IETF IPv6 Working Group S. Thomson Internet-Draft Cisco Expires:
August 9,December 13, 2004 T. Narten IBM T. Jinmei Toshiba H. Soliman Flarion Technologies February 9,June 14, 2004 IPv6 Stateless Address Autoconfiguration draft-ietf-ipv6-rfc2462bis-00.txtdraft-ietf-ipv6-rfc2462bis-01.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 9,December 13, 2004. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. The autoconfiguration process includes creating a link-local address and verifying its uniqueness on a link, determining what information shouldcan be autoconfigured (addresses, other information, or both), and in the case of addresses, whether they shouldcan be obtained through the stateless mechanism, the stateful mechanism, or both. This document defines the process for generating a link-local address, the process for generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure. The details of autoconfiguration using the stateful protocol areis specified elsewhere.in RFC 3315 and RFC 3736. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. TERMINOLOGY . . . . . . . . . . . . . . . . . . . . . . . . 45 2.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . 7 3. DESIGN GOALS . . . . . . . . . . . . . . . . . . . . . . . . 7 4. PROTOCOL OVERVIEW . . . . . . . . . . . . . . . . . . . . . 8 4.1 Site Renumbering . . . . . . . . . . . . . . . . . . . . . . 10 5. PROTOCOL SPECIFICATION . . . . . . . . . . . . . . . . . . . 11 5.1 Node Configuration Variables . . . . . . . . . . . . . . . . 11 5.2 Autoconfiguration-Related VariablesStructures . . . . . . . . . . . . 12 5.3 Creation of Link-Local Addresses . . . . . . . . . . . . . . 12 5.4 Duplicate Address Detection . . . . . . . . . . . . . . . . 13 5.4.1 Message Validation . . . . . . . . . . . . . . . . . . . . . 14 5.4.2 Sending Neighbor Solicitation Messages . . . . . . . . . . . 1514 5.4.3 Receiving Neighbor Solicitation Messages . . . . . . . . . . 15 5.4.4 Receiving Neighbor Advertisement Messages . . . . . . . . . 16 5.4.5 When Duplicate Address Detection Fails . . . . . . . . . . . 17 5.5 Creation of Global Addresses . . . . . . . . . . . . . . . . 17 5.5.1 Soliciting Router Advertisements . . . . . . . . . . . . . . 17 5.5.2 Absence of Router Advertisements . . . . . . . . . . . . . . 17 5.5.3 Router Advertisement Processing . . . . . . . . . . . . . . 18 5.5.4 Address Lifetime Expiry . . . . . . . . . . . . . . . . . . 20 5.6 Configuration Consistency . . . . . . . . . . . . . . . . . 21 5.7 Retaining Configured Addresses for Stability . . . . . . . . 21 6. SECURITY CONSIDERATIONS . . . . . . . . . . . . . . . . . . 21 7. IANA CONSIDERATIONS . . . . . . . . . . . . . . . . . . . . 22 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 Normative References . . . . . . . . . . . . . . . . . . . . 22 Informative References . . . . . . . . . . . . . . . . . . . 2223 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 23 A. LOOPBACK SUPPRESSION & DUPLICATE ADDRESS DETECTION . . . . . 24 B. CHANGES SINCE RFC 1971 . . . . . . . . . . . . . . . . . . . 2526 C. CHANGE HISTORY . . . . . . . . . . . . . . . . . . . . . . . 26 D. OPEN ISSUES . . . . . . . . . . . . . . . . . . . . . . . . 27Intellectual Property and Copyright Statements . . . . . . . 2829 1. Introduction This document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. The autoconfiguration process includes creating a link-local address and verifying its uniqueness on a link, determining what information shouldcan be autoconfigured (addresses, other information, or both), and in the case of addresses, whether they shouldcan be obtained through the stateless mechanism, the stateful mechanism, or both. This document defines the process for generating a link-local address, the process for generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure. The details of autoconfiguration using the stateful protocol areis specified elsewhere.in RFC 3315  and RFC 3736 . IPv6 defines both a stateful and stateless address autoconfiguration mechanism. Stateless autoconfiguration requires no manual configuration of hosts, minimal (if any) configuration of routers, and no additional servers. The stateless mechanism allows a host to generate its own addresses using a combination of locally available information and information advertised by routers. Routers advertise prefixes that identify the subnet(s) associated with a link, while hosts generate an "interface identifier" that uniquely identifies an interface on a subnet. An address is formed by combining the two. In the absence of routers, a host can only generate link-local addresses. However, link-local addresses are sufficient for allowing communication among nodes attached to the same link. In the stateful autoconfiguration model, hosts obtain interface addresses and/or configuration information and parameters from a DHCPv6 server. Servers maintain a database that keeps track of which addresses have been assigned to which hosts. The stateful autoconfiguration protocol allows hosts to obtain addresses, other configuration information or both from a server. Stateless and stateful autoconfiguration complement each other. For example, a host can use stateless autoconfiguration to configure its own addresses, but use stateful autoconfiguration to obtain other information. StatefulTo obtain other configuration information without configuring addresses in the stateful autoconfiguration for IPv6model, a subset of DHCPv6 will be used . While the model is called "stateful" here in order to highlight the contrast to the stateless protocol defined in this document, the subjectintended protocol is also defined to work in a stateless fashion. This is based on a result, through operational experiments, that all known "other" configuration information can be managed by a stateless server, that is, a server that does not maintain state of DHCPv6 .each client that the server provides with the configuration information. The stateless approach is used when a site is not particularly concerned with the exact addresses hosts use, so long as they are unique and properly routable. The stateful approach is used when a site requires tighter control over exact address assignments. Both stateful and stateless address autoconfiguration may be used simultaneously. The site administrator specifies which type of autoconfiguration to useis available through the setting of appropriate fields in Router Advertisement messages . IPv6 addresses are leased to an interface for a fixed (possibly infinite) length of time. Each address has an associated lifetime that indicates how long the address is bound to an interface. When a lifetime expires, the binding (and address) become invalid and the address may be reassigned to another interface elsewhere in the Internet. To handle the expiration of address bindings gracefully, an address goes through two distinct phases while assigned to an interface. Initially, an address is "preferred", meaning that its use in arbitrary communication is unrestricted. Later, an address becomes "deprecated" in anticipation that its current interface binding will become invalid. While in a deprecated state, the use of an address is discouraged, but not strictly forbidden. New communication (e.g., the opening of a new TCP connection) should use a preferred address when possible. A deprecated address should be used only by applications that have been using it and would have difficulty switching to another address without a service disruption. To ensure that all configured addresses are likely to be unique on a given link, nodes run a "duplicate address detection" algorithm on addresses before assigning them to an interface. The Duplicate Address Detection algorithm is performed on all addresses, independent of whether they are obtained via stateless or stateful autoconfiguration. This document defines the Duplicate Address Detection algorithm. The autoconfiguration process specified in this document applies only to hosts and not routers. Since host autoconfiguration uses information advertised by routers, routers will need to be configured by some other means. However, it is expected that routers will generate link-local addresses using the mechanism described in this document. In addition, routers are expected to successfully pass the Duplicate Address Detection procedure described in this document on all addresses prior to assigning them to an interface. Section 2 provides definitions for terminology used throughout this document. Section 3 describes the design goals that lead to the current autoconfiguration procedure. Section 4 provides an overview of the protocol, while Section 5 describes the protocol in detail. 