All,
I fail to submit a revision of my draft by cutoff, and
could not post it right now.
So I attached a draft to this e-mail.
I'm sorry that it does not reflect the discussion of this
thread greatly. I hope to have comments.
Kindest regards,
Network Working Group A. Matsumoto
Internet-Draft T. Fujisaki
Intended status: Standards Track NTT
Expires: September 17, 2009 R. Hiromi
Intec Netcore
K. Kanayama
INTEC Systems
March 16, 2009
Things To Be Considered for RFC 3484 Revision
draft-arifumi-6man-rfc3484-revise-01.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 17, 2009.
Copyright Notice
Matsumoto, et al. Expires September 17, 2009 [Page 1]
�
Internet-Draft RFC3484 Revise March 2009
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
RFC 3484 has several known issues to be fixed mainly because of the
deprecation of IPv6 site-local unicast address and the coming of ULA.
Additionally, the rule 9 of the destination address selection rules,
namely the longest matching rule, is known for its adverse effect on
the round robin DNS technique. This document covers these essential
points to be modified and proposes possible useful changes to be
included in the revision of RFC 3484.
Matsumoto, et al. Expires September 17, 2009 [Page 2]
�
Internet-Draft RFC3484 Revise March 2009
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Problem Example . . . . . . . . . . . . . . . . . . . . . 4
2. Proposed Changes to RFC 3484 . . . . . . . . . . . . . . . . . 5
2.1. To remove site-local unicast address . . . . . . . . . . . 5
2.2. To change default policy table . . . . . . . . . . . . . . 6
2.3. To change ULA address scope to site-local . . . . . . . . 6
2.4. To add descriptions for source address selection for
multicast packet . . . . . . . . . . . . . . . . . . . . . 7
2.5. To make address type dependent control possible . . . . . 7
2.6. To disable or restrict RFC 3484 Section 6 Rule 9 . . . . . 7
2.7. To change private IPv4 address scope . . . . . . . . . . . 8
3. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4. Security Considerations . . . . . . . . . . . . . . . . . . . 9
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6.1. Normative References . . . . . . . . . . . . . . . . . . . 9
6.2. Informative References . . . . . . . . . . . . . . . . . . 10
Appendix A. Appendix. Revision History . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
Matsumoto, et al. Expires September 17, 2009 [Page 3]
�
Internet-Draft RFC3484 Revise March 2009
1. Introduction
RFC 3484 [RFC3484] defines default address selection rules for IPv6
and IPv4. Because of the deprecation of IPv6 site-local unicast
address and the coming of ULA, [RFC4193] these rules in RFC 3484 are
known to cause communication failures depending on the network
environment.
Additionally, there was a discussion at v6ops and ietf mailing lists
that the rule 9 of the destination address selection has a serious
adverse effect on the round robin DNS technique. [RFC1794] RFC 3484
defines that the destination address selection rule 9 should be
applied to both IPv4 and IPv6, which spoils the DNS based load
balancing technique that is widely used in the IPv4 Internet today.
Remi Denis-Courmont summarized NAT related address selection problems
and possible solutions in [I-D.denis-v6ops-nat-addrsel].
Problems related to IPv6 and IPv4 address selection are described in
RFC 5220 [RFC5220]. Some of them can be fixed by updating RFC 3484,
and others should not.
This document covers these essential points to be modified and
proposes possible useful changes to be included in the revision of
RFC 3484.
1.1. Problem Example
When an enterprise has IPv4 Internet connectivity but does not yet
have IPv6 Internet connectivity, and the enterprise wants to provide
site-local IPv6 connectivity, ULA is the best choice for site-local
IPv6 connectivity. Each employee host will have both an IPv4 global
or private address and a ULA. Here, when this host tries to connect
to Host-C that has registered both A and AAAA records in the DNS, the
host will choose AAAA as the destination address and ULA for the
source address. This will clearly result in a connection failure.
