Network Working Group C. Huitema
Internet-Draft R. Draves
Expires: July 2, 2003 Microsoft
M. Bagnulo
UC3M
January 2003
Host-Centric IPv6 Multihoming
draft-huitema-multi6-hosts-02
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 2, 2003.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
A way to solve the issue of site multihoming is to have a separate
site prefix for each connection of the site, and to derive as many
addresses for each hosts. This approach to multi-homing, which we
call Host-Centric IPv6 Multihoming, has the advantage of minimal
impact on the inter-domain routing fabric, since each site prefix can
be aggregated within the larger prefix of a specific provider;
however, it opens a number of issues, which we will discuss in this
memo, including the problem created by the interaction between
ingress filtering and multihoming. We then propose a set of specific
solutions that enable host centric multihoming, and we review how
Huitema, et al. Expires July 2, 2003 [Page 1]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
these solutions meet the requirements of IPv6 site multihoming.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Notations . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 Requirements language . . . . . . . . . . . . . . . . . . . 5
2.2 Reference topology . . . . . . . . . . . . . . . . . . . . . 5
2.3 Site exit router . . . . . . . . . . . . . . . . . . . . . . 5
2.4 Ingress filtering . . . . . . . . . . . . . . . . . . . . . 5
2.5 Site exit anycast identifier . . . . . . . . . . . . . . . . 6
2.6 Site exit anycast address . . . . . . . . . . . . . . . . . 6
3. Host-Centric IPv6 Multihoming issues . . . . . . . . . . . . 7
3.1 Destination address selection . . . . . . . . . . . . . . . 7
3.2 Source address selection . . . . . . . . . . . . . . . . . . 7
3.3 The site exit issue . . . . . . . . . . . . . . . . . . . . 8
3.4 Rapid reaction to topology changes . . . . . . . . . . . . . 9
4. Analysis of solutions to the site exit issue . . . . . . . . 10
4.1 Relaxing the source address checks . . . . . . . . . . . . . 10
4.2 Source address dependent routing . . . . . . . . . . . . . . 11
4.3 Source address selection by the host . . . . . . . . . . . . 13
4.4 Packet rewriting at exit router . . . . . . . . . . . . . . 15
4.5 Comparison of the site exit solutions . . . . . . . . . . . 16
5. Analysis of solutions to provide rapid reaction to
topology changes . . . . . . . . . . . . . . . . . . . . . . 18
5.1 Path selection when establishing a new communication . . . . 18
5.1.1 Externally initiated communications . . . . . . . . . . . . 18
5.1.2 Internally initiated communications . . . . . . . . . . . . 18
5.2 Preserving established communications . . . . . . . . . . . 23
6. Integrating Solutions . . . . . . . . . . . . . . . . . . . 24
6.1 Solution 1: Relaxing source address checks + Intra site
routing system based exit path selection . . . . . . . . . . 24
6.2 Solution 2: Source address Discovery + Intra site
routing system based exit path selection . . . . . . . . . . 24
6.3 Solution 3: Packet Rewriting at site exit + Intra site
routing system based exit path selection . . . . . . . . . . 25
6.4 Solution 4: Host based exit path selection + source
address based routing . . . . . . . . . . . . . . . . . . . 25
6.5 Solution 5: Host based exit path selection + site exit
discovery . . . . . . . . . . . . . . . . . . . . . . . . . 26
6.6 Solution 6: Hybrid approach + source address dependent
routing . . . . . . . . . . . . . . . . . . . . . . . . . . 27
6.7 Solution 7: Hybrid approach + source address selection
by the host . . . . . . . . . . . . . . . . . . . . . . . . 27
6.8 Remaining combinations . . . . . . . . . . . . . . . . . . . 27
7. Proposed solution . . . . . . . . . . . . . . . . . . . . . 29
7.1 Multihoming solutions for small sites . . . . . . . . . . . 29
7.1.1 Step 1: preserving functionality for legacy hosts when
Huitema, et al. Expires July 2, 2003 [Page 2]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
becoming multihomed. . . . . . . . . . . . . . . . . . . . . 29
7.1.2 Step 2: Optimizations to enhance the multihoming support . . 31
7.2 Multihoming solution for medium sites . . . . . . . . . . . 36
7.2.1 Reaction to topology changes . . . . . . . . . . . . . . . . 36
7.3 Multihoming solution for big sites . . . . . . . . . . . . . 37
8. Evaluation of Host centric solution and Multihoming
Requirements . . . . . . . . . . . . . . . . . . . . . . . . 39
8.1 Capabilities of IPv4 Multihoming . . . . . . . . . . . . . . 39
8.1.1 Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . 39
8.1.2 Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . 40
8.1.3 Performance . . . . . . . . . . . . . . . . . . . . . . . . 40
8.1.4 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
8.1.5 Simplicity . . . . . . . . . . . . . . . . . . . . . . . . . 40
8.1.6 Transport-Layer Survivability . . . . . . . . . . . . . . . 40
8.2 Additional Requirements . . . . . . . . . . . . . . . . . . 40
8.2.1 Scalability . . . . . . . . . . . . . . . . . . . . . . . . 40
8.2.2 Impact on Routers . . . . . . . . . . . . . . . . . . . . . 41
8.2.3 Impact on Hosts . . . . . . . . . . . . . . . . . . . . . . 41
8.2.4 Interaction between Hosts and the Routing System . . . . . . 41
8.2.5 Operations and Management . . . . . . . . . . . . . . . . . 41
9. Security Considerations . . . . . . . . . . . . . . . . . . 42
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . 43
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44
References . . . . . . . . . . . . . . . . . . . . . . . . . 45
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 46
Intellectual Property and Copyright Statements . . . . . . . 47
Huitema, et al. Expires July 2, 2003 [Page 3]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
1. Introduction
There are two basic forms of multihoming, multiple interface per host
and multiple site connections shared by many hosts. This working
group is specifically concerned with site multi-homing. A way to
solve the issue of site multihoming is to have a separate site prefix
for each connection of the site, and to derive as many addresses for
each hosts; this can in fact be supported by a combination of router
renumbering (RFC2894) and Stateless Address Autoconfiguration
(RFC2462). This approach to multi-homing, which we call Host-Centric
IPv6 Multihoming, has the advantage of minimal impact on the inter-
domain routing fabric, since each site prefix can be aggregated
within the larger prefix of a specific provider; however, it opens a
number of issues, which we will discuss in this memo, including the
problem created by the interaction between ingress filtering and
multihoming. We then propose a set of specific solutions that enable
host centric multihoming, and we review how these solutions meet the
requirements of IPv6 site multihoming.
Huitema, et al. Expires July 2, 2003 [Page 4]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
2. Notations
2.1 Requirements language
In this document, the key words "MAY", "MUST", "MUST NOT",
"optional", "recommended", "SHOULD", and "SHOULD NOT", are to be
interpreted as described in [13].
2.2 Reference topology
In the following discussion, we will use this reference topology:
/-- ( A ) ---( ) --- ( C ) --\
X (site X) ( IPv6 ) (Site Y) Y
\-- ( B ) ---( ) --- ( D ) --/
The topology features two hosts, X and Y, whose respective sites are
both multi-homed. Host X has to global IPv6 addresses, which we will
note "A:X" and "B:X", formed by combined the prefixes allocated by
ISP A and B to "site X" with the host identifier of X. Similarly, Y
has two addresses "C:Y" and "D:Y".
We assume that X, when it starts engaging communication with Y, has
learned the addresses C:Y and D:Y, for example because they were
published in the DNS. We do not assume that the DNS is dynamic: there
will be situations in which both C:Y and D:Y are published, while in
fact only one is reachable. We assume that Y, when it receives
packets from X, has only access to information contained in the
packet coming from X, e.g. the source address; we do not assume that
Y can retrieve by external means the set of addresses associated to
X.
2.3 Site exit router
A site exit router is an IPv6 router managing at least one of the
connections between a site and the Internet.
2.4 Ingress filtering
Ingress filtering refers to the verification of the source address of
the IP packets at the periphery of the Internet, typically at the
link between a customer and an ISP. This process, which is described
in [9] is intended to thwart a class of denial of service attacks in
which attackers hide their identity by using a "spoofed" source
address.
Huitema, et al. Expires July 2, 2003 [Page 5]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
2.5 Site exit anycast identifier
A 7 bit anycast identifier whose value is XX. [TBD IANA]
2.6 Site exit anycast address
An IPv6 anycast address built by combining an IPv6 address prefix
allocated to the site with the site exit anycast identifier,
according to the rules specified in [RFC2526]. The proposed used of
this anycast address is detailed in section 5.
