diff options
Diffstat (limited to 'doc/rfc/rfc6250.txt')
-rw-r--r-- | doc/rfc/rfc6250.txt | 1403 |
1 files changed, 1403 insertions, 0 deletions
diff --git a/doc/rfc/rfc6250.txt b/doc/rfc/rfc6250.txt new file mode 100644 index 0000000..5cbb82e --- /dev/null +++ b/doc/rfc/rfc6250.txt @@ -0,0 +1,1403 @@ + + + + + + +Internet Architecture Board (IAB) D. Thaler +Request for Comments: 6250 May 2011 +Category: Informational +ISSN: 2070-1721 + + + Evolution of the IP Model + +Abstract + + This RFC attempts to document various aspects of the IP service model + and how it has evolved over time. In particular, it attempts to + document the properties of the IP layer as they are seen by upper- + layer protocols and applications, especially properties that were + (and, at times, still are) incorrectly perceived to exist as well as + properties that would cause problems if changed. The discussion of + these properties is organized around evaluating a set of claims, or + misconceptions. Finally, this document provides some guidance to + protocol designers and implementers. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Architecture Board (IAB) + and represents information that the IAB has deemed valuable to + provide for permanent record. Documents approved for publication by + the IAB are not a candidate for any level of Internet Standard; see + Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6250. + +Copyright Notice + + Copyright (c) 2011 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. + + + + + +Thaler & IAB Informational [Page 1] + +RFC 6250 Evolution of the IP Model May 2011 + + +Table of Contents + + 1. Introduction ....................................................3 + 2. The IP Service Model ............................................4 + 2.1. Links and Subnets ..........................................5 + 3. Common Application Misconceptions ...............................5 + 3.1. Misconceptions about Routing ...............................5 + 3.1.1. Claim: Reachability is symmetric ....................5 + 3.1.2. Claim: Reachability is transitive ...................6 + 3.1.3. Claim: Error messages can be received in + response to data packets ............................7 + 3.1.4. Claim: Multicast is supported within a link .........7 + 3.1.5. Claim: IPv4 broadcast is supported ..................8 + 3.1.6. Claim: Multicast/broadcast is less expensive + than replicated unicast .............................8 + 3.1.7. Claim: The end-to-end latency of the first + packet to a destination is typical ..................8 + 3.1.8. Claim: Reordering is rare ...........................9 + 3.1.9. Claim: Loss is rare and probabilistic, not + deterministic .......................................9 + 3.1.10. Claim: An end-to-end path exists at a + single point in time ..............................10 + 3.1.11. Discussion ........................................10 + 3.2. Misconceptions about Addressing ...........................11 + 3.2.1. Claim: Addresses are stable over long + periods of time ....................................11 + 3.2.2. Claim: An address is four bytes long ...............12 + 3.2.3. Claim: A host has only one address on one interface 12 + 3.2.4. Claim: A non-multicast/broadcast address + identifies a single host over a long period of time 13 + 3.2.5. Claim: An address can be used as an + indication of physical location ....................14 + 3.2.6. Claim: An address used by an application is + the same as the address used for routing ...........14 + 3.2.7. Claim: A subnet is smaller than a link .............14 + 3.2.8. Claim: Selecting a local address selects + the interface ......................................15 + 3.2.9. Claim: An address is part of an on-link + subnet prefix ......................................15 + 3.2.10. Discussion ........................................15 + 3.3. Misconceptions about Upper-Layer Extensibility ............16 + 3.3.1. Claim: New transport-layer protocols can + work across the Internet ...........................16 + 3.3.2. Claim: If one stream between a pair of + addresses can get through, then so can another .....17 + 3.3.3. Discussion .........................................17 + 3.4. Misconceptions about Security .............................17 + 3.4.1. Claim: Packets are unmodified in transit ...........17 + + + +Thaler & IAB Informational [Page 2] + +RFC 6250 Evolution of the IP Model May 2011 + + + 3.4.2. Claim: Packets are private .........................18 + 3.4.3. Claim: Source addresses are not forged .............18 + 3.4.4. Discussion .........................................18 + 4. Security Considerations ........................................18 + 5. Conclusion .....................................................19 + 6. Acknowledgements ...............................................20 + 7. IAB Members at the Time of This Writing ........................20 + 8. IAB Members at the Time of Approval ............................20 + 9. References .....................................................20 + 9.1. Normative References ......................................20 + 9.2. Informative References ....................................21 + +1. Introduction + + Since the Internet Protocol was first published as [IEN028] in 1978, + IP has provided a network-layer connectivity service to upper-layer + protocols and applications. The basic IP service model was + documented in the original IENs (and subsequently in the RFCs that + obsolete them). However, since the mantra has been "Everything Over + IP", the IP service model has evolved significantly over the past 30 + years to enable new behaviors that the original definition did not + envision. For example, by 1989 there was already some confusion and + so [RFC1122] clarified many things and extended the model. In 2004, + [RFC3819] advised link-layer protocol designers on a number of issues + that affect upper layers and is the closest in intent to this + document. Today's IP service model is not well documented in a + single place, but is either implicit or discussed piecemeal in many + different RFCs. As a result, today's IP service model is actually + not well known, or at least is often misunderstood. + + In the early days of IP, changing or extending the basic IP service + model was easier since it was not as widely deployed and there were + fewer implementations. Today, the ossification of the Internet makes + evolving the IP model even more difficult. Thus, it is important to + understand the evolution of the IP model for two reasons: + + 1. To clarify what properties can and cannot be depended upon by + upper-layer protocols and applications. There are many + misconceptions on which applications may be based and which are + problematic. + + 2. To document lessons for future evolution to take into account. + It is important