[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

Network Working Group                                            N. Ward
Internet-Draft                                           Braintrust Ltd.
Intended status: Standards Track                           March 4, 2009
Expires: September 5, 2009


             IPv6 Autoconfig Filtering on Ethernet Switches
           draft-nward-ipv6-autoconfig-filtering-ethernet-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 5, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   Many ethernet switch vendors provide features for filtering IPv4
   address assignment services - i.e.  DHCP, Bootp.  This document
   describes what is necessary for a switch to provide the same level of



Ward                    Expires September 5, 2009               [Page 1]

Internet-Draft          IPv6 Autoconfig Filtering             March 2009


   filtering for IPv6, as a standard on which operators can base
   equipment selection decisions.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
     2.1.  Router Advertisements . . . . . . . . . . . . . . . . . . . 4
     2.2.  DHCPv6 Replies  . . . . . . . . . . . . . . . . . . . . . . 4
   3.  Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
     3.1.  Requests  . . . . . . . . . . . . . . . . . . . . . . . . . 5
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 6
   7.  Normative References  . . . . . . . . . . . . . . . . . . . . . 6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 6




























Ward                    Expires September 5, 2009               [Page 2]

Internet-Draft          IPv6 Autoconfig Filtering             March 2009


1.  Introduction

   IPv6 provides several ways of assigning addresses to IPv6 capable
   hosts.  These are the prefix field in Router Advertisement (RA)
   messages, and stateful DHCPv6.  In IPv4, we can filter DHCP and Bootp
   servers in ethernet switches, allowing only our authorised
   configuration servers to provide autoconfiguration information to
   hosts.  Few ethernet switches provide similar functionality for IPv6
   autoconfiguration services, and many hosts already listen for RA
   messages and then subsequent to receiving and RA message either
   configure addressing statelessly, or statefully with DHCPv6.

   This represents a problem for many networks, for which the only
   solution at present is to filter out all IPv6 packets from their
   ethernet network.

   This document describes how to filter RA and DHCPv6 messages so that
   autoconfiguration can be provided only by authorised hosts and/or
   switch ports.


2.  Protocols

   In order to filter IPv6 packets, some level of understanding of the
   IPv6, ICMPv6 and UDP protocols is required by the switch.  The
   following fields are analysed so need to be understood by the switch:

   1) Ethertype in the ethernet header (always 0x86DD)

   2) Source MAC address in the ethernet header

   3) Destination MAC address in the ethernet header

   4) Version in the IPv6 header (always 6)

   5) Source IPv6 address in the IPv6 header

   6) Destination IPv6 address in the IPv6 header

   7) Next-header in the IPv6 header

   8) Type and Code in the ICMPv6 header

   9) UDP source port

   10) UDP destination port





Ward                    Expires September 5, 2009               [Page 3]

Internet-Draft          IPv6 Autoconfig Filtering             March 2009


2.1.  Router Advertisements

   Router advertisement messages SHOULD only be sent by routers, and so
   should enter a switch only from a port with a router, and/or from a
   router's link-local IPv6 address or ethernet MAC address.  Router
   advertisements can be sent unsolicited (periodically) to multicast
   IPv6 and MAC addresses, or solicited (on demand) to a specific MAC
   and IPv6 destination.

   The characteristics of a router advertisement message are:

   +-------------------+-----------------------------------------------+
   | Field             | Value                                         |
   +-------------------+-----------------------------------------------+
   | Source MAC        | Router;s MAC address                          |
   | Address           |                                               |
   | Destination MAC   | 33:33:00:00:00:01 for unsolicited, a host's   |
   |                   | MAC address for solicited                     |
   | Source IPv6       | Router's IPv6 link-local address              |
   | Address           |                                               |
   | Destination IPv6  | FF01::1 for unsolicited, an address in        |
   | Address           | FE80::/64 for solicited                       |
   | Next-header       | 58                                            |
   | ICMPv6 Type       | 134                                           |
   | ICMPv6 Code       | 0                                             |
   +-------------------+-----------------------------------------------+

   Unique to router advertisements is the ICMPv6 type, 134.

2.2.  DHCPv6 Replies

   DHCPv6 reply messages SHOULD only be sent by DHCPv6 servers and
   relays, and so should only enter a switch from a port with a DHCPv6
   server or relay, and/or from a DHCPv6 server or relay's link-local
   IPv6 address or ethernet MAC address.

   The characteristics of a DHCPv6 reply message are:

   +-----------------------+-------------------------------------------+
   | Field                 | Value                                     |
   +-----------------------+-------------------------------------------+
   | Source MAC Address    | DHCPv6 server or relay's MAC address      |
   | Source IPv6 Address   | DHCPv6 server or relay's link-local IPv6  |
   |                       | address                                   |
   | Destination IPv6      | An address in FE80::/64                   |
   | Address               |                                           |
   | Next-header           | 17                                        |
   | UDP source port       | 547                                       |



Ward                    Expires September 5, 2009               [Page 4]

Internet-Draft          IPv6 Autoconfig Filtering             March 2009


   | UDP destination port  | 546                                       |
   +-----------------------+-------------------------------------------+

   Unique to DHCPv6 replies is the UDP source and destination ports, 547
   and 546 respectively.


3.  Filtering

   An ethernet switch MUST be able to be configured to filter Router
   Advertisement and DHCPv6 reply messages under one or both of the
   following conditions:

   a) The source MAC address is not configured to belong to a router, or
   DHCPv6 server or relay.

   b) The source IPv6 link-local address is not configured to belong to
   a router, or DHCPv6 server or relay.

   c) The ethernet frame was not received on a port configured to as
   authorised to receive these messages.

3.1.  Requests

   It may be desirable for a switch to only transmit Router Solicitation
   and DHCPv6 request messages out a port if it is configured as a port
   having a router, DHCPv6 server or relay.  Comment is sought for this.


4.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.


5.  Security Considerations

   This document describes filtering features for ethernet switches, so
   improves security of IPv6 auto configuration in switched ethernet
   environments.

   It is unknown if this document introduces any security issues.







Ward                    Expires September 5, 2009               [Page 5]

Internet-Draft          IPv6 Autoconfig Filtering             March 2009


6.  Acknowledgements

   Discussion on the NANOG mailing list.


7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.


Author's Address

   Nathan Ward
   Braintrust Ltd.
   Level 1, 206 Symonds St.
   Auckland,   1010
   NZ

   Phone: +64-21-431675
   Email: nward@braintrust.co.nz






























Ward                    Expires September 5, 2009               [Page 6]


Html markup produced by rfcmarkup 1.108, available from http://tools.ietf.org/tools/rfcmarkup/