DHC Working Group                                            T. Fujisaki
Internet-Draft                                              A. Matsumoto
Expires: December 15, 2006                                       J. Kato
                                                              S. Niinobe
                                                                     NTT
                                                           June 13, 2006

        Distributing Default Address Selection Policy using DHCPv6
                 draft-fujisaki-dhc-addr-select-opt-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 15, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes a new DHCPv6 option for distributing default
   address selection policy information defined in RFC3484 to a client.
   With this option, site administrators can distribute address
   selection policy to control the node's address selection behavior.

Fujisaki, et al.        Expires December 15, 2006               [Page 1]

Internet-Draft     DHCPv6 Address Selection Policy Opt         June 2006

1.  Introduction

   RFC3484 [RFC3484] describes algorithms for selecting a default
   address when a node has multiple destination and/or source addresses
   by using an address selection policy.
   However, there are some problems with the default address selection
   policy in RFC3484 [ID.arifumi-v6ops-addr-select-ps], and
   administrators can change the node's address selection behavior by
   distributing the policy.  Practical usages are described in
   [ID.arifumi-ipv6-policy-dist].

   This document describes an option for distributing default address
   selection policy information using DHCPv6.

2.  Terminology

   This document uses the terminology defined in [RFC2460] and the DHCP
   specification defined in [RFC3315].

3.  Default Address Selection Policy Option

   The Default Address Selection Policy Option provides policy
   information for address selection rules.  Specifically, it transmits
   a set of IPv6 source and destination address prefixes and some
   parameters that are used to control address selection as described
   in RFC 3484.

   Each end node is expected to configure its policy table, as described
   in RFC 3484, in a manner consistent with the Default Address
   Selection Policy option information.

   The format of the Default Address Selection Policy option is given
   below:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |          OPTION_DASP          |         option-len            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     label     |  precedence   |  zone-index   |  prefix-len   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     |                    Prefix (Variable Length)                   |
     |                                                               |
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     label     |  precedence   |  zone-index   |  prefix-len   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     |                    Prefix (Variable Length)                   |
     |                                                               |
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     .                               .                               .
     .                               .                               .
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     label     |  precedence   |  zone-index   |  prefix-len   |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     |                    Prefix (Variable Length)                   |
     |                                                               |
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                [Fig. 1]

   Fields:

   option-code:  OPTION_DASP (TBD)

   option-len:   The total length of the label fields, precedence
                 fields, zone-index fields, prefix-len fields, and
                 prefix fields in octets.

   label:        An 8-bit unsigned integer; this value is used to make a
                 combination of source address prefixes and destination
                 address prefixes.

   precedence:   An 8-bit unsigned integer; this value is used for
                 sorting destination addresses.

   zone-index:   An 8-bit unsigned integer; this value is used to
                 specify zones for scoped addresses.

   prefix-len:   An 8-bit unsigned integer; the number of leading bits
                 in the prefix that are valid.  The value ranges from 0
                 to 128.  The Prefix field is 0, 4, 8, 12, or 16 octets,
                 depending on the length.

   Prefix:       A variable-length field containing an IP address or the
                 prefix of an IP address.  An IPv4-mapped address
                 [mapped] must be used to represent an IPv4 address as a
                 prefix value.

4.  Appearance of this Option

   The Default Address Selection Policy option MUST NOT appear in any
   messages other than the following ones: Solicit, Advertise, Request,
   Renew, Rebind, Information-Request, and Reply.

5.  Implementation Considerations

   o  The value 'label' is passed as an unsigned integer, but the value
      itself carries no meaning (a large number is not preferred over a
      small one).  It is used to select a preferred source address
      prefix corresponding to a destination address prefix by matching
      the same label value within this DHCP message.  DHCPv6 clients
      need to convert this label to a representation specified by each
      implementation (e.g., a string).
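   The following Python program is an added example and is not part of
   the draft or of any implementation by its authors.  It encodes and
   decodes the option laid out in Fig. 1, checks every length against
   the bytes actually present (so a truncated or over-long option from a
   server is rejected instead of being mis-parsed), and then uses the
   decoded entries as an RFC 3484 policy table: longest-prefix lookup,
   the "prefer matching label" source selection rule, and the "higher
   precedence first" destination ordering rule.  Two points are
   assumptions rather than draft text: the option code is TBD, so the
   placeholder 0xFFFE stands in for it, and the Prefix field is taken to
   be prefix-len rounded up to a whole 32-bit word (0, 4, 8, 12 or 16
   octets).  The sample policy is constructed from documentation
   prefixes.

```python
"""OPTION_DASP encode/decode (Fig. 1) and use of the decoded entries as an
RFC 3484 policy table.  Added example; not text of the draft.

Assumptions: option code TBD, placeholder 0xFFFE used; Prefix field =
prefix-len rounded up to a 32-bit word; SAMPLE_POLICY is constructed.
"""
import ipaddress
import struct
from typing import NamedTuple

OPTION_DASP = 0xFFFE          # placeholder: the real code is assigned by IANA


class PolicyEntry(NamedTuple):
    prefix: ipaddress.IPv6Network   # IPv4 prefixes travel in ::ffff:0:0/96 form
    precedence: int                 # sorts destination addresses (higher first)
    label: int                      # pairs a source prefix with a destination prefix
    zone_index: int                 # carried through; meaningful for scoped addresses


def entry(label, precedence, zone_index, prefix):
    return PolicyEntry(ipaddress.IPv6Network(prefix), precedence, label, zone_index)


# Constructed sample: a site with two upstream prefixes that wants sources
# paired with the matching destination prefix (the ingress-filtering case).
SAMPLE_POLICY = [
    entry(1, 40, 0, "::/0"),
    entry(2, 50, 0, "2001:db8:1::/48"),
    entry(3, 45, 0, "2001:db8:2::/48"),
    entry(4, 10, 0, "::ffff:0:0/96"),
]


def prefix_octets(prefix_len):
    """Octets of the Prefix field for a prefix-len: 0, 4, 8, 12 or 16."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix-len out of range 0..128")
    return -(-prefix_len // 32) * 4


def encode_dasp(entries):
    """Serialise entries into one OPTION_DASP option (header + entries)."""
    body = bytearray()
    for e in entries:
        n = prefix_octets(e.prefix.prefixlen)
        body += struct.pack("!BBBB", e.label, e.precedence, e.zone_index,
                            e.prefix.prefixlen)
        body += e.prefix.network_address.packed[:n]
    return struct.pack("!HH", OPTION_DASP, len(body)) + bytes(body)


def decode_dasp(data):
    """Parse one OPTION_DASP option.  Every length is checked against the
    bytes present, so a malformed option cannot make the parser read past
    the option or accept a short entry."""
    if len(data) < 4:
        raise ValueError("option header truncated")
    code, olen = struct.unpack("!HH", data[:4])
    if code != OPTION_DASP:
        raise ValueError("not an OPTION_DASP option")
    body = data[4:4 + olen]
    if len(body) != olen:
        raise ValueError("option-len exceeds available data")
    entries, pos = [], 0
    while pos < olen:
        if olen - pos < 4:
            raise ValueError("entry header truncated")
        label, prec, zone, plen = struct.unpack("!BBBB", body[pos:pos + 4])
        pos += 4
        n = prefix_octets(plen)          # also rejects prefix-len > 128
        if olen - pos < n:
            raise ValueError("prefix field truncated")
        addr = ipaddress.IPv6Address(body[pos:pos + n].ljust(16, b"\x00"))
        pos += n
        net = ipaddress.IPv6Network((str(addr), plen), strict=False)
        entries.append(PolicyEntry(net, prec, label, zone))
    return entries


def is_malformed(data):
    """True if decode_dasp rejects the bytes."""
    try:
        decode_dasp(data)
        return False
    except ValueError:
        return True


def lookup(table, addr):
    """RFC 3484 policy table lookup: the longest matching prefix applies."""
    a = ipaddress.IPv6Address(addr)
    hits = [e for e in table if a in e.prefix]
    if not hits:
        raise LookupError("no matching prefix; a table should carry ::/0")
    return max(hits, key=lambda e: e.prefix.prefixlen)


def select_source(table, dst, candidates):
    """Source selection, label rule only: prefer a candidate whose label
    equals the destination's label; otherwise the first candidate."""
    want = lookup(table, dst).label
    for src in candidates:
        if lookup(table, src).label == want:
            return src
    return candidates[0]


def sort_destinations(table, dsts):
    """Destination ordering, precedence rule only: higher precedence first."""
    return sorted(dsts, key=lambda d: lookup(table, d).precedence, reverse=True)


if __name__ == "__main__":
    wire = encode_dasp(SAMPLE_POLICY)
    print(wire.hex())
    table = decode_dasp(wire)
    print(select_source(table, "2001:db8:1::53",
                        ["2001:db8:2::10", "2001:db8:1::10"]))
```

   Only the label and precedence rules of RFC 3484 are applied here; a
   real resolver runs the full rule lists (scope, deprecated addresses,
   longest matching prefix, and so on) with these two as one step each.
   The length checks in decode_dasp are the part a client author should
   carry over unchanged: option-len, each entry header, and each Prefix
   field are verified before they are read.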
   o  Currently, the label, precedence, and zone-index values are
      defined as 8-bit unsigned integers.  In almost all cases, this
      width will be enough.

   o  The 'precedence' is used to sort destination addresses.  There
      might be some cases where precedence values will conflict when a
      client already has a selection policy configured or a client
      receives multiple policies from multiple DHCP servers (e.g., when
      a home gateway in a user network is connected to multiple upstream
      ISPs).  In such cases, manual configuration of the policy will be
      necessary.

6.  Discussion

   o  The 'zone index' value is used to specify a particular zone for
      scoped addresses.  This can be used effectively to control address
      selection in the site scope (e.g., to tell a node to use a
      specified source address corresponding to a site-scoped multicast
      address).  However, in some cases such as a link-local scope
      address, the value specifying one zone is only meaningful locally
      within that node.  There might be some cases where the
      administrator knows which clients are on the network and wants
      specific interfaces to be used though.  However, it is hard to use
      this value in the general case.

   o  We also proposed a policy distribution option using a Router
      Advertisement message defined in RFC2461 [RFC2461].  There was a
      discussion that using DHCPv6 was more suitable to distribute a
      selection policy, because such policy should be distributed under
      the site administrator's centralized control.

   o  There may be some demands to control the use of temporary
      addresses described in RFC3041 [RFC3041] (e.g., informing a node
      not to use a temporary address when it communicates within an
      organization's network).
      Since a temporary address cannot be represented as an IPv6 address
      and its prefix, some semantics to specify the temporary address
      will be necessary to control it (such as a flag to indicate a
      temporary address or a special representation for a temporary
      address in the prefix field).

7.  Security Considerations

   A rogue DHCPv6 server could issue bogus default address selection
   policies to a client.  This might lead to incorrect address selection
   by the client, and the affected packets might be blocked at an
   outgoing ISP because of ingress filtering.  To guard against such
   attacks, both DHCP clients and servers SHOULD use DHCP
   authentication, as described in section 21 of RFC 3315,
   "Authentication of DHCP messages."

8.  IANA Considerations

   IANA is requested to assign option codes to OPTION_DASP from the
   option-code space as defined in section "DHCPv6 Options" of RFC 3315.

Appendix A.  RFC3484 implementation status

   Today, many operating systems implement the address selection
   mechanism defined in RFC3484.  Many of them, however, implement the
   specification only partially.  We summarize the current
   implementation status of RFC 3484 at http://www.nttv6.net/dass/.

9.  References

   [ID.arifumi-ipv6-policy-dist]
              Matsumoto, A., Fujisaki, T., and J. Kato, "Practical
              Usages of Default Address Selection Policy Distribution",
              draft-arifumi-ipv6-policy-dist-01.txt (work in progress),
              June 2006.

   [ID.arifumi-v6ops-addr-select-ps]
              Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama,
              "Problem Statement of Default Address Selection in
              Multi-prefix Environment: Operational Issues of RFC3484
              Default Rules", draft-arifumi-v6ops-addr-select-ps-00.txt
              (work in progress), June 2006.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC2461]  Narten, T., Nordmark, E., and W. Simpson, "Neighbor
              Discovery for IP Version 6 (IPv6)", RFC 2461,
              December 1998.

   [RFC3041]  Narten, T. and R. Draves, "Privacy Extensions for
              Stateless Address Autoconfiguration in IPv6", RFC 3041,
              January 2001.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
              and M. Carney, "Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6)", RFC 3315, July 2003.

   [RFC3484]  Draves, R., "Default Address Selection for Internet
              Protocol version 6 (IPv6)", RFC 3484, February 2003.

Authors' Addresses

   Tomohiro Fujisaki
   NTT PF Lab
   3-9-11 Midori-Cho Musashino-shi, Tokyo 180-8585
   Japan

   Phone: +81 422 59 7351
   Email: fujisaki.tomohiroi@lab.ntt.co.jp

   Arifumi Matsumoto
   NTT PF Lab
   3-9-11 Midori-Cho Musashino-shi, Tokyo 180-8585
   Japan

   Phone: +81 422 59 3334
   Email: arifumi@nttv6.net

   Jun-ya Kato
   NTT PF Lab
   3-9-11 Midori-Cho Musashino-shi, Tokyo 180-8585
   Japan

   Phone: +81 422 59 2939
   Email: kato@syce.net

   Shirou Niinobe
   NTT PF Lab
   3-9-11 Midori-Cho Musashino-shi, Tokyo 180-8585
   Japan

   Phone: +81 422 59 4949
   Email: nin@syce.net

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.
   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.