| draft-ietf-v6ops-addr-select-req-07.txt | rfc5221.txt | |||
|---|---|---|---|---|
| IPv6 Operations Working Group A. Matsumoto | Network Working Group A. Matsumoto | |||
| Internet-Draft T. Fujisaki | Request for Comments: 5221 T. Fujisaki | |||
| Intended status: Informational NTT | Category: Informational NTT | |||
| Expires: November 13, 2008 R. Hiromi | R. Hiromi | |||
| Intec NetCore | ||||
| K. Kanayama | K. Kanayama | |||
| Intec Netcore | INTEC Systems | |||
| May 12, 2008 | Requirements for Address Selection Mechanisms | |||
| Requirements for address selection mechanisms | ||||
| draft-ietf-v6ops-addr-select-req-07.txt | ||||
| Status of this Memo | ||||
| By submitting this Internet-Draft, each author represents that any | ||||
| applicable patent or other IPR claims of which he or she is aware | ||||
| have been or will be disclosed, and any of which he or she becomes | ||||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF), its areas, and its working groups. Note that | ||||
| other groups may also distribute working documents as Internet- | ||||
| Drafts. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | ||||
| and may be updated, replaced, or obsoleted by other documents at any | ||||
| time. It is inappropriate to use Internet-Drafts as reference | ||||
| material or to cite them other than as "work in progress." | ||||
| The list of current Internet-Drafts can be accessed at | ||||
| http://www.ietf.org/ietf/1id-abstracts.txt. | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | ||||
| http://www.ietf.org/shadow.html. | ||||
| This Internet-Draft will expire on November 13, 2008. | ||||
| Copyright Notice | Status of This Memo | |||
| Copyright (C) The IETF Trust (2008). | This memo provides information for the Internet community. It does | |||
| not specify an Internet standard of any kind. Distribution of this | ||||
| memo is unlimited. | ||||
| Abstract | Abstract | |||
| There are some problematic cases when using the default address | There are some problematic cases when using the default address | |||
| selection mechanism which RFC 3484 defines. This document describes | selection mechanism that RFC 3484 defines. This document describes | |||
| additional requirements co-working with RFC 3484 to solve the | additional requirements that operate with RFC 3484 to solve the | |||
| problems. | problems. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction ....................................................2 | |||
| 2. Requirements of Address Selection . . . . . . . . . . . . . . . 3 | 2. Requirements of Address Selection ...............................2 | |||
| 2.1. Effectiveness . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Effectiveness ..............................................2 | |||
| 2.2. Timing . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.2. Timing .....................................................2 | |||
| 2.3. Dynamic Behavior Update . . . . . . . . . . . . . . . . . . 4 | 2.3. Dynamic Behavior Update ....................................3 | |||
| 2.4. Node-Specific Behavior . . . . . . . . . . . . . . . . . . 4 | 2.4. Node-Specific Behavior .....................................3 | |||
| 2.5. Application-Specific Behavior . . . . . . . . . . . . . . . 4 | 2.5. Application-Specific Behavior ..............................3 | |||
| 2.6. Multiple Interface . . . . . . . . . . . . . . . . . . . . 4 | 2.6. Multiple Interface .........................................3 | |||
| 2.7. Central Control . . . . . . . . . . . . . . . . . . . . . . 4 | 2.7. Central Control ............................................3 | |||
| 2.8. Next-hop Selection . . . . . . . . . . . . . . . . . . . . 4 | 2.8. Next-Hop Selection .........................................3 | |||
| 2.9. Compatibility with RFC 3493 . . . . . . . . . . . . . . . . 4 | 2.9. Compatibility with RFC 3493 ................................4 | |||
| 2.10. Compatibility and Interoperability with RFC 3484 . . . . . 5 | 2.10. Compatibility and Interoperability with RFC 3484 ..........4 | |||
| 2.11. Security . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.11. Security ..................................................4 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | 3. Security Considerations .........................................4 | |||
| 3.1. List of threats introduced by new address-selection | 3.1. List of Threats Introduced by New Address-Selection | |||
| mechanism . . . . . . . . . . . . . . . . . . . . . . . . . 5 | Mechanism ..................................................4 | |||
