summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9663.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc9663.txt')
-rw-r--r--doc/rfc/rfc9663.txt995
1 files changed, 995 insertions, 0 deletions
diff --git a/doc/rfc/rfc9663.txt b/doc/rfc/rfc9663.txt
new file mode 100644
index 0000000..4a5fe38
--- /dev/null
+++ b/doc/rfc/rfc9663.txt
@@ -0,0 +1,995 @@
+
+
+
+
+Internet Engineering Task Force (IETF) L. Colitti
+Request for Comments: 9663 Google, LLC
+Category: Informational J. Linkova, Ed.
+ISSN: 2070-1721 X. Ma, Ed.
+ Google
+ October 2024
+
+
+ Using DHCPv6 Prefix Delegation (DHCPv6-PD) to Allocate Unique IPv6
+ Prefixes per Client in Large Broadcast Networks
+
+Abstract
+
+ This document discusses an IPv6 deployment scenario when individual
+ nodes connected to large broadcast networks (such as enterprise
+ networks or public Wi-Fi networks) are allocated unique prefixes via
+ DHCPv6 Prefix Delegation (DHCPv6-PD), as specified in RFC 8415.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are candidates for any level of Internet
+ Standard; see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9663.
+
+Copyright Notice
+
+ Copyright (c) 2024 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Revised BSD License text as described in Section 4.e of the
+ Trust Legal Provisions and are provided without warranty as described
+ in the Revised BSD License.
+
+Table of Contents
+
+ 1. Introduction
+ 2. Requirements Language
+ 3. Terminology
+ 4. Design Principles
+ 5. Applicability and Limitations
+ 6. Routing and Addressing Considerations
+ 6.1. Prefix Pool Allocation
+ 6.2. First-Hop Router Requirements
+ 6.3. Topologies with Multiple First-Hop Routers
+ 6.4. On-Link Communication
+ 7. DHCPv6-PD Server Considerations
+ 8. Prefix Length Considerations
+ 9. Client Mobility
+ 10. Antispoofing and SAVI Interaction
+ 11. Migration Strategies and Co-existence with SLAAC Using Prefixes
+ from the PIO
+ 12. Benefits
+ 13. Privacy Considerations
+ 14. IANA Considerations
+ 15. Security Considerations
+ 16. References
+ 16.1. Normative References
+ 16.2. Informative References
+ Appendix A. Multiple Addresses Considerations
+ Acknowledgements
+ Authors' Addresses
+
+1. Introduction
+
+ Often, broadcast networks such as enterprise or public Wi-Fi
+ deployments place many devices on a shared link with a single on-link
+ prefix. This document describes an alternative deployment model
+ where individual devices obtain prefixes from the network. This
+ provides two important advantages.
+
+ First, it offers better scalability. Unlike IPv4, IPv6 allows hosts
+ to have multiple addresses, and this is the case in most deployments
+ (see Appendix A for more details). However, increasing the number of
+ addresses introduces scalability issues on the network
+ infrastructure. Network devices need to maintain various types of
+ tables and hashes (Neighbor Cache on first-hop routers, Neighbor
+ Discovery Proxy caches on Layer 2 devices, etc.). On Virtual
+ eXtensible Local Area Network (VXLAN) networks [RFC7348], each
+ address might be represented as a route. This means, for example,
+ that if every client has 10 addresses instead of one, the network
+ must support 10 times more routes, etc. If an infrastructure
+ device's resources are exhausted, the device might drop some IPv6
+ addresses from the corresponding tables, while the address owner
+ might still be using the address to send traffic. This leads to
+ traffic being discarded and a degraded customer experience.
+ Providing every host with one prefix allows the network to maintain
+ only one entry per device, while still providing the device the
+ ability to use an arbitrary number of addresses.
+
+ Second, this deployment model provides the ability to extend the
+ network. In IPv4, a device that connects to the network can provide
+ connectivity to subtended devices by using NAT. With DHCPv6 Prefix
+ Delegation (DHCPv6-PD) [RFC8415], such a device can similarly extend
+ the network, but unlike IPv4 NAT, it can provide its subtended
+ devices with full end-to-end connectivity.
+
+ Another method of deploying unique prefixes per device is documented
+ in [RFC8273]. Similarly, the standard deployment model in cellular
+ IPv6 networks [RFC6459] provides a unique prefix to every device.
+ However, providing a unique prefix per device is very uncommon in
+ enterprise-style networks, where nodes are usually connected to
+ broadcast segments such as VLANs and each link has a single on-link
+ prefix assigned. This document takes a similar approach to
+ [RFC8273], but allocates the prefix using DHCPv6-PD.
+
+ This document focuses on the behavior of the network. Host behavior
+ is not defined in this document.
+
+2. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+3. Terminology
+
+ Node: a device that implements IPv6 [RFC8200]
+
+ Host: any node that is not a router [RFC8200]
+
+ Client: a node that connects to a network and acquires addresses.
+ The node may wish to obtain addresses for its own use, or it may
+ be a router that wishes to extend the network to its physical or
+ virtual subsystems, or both. It may be either a host or a router
+ as defined by [RFC8200].
+
+ AP: (wireless) Access Point
+
+ DHCPv6 IA_NA: Identity Association for Non-temporary Addresses
+ (Section 21.4 of [RFC8415])
+
+ DHCPv6 IA_PD: Identity Association for Prefix Delegation
+ (Section 21.21 of [RFC8415])
+
+ DHCPv6-PD: DHCPv6 Prefix Delegation [RFC8415]; a mechanism to
+ delegate IPv6 prefixes to clients.