that the service model remain consistent, rather + than evolving in two opposing directions. It is sometimes the + case in IETF Working Groups today that directions are considered + or even taken that would change the IP service model. Doing this + without understanding the implications on applications can be + dangerous. + + + +Thaler & IAB Informational [Page 3] + +RFC 6250 Evolution of the IP Model May 2011 + + + This RFC attempts to document various aspects of the IP service model + and how it has evolved over time. In particular, it attempts to + document the properties of the IP layer, as seen by upper-layer + protocols and applications, especially properties that were (and at + times still are) incorrectly perceived to exist. It also highlights + properties that would cause problems if changed. + +2. The IP Service Model + + In this document, we use the term "IP service model" to refer to the + model exposed by IP to higher-layer protocols and applications. This + is depicted in Figure 1 by the horizontal line. + + +-------------+ +-------------+ + | Application | | Application | + +------+------+ +------+------+ + | | + +------+------+ +------+------+ + | Upper-Layer | | Upper-Layer | + | Protocol | | Protocol | + +------+------+ +------+------+ + | | + ------------------------------------------------------------------ + | | + +--+--+ +-----+ +--+--+ + | IP | | IP | | IP | + +--+--+ +--+--+ +--+--+ + | | | + +-----+------+ +-----+------+ +-----+------+ + | Link Layer | | Link Layer | | Link Layer | + +-----+------+ +--+-----+---+ +-----+------+ + | | | | + +---------------------+ +--------------------+ + + Source Destination + + IP Service Model + + Figure 1 + + The foundation of the IP service model today is documented in Section + 2.2 of [RFC0791]. Generally speaking, IP provides a connectionless + delivery service for variable size packets, which does not guarantee + ordering, delivery, or lack of duplication, but is merely best effort + (although some packets may get better service than others). Senders + can send to a destination address without signaling a priori, and + receivers just listen on an already provisioned address, without + signaling a priori. + + + +Thaler & IAB Informational [Page 4] + +RFC 6250 Evolution of the IP Model May 2011 + + + Architectural principles of the IP model are further discussed in + [RFC1958] and in Sections 5 and 6 of [NEWARCH]. + +2.1. Links and Subnets + + Section 2.1 of [RFC4903] discusses the terms "link" and "subnet" with + respect to the IP model. + + A "link" in the IP service model refers to the topological area + within which a packet with an IPv4 Time to Live (TTL) or IPv6 Hop + Limit of 1 can be delivered. That is, where no IP-layer forwarding + (which entails a TTL/Hop Limit decrement) occurs between two nodes. + + A "subnet" in the IP service model refers to the topological area + within which addresses from the same subnet prefix are assigned to + interfaces. + +3. Common Application Misconceptions + + Below is a list of properties that are often assumed by applications + and upper-layer protocols, but which have become less true over time. + +3.1. Misconceptions about Routing + +3.1.1. Claim: Reachability is symmetric + + Many applications assume that if a host A can contact a host B, then + the reverse is also true. Examples of this behavior include request- + response patterns, which require reverse reachability only after + forward reachability, as well as callbacks (e.g., as used by the File + Transfer Protocol (FTP) [RFC0959]). + + Originally, it was the case that reachability was symmetric (although + the path taken may not be), both within a link and across the + Internet. With the advent of technologies such as Network Address + Translators (NATs) and firewalls (as in the following example + figure), this can no longer be assumed. Today, host-to-host + connectivity is challenging if not impossible in general. It is + relatively easy to initiate communication from hosts (A-E in the + example diagram) to servers (S), but not vice versa, nor between + hosts A-E. For a longer discussion on peer-to-peer connectivity, see + Appendix A of [RFC5694]. + + + + + + + + + +Thaler & IAB Informational [Page 5] + +RFC 6250 Evolution of the IP Model May 2011 + + + __________ ___ ___ + / \ ___ ___ / \ ____|FW |__A + / \ ___ / \ _____|NAT|__| | |___| + | |__|NAT|__| | |___| | |__B + | | |___| | |__C \___/ + | | \___/ ___ + S__| Internet | ___ ___ / \ + | | ___ / \ _____|NAT|__| |__D + | |__|FW |__| | |___| | | + | | |___| | |__E \___/ + \ / \___/ + \__________/ + + Figure 2 + + However, it is still the case that if a request can be sent, then a + reply to that request can generally be received, but an unsolicited + request in the other direction may not be received. [RFC2993] + discusses this in more detail. + + There are also links (e.g., satellite) that were defined as + unidirectional links and hence an address on such a link results in + asymmetric reachability. [RFC3077] explicitly addresses this problem + for multihomed hosts by tunneling packets over another interface in + order to restore symmetric reachability. + + Finally, even with common wireless networks such as 802.11, this + assumption may not be true, as discussed in Section 5.5 of + [WIRELESS]. + +3.1.2. Claim: Reachability is transitive + + Many applications assume that if a host A can contact host B, and B + can contact C, then host A can contact C. Examples of this behavior + include applications and protocols that use referrals. + + Originally, it was the case that reachability was transitive, both + within a link and across the Internet. With the advent of + technologies such as NATs and firewalls and various routing policies, + this can no longer be assumed across the Internet, but it is often + still true within a link. As a result, upper-layer protocols and + applications may be relying on transitivity within a link. However, + some radio technologies, such as 802.11 ad hoc mode, violate this + assumption within a link. + + + + + + + +Thaler & IAB Informational [Page 6] + +RFC 6250 Evolution of the IP Model May 2011 + + +3.1.3. Claim: Error messages can be received in response to data + packets + + Some upper-layer protocols and applications assume that ICMP error + messages will be received in response to packets sent that cannot be + delivered. Examples of this include the use of Path MTU Discovery + [RFC1191] [RFC1981] relying on messages indicating packets were too + big, and traceroute and the use of expanding ring search [RFC1812] + relying on messages indicating packets reached their TTL/Hop Limit. + + Originally, this assumption largely held, but many ICMP senders then + chose to rate-limit responses in order to mitigate denial-of-service + attacks, and many firewalls now block ICMP messages entirely. For a + longer discussion, see Section 2.1 of [RFC2923]. + + This led to an alternate mechanism for Path MTU Discovery that does + not rely on this assumption being true [RFC4821] and guidance to + firewall administrators ([RFC4890] and Section 3.1.1 of [RFC2979]). + +3.1.4. Claim: Multicast is supported within a link + + [RFC1112] introduced multicast to the IP service model. In this + evolution, senders still just send to a destination address without + signaling a priori, but in contrast to the original IP model, + receivers must signal to the network before they can receive traffic + to a multicast address. + + Today, many applications and protocols use multicast addresses, + including protocols for address configuration, service discovery, + etc. (See [MCAST4] and [MCAST6] for those that use well-known + addresses.) + + Most of these only assume that multicast works within a link and may + or may not function across a wider area. While network-layer + multicast works over most link types, there are Non-Broadcast Multi- + Access (NBMA) links over which multicast does not work (e.g., X.25, + ATM, frame relay, 6to4, Intra-Site Automatic Tunnel Addressing + Protocol (ISATAP), Teredo) and this can interfere with some protocols + and applications. Similarly, there are links such as 802.11 ad hoc + mode where multicast packets may not get delivered to all receivers + on the link. [RFC4861] states: + + Note that all link types (including NBMA) are expected to provide + multicast service for applications that need it (e.g., using + multicast servers). + + and its predecessor [RFC2461] contained similar wording. + + + + +Thaler & IAB Informational [Page 7] + +RFC 6250 Evolution of the IP Model May 2011 + + + However, not all link types today meet this expectation. + +3.1.5. Claim: IPv4 broadcast is supported + + IPv4 broadcast support was originally defined on a link, across a + network, and for subnet-directed broadcast, and it is used by many + applications and protocols. For security reasons, however, [RFC2644] + deprecated the forwarding of broadcast packets. Thus, since 1999, + broadcast can only be relied on within a link. Still, there exist + NBMA links over which broadcast does not work, and there exist some + "semi-broadcast" links (e.g., 802.11 ad hoc mode) where broadcast + packets may not get delivered to all nodes on the link. Another case + where broadcast fails to work is when a /32 or /31 is assigned to a + point-to-point interface (e.g., [RFC3021]), leaving no broadcast + address available. + + To a large extent, the addition of link-scoped multicast to the IP + service model obsoleted the need for broadcast. It is also worth + noting that the broadcast API model used by most platforms allows + receivers to just listen on an already provisioned address, without + signaling a priori, but in contrast to the unicast API model, senders + must signal to the local IP stack (SO_BROADCAST) before they can send + traffic to a broadcast address. However, from the network's + perspective, the host still sends without signaling a priori. + +3.1.6. Claim: Multicast/broadcast is less expensive than replicated + unicast + + Some applications and upper-layer protocols that use multicast or + broadcast do so not because they do not know the addresses of + receivers, but simply to avoid sending multiple copies of the same + packet over the same link. + + In wired networks, sending a single multicast packet on a link is + generally less expensive than sending multiple unicast packets. This + may not be true for wireless networks, where implementations can only + send multicast at the basic rate, regardless of the negotiated rates + of potential receivers. As a result, replicated unicast may achieve + much higher throughput across such links than multicast/broadcast + traffic. + +3.1.7. Claim: The end-to-end latency of the first packet to a + destination is typical + + Many applications and protocols choose a destination address by + sending a message to each of a number of candidates, picking the + first one to respond, and then using that destination for subsequent + communication. If the end-to-end latency of the first packet to each + + + +Thaler & IAB Informational [Page 8] + +RFC 6250 Evolution of the IP Model May 2011 + + + destination is atypical, this can result in a highly non-optimal + destination being chosen, with much longer paths (and hence higher + load on the Internet) and lower throughput. + + Today, there are a number of reasons this is not true. First, when + sending to a new destination there may be some startup latency + resulting from the link-layer or network-layer mechanism in use, such + as the Address Resolution Protocol (ARP), for instance. In addition, + the first packet may follow a different path from subsequent packets. + For example, protocols such as Mobile IPv6 [RFC3775], Protocol + Independent Multicast - Sparse Mode (PIM-SM) [RFC4601], and the + Multicast Source Discovery Protocol (MSDP) [RFC3618] send packets on + one path, and then allow immediately switching to a shorter path, + resulting in a large latency difference. There are various proposals + currently being evaluated by the IETF Routing Research Group that + result in similar path switching. + +3.1.8. Claim: Reordering is rare + + As discussed in [REORDER], [RFC2991], and Section 15 of [RFC3819], + there are a number of effects of reordering. For example, reordering + increases buffering requirements (and jitter) in many applications + and in devices that do packet reassembly. In particular, TCP + [RFC0793] is adversely affected by reordering since it enters fast- + retransmit when three packets are received before a late packet, + which drastically lowers throughput. Finally, some NATs and + firewalls assume that the initial fragment arrives first, resulting + in packet loss when this is not the case. + + Today, there are a number of things that cause reordering. For + example, some routers do per-packet, round-robin load balancing, + which, depending on the topology, can result in a great deal of + reordering. As another example, when a packet is fragmented at the + sender, some hosts send the last fragment first. Finally, as + discussed in Section 3.1.7, protocols that do path switching after + the first packet result in deterministic reordering within the first + burst of packets. + +3.1.9. Claim: Loss is rare and probabilistic, not deterministic + + In the original IP model, senders just send, without signaling the + network a priori. This works to a degree. In practice, the last hop + (and in rare cases, other hops) of the path needs to resolve next hop + information (e.g., the link-layer address of the destination) on + demand, which results in queuing traffic, and if the queue fills up, + some traffic gets dropped. This means that bursty sources can be + problematic (and indeed a single large packet that gets fragmented + becomes such a burst). The problem is rarely observed in practice + + + +Thaler & IAB Informational [Page 9] + +RFC 6250 Evolution of the IP Model May 2011 + + + today, either because the resolution within the last hop happens very + quickly, or because bursty applications are rarer. However, any + protocol that significantly increases such delays or adds new + resolutions would be a change to the classic IP model and may + adversely impact upper-layer protocols and applications that result + in bursts of packets. + + In addition, mechanisms that simply drop the first packet, rather + than queuing it, also break this assumption. Similar to the result + of reordering, they can result in a highly non-optimal destination + being chosen by applications that use the first one to respond. Two + examples of mechanisms that appear to do this are network interface + cards that support a "Wake-on-LAN" capability where any packet that + matches a specified pattern will wake up a machine in a power- + conserving mode, but only after dropping the matching packet, and + MSDP, where encapsulating data packets is optional, but doing so + enables bursty sources to be accommodated while a multicast tree is + built back to the source's domain. + +3.1.10. Claim: An end-to-end path exists at a single point in time + + In classic IP, applications assume that either an end-to-end path + exists to a destination or that the packet will be dropped. In + addition, IP today tends to assume that the packet delay is + relatively short (since the "Time"-to-Live is just a hop count). In + IP's earlier history, the TTL field was expected to also be + decremented each second (not just each hop). + + In general, this assumption is still true today. However, the IRTF + Delay Tolerant Networking Research Group is investigating ways for + applications to use IP in networks where this assumption is not true, + such as store-and-forward networks (e.g., packets carried by vehicles + or animals). + +3.1.11. Discussion + + The reasons why the assumptions listed above are increasingly less + true can be divided into two categories: effects caused by attributes + of link-layer technologies and effects caused by network-layer + technologies. + + RFC 3819 [RFC3819] advises link-layer protocol designers to minimize + these effects. Generally, the link-layer causes are not + intentionally trying to break IP, but rather adding IP over the + technology introduces the problem. Hence, where the link-layer + protocol itself does not do so, when specifying how IP is defined + over such a link protocol, designers should compensate to the maximum + extent possible. As examples, [RFC3077] and [RFC2491] compensate for + + + +Thaler & IAB Informational [Page 10] + +RFC 6250 Evolution of the IP Model May 2011 + + + the lack of symmetric reachability and the lack of link-layer + multicast, respectively. That is, when IP is defined over a link + type, the protocol designers should attempt to restore the + assumptions listed in this document. For example, since an + implementation can distinguish between 802.11 ad hoc mode versus + infrastructure mode, it may be possible to define a mechanism below + IP to compensate for the lack of transitivity over such links. + + At the network layer, as a general principle, we believe that + reachability is good. For security reasons ([RFC4948]), however, it + is desirable to restrict reachability by unauthorized parties; indeed + IPsec, an integral part of the IP model, provides one means to do so. + Where there are issues with asymmetry, non-transitivity, and so + forth, which are not direct results of restricting reachability to + only authorized parties (for some definition of authorized), the IETF + should attempt to avoid or solve such issues. Similar to the + principle outlined in Section 3.9 of [RFC1958], the general theme + when defining a protocol is to be liberal in what effects you accept, + and conservative in what effects you cause. + + However, in being liberal in what effects you accept, it is also + important to remember that diagnostics are important, and being too + liberal can mask problems. Thus, a tussle exists between the desire + to provide a better experience to one's own users or applications and + thus be more successful ([RFC5218]), versus the desire to put + pressure on getting problems fixed. One solution is to provide a + separate "pedantic mode" that can be enabled to see the problems + rather than mask them. + +3.2. Misconceptions about Addressing + +3.2.1. Claim: Addresses are stable over long periods of time + + Originally, addresses were manually configured on fixed machines, and + hence addresses were very stable. With the advent of technologies + such as DHCP, roaming, and wireless, addresses can no longer be + assumed to be stable for long periods of time. However, the APIs + provided to applications today typically still assume stable + addresses (e.g., address lifetimes are not exposed to applications + that get addresses). This can cause problems when addresses become + stale. + + For example, many applications resolve names to addresses and then + cache them without any notion of lifetime. In fact, the classic name + resolution APIs do not even provide applications with the lifetime of + entries. + + + + + +Thaler & IAB Informational [Page 11] + +RFC 6250 Evolution of the IP Model May 2011 + + + Proxy Mobile IPv6 [RFC5213] tries to restore this assumption to some + extent by preserving the same address while roaming around a local + area. The issue of roaming between different networks has been known + since at least 1980 when [IEN135] proposed a mobility solution that + attempted to restore this assumption by adding an additional address + that can be used by applications, which is stable while roaming + anywhere with Internet connectivity. More recent protocols such as + Mobile IPv6 (MIP6) [RFC3775] and the Host Identity Protocol (HIP) + [RFC4423] follow in this same vein. + +3.2.2. Claim: An address is four bytes long + + Many applications and protocols were designed to only support + addresses that are four bytes long. Although this was sufficient for + IPv4, the advent of IPv6 made this assumption invalid and with the + exhaustion of IPv4 address space this assumption will become + increasingly less true. There have been some attempts to try to + mitigate this problem with limited degrees of success in constrained + cases. For example, "Bump-In-the-Stack" [RFC2767] and "Bump-in-the- + API" [RFC3338] attempt to provide four-byte "IPv4" addresses for IPv6 + destinations, but have many limitations including (among a number of + others) all the problems of NATs. + +3.2.3. Claim: A host has only one address on one interface + + Although many applications assume this (e.g., by calling a name + resolution function such as gethostbyname and then just using the + first address returned), it was never really true to begin with, even + if it was the common case. Even [RFC0791] states: + + ... provision must be made for a host to have several physical + interfaces to the network with each having several logical + Internet addresses. + + However, this assumption is increasingly less true today, with the + advent of multiple interfaces (e.g., wired and wireless), dual-IPv4/ + IPv6 nodes, multiple IPv6 addresses on the same interface (e.g., + link-local and global), etc. Similarly, many protocol specifications + such as DHCP only describe operations for a single interface, whereas + obtaining host-wide configuration from multiple interfaces presents a + merging problem for nodes in practice. Too often, this problem is + simply ignored by Working Groups, and applications and users suffer + as a result from poor merging algorithms. + + One use of protocols such as MIP6 and HIP is to make this assumption + somewhat more true by adding an additional "address" that can be the + one used by such applications, and the protocol will deal with the + complexity of multiple physical interfaces and addresses. + + + +Thaler & IAB Informational [Page 12] + +RFC 6250 Evolution of the IP Model May 2011 + + +3.2.4. Claim: A non-multicast/broadcast address identifies a single + host over a long period of time + + Many applications and upper-layer protocols maintain a communication + session with a destination over some period of time. If that address + is reassigned to another host, or if that address is assigned to + multiple hosts and the host at which packets arrive changes, such + applications can have problems. + + In addition, many security mechanisms and configurations assume that + one can block traffic by IP address, implying that a single attacker + can be identified by IP address. If that IP address can also + identify many legitimate hosts, applying such a block can result in + denial of service. + + [RFC1546] introduced the notion of anycast to the IP service model. + It states: + + Because anycasting is stateless and does not guarantee delivery of + multiple anycast datagrams to the same system, an application + cannot be sure that it is communicating with the same peer in two + successive UDP transmissions or in two successive TCP connections + to the same anycast address. + + The obvious solutions to these issues are to require applications + which wish to maintain state to learn the unicast address of their + peer on the first exchange of UDP datagrams or during the first + TCP connection and use the unicast address in future + conversations. + + The issues with anycast are further discussed in [RFC4786] and + [ANYCAST]. + + Another mechanism by which multiple hosts use the same address is as + a result of scoped addresses, as defined for both IPv4 [RFC1918] + [RFC3927] and IPv6 [RFC4007]. Because such addresses can be reused + within multiple networks, hosts in different networks can use the + same address. As a result, a host that is multihomed to two such + networks cannot use the destination address to uniquely identify a + peer. For example, a host can no longer use a 5-tuple to uniquely + identify a TCP connection. This is why IPv6 added the concept of a + "zone index". + + Yet another example is that, in some high-availability solutions, one + host takes over the IP address of another failed host. + + See [RFC2101], [RFC2775], and [SHARED-ADDRESSING] for additional + discussion on address uniqueness. + + + +Thaler & IAB Informational [Page 13] + +RFC 6250 Evolution of the IP Model May 2011 + + +3.2.5. Claim: An address can be used as an indication of physical + location + + Some applications attempt to use an address to infer some information + about the physical location of the host with that address. For + example, geo-location services are often used to provide targeted + content or ads. + + Various forms of tunneling have made this assumption less true, and + this will become increasingly less true as the use of IPv4 NATs for + large networks continues to increase. See Section 7 of + [SHARED-ADDRESSING] for a longer discussion. + +3.2.6. Claim: An address used by an application is the same as the + address used for routing + + Some applications assume that the address the application uses is the + same as that used by routing. For example, some applications use raw + sockets to read/write packet headers, including the source and + destination addresses in the IP header. As another example, some + applications make assumptions about locality (e.g., whether the + destination is on the same subnet) by comparing addresses. + + Protocols such as Mobile IPv6 and HIP specifically break this + assumption (in an attempt to restore other assumptions as discussed + above). Recently, the IRTF Routing Research Group has been + evaluating a number of possible mechanisms, some of which would also + break this assumption, while others preserve this assumption near the + edges of the network and only break it in the core of the Internet. + + Breaking this assumption is sometimes referred to as an "identifier/ + locator" split. However, as originally defined in 1978 ([IEN019], + [IEN023]), an address was originally defined as only a locator, + whereas names were defined to be the identifiers. However, the TCP + protocol then used addresses as identifiers. + + Finally, in a liberal sense, any tunneling mechanism might be said to + break this assumption, although, in practice, applications that make + this assumption will continue to work, since the address of the + inside of the tunnel is still used for routing as expected. + +3.2.7. Claim: A subnet is smaller than a link + + In the classic IP model, a "subnet" is smaller than, or equal to, a + "link". Destinations with addresses in the same on-link subnet + prefix can be reached with TTL (or Hop Count) = 1. Link-scoped + multicast packets, and all-ones broadcast packets will be delivered + (in a best-effort fashion) to all listening nodes on the link. + + + +Thaler & IAB Informational [Page 14] + +RFC 6250 Evolution of the IP Model May 2011 + + + Subnet broadcast packets will be delivered (in a best effort fashion) + to all listening nodes in the subnet. There have been some efforts + in the past (e.g., [RFC0925], [RFC3069]) to allow multi-link subnets + and change the above service model, but the adverse impact on + applications that have such assumptions recommend against changing + this assumption. + + [RFC4903] discusses this topic in more detail and surveys a number of + protocols and applications that depend on this assumption. + Specifically, some applications assume that, if a destination address + is in the same on-link subnet prefix as the local machine, then + therefore