DNA Working Group S. Narayanan Internet-Draft Panasonic Expires: October 18, 2005 G. Daley Monash University CTIE N. Montavont LSIIT - ULP April 19, 2005 Detecting Network Attachment in IPv6 - Best Current Practices for hosts. draft-ietf-dna-hosts-00.txt Status of this Memo By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October 18, 2005. Copyright Notice Copyright (C) The Internet Society (2005). All Rights Reserved. Abstract Hosts experiencing rapid link-layer changes may require further IP configuration change detection procedures than more traditional fixed hosts. DNA is defined as the process by which a host collects appropriate information and detects the identity of its currently attached link to ascertains the validity of its IP configuration. Narayanan, et al. Expires October 18, 2005 [Page 1]
Internet-Draft DNAv6 BCP for hosts April 2005 This document details best current practice for Detecting Network Attachment in IPv6 hosts using existing Neighbor Discovery procedures. Since there is no explicit link identification mechanism in the existing Neighbor Discovery for IP Version 6, the document describes implicit mechanisms for identifying the current link. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Structure of this Document . . . . . . . . . . . . . . . . 4 2. Terms and Abbreviations . . . . . . . . . . . . . . . . . . . 5 3. Background & Motivation for DNA . . . . . . . . . . . . . . . 5 3.1 Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Detecting Network Attachment Steps . . . . . . . . . . . . . . 6 4.1 Making use of Prior Information . . . . . . . . . . . . . 6 4.2 Duplicate Address Detection . . . . . . . . . . . . . . . 7 4.3 Link identification . . . . . . . . . . . . . . . . . . . 8 4.3.1 Same link . . . . . . . . . . . . . . . . . . . . . . 8 4.3.2 Link change . . . . . . . . . . . . . . . . . . . . . 8 4.4 Multicast Listener State . . . . . . . . . . . . . . . . . 8 4.5 Reachability detection . . . . . . . . . . . . . . . . . . 9 5. Initiation of DNA Procedures . . . . . . . . . . . . . . . . . 10 5.1 