Huitema, et al. Expires July 2, 2003 [Page 6]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
3. Host-Centric IPv6 Multihoming issues
Host-Centric IPv6 Multihoming forces hosts to choose the source and
the destination address of the IPv6 packets, in a way that makes the
best usage, or at least a reasonable usage, of the network resource.
Hosts must first select a destination address, and will then perform
source address selection. Source address selection must be consistent
with ingress filtering, which is sometime implemented at network
interfaces: we call this the "site exit" issue. Destination address
selection is often based on incomplete or obsolete information, which
can be harmful if, for example, hosts fail to notice that one of the
site's connections is suddenly made unavailable. In any case, we must
also consider "low budget" hosts, and make sure that these hosts can
get some benefits from multihoming without enduring too much cost.
3.1 Destination address selection
It is fairly common for hosts to have to choose between multiple
destination addresses for a peer. TCP performs this choice when the
connection is instantiated; SCTP may perform similar choices through
the life-time of the connection; UDP may perform this choice either
for each packet, or at the beginning of an association. We may debate
whether hosts have sufficient information to perform a valid choice,
and it is a complex debate. Some very simple appliances probably
never will have any information; large servers potentially have tons
of information available; personal computers are somewhere in
between. It is not unrealistic to expect progress in this area,
either by communication between the hosts and the routers, by sharing
of experience between hosts, or maybe by innovative application
design that would for example implement a file transfer by parallel
retrieval of fraction of the file from multiple sources. At worst, a
host can always try the proposed addresses one by one, and pick the
first one that actually works -- not very elegant, but definitely
workable.
3.2 Source address selection
The source address selection in most hosts immediately follows the
destination address selection. When a host has multiple interfaces,
the normal procedure is to select the address, then identify the
interface over which packets bound to that address will be routed,
and finally selects a source address associated to that interface.
When the hosts has multiple addresses attached to an interface, which
is the case with host centric IPv6 multihoming, the host could in
theory pick any of these addresses, or at least any of those that
have an appropriate scope. In our example topology, supposing that X
has selected the destination address "C:Y", it can choose as source
address either "A:X" or "B:X".
Huitema, et al. Expires July 2, 2003 [Page 7]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
Choosing the source address will affect the reverse path of the
connection, as the source address of the message will become the
destination address of the responses. This may be a serious matter in
asymmetric applications like web access, in which the bulk of the
data is sent by the server to the client. If the multiple addresses
correspond to different ISP, the hosts should normally pick the
source address that will provide the best performances. As for
destination address selection, we may expect that the host will have
some knowledge of the effect of choosing one or the other address,
for example by observing that web pages are served faster through one
address than through the other.
3.3 The site exit issue
A special complication appears when the ISPs who serve the multihomed
site perform "source address selection." In our generic
configuration, we assume that X is served by ISP A and B, and thus
can be reached by the addresses A:X and B:X. We also we assume that Y
is served by ISP C and D, and thus can be reached by the addresses
C:Y and D:Y. To communicate with Y, X will choose the destination
address that appears to be easier to reach, for example D:Y; then, it
will choose the source address that provides the most efficient
reverse path, say A:X.
Suppose now that the ISP connections at Site X are managed by two
different site exit routers, RXA and RXB, and that there is a similar
configuration at Site Y, with routers RYC and RYD.
/-- ( A ) ---( ) --- ( C ) --\
(RXA) ( ) (RYC)
X (site X) ( IPv6 ) (Site Y) Y
(RXB) ( ) (RYD)
\-- ( B ) ---( ) --- ( D ) --/
Within Site X, the interior routing will decide which of RXA or RXB
is the preferred exit router for the destination "D:Y"; similarly,
within Site Y, the interior routing will decide which of RYC or RYD
is the preferred exit for destination A:X. If the chosen exit router
at Site X is RXA, the packet will flow freely to RYD; If the chosen
exit router at Site Y is RYD, the response will also flow freely.
However, if the exit routers are RXB or RYC, and if the ISPs perform
ingress filtering, we have a problem: ISP B sees a packet coming from
RXB, whose source address does not match the prefix assigned by B to
X; ISP C, similarly, sees a packet whose match the prefix assigned by
that ISP to Y. If either of these ISPs decides to drop the packet,
the communication will be broken.
Huitema, et al. Expires July 2, 2003 [Page 8]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
3.4 Rapid reaction to topology changes
Network conditions change over time. In order to meet the performance
requirement, we must allow the use of the best path at any time; In
order to meet the "redundancy" requirement, we have to make sure that
if a network connection breaks, the corresponding prefix is not used
as either a source or a destination address.
We may assume that the destination address selection algorithm
mentioned in 3.1 will naturally result in the selection by X of an
appropriate address for Y; X may for example try in turn the
addresses C:Y and D:Y, and retain the address for which a response
comes back. However, we must make sure that X selects a source
address that will be reachable: for example, if the link to ISP A
fails, X must make sure that it uses as source address B:X, not A:X.
Huitema, et al. Expires July 2, 2003 [Page 9]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
4. Analysis of solutions to the site exit issue
The site exit issue is caused by ingress filtering at the site
egress. In this section, we will analyse four ways to solve the
issue: somehow relax the source address check, implement source
address dependent routing, ask hosts to pick "the right" source
address, or ask routers to somehow rewrite the packets so that it can
pass the source address checks. We will then compare the proposed
solutions, in order to prepare a recommendation.
4.1 Relaxing the source address checks
An obvious way to avoid failures due to ingress filtering is to
simply make sure that all the addresses used by the hosts of a given
site will be considered acceptable by each of the site's providers.
In our site X example, that would mean that provider A would accept
addresses of the form "B:X" as valid, and that provider B will in
turn accept addresses of the form "A:X" as valid.
One way to achieve this is simply to ask the service provider to turn
off source address checks on the site connection. This requires a
substantial amount of trust between the provider and the site, as
source address checks are in effect delegated to the site routers.
One possible way to achieve this trust is to make sure that the site
routers, or possibly the site firewalls, meet a quality level
specified by the provider.
Another way to achieve this relaxed level of checking is to check
source addresses against a list of "authorized prefixes" for the site
connection, rather than simply the single prefix delegated by the
provider. This solution requires that the site communicates the
authorized prefixes to the provider, either through a management
interface or through a routing protocol. This is obviously more
complex than simply lifting the controls, and in fact ends up with a
very similar requirement of trust: the provider has to be believe
that the site will transmit the right prefixes.
A special case occurs when the site exit is an "automatic tunnel"
interface, such as 6to4 or Shipworm. Source address control for
automatic tunnels is delegated to the "other side" of the tunnel, in
practice to a very large number of relay routers located across the
Internet. Checks are based on the correlation between the IPv6 source
address and the IPv4 source address used in the tunneling protocol.
Asking each potential end of the tunnel to relax its checks is not
realistic; in practice, this means that the exit routers will have to
obtain the right to use as source address a privileged IPv4 address,
such as the 6to4 anycast address or the Shipworm anycast address;
this will imply a negotiation with the provider of the IPv4 service.
Huitema, et al. Expires July 2, 2003 [Page 10]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
In conclusion, relaxing the source address checks requires some form
of explicit trust between the site and its providers. There is no
doubt that this level of trust will exist in many cases; there is
also no doubt that there will be many cases in which the provider is
unwilling to grant this trust, particularly in the case of small
sites, such as for example home networks dual-homes to a DSL provider
and a cable network provider.
4.2 Source address dependent routing
Another solution to the site exit problem is to perform some kind of
source routing within the site, so that the site exit is effectively
a function of the source address in the packet. Current routers
generally do not implement any kind of source address dependent
routing; this implies that this solution would have to be "rolled in"
progressively in the site, following a generic schema such as:
Multiple site exits
| | | |
-----+-----+-----+-----+-----
( )
( Source based routing domain )
( )
----+----+----+----+----+----
( )
( Generic routing domain )
( )
-----------------------------
In this schema, all site exit routers are connected to a source based
routing domain. Packets initiated in the generic routing domain and
bound to an "out of site" address are passed to the nearest access
point to the source based routing domain, using classic "hot potato"
routing. The routers in the source based routing domain maintain as
many parallel routing tables as there are valid source prefixes, and
would choose a route that is a function of both the source and the
destination address; the packets exit the site through the "right"
router. There are multiple possible implementations of this general
concept.
The simplest implementation is to have only one exit router for the
site; this exit router chooses the exit link on the basis of the
source address in the packet. This simple implementation might be
adequate for very small sites, but introduces a single point of
failure, and thus fails to meet the "redundancy" requirement of
multihoming.