2. TERMINOLOGY IP - Internet Protocol Version 6. The terms IPv4 and IPv6 are used only in contexts where necessary to avoid ambiguity. node - a device that implements IP. router - a node that forwards IP packets not explicitly addressed to itself. host - any node that is not a router. upper layer - a protocol layer immediately above IP. Examples are transport protocols such as TCP and UDP, control protocols such as ICMP, routing protocols such as OSPF, and internet or lower-layer protocols being "tunneled" over (i.e., encapsulated in) IP such as IPX, AppleTalk, or IP itself. link - a communication facility or medium over which nodes can communicate at the link layer, i.e., the layer immediately below IP. Examples are Ethernets (simple or bridged); PPP links; X.25, Frame Relay, or ATM networks; and internet (or higher) layer "tunnels", such as tunnels over IPv4 or IPv6 itself. interface - a node's attachment to a link. packet - an IP header plus payload. address - an IP-layer identifier for an interface or a set of interfaces. unicast address - an identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address. multicast address - an identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address. anycast address - an identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" one, according to the routing protocol's measure of distance). See the IPv6 addressing architecture . solicited-node multicast address - a multicast address to which Neighbor Solicitation messages are sent. The algorithm for computing the address is given in RFC 2461 . link-layer address - a link-layer identifier for an interface. Examples include IEEE 802 addresses for Ethernet links and E.164 addresses for ISDN links. link-local address - an address having link-only scope that can be used to reach neighboring nodes attached to the same link. All interfaces have a link-local unicast address. global address - an address with unlimited scope. communication - any packet exchange among nodes that requires that the address of each node used in the exchange remain the same for the duration of the packet exchange. Examples are a TCP connection or a UDP request-response. tentative address - an address whose uniqueness on a link is being verified, prior to its assignment to an interface. A tentative address is not considered assigned to an interface in the usual sense. An interface discards received packets addressed to a tentative address, but accepts Neighbor Discovery packets related to Duplicate Address Detection for the tentative address. preferred address - an address assigned to an interface whose use by upper layer protocols is unrestricted. Preferred addresses may be used as the source (or destination) address of packets sent from (or to) the interface. deprecated address - An address assigned to an interface whose use is discouraged, but not forbidden. A deprecated address should no longer be used as a source address in new communications, but packets sent from or to deprecated addresses are delivered as expected. A deprecated address may continue to be used as a source address in communications where switching to a preferred address causes hardship to a specific upper-layer activity (e.g., an existing TCP connection). valid address - a preferred or deprecated address. A valid address may appear as the source or destination address of a packet, and the internet routing system is expected to deliver packets sent to a valid address to their intended recipients. invalid address - an address that is not assigned to any interface. A valid address becomes invalid when its valid lifetime expires. Invalid addresses should not appear as the destination or source address of a packet. In the former case, the internet routing system will be unable to deliver the packet, in the laterlatter case the recipient of the packet will be unable to respond to it. preferred lifetime - the length of time that a valid address is preferred (i.e., the time until deprecation). When the preferred lifetime expires, the address becomes deprecated. valid lifetime - the length of time an address remains in the valid state (i.e., the time until invalidation). The valid lifetime must be greater thenthan or equal to the preferred lifetime. When the valid lifetime expires, the address becomes invalid. interface identifier - a link-dependent identifier for an interface that is (at least) unique per link . Stateless address autoconfiguration combines an interface identifier with a prefix to form an address. From address autoconfiguration's perspective, an interface identifier is a bit string of known length. The exact length of an interface identifier and the way it is created is defined in a separate link-type specific document that covers issues related to the transmission of IP over a particular link type (e.g., IPv6 over Ethernet ). Note that the address architecture  also defines the length of the interface identifiers for some set of addresses, but the two sets of definitions must be consistent. In many cases, the identifier will be derived from the interface's link-layer address. 2.1 Requirements The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in RFC 2119 . 3. DESIGN GOALS Stateless autoconfiguration is designed with the following goals in mind: o Manual configuration of individual machines before connecting them to the network should not be required. Consequently, a mechanism is needed that allows a host to obtain or create unique addresses for each of its interfaces. Address autoconfiguration assumes that each interface can provide a unique identifier for that interface (i.e., an "interface identifier"). In the simplest case, an interface identifier consists of the interface's link-layer address. An interface identifier can be combined with a prefix to form an address. o Small sites consisting of a set of machines attached to a single link should not require the presence of a stateful server or router as a prerequisite for communicating. Plug-and-play communication is achieved through the use of link-local addresses. Link-local addresses have a well-known prefix that identifies the (single) shared link to which a set of nodes attach. A host forms a link-local address by appending its interface identifier to the link-local prefix. o A large site with multiple networks and routers should not require the presence of a stateful address configuration server. In order to generate global addresses, hosts must determine the prefixes that identify the subnets to which they attach. Routers generate periodic Router Advertisements that include options listing the set of active prefixes on a link. o Address configuration should facilitate the graceful renumbering