Matsumoto, et al. Expires September 17, 2009 [Page 4]
�
Internet-Draft RFC3484 Revise March 2009
+--------+
| Host-C | AAAA = 2001:db8::80
+-----+--+ A = 192.47.163.1
|
============
| Internet |
============
| no IPv6 connectivity
+----+----+
| Gateway |
+----+----+
|
| fd01:2:3::/48 (ULA)
| 192.0.2.0/24
++--------+
| Router |
+----+----+
| fd01:2:3:4::/64 (ULA)
| 192.0.2.240/28
------+---+----------
|
+-+----+ fd01:2:3:4::100 (ULA)
| Host | 192.0.2.245
+------+
[Fig. 1]
This problem can be solved by changing the scope of ULA to site-
local, or by adding one entry to the default policy table that sets
lower priority for ULA than IPv4 address.
This problem was mentioned at ipv6 mailing lists by Pekka Savola.
2. Proposed Changes to RFC 3484
2.1. To remove site-local unicast address
RFC3484 contains a few "site-local unicast" and "fec::" description.
It's better to remove examples related to site-local unicast address,
or change examples to use ULA. Possible points to be re-written are
below.
- 2nd paragraph in Section 3.1 describes scope comparison
mechanism.
Matsumoto, et al. Expires September 17, 2009 [Page 5]
�
Internet-Draft RFC3484 Revise March 2009
- Section 10 contains examples for site-local address.
2.2. To change default policy table
The default rule today is:
Prefix Precedence Label
::1/128 50 0
::/0 40 1
2002::/16 30 2
::/96 20 3
::ffff:0:0/96 10 4
The changes that should be included into the default policy table are
those rules that are universally useful and do no harm in every
reasonable network envionment. The changes we should consider for
the default policy table are as follows. The policy table is defined
to be configurable. The changes that are useful not universally but
locally can be put into the policy table manually or by using the
auto-configuration mechanism proposed as a DHCP option
[I-D.fujisaki-dhc-addr-select-opt].
- IPv4-compatible IPv6 address is deprecated. [RFC4291] (However,
should we keep this entry for the sake of backward compatibility
?)
- Teredo [RFC4380] is defined and has 2001::/32. Teredo's
priority should be less or equal to 6to4, considering its
characteristic of tunnel mechanism. About Windows, this point is
already in the implementation.
When we apply these changes, the default policy table looks like
this.
Prefix Precedence Label
::1/128 50 0
::/0 30 2
2002::/16 20 3
::ffff:0:0/96 10 4
2001::/32 5 5 (For Teredo)
Teredo has the worst precedence. This means that, for IPv4-IPv6
dual-stack host, Teredo address will be used only when the
destination host has an IPv6 address only.
2.3. To change ULA address scope to site-local
RFC 5220 Section 2.1.4, 2.2.2, and 2.2.3 describes address selection
problems related to ULA. These problems can be solved by changing
the scope of ULA to site-local.
Matsumoto, et al. Expires September 17, 2009 [Page 6]
�
Internet-Draft RFC3484 Revise March 2009
2.4. To add descriptions for source address selection for multicast
packet
For example, we have to pay attention to source address selection for
a multicast packet. As described in RFC 5220 Section 2.1.6, by
default, ULA will be chosen for a multicast packet of any scope.
This issue cannot be solved by changing a RFC 3484 rule. This is
because, multicast and unicast have different sets of scope and it is
site-dependent which unicast address scope is appropriate for the
site's multicast scope. Therefore, this issue can be solved, for
example, by configuring the policy table per-site.
2.5. To make address type dependent control possible
It is hard to define default preferences for these address types, RA-
based, DHCP-based, manual-based, and privacy extention address,
because the appropriate preference value depends on the usage of
these addresses, but not on address types themselves. It is the
policy table where you can control host's address selection behavior.
For example, You can set priority on RFC 3041 [RFC3041] address
(privacy extension) by putting a line in policy table specifying RFC
3041 address by 128-bit prefixlen and continuing to update policy
table according to RFC 3041 address re-generation. But, this is
surely troublesome for users and implementers.
One idea is to update RFC 3484 policy table definition so that it can
handle meta addresses like privacy, DHCPv6 generated, RA generated,
manually generated (and even Home Address ?)
To prefer privacy address by default, and to prefer RA-generated
address for site internal, the policy table will look like this.