Huitema, et al. Expires July 2, 2003 [Page 11]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
In the most complex set up, each router of the site would maintain as
many parallel routing tables as there are valid source prefixes, and
would choose a route that is a function of both the source and the
destination address. This solution enables "shortest path" routing
and can provide an arbitrary level of redundancy. However,
maintaining parallel routing tables requires a massive re-engineering
of routers and routing protocols, and thus would be hard to deploy in
the short term.
A slightly less complex implementation is to connect all exit routers
to the same link, e.g. to what is often referred to as the "DMZ" for
the site. This solution requires that all routers connected to the
DMZ are upgraded to perform source address based routing. This
configuration is less fragile than a single router solution; however,
the single link requirement seems to preclude "geographic redundancy"
between the site exits. It does requires the re-engineering of some
routers, but not necessarily all routers of the site. In practice, it
could be a way to "phase in" the most complex setup described in the
previous paragraph.
A much simpler alternative is to establish a mesh of "tunnels"
between the site exit routers. A site exit router that receives a
packet bound for an out-of-site address would perform a source
address check before forwarding the packet on one of its outgoing
interfaces; if the source address check is positive, the packet will
effectively be sent on the interface; if it is not, the packet would
be "tunneled" to a more adequate router.
The main requirement of the tunneling alternative is that site-exit
routers be able to perform address checks, and that each site exit
router be able to associate to each valid site prefix the address of
a corresponding site exit router. An obvious possibility is to
configure prefixes and corresponding addresses in each router; it
would however be preferable to derive these addresses automatically.
A strong assumption of the IPv6 architecture is that all prefixes of
a site will have the same length; it is thus possible to derive a
prefix from the source address of a "misdirected" packet, by
combining this prefix with a conventional suffix. The suffix should
be chosen to not collide with the subnet numbers used in the site; a
null value will be inadequate, since it could be matched by any
router with knowledge of the prefix, not just the site exit router; a
value of "all ones" could be adequate.
In order to enable tunneling, each router managing a site prefix will
then inject a "host route" for its locally managed prefixes in the
interior routing protocol. Site exit routers performing automatic
tunneling can then use the standard routing procedures to detect
whether the anycast address corresponding to the prefix in use is
Huitema, et al. Expires July 2, 2003 [Page 12]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
reachable; they can automatically reject, rather than tunnel, packets
whose source address does not correspond to a reachable anycast
address.
An inconvenience of the set-up is that some packet will follow a less
than direct path; we will see in the next section how that could be
palliated by host based processing.
Source based routing allows for a large diversity between the site
exits; it also allows for host based policy decision, since a host
can influence the routing of a packet by choosing the appropriate
source address. There is however one drawback of any source address
based scheme, the impossibility to use "asymmetric" path between two
sites:
..................................>
./-- ( A ) ---( ) --- ( C ) --\...
.....>(RXA) ( ) (RYC)....>
X (site X) ( IPv6 ) (Site Y) Y
<.....(RXB) ( ) (RYD)<....
. \-- ( B ) ---( ) --- ( D ) --/...
<...................................
Using source based routing implies that if the host X chooses the
source address B:X, then its packets will exit through router RXB,
never through RXA. This may provide lesser performances if a link is
congested in one direction but not in the other. However, source
based routing would allow four paths, A-C, A-D, B-C and B-D, thus
providing an adequate redundancy and allowing a great deal of
performance optimization.
4.3 Source address selection by the host
The site exit issue would be mitigated if the hosts chose a source
address that would be compatible with the exit point chosen by the
routing protocol, or alternatively if the host tunneled the packet
directly to an adequate exit router.
The first alternative could be called "source address discovery". In
many ways, source address discovery is similar to path MTU discovery.
The two issues are similar: packets that do not meet some criteria
fixed by the network are dropped; the host has to find the cause of
the loss, and to take action in order to make sure that these packets
will be accepted. In the path MTU case, the action is to use shorter
packets; in the ingress filtering case, the action is to present a
different source address.
Huitema, et al. Expires July 2, 2003 [Page 13]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
To implement source address discovery, the hosts would have to
introduce a "preferred source address" parameter in the "destination
cache" mentioned in the Neighbor Discovery standard [3]. The primary
purpose of the cache is to link a destination address to a next hop
neighbor; it is also the repository of per-destination parameters
such as the path MTU; it is the natural repository for the new
parameter. The source prefix in the destination cache would be used
during source address selection, to select an available interface
address that matches the prefix. There will however be cases in which
the prefix is learned after the source address is already selected.
In these cases, the host would have to insert in the packet an "home
address" option that carries the intended source address, as
specified in [11]; the IPv6 source address will be set to the
available interface address that matches the prefix.
As for path MTU discovery, source address discovery requires that the
hosts receive some information from the network, presumably in the
form of an "incorrect source address" ICMP error; the error message
will have to contain information about the packet that triggered the
error, and also information about the source address prefix that
should be used to pass the source address check. In the absence of an
explicit ICMP message, the hosts would have to rely on a trial an
error process, noticing that packets get dropped and trying
retransmissions with alternate source addresses; the experience of
path MTU discovery shows that such processes are awkward and error
prone.
An alternative to source address discovery is "exit router
discovery", i.e. the discovery by the source of the preferred exit
router for a given source address. This requires a slightly different
change to the caches used in neighbor discovery, specifically the
management of a "source exit cache" that associates a specific source
address with an exit router, or maybe the combination of a
destination address and a source address with an exit router. As with
source address discovery, this would be learned through an ICMP
message; this message would not be an error message, but rather a
variation of the redirect message. After receiving such messages, the
host will tunnel to the specified exit point the packets sent from
the source address to the destination; the exit point will
decapsulate these packets and send them over the appropriate exit
link.
The "exit router discovery" procedure appears to be superior to the
"source address discovery." Both solutions require approximately the
same amount of resource in the host, but the exit router discovery
has two advantages: it enables hosts to actually specify the point of
exit from the site, thus giving them a greater amount of "policy
control"; and it does not require third parties to understand and
Huitema, et al. Expires July 2, 2003 [Page 14]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
accept an "home address" option.
We should note that neither "source address discovery" nor "exit
router discovery" are implemented in current hosts. In order to
accomplish the goal expressed in [7] that hosts implementing the
current version of IPv6 can continue to operate in a multi-homed
site, even if they would not take advantage of multihoming; in
consequence, these procedures can only be used as an optional
optimization.
4.4 Packet rewriting at exit router
In section 4.2, we explained how a site exit router that discovers
that a packet bound out of the site has the "wrong" source address
can route the the packet to an alternative exit. Another way to pass
the source the source address check is to modify the packet, which
could in theory be done by replacing the source address, by inserting
a "home address" header, or by encapsulating the packet using "IPv6
in IPv6".
In fact, replacing the source address is not necessarily a good idea,
since this will remove information from the packet; it also requires
some level of cooperation between the exit router and the host, if
only to understand what alternative source addresses can be used by
the host, if any.
One could preserve the information by inserting the "home address"
option defined in [11] before rewriting the source address. After the
insertion of the option, the outgoing parameter will have the
following values:
* IPv6 source address: address of the site egress interface,
* IPv6 destination address: from initial packet,
* IPv6 payload type: "destination option",
* destination option, next header: payload type of initial packet,
* destination option length: length of option, as per [RFC2640],
* home address value: source address of initial packet.
According to [11], the host which receives the packet with the home
address option will behave exactly as if it received a packet from
the initial source address.
An alternative to using the home address option would be to
Huitema, et al. Expires July 2, 2003 [Page 15]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
encapsulate the packet in a new IPv6 header, using "IP in IP". The
source address of the new header will be the address used by the
router on the exit interface, the destination address will be the
original destination, and the payload type will be set to "IPv6."
This alternative is probably easier to implement than the insertion
of a destination option; in particular, routers don't have to be
concerned with the fact that there may already be a destination
option in the incoming packet. It creates a slightly larger overhead,
40 bytes instead of 24.
4.5 Comparison of the site exit solutions
The four solutions that we have reviewed have different advantages
and inconveniences. The may differences are in terms of
deployability, generality, redundancy, policy control, and impact on
existing hosts, i.e. minimal implementations of IPv6 that would use
only one of the available prefix for the site, that would not perform
any more sophisticated logic than picking a destination address at
random among multiple alternatives, and that would not understand any
additional IPv6 option or any additional ICMP message.