+
+ ND: Neighbor Discovery [RFC4861]
+
+ NUD: Neighbor Unreachability Detection [RFC4861]
+
+ PIO: Prefix Information Option [RFC4862]
+
+ SLAAC: IPv6 Stateless Address Autoconfiguration [RFC4862]
+
+4. Design Principles
+
+ Instead of all clients on a given link forming addresses from the
+ same shared prefix assigned to that link, this deployment model
+ operates as described below:
+
+ * A device acts as a DHCPv6-PD client and requests a prefix via
+ DHCPv6-PD by sending an IA_PD request.
+
+ * The server delegates a prefix to the client and the delegated
+ prefix is installed into the routing table of the first-hop router
+ as a route pointing to the client's link-local address. The
+ first-hop router can act as a DHCPv6 relay and snoop DHCPv6 Reply
+ messages from an off-link DHCPv6 server, or it can act as a DHCPv6
+ server itself. In both cases, it can install the route locally,
+ and if the network is running a dynamic routing protocol,
+ distribute the route or the entire prefix pool into the protocol.
+
+ * For the router and all other infrastructure devices, the delegated
+ prefix is considered off-link, so traffic to that prefix does not
+ trigger any ND packets, other than the minimum ND required to
+ sustain Neighbor Unreachability Detection (NUD) for the client's
+ link-local address.
+
+ * The device can use the delegated prefix in various ways. For
+ example, it can form addresses, as described in requirement WAA-7
+ of [RFC7084]. It can also extend the network, as described in
+ [RFC7084] or [RFC7278].
+
+ An example scenario is shown in Figure 1. Note that the prefix
+ lengths used in the example are /64 because that is the prefix length
+ currently supported by SLAAC and is not otherwise required by the
+ proposed deployment model.
+
+ +------------------------------------------------------------------+
+ | DHCPv6 Servers |
+ | Pool 3fff:0:d::/48 for clients on 2001:db8:ff::/64 link |
+ +------------+---------------------+----------------------------+--+
+ ^ | | ^ |
+ | | | | |
+ +-------+------+---------------------+--------------------+-------+---+
+ | DHCPv6| | IPv6 Network DHCPv6 | | |
+ |Relay-Forward | Relay-Forward | |
+ | ^ v Route for 3fff:0:d::/48 ^ v |
+ | | DHCPv6 | | | DHCPv6 |
+ | | Relay-Reply | | | Relay-Reply|
+ | | | | | | | |
+ +------+-------+--+----------+------------+------+-------+--------+---+
+ | | | | | | | |
+ | v | v v | | v
+ +----+----------+---------------+ +---------+-------+------------+
+ | First-hop router/DHCPv6 relay | | First-hop Router/DHCPv6 relay|
+ | 3fff:0:d:1::/64 -> fe80::aa | | 3fff:0:d:1::/64 -> fe80::aa |
+ | 3fff:0:d:2::/64 -> fe80::cc | | 3fff:0:d:2::/64 -> fe80::cc |
+ +------------+----------+-------+ +--------+----------------+----+
+ ^ | | Shared IPv6 link | ^ |
+ | | | 2001:db8:ff::/64 | | |
+ | | -+-----+-----------+---------+-----+- | |
+ | | | | | | |
+ | | | +---------------+-------------+ | DHCPv6 |
+ DHCPv6 | | | Client B (no DHCPv6-PD) | | Request v
+ Request | | |link-local address fe80::b | | ^ DHCPv6
+ ^ | | |global address 2001:db8:ff::b| | | Reply
+ | | | +-----------------------------+ | | |
+ | v | | | v
+ | DHCPv6 | +--------------------+--+----------+
+ | Reply | | Client C |
+ | | | | link-local address fe80::cc |
+ | | | | delegated prefix 3fff:0:d:2::/64 |
+ | | | +------------+-------------------+-+
+ | v | | |
+ +---+-------------+----------------------+ | Router |
+ | Client A | | Advertisement |
+ | link-local address: fe80::aa | | containing PIO v
+ | delegated prefix: 3fff:0:d:1::/64 | | 3fff:0:d:2::/64
+ | +----------------+ +----------------+ | -+---------+-----------
+ | | virtual system | | virtual system | | |
+ | | 3fff:0:d:1::de | | 3fff:0:d:1::ad | | +------+----------+
+ | | 3fff:0:d:1::ca | | 3fff:0:d:1::fe | | | Tethered device |
+ | +----------------+ +----------------+ | | 3fff:0:d:2::66 |
+ | | +-----------------+
+ +----------------------------------------+
+
+ Figure 1: An Example Topology with Two First-Hop Routers
+
+5. Applicability and Limitations
+
+ Delegating a unique prefix per client provides all the benefits of
+ both SLAAC and DHCPv6 address allocation, but at the cost of greater
+ address-space usage. This design would substantially benefit some
+ networks (see Section 12) in which the additional cost of an
+ additional service (such as DHCPv6 Prefix Delegation) and allocation
+ of a larger amount of address space can easily be justified.
+ Examples of such networks include but are not limited to:
+
+ * Large-scale networks where even three to five addresses per client
+ might introduce scalability issues.
+
+ * Networks with a high number of virtual hosts, so physical devices
+ require multiple addresses.
+
+ * Managed networks where extensive troubleshooting, device traffic
+ logging, or forensics might be required.
+
+ In smaller networks, such as home networks or small enterprises with
+ smaller address space and a lower number of clients, SLAAC is a
+ simpler and often preferred option.
+
+6. Routing and Addressing Considerations
+
+6.1. Prefix Pool Allocation
+
+ One simple deployment model is to assign a dedicated prefix pool to
+ each link. The prefixes from each link's pool are only issued to
+ requesting clients on the link; if clients move to another link, they
+ will obtain a prefix from the pool associated with the new link (see
+ Section 9).