of a site's machines. For example, a site may wish to renumber all of its nodes when it switches to a new network service provider. Renumbering is achieved through the leasing of addresses to interfaces and the assignment of multiple addresses to the same interface. Lease lifetimes provide the mechanism through which a site phases out old prefixes. The assignment of multiple addresses to an interface provides for a transition period during which both a new address and the one being phased out work simultaneously. o System administrators need the ability to specify whether stateless autoconfiguration, stateful autoconfiguration, or both should be used.are available. Router Advertisements include flags specifying which mechanisms a host shouldcan use. 4. PROTOCOL OVERVIEW This section provides an overview of the typical steps that take place when an interface autoconfigures itself. Autoconfiguration is performed only on multicast-capable links and begins when a multicast-capable interface is enabled, e.g., during system startup. Nodes (both hosts and routers) begin the autoconfiguration process by generating a link-local address for the interface. A link-local address is formed by appending the interface's identifier to the well-known link-local prefix. Before the link-local address can be assigned to an interface and used, however, a node must attempt to verify that this "tentative" address is not already in use by another node on the link. Specifically, it sends a Neighbor Solicitation message containing the tentative address as the target. If another node is already using that address, it will return a Neighbor Advertisement saying so. If another node is also attempting to use the same address, it will send a Neighbor Solicitation for the target as well. The exact number of times the Neighbor Solicitation is (re)transmitted and the delay time between consecutive solicitations is link-specific and may be set by system management. If a node determines that its tentative link-local address is not unique, autoconfiguration stops and manual configuration of the interface is required. To simplify recovery in this case, it should be possible for an administrator to supply an alternate interface identifier that overrides the default identifier in such a way that the autoconfiguration mechanism can then be applied using the new (presumably unique) interface identifier. Alternatively, link-local and other addresses will need to be configured manually. Once a node ascertains that its tentative link-local address is unique, it assigns the address to the interface. At this point, the node has IP-level connectivity with neighboring nodes. The remaining autoconfiguration steps are performed only by hosts; the (auto)configuration of routers is beyond the scope of this document. The next phase of autoconfiguration involves obtaining a Router Advertisement or determining that no routers are present. If routers are present, they will send Router Advertisements that specify what sort of autoconfiguration a host shouldcan do. If no routers are present,Note that stateful autoconfiguration shouldmay still be invoked.available even if no routers are present. Routers send Router Advertisements periodically, but the delay between successive advertisements will generally be longer than a host performing autoconfiguration will want to wait . To obtain an advertisement quickly, a host sends one or more Router Solicitations to the all-routers multicast group. Router Advertisements contain two flags indicating what type of stateful autoconfiguration (if any) should be performed.is available. A "managed address configuration"configuration (M)" flag indicates whether hosts shouldcan use stateful autoconfiguration  to obtain addresses. An "other stateful configuration"configuration (O)" flag indicates whether hosts shouldcan use stateful autoconfiguration  to obtain additional information (excluding addresses). Router Advertisements also contain zero or more Prefix Information options that contain information used by stateless address autoconfiguration to generate global addresses. It should be noted thatThe details of how a host may use the M flags, including any use of the "on" and "off" transitions for this flag, to control the use of the stateful protocol for address assignment will be described in a separate document. Similarly, the details of how a host may use the O flags, including any use of the "on" and "off" transitions for this flag, to control the use of the stateful protocol for getting other configuration information will be described in a separate document. Router Advertisements also contain zero or more Prefix Information options that contain information used by stateless address autoconfiguration to generate global addresses. It should be noted that the stateless and stateful address autoconfiguration fields in Router Advertisements are processed independently of one another, and a host may use both stateful and stateless address autoconfiguration simultaneously. One Prefix Information option field, the "autonomous address-configuration flag", indicates whether or not the option even applies to stateless autoconfiguration. If it does, additional option fields contain a subnet prefix together with lifetime values indicating how long addresses created from the prefix remain preferred and valid. Because routers generate Router Advertisements periodically, hosts will continually receive new advertisements. Hosts process the information contained in each advertisement as described above, adding to and refreshing information received in previous advertisements. For safety, all addresses must be tested for uniqueness prior to their assignment to an interface. In the case of addresses created through stateless autoconfiguration, however, the uniqueness of an address is determined primarily by the portion of the address formed from an interface identifier. Thus, if a node has already verified the uniqueness of a link-local address, additional addresses created from the same interface identifier need notThe test should individually be tested individually. In contrast,performed on all addresses obtained manuallymanually, via stateless address autoconfiguration, or via stateful address autoconfiguration should be tested for uniqueness individually.autoconfiguration. To accommodate sites that believe the overhead of performing Duplicate Address Detection outweighs its benefits, the use of Duplicate Address Detection can be disabled through the administrative setting of a per-interface configuration flag. To speed the autoconfiguration process, a host may generate its link-local address (and verify its uniqueness) in parallel with waiting for a Router Advertisement. Because a router may delay responding to a Router Solicitation for a few seconds, the total time needed to complete autoconfiguration can be significantly longer if the two steps are done serially. 