INTERNET-DRAFT Y. Shirasaki Expires: October, 2004 S. Miyakawa T. Yamasaki NTT Communications A. Takenouchi NTT April 27, 2004 A Model of IPv6/IPv4 Dual Stack Internet Access Service draft-shirasaki-dualstack-service-04.txt Status of this Memo This memo provides information to the Internet community. It does not specify an Internet standard of any kind. This memo is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' To view the list Internet-Draft Shadow Directories, see http://www.ietf.org/shadow.html. Distribution of this memo is unlimited. The internet-draft will expire in 6 months. The date of expiration will be October 26, 2004. Abstract This memo shows an example of how to provide IPv6 / IPv4 dual stack services to home users. In order to simplify user setup, these services should have a mechanism to configure IPv6 specific parameters automatically. We focus on two basic parameters, the prefix assigned to the user and the addresses of IPv6 DNS servers, and specify the way to deliver them to Customer Premises Equipments (CPE) automatically. This memo is a digest of the user network interface specification of NTT communications' dual stack ADSL access service. Shirasaki, et al. Expires - October 2004 [Page 1] INTERNET-DRAFT Dual stack access April 2004 1. Introduction This memo describes two topics. One is the architecture of IPv6/IPv4 dual stack access service. The other is the automatic configuration function for IPv6 specific parameters. The architecture is mainly targeted at a leased line ADSL service for home users. It assumes that there is a Point-to-Point Protocol (PPP) logical link between CPE and Provider Edge (PE). In order to exclude factors which are specific to access lines from this architecture, we only specify PPP and its upper layers. To satisfy [RFC3177], the length of prefix which is delegated to CPE is /48, but /64 is also a possible option. In this architecture, IPv6/IPv4 dual stack service is specified as follows. o IPv6 and IPv4 connectivities are provided over a single PPP logical link. o IPv6 connectivity is independent of IPv4 connectivity. IPV6CP and IPCP work independently over a single PPP logical link. Figure 1 shows the outline of the service architecture. NTT Communications is providing a commercial service based on this architecture since the Summer 2002. | _____________ [HOST]-+ +-----------+ +----------+ / \ | | Customer | ADSL line | Provider | | ISP core and | +-+ Premises +---------------+ Edge |--| The internet | | | Equipment | to subscriber +-----+----+ \_____________/ [HOST]-+ +-----------+ | | | | +-----+------+ | +-+----------+ | AAA server | | | DNS server | +------------+ | +------------+ +-+--------------+ | NTP server etc.| +----------------+ Figure 1: Dual stack access service architecture The automatic configuration function aims at simplification of user setup. Usually, users have to configure at least two IPv6 specific parameters, prefix(es) assigned to them and IPv6 DNS servers' addresses. The function is composed of two sub-functions as below. Shirasaki, et al. Expires - October 2004 [Page 2] INTERNET-DRAFT Dual stack access April 2004 o Delegation of prefix(es) to be used in the user site o Notification of IPv6 DNS server addresses, and/or other server addresses Section 2 of this memo details user network interface. Section 3 describes an example of connection sequence. 2. User Network Interface In this section, details of the user network interface specification are described. Only PPP over Ethernet (PPPoE) and its upper layers are mentioned. The other layers such as Ethernet and lower layers are out of scope. IPv4 related parameter configuration is also out of scope. 2.1. Below the IP Layer The service uses PPP connection and Challenge Handshake Authentication Protocol (CHAP) authentication to identify each CPE. Both CPE and PE handle both IPCP [RFC1661] and IPV6CP [RFC2472] identically / simultaneously over a single PPP connection. It means either CPE or PE can open/close any Network Control Protocol (NCP) session anytime without any side-effect for each other. It is intended that users can choose between three services, IPv4 only, IPv6 only and IPv4/IPv6 dual stack. A CPE connected to an ADSL line discovers a PE with PPPoE mechanism [RFC2516]. Note that because CPE and PE can negotiate only their interface identifiers with IPV6CP, PE and CPE can use only link-local scope addresses before the prefix delegation mechanism, described below, is run. 2.2. IP Layer After IPV6CP negotiation, the CPE initiates a prefix delegation request. The PE chooses global-scope prefix for the CPE with information from an Authentication, Authorization, and Accounting (AAA) server or local prefix pools, and delegates the prefix to the CPE. Once the prefix is delegated, the prefix is subnetted and assigned to the local interfaces of the CPE. The CPE begins sending router advertisement of the prefixes on each links. Eventually hosts can acquire global-scope prefixes through conventional IPv6 stateless [RFC2462] or stateful auto-configuration mechanisms [RFC3315] etc, and become to communicate using global-scope addresses. 