Nippon Telegraph and Telephone Corporation
PF Labs. IPv6 Group

Summary and Status of Default Address Selection for IPv6

This page is an introduction of our "distributing mechanism of Default Address Selection Policy" and implementation status of "Default Address Selection for Internet Protocol version 6 (IPv6)" RFC 3484.

ChangeLog

RFC3484 Implementation Status on Major OSes

About default address selection rules, please refer to RFC 3484.
For now, we focus on implementation of Policy Table defined in RFC 3484.

Policy Table Implementation Status

OSConfigurable TableSrc Addr SelectionDst Addr SelectionZone IndexDefault Policy Table
FreeBSD 5.3R [bigsmile] [bigsmile] [bigsmile]- [bigsmile]
Windows XP SP2 [bigsmile] [bigsmile] [bigsmile]- [bigsmile]
Solaris 10 [bigsmile]--- [bigsmile]
Linux 2.6.11 [sad] [sad] [sad] [sad] [sad]
MacOSX Tiger [sad] [sad] [sad] [sad] [sad]


[bigsmile]:
implemented
[sad]:
not implemented
-:
not confirmed

Configurable Table:
Whether this OS has user-configurable Policy Table or not.
Src Addr Selection:
Source address selection reflects Policy Table. (Rule5,6)
Dst Addr Selection:
Destination address selection reflects Policy Table. (Rule5,6)
Zone Index:
Policy Table can have address(prefix) with zone-index.
Default Policy Table:
Default Policy Table defined in RFC 3484 is implemented.

Testing Environment

We confirmed the results above by looking at OS source code and conducting a simple test. We checked OS source code of FreeBSD(5.3R) and Linux(2.6.11.8).

OS dependent notes

FreeBSD

Windows

Solaris

Linux

MacOSX

Our Proposal

As described above, RFC 3484 address selection mechanism is implemented on major OSes. There is, however, no mechanism to automatically configure Policy Table like routing protocol for routing table. It is almost non-sense to force every user to configure Policy Table manually, to inform users of not small amount of policies and to make them change Policy Table configuration every time the backbone topology or address space changes. So we propose a mechanism to distribute address selection policy. Here, we describe the protocol of our mechanism first, and then illustrate practical examples that benefit from our proposing protocol.

DHCPv6 Default Address Selection Option

(Please refer to draft-fujisaki-dhc-addr-select-opt-00.txt for more information.)

Here describes a new Dynamic Host Configuration Protocol for the IPv6 (DHCPv6) option for distributing default address selection policy information to a client. Each end node is expected to configure its policy table, as described in RFC 3484, in a manner consistent with the Default Address Selection Policy option information.

option-code:
OPTION_DASP (TBD)
option-len:
The total length of the label fields, precedence fields, zone-index fields, prefix-len fields, and prefix fields in octets.
label:
An 8-bit unsigned integer; this value is used to make a combination of source address prefixes and destination address prefixes.
precedence:
An 8-bit unsigned integer; this value is used for sorting destination addresses.
zone-index:
An 8-bit unsigned integer; this value is used to specify zones for scoped addresses.
prefix-len:
An 8-bit unsigned integer; the number of leading bits in the prefix that are valid. The value ranges from 0 to 128. The Prefix field is 0, 4, 8, 12, or 16 octets, depending on the length.
Prefix:
A variable-length field containing an IP address or the prefix of an IP address. IPv4-mapped address [mapped] must be used to represent an IPv4 address as a prefix value.

Practical Usage of Our Distribution Mechanism

This paragraph describes some practical usages of default address selection policy distribution mechanism proposed in the previous section. Default address selection policies are originated by ISPs or by network administrators and are delivered to each end node. These policies are stored at end nodes in the form of default address selection policy table. This mechanism is effective in many cases, such as IPv4 and IPv6 dual-stack environment and other multiple address environment. Every end node is guided by the policy in selecting an appropriate destination and source addresses.

Case1: IPv4 or IPv6 Prioritization

The default policy table gives IPv6 addresses higher precedence than IPv4 addresses. There seems to be a lot of cases, however, where network administrators want to control end nodes address selection policy otherwise.

                     +---------+
                     | Tunnel  |
                     | Server  |
                     +--+---++-+
                        |   ||
                        |   ||
                 ===========||==
                 | Internet || |
                 ===========||==
                      |     ||
          10.2.0.0/16 |     ||
                 +----+-+   ||
                 | ISP  |   ||
                 +----+-+   ||
                      |     ||
        IPv4 (Native) |     || IPv6 (Tunnel)
         10.2.30.0/32 |     ||
                     ++-----++-+
                     | Gateway |
                     +----+----+
                          |  2001:db8:a:1::/64
                          |  192.168.0.0/24
                     DHCP |  
                ------+---+----------
                      |
                    +-+----+ 2001:db8:a:1:EUI64
                    | Host | 192.168.0.100
                    +------+

In the figure above, a site has native IPv4 and tunneled IPv6 connectivity. So, the administrator of this site knows communication quality of IPv6 is much worse than IPv4. This kind of problem can be solved by applying the following policy table to hosts.