4.1 Site Renumbering Address leasing facilitates site renumbering by providing a mechanism to time-out addresses assigned to interfaces in hosts. At present, upper layer protocols such as TCP provide no support for changing end-point addresses while a connection is open. If an end-point address becomes invalid, existing connections break and all communication to the invalid address fails. Even when applications use UDP as a transport protocol, addresses must generally remain the same during a packet exchange. Dividing valid addresses into preferred and deprecated categories provides a way of indicating to upper layers that a valid address may become invalid shortly and that future communication using the address will fail, should the address's valid lifetime expire before communication ends. To avoid this scenario, higher layers should use a preferred address (assuming one of sufficient scope exists) to increase the likelihood that an address will remain valid for the duration of the communication. It is up to system administrators to set appropriate prefix lifetimes in order to minimize the impact of failed communication when renumbering takes place. The deprecation period should be long enough that most, if not all, communications are using the new address at the time an address becomes invalid. The IP layer is expected to provide a means for upper layers (including applications) to select the most appropriate source address given a particular destination and possibly other constraints. An application may choose to select the source address itself before starting a new communication or may leave the address unspecified, in which case the upper networking layers will use the mechanism provided by the IP layer to choose a suitable address on the application's behalf. Detailed address selection rules are beyond the scope of this document. 5. PROTOCOL SPECIFICATION Autoconfiguration is performed on a per-interface basis on multicast-capable interfaces. For multihomed hosts, autoconfiguration is performed independently on each interface. Autoconfiguration applies primarily to hosts, with two exceptions. Routers are expected to generate a link-local address using the procedure outlined below. In addition, routers perform Duplicate Address Detection on all addresses prior to assigning them to an interface. 5.1 Node Configuration Variables A node MUST allow the following autoconfiguration-related variable to be configured by system management for each multicast interface: DupAddrDetectTransmits The number of consecutive Neighbor Solicitation messages sent while performing Duplicate Address Detection on a tentative address. A value of zero indicates that Duplicate Address Detection is not performed on tentative addresses. A value of one indicates a single transmission with no follow up retransmissions. Default: 1, but may be overridden by a link-type specific value in the document that covers issues related to the transmission of IP over a particular link type (e.g., IPv6 over Ethernet ). Autoconfiguration also assumes the presence of the variable RetransTimer as defined in RFC 2461 . For autoconfiguration purposes, RetransTimer specifies the delay between consecutive Neighbor Solicitation transmissions performed during Duplicate Address Detection (if DupAddrDetectTransmits is greater than 1), as well as the time a node waits after sending the last Neighbor Solicitation before ending the Duplicate Address Detection process. 5.2 Autoconfiguration-Related Variables A host maintains a number of data structures and flags related to autoconfiguration. In the following, we present conceptual variables and show how they are used to perform autoconfiguration. The specific variables are used for demonstration purposes only, and an implementation is not required to have them, so long as its external behavior is consistent with that described in this document.Structures Beyond the formation of a link-local address and using Duplicate Address Detection, how routers (auto)configure their interfaces is beyond the scope of this document. Hosts maintain the following variables onA host maintains a per-interface basis: ManagedFlag Copied from the M flag field (i.e., the "managed address configuration" flag)list of the most recently received Router Advertisement message.addresses together with their corresponding lifetimes. The flag indicates whether or not addresses are to be configured using the stateful autoconfiguration mechanism. It starts out in a FALSE state. OtherConfigFlag Copied from the O flag field (i.e., the "other stateful configuration" flag) of the most recently received Router Advertisement message. The flag indicates whether or not information other than addresses is to be obtained using the stateful autoconfiguration mechanism. It starts out in a FALSE state. In addition, when the value of the ManagedFlag is TRUE, the value of OtherConfigFlag is implicitly TRUE as well. It is not a valid configuration for a host to use stateful address autoconfiguration to request addresses only, without also accepting other configuration information. A host also maintains a list of addresses together with their corresponding lifetimes. The address list contains both autoconfiguredaddress list contains both autoconfigured addresses and those configured manually. 5.3 Creation of Link-Local Addresses A node forms a link-local address whenever an interface becomes enabled. An interface may become enabled after any of the following events: - The interface is initialized at system startup time. - The interface is reinitialized after a temporary interface failure or after being temporarily disabled by system management. - The interface attaches to a link for the first time. - The interface becomes enabled by system management after having been administratively disabled. A link-local address is formed by prepending the well-known link- local prefix FE80::0  (of appropriate length) to the interface identifier. If the interface identifier has a length of N bits, the interface identifier replaces the right-most N zero bits of the link-local prefix. If the interface identifier is more than 118 bits in length, autoconfiguration fails and manual configuration is required. Note thatThe length of the interface identifiersidentifier is defined in a separate link-type specific document, which should also be consistent with the address architecture  (see Section 2). These documents will typicallycarefully define the length so that link-local addresses can be 64-bits long and basedautoconfigured on EUI-64 identifiers as described in .the link. A link-local address has an infinite preferred and valid lifetime; it is never timed out. 5.4 Duplicate Address Detection Duplicate Address Detection is performed on unicast addresses prior to assigning them to an interface whose DupAddrDetectTransmits variable is greater than zero. Duplicate Address Detection MUST take place on all unicast addresses, regardless of whether they are obtained through stateful, stateless or manual configuration, with the exception of the following cases: IP - Duplicate Address Detection MUST NOT be performed on anycast addresses. IP - Each individual unicast address SHOULD be tested for uniqueness. However, when statelessNote that there are implementations deployed that only perform Duplicate Address Detection for the link-local address autoconfiguration is used,and skip the test for the global address uniqueness is determined solely byusing the same interface identifier, assumingidentifier as that of the link-local address. Whereas this document does not invalidate such implementations, this kind of "optimization" is NOT RECOMMENDED, and new implementations MUST NOT do that optimization. This optimization came from the assumption that subnet prefixes are assigned correctly (i.e., ifall of an interface's addresses are generated from the same identifier, either all addresses or none of them will be duplicates). Thus, for a setidentifier. However, the assumption does actually not stand; new types of addresses formed fromhave been introduced where the sameinterface identifier, it is sufficient to check that the link- local address generated from the identifier is unique on the link. In such cases,identifiers are not necessarily the link-local address MUST be testedsame for uniqueness, and if no duplicate address is detected, an implementation MAY chooseall unicast addresses on a single interface  . Requiring to skipperform