2.3. Prefix Delegation Shirasaki, et al. Expires - October 2004 [Page 3] INTERNET-DRAFT Dual stack access April 2004 PE delegates prefixes to CPE by DHCPv6 [RFC3315] with prefix delegation options [RFC3633]. The model of sequence for prefix delegation is as follows: o A CPE requests prefix(es) from a PE by sending a DHCPv6 Solicit message which has a link-local source address negotiated by IPV6CP, mentioned in the previous section, and includes an IA_PD option. o An AAA server notifies prefix(es) to the PE, or the PE chooses prefix(es) from its local pool and the PE returns an Advertise message which contains an IA_PD option and IA_PD Prefix options. The prefix-length in the IA_PD Prefix option is 48. o The CPE chooses prefix(es) and sends a Request message containing an IA_PD option and IA_PD Prefix options for chosen prefix(es) back to the PE. o The PE confirms the prefix(es) in the Request message and returns a Reply message. If IPV6CP is terminated or restarted by any reason, CPE must initiate a Rebind/Reply message exchange as described in [RFC3633]. 2.4. Address Assignment CPE assigns global-scope /64 prefixes subnetted from the delegated prefix to its downstream interfaces. In the case where the delegated prefix has infinite lifetimes, the preferred and valid lifetimes of assigned /64 prefixes should be their default values in [RFC2461]. Because a link-local address is already assigned to CPE's upstream interface, global-scope address assignment for that interface is optional. 2.5. Routing CPE and PE use static routing between them, and no routing protocol traffic is necessary. CPE configures its PPPoE logical interface or the link-local address of PE as IPv6 default gateway automatically after the prefix delegation exchange. When CPE receives packets which are destined for the addresses in the delegated /48 prefix, CPE must not forward the packets to a PE. CPE should return ICMPv6 Destination Unreachable message to a source Shirasaki, et al. Expires - October 2004 [Page 4] INTERNET-DRAFT Dual stack access April 2004 address or silently discard the packets, when the original packet is destined for the unassigned prefix in the delegated prefix. (e.g. CPE should install a reject route or null interface as next hop for the delegated prefix.) 2.6. Obtaining Addresses of DNS Servers The service provides IPv6 recursive DNS servers in the ISP site. PE notifies the global unicast addresses of these servers with Domain Name Server option, which is described in [RFC3646], in Advertise/Reply messages on the prefix delegation message exchange. Devices connected to user network may know recursive DNS server address with the mechanism described in [RFC3736]. The CPE may serve as a local DNS proxy server and include its address into the DNS server address list. This is easy to implement, because it is an analogy of IPv4 SOHO router (192.168.0.1 is a DNS proxy server and a default router in most sites). 2.7. Miscellaneous Information PE may notify other IPv6 enabled server addresses such as Network Time Protocol servers [OPT-NTP], SIP servers [RFC3319], etc. in an Advertise/Reply messages on the prefix delegation message exchange if those are available. 2.8. Connectivity Monitoring ICMPv6 Echo Request will be sent to user network for connectivity monitoring in the service. CPE must return single IPv6 Echo Reply packet when it receives ICMPv6 Echo Request packet. The health check packets are destined for subnet-router anycast address for the delegated prefix. The old document of APNIC IPv6 address assignment policy required that APNIC could ping the subnet anycast address to check an address usage. To achieve this requirement, for example, once the prefix 3ffe:ffff:ffff::/48 is delegated, the CPE must reply to the ICMPv6 Echo Request destined for 3ffe:ffff:ffff:: anytime while IPV6CP and DHCPv6-PD for upstream is up. Because some implementations couldn't reply when 3ffe:ffff:ffff::/64 was assigned to its downstream physical interface and the interface is down, such implementation should assign 3ffe:ffff:ffff::/64 for loopback interface, which is always up, and 3ffe:ffff:ffff:1::/64, 3ffe:ffff:ffff:2::/64, etc. for physical interfaces. Shirasaki, et al. Expires - October 2004 [Page 5] INTERNET-DRAFT Dual stack access April 2004 3. An Example of Connection Sequence Following figure is an example of normal link-up sequence from start of PPPoE to start of IPv6/IPv4 communications. IPv4 communication becomes available after IPCP negotiation. IPv6 communication with link-local scope addresses becomes possible after IPV6CP negotiation. IPv6 communication with global-scope