The relaxation of source address checks detailed in 4.1 is easy to
deploy, and would not affect minimal hosts. It is a perfectly
reasonable solution for large sites, i.e. the sites that benefit of
IPv4 multihoming today: it should not be more complex to convince a
provider to relax address checks for a particular customer tomorrow,
than to convince today a similar provider to advertise in its routing
table the global IPv4 address of the site. If we choose this
solution, we should choose its simplest implementation, i.e. one in
which the provider completely delegates source address checks to the
site's router or firewalls. This is however not a general solution,
since we cannot expect all sites to convince every provider to relax
their checks.
The rewriting at exit routers appears to be an inferior solution. It
is not really easier to implement than the "tunneling" variation of
source routing at the exit sites: if a router can detect that a
source address does not pass the checks for a proposed interface, and
if it can encapsulate the packet before forwarding it, then it could
just as well tunnel the packet to the "correct" exit router for the
site. Tunneling the packet to its final destination actually has a
larger impact on the existing hosts than simply tunneling the packet
to another router: we have to assume that the destination host is
willing to accept tunneled packets, which is not an obvious
proposition. Since the packet is tunneled, the destination host has
to trust that the source address in the encapsulated packet is
genuine; in the absence of an authentication header, this is risky
proposition.
Huitema, et al. Expires July 2, 2003 [Page 16]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
When the source address checks cannot be relaxed, the best solution
is probably to perform some kind of source address based routing to
the adequate exit router. In the long term, the IETF may develop
internal routing protocols that take into account the source address
as part of the "reachability information" for a set of destinations;
in the short term, there are no such protocols, and we have to rely
on a tunneling mechanism between site exit routers.
Exit router discovery is a natural complement of the tunneling
mechanism between site exit routers. When an exit router tunnels a
misdirected packet towards another exit, it may send an appropriate
"exit redirection" ICMP message. If the host is a minimal IPv6 host,
the ICMP message will be ignored; further packets will continue using
the same slightly sub-optimal path. On the other hand, if the host
has been upgraded to take advantage of multi-homing, the packets will
be tunneled to the appropriate exit router; they will follow a direct
path to this router.
Huitema, et al. Expires July 2, 2003 [Page 17]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
5. Analysis of solutions to provide rapid reaction to topology changes
In order to fulfill the "redundancy" requirement, a multihoming
solution has to provide the means to identify the available exit
paths towards a given destination and carry packets through it. In
other words, a mechanism to detect unavailable exit paths is
required, so that they are not used. We will analyze the different
mechanisms to perform the path selection in two situations: path
selection when establishing a new communication and path selection
during the lifetime of a communication. These two problems are quite
different, since the timing requirements are different in the two
situations and also requirements imposed in the addresses to be used
are different.
5.1 Path selection when establishing a new communication
5.1.1 Externally initiated communications
We will first analyze the mechanism used by hosts outside the
multihomed site to select among the paths to the multi-homed site. We
have already assumed that the multihomed site will have as many
prefixes as ISPs, and that it will assign multiple addresses to every
host that will benefit from multihoming. It is also assumed that
those addresses will be announced through the DNS.
So, when an external host tries to establish a communication, it will
first obtain all the host's addresses from the DNS. Then it will try
to use one of them and if it succeeds the communication is
established; and if not, it will try with the next
address.Considering that each address is routed through one and only
one provider, the selection of an address implies the selection of a
provider, then it implies the selection of a incoming path to the
multihomed site. So, for external hosts, incoming path failure
detection and incoming path selection is already being performed by
the external host itself and the provided capabilities are enough to
provide support to the multihomed environments. When the host within
the multihomed site replies to the incoming packet, both the
destination and the source addresses are already determined, so no
selection has to be performed by the host in the multi-homed site.
Moreover, since the incoming packet has reached the host within the
multihomed site, and assuming that some mechanism to guarantee
ingress filtering compatibility mechanism is being used, the exit
path will be the same than the ingress path, so it is likely to be
working properly.
5.1.2 Internally initiated communications
We will next analyze the mechanisms required within the multihomed
Huitema, et al. Expires July 2, 2003 [Page 18]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
site to select among the multiple path connecting the site to the
Internet. When a host within the multihomed site sends a packet to a
given external destination address, the exit path through which the
packet will be routed has to be selected. In order to select a path
two mechanisms are needed: a mechanism to discover the available
paths and a mechanism to route the packets through the path
identified as available. We have two elements that may perform these
tasks: the routing system and the host itself.
We will analyze the following possibilities:
The first possibility is to let the intra-site routing system to
perform both tasks.
The second possibility presented is to let the host to do both tasks.
The third possibility is to use the routing system to identify the
available paths and to use a mechanism in the host to force the
routing of packets through the identified path.
The fourth possibility where the host identifies the available path
and the routing system routes the packet through the path identified
by the host doesn't seems a reasonable approach to us, so it will not
be included next.
5.1.2.1 Exit path selection by the intra-site routing system
One possibility is to let the intra-site routing system to perform
the complete exit path selection mechanism. In order to do that,
intra-site routing system requires information about which
destinations are reachable through each one of the exit paths. This
means that each one of the providers has to inform the multi-homed
site which destinations are reachable through him. Normally, the BGP
protocol is used for this task. From the multihomed site perspective,
there are two difficulties with this approach: first, the amount of
information that is to be injected in the intra-site routing system
is important and second, running the BGP protocol is more than a
trivial task. While there are some medium-big multihomed sites that
certainly can deal easily with these two issues, other smaller
multi-homed sites may not deal with them so easily (imagine for
instance a site consisting a few PCs on a single ehternet and a
single router connected to a DSL access and a cable access to the
Internet).
We can explore approaches to try to reduce the amount of routing
information to be injected to the intra-site multi-homed site. The
most aggressive approach would be only to inject a default route
through each of the ISPs. This case works fine when one of the direct
Huitema, et al. Expires July 2, 2003 [Page 19]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
links between the multihomed site and ISP fails, but if we only want
to provide protection for this specific case RFC 3178 provides a
solution that it is simpler overall since it deals with all the
problems for this particular case (like ingress filtering, transport
survivability, etc). So, since we are looking for a solution that
provides better fault tolerance capabilities than RFC 3178, we need
more information to be injected to the intra-site routing system.
We need then alternatives that allow us to obtain better fault
tolerance. A possible approach is to filter the accepted routes based
on the AS path length, as proposed in [12]. By this mechanisms, the
multihomed site would only accept routes with an AS path attribute
whose length is no longer than x ASes. This approach allows reducing
the amount of routing information while still achieving a high level
of fault tolerance. The value of x is a trade-off between the two of
them. As more routing information is injected into the site (higher
x), better path selection will be performed and better fault tolerant
capabilities will be provided by the solution, but at the same time
more resources will be needed within the multihomed site. However,
configuring filters raises the difficulty of running BGP, requiring
additional BGP expertise in the end-site, making the adoption of this
solution harder for small unmanaged sites.
5.1.2.2 Host based exit path selection
An alternative to intra-site routing system exit path selection is to
move exit path selection to the host itself. In order to enable the
host to perform the exit path selection, two mechanisms are needed: a
mechanism to discover available paths and a mechanism that to the
host force the routing of packets through the selected exit path,
overruling intra-site routing system routing.
5.1.2.2.1 Mechanisms to force the routing of packets.
A possible mechanism to let the host force the path of the packets is
to make a tunnel directly to the exit router. In order to do that,
the host must be able to discover the address of the exit router.
Using an "exit router discovery" ICMP message as presented in section
4.3 would be an option. An alternative to tunnels could be the usage
of routing headers. However this is considered an inferior solution
since the routing header would be carried all along the path to the
final destination even if it were not needed.
Another mechanism to enable the host to select the exit path is
available when some form of source address dependent routing is used
within the multihomed site. As it has been presented in section 4.2,
if each exit ISP is associated with one of the available prefixes,
and source address dependent routing is used, selecting the prefix to
Huitema, et al. Expires July 2, 2003 [Page 20]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
be included in the source address implies the selection of the exit
ISP through which the packet will be carried. So, source address
dependent routing can be considered as an option to allow the host to
select the exit path.
5.1.2.2.2 Mechanism to discover available and unavailable paths
A mechanism to identify available paths is just to let the host do
trial and error procedure. That is, in order to reach a certain
destination, the host tries every possible exit path. The procedure
can be carried out either sequentially or in parallel, that is, the
host can try with every path simultaneously or it can try with one
path and if this fails then it tries with another one. The benefits
and drawbacks of these two approaches are clear: the sequential
procedure may take longer to find the available path, but the
parallel procedure consumes more resources since multiple packets are
sent every time an available path has to be discovered.