| 3.2. List of recommendations in which security mechanism | 3.2. List of Recommendations in Which Security Mechanism | |||
| should be applied . . . . . . . . . . . . . . . . . . . . . 6 | Should Be Applied ..........................................5 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Normative References ............................................5 | |||
| 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
| 5.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | ||||
| 5.2. Informative References . . . . . . . . . . . . . . . . . . 6 | ||||
| Appendix A. Appendix. Revision History . . . . . . . . . . . . . . 6 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | ||||
| Intellectual Property and Copyright Statements . . . . . . . . . . 9 | ||||
| 1. Introduction | 1. Introduction | |||
| Today, the RFC 3484 [RFC3484] mechanism is widely implemented in | Today, the RFC 3484 [RFC3484] mechanism is widely implemented in | |||
| major OSs. However, in many sites, the default address-selection | major OSs. However, in many sites, the default address-selection | |||
| rules are not appropriate, and cause a communication failure. PS | rules are not appropriate, and cause a communication failure. The | |||
| [I-D.ietf-v6ops-addr-select-ps] lists problematic cases that resulted | problem statement (PS) document [RFC5220] lists problematic cases | |||
| from incorrect address selection. | that resulted from incorrect address selection. | |||
| Though RFC 3484 made the address-selection behavior of a host | Though RFC 3484 made the address-selection behavior of a host | |||
| configurable, typical users cannot make use of that because of the | configurable, typical users cannot make use of that because of the | |||
| complexity of the mechanism and lack of knowledge about their network | complexity of the mechanism and lack of knowledge about their network | |||
| topologies. Therefore, an address-selection autoconfiguration | topologies. Therefore, an address-selection autoconfiguration | |||
| mechanism is necessary, especially for unmanaged hosts of typical | mechanism is necessary, especially for unmanaged hosts of typical | |||
| users. | users. | |||
| This document contains requirements for address-selection mechanisms | This document contains requirements for address-selection mechanisms | |||
| that enable hosts to perform appropriate address selection | that enable hosts to perform appropriate address selection | |||
| automatically. | automatically. | |||
| 2. Requirements of Address Selection | 2. Requirements of Address Selection | |||
| Address-selection mechanisms have to fulfill the following eleven | Address-selection mechanisms have to fulfill the following eleven | |||
| requirements. | requirements. | |||
| 2.1. Effectiveness | 2.1. Effectiveness | |||
| The mechanism can modify RFC 3484 default address-selection behavior | The mechanism can modify RFC 3484 default address-selection behavior | |||
| at nodes. As documented in PS [I-D.ietf-v6ops-addr-select-ps], the | at nodes. As documented in the PS [RFC5220], the default rules | |||
| default rules defined in RFC 3484 do not work properly in some | defined in RFC 3484 do not work properly in some environments. | |||
| environments. Therefore, the mechanism has to be able to modify the | Therefore, the mechanism has to be able to modify the address- | |||
| address-selection behavior of a host, and to solve the problematic | selection behavior of a host and to solve the problematic cases | |||
| cases described in the PS document. | described in the PS document. | |||
| 2.2. Timing | 2.2. Timing | |||
| Nodes can perform appropriate address selection when they select | Nodes can perform appropriate address selection when they select | |||
| addresses. | addresses. | |||
| If nodes need to have address-selection information to perform | If nodes need to have address-selection information to perform | |||
| appropriate address selection, then the mechanism has to provide a | appropriate address selection, then the mechanism has to provide a | |||
| function for nodes to obtain the necessary information beforehand. | function for nodes to obtain the necessary information beforehand. | |||
| The mechanism should not degrade usability. The mechanism should not | The mechanism should not degrade usability. The mechanism should not | |||
| enforce long address-selection processing time upon users. | enforce long address-selection processing time upon users. | |||
| Therefore, forcing every consumer user to manipulate address | Therefore, forcing every consumer user to manipulate the address- | |||