Duplicate Address Detection for additionalall unicast addresses derived fromwill make the samealgorithm robust for the current and future such special interface identifier.identifiers. The procedure for detecting duplicate addresses uses Neighbor Solicitation and Advertisement messages as described below. If a duplicate address is discovered during the procedure, the address cannot be assigned to the interface. If the address is derived from an interface identifier, a new identifier will need to be assigned to the interface, or all IP addresses for the interface will need to be manually configured. Note that the method for detecting duplicates is not completely reliable, and it is possible that duplicate addresses will still exist (e.g., if the link was partitioned while Duplicate Address Detection was performed). An address on which the Duplicate Address Detection Procedure is applied is said to be tentative until the procedure has completed successfully. A tentative address is not considered "assigned to an interface" in the traditional sense. That is, the interface must accept Neighbor Solicitation and Advertisement messages containing the tentative address in the Target Address field, but processes such packets differently from those whose Target Address matches an address assigned to the interface. Other packets addressed to the tentative address should be silently discarded. Note that the "other packets" include Neighbor Solicitation and Advertisement messages to the tentative address containing the tentative address in the Target Address field. Such a case should not happen in normal operation, though, since these messages are multicasted in the Duplicate Address Detection Procedure. It should also be noted that Duplicate Address Detection must be performed prior to assigning an address to an interface in order to prevent multiple nodes from using the same address simultaneously. If a node begins using an address in parallel with Duplicate Address Detection, and another node is already using the address, the node performing Duplicate Address Detection will erroneously process traffic intended for the other node, resulting in such possible negative consequences as the resetting of open TCP connections. The following subsections describe specific tests a node performs to verify an address's uniqueness. An address is considered unique if none of the tests indicate the presence of a duplicate address within RetransTimer milliseconds after having sent DupAddrDetectTransmits Neighbor Solicitations. Once an address is determined to be unique, it may be assigned to an interface. 5.4.1 Message Validation A node MUST silently discard any Neighbor Solicitation or Advertisement message that does not pass the validity checks specified in RFC 2461 . A Neighbor Solicitation or Advertisement message that passes these validity checks is called a valid solicitation or valid advertisement, respectively. 5.4.2 Sending Neighbor Solicitation Messages Before sending a Neighbor Solicitation, an interface MUST join the all-nodes multicast address and the solicited-node multicast address of the tentative address. The former ensures that the node receives Neighbor Advertisements from other nodes already using the address; the latter ensures that two nodes attempting to use the same address simultaneously detect each other's presence. To check an address, a node sends DupAddrDetectTransmits Neighbor Solicitations, each separated by RetransTimer milliseconds. The solicitation's Target Address is set to the address being checked, the IP source is set to the unspecified address and the IP destination is set to the solicited-node multicast address of the target address. If the Neighbor Solicitation is going to be the first message to be sent from an interface after interface (re)initialization, the node shouldSHOULD delay joining the solicited-node multicast address by a random delay between 0 and MAX_RTR_SOLICITATION_DELAY as specified in RFC 2461 . This serves to alleviate congestion when many nodes start up on the link at the same time, such as after a power failure, and may help to avoid race conditions when more than one node is trying to solicit for the same address at the same time. Even if the Neighbor Solicitation is not going to be the first message to be sent, the node SHOULD delay joining the solicited-node multicast address by a random delay between 0 and MAX_RTR_SOLICITATION_DELAY if the address being checked is configured by a router advertisement message sent to a multicast address. The delay will avoid similar congestion when multiple nodes are going to configure addresses by receiving a same single multicast router advertisement. Note that the delay for joining the multicast address implicitly means delaying transmission of the corresponding MLD report message .. Since RFC 2710  does not request a random delay to avoid race conditions, just delaying Neighbor Solicitation would cause congestion by the MLD report messages. The congestion would then prevent MLD-snooping switches from working correctly, and, as a result, prevent Duplicate Address Detection from working. The requirement to include the delay for the MLD report in this case avoids this scenario. In order to improve the robustness of the Duplicate Address Detection algorithm, an interface MUST receive and process datagrams sent to the all-nodes multicast address or solicited-node multicast address of the tentative address while the delaying period. This does not necessarily conflict with the requirement that joining the multicast group be delayed. In fact, in some cases it is possible for a node to start listening to the group during the delay period before MLD report transmission. It should be noted, however, that in some link-layer environments, particularly with MLD-snooping switches, no multicast reception will be available until the MLD report is sent. 5.4.3 Receiving Neighbor Solicitation Messages On receipt of a valid Neighbor Solicitation message on an interface, node behavior depends on whether the target address is tentative or not. If the target address is not tentative (i.e., it is assigned to the receiving interface), the solicitation is processed as described in RFC 2461 . If the target address is tentative, and the source address is a unicast address, the solicitation's sender is performing address resolution on the target; the solicitation should be silently ignored. Otherwise, processing takes place as described below. In all cases, a node MUST NOT respond to a Neighbor Solicitation for a tentative address. If the source address of the Neighbor Solicitation is the unspecified address, the solicitation is from a node performing Duplicate Address Detection. If the solicitation is from another node, the tentative address is a duplicate and should not be used (by either node). If the solicitation is from the node itself (because the node loops back multicast packets), the solicitation does not indicate the presence of a duplicate address. Implementor's Note: many interfaces provide a way for upper layers to selectively enable and disable the looping back of multicast packets. The details of how such a facility is implemented may prevent Duplicate Address Detection from working correctly. See the Appendix A for further discussion. The following tests identify conditions under which a tentative address is not unique: - If a Neighbor Solicitation for a tentative address is received prior to having sent one, the tentative address is a duplicate. This condition occurs when two nodes run Duplicate Address Detection simultaneously, but transmit initial solicitations at different times (e.g., by selecting different random delay values before joining the solicited-node multicast address and transmitting an initial solicitation). - If the actual number of Neighbor Solicitations received exceeds the number expected based on the loopback semantics (e.g., the interface does not loopback packet, yet one or more solicitations was received), the tentative address is a duplicate. This condition occurs when two nodes run Duplicate Address Detection simultaneously and transmit solicitations at roughly the same time. 5.4.4 Receiving Neighbor Advertisement Messages On receipt of a valid Neighbor Advertisement message on an interface, node behavior depends on whether the target address is tentative or matches a unicast or anycast address assigned to the interface. If the target address is assigned to the receiving interface, the solicitation is processed as described in RFC 2461 . If the target address is tentative, the tentative address is not unique. 