Prefix Pref Label
2001:db8:1234::(PRIVACY)/128 30 2
::/0 10 2
2001:db8:1234::(RA):/128 30 1
2001:db8::/48 20 1
2.6. To disable or restrict RFC 3484 Section 6 Rule 9
There was a discussion at v6ops and ietf@xxxxxxxx mailing lists that
the rule 9 of the destination address selection has a serious adverse
effect on the round robin DNS technique. RFC 3484 defines that the
destination address selection rule 9 should be applied to both IPv4
and IPv6, which spoils the DNS based load balancing technique that is
widely used in the IPv4 Internet today.
Matsumoto, et al. Expires September 17, 2009 [Page 7]
�
Internet-Draft RFC3484 Revise March 2009
When the destination address acquired from one FQDN are two or more,
the Rule 9 defines that the longest matching destination and source
address pair should be chosen. As in RFC 1794, the DNS based load
balancing technique is achived by not re-ordering the destination
addresses returned from the DNS server. The Rule 9 defines
deterministic rule for re-ordering at hosts, hence the technique of
RFC 1794 is not available anymore.
Regarding this problem, there was a lot of discussion in IETF and
other places like below.
http://drplokta.livejournal.com/109267.html
http://www.ietf.org/mail-archive/web/ietf/current/msg51874.html
http://www.ietf.org/mail-archive/web/discuss/current/msg01035.html
http://www.ietf.org/mail-archive/web/dnsop/current/msg05847.html
http://lists.debian.org/debian-ctte/2007/11/msg00029.html
http://www.ietf.org/mail-archive/web/ietf/current/msg55991.html
Possible changes to RFC 3484 are as follows:
1. To delete Rule 9 completely.
2. To apply Rule 9 only for IPv6 and not for IPv4. In IPv6,
hiearchical address assignment is general principle, hence the
longest matchin rule is beneficial in many cases. In IPv4, as
stated above, the DNS based load balancing technique is widely
used.
3. To apply Rule 9 for IPv6 conditionally and not for IPv4. When
the length of matching bits of the destination address and the
source address is longer than N, the rule 9 is applied.
Otherwise, the order of the destination addresses do not change.
The N should be configurable and it should be 32 by default.
This is simply because the two sites whose matching bit length is
longer than 32 are probably adjacent.
Now that IPv6 PI address is admitted in some RIRs, hierachical
address assignment is not maintained anymore. It seems that the
longest matching algorithm is not worth the adverse effect of
disalbing the DNS based load balance technique. Therefore, the
proposal 1 or 3 seems to be preferable.
2.7. To change private IPv4 address scope
As detailed in Remi's draft [I-D.denis-v6ops-nat-addrsel], when a
host is in NATed site, and has a private IPv4 address and
transitional addresses like 6to4 and Teredo, the host chooses
transitional IPv6 address to access most of the dual-stack servers.
This is because private IPv4 address is defined to be site-local
scope, and as in RFC 3484, the scope matching rules (Rule 2) set
Matsumoto, et al. Expires September 17, 2009 [Page 8]
�
Internet-Draft RFC3484 Revise March 2009
lower priority for private IPv4 address.
By changing the address scope of private IPv4 address to global, this
problem can be solved.
3. Conclusion
This document lists up several issues that should be included in the
revision of RFC 3484, which are useful universally and do no harm in
reasonable network environments.
The address selection rules that are useful locally can be
implemented, for example, by configuring the policy table. The
policy distribution mechanism [I-D.fujisaki-dhc-addr-select-opt] may
be useful to configure a lot of hosts at a time.
The destination address selection rule 9 will spoil the DNS based
load balancing technique that is widely deployed at least in IPv4.
To keep this functionality in IPv6, the rule 9 have to be deleted or
restricted.
4. Security Considerations
No security risk is found that degrades RFC 3484.
5. IANA Considerations
Address type number for the policy table may have to be assigned by
IANA.
6. References
6.1. Normative References
[RFC1794] Brisco, T., "DNS Support for Load Balancing", RFC 1794,
April 1995.