However, the implementation of a failure detection mechanism based on
sending packets may be trickier than what it may seem. A possible
approach could be to define a new protocol for detecting available
paths that sends probe packets end to end. However, a solution that
doesn't impose changes in hosts outside the multihomed site is
preferred because it is easier to deploy. So, we have to use already
available mechanisms. Among the available choices, we could use ICMP
echo packets to detect path availability. The problem here is the
wide adoption of ICMP filtering because security issues.
The other available option is to use data packets as probes. The main
problem here is that not all applications are bi-directional, so
there may be cases when no packets will return but the path is
available. However, we consider that an important number of
applications are bi-directional, so we will explore this possibility
(Note that we are not considering the multicast case here, where the
unidirectional flows are more common). So, a path failure detection
mechanism based on data packets stores the exit path information
corresponding to a destination address in a cache, the exit path
cache. The information contained in this cache depends on the
mechanism that is used to force the routing of the packet by the
host. If the tunnel mechanism is used, the address of the exit router
and the source address to be included are cached. If source address
based routing is used, only the source address to be used is cached.
So when a packet is to be sent to a certain destination address, the
exit path cache is searched for an exit path corresponding to the
destination address. If no exit path is found in the cache, the host
has no knowledge about the available paths, so it has to start the
failure detection procedure by sending packets through all the
available paths. As we have seen, such procedure can be performed
Huitema, et al. Expires July 2, 2003 [Page 21]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
sequentially or in parallel, but in any case packets will be sent
through the available paths and the host will wait for replies. When
the first reply is received (whether because packets through all
available paths have been sent simultaneously or because packets
through different exit paths have been sent and a timeout has
occurred, so the packet has been retransmitted through an alternative
destination), the exit path used is stored in the exit path cache and
following packets are sent through the same exit path. Exit path
cache entries have a finite lifetime. An Exit path cache entry
lifetime is extended every time that a packet is received coming from
the corresponding exit path. When an Exit path entry lifetime
expires, the failure detection procedure is performed when new
packets arrive for such destination.
A case that has to be considered is when no reply packets for a given
destination are received from any exit path. Such behavior may have
two causes: the application generates unidirectional traffic, so no
packets are supposed to arrive or all the paths are down. In any of
the two cases the mechanism can do anything to select the exit path,
so when such situation is detected, a random exit path has to be
selected and used. So an exit path entry is generated with a random
path and with a certain lifetime. So, when the lifetime expires, the
failure detection mechanism is performed again, so that if the case
was that all exit paths were down, the mechanism can detect when one
of the paths is up again. Note that this would cause additional
overhead for unidirectional applications, so the failure detection
mechanism should not be performed very often i.e. the lifetime should
not be very low.
5.1.2.3 Hybrid approach: Routing system based failure detection and host
based exit path selection
An alternative approach is to obtain the information about available
paths from the routing system but let the host to force the routing
of packets through the identified exit path. The benefit of this
approach is that the routing information injection into the
intra-site routing system is required because the exit path is
selected by the host.
This hybrid approach requires a mechanism to convey the path
availability information from the routing system to the hosts.
Considering the amount of information involved, we consider that it
is better to limit the path information stored in the hosts to the
information concerning the path that the host is currently using.
There are two approaches that can be used at this point.
One possible approach is to define a new protocol to let the host to
query a server for the correct exit path to be used to reach a
Huitema, et al. Expires July 2, 2003 [Page 22]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
certain destination, for example as defined in [16]. The server would
have to be configured with enough information to answer those
queries. For instance the server has to know all the BGP information
that is received from each one of the ISPs, the associated prefix and
the address of the corresponding exit router. So, when a host wants
to initiate a communication with an unknown destination address, it
queries the server and obtains the exit path to be used. Then the
host itself forces the packet to be routed through the exit path.
An alternative option is to let the exit routers to inform the host
about the correct exit path to be used. In this case, only the exit
routers are running BGP. So when a host sends a packet to a new
destination, it randomly selects the exit path. More likely, the host
will randomly select a source address and won't tunnel the packet, so
that the packet is carried to the default route. In case that the
destination contained in the packet is not reachable through the ISP
whose prefix has been included as source address, but the exit router
knows because of BGP that it is reachable through an alternative exit
router, the exit router will send an ICMP error message containing
the exit path information back to the host.
A particular case of this approach can be used when the failure has
occurred in the direct link. In this case, the exit router can detect
the outage and considering that no destination is reachable through
this ISP, simply deprecate the prefix. This approach is only an
optimization since it does not address the general case.
5.2 Preserving established communications
Multiple solution for preserving established communications have been
proposed such as HIP, SIM, ODT, LIN6, MAST, NOID, CB64. Many of these
approaches mainly focus on how to present an unchanged IP address to
the upper layers through changes in the address used to actually
reach the host. However, not only such mechanism is required in order
to preserve established communications, but a mechanism to perform
path selection is also required (both a mechanism to identify
available paths and a mechanism to force the routing of packets
through the identified path are required). Additionally, a mechanism
to solve the site exit issue may be needed in those solutions.
Next version of this document will include an analysis of which
mechanism can be used to select paths during the lifetime of a
communication and how such mechanisms can interoperate with the
proposed solutions.
Huitema, et al. Expires July 2, 2003 [Page 23]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
6. Integrating Solutions
In this section we will integrate solutions, combining a site exit
issue solution with a path selection solution. Next we will present
what we consider to be the most natural combinations of a solution
for the site exit issue and an exit path selection mechanism. Other
combinations may be possible but they don't seem very natural so far.
Perhaps future versions of this document will consider them if it
seems appropriate.
6.1 Solution 1: Relaxing source address checks + Intra site routing
system based exit path selection
The site exit issue is addressed relaxing the source address checks
at the ISP, since the required level of trust exists between the site
and the ISPs. The exit path selection is addressed using BGP and
injecting some of the information into the intra-site routing system.
Since BGP expertise is available, appropriate filters can be
configured.
Requirements:
- enough level of trust between the site and the ISPs in order to
relax the source address check
- enough expertise to run BGP and configure appropriate filters
- enough resources to import part of the global routing table into
intra-site routing system
Suitable for: big/medium sites
6.2 Solution 2: Source address Discovery + Intra site routing system
based exit path selection
The host generates packet with one if its source address and then the
packet is routed according the information available at the
intra-site routing. When the packet reaches the site border router,
it verifies the source address. If the source address is compatible
with the selected ISP, the packet is forwarded as it is, if not, the
exit router discards the packet and sends an ICMP error message back
to host containing the appropriate source address for the selected
destination.
Requirements:
- enough expertise to run BGP and configure appropriate filters
Huitema, et al. Expires July 2, 2003 [Page 24]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
- enough resources to import part of the global routing table into
intra-site routing system
- Required modifications: all hosts within the multihomed site have
to be modified to implement the processing of the ICMP error in order
to work properly. Communications initiated by hosts within the
multihomed not implementing such processing will fail when selecting
the wrong source address. Those hosts will not obtain even the level
of service they would obtain in a single homed site.
Suitable for: big/medium sites
6.3 Solution 3: Packet Rewriting at site exit + Intra site routing
system based exit path selection
The host generates packet with one of its source address and then the
packet is routed according the information available at the
intra-site routing. When the packet reaches the site border router,
it verifies the source address. If the source address is compatible
with the selected ISP, the packet is forwarded as it is, if not, the
exit router rewrites the source address of the packet with a new
prefix compatible with the exit ISP.
Requirements:
- enough expertise to run BGP and configure appropriate filters
- enough resources to import part of the global routing table into
intra-site routing system
- Required modifications: all hosts within the multihomed site have
to be modified to implement a mechanism to recognize reply packets
with modified destination address as valid replies to the initial
packet. Communications initiated by hosts within the multihomed site
not implementing such mechanism will fail when using a source address
that is rewritten at site exit. Those hosts will not obtain even the
level of service they would obtain in a single homed site. Additional
modification in applications and/or external hosts may be required.
Suitable for: big/medium sites
6.4 Solution 4: Host based exit path selection + source address based
routing
In this case, an exit path is determined by the source address
selected included in the packet. So, the host can force the routing
of a packet through an exit path just by selecting the source
address. So, the host determines which paths are available by sending
Huitema, et al. Expires July 2, 2003 [Page 25]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
packets with different source addresses. If reply packets arrive, the
path associated with the destination address included in the reply
packet is available, so the address is introduced in the site exit
path cache.
Requirements:
- Configuration of source address dependent routing. This can be
configured site wide or just at the site exit routers. In the second
case, a mesh of tunnels between of the site exit router has also to
be configured
- Required modifications: implementation of the path discovery
mechanism in the hosts of the multihomed site in order to benefit
from multihoming. Hosts not implementing such mechanism can configure
a single source address and behave as they were in a single homed
site. Source address dependent routing is supported by some router
vendor.