+
+ This is very similar to how address pools are allocated when using
+ DHCP to assign individual addresses (e.g., DHCPv4 or DHCPv6 IA_NA),
+ where each link has a dedicated pool of addresses, and clients on the
+ link obtain addresses from the pool. In this model, the network can
+ route the entire pool to the link's first-hop routers, and the
+ routers do not need to advertise individual delegated prefixes into
+ the network's dynamic routing protocol.
+
+ Other deployment models, such as prefix pools shared over multiple
+ links or routers, are possible but are not described in this
+ document.
+
+6.2. First-Hop Router Requirements
+
+ In large networks, DHCPv6 servers are usually centralized and reached
+ via DHCPv6 relays co-located with the first-hop routers. To delegate
+ IPv6 prefixes to clients, the first hop routers need to implement
+ DHCPv6 relay functions and meet the requirements defined in
+ [RFC8987]. In particular, per Section 4.2 of [RFC8987], the first-
+ hop router must maintain a local routing table that contains all
+ prefixes delegated to clients.
+
+ With the first-hop routers performing DHCPv6 relay functions, the
+ proposed design neither requires any subsequent relays in the path
+ nor introduces any requirements (e.g., snooping) for such subsequent
+ relays, if they are deployed.
+
+ To ensure that routes to the delegated prefixes are preserved even if
+ a relay is rebooted or replaced, the operator MUST ensure that all
+ relays in the network infrastructure support DHCPv6 Bulk Leasequery
+ as defined in [RFC5460]. While Section 4.3 of [RFC8987] lists
+ keeping active prefix delegations in persistent storage as an
+ alternative to DHCPv6 Bulk Leasequery, relying on persistent storage
+ has the following drawbacks:
+
+ * In a network with multiple relays, network state can change
+ significantly while the relay is rebooting (new prefixes might be
+ delegated or some prefixes might be expiring, etc).
+
+ * Persistent storage might not be preserved if the router is
+ physically replaced.
+
+ Another mechanism for first-hop routers to obtain information about
+ delegated prefixes is by using Active Leasequery [RFC7653], though
+ this is not yet widely supported.
+
+6.3. Topologies with Multiple First-Hop Routers
+
+ In a topology with redundant first-hop routers, all the routers need
+ to relay DHCPv6 traffic, install the delegated prefixes into their
+ routing tables and, if needed, advertise those prefixes to the
+ network.
+
+ If the first-hop routers obtain information about delegated prefixes
+ by snooping DHCPv6 Reply messages sent by the server, then all the
+ first-hop routers must be able to snoop these messages. This is
+ possible if the client multicasts the DHCPv6 messages it sends to the
+ server. The server will receive one copy of the client message
+ through each first-hop relay, and will reply unicast to each of them
+ via the relay (or chain of relays) from which it received the
+ message. Thus, all first-hop relays will be able to snoop the
+ replies. Per Section 14 of [RFC8415], clients always use multicast
+ unless the server uses the Server Unicast option to explicitly allow
+ unicast communication ([RFC8415], Section 21.12). Therefore, in
+ topologies with multiple first-hop routers, the DHCPv6 servers MUST
+ be configured not to use the Server Unicast option. It should be
+ noted that [RFC8415bis] deprecates the Server Unicast option
+ precisely because it is not compatible with topologies with multiple
+ first-hop relays.
+
+ To recover from crashes or reboots, relays can use Bulk Leasequery or
+ Active Leasequery to issue a QUERY_BY_RELAY_ID with the ID(s) of the
+ other relay(s), as configured by the operator. Additionally, some
+ vendors provide vendor-specific mechanisms to synchronize state
+ between DHCP relays.
+
+6.4. On-Link Communication
+
+ For security reasons, some networks block on-link device-to-device
+ traffic at Layer 2 to prevent communication between clients on the
+ same link. In this case, delegating a prefix to each client doesn't
+ affect traffic flows, as all traffic is sent to the first-hop router
+ anyway. Depending on the network security policy, the router may
+ allow or drop the traffic.
+
+ If the network does allow peer-to-peer communication, the PIO for the
+ on-link prefix is usually advertised with the L-bit set to 1
+ [RFC4861]. As a result, all addresses from that prefix are
+ considered on-link, and traffic to those destinations is sent
+ directly (not via routers). If such a network delegates prefixes to
+ clients (as described in this document), then each client will
+ consider other client's destination addresses to be off-link, because
+ those addresses are from the delegated prefixes and are no longer
+ within the on-link prefix. When a client sends traffic to another
+ client, packets will initially be sent to the default router. The
+ router will respond with an ICMPv6 redirect message (Section 4.5 of
+ [RFC4861]). If the client receives and accepts the redirect, then
+ traffic can flow directly from device to device. Therefore, the
+ administrator deploying the solution described in this document
+ SHOULD ensure that the first-hop routers can send ICMPv6 redirects
+ (the routers are configured to do so and the security policies permit
+ those messages).
+
+7. DHCPv6-PD Server Considerations
+
+ This document does not introduce any changes to the DHCPv6 protocol
+ itself. However, for the proposed solution to work correctly, the
+ DHCPv6-PD server needs to be configured as follows:
+
+ * The server MUST follow recommendations from [RFC8168] on
+ processing prefix-length hints.
+
+ * The server MUST provide a prefix short enough for the client to
+ extend the network to at least one interface and allow nodes on
+ that interface to obtain addresses via SLAAC. The server MAY
+ provide more address space to clients that ask for it, either by
+ delegating multiple such prefixes, or by delegating a single
+ prefix of a shorter length. It should be noted that [RFC8168]
+ allows the server to provide a prefix shorter than the prefix-
+ length hint value received from the client.