| selection policy table is usually not an acceptable solution. So, in | selection policy table is usually not an acceptable solution. So, in | |||
| this case, some kind of autoconfiguration mechanism is desirable. | this case, some kind of autoconfiguration mechanism is desirable. | |||
| 2.3. Dynamic Behavior Update | 2.3. Dynamic Behavior Update | |||
| The address-selection behavior of nodes can be dynamically updated. | The address-selection behavior of nodes can be dynamically updated. | |||
| When the network structure changes and the address-selection behavior | When the network structure changes and the address-selection behavior | |||
| has to be changed accordingly, a network administrator can modify the | has to be changed accordingly, a network administrator can modify the | |||
| address-selection behavior of nodes. | address-selection behavior of nodes. | |||
| skipping to change at page 4, line 36 | skipping to change at page 3, line 36 | |||
| 2.6. Multiple Interface | 2.6. Multiple Interface | |||
| The mechanism can support those nodes equipped with multiple | The mechanism can support those nodes equipped with multiple | |||
| interfaces. The mechanism has to assume that nodes have multiple | interfaces. The mechanism has to assume that nodes have multiple | |||
| interfaces and makes address selection of those nodes work | interfaces and makes address selection of those nodes work | |||
| appropriately. | appropriately. | |||
| 2.7. Central Control | 2.7. Central Control | |||
| The address selection behavior of nodes can be centrally controlled. | The address-selection behavior of nodes can be centrally controlled. | |||
| A site administrator or a service provider could determine or could | A site administrator or a service provider could determine or could | |||
| have effect on the address-selection behavior at their users' hosts. | have an effect on the address-selection behavior at their users' | |||
| hosts. | ||||
| 2.8. Next-hop Selection | 2.8. Next-Hop Selection | |||
| The mechanism can control next-hop-selection behavior at hosts or | The mechanism can control next-hop-selection behavior at hosts or | |||
| cooperate with other routing mechanisms, such as routing protocols | cooperate with other routing mechanisms, such as routing protocols | |||
| and RFC 4191 [RFC4191]. If the address-selection mechanism is used | and RFC 4191 [RFC4191]. If the address-selection mechanism is used | |||
| with a routing mechanism, the two mechanisms have to be able to work | with a routing mechanism, the two mechanisms have to be able to work | |||
| synchronously. | synchronously. | |||
| 2.9. Compatibility with RFC 3493 | 2.9. Compatibility with RFC 3493 | |||
| The mechanism can allow an application that uses the basic socket | The mechanism can allow an application that uses the basic socket | |||
| interface defined in RFC 3493 [RFC3493] to work correctly. That is, | interface defined in RFC 3493 [RFC3493] to work correctly. That is, | |||
| with the basic socket interface the application can select | with the basic socket interface the application can select | |||
| appropriate source and destination addresses and can communicate with | appropriate source and destination addresses and can communicate with | |||
| the destination host. This requirement does not necessarily mean | the destination host. This requirement does not necessarily mean | |||
| that OS protocol stack and socket libraries should not be changed. | that OS protocol stack and socket libraries should not be changed. | |||
| 2.10. Compatibility and Interoperability with RFC 3484 | 2.10. Compatibility and Interoperability with RFC 3484 | |||
| The mechanism is compatible with RFC 3484. Now that RFC 3484 is | The mechanism is compatible with RFC 3484. Now that RFC 3484 is | |||
| widely implemented, it may be most preferrable that a new address | widely implemented, it is preferable that a new address selection | |||
| selection mechanism does not conflict with the address selection | mechanism does not conflict with the address selection mechanisms | |||
| mechanisms defined in RFC 3484. | defined in RFC 3484. | |||
| If the solution mechanism changes or replaces the address selection | If the solution mechanism changes or replaces the address-selection | |||
| mechanism defined in RFC 3484, interoperability has to be retained. | mechanism defined in RFC 3484, interoperability has to be retained. | |||
| That is, a host with the new solution mechanism and a host with the | That is, a host with the new solution mechanism and a host with the | |||
| mechanism of RFC 3484 have to be interoperable. | mechanism of RFC 3484 have to be interoperable. | |||