Suitable for: small sites
6.5 Solution 5: Host based exit path selection + site exit discovery
In this case, hosts within the multihomed site tries to discover the
available exit path by generating packets with different source
address. In the case that the exit isp corresponds to the selected
source address, the packet is forwarded through the isp. If not, the
packet is discarded and an ICMP error message containing the
appropriate exit router is sent back to the host. The host then
retries forcing the routing of the packet, tunneling it directly to
the exit router. The host identifies available paths when it receives
reply packets. The host then stores the information about the source
address and optionally about the exit router to be used in the site
exit path cache.
Requirements:
- Required modifications: implementation of the ICMP error generation
mechanism in the routers. Implementation of the path discovery
mechanism and the processing of the ICMP error in the hosts.
Communications initiated by hosts within the multihomed not
implementing such mechanism will fail when using an incompatible
source address. Those hosts will not obtain even the level of service
they would obtain in a single homed site.
Suitable for: small sites
Huitema, et al. Expires July 2, 2003 [Page 26]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
6.6 Solution 6: Hybrid approach + source address dependent routing
In this case, a server or the exit router has the information about
the correct site exit router and source address to be used for a
given destination. So, the host within the multihomed site contacts
the server and obtains the correct site exit router and the
appropriate source address. Then the hosts sends packets with the
appropriate source address so that it routed trough the correct exit
router,
Requirements:
- enough expertise to run BGP and configure appropriate filters
- enough resources to import part of the global routing table into
intra-site routing system
- Required Modifications: the exit router or a server has to inform
the host about the correct source address. So both the router and
hosts has to be modified to implement the mechanism
Suitable for: medium sites
6.7 Solution 7: Hybrid approach + source address selection by the host
In this case, a server or the exit router has the information about
the correct site exit router and source address to be used for a
given destination. So, the host within the multihomed site contacts
the server and obtains the correct site exit router and the
appropriate source address. Then the host sends packets with the
appropriate source address tunneling it to the correct exit router,
Requirements:
- enough expertise to run BGP and configure appropriate filters
- enough resources to import part of the global routing table into
intra-site routing system
- Required Modifications: the exit router or a server has to inform
the host about the correct exit path. So both the router and hosts
has to be modified to implement the mechanism
Suitable for: medium sites
6.8 Remaining combinations
The remaining combinations of site exit issue solutions with site
Huitema, et al. Expires July 2, 2003 [Page 27]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
exit path selections mechanism are considered no to naturally match
together.
For instance, it is considered that sites that obtain the level of
trust required from its provider to relax the source address checks
will prefer to run BGP to obtain the available path information
rather than using a host based or hybrid approach.
In source address dependent routing and in site exit discovery
approaches to the site exit issue, it is the host itself who selects
the exit path (using the source address or tunneling). This type of
mechanism seems hardly compatible with intra-site routing system exit
path selection, since it is no longer the intra-site routing system
that selects the exit path but it is the host through the source
address who performs that selection.
Huitema, et al. Expires July 2, 2003 [Page 28]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
7. Proposed solution
In order to implement the host centric multihoming solution, we must
solve the issues presented in the previous section. In this section,
we will present the recommended ways to solve the site exit issue and
how to trigger rapid reactions to failures.
We will next present different solutions for different scenarios. As
we have concluded from our analysis presented above, different
solutions have different requirements and are then suitable for
different type of scenarios. We will consider three different
scenarios:
- multihoming for small sites
- multihoming for medium sites
- multihoming for big sites
7.1 Multihoming solutions for small sites
It is not likely that small sites can obtain some form of source
address check relaxation from their IPSs, so an alternative solution
to deal with the site exit issue is to be used. It is also considered
that in general, small sites don't have neither the expertise nor the
resources required to run BGP, so an alternative mechanism to react
to topology changes is required. We think that the host based
approach is the mechanism that better suits the requirements of the
small sites.
We will next present a set of mechanism and tools to enable
multihoming is small sites.
The goal is to propose a roadmap to adopt multihoming that preserves
existent functionalities and adds new functionalities progressively.
This would allow legacy systems to keep on working exactly the same
way they did before multihoming adoption and then add new features to
enable multihoming benefits
7.1.1 Step 1: preserving functionality for legacy hosts when becoming
multihomed.
Suppose that a single homed site becomes multihomed. The problem here
is that the site exit issue will affect communications of the newly
multihomed site. So, the first step is to deploy a solution for the
site exit issue as simple as possible that does not require updating
the hosts of the site, and if possible does not requires updating
other equipment. Using such solutions, legacy hosts within the
Huitema, et al. Expires July 2, 2003 [Page 29]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
multihomed site will work as if they were in a singlehomed site. That
is, they will not obtain multihoming benfits, but at least they will
not fail because of multihoming. This solution also allows then
attaching legacy hosts to the site and they will work as if they were
in a singlehomed site.
In line with the analysis presented in the previous section, our
recommendation is to enable multihoming by establishing tunnels
between the site exit routers. In order to implement this solution,
we must define a way to convey the site exit addresses to the various
routers in the site; the simplest solution, which we propose here,
uses an anycast address that is arithmetically derived from the
sites' prefixes.
7.1.1.1 Site exit anycast address
The site exit anycast address solution assumes that all of the sites
prefixes have the same length L; it also assume that we can define a
conventional "subnet" associated to the prefix. The proposed solution
is to compose the anycast address by appending an "all 1" suffix to
the site prefix:
<----- L bits -----> <---- 128 - L bits ----->
+-------------------+-------------------------+
| Valid site prefix | 1111...............1111 |
+-------------------+-------------------------+
-- Site exit anycast address --
Each site exit router that can forward to the outside packets whose
source address is derived from a specific site prefix will advertise
reachability of the corresponding site exit anycast address through
the routing mechanism.
7.1.1.2 Tunneling to the appropriate exit
Site exit routers are expected to perform necessary source address
checks before forwarding any packet on a site exit link. The site
exit router must check the source address first, in order to avoid
local packets being routed to a black hole. If the result of the
check is positive, the packet will be forwarded. If the result is
negative, the router will derive a "site exit anycast address" from
the source address of the incoming packet. If the anycast address is
unreachable, the incoming packet will have to be discarded. If the
anycast address is reachable, the incoming packet will be tunneled
towards that address.
Huitema, et al. Expires July 2, 2003 [Page 30]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
It is accepted that tunneling mechanism introduces additional
overhead, but it is recommended because its fast deployability.
However, in the long run, a mechanism based on source address
dependent routing will provide better performance. Such mechanism can
be gradually deployed as presented in section 4.2
7.1.2 Step 2: Optimizations to enhance the multihoming support
7.1.2.1 Site exit router discovery
A problem with the approach presented in the previous section is that
packets may be routed through a suboptimal path, because they are
initially routed towards a site exit router and if the source address
doesn't match, this site exit will send the packet through a tunnel
to an alternative exit router. This problem can be solved using a
Site exit redirection ICMP message. This ICMP error would be
generated by the site exit routers when they receive a packet whose
source address doesn't match with the exit ISP. So, after forwarding
the packet through a tunnel to the appropriate site exit, the router
generates a Site exit redirection ICMP message to inform the
originating host about the correct site exit router for this
destination and source address combination.
7.1.2.1.1 Site exit redirection ICMP message
Routers send site exit redirect packets to inform a host of a better
exit path on the path to a destination.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source prefix length | Redirection life time |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Site Exit Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options ...
+-+-+-+-+-+-+-+-+-+-+-+-
Huitema, et al. Expires July 2, 2003 [Page 31]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
IP Fields:
Source Address: An address assigned to the router from which this
message is sent; SHOULD be a site local address whenever one is
available.
Destination Address: The Source Address of the packet that triggered
the redirect.
Hop Limit: 255
Authentication Header: If a Security Association for the IP
Authentication Header exists between the sender and the destination
address, then the sender SHOULD include this header.
ICMP Fields:
Type: TBD, IANA
Code: 0
Checksum: The ICMP checksum. See [14].
Prefix length: The length of the source address prefix, in bits,
expressed as a 16 bit integer, transmitted in network order, i.e.
most significant byte first.
Redirection lifetime: The number of seconds during which the
redirection should remain in effect, expressed as a 16 bit integer,
in network byte order.
Site Exit Address: An IP address of the preferred exit router touse
for packets sent using as source address the IPv6 destination of this
packet, or using any source address whose prefix matches the first
"prefix length" bits of this packet's IPv6 destination.
Possible options:
Redirected Header: As much as possible of the IP packet that
triggered the sending of the Redirect without making the redirect
packet exceed 1280 octets.