5.4.5 When Duplicate Address Detection Fails A tentative address that is determined to be a duplicate as described above MUST NOT be assigned to an interface and the node SHOULD log a system management error. If the address is a link-local address formed from an interface identifier based on the hardware address (e.g., EUI-64), the interface SHOULD be disabled. In this case, the IP address duplication probably means duplicate hardware addresses are in use, and trying to recover from it by configuring another IP address will not result in a usable network. In fact, it probably makes things worse by creating problems that are harder to diagnose than just shutting down the interface; the user will see a partially working network where some things work, and other things will not. On the other hand, if the duplicated link-local address is not formed from an interface identifier based on the hardware address, the interface MAY continue to be used. 5.5 Creation of Global Addresses Global addresses are formed by appending an interface identifier to a prefix of appropriate length. Prefixes are obtained from Prefix Information options contained in Router Advertisements. Creation of global addresses and configuration of other parameters as described in this section SHOULD be locally configurable. However, the processing described below MUST be enabled by default. 5.5.1 Soliciting Router Advertisements Router Advertisements are sent periodically to the all-nodes multicast address. To obtain an advertisement quickly, a host sends out Router Solicitations as described in RFC 2461 . 5.5.2 Absence of Router Advertisements IfEven if a link has no routers, a host MUST attempt to usestateful autoconfiguration to obtain addresses and other configuration information. An implementation MAY provide a way to disable the invocation of stateful autoconfiguration in this case, but the default SHOULDinformation may still be enabled. From the perspective of autoconfiguration, a link has no routers if no Router Advertisements are received after having sent a small number of Router Solicitations as described in RFC 2461 . 5.5.3 Router Advertisement Processing On receipt of a valid Router Advertisement (as defined in RFC 2461 ), a host copies the value of the advertisement's M bit into ManagedFlag. If the value of ManagedFlag changes from FALSE to TRUE,available, and hosts may want to use the host is not already running the stateful address autoconfiguration protocol, the host should invoke the stateful address autoconfiguration protocol, requesting both address information and other information. If the value of the ManagedFlag changes from TRUE to FALSE, the host should continue running the stateful address autoconfiguration, i.e., the change in the value of the ManagedFlag has no effect. If the value of the flag stays unchanged, no special action takes place. In particular, a host MUST NOT reinvoke stateful address configuration if it is already participating in the stateful protocol as a result of an earlier advertisement. An advertisement's O flag field is processed in an analogous manner. A host copies the value of the O flag into OtherConfigFlag. If the value of OtherConfigFlag changes from FALSE to TRUE, the host should invoke the stateful autoconfiguration protocol, requesting information (excluding addresses if ManagedFlag is set to FALSE). If the value of the OtherConfigFlag changes from TRUE to FALSE, the host should continue running the stateful address autoconfiguration protocol, i.e., the change in the value of OtherConfigFlag has no effect. If the value of the flag stays unchanged, no special action takes place. In particular, a host MUST NOT reinvoke stateful configuration if it is already participating in the stateful protocol as a result of an earlier advertisement. For each Prefix-Information option in the Router Advertisement: a) If the Autonomous flag is not set, silently ignore the Prefix Information option. b) If the prefix is the link-local prefix, silently ignore the Prefix Information option. c) If the preferred lifetime is greater than the valid lifetime, silently ignore the Prefix Information option. A node MAY wish to log a system management error in this case. d) If the prefix advertised does not match the prefix of an address already in the list, and the Valid Lifetime is not 0, form an address (and add it to the list) by combining the advertised prefix with the link's interface identifier as follows: | 128 - N bits | N bits | +---------------------------------------+------------------------+ | link prefix | interface identifier | +----------------------------------------------------------------+ e) If the advertised prefix matches the prefix of an autoconfigured address (i.e., one obtained via stateless or stateful address autoconfiguration) in the list of addresses associated with the interface, the preferred lifetime of the address is reset to the Preferred Lifetime in the received advertisement. The specific action to perform for the valid lifetime of the address depends on the Valid Lifetime in the received advertisement and the remaining time to the valid lifetime expiration of the previously autoconfigured address. We call the remaining time "RemainingLifetime" in the following discussion: 1. If the received Valid Lifetime is greater than 2 hours or greater than RemainingLifetime, set the valid lifetime of the corresponding address to the advertised Valid Lifetime. 2. If RemainingLifetime is less than or equal to 2 hours, ignore the Prefix Information option with regards to the valid lifetime, unless the Router Advertisement from which this option was obtained has been authenticated (e.g., via IP security ). If the Router Advertisement was authenticated, the valid lifetime of the corresponding address should be set to the Valid Lifetime in the received option. 3. Otherwise, reset the valid lifetime of the corresponding address to two hours. The above rules address a specific denial of service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect. Note that the preferred lifetime of the corresponding address is always reset to the Preferred Lifetime in the received Prefix Information option, regardless of whether the valid lifetime is also reset or ignored. The difference comes from the fact that the possible attack for the preferred lifetime is relatively minor. Additionally, it is even undesirable to ignore the preferred lifetime when a valid administrator wants to deprecate a particular address by sending a short preferred lifetime (and the valid lifetime is ignored by accident). 