+
+ * If the server receives the same Solicit message from the same
+ client multiple times through multiple relays, it MUST reply to
+ all of them with the same prefix(es). This ensures that all the
+ relays will correctly configure routes to the delegated prefixes.
+
+ * The server MUST NOT send the Server Unicast option to the client
+ unless the network topology guarantees that no client is connected
+ to a link with multiple relays (see Section 6.3).
+
+ * In order to ensure uninterrupted connectivity when a first-hop
+ router crashes or reboots, the server MUST support Bulk Leasequery
+ or Active Leasequery.
+
+ As most operators have some experience with IPv4, they can use a
+ similar approach for choosing the pool size and the timers (such as
+ T1 and T2 timers). In particular, the following factors should be
+ taken into account:
+
+ * the expected maximum number of clients;
+
+ * the average duration of client connections;
+
+ * how mobile the clients are (a network where all clients are
+ connected to a single wired VLAN might choose longer timers than a
+ network where clients can switch between multiple wireless
+ networks);
+
+ * how often clients are expected to reconnect to the network (for
+ example, a corporate authenticated Wi-Fi network might be using
+ longer timers than an open public Wi-Fi).
+
+ DHCPv6 servers that delegate prefixes can interface with Dynamic DNS
+ infrastructure to automatically populate reverse DNS using wildcard
+ records, similarly to what is described in Section 2.2 of [RFC8501].
+ Networks that also wish to populate forward DNS cannot do so
+ automatically based only on DHCPv6 prefix delegation transactions,
+ but they can do so in other ways, such as by supporting DHCPv6
+ address registration as described in [ADDR-NOTIFICATION].
+
+ Some additional recommendations driven by security and privacy
+ considerations are discussed in Section 15 and Section 13.
+
+8. Prefix Length Considerations
+
+ Delegating a prefix of sufficient size to use SLAAC allows the client
+ to extend the network, providing limitless addresses to IPv6 nodes
+ connected to it (e.g., virtual machines or tethered devices), because
+ all IPv6 hosts are required to support SLAAC [RFC8504].
+ Additionally, even clients that support other forms of address
+ assignment require SLAAC for some functions, such as forming
+ dedicated addresses for the use of 464XLAT (see Section 6.3 of
+ [RFC6877]).
+
+ At the time of writing, the only prefix size that will allow devices
+ to use SLAAC is 64 bits. Also, as noted in [RFC7421], using an
+ interface identifier (IID) shorter than 64 bits and a subnet prefix
+ longer than 64 bits is outside the current IPv6 specifications.
+ Choosing longer prefixes would require the client and any connected
+ system to use other address assignment mechanisms. This would limit
+ the applicability of the proposed solution, as other mechanisms are
+ not currently supported by many hosts.
+
+ For the same reasons, a prefix length of /64 or shorter is required
+ to extend the network as described in [RFC7084] (see requirement
+ L-2), and a prefix length of /64 is required to provide global
+ connectivity for stub networks as per [SNAC-SIMPLE].
+
+ Assigning a prefix of sufficient size to support SLAAC is possible on
+ large networks. In general, any network that numbers clients from an
+ IPv4 prefix of length X (e.g., X=/18, X=/24) would require an IPv6
+ prefix of length X+32 (e.g., X=/40, X=/56) to provide a /64 prefix to
+ every device. As an example, Section 9.2 of [RFC7934] suggests that
+ even a very large network that assigns every single one of the 16
+ million IPv4 addresses in 10.0.0.0/8 would only need an IPv6 /40. A
+ /40 prefix is a small amount of address space: there are 32 times
+ more /40s in the current IPv6 unicast range 2000::/3 than there are
+ IPv4 addresses. Existing sites that currently use a /48 prefix
+ cannot support more than 64k clients in this model without
+ renumbering, though many networks of such size have Local Internet
+ Registry (LIR) status and can justify bigger address blocks.
+
+ Note that assigning a prefix of sufficient size to support SLAAC does
+ not require that subtended nodes use SLAAC; they can use other
+ address assignment mechanisms as well.
+
+9. Client Mobility
+
+ As per Section 18.2.12 of [RFC8415], when the client moves to a new
+ link, it MUST initiate a Rebind/Reply message exchange. Therefore,
+ when the client moves between network attachment points, it would
+ refresh its delegated prefix the same way it refreshes addresses
+ assigned (via SLAAC or DHCPv6 IA_NA) from a shared on-link prefix:
+
+ * When a client moves from between different attachment points on
+ the same link (e.g., roams between two APs while connected to the
+ same wireless network or moves between two switchports belonging
+ to the same VLAN), the delegated prefix does not change, and the
+ first-hop routers have a route for the prefix with the nexthop set
+ to the client link-local address on that link. As per requirement
+ S-2 in Section 4.3 of [RFC8987], the DHCPv6-relays (the first-hop
+ routers) MUST retain the route for the delegating prefix until the
+ route is released or removed due to expiring DHCP timers.
+ Therefore, if the client reconnects to the same link, the prefix
+ doesn't change.
+
+ * When a client moves to a different link, the DHCPv6 server
+ provides the client with a new prefix, so the behavior is
+ consistent with SLAAC or DHCPv6-assigned addresses, which are also
+ different on the new link.