     Prefix        Precedence Label
     ::1/128               50     0
     ::/0                  40     1
     2002::/16             30     2
     ::/96                 20     3
     ::ffff:0:0/96        100     4

The administrator can indicate that IPv4 should take precendence over IPv6, while keeping to provide both IPv4 and IPv6 connectivity, by delivering DHCPv6 Default Address Selection Option that includes the policy above.

Case2: ULA or Global Prioritization

By default, the scope of these addresses is global. Also, unlike site-locals, a site may have more than one of these prefixes and use them at the same time.

By making use of this characteristics, you can achieve strong and simple access control. Like the figure below, a web server has both ULA and Global IPv6 addresses. A host in this site also has both addresses.

By configuring client address based access control at the web server, a client with ULA gets in internal only web pages and a client with Global address gets access to only public web pages. As it is relatively easy to reject packets with ULA source address getting into the site at border router, this kind of access control seems to be reliable.

                     +------+
                     | Host |
                     +-+--|-+
                       |  |
               ===========|==
               | Internet | |
               ===========|==
                     |    |
                     |    |   
                +----+-+  +-->+------+
                | ISP  +------+  Web | 2001:db8:a::80
                +----+-+  +-->+------+ fc12:3456:789a::80
 DHCP-PD             |    | 
     2001:db8:a::/48 |    |
 fc12:3456:789a::/48 |    |
                +----+----|+
                | Gateway ||
                +---+-----|+
                    |     |    2001:db8:a:100::/64
               DHCP |     |    fc12:3456:789a:100:/64
                  --+-+---|-----
                      |   |
                    +-+---|+ 2001:db8:a:100:EUI64
                    | Host | fc12:3456:789a:100:EUI64
                    +------+

If you want to make in-site hosts to get into internal web site, you should deliver the following policies to them from the gateway.

     Prefix        Precedence Label
     ::1/128               50     0
     fc00::/7              40     1
     ::/0                  30     2
     ::ffff:0:0/96         10     3

Case3: Multicast Source Address Selection

This case is an example of Site-local or Global prioritization. When you send a multicast packet across site-borders, the source address of the multicast packet has to be a global scope address. The longest matching algorithm, however, selects a ULA address, if a sending host has both an ULA and a global addresses.

The following policy fixes this incongruity. For site-scope multicast, the destination address is in ff05::/16, and the source address should be ULA. For global-scope multicast, the destination address is in ff0e::/16, and the source address will be global unicast address.

     Prefix        Precedence Label
     ff05::/16             10     5
     fc00::/7              10     5  
     ff0e::/16             10     6
     2000::/3              10     6

Case4: Global and Closed Mixed Connectivity

You can see another typical source address selection problem in a site with global-closed mixed connectivity like the figure below. In this case, Host-A is in a multihomed network and has two IPv6 addresses delegated from each of up-stream ISPs. Note that ISP2 is closed network and doesn't have connectivity to the Internet.

                       +--------+
                       | Host-C | 3ffe:503:c:1:EUI64
                       +-----+--+
                             |
                    ==============  +--------+
                    |  Internet  |  | Host-B | 3ffe:1800::EUI64
                    ==============  +--------+
                         |           |
           2001:db8::/32 |           | 3ffe:1800::/32
                    +----+-+   +-+---++
                    | ISP1 |   | ISP2 | (Closed Network / VPN tunnel)
                    +----+-+   +-+----+
                 DHCP-PD |       | DHCP-PD
         2001:db8:a::/48 |       | 3ffe:1800:a::/48
                        ++-------++
                        | Gateway |
                        +----+----+
                             |  2001:db8:a:1::/64
                             |  3ffe:1800:a:1::/64
                        DHCP |
                   ------+---+----------
                         |
                      +--+-----+ 2001:db8:a:1:EUI64
                      | Host-A | 3ffe:1800:a:1:EUI64
                      +--------+

Host-C is located somewhere in the Internet and has an IPv6 address 3ffe:503:c:1:EUI64. When Host-A sends a packet to Host-C, longest matching algorithm chooses 3ffe:1800:a:1:EUI64 for the source address. In this case, the packet goes through ISP1 and may be filtered by ISP1's ingress filter. Even if the packet isn't filtered by ISP1 fortunately, a return packet from Host-C won't possibly reach at Host-A, because the return packet is destined for 3ffe:1800:a:1:EUI64, which is closed from the Internet.

In this case, the source address selection problem will be solved, if Host-A has the following policy table and the gateway has an appropriate routing table.

     Prefix        Precedence    Label
     2001:db8::/32         10      100
     ::/0                  10      100
     2001:db8:a:1::/64     10      100
     3ffe:1800::/32        10      200
     3ffe:1800:a:1::/64    10      200

Only the ISP1 and ISP2 know what policy Host-A should have, so we propose that ISPs should deliver their policy information to their customers in the form of DHCPv6 option that we stated above.

Case5: Renumbering Site Prefix

This mechanism is useful for smooth IPv6 address renumbering.

Standardization History

RFC3484

Policy Table Distribution

Contacts

  Tomohiro Fujisaki
  Jun-ya Kato
  Shirou Niinobe
  Arifumi Matsumoto

  NTT PF Lab
  3-9-11 Midori-Cho
  Musashino-shi, Tokyo  180-8585
  Japan
  Phone: +81 422 59 7351
last modified: 2006-12-27 (¿å) 14:14:49
contact:fujisaki at syce dot net, arifumi at nttv6 dot net