7.1.2.1.2 Host behavior
Hosts can be programmed to perform "exit router discovery", i.e.
associate to a source and destination address pair the address of the
preferred exit router, and then tunnel packets directly to that exit
router. Hosts will learn the address of the exit router through ICMP
Huitema, et al. Expires July 2, 2003 [Page 32]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
"site exit redirection" messages.
Any redirection message poses a potential threat, since it can be
used by third parties to misdirect and possibly capture traffic. In a
secure set-up, hosts will establish a security association with the
exit routers, and will only accept site exit redirection messages
that are properly secured by an authentication header. In the absence
of a security association, the host may perform a number of checks
before accepting a site exit ICMP message:
* check that the IPv6 source address is a site local address, or at a
minimum that it corresponds to a local prefix;
* check that the prefix length has a realistic value, e.g. at least
48 bits;
* check that the Site Exit Address matches the site prefix being
redirected;
* select a redirection life time that is the minimum of the ICMP
value and a locally selected maximum duration.
Since site exit discovery is a routing optimization, hosts should
balance the routing gain with the possible security risk.
7.1.2.2 Rapid reaction to failures
7.1.2.2.1 Direct link failures
In order to react to local failures, we must establish a
communication channel that quickly signals these failures to the
hosts. The logical channel to use is the "router advertisement"
message, which the routers use to communicate to hosts the list of
available prefixes. We propose here to use the "preferred" and
"valid" flags in these prefixes to signal to hosts the addresses that
should, or should not, be used as source address at anay given time.
This solution is sufficient when the site is composed of a single
link; for more complex site, we propose to use the "router
renumbering" mechanism to maintain an up-to-date list of available
prefixes.
7.1.2.2.1.1 Use of Router advertisements
The router advertisement messages are defined in [3]; their use for
address configuration is defined in [4]. As specified in [3], the
router advertisements include a variable number of Prefix Information
parameters. Each Prefix Information parameter specifies:
Huitema, et al. Expires July 2, 2003 [Page 33]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
* an address prefix value,
* an "on-link" flag, used in neighbor discovery,
* an "autonomous" flag, used for autonomous address configuration,
* the "valid" lifetime,
* the "preferred" lifetime.
We propose to use the "preferred" lifetime to indicate whether
addresses derived from the prefix can be used as source address in
multihomed networks. When a prefix is temporarily not available
routers MUST advertise a null preferred lifetime for that prefix.
In conformance with section 5.5.4 of [3], the hosts will notice that
the formerly preferred address becomes deprecated when its preferred
lifetime expires. They will not use the deprecated addresses in new
communications if an alternate (non-deprecated) address is available
and has sufficient scope.
Manipulating the preferred lifetime only solves part of our problem,
since according to [3] the hosts should continue to use the "valid"
source address in existing communications. To actually maintain the
transport sessions that used the now unavailable link, we will need
host improvements that are described in a later section.
7.1.2.2.1.2 Use of Router Renumbering
In order to advertise a null preferred lifetime for a specific
prefix, the sites routers must be able to learn about that prefix. A
possibility is to use the "Router renumbering" protocol [6][RFC2894]
to pass this information. The protocol allows an authorized agent, in
that case the egress site, to update the list of prefixes advertised
by the site's routers. The protocol can be used to change parameters
associated to a prefix, such as the preferred lifetime.
7.1.2.2.2 Reaction to other failures modes
Based on the analysis presented in section 5 and 6, we recommend the
adoption of a host based exit path selection mechanism to enable the
hosts within the multihoming site to react to topology changes.
Considering that we are recommending a solution for the site exit
issue based on source address dependent routing, we can assume that
the exit ISP is determined by the source address included in the
packet. So, in order to force the routing of a packet through a
particular ISP, the host only has to set the appropriate source
Huitema, et al. Expires July 2, 2003 [Page 34]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
address. As described in section 5, the proposed mechanism to
identify available paths will be based on the trial and error
procedure.
The following mechanism is to be implemented in host in order to
react to topology changes.
7.1.2.2.2.1 Exit Path Cache
An Exit Path Cache is created in the hosts. Each entry contain for a
Destination Address, information about the corresponding Source
Address and a lifetime.
Exit Path Cache entry creation process:
When the host receives a packet containing a Source Address SA and a
Destination Address DA, the Exit Path Cache is searched for an entry
that contains SA Destination Address field.
- If such entry is found, the Source Address is verified.
-- If the Source Address contains DA, then the lifetime of the entry
is extended.
-- If the Source Address is other than DA, then the cache entry is
updated and DA is stored in the Source Address field. The lifetime of
the entry is extended. (would this break some apps?)
- If the entry is not found, the entry is created, with SA as the
Destination Address and DA as the Source Address. The entry is
blocked from changes for a certain period to avoid that multiple
answers used in the next section produce suboptimal behavior. (the
other option would be not to modify existent (valid) cache entries
when packets with a different DA are received)
7.1.2.2.2.2 Initiating new communications
When a host attempts to initiate a communication with a certain
destination address D, it first verifies if an Exit Path Cache entry
exists for that destination address D. If it does exists, the host
obtains the source address to be used form it.
If no entry exists for that destination address D, the host generates
multiple packets, one per available source address, sends them and
sets a timer.
If a reply packet is received, the cache entry is created as
described in the previous section. Following packets addressed to
Huitema, et al. Expires July 2, 2003 [Page 35]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
that destination will use the discovered source address if the
applications does not sets the source address to be used.
If the timer expires before any packets containing D as source
address are received, this may mean that there is no exit path
available to reach destination D or that the application generates an
unidirectional flow, so no packets are to be received. In any case,
the issue cannot be addressed at this level, so the recommended
behavior is that the host simply selects one source address S and use
it for the packets addressed to destination D. In order to avoid the
procedure to restart, a Exit Path Cache entry has to be created for
this destination address, containing the selected source address.
7.1.2.2.2.3 Presering established communications
TBD
7.2 Multihoming solution for medium sites
Medium sites are likely to be capable of running BGP but they may not
be able to obtain enough trust from their ISP to relax the source
address checks. So, medium sites could use the mechanisms proposed
for small sites, but they are likely to benefit by integrating BGP in
the multihoming solution.
So the recommended integration of BGP capabilities in the proposed
small site solution basically affects the mechanism used to react to
topology changes affecting non-direct links.
This means that the solution for the site exit issue recommended for
medium sites is also a mesh of tunnels as presented in section 7.2.1
allowing a smooth transition to multihoming without interfering with
the installed base within the multihomed site. Also we recommend the
usage of Neighbor Advertisement and Neighbor Renumbering to convey
information about direct link outages by deprecating the
correspondent prefix, as presented in section 7.2.2.1.1.
7.2.1 Reaction to topology changes
The proposed solution requires that the site exit routers run BGP
with their correspondent providers. By doing so, exit router have
information about reachable destinations through their directly
connected ISP. Moreover, through IBGP sessions with the other site
exit routers, they have information about reachable destination
through the other ISPs.
An Exit Path Cache is created in the hosts. Each entry contain for
each Destination Address, information about the corresponding Source
Huitema, et al. Expires July 2, 2003 [Page 36]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
Address and a lifetime.
Exit path Cache entries are created when the host receives a packet
as described in section 7.2.2.1.2.1
So when a host attempts to initiate a communication with a certain
destination address D, it first verifies if an Exit Path Cache entry
exists for that destination address D. If it does exists, the host
obtains the source address to be used from it.
If no entry exists for that destination address D, the host just
selects one of the possible source addresses and includes it in the
packet.
When the packet reaches the site exit router the following situations
are possible:
1. The destination is reachable through this site exit router and its
directly connected ISP and the source address contains the prefix
corresponding to the connected ISP. In this case, the site router
forwards the packet through its directly connected ISP.
2. The source address contained in the packet corresponds to another
exit router and the destination is reachable through the other site
exit router (the one that corresponds to the source address). In this
case, the router tunnels the packet to the correct site exit router
and sends a Site exit redirection ICMP message (as defined in
7.2.2.1.1) back to the host, so that the host can send following
packets directly to the correct exit router.
3. The destination is not reachable through the ISP that corresponds
to the source address included in the packet, but it is reachable
through another ISP. In this case, this packet has to be discarded
and the host has to be informed that an alternative source address
has to be used. The router then sends a Source Address Error message
back to the host, informing it about the source address to be used to
reach that d estination. A new Exit Path Cache entry is created
containing the source and destination address.
4. The destination is unreachable through any of the ISPs, so the
packet is discarded and an ICMP Destination Unreachable error message
is sent back to the host.