+
+ In theory, DHCPv6 servers can delegate the same prefix to the same
+ client even if the client changes the attachment points. However,
+ while allowing the client to keep the same prefix while roaming
+ between links might provide some benefits for the client, it is not
+ feasible without changing DHCPv6 relay behavior: after the client
+ moves to a new link, the DHCPv6 relays would retain the route
+ pointing to the client's link-local address on the old link for the
+ duration of DHCPv6 timers (see requirement S-2, Section 4.3 of
+ [RFC8987]). As a result, the first-hop routers would have two routes
+ for the same prefix pointing to different links, causing connectivity
+ issues for the client.
+
+ It should be noted that addressing clients from a shared on-link
+ prefix also does not allow clients to keep addresses while roaming
+ between links, so the proposed solution is not different in that
+ regard. In addition to that, different links often have different
+ security policies applied (for example, corporate internal networks
+ versus guest networks), hence clients on different links need to use
+ different prefixes.
+
+10. Antispoofing and SAVI Interaction
+
+ Enabling unicast Reverse Path Forwarding (uRPF) [RFC3704] on the
+ first-hop router interfaces towards clients provides the first layer
+ of defense against spoofing. A spoofed packet sent by a malicious
+ client would be dropped by the router unless the spoofed address
+ belongs to a prefix delegated to another client on the same
+ interface. Therefore the malicious client can only spoof addresses
+ already delegated to another client on the same link or another
+ client's link-local address.
+
+ Source Address Validation Improvement (SAVI) [RFC7039] provides more
+ reliable protection against address spoofing. Administrators
+ deploying the proposed solution on SAVI-enabled infrastructure SHOULD
+ ensure that SAVI perimeter devices support DHCPv6-PD snooping to
+ create the correct binding for the delegated prefixes (see
+ [RFC7513]). Using FCFS SAVI [RFC6620] to protect link-local
+ addresses and create SAVI bindings for DHCPv6-PD assigned prefixes
+ would prevent spoofing.
+
+ Some infrastructure devices do not implement SAVI as defined in
+ [RFC7039]; instead, they perform other forms of address tracking and
+ snooping for security or performance improvement purposes (e.g., ND
+ proxy). This is very common behavior for wireless devices (such as
+ access points and controllers). Administrators SHOULD ensure that
+ such devices are able to snoop DHCPv6-PD packets so the traffic from
+ the delegated prefixes is not dropped.
+
+ It should be noted that using DHCPv6-PD makes it harder for an
+ attacker to select the spoofed source address. When all clients are
+ using the same shared link to form addresses, the attacker might
+ learn addresses used by other clients by listening to multicast
+ Neighbor Solicitations and Neighbor Advertisements. In DHCPv6-PD
+ environments, however, the attacker can only learn about other
+ clients' global addresses by listening to multicast DHCPv6 messages,
+ which are not transmitted so often, and may not be received by the
+ client at all because they are sent to multicast groups that are
+ specific to DHCPv6 servers and relays.
+
+11. Migration Strategies and Co-existence with SLAAC Using Prefixes
+ from the PIO
+
+ It would be beneficial for the network to explicitly indicate its
+ support of DHCPv6-PD for connected clients.
+
+ * In small networks (e.g., home networks), where the number of
+ clients is not too high, the number of available prefixes becomes
+ a limiting factor. If every phone or laptop in a home network
+ were to request a unique prefix suitable for SLAAC, the home
+ network might run out of prefixes, if the prefix allocated to the
+ Customer Premises Equipment (CPE) by its ISP is too long. For
+ example, if an ISP delegates a /60, the CPE would only be able to
+ delegate fifteen /64 prefixes to clients. So while the enterprise
+ network administrator might want all phones in the network to
+ request a prefix, it would be highly undesirable for the same
+ phone to request a prefix when connecting to a home network.
+
+ * When the network supports both a unique prefix per client and a
+ PIO with A=1 as address assignment methods, it's highly desirable
+ for the client NOT to use the PIO prefix to form global addresses
+ and instead only use the prefix delegated via DHCPv6-PD. Starting
+ both SLAAC using the PIO prefix and DHCPv6-PD, and then
+ deprecating the SLAAC addresses after receiving a delegated prefix
+ would be very disruptive for applications. If the client
+ continues to use addresses formed from the PIO prefix, it would
+ not only undermine the benefits of the proposed solution (see
+ Section 12), but it would also introduce complexity and
+ unpredictability in the source address selection. Therefore, the
+ client needs to know what address assignment method to use and
+ whether or not to use the prefix in the PIO, if the network
+ provides the PIO with the 'A' flag set.
+
+ The deployment model described in this document does not require the
+ network to signal support of DHCPv6-PD: for example, devices acting
+ as compatible routers [RFC7084] will be able to receive prefixes via
+ DHCPv6-PD even without such signaling. Also, some clients may decide
+ to start DHCPv6-PD and acquire prefixes if they detect that the
+ network does not provide addresses via SLAAC. To fully achieve the
+ benefits described in this section, [PIO-PFLAG] defines a new PIO
+ flag to signal that DHCPv6-PD is the preferred method of obtaining
+ prefixes.
+
+12. Benefits
+
+ The proposed solution provides the following benefits:
+
+ * Network device resources (e.g., memory) need to scale to the
+ number of devices, not the number of IPv6 addresses. The first-
+ hop routers have a single route per device pointing to the
+ device's link-local address. This can potentially enable hardware
+ cost savings; for example, if hardware such as wireless LAN
+ controllers is limited to supporting only a specific number of
+ client addresses, or in VXLAN deployments where each client
+ address consumes one routing table entry.
+
+ * The cost of having multiple addresses is offloaded to the clients.
+ Hosts are free to create and use as many addresses as they need
+ without imposing any additional costs onto the network.
+
+ * If all clients connected to the given link support this mode of
+ operation and can generate addresses from the delegated prefixes,
+ there is no reason to advertise a common prefix assigned to that
+ link in the PIO with the 'A' flag set. Therefore, it is possible
+ to remove the global shared prefix from that link and the router
+ interface completely, so no global addresses are on-link for the
+ link. This would lead to reducing the attack surface for Neighbor
+ Discovery attacks described in [RFC6583].
+
+ * DHCPv6-PD logs and routing tables obtained from first-hop routers
+ provide complete information on IPv6 to MAC mapping, which can be
+ used for forensics and troubleshooting. Such information is much
+ less dynamic than the ND cache; therefore, it's much easier for an
+ operator to collect and process it.
+
+ * A dedicated prefix per client allows the network administrator to
+ create security policies per device (such as ACLs) even if the
+ client is using temporary addresses. This mitigates one of the
+ issues described in [IPv6-ADDRESS].
+
+ * Fate sharing: all global addresses used by a given client are
+ routed as a single prefix. Either all of them work or none of
+ them work, which makes failures easier to diagnose and mitigate.
+
+ * Lower level of multicast traffic: less Neighbor Discovery
+ [RFC4861] multicast packets, as the routers need to resolve only
+ the clients' link-local addresses. Also, there is no Duplicate
+ Address Detection (DAD) traffic except for the clients' link-local
+ addresses.
+
+ * Ability to extend the network transparently. If the network
+ delegates to the client a prefix of sufficient size to support
+ SLAAC, the client can provide connectivity to other hosts, as is
+ possible in IPv4 with NAT (e.g., by acting as an IPv6 Customer
+ Edge (CE) router as described in [RFC7084]).
+
+13. Privacy Considerations
+
+ If an eavesdropper or information collector is aware that a given
+ client is using the proposed mechanism, then they may be able to
+ track the client based on its prefix. The privacy implications of
+ this are equivalent to the privacy implications of networks using
+ stateful DHCPv6 address assignment: in both cases, the IPv6 addresses
+ are determined by the server, either because the server assigns a
+ full 128-bit address in a shared prefix, or because the server
+ determines what prefix is delegated to the client. Administrators
+ deploying the proposed mechanism can use similar methods to mitigate
+ the impact as the ones used today in networks that use stateful
+ DHCPv6 address assignment.
+
+ Except for networks (such as datacenter networks) where hosts do not
+ need temporary addresses [RFC8981], the network SHOULD:
+
+ * Ensure that when a client requests a prefix, the prefix is
+ randomly assigned and not allocated deterministically.
+
+ * Use short prefix lifetimes (e.g., hours) to ensure that when a
+ client disconnects and reconnects it gets a different prefix.
+
+ * Allow the client to have more than one prefix at the same time.
+ This allows the client to rotate prefixes using a mechanism
+ similar to temporary addresses, but that operates on prefixes
+ instead of on individual addresses. In this case, the prefix's
+ lifetime MUST be short enough to allow the client to use a
+ reasonable rotation interval without using too much address space.
+ For example, if every 24 hours the client asks for a new prefix
+ and stops renewing the old prefix, and the Valid Lifetime of
+ delegated prefixes is one hour, then the client will consume two
+ prefixes for one hour out of 24 hours, and thus will consume just
+ under 1.05 prefixes on average.
+
+14. IANA Considerations
+
+ This document has no IANA actions.
+
+15. Security Considerations
+
+ A malicious (or just misbehaving) client might attempt to exhaust the
+ DHCPv6-PD pool by sending a large number of requests with differing
+ DHCP Unique Identifiers (DUIDs). To prevent a misbehaving client
+ from denying service to other clients, the DHCPv6 server or relay
+ MUST support limiting the number of prefixes delegated to a given
+ client at any given time.
+
+ Networks can protect against malicious clients by authenticating
+ devices using tokens that cannot be spoofed (e.g., 802.1x
+ authentication) and limiting the number of link-local addresses or
+ MAC addresses that each client is allowed to use. Note that this is
+ not a new issue, as the same attack might be implemented using DHCPv4
+ or DHCPv6 IA_NA requests; in particular, while it is unlikely for
+ clients to be able to exhaust an IA_NA address pool, clients using
+ IA_NA can exhaust other resources such as DHCPv6 and routing
+ infrastructure resources such as server RAM, ND cache entries,
+ Ternary Content-Addressable Memory (TCAM) entries, SAVI entries, etc.
+
+ A malicious client might request a prefix and then release it very
+ quickly, causing routing convergence events on the relays. The
+ impact of this attack can be reduced if the network rate-limits the
+ amount of broadcast and multicast messages from the client.
+
+ Delegating the same prefix for the same client introduces privacy
+ concerns. The proposed mitigation is discussed in Section 13.
+
+ Spoofing scenarios and prevention mechanisms are discussed in
+ Section 10.
+
+16. References
+
+16.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
+ Addresses", RFC 4193, DOI 10.17487/RFC4193, October 2005,
+ <https://www.rfc-editor.org/info/rfc4193>.
+
+ [RFC5460] Stapp, M., "DHCPv6 Bulk Leasequery", RFC 5460,
+ DOI 10.17487/RFC5460, February 2009,
+ <https://www.rfc-editor.org/info/rfc5460>.
+
+ [RFC6620] Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS
+ SAVI: First-Come, First-Served Source Address Validation
+ Improvement for Locally Assigned IPv6 Addresses",
+ RFC 6620, DOI 10.17487/RFC6620, May 2012,
+ <https://www.rfc-editor.org/info/rfc6620>.
+
+ [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
+ Combination of Stateful and Stateless Translation",
+ RFC 6877, DOI 10.17487/RFC6877, April 2013,
+ <https://www.rfc-editor.org/info/rfc6877>.
+
+ [RFC7084] Singh, H., Beebee, W., Donley, C., and B. Stark, "Basic
+ Requirements for IPv6 Customer Edge Routers", RFC 7084,
+ DOI 10.17487/RFC7084, November 2013,
+ <https://www.rfc-editor.org/info/rfc7084>.
+
+ [RFC8168] Li, T., Liu, C., and Y. Cui, "DHCPv6 Prefix-Length Hint
+ Issues", RFC 8168, DOI 10.17487/RFC8168, May 2017,
+ <https://www.rfc-editor.org/info/rfc8168>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8273] Brzozowski, J. and G. Van de Velde, "Unique IPv6 Prefix
+ per Host", RFC 8273, DOI 10.17487/RFC8273, December 2017,
+ <https://www.rfc-editor.org/info/rfc8273>.
+
+ [RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
+ Richardson, M., Jiang, S., Lemon, T., and T. Winters,
+ "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
+ RFC 8415, DOI 10.17487/RFC8415, November 2018,
+ <https://www.rfc-editor.org/info/rfc8415>.
+
+ [RFC8981] Gont, F., Krishnan, S., Narten, T., and R. Draves,
+ "Temporary Address Extensions for Stateless Address
+ Autoconfiguration in IPv6", RFC 8981,
+ DOI 10.17487/RFC8981, February 2021,
+ <https://www.rfc-editor.org/info/rfc8981>.
+
+ [RFC8987] Farrer, I., Kottapalli, N., Hunek, M., and R. Patterson,
+ "DHCPv6 Prefix Delegating Relay Requirements", RFC 8987,
+ DOI 10.17487/RFC8987, February 2021,
+ <https://www.rfc-editor.org/info/rfc8987>.
+
+16.2. Informative References
+
+ [ADDR-NOTIFICATION]
+ Kumari, W., Krishnan, S., Asati, R., Colitti, L., Linkova,
+ J., and S. Jiang, "Registering Self-generated IPv6
+ Addresses using DHCPv6", Work in Progress, Internet-Draft,
+ draft-ietf-dhc-addr-notification-13, 16 May 2024,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-dhc-
+ addr-notification-13>.
+
+ [IPv6-ADDRESS]
+ Gont, F. and G. Gont, "Implications of IPv6 Addressing on
+ Security Operations", Work in Progress, Internet-Draft,
+ draft-ietf-opsec-ipv6-addressing-00, 2 June 2023,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-opsec-
+ ipv6-addressing-00>.
+
+ [PIO-PFLAG]
+ Colitti, L., Linkova, J., Ma, X., and D. Lamparter,
+ "Signaling DHCPv6 Prefix per Client Availability to
+ Hosts", Work in Progress, Internet-Draft, draft-ietf-6man-
+ pio-pflag-11, 4 October 2024,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-6man-
+ pio-pflag-11>.
+
+ [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
+ Networks", BCP 84, RFC 3704, DOI 10.17487/RFC3704, March
+ 2004, <https://www.rfc-editor.org/info/rfc3704>.
+
+ [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
+ "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
+ DOI 10.17487/RFC4861, September 2007,
+ <https://www.rfc-editor.org/info/rfc4861>.
+
+ [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
+ Address Autoconfiguration", RFC 4862,
+ DOI 10.17487/RFC4862, September 2007,
+ <https://www.rfc-editor.org/info/rfc4862>.
+
+ [RFC6459] Korhonen, J., Ed., Soininen, J., Patil, B., Savolainen,
+ T., Bajko, G., and K. Iisakkila, "IPv6 in 3rd Generation
+ Partnership Project (3GPP) Evolved Packet System (EPS)",
+ RFC 6459, DOI 10.17487/RFC6459, January 2012,
+ <https://www.rfc-editor.org/info/rfc6459>.
+
+ [RFC6583] Gashinsky, I., Jaeggli, J., and W. Kumari, "Operational
+ Neighbor Discovery Problems", RFC 6583,
+ DOI 10.17487/RFC6583, March 2012,
+ <https://www.rfc-editor.org/info/rfc6583>.
+
+ [RFC7039] Wu, J., Bi, J., Bagnulo, M., Baker, F., and C. Vogt, Ed.,
+ "Source Address Validation Improvement (SAVI) Framework",
+ RFC 7039, DOI 10.17487/RFC7039, October 2013,
+ <https://www.rfc-editor.org/info/rfc7039>.
+
+ [RFC7278] Byrne, C., Drown, D., and A. Vizdal, "Extending an IPv6
+ /64 Prefix from a Third Generation Partnership Project
+ (3GPP) Mobile Interface to a LAN Link", RFC 7278,
+ DOI 10.17487/RFC7278, June 2014,
+ <https://www.rfc-editor.org/info/rfc7278>.
+
+ [RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
+ L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
+ eXtensible Local Area Network (VXLAN): A Framework for
+ Overlaying Virtualized Layer 2 Networks over Layer 3
+ Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014,
+ <https://www.rfc-editor.org/info/rfc7348>.
+
+ [RFC7421] Carpenter, B., Ed., Chown, T., Gont, F., Jiang, S.,
+ Petrescu, A., and A. Yourtchenko, "Analysis of the 64-bit
+ Boundary in IPv6 Addressing", RFC 7421,
+ DOI 10.17487/RFC7421, January 2015,
+ <https://www.rfc-editor.org/info/rfc7421>.
