.
* Added ARP to Section 4 protocols that the IPv6-Only flag
applies to.
* Renamed the IPv6-Only flag label from "6" to "S".
* Added pointers to Section 7.2.7 of RFC4861 in Section 6.
* Added that RFC4861 is also updated by Section 6 for routers
implementing this flag.
* Changed Section 7 from SHOULD NOT to MUST NOT.
* Added Appendix A on implementations and testing.
* Many small clarifications based on IPv6 list discussion and
editorial changes.
draft-ietf-6man-ipv6only-flag-03, 2018-October-16: draft-ietf-6man-ipv6only-flag-03, 2018-October-16:
* Reorganized text about problem statement and applicability * Reorganized text about problem statement and applicability
* Added note about shortage of flag bits * Added note about shortage of flag bits
* Clarified text about logging configuration error in Section 6 * Clarified text about logging configuration error in Section 6
* Editorial changes. * Editorial changes.
draft-ietf-6man-ipv6only-flag-02, 2018-August-14: draft-ietf-6man-ipv6only-flag-02, 2018-August-14:
* Added text to Section 9 to clarify that hosts not supporting * Added text to Section 9 to clarify that hosts not supporting
this flag are not protected from IPv4-based attacks. this flag are not protected from IPv4-based attacks.
* Editorial changes. * Editorial changes.
draft-ietf-6man-ipv6only-flag-01, 2018-June-29: draft-ietf-6man-ipv6only-flag-01, 2018-June-29:
* Added text to section that defines what IPv6-Only includes to * Added text to section that defines what IPv6-Only includes to
clarify that only other version of the Internet protocol are in clarify that only other version of the Internet Protocol are in
scope. scope.
* Added clarification if the lifetime of all routers expire. * Added clarification if the lifetime of all routers expire.
* Editorial changes. * Editorial changes.
draft-ietf-6man-ipv6only-flag-00, 2018-May-21: draft-ietf-6man-ipv6only-flag-00, 2018-May-21:
* Changed the file name to draft-ietf-6man-ipv6only-flag to match * Changed the file name to draft-ietf-6man-ipv6only-flag to match
the current tile and that it is a w.g. draft. the current tile and that it is a w.g. draft.
* Added new section that defines what IPv6-Only includes. * Added new section that defines what IPv6-Only includes.
* Expanded description of using Layer 2 filter to block IPv4 and * Expanded description of using Layer 2 filter to block IPv4 and
skipping to change at page 12, line 16 skipping to change at page 12, line 47
Beijnum, "DNS64: DNS Extensions for Network Address Beijnum, "DNS64: DNS Extensions for Network Address
Translation from IPv6 Clients to IPv4 Servers", RFC 6147, Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
DOI 10.17487/RFC6147, April 2011, <https://www.rfc- DOI 10.17487/RFC6147, April 2011, <https://www.rfc-
editor.org/info/rfc6147>. editor.org/info/rfc6147>.
[RFC7772] Yourtchenko, A. and L. Colitti, "Reducing Energy [RFC7772] Yourtchenko, A. and L. Colitti, "Reducing Energy
Consumption of Router Advertisements", BCP 202, RFC 7772, Consumption of Router Advertisements", BCP 202, RFC 7772,
DOI 10.17487/RFC7772, February 2016, <https://www.rfc- DOI 10.17487/RFC7772, February 2016, <https://www.rfc-
editor.org/info/rfc7772>. editor.org/info/rfc7772>.
[Scapy_RA]
"Router Advertisements with scapy (NETLAB)",
<https://samsclass.info/124/proj11/proj9xN-scapy-ra.html>.
Appendix A. Implementaton Status
At the time this document was written there is one implementation and
a few comparability tests.
A.1. FreeBSD Implementation
A FreeBSD implementation was written by Bjoern Zeeb. It can be found
at:
https://lists.freebsd.org/pipermail/svn-src-
head/2018-October/119360.html
Summary:
This change defines the RA "6" (IPv6-Only) flag which routers may
advertise, kernel logic to check if all routers on a link have the
flag set and accordingly update a per-interface flag.
If all routers agree that it is an IPv6-only link,
ether_output_frame(), based on the interface flag, will filter out
all ETHERTYPE_IP/ARP frames, drop them, and return EAFNOSUPPORT to
upper layers.
The change also updates ndp to show the "6" flag, ifconfig to
display the IPV6_ONLY nd6 flag if set, and rtadvd to allow
announcing the flag.
The code was tested with 2 FreeBSD IPv6 routers, a FreeBSD laptop
on ethernet as well as wifi, and with Win10 and OSX clients (which
did not fall over with the "6" flag set but not understood).
A.2. Test using Scapy
Independent tests have been done using [Scapy_RA] by Alexandre
Petrescu and Brian Carpenter to verify that setting the IPv6-Only
Flag did not break legacy hosts. Both verified that setting this
flag did not cause any adverse effects on Windows 10 and Android.
Authors' Addresses Authors' Addresses
Robert M. Hinden Robert M. Hinden
Check Point Software Check Point Software
959 Skyway Road 959 Skyway Road
San Carlos, CA 94070 San Carlos, CA 94070
USA USA
Email: bob.hinden@gmail.com Email: bob.hinden@gmail.com
Brian Carpenter Brian Carpenter
Department of Computer Science Department of Computer Science
University of Auckland University of Auckland
PB 92019 PB 92019
Auckland 1142 Auckland 1142
New Zealand New Zealand
Email: brian.e.carpenter@gmail.com Email: brian.e.carpenter@gmail.com
 End of changes. 50 change blocks. 
105 lines changed or deleted 182 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/