5.5.4 Address Lifetime Expiry A preferred address becomes deprecated when its preferred lifetime expires. A deprecated address SHOULD continue to be used as a source address in existing communications, but SHOULD NOT be used to initiate new communications if an alternate (non-deprecated) address of sufficient scope can easily be used instead. Note that the feasibility of initiating new communication using a non-deprecated address may be an application-specific decision, as only the application may have knowledge about whether the (now) deprecated address was (or still is) in use by the application. For example, if an application explicitly specifies the protocol stack to use a deprecated address as a source address, the protocol stack must accept that; the application might request it because that IP address is used for in higher-level communication and there might be a requirement that the multiple connections in such a grouping use the same pair of IP addresses. IP and higher layers (e.g., TCP, UDP) MUST continue to accept and process datagrams destined to a deprecated address as normal since a deprecated address is still a valid address for the interface. In the case of TCP, this means TCP SYN segments sent to a deprecated address are responded to using the deprecated address as a source address in the corresponding SYN-ACK (if the connection would otherwise be allowed). An implementation MAY prevent any new communication from using a deprecated address, but system management MUST have the ability to disable such a facility, and the facility MUST be disabled by default. Other subtle cases should also be noted about source address selection. For example, the above description does not clarify which address should be used between a deprecated, smaller-scope address and a non-deprecated, enough scope address. The details of the address selection including this case is described in RFC 3484  and beyond the scope of this document. An address (and its association with an interface) becomes invalid when its valid lifetime expires. An invalid address MUST NOT be used as a source address in outgoing communications and MUST NOT be recognized as a destination on a receiving interface. 5.6 Configuration Consistency It is possible for hosts to obtain address information using both stateless and stateful protocols since both may be enabled at the same time. It is also possible that the values of other configuration parameters such as MTU size and hop limit will be learned from both Router Advertisements and the stateful autoconfiguration protocol. If the same configuration information is provided by multiple sources, the value of this information should be consistent. However, it is not considered a fatal error if information received from multiple sources is inconsistent. Hosts accept the union of all information received via the stateless and stateful protocols. If inconsistent information is learned different sources, the most recently obtained values always have precedence over information learned earlier. 5.7 Retaining Configured Addresses for Stability It is reasonable that implementations that have stable storage retain their addresses and the preferred and valid lifetimes if the addresses were acquired using stateless address autoconfiguration. Assuming the lifetimes used are reasonable, this technique implies that a temporary outage (less than the valid lifetime) of a router will never result in the node losing its global address even if the node were to reboot. This will particularly be useful in "zeroconf" environments where nodes are configuring their addresses by stateless address autoconfiguration but all communication is limited within a single link. In such a case, the failure of a "router" (that provides the prefix for address configuration) is not significant, but losing the global addresses might be a pain; it is true that the node can still use link-local addresses for communication within the link, but the node may want to use global addresses when possible, especially when the other nodes use global addresses. When an implementation tries to reuse a retained address after rebooting, it MUST first try to obtain Router Advertisements as described in RFC 2461 and use the retained address only after concluding there are no routers on the link. Additionally, the implementation MUST run Duplicate Address Detection for the address under the criteria described in Section 5.4, as though the address were just configured by stateless address autoconfiguration. The reason for this is because a different host may have started using the address while the rebooting host cannot respond to Duplicate Address Detection from the other host. 6. SECURITY CONSIDERATIONS Stateless address autoconfiguration allows a host to connect to a network, configure an address and start communicating with other nodes without ever registering or authenticating itself with the local site. Although this allows unauthorized users to connect to and use a network, the threat is inherently present in the Internet architecture. Any node with a physical attachment to a network can generate an address (using a variety of ad hoc techniques) that provides connectivity. The use of stateless address autoconfiguration and Duplicate Address Detection opens up the possibility of several denial of service attacks. For example, any node can respond to Neighbor Solicitations for a tentative address, causing the other node to reject the address as a duplicate. A separate document  discusses details about these attacks. These attacks can be addressed by requiring that Neighbor Discovery packets be authenticated . However, it should be noted that  points out the use of IP security is not always feasible depending on network environments. 7. Acknowledgements The authors would like to thank the members of both the IPNG (which is now IPV6) and ADDRCONF working groups for their input. In particular, thanks to Jim Bound, Steve Deering, Richard Draves, and Erik Nordmark. Thanks also goes to John Gilmore for alerting the WG of the "0 Lifetime Prefix Advertisement" denial of service attack vulnerability; this document incorporates changes that address this vulnerability. Normative References  Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.  Crawford, M., "A Method for the Transmission of IPv6 Packets over Ethernet Networks", RFC 2464, December 1998.  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.  Hinden, R. and S. Deering, "Internet Protocol Version (IPv6) Addressing Architecture", RFC 3513, April 2003.  Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. Informative References  Deering, S., "Host Extensions for IP Multicasting", RFC 1112, August 1989.  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.  Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003.  Deering, S., Fenner, W. and B. Haberman, "Multicast Listener Discovery (MLD) for IPv6", RFC 2710, October 1999.  Nikander, P., Kempf, J. and E. Nordmark, "IPv6 Neighbor Discovery trust models and threats", draft-ietf-send-psreq-04.txt (work in progress), October 2003.  