packets can be sent with TTL=1, or that packets can be + received with TTL=255, or link-scoped multicast or broadcast can be + used to reach the destination. + +3.2.8. Claim: Selecting a local address selects the interface + + Some applications assume that binding to a given local address + constrains traffic reception to the interface with that address, and + that traffic from that address will go out on that address's + interface. However, Section 3.3.4.2 of [RFC1122] defines two models: + the Strong End System (or strong host) model where this is true, and + the Weak End System (or weak host) model where this is not true. In + fact, any router is inherently a weak host implementation, since + packets can be forwarded between interfaces. + +3.2.9. Claim: An address is part of an on-link subnet prefix + + To some extent, this was never true, in that there were cases in IPv4 + where the "mask" was 255.255.255.255, such as on a point-to-point + link where the two endpoints had addresses out of unrelated address + spaces, and no on-link subnet prefix existed on the link. However, + this didn't stop many platforms and applications from assuming that + every address had a "mask" (or prefix) that was on-link. The + assumption of whether a subnet is on-link (in which case one can send + directly to the destination after using ARP/ND) or off-link (in which + case one just sends to a router) has evolved over the years, and it + can no longer be assumed that an address has an on-link prefix. In + 1998, [RFC2461] introduced the distinction as part of the core IPv6 + protocol suite. This topic is discussed further in [ON-OFF-LINK], + and [RFC4903] also touches on this topic with respect to the service + model seen by applications. + +3.2.10. Discussion + + Section 4.1 of RFC 1958 [RFC1958] states: "In general, user + applications should use names rather than addresses". + + + + +Thaler & IAB Informational [Page 15] + +RFC 6250 Evolution of the IP Model May 2011 + + + We emphasize the above point, which is too often ignored. Many + commonly used APIs unnecessarily expose addresses to applications + that already use names. Similarly, some protocols are defined to + carry addresses, rather than carrying names (instead of or in + addition to addresses). Protocols and applications that are already + dependent on a naming system should be designed in such a way that + they avoid or minimize any dependence on the notion of addresses. + + One challenge is that many hosts today do not have names that can be + resolved. For example, a host may not have a fully qualified domain + name (FQDN) or a Domain Name System (DNS) server that will host its + name. + + Applications that, for whatever reason, cannot use names should be + IP-version agnostic. + +3.3. Misconceptions about Upper-Layer Extensibility + +3.3.1. Claim: New transport-layer protocols can work across the + Internet + + IP was originally designed to support the addition of new transport- + layer protocols, and [PROTOCOLS] lists many such protocols. + + However, as discussed in [WAIST-HOURGLASS], NATs and firewalls today + break this assumption and often only allow UDP and TCP (or even just + HTTP). + + Hence, while new protocols may work from some places, they will not + necessarily work from everywhere, such as from behind such NATs and + firewalls. + + Since even UDP and TCP may not work from everywhere, it may be + necessary for applications to support "HTTP failover" modes. The use + of HTTP as a "transport of last resort" has become common (e.g., + [BOSH] among others) even in situations where it is sub-optimal, such + as in real-time communications or where bidirectional communication + is required. Also, the IETF HyBi Working Group is now in the process + of designing a standards-based solution for layering other protocols + on top of HTTP. As a result of having to support HTTP failover, + applications may have to be engineered to sustain higher latency. + + + + + + + + + + +Thaler & IAB Informational [Page 16] + +RFC 6250 Evolution of the IP Model May 2011 + + +3.3.2. Claim: If one stream between a pair of addresses can get + through, then so can another + + Some applications and protocols use multiple upper-layer streams of + data between the same pair of addresses and initiated by the same + party. Passive-mode FTP [RFC0959], and RTP [RFC3550], are two + examples of such protocols, which use separate streams for data + versus control channels. + + Today, there are many reasons why this may not be true. Firewalls, + for example, may selectively allow/block specific protocol numbers + and/or values in upper-layer protocol fields (such as port numbers). + Similarly, middleboxes such as NATs that create per-stream state may + cause other streams to fail once they run out of space to store + additional stream state. + +3.3.3. Discussion + + Section 5.1 of [NEWARCH] discusses the primary requirements of the + original Internet architecture, including Service Generality. It + states: + + This goal was to support the widest possible range of + applications, by supporting a variety of types of service at the + transport level. Services might be distinguished by speed, + latency, or reliability, for example. Service types might include + virtual circuit service, which provides reliable, full-duplex byte + streams, and also datagram service, which delivers individual + packets with no guarantees of reliability or ordering. The + requirement for datagram service was motivated by early ARPAnet + experiments with packet speech (using IMP Type 3 messages). + + The reasons that the assumptions in this section are becoming less + true are due to network-layer (or higher-layer) techniques being + introduced that interfere with the original requirement. Generally, + these are done either in the name of security or as a side effect of + solving some other problem such as address shortage. Work is needed + to investigate ways to restore the original behavior while still + meeting today's security requirements. + +3.4. Misconceptions about Security + +3.4.1. Claim: Packets are unmodified in transit + + Some applications and upper-layer protocols assume that a packet is + unmodified in transit, except for a few well-defined fields (e.g., + TTL). Examples of this behavior include protocols that define their + own integrity-protection mechanism such as a checksum. + + + +Thaler & IAB Informational [Page 17] + +RFC 6250 Evolution of the IP Model May 2011 + + + This assumption is broken by NATs as discussed in [RFC2993] and other + middleboxes that modify the contents of packets. There are many + tunneling technologies (e.g., [RFC4380]) that attempt to restore this + assumption to some extent. + + The IPsec architecture [RFC4301] added security to the IP model, + providing a way to address this problem without changing + applications, although transport-mode IPsec is not currently widely + used over the Internet. + +3.4.2. Claim: Packets are private + + The assumption that data is private has never really been true. + However, many old applications and protocols (e.g., FTP) transmit + passwords or other sensitive data in the clear. + + IPsec provides a way to address this problem without changing + applications, although it is not yet widely deployed, and doing + encryption/decryption for all packets can be computationally + expensive. + +3.4.3. Claim: Source addresses are not forged + + Most applications and protocols use the source address of some + incoming packet when generating a response, and hence assume that it + has not been forged (and as a result can often be vulnerable to + various types of attacks such as reflection attacks). + + Various mechanisms that restore this assumption include, for example, + IPsec and Cryptographically Generated Addresses (CGAs) [RFC3972]. + +3.4.4. Discussion + + A good discussion of threat models and common tools can be found in + [RFC3552]. Protocol designers and applications developers are + encouraged to be familiar with that document. + +4. Security Considerations + + This document discusses assumptions about the IP service model made + by many applications and upper-layer protocols. Whenever these + assumptions are broken, if the application or upper-layer protocol + has some security-related behavior that is based on the assumption, + then security can be affected. + + + + + + + +Thaler & IAB Informational [Page 18] + +RFC 6250 Evolution of the IP Model May 2011 + + + For example, if an application assumes that binding to the IP address + of a "trusted" interface means that it will never receive traffic + from an "untrusted" interface, and that assumption is broken (as + discussed in Section 3.2.8), then an attacker could get access to + private information. + + As a result, great care should be taken when expanding the extent to + which an assumption is false. On the other hand, application and + upper-layer protocol developers should carefully consider the impact + of basing their security on any of the assumptions enumerated in this + document. + + It is also worth noting that many of the changes that have occurred + over time (e.g., firewalls, dropping directed broadcasts, etc.) that + are discussed in this document were done in the interest of improving + security at the expense of breaking some applications. + +5. Conclusion + + Because a huge number of applications already exist that use TCP/IP + for business-critical operations, any changes to the service model + need to be done with extreme care. Extensions that merely add + additional optional functionality without impacting any existing + applications are much safer than extensions that change one or more + of the core assumptions discussed above. Any changes to the above + assumptions should only be done in accordance with some mechanism to + minimize or mitigate the risks of breaking mission-critical + applications. Historically, changes have been done without regard to + such considerations and, as a result, the situation for applications + today is already problematic. The key to maintaining an + interoperable Internet is documenting and maintaining invariants that + higher layers can depend on, and being very judicious with changes. + + In general, lower-layer protocols should document the contract they + provide to higher layers; that is, what assumptions the upper layer + can rely on (sometimes this is done in the form of an applicability + statement). Conversely, higher-layer protocols should document the + assumptions they rely on from the lower layer (sometimes this is done + in the form of requirements). + + We must also recognize that a successful architecture often evolves + as success brings growth and as technology moves forward. As a + result, the various assumptions made should be periodically reviewed + when updating protocols. + + + + + + + +Thaler & IAB Informational [Page 19] + +RFC 6250 Evolution of the IP Model May 2011 + + +6. Acknowledgements + + Chris Hopps, Dow Street, Phil Hallam-Baker, and others provided + helpful discussion on various points that led to this document. Iain + Calder, Brian Carpenter, Jonathan Rosenberg, Erik Nordmark, Alain + Durand, and Iljitsch van Beijnum also provided valuable feedback. + +7. IAB Members at the Time of This Writing + + Loa Andersson + Gonzalo Camarillo + Stuart Cheshire + Russ Housley + Olaf Kolkman + Gregory Lebovitz + Barry Leiba + Kurtis Lindqvist + Andrew Malis + Danny McPherson + David Oran + Dave Thaler + Lixia Zhang + +8. IAB Members at the Time of Approval + + Bernard Aboba + Marcelo Bagnulo + Ross Callon + Spencer Dawkins + Russ Housley + John Klensin + Olaf Kolkman + Danny McPherson + Jon Peterson + Andrei Robachevsky + Dave Thaler + Hannes Tschofenig + + +9. References + +9.1. Normative References + + [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, + September 1981. + + [RFC1112] Deering, S., "Host extensions for IP multicasting", STD 5, + RFC 1112, August 1989. + + + +Thaler & IAB Informational [Page 20] + +RFC 6250 Evolution of the IP Model May 2011 + + + [RFC1122] Braden, R., "Requirements for Internet Hosts - + Communication Layers", STD 3, RFC 1122, October 1989. + + [RFC1546] Partridge, C., Mendez, T., and W. Milliken, "Host + Anycasting Service", RFC 1546, November 1993. + + [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor + Discovery for IP Version 6 (IPv6)", RFC 2461, + December 1998. + + [RFC2644] Senie, D., "Changing the Default for Directed Broadcasts + in Routers", BCP 34, RFC 2644, August 1999. + + [RFC4301] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, December 2005. + + [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, + "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, + September 2007. + +9.2. Informative References + + [ANYCAST] McPherson, D. and D. Oran, "Architectural Considerations + of IP Anycast", Work in Progress, February 2010. + + [BOSH] Paterson, I., Smith, D., Saint-Andre, P., and J. Moffitt, + "Bidirectional-streams Over Synchronous HTTP (BOSH)", + XEP 0124, 2010, + <http://xmpp.org/extensions/xep-0124.html>. + + [IEN019] Shoch, J., "A note on Inter-Network Naming, Addressing, + and Routing", IEN 19, January 1978, + <http://www.rfc-editor.org/ien/ien19.txt>. + + [IEN023] Cohen, D., "On Names, Addresses and Routings", IEN 23, + January 1978, <http://www.rfc-editor.org/ien/ien23.txt>. + + [IEN028] Postel, J., "Draft Internetwork Protocol Specification", + IEN 28, February 1978, + <http://www.rfc-editor.org/ien/ien28.pdf>. + + [IEN135] Sunshine, C. and J. Postel, "Addressing Mobile Hosts in + the ARPA Internet Environment", IEN 135, March 1980, + <http://www.rfc-editor.org/ien/ien135.txt>. + + [MCAST4] Internet Assigned