Source Address Error message format:TBD
7.3 Multihoming solution for big sites
A big site is likely to have enough expertise and resources available
Huitema, et al. Expires July 2, 2003 [Page 37]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
to run BGP. Also, it seems likely that a big site can obtain the
required level of trust from its providers to relax the source
address checks. So, big sites are likely to adopt a multihoming
solution based on these two mechanisms, the relaxation of source
address checks and the usage of BGP and the intra-site routing system
to select the exit path.
Source address check relaxation allows a big site to become
multi-homing without prejudice to legacy hosts within the multi-homed
site. Those hosts can still work properly as if they were in a single
homed site.
BGP provides information about what path reaches the selected
destination. However, in case that one of the ISPs is down, the
corresponding address is unreachable, meaning that such address is
not to be used as a source address by hosts within the multihomed
site that establish new communications, becuase there is no route
available for return packets. In this case, a similar (but
simplified) mechanism to the one proposed in the previous section
about reaction to topology changes for medium sites is to be used.
This mechanism is simpler becuase no ingress filtering considerations
are involved, so the situation described in point 2 in the section
above is no longer relevant.
Huitema, et al. Expires July 2, 2003 [Page 38]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
8. Evaluation of Host centric solution and Multihoming Requirements
The MULTI6 working group has elaborated a list of requirements for a
multi-homing solution that is detailed in [7]. In this section, we
will review how the host centric approach to IPv6 multihoming meets
these requirements, which are distributed in two subsections:
matching the capabilities of IPv4 multihoming, and meeting additional
requirements.
8.1 Capabilities of IPv4 Multihoming
8.1.1 Redundancy
The solution presented here can provide protection against:
o Physical link failure,
o Logical link failure,
o Routing protocol failure,
o Transit provider failure, and
o Exchange failure.
Basic redundancy is provided by the availability of multiple
addresses, that can be tried in turn, and by a reliance on classic
destination based routing protocols. We assume that if an address is
reachable, the routing protocol will find a path that leads to it; at
worst, the host will have to perform several transmission trials,
using different addresses, until the destination is reached.
On the reverse path, redundancy is based on the selection of an
appropriate source address. The "preferred lifetime" mechanism allows
even the simplest hosts to learn which addresses are robust enough to
be used.
Destination and source selection provide a protection against a
failure of the site access link, which is catalogued in the
requirements as Physical link failure, or Logical link failure. The
availability of multiple destination addresses provides a protection
against Routing protocol failure, Transit provider failure, and
Exchange failure on the forward path: the communication will succeed
if at least one of the destination addresses can be routed. The
protection against such failures on the reverse path is provided if
multiple source addresses are tried.
Huitema, et al. Expires July 2, 2003 [Page 39]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
8.1.2 Load Sharing
An enterprise can distribute the inbound traffic by manipulating the
"preference" associated to various addresses in the DNS, e.g. by
using mechanisms such as MX records or SRV records.
8.1.3 Performance
Performance enhancements can be obtained by appropriate development
of destination address selection and source address selection
algorithms.
8.1.4 Policy
Classes of applications may be shifted to a specific provider by
appropriate use of DNS records associated to specific services. For
example, the NNTP traffic could be directed to the specific server
"nntp.example.com", and the enterprise could decide to only advertise
for that server an address provided by one of its providers.
The Policy table defined in [15] allows to prefer a certain source
address rather than others. Considering that the source address
determines the exit path, the policy table allows to express the
prefered exit path.
8.1.5 Simplicity
Host centric multihoming is simple to deploy, since it does not
require any cooperation between the site and its providers, or in
fact between the various providers. The main requirement is to
advertise an up-to-date list of prefixes in the router
advertisements; this can be automated using the router renumbering
protocol.
8.1.6 Transport-Layer Survivability
TBD
8.2 Additional Requirements
8.2.1 Scalability
The host centric multihoming system does not impose any unreasonable
requirements on the routing system: the sites use multiple addresses,
but each of these addresses can be aggregated under the prefixes of
their respective providers.
Huitema, et al. Expires July 2, 2003 [Page 40]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
8.2.2 Impact on Routers
The solution requires two changes to IPv6 router implementations. In
order to avoid the problems caused by ingress filtering and
filtering, site exit routers should implement the "home address
insertion" procedure. In order to quickly signal to hosts any change
in the sites' connectivity, the site routers should implement the
"router renumbering" procedures, and the exit routers should be able
to use that procedure if a physical or logical link becomes
unavailable.
8.2.3 Impact on Hosts
The solution does not destroy IPv6 connectivity for a legacy host
implementing [1], [2], [5] and other basic IPv6 specifications
current in January 2004. Such hosts may not be taking the full
benefit from multihoming; in particular, their transport connections
may not survive the failure of a site connection. However, the
preferred lifetime mechanism guarantees that after a re- homing
event, the new connections of these basic hosts will follow an
available path.
Hosts will take better advantage of multi-homing if they implement
better destination address and source address selection algorithms,
exit router discovery, as well as a "binding update" solution for the
survival of transport connections. Each of these is a logically
separate function that can be added to existing functions.
The solution does not require changes to the socket API and/or the
transport layer; such changes may however be required if the host
wants to implement a combined selection of the source and destination
addresses, which is an optional additional function. The solution
allows host or application change to enhance session survivability.
8.2.4 Interaction between Hosts and the Routing System
The interaction between a site's hosts and its routing system is
limited to the normal processing of router advertisements.
Upgraded host will be able to obtain additional information from the
routing system through the newly defined ICMP messages.
8.2.5 Operations and Management
It is possible to monitor and configure the multihoming system.
Huitema, et al. Expires July 2, 2003 [Page 41]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
9. Security Considerations
The use of a site exit redirection ICMP message could potentially be
used to redirect and intercept traffic; secure hosts should only
accept such messages if they are properly authenticated.
Huitema, et al. Expires July 2, 2003 [Page 42]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
10. IANA Considerations
This document requests allocation by IANA of 2 new ICMPv6 message
types.
Huitema, et al. Expires July 2, 2003 [Page 43]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
11. Acknowledgements
This memo incorporates text from a previous draft submitted by
Richard Draves.
We acknowledge Alberto Garcia Martinez and Cedric de Launois for
their reviews and comments.
Huitema, et al. Expires July 2, 2003 [Page 44]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
References
[1] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 2373, July 1998.
[2] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
Specification", RFC 2460, December 1998.
[3] Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery
for IP Version 6 (IPv6)", RFC 2461, December 1998.
[4] Thomson, S. and T. Narten, "IPv6 Stateless Address
Autoconfiguration", RFC 2462, December 1998.
[5] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic
Socket Interface Extensions for IPv6", RFC 2553, March 1999.
[6] Crawford, M., "Router Renumbering for IPv6", RFC 2894, August
2000.
[7] Abley, J., Black, B. and V. Gill, "Goals for IPv6
Site-Multihoming Architectures", RFC 3582, August 2003.
[8] Crawford, M. and C. Huitema, "DNS Extensions to Support IPv6
Address Aggregation and Renumbering", RFC 2874, July 2000.
[9] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", RFC 2267, January 1998.
[10] Thomson, S. and C. Huitema, "DNS Extensions to support IP
version 6", RFC 1886, December 1995.
[11] Johnson, D., "Mobility support in IPv6", Internet Draft , June
2003.
[12] van Beijnum, I., "BGP", , 2002.
[13] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[14] Conta, A. and S. Deering, "Internet Control Message Protocol
(ICMPv6) for the Internet Protocol Version 6 (IPv6)
Specification", RFC 2463, December 1998.
[15] Draves, R., "Default Address Selection for Internet Protocol
version 6 (IPv6)", RFC 3484, February 2003.
Huitema, et al. Expires July 2, 2003 [Page 45]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
[16] de Launois, C. and O. Bonaventure, "NAROS : Host-Centric IPv6
Multihoming with Traffic Engineering", RFC 3484, May 2003.
Authors' Addresses
Christian Huitema
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA
Phone:
EMail: huitema@microsoft.com
URI:
Richard Draves
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA
Phone:
EMail: richdr@microsoft.com
URI:
Marcelo Bagnulo
Universidad Carlos III de Madrid
Av. Universidad 30
Leganes, Madrid 28911
SPAIN
Phone: 34 91 6249500
EMail: marcelo@it.uc3m.es
URI: http://www.it.uc3m.es
Huitema, et al. Expires July 2, 2003 [Page 46]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
Huitema, et al. Expires July 2, 2003 [Page 47]
Internet-Draft Host-Centric IPv6 Multihoming January 2003
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Huitema, et al. Expires July 2, 2003 [Page 48]