Park, S., Madanapalli, S. and O. Rao, "IPv6 DAD Consideration for 802.11 Environment", draft-park-ipv6-dad-problem-wlan-00.txt (work in progress), July 2003. Authors' Addresses Susan Thomson Cisco Systems EMail: firstname.lastname@example.org Thomas Narten IBM Corporation P.O. Box 12195 Research Triangle Park, NC 27709-2195 USA Phone: +1 919-254-7798 EMail: email@example.com Tatuya Jinmei Corporate Research & Development Center, Toshiba Corporation 1 Komukai Toshiba-cho, Saiwai-ku Kawasaki-shi, Kanagawa 212-8582 Japan Phone: +81 44-549-2230 EMail: firstname.lastname@example.org Hesham Soliman Flarion Technologies EMail: H.Soliman@flarion.com Appendix A. LOOPBACK SUPPRESSION & DUPLICATE ADDRESS DETECTION Determining whether a received multicast solicitation was looped back to the sender or actually came from another node is implementation- dependent. A problematic case occurs when two interfaces attached to the same link happen to have the same identifier and link-layer address, and they both send out packets with identical contents at roughly the same time (e.g., Neighbor Solicitations for a tentative address as part of Duplicate Address Detection messages). Although a receiver will receive both packets, it cannot determine which packet was looped back and which packet came from the other node by simply comparing packet contents (i.e., the contents are identical). In this particular case, it is not necessary to know precisely which packet was looped back and which was sent by another node; if one receives more solicitations than were sent, the tentative address is a duplicate. However, the situation may not always be this straightforward. The IPv4 multicast specification  recommends that the service interface provide a way for an upper-layer protocol to inhibit local delivery of packets sent to a multicast group that the sending host is a member of. Some applications know that there will be no other group members on the same host, and suppressing loopback prevents them from having to receive (and discard) the packets they themselves send out. A straightforward way to implement this facility is to disable loopback at the hardware level (if supported by the hardware), with packets looped back (if requested) by software. On interfaces in which the hardware itself suppresses loopbacks, a node running Duplicate Address Detection simply counts the number of Neighbor Solicitations received for a tentative address and compares them with the number expected. If there is a mismatch, the tentative address is a duplicate. In those cases where the hardware cannot suppress loopbacks, however, one possible software heuristic to filter out unwanted loopbacks is to discard any received packet whose link-layer source address is the same as the receiving interface's. There is even a link-layer specification that requires to discard any such packets . Unfortunately, use of that criteria also results in the discarding of all packets sent by another node using the same link-layer address. Duplicate Address Detection will fail on interfaces that filter received packets in this manner: o If a node performing Duplicate Address Detection discards received packets having the same source link-layer address as the receiving interface, it will also discard packets from other nodes also using the same link-layer address, including Neighbor Advertisement and Neighbor Solicitation messages required to make Duplicate Address Detection work correctly. This particular problem can be avoided by temporarily disabling the software suppression of loopbacks while a node performs Duplicate Address Detection, if it is possible to disable the suppression. o If a node that is already using a particular IP address discards received packets having the same link-layer source address as the interface, it will also discard Duplicate Address Detection-related Neighbor Solicitation messages sent by another node also using the same link-layer address. Consequently, Duplicate Address Detection will fail, and the other node will configure a non-unique address. Since it is generally impossible to know when another node is performing Duplicate Address Detection, this scenario can be avoided only if software suppression of loopback is permanently disabled. Thus, to perform Duplicate Address Detection correctly in the case where two interfaces are using the same link-layer address, an implementation must have a good understanding of the interface's multicast loopback semantics, and the interface cannot discard received packets simply because the source link-layer address is the same as the interfaces. It should also be noted that a link-layer specification can conflict with the condition necessary to make Duplicate Address Detection work. Appendix B. CHANGES SINCE RFC 1971 o Changed document to use term "interface identifier" rather than "interface token" for consistency with other IPv6 documents. o Clarified definition of deprecated address to make clear it is OK to continue sending to or from deprecated addresses. o Added rules to Section 5.5.3 Router Advertisement processing to address potential denial-of-service attack when prefixes are advertised with very short Lifetimes. o Clarified wording in Section 5.5.4 to make clear that all upper layer protocols must process (i.e., send and receive) packets sent to deprecated addresses. Appendix C. CHANGE HISTORY Changes since RFC 2462 are: o Fixed a typo in Section 2. o Updated references and categorized them into normative and informative ones. o Removed redundant code in denial of service protection in Section 5.5.3. o Clarified that a unicasted NS or NA should be discarded while performing Duplicate Address Detection. o Replaced the word "StoredLifetime" with "RemainingLifetime" with a precise definition to avoid confusion. o Removed references to site-local and revise wording around the keyword. o Added a note about source address selection with regards to deprecated vs insufficient-scope addresses, etc. Added a reference to RFC 3484 for further details. o Clarified what "new communication" means in Section 5.5.4. o Added a new subsection (5.7) to mention the possibility to use stable storage to retain configured addresses for stability. o Revised the Security Considerations section with a refence to the send requirement document and a note that the use of IP security is not always feasible. o Added a note with a reference in Appendix A about the case where a link-layer filtering conflicts with a condition to make DAD work correctly. o Specified that a node performing Duplicate Address Detection delay joining the solicited-node multicast group, not just delay sending Neighbor Solicitations, explaining the detailed reason. o Clarified the reason why the interface should be disabled after an address duplicate is detected. Also clarified that the interface may continue to be used if the interface identifier is not based on the hardware address. o Clarified that the preferred lifetime for an existing configured address is always reset to the advertised value by Router Advertisement. o Updated the description of interface identifier considering the latest format. Appendix D. OPEN ISSUES Semi-Open Issues (resolutions were proposed, but they may need further discussions): o [2462bis issue 271] An implementation may want to use stable storage for autoconfigured addresses. o [2462bis issue 274] There is conflict with the Multicast Listener Discovery specification about random delay for the first packet. o [2462bis issue 278] Whether a router (not a host) can autoconfigure itself using the stateless autoconfiguration protocol may need to be discussed. Open Issues (resolutions have not been proposed yet): o [2462bis issue 275] Many DAD related issues have been discussed, including whether it is okay to omit DAD in some environments or whether DAD can be replaced with DIID (duplicate interface ID detection). o [2462bis issue 277] The semantics of the M/O flags is not very clear. 1. the text needs to be updated to use RFC 2119 keywords 2. which keywords? 3. what is "the stateful configuration protocol"? 4. if the answer to the previous question is DHCPv6, should this specification more explicitly reference the configuration-only version of DHCPv6 in the description of the 'O'flag? o [2462bis issue 281] It is not very clear whether this document always require a 64-bit Interface ID. Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2004). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.mechanism.