Numbers Authority, "IPv4 Multicast + Addresses", + <http://www.iana.org/assignments/multicast-addresses>. + + + +Thaler & IAB Informational [Page 21] + +RFC 6250 Evolution of the IP Model May 2011 + + + [MCAST6] Internet Assigned Numbers Authority, "INTERNET PROTOCOL + VERSION 6 MULTICAST ADDRESSES", + <http://www.iana.org/assignments/ + ipv6-multicast-addresses>. + + [NEWARCH] Clark, D., et al., "New Arch: Future Generation Internet + Architecture", Air Force Research Laboratory Technical + Report AFRL-IF-RS-TR-2004-235, August 2004, <http:// + www.dtic.mil/cgi-bin/ + GetTRDoc?AD=ADA426770&Location=U2&doc=GetTRDoc.pdf>. + + [ON-OFF-LINK] + Singh, H., Beebee, W., and E. Nordmark, "IPv6 Subnet + Model", Work in Progress, February 2008. + + [PROTOCOLS] + Internet Assigned Numbers Authority, "Protocol Numbers", + <http://www.iana.org/assignments/protocol-numbers>. + + [REORDER] Bennett, J., Partridge, C., and N. Shectman, "Packet + reordering is not pathological network behavior", IEEE/ACM + Transactions on Networking, Vol. 7, No. 6, December 1999. + + [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, + RFC 793, September 1981. + + [RFC0925] Postel, J., "Multi-LAN address resolution", RFC 925, + October 1984. + + [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", + STD 9, RFC 959, October 1985. + + [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, + November 1990. + + [RFC1812] Baker, F., "Requirements for IP Version 4 Routers", + RFC 1812, June 1995. + + [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and + E. Lear, "Address Allocation for Private Internets", + BCP 5, RFC 1918, February 1996. + + [RFC1958] Carpenter, B., "Architectural Principles of the Internet", + RFC 1958, June 1996. + + [RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery + for IP version 6", RFC 1981, August 1996. + + + + +Thaler & IAB Informational [Page 22] + +RFC 6250 Evolution of the IP Model May 2011 + + + [RFC2101] Carpenter, B., Crowcroft, J., and Y. Rekhter, "IPv4 + Address Behaviour Today", RFC 2101, February 1997. + + [RFC2491] Armitage, G., Schulter, P., Jork, M., and G. Harter, "IPv6 + over Non-Broadcast Multiple Access (NBMA) networks", + RFC 2491, January 1999. + + [RFC2767] Tsuchiya, K., HIGUCHI, H., and Y. Atarashi, "Dual Stack + Hosts using the "Bump-In-the-Stack" Technique (BIS)", + RFC 2767, February 2000. + + [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, + February 2000. + + [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", + RFC 2923, September 2000. + + [RFC2979] Freed, N., "Behavior of and Requirements for Internet + Firewalls", RFC 2979, October 2000. + + [RFC2991] Thaler, D. and C. Hopps, "Multipath Issues in Unicast and + Multicast Next-Hop Selection", RFC 2991, November 2000. + + [RFC2993] Hain, T., "Architectural Implications of NAT", RFC 2993, + November 2000. + + [RFC3021] Retana, A., White, R., Fuller, V., and D. McPherson, + "Using 31-Bit Prefixes on IPv4 Point-to-Point Links", + RFC 3021, December 2000. + + [RFC3069] McPherson, D. and B. Dykes, "VLAN Aggregation for + Efficient IP Address Allocation", RFC 3069, February 2001. + + [RFC3077] Duros, E., Dabbous, W., Izumiyama, H., Fujii, N., and Y. + Zhang, "A Link-Layer Tunneling Mechanism for + Unidirectional Links", RFC 3077, March 2001. + + [RFC3338] Lee, S., Shin, M-K., Kim, Y-J., Nordmark, E., and A. + Durand, "Dual Stack Hosts Using "Bump-in-the-API" (BIA)", + RFC 3338, October 2002. + + [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. + Jacobson, "RTP: A Transport Protocol for Real-Time + Applications", STD 64, RFC 3550, July 2003. + + [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC + Text on Security Considerations", BCP 72, RFC 3552, + July 2003. + + + +Thaler & IAB Informational [Page 23] + +RFC 6250 Evolution of the IP Model May 2011 + + + [RFC3618] Fenner, B. and D. Meyer, "Multicast Source Discovery + Protocol (MSDP)", RFC 3618, October 2003. + + [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support + in IPv6", RFC 3775, June 2004. + + [RFC3819] Karn, P., Bormann, C., Fairhurst, G., Grossman, D., + Ludwig, R., Mahdavi, J., Montenegro, G., Touch, J., and L. + Wood, "Advice for Internet Subnetwork Designers", BCP 89, + RFC 3819, July 2004. + + [RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic + Configuration of IPv4 Link-Local Addresses", RFC 3927, + May 2005. + + [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", + RFC 3972, March 2005. + + [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and + B. Zill, "IPv6 Scoped Address Architecture", RFC 4007, + March 2005. + + [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through + Network Address Translations (NATs)", RFC 4380, + February 2006. + + [RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol + (HIP) Architecture", RFC 4423, May 2006. + + [RFC4601] Fenner, B., Handley, M., Holbrook, H., and I. Kouvelas, + "Protocol Independent Multicast - Sparse Mode (PIM-SM): + Protocol Specification (Revised)", RFC 4601, August 2006. + + [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast + Services", BCP 126, RFC 4786, December 2006. + + [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU + Discovery", RFC 4821, March 2007. + + [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering + ICMPv6 Messages in Firewalls", RFC 4890, May 2007. + + [RFC4903] Thaler, D., "Multi-Link Subnet Issues", RFC 4903, + June 2007. + + [RFC4948] Andersson, L., Davies, E., and L. Zhang, "Report from the + IAB workshop on Unwanted Traffic March 9-10, 2006", + RFC 4948, August 2007. + + + +Thaler & IAB Informational [Page 24] + +RFC 6250 Evolution of the IP Model May 2011 + + + [RFC5213] Gundavelli, S., Leung, K., Devarapalli, V., Chowdhury, K., + and B. Patil, "Proxy Mobile IPv6", RFC 5213, August 2008. + + [RFC5218] Thaler, D. and B. Aboba, "What Makes For a Successful + Protocol?", RFC 5218, July 2008. + + [RFC5694] Camarillo, G. and IAB, "Peer-to-Peer (P2P) Architecture: + Definition, Taxonomies, Examples, and Applicability", + RFC 5694, November 2009. + + [SHARED-ADDRESSING] + Ford, M., Boucadair, M., Durand, A., Levis, P., and P. + Roberts, "Issues with IP Address Sharing", Work + in Progress, March 2011. + + [WAIST-HOURGLASS] + Rosenberg, J., "UDP and TCP as the New Waist of the + Internet Hourglass", Work in Progress, February 2008. + + [WIRELESS] + Kotz, D., Newport, C., and C. Elliott, "The mistaken + axioms of wireless-network research", Dartmouth College + Computer Science Technical Report TR2003-467, July 2003, < + http://www.cs.dartmouth.edu/cms_file/SYS_techReport/337/ + TR2003-467.pdf>. + +Authors' Addresses + + Dave Thaler + One Microsoft Way + Redmond, WA 98052 + USA + + Phone: +1 425 703 8835 + EMail: dthaler@microsoft.com + + + Internet Architecture Board + + EMail: iab@iab.org + + + + + + + + + + + +Thaler & IAB Informational [Page 25] + |