addresses becomes possible after prefix delegation and conventional IPv6 address configuration mechanism. IPCP is independent of IPV6CP and prefix delegation. CPE PE | | |----------PADI-------->| \ |<---------PADO---------| | PPPoE |----------PADR-------->| | Discovery Stage |<---------PADS---------| / | | |---Configure-Request-->| \ |<--Configure-Request---| | PPP Link Establishment Phase |<----Configure-Ack-----| | (LCP) |-----Configure-Ack---->| / | | |<------Challenge-------| \ |-------Response------->| | PPP Authentication Phase (CHAP) |<-------Success--------| / | | |---Configure-Request-->| \ |<--Configure-Request---| | |<----Configure-Nak-----| | PPP Network Layer Protocol Phase |<----Configure-Ack-----| | (IPCP) |---Configure-Request-->| | |<----Configure-Ack-----| / | | |---Configure-Request-->| \ |<--Configure-Request---| | PPP Network Layer Protocol Phase |<----Configure-Ack-----| | (IPV6CP) |-----Configure-Ack---->| / | | |--------Solicit------->| \ |<------Advertise-------| | DHCPv6 |--------Request------->| | |<--------Reply---------| / | | Figure 2: An example of connection sequence 4. Security Considerations Shirasaki, et al. Expires - October 2004 [Page 6] INTERNET-DRAFT Dual stack access April 2004 In this architecture, PE and CPE trusts the point-to-point link between them, where one trusts that there is no man-in-the-middle, and trusts PPPoE authentication. Because of this, the DHCP authentication is not considered necessary and is not used. The service provides always-on global-scope prefix for users. Each device connected to user network has global-scope addresses. Without any packet filters, devices might be accessible from outside of the user network in that case. CPE and each device involved in the service should have functionality against unauthorized accesses such as stateful inspection packet filter. Relationship between CPE and devices connected to user network for this problem should be considered in the future. 5. Acknowledgments Thanks for the input and review by Tatsuya Sato, Hideki Mouri, Koichiro Fujimoto, Hiroki Ishibashi, Ralph Droms, Ole Troan, Pekka Savola, and IPv6-ops-IAJapan members. Normative References [RFC3177] IAB and IESG, "IAB/IESG Recommendations on IPv6 Address Allocations to Sites", RFC 3177, September 2001. [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", RFC 1661, July 1994 [RFC2472] Haskin, D. and Allen, E., "IP Version 6 over PPP", RFC 2472, December 1998. [RFC2516] Mamakos, L., "A Method for Transmitting PPP Over Ethernet (PPPoE)", RFC 2516, February 1999. [RFC2462] Thomson, S. and Narten, T., "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998. [RFC3315] Droms, R., "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3633] Troan, O. and Droms, R., "IPv6 Prefix Options for Dynamic Host Shirasaki, et al. Expires - October 2004 [Page 7] INTERNET-DRAFT Dual stack access April 2004 Configuration Protocol (DHCP) version 6", RFC 3633, December 2003. [RFC2461] Narten, T., Nordmark, E. and Simpson, W., "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. [RFC3646] Droms, R., "DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, December 2003. [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6", RFC 3736, April 2004. [OPT-NTP] Vijayabhaskar, A.K., "Simple Network Time Protocol Configuration Option for DHCPv6", draft-ietf-dhc-dhcpv6-opt-sntp-00 (work in progress), November 2003. [RFC3319] Schulzrinne, H. and Volz, B., "Dynamic Host Configuration Protocol (DHCPv6) Options for Session Initiation Protocol (SIP) Servers", RFC 3319, July 2003. Informative References [PD-Req] Miyakawa, S. and Droms, R., "Requirements for IPv6 prefix delega- tion", draft-ietf-ipv6-prefix-delegation-requirement-04 (work in progress), February 2004. Shirasaki, et al. Expires - October 2004 [Page 8] INTERNET-DRAFT Dual stack access April 2004 Authors' Addresses Yasuhiro Shirasaki NTT Communications Corporation Tokyo Opera City Tower 21F 3-20-2 Nishi-Shinjuku, Shinjuku-ku Tokyo 163-1421, Japan E-mail: yasuhiro@nttv6.jp Shin Miyakawa, Ph. D NTT Communications Corporation Tokyo Opera City Tower 21F 3-20-2 Nishi-Shinjuku, Shinjuku-ku Tokyo 163-1421, Japan E-mail: miyakawa@nttv6.jp Toshiyuki Yamasaki NTT Communications Corporation 1-1-6 Uchisaiwaicho, Chiyoda-ku Tokyo 100-8019, Japan E-mail: t.yamasaki@ntt.com Ayako Takenouchi NTT Cyber Solutions Laboratories, NTT Corporation 3-9-11 Midori-Cho, Musashino-Shi Tokyo 180-8585, Japan E-mail: takenouchi.ayako@lab.ntt.co.jp Shirasaki, et al. Expires - October 2004 [Page 9] INTERNET-DRAFT Dual stack access April 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2004). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF Shirasaki, et al. Expires - October 2004 [Page 10] INTERNET-DRAFT Dual stack access April 2004 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Shirasaki, et al. Expires - October 2004 [Page 11]