[RFC3484] Draves, R., "Default Address Selection for Internet
Protocol version 6 (IPv6)", RFC 3484, February 2003.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Matsumoto, et al. Expires September 17, 2009 [Page 9]
�
Internet-Draft RFC3484 Revise March 2009
Architecture", RFC 4291, February 2006.
[RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
Network Address Translations (NATs)", RFC 4380,
February 2006.
6.2. Informative References
[I-D.denis-v6ops-nat-addrsel]
Denis-Courmont, R., "Problems with IPv6 source address
selection and IPv4 NATs", draft-denis-v6ops-nat-addrsel-00
(work in progress), February 2009.
[I-D.fujisaki-dhc-addr-select-opt]
Fujisaki, T., Matsumoto, A., Niinobe, S., Hiromi, R., and
K. Kanayama, "Distributing Address Selection Policy using
DHCPv6", draft-fujisaki-dhc-addr-select-opt-07 (work in
progress), March 2009.
[RFC3041] Narten, T. and R. Draves, "Privacy Extensions for
Stateless Address Autoconfiguration in IPv6", RFC 3041,
January 2001.
[RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama,
"Problem Statement for Default Address Selection in Multi-
Prefix Environments: Operational Issues of RFC 3484
Default Rules", RFC 5220, July 2008.
Appendix A. Appendix. Revision History
01:
The issue of private IPv4 address scope was added.
The issue of ULA address scope was added.
Discussion of longest matching rule was expanded.
Authors' Addresses
Arifumi Matsumoto
NTT PF Lab
Midori-Cho 3-9-11
Musashino-shi, Tokyo 180-8585
Japan
Phone: +81 422 59 3334
Email: arifumi@xxxxxxxxx
Matsumoto, et al. Expires September 17, 2009 [Page 10]
�
Internet-Draft RFC3484 Revise March 2009
Tomohiro Fujisaki
NTT PF Lab
Midori-Cho 3-9-11
Musashino-shi, Tokyo 180-8585
Japan
Phone: +81 422 59 7351
Email: fujisaki@xxxxxxxx
Ruri Hiromi
Intec Netcore, Inc.
Shinsuna 1-3-3
Koto-ku, Tokyo 136-0075
Japan
Phone: +81 3 5665 5069
Email: hiromi@xxxxxxxxxxxx
Ken-ichi Kanayama
INTEC Systems Institute, Inc.
Shimoshin-machi 5-33
Toyama-shi, Toyama 930-0804
Japan
Phone: +81 76 444 8088
Email: kanayama_kenichi@xxxxxxxxxxxxxx
Matsumoto, et al. Expires September 17, 2009 [Page 11]
�
On 2009/03/04, at 23:33, Tim Chown wrote:
On Wed, Mar 04, 2009 at 02:09:22PM +0000, Tony Finch wrote:
It seems that Vista implements RFC 3484 address selection,
including the
requirement to sort IP addresses. This breaks a great deal of
operational
dependence on DNS-based load balancing, as well as being based on an
incorrect understanding of how IP addresses are allocated.
RFC 3484 needs to be updated to delete this rule, so that the order
returned from the DNS is honoured when the client has no better
knowledge
about which address is appropriate.
See
http://drplokta.livejournal.com/109267.html
http://www.ietf.org/mail-archive/web/ietf/current/msg51874.html
http://www.ietf.org/mail-archive/web/discuss/current/msg01035.html
http://www.ietf.org/mail-archive/web/dnsop/current/msg05847.html
http://lists.debian.org/debian-ctte/2007/11/msg00029.html
The issue is mentioned in:
http://www.watersprings.org/pub/id/draft-arifumi-6man-rfc3484-revise-00.txt
"2.5. To disable or restrict RFC 3484 Section 6 Rule 9
There was a discussion at v6ops and ietf@xxxxxxxx mailing lists that
the rule 9 of the destination address selection has a serious
adverse
effect on the round robin DNS technique...."
However the above has expired. Perhaps Arifumi will issue a new
version
before the upcoming cutoff.
--
Tim
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
--
Arifumi Matsumoto
Secure Communication Project
NTT Information Sharing Platform Laboratories
E-mail: arifumi@xxxxxxxxx
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf