draft-ietf-6man-rfc3484-revise-03.txt   draft-ietf-6man-rfc3484-revise-04.txt 
Network Working Group A. Matsumoto Network Working Group A. Matsumoto
Internet-Draft J. Kato Internet-Draft J. Kato
Intended status: Standards Track T. Fujisaki Intended status: Standards Track T. Fujisaki
Expires: December 12, 2011 NTT Expires: January 2, 2012 NTT
June 10, 2011 T. Chown
University of Southampton
July 1, 2011
Update to RFC 3484 Default Address Selection for IPv6 Update to RFC 3484 Default Address Selection for IPv6
draft-ietf-6man-rfc3484-revise-03.txt draft-ietf-6man-rfc3484-revise-04.txt
Abstract Abstract
RFC 3484 describes algorithms for source address selection and for RFC 3484 describes algorithms for source address selection and for
destination address selection. The algorithms specify default destination address selection. The algorithms specify default
behavior for all Internet Protocol version 6 (IPv6) implementations. behavior for all Internet Protocol version 6 (IPv6) implementations.
This document specifies a set of updates that modify the algorithms This document specifies a set of updates that modify the algorithms
and fix the known defects. and fix the known defects.
Status of this Memo Status of this Memo
skipping to change at page 1, line 35 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 12, 2011. This Internet-Draft will expire on January 2, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 34 skipping to change at page 2, line 36
2.1.2. Teredo in the policy table . . . . . . . . . . . . . . 4 2.1.2. Teredo in the policy table . . . . . . . . . . . . . . 4
2.1.3. 6to4, Teredo, and IPv4 prioritization . . . . . . . . 4 2.1.3. 6to4, Teredo, and IPv4 prioritization . . . . . . . . 4
2.1.4. Deprecated addresses in the policy table . . . . . . . 5 2.1.4. Deprecated addresses in the policy table . . . . . . . 5
2.1.5. Renewed default policy table . . . . . . . . . . . . . 5 2.1.5. Renewed default policy table . . . . . . . . . . . . . 5
2.2. The longest matching rule . . . . . . . . . . . . . . . . 5 2.2. The longest matching rule . . . . . . . . . . . . . . . . 5
2.3. Utilize next-hop for source address selection . . . . . . 6 2.3. Utilize next-hop for source address selection . . . . . . 6
2.4. Private IPv4 address scope . . . . . . . . . . . . . . . . 6 2.4. Private IPv4 address scope . . . . . . . . . . . . . . . . 6
2.5. Deprecation of site-local unicast address . . . . . . . . 7 2.5. Deprecation of site-local unicast address . . . . . . . . 7
3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.1. Normative References . . . . . . . . . . . . . . . . . . . 7 5.1. Normative References . . . . . . . . . . . . . . . . . . . 8
5.2. Informative References . . . . . . . . . . . . . . . . . . 8 5.2. Informative References . . . . . . . . . . . . . . . . . . 8
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 9 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 9
Appendix B. Past Discussion . . . . . . . . . . . . . . . . . . . 9 Appendix B. Past Discussion . . . . . . . . . . . . . . . . . . . 9
B.1. The longest match rule . . . . . . . . . . . . . . . . . . 9 B.1. The longest match rule . . . . . . . . . . . . . . . . . . 9
B.2. NAT64 prefix issue . . . . . . . . . . . . . . . . . . . . 10 B.2. NAT64 prefix issue . . . . . . . . . . . . . . . . . . . . 10
B.3. ISATAP issue . . . . . . . . . . . . . . . . . . . . . . . 10
Appendix C. Revision History . . . . . . . . . . . . . . . . . . 10 Appendix C. Revision History . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
The IPv6 addressing architecture [RFC4291] allows multiple unicast The IPv6 addressing architecture [RFC4291] allows multiple unicast
addresses to be assigned to interfaces. Because of this IPv6 addresses to be assigned to interfaces. Because of this IPv6
implementations need to handle multiple possible source and implementations need to handle multiple possible source and
destination addresses when initiating communication RFC 3484 destination addresses when initiating communication. RFC 3484
[RFC3484]. specifies the default algorithms, common across all [RFC3484] specifies the default algorithms, common across all
implementations, for selecting source and destination addresses so implementations, for selecting source and destination addresses so
that it is easier to predict the address selection behavior. that it is easier to predict the address selection behavior.
After RFC 3484 was specified, some issues have been identified with Since RFC 3484 was specified, some issues have been identified with
the algorithm specified there. The issues are related to the longest the algorithms specified there. The issues include the longest match
match algorithm used in Rule 9 of Destination address selection algorithm used in Rule 9 of destination address selection breaking
breaking DNS round-robin techniques, and prioritization of poor IPv6 DNS round-robin techniques, and prioritization of poor IPv6
connectivity using transition mechanisms over native IPv4 connectivity using transition mechanisms over native IPv4
connectivity. connectivity.
There have also been some significant changes to the IPv6 addressing There have also been some significant changes to the IPv6 addressing
architecture that require changes in the RFC 3484 policy table. Such architecture that require changes in the RFC 3484 policy table. Such
changes include the deprecation of site-local unicast addresses changes include the deprecation of site-local unicast addresses
[RFC3879] and the IPv4-compatible IPv6 addresses, the introduction of [RFC3879] and of IPv4-compatible IPv6 addresses, and the introduction
Unique Local Addresses [RFC4193] etc. of Unique Local Addresses [RFC4193].
This document specifies a set of updates that modify the algorithms This document specifies a set of updates that modify the algorithms
and fix the known defects. and fix the known defects.
2. Specification 2. Specification
2.1. Changes related to the default policy table 2.1. Changes related to the default policy table
The default policy table is defined in RFC 3484 Section 2.1 as The default policy table is defined in RFC 3484 Section 2.1 as
follows: follows:
Prefix Precedence Label Prefix Precedence Label
::1/128 50 0 ::1/128 50 0
::/0 40 1 ::/0 40 1
2002::/16 30 2 2002::/16 30 2
::/96 20 3 ::/96 20 3
::ffff:0:0/96 10 4 ::ffff:0:0/96 10 4
The changes that should be included into the default policy table are The changes that should be included into the default policy table are
those rules that are universally useful and do no harm in every those rules that are universally useful and do no harm in every
reasonable network envionment. The changes we should consider for reasonable network environment. The changes we should consider for
the default policy table are listed in this sub-section. the default policy table are listed in this sub-section.
The policy table is defined to be configurable. The changes that are The policy table is defined to be configurable. The changes that are
useful not universally but locally can be put into the policy table useful locally but not universally can be put into the policy table
manually or by using the auto-configuration mechanism proposed as a manually or by using the policy distribution mechanism proposed as a
DHCP option [I-D.ietf-6man-addr-select-opt]. DHCP option [I-D.ietf-6man-addr-select-opt].
2.1.1. ULA in the policy table 2.1.1. ULA in the policy table
RFC 5220 [RFC5220] Section 2.1.4, 2.2.2, and 2.2.3 describes address RFC 5220 [RFC5220] sections 2.1.4, 2.2.2, and 2.2.3 describe address
selection problems related to ULA [RFC4193]. These problems can be selection problems related to ULAs [RFC4193]. These problems can be
solved by either changing the scope of ULA to site-local, or by solved by either changing the scope of ULAs to site-local, or by
adding an entry for default policy table entry that has its own label adding an entry for the default policy table that has its own label
for ULA. for ULAs.
Centrally assigned ULA [I-D.ietf-ipv6-ula-central] is proposed, and Centrally assigned ULAs [I-D.ietf-ipv6-ula-central] have been
is assigned fc00::/8. Using the different labels for fc00::/8 and proposed, and are assigned fc00::/8. Using the different labels for
fd00::/8 makes sense if we assume the same kind of address block is fc00::/8 and fd00::/8 makes sense if we assume the same kind of
assigned in the same or adjacent network. However, we cannot expect address block is assigned in the same or adjacent network. However,
that the type of ULA address block and network adjancency commonly we cannot expect that the type of ULA address block and network
have any relationships. adjacency commonly have any relationships.
Regarding the scope of ULA, ULA has been specified with a global Regarding the scope of ULAs, ULAs have been specified with a global
scope because the reachability of the ULA was intended to be scope because the reachability of ULAs was intended to be restricted
restricted by the routing system. Since the ULAs will not be exposed by the routing system. Since the ULAs will not be exposed outside of
outside of its reachability domain, if an ULA is available as a their reachability domain, if a ULA is available as a candidate
candidate destination address, it can be expected to be reachable. destination address, it can be expected to be reachable.
if we change the scope of ULA smaller than global, we can prioritize If we change the scope of ULAs to be smaller than global, we can
ULA to ULA communication over GUA to GUA communication. At the same prioritize ULA to ULA communication over GUA to GUA communication.
time, however, finer-grained configuration of ULA address selection At the same time, however, finer-grained configuration of ULA address
will be impossible. For example, even if you want to priorize selection will be impossible. For example, even if you want to
communication related to the only /48 ULA prefix used in your site, prioritize communication related to the only /48 ULA prefix used in
and do not want to prioritize communication to any other ULA prefix, your site, and do not want to prioritize communication to any other
such a policy cannot be implemented in the policy table. So, this ULA prefix, such a policy cannot be implemented in the policy table.
draft proposes the use of the policy table to differentiate ULA from So, this draft proposes the use of the policy table to differentiate
GUA. ULAs from GUAs.
2.1.2. Teredo in the policy table 2.1.2. Teredo in the policy table
Teredo [RFC4380] is defined and has been assigned 2001::/32. This Teredo [RFC4380] is defined and has been assigned 2001::/32. This
address block should be assigned its own label in the policy table. address block should be assigned its own label in the policy table.
Teredo's priority should be less or equal to 6to4, considering its Teredo's priority should be less than or equal to 6to4, considering
characteristic of transitional tunnel mechanism. About Windows, this its characteristic of being a transitional tunnel mechanism.
is already in the implementation.
2.1.3. 6to4, Teredo, and IPv4 prioritization 2.1.3. 6to4, Teredo, and IPv4 prioritization
Regarding the prioritization between IPv4 and these transitional Regarding the prioritization between IPv4 and these transitional
mechanisms, the connectivity of them are known to be worse than IPv4. mechanisms, their connectivity is known to usually be worse than
These mechiansms are said to be the last resort access to IPv6 IPv4. These mechanisms are said to be the last resort access method
resources. While 6to4 should have higher precedence over Teredo, in to IPv6 resources. 6to4 should have higher precedence than Teredo,
that 6to4 host to 6to4 host communication can be over IPv4, which can given that 6to4 host to 6to4 host communication can be over IPv4
result in more optimal path, and 6to4 does not need NAT traversal. (which can result in a more optimal path) and that 6to4 should not
used behind a NAT device.
2.1.4. Deprecated addresses in the policy table 2.1.4. Deprecated addresses in the policy table
IPv4-compatible IPv6 address (::/96) is deprecated [RFC4291]. IPv6 IPv4-compatible IPv6 addresses (::/96) are deprecated [RFC4291].
site-local unicast address (fec0::/10) is deprecated [RFC3879]. 6bone IPv6 site-local unicast addresses (fec0::/10) are deprecated
testing address [RFC3701] was returned. [RFC3879]. 6bone testing addresses [RFC3701] were returned.
These addresses were removed from the current specification. So, it These addresses were removed from the current specification. So they
should not be treated differently, especially if we plan future re- should not be treated differently, especially if we plan future re-
use of these address blocks. Hense, 6bone testing address block use of these address blocks. The 6bone testing address block should
should not be treated specially. not be treated specially.
Considering the inappropriate use of these address blocks especially Considering the inappropriate use of these address blocks, especially
in outdated implementations and bad effects brought by them, it in outdated implementations and bad effects brought by them, they
should be labeled differently from the legitimate address blocks as should be labeled differently from the legitimate address blocks as
far as the address block is reserved by IANA. long as the address block is reserved by IANA.
2.1.5. Renewed default policy table 2.1.5. Renewed default policy table
After applying these updates, the default policy table will be: After applying these updates, the default policy table will be:
Prefix Precedence Label Prefix Precedence Label
::1/128 60 0 ::1/128 60 0
fc00::/7 50 1 fc00::/7 50 1
::/0 40 2 ::/0 40 2
::ffff:0:0/96 30 3 ::ffff:0:0/96 30 3
2002::/16 20 4 2002::/16 20 4
2001::/32 10 5 2001::/32 10 5
::/96 1 10 ::/96 1 10
fec0::/10 1 11 fec0::/10 1 11
2.2. The longest matching rule 2.2. The longest matching rule
This issue is related to the longest matching rule, which was found This issue is related to the longest matching rule, which was found
by Dave Thaler. It is malfunction of DNS round robin technique. It by Dave Thaler. It causes a malfunction of the DNS round robin
is common for both IPv4 and IPv6. technique, as described below. It is common for both IPv4 and IPv6.
When a destination address DA, DB, and the source address of DA When a destination address DA, DB, and the source address of DA
Source(DA) are on the same subnet and Source(DA) == Source(DB), DNS Source(DA) are on the same subnet and Source(DA) == Source(DB), DNS
round robin load-balancing cannot function. By considering prefix round robin load-balancing cannot function. By considering prefix
lengths that are longer than the subnet prefix, this rule establishes lengths that are longer than the subnet prefix, this rule establishes
preference between addresses that have no substantive differences preference between addresses that have no substantive differences
between them. The rule functions as an arbitrary tie-breaker between between them. The rule functions as an arbitrary tie-breaker between
the hosts in a round robin, causing a given host to always prefer a the hosts in a round robin, causing a given host to always prefer a
given member of the round robin. given member of the round robin.
skipping to change at page 6, line 22 skipping to change at page 6, line 22
When DA and DB belong to the same address family (both are IPv6 or When DA and DB belong to the same address family (both are IPv6 or
both are IPv4): If CommonPrefixLen(DA & Netmask(Source(DA)), both are IPv4): If CommonPrefixLen(DA & Netmask(Source(DA)),
Source(DA)) > CommonPrefixLen(DB & Netmask(Source(DB)), Source(DB)), Source(DA)) > CommonPrefixLen(DB & Netmask(Source(DB)), Source(DB)),
then prefer DA. Similarly, if CommonPrefixLen(DA & then prefer DA. Similarly, if CommonPrefixLen(DA &
Netmask(Source(DA)), Source(DA)) < CommonPrefixLen(DB & Netmask(Source(DA)), Source(DA)) < CommonPrefixLen(DB &
Netmask(Source(DB)), Source(DB)), then prefer DB. Netmask(Source(DB)), Source(DB)), then prefer DB.
2.3. Utilize next-hop for source address selection 2.3. Utilize next-hop for source address selection
The RFC 3484 source address selection rule 5 defines the address that RFC 3484 source address selection rule 5 says that the address that
is attached to the outgoing interface should be preferred as the is attached to the outgoing interface should be preferred as the
source address. This rule is reasonable considering the prevalence source address. This rule is reasonable considering the prevalence
of Ingress Filtering described in BCP 38 [RFC2827]. This is because of ingress filtering described in BCP 38 [RFC2827]. This is because
an upstream network provider usually assumes it receives those an upstream network provider usually assumes it receives packets from
packets from their customer that have the delegated addresses as the their customer that only have the delegated addresses as the source
source addresses. addresses.
This rule, however, is not effective in such a environment described This rule, however, is not effective in an environment such as that
in RFC 5220 Section 2.1.1, where a host has multiple upstream routers described in RFC 5220 Section 2.1.1, where a host has multiple
on the same link and has addresses delegated from each upstream upstream routers on the same link and has addresses delegated from
routers on single interface. each upstream router on a single interface.
Also, DHCPv6 assigned addresses are not associated like SLAAC
assigned addresses to a next-hop gateway, so implementations usually
can't apply this heuristic in a DHCPv6 network.
So, a new rule 5.1 that utilizes next-hop information for source So, a new rule 5.1 that utilizes next-hop information for source
address selection is inserted just after the rule 5. address selection is inserted just after rule 5.
Rule 5.1: Use an address assigned by the selected next-hop. Rule 5.1: Use an address assigned by the selected next-hop.
If SA is assigned by the selected next-hop that will be used to send If SA is assigned by the selected next-hop that will be used to send
to D and SB is assigned by a different next-hop, then prefer SA. to D and SB is assigned by a different next-hop, then prefer SA.
Similarly, if SB is assigned by the next-hop that will be used to Similarly, if SB is assigned by the next-hop that will be used to
send to D and SA is assigned by a different next-hop, then prefer SB. send to D and SA is assigned by a different next-hop, then prefer SB.
2.4. Private IPv4 address scope 2.4. Private IPv4 address scope
skipping to change at page 7, line 11 skipping to change at page 7, line 14
follows that the result of the source address selection algorithm may follows that the result of the source address selection algorithm may
be different when the original address is replaced with the NATed be different when the original address is replaced with the NATed
address. address.
The algorithm currently specified in RFC 3484 is based on the The algorithm currently specified in RFC 3484 is based on the
assumption that a source address with a small scope cannot reach a assumption that a source address with a small scope cannot reach a
destination address with a larger scope. This assumption does not destination address with a larger scope. This assumption does not
hold if private IPv4 addresses and a NAT are used to reach public hold if private IPv4 addresses and a NAT are used to reach public
IPv4 addresses. IPv4 addresses.
Due to this assumption, in the presence of both NATed private IPv4 Due to this assumption, in the presence of both a NATed private IPv4
address and transitional addresses (like 6to4 and Teredo), the host address and a transitional address (like 6to4 or Teredo), the host
will choose the transitional IPv6 address to access dual-stack peers will choose the transitional IPv6 address to access dual-stack peers
[I-D.denis-v6ops-nat-addrsel]. Choosing transitional IPv6 [I-D.denis-v6ops-nat-addrsel]. Choosing transitional IPv6
connectivity over native IPv4 connectivity is not considered to be a connectivity over native IPv4 connectivity, particularly where the
very wise result. transitional connectivity is unmanaged, is not considered to be
generally desirable.
This issue can be fixed by changing the address scope of private IPv4 This issue can be fixed by changing the address scope of private IPv4
addresses to global. Such change has already been implemented in addresses to global.
some OSes.
2.5. Deprecation of site-local unicast address 2.5. Deprecation of site-local unicast address
RFC 3484 contains a few "site-local unicast" and "fec0::" RFC 3484 contains a few "site-local unicast" and "fec0::"
description. It's better to remove examples related to site-local descriptions. It's better to remove examples related to site-local
unicast address, or change examples to use ULA. Possible points to unicast addresses, or change the examples to use ULAs. Possible
be re-written are below. points to be re-written are listed below.
- 2nd paragraph in RFC 3484 Section 3.1 describes scope comparison - 2nd paragraph in RFC 3484 Section 3.1 describes the scope
mechanism. comparison mechanism.
- RFC 3484 Section 10 contains examples for site-local address. - RFC 3484 Section 10 contains examples for site-local addresses.
3. Security Considerations 3. Security Considerations
No security risk is found that degrades RFC 3484. No security risk is found that degrades RFC 3484.
4. IANA Considerations 4. IANA Considerations
Address type number for the policy table may have to be assigned by Address type number for the policy table may have to be assigned by
IANA. IANA.
skipping to change at page 8, line 26 skipping to change at page 8, line 32
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005. Addresses", RFC 4193, October 2005.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006. Architecture", RFC 4291, February 2006.
[RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
Network Address Translations (NATs)", RFC 4380, Network Address Translations (NATs)", RFC 4380,
February 2006. February 2006.
[RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
March 2008.
[RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, [RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama,
"Problem Statement for Default Address Selection in Multi- "Problem Statement for Default Address Selection in Multi-
Prefix Environments: Operational Issues of RFC 3484 Prefix Environments: Operational Issues of RFC 3484
Default Rules", RFC 5220, July 2008. Default Rules", RFC 5220, July 2008.
5.2. Informative References 5.2. Informative References
[I-D.chown-addr-select-considerations] [I-D.chown-addr-select-considerations]
Chown, T., "Considerations for IPv6 Address Selection Chown, T., "Considerations for IPv6 Address Selection
Policy Changes", draft-chown-addr-select-considerations-03 Policy Changes", draft-chown-addr-select-considerations-03
(work in progress), July 2009. (work in progress), July 2009.
[I-D.denis-v6ops-nat-addrsel] [I-D.denis-v6ops-nat-addrsel]
Denis-Courmont, R., "Problems with IPv6 source address Denis-Courmont, R., "Problems with IPv6 source address
selection and IPv4 NATs", draft-denis-v6ops-nat-addrsel-00 selection and IPv4 NATs", draft-denis-v6ops-nat-addrsel-00
(work in progress), February 2009. (work in progress), February 2009.
[I-D.ietf-6man-addr-select-opt] [I-D.ietf-6man-addr-select-opt]
Matsumoto, A., Fujisaki, T., and J. Kato, "Distributing Matsumoto, A., Fujisaki, T., Kato, J., and T. Chown,
Address Selection Policy using DHCPv6", "Distributing Address Selection Policy using DHCPv6",
draft-ietf-6man-addr-select-opt-00 (work in progress), draft-ietf-6man-addr-select-opt-01 (work in progress),
December 2010. June 2011.
[I-D.ietf-ipv6-ula-central] [I-D.ietf-ipv6-ula-central]
Hinden, R., "Centrally Assigned Unique Local IPv6 Unicast Hinden, R., "Centrally Assigned Unique Local IPv6 Unicast
Addresses", draft-ietf-ipv6-ula-central-02 (work in Addresses", draft-ietf-ipv6-ula-central-02 (work in
progress), June 2007. progress), June 2007.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000. Address Spoofing", BCP 38, RFC 2827, May 2000.
skipping to change at page 9, line 27 skipping to change at page 9, line 37
Courmont and the members of 6man's address selection design team for Courmont and the members of 6man's address selection design team for
their invaluable contributions to this document. their invaluable contributions to this document.
Appendix B. Past Discussion Appendix B. Past Discussion
This section summarizes discussions we had before related to address This section summarizes discussions we had before related to address
selection mechanisms. selection mechanisms.
B.1. The longest match rule B.1. The longest match rule
RFC 3484 defines that the destination address selection rule 9 should RFC 3484 defines that destination address selection rule 9 should be
be applied to both IPv4 and IPv6, which spoils the DNS based load applied to both IPv4 and IPv6, which spoils the DNS-based load
balancing technique that is widely used in the IPv4 Internet today. balancing technique that is widely used in the IPv4 Internet today.
When two or more destination addresses are acquired from one FQDN, When two or more destination addresses are acquired from one FQDN,
the rule 9 defines that the longest matching destination and source rule 9 states that the longest matching destination and source
address pair should be chosen. As in RFC 1794, the DNS based load address pair should be chosen. As in RFC 1794, the DNS-based load
balancing technique is achived by not re-ordering the destination balancing technique is achieved by not re-ordering the destination
addresses returned from the DNS server. The Rule 9 defines addresses returned from the DNS server. Rule 9 defines a
deterministic rule for re-ordering at hosts, hence the technique of deterministic rule for re-ordering hosts, hence the technique
RFC 1794 is not available anymore. described in RFC 1794 is not available anymore.
Regarding this problem, there was discussion in IETF and other places Regarding this problem, there was discussion in IETF and other places
like below. like below.
Discussion: The possible changes to RFC 3484 are as follows: Discussion: The possible changes to RFC 3484 are as follows:
1. To delete Rule 9 completely. 1. To delete Rule 9 completely.
2. To apply Rule 9 only for IPv6 and not for IPv4. In IPv6, 2. To apply Rule 9 only for IPv6 and not for IPv4. In IPv6,
hiearchical address assignment is general principle, hence the hierarchical address assignment generally used at present, hence
longest matchin rule is beneficial in many cases. In IPv4, as the longest matching rule is beneficial in many cases. In IPv4,
stated above, the DNS based load balancing technique is widely as stated above, the DNS based load balancing technique is widely
used. used.
3. To apply Rule 9 for IPv6 conditionally and not for IPv4. When 3. To apply Rule 9 for IPv6 conditionally and not for IPv4. When
the length of matching bits of the destination address and the the length of matching bits of the destination address and the
source address is longer than N, the rule 9 is applied. source address is longer than N, rule 9 is applied. Otherwise,
Otherwise, the order of the destination addresses do not change. the order of the destination addresses do not change. The value
The N should be configurable and it should be 32 by default. of N should be configurable and it should be 32 by default. This
This is simply because the two sites whose matching bit length is is simply because the two sites whose matching bit length is
longer than 32 are probably adjacent. longer than 32 are probably adjacent.
Now that IPv6 PI address is admitted in some RIRs, hierachical Now that IPv6 PI addresses are being introduced by RIRs, hierarchical
address assignment is not maintained anymore. It seems that the address assignment is not always maintained anymore. It seems that
longest matching algorithm may not worth the adverse effect of the longest matching algorithm may not worth the adverse effect of
disalbing the DNS based load balance technique. disabling the DNS-based load balance technique.
After long discussion, however we could not reach any consensus here.
That means, we cannot change the current rules for this issue.
B.2. NAT64 prefix issue B.2. NAT64 prefix issue
NAT64 WKP was newly defined[RFC6052]. It depends site by site The NAT64 WKP has recently been defined[RFC6052]. It depends site by
whether NAT64 should be preferred over IPv4, in other words NAT44, or site whether NAT64 should be preferred over IPv4, in other words
NAT44 over NAT64. So, this issue of site local policy should be NAT44, or NAT44 over NAT64. So, the issue of local site policy
solved by policy distribution mechanism. should be solved by manual policy table changes locally, or by use of
the proposed DHCP-based policy distribution mechanism.
B.3. ISATAP issue
Where a site is using ISATAP [RFC5214], there is generally no way to
differentiate an ISATAP address from a native address without
interface information. However, a site will assign a prefix for its
ISATAP overlay, and can choose to add an entry for that prefix to the
policy table if it wishes to change the default preference for that
prefix.
Appendix C. Revision History Appendix C. Revision History
04:
Added comment about ISATAP.
03: 03:
ULA address selection issue was expanded. ULA address selection issue was expanded.
6to4, Teredo and IPv4 priorization issue was elaborated. 6to4, Teredo and IPv4 prioritization issue was elaborated.
Deperecated address blocks in policy table section was elaborated. Deprecated address blocks in policy table section was elaborated.
In appendix, NAT64 prefix issue was added. In appendix, NAT64 prefix issue was added.
02: 02:
Suresh Krishnan's suggestions for better english sentences were Suresh Krishnan's suggestions for better english sentences were
incorporated. incorporated.
A new source address selection rule that utilizes the next-hop A new source address selection rule that utilizes the next-hop
information is included in Section 2.3. information is included in Section 2.3.
Site local address prefix was corrected. Site local address prefix was corrected.
01: 01:
skipping to change at line 510 skipping to change at page 12, line 21
Email: kato@syce.net Email: kato@syce.net
Tomohiro Fujisaki Tomohiro Fujisaki
NTT PF Lab NTT PF Lab
Midori-Cho 3-9-11 Midori-Cho 3-9-11
Musashino-shi, Tokyo 180-8585 Musashino-shi, Tokyo 180-8585
Japan Japan
Phone: +81 422 59 7351 Phone: +81 422 59 7351
Email: fujisaki@syce.net Email: fujisaki@syce.net
Tim Chown
University of Southampt on
Southampton, Hampshire SO17 1BJ
United Kingdom
Email: tjc@ecs.soton.ac.uk
 End of changes. 44 change blocks. 
116 lines changed or deleted 137 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/