+
+ [RFC7513] Bi, J., Wu, J., Yao, G., and F. Baker, "Source Address
+ Validation Improvement (SAVI) Solution for DHCP",
+ RFC 7513, DOI 10.17487/RFC7513, May 2015,
+ <https://www.rfc-editor.org/info/rfc7513>.
+
+ [RFC7653] Raghuvanshi, D., Kinnear, K., and D. Kukrety, "DHCPv6
+ Active Leasequery", RFC 7653, DOI 10.17487/RFC7653,
+ October 2015, <https://www.rfc-editor.org/info/rfc7653>.
+
+ [RFC7934] Colitti, L., Cerf, V., Cheshire, S., and D. Schinazi,
+ "Host Address Availability Recommendations", BCP 204,
+ RFC 7934, DOI 10.17487/RFC7934, July 2016,
+ <https://www.rfc-editor.org/info/rfc7934>.
+
+ [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6
+ (IPv6) Specification", STD 86, RFC 8200,
+ DOI 10.17487/RFC8200, July 2017,
+ <https://www.rfc-editor.org/info/rfc8200>.
+
+ [RFC8415bis]
+ Mrugalski, T., Volz, B., Richardson, M., Jiang, S., and T.
+ Winters, "Dynamic Host Configuration Protocol for IPv6
+ (DHCPv6)", Work in Progress, Internet-Draft, draft-ietf-
+ dhc-rfc8415bis-05, 8 July 2024,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-dhc-
+ rfc8415bis-05>.
+
+ [RFC8501] Howard, L., "Reverse DNS in IPv6 for Internet Service
+ Providers", RFC 8501, DOI 10.17487/RFC8501, November 2018,
+ <https://www.rfc-editor.org/info/rfc8501>.
+
+ [RFC8504] Chown, T., Loughney, J., and T. Winters, "IPv6 Node
+ Requirements", BCP 220, RFC 8504, DOI 10.17487/RFC8504,
+ January 2019, <https://www.rfc-editor.org/info/rfc8504>.
+
+ [SNAC-SIMPLE]
+ Lemon, T. and J. Hui, "Automatically Connecting Stub
+ Networks to Unmanaged Infrastructure", Work in Progress,
+ Internet-Draft, draft-ietf-snac-simple-05, 8 July 2024,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-snac-
+ simple-05>.
+
+Appendix A. Multiple Addresses Considerations
+
+ While a typical IPv4 host normally has only one IPv4 address per
+ interface, an IPv6 device almost always has multiple addresses
+ assigned to its interface. At the very least, a host can be expected
+ to have one link-local address, one temporary address, and, in most
+ cases, one stable global address. On a network providing NAT64
+ service, an IPv6-only host running the 464XLAT customer-side
+ translator (CLAT) [RFC6877] would use a dedicated 464XLAT address,
+ configured via SLAAC (see Section 6.3 of [RFC6877]), which brings the
+ total number of addresses to four. Other common scenarios where the
+ number of addresses per host interface might increase significantly
+ include but are not limited to:
+
+ * Devices running containers or namespaces: each container or
+ namespace would have multiple addresses as described above. As a
+ result, a device running just a few containers in a bridge mode
+ can easily have 20 or more IPv6 addresses on the given link.
+
+ * Networks assigning multiple prefixes to a given link: multihomed
+ networks, networks using Unique Local IPv6 Unicast Addresses (ULA,
+ [RFC4193]) and non-ULA prefixes together, or networks performing a
+ graceful renumbering from one prefix to another.
+
+ [RFC7934] discusses this aspect and explicitly states that IPv6
+ deployments SHOULD NOT limit the number of IPv6 addresses a host can
+ have. However, it has been observed that networks often do limit the
+ number of on-link addresses per device, likely in an attempt to
+ protect network resources and prevent DoS attacks.
+
+ The most common scenario of network-imposed limitations is ND proxy.
+ Many enterprise-scale wireless solutions implement ND proxy to reduce
+ the amount of broadcast and multicast downstream (AP to clients)
+ traffic and provide SAVI functions. To perform ND proxy, a device
+ usually maintains a table containing IPv6 and MAC addresses of
+ connected clients. At least some implementations have hardcoded
+ limits on how many IPv6 addresses per single MAC such a table can
+ contain. When the limit is exceeded, the behavior is implementation
+ dependent. Some vendors just fail to install an N+1 address to the
+ table. Others delete the oldest entry for this MAC and replace it
+ with the new address. In any case, the affected addresses lose
+ network connectivity without receiving any implicit signal, with
+ traffic being silently dropped.
+
+Acknowledgements
+
+ Thanks to Harald Alvestrand, Nick Buraglio, Brian Carpenter, Tim
+ Chown, Roman Danyliw, Gert Doering, David Farmer, Fernando Gont, Joel
+ Halpern, Nick Hilliard, Bob Hinden, Martin Hunek, Erik Kline, Warren
+ Kumari, David Lamparter, Andrew McGregor, Tomek Mrugalski, Alexandre
+ Petrescu, Jurgen Schonwalder, Pascal Thubert, Ole Troan, Eric Vyncke,
+ Eduard Vasilenko, Timothy Winters, Chongfeng Xie, and Peter Yee for
+ the discussions, their input, and all contributions.
+
+Authors' Addresses
+
+ Lorenzo Colitti
+ Google, LLC
+ Shibuya 3-21-3,
+ Japan
+ Email: lorenzo@google.com
+
+
+ Jen Linkova (editor)
+ Google
+ 1 Darling Island Rd
+ Pyrmont New South Wales 2009
+ Australia
+ Email: furry13@gmail.com, furry@google.com
+
+
+ Xiao Ma (editor)
+ Google
+ Shibuya 3-21-3,
+ Japan
+ Email: xiaom@google.com