| 2.11. Security | 2.11. Security | |||
| The mechanism works without any security problems. Possible security | The mechanism works without any security problems. Possible security | |||
| threats are described in Security Considerations section of this | threats are described in the Security Considerations section of this | |||
| document. | document. | |||
| 3. Security Considerations | 3. Security Considerations | |||
| 3.1. List of threats introduced by new address-selection mechanism | 3.1. List of Threats Introduced by New Address-Selection Mechanism | |||
| There will be some security incidents when combining these | There will be some security incidents when combining the requirements | |||
| requirements described in Section 2 into a protocol. In particular, | described in Section 2 into a protocol. In particular, there are 3 | |||
| there are 3 types of threats, "Leakage", "Hijacking", and "Denial of | types of threats: leakage, hijacking, and denial of service. | |||
| Services". | ||||
| 1. Tapping from malicious nodes to collect the network policy | 1. Leakage: Malicious nodes may tap to collect the network policy | |||
| information and leak them to unauthorized parties. | information and leak it to unauthorized parties. | |||
| 2. Hijacking of nodes made possible by malicious injection of | ||||
| illegitimate policy information: RFC 3484 defines both of source | 2. Hijacking: Nodes may be hijacked by malicious injection of | |||
| illegitimate policy information. RFC 3484 defines both a source | ||||
| and destination selection algorithm. An attacker able to inject | and destination selection algorithm. An attacker able to inject | |||
| malicious policy information could redirect packets sent by a | malicious policy information could redirect packets sent by a | |||
| victim node to an intentionally chosen server that would scan the | victim node to an intentionally chosen server that would scan the | |||
| victim node activities to find out exploit code. Once exploit | victim node activities to find vulnerable code. Once vulnerable | |||
| code is found the attacker can take control of the victim node. | code is found, the attacker can take control of the victim node. | |||
| 3. Denial of Service Attack on the ability of nodes to communicate | ||||
| in the absence of the address selection policy: An attacker could | ||||
| launch a flooding attack on the controller to prevent it to | ||||
| deliver the address selection policy information to nodes, thus | ||||
| preventing these nodes to appropriately communicate in the | ||||
| absence of that information. | ||||
| 3.2. List of recommendations in which security mechanism should be | 3. Denial of Service: This is an attack on the ability of nodes to | |||
| applied | communicate in the absence of the address-selection policy. An | |||
| attacker could launch a flooding attack on the controller to | ||||
| prevent it from delivering the address selection policy | ||||
| information to nodes, thus preventing those nodes from | ||||
| appropriately communicating. | ||||
| The source address selection protocol should be afforded security | 3.2. List of Recommendations in Which Security Mechanism Should Be | |||
| services listed below. It is preferable that these security services | Applied | |||
| are afforded via use of existing protocols (e.g., IPsec). | ||||
| The address selection mechanism should be afforded security services | ||||
| listed below. It is preferable that these security services are | ||||
| afforded via use of existing protocols (e.g., IPsec). | ||||
| 1. Integrity of the network policy information itself and the | 1. Integrity of the network policy information itself and the | |||
| messages exchanged in the protocol. This is a countermeasure | messages exchanged in the protocol. This is a countermeasure | |||
| against "Leakage", "Hijacking", and "Denial of Services". | against leakage, hijacking, and denial of service. | |||
| 2. Authentication and authorization of parties involved in the | ||||
| protocol. This is a countermeasure against "Leakage" and | ||||
| "Hijacking". | ||||
| 4. IANA Considerations | ||||
| This document has no actions for IANA. | ||||
| 5. References | ||||
| 5.1. Normative References | 2. Authentication and authorization of parties involved in the | |||
| protocol. This is a countermeasure against Leakage and | ||||
| Hijacking. | ||||
| [I-D.ietf-v6ops-addr-select-ps] | 4. Normative References | |||
| Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, | ||||
| "Problem Statement of Default Address Selection in Multi- | ||||
| prefix Environment: Operational Issues of RFC3484 Default | ||||
| Rules", draft-ietf-v6ops-addr-select-ps-05 (work in | ||||
| progress), April 2008. | ||||
| [RFC3484] Draves, R., "Default Address Selection for Internet | [RFC3484] Draves, R., "Default Address Selection for Internet | |||
| Protocol version 6 (IPv6)", RFC 3484, February 2003. | Protocol version 6 (IPv6)", RFC 3484, February 2003. | |||
| [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. | [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. | |||
| Stevens, "Basic Socket Interface Extensions for IPv6", | Stevens, "Basic Socket Interface Extensions for IPv6", RFC | |||
| RFC 3493, February 2003. | 3493, February 2003. | |||
| [RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and | [RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and | |||
| More-Specific Routes", RFC 4191, November 2005. | More-Specific Routes", RFC 4191, November 2005. | |||
| 5.2. Informative References | [RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, | |||
| "Problem Statement for Default Address Selection in | ||||
| Appendix A. Appendix. Revision History | Multi-Prefix Environments: Operational Issues of RFC 3484 | |||
| Default Rules", RFC 5220, July 2008. | ||||
| 01: | ||||
| Other than policy table distribution approach, the solution | ||||
| section included several solutions discussed at 67th IETF meeting. | ||||
| 02: | ||||
| The description and evaluation of solution approaches were | ||||
| separated into a new document called | ||||
| draft-arifumi-v6ops-addr-select-sol-00. | ||||
| 03: | ||||
| Security Considerations section was rewritten according to | ||||
| comments from SECDIR. | ||||
| 04: | ||||
| A new requirement item "Compatibility with RFC 3493" was added, | ||||
| which reflected a comment from Remi Denis-Courmont at the v6ops | ||||
| mailing list. | ||||
| 05: | ||||
| A new requirement item "Security" was added. Security | ||||
| Considerations section was rewritten according to comments from | ||||
| SECDIR. | ||||
| 06: | ||||
| A new requirement item "Compatibility and Interoperability with | ||||
| RFC 3484" was added in response to comments from Tim Polk. | ||||
| 07: | ||||
| A couple of textual and typographical changes were made in | ||||
| response to comments from Alfred Hoenes. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Arifumi Matsumoto | Arifumi Matsumoto | |||
| NTT PF Lab | NTT PF Lab | |||
| Midori-Cho 3-9-11 | Midori-Cho 3-9-11 | |||
| Musashino-shi, Tokyo 180-8585 | Musashino-shi, Tokyo 180-8585 | |||
| Japan | Japan | |||
| Phone: +81 422 59 3334 | Phone: +81 422 59 3334 | |||
| Email: arifumi@nttv6.net | EMail: arifumi@nttv6.net | |||
| Tomohiro Fujisaki | Tomohiro Fujisaki | |||
| NTT PF Lab | NTT PF Lab | |||
| Midori-Cho 3-9-11 | Midori-Cho 3-9-11 | |||
| Musashino-shi, Tokyo 180-8585 | Musashino-shi, Tokyo 180-8585 | |||
| Japan | Japan | |||
| Phone: +81 422 59 7351 | Phone: +81 422 59 7351 | |||
| Email: fujisaki@nttv6.net | EMail: fujisaki@nttv6.net | |||
| Ruri Hiromi | Ruri Hiromi | |||
| Intec Netcore, Inc. | Intec Netcore, Inc. | |||
| Shinsuna 1-3-3 | Shinsuna 1-3-3 | |||
| Koto-ku, Tokyo 136-0075 | Koto-ku, Tokyo 136-0075 | |||
| Japan | Japan | |||
| Phone: +81 3 5665 5069 | Phone: +81 3 5665 5069 | |||
| Email: hiromi@inetcore.com | EMail: hiromi@inetcore.com | |||
| Ken-ichi Kanayama | Ken-ichi Kanayama | |||
| Intec Netcore, Inc. | INTEC Systems Institute, Inc. | |||
| Shinsuna 1-3-3 | Shimoshin-machi 5-33 | |||
| Koto-ku, Tokyo 136-0075 | Toyama-shi, Toyama 930-0804 | |||
| Japan | Japan | |||
| Phone: +81 3 5665 5069 | Phone: +81 76 444 8088 | |||
| Email: kanayama_kenichi@intec-si.co.jp | EMail: kanayama_kenichi@intec-si.co.jp | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| retain all their rights. | retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| skipping to change at page 9, line 44 | skipping to change at line 300 | |||
| attempt made to obtain a general license or permission for the use of | attempt made to obtain a general license or permission for the use of | |||
| such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
| specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
| http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
| this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
| ietf-ipr@ietf.org. | ietf-ipr@ietf.org. | |||
| Acknowledgment | ||||
| Funding for the RFC Editor function is provided by the IETF | ||||
| Administrative Support Activity (IASA). | ||||
| End of changes. 32 change blocks. | ||||
| 158 lines changed or deleted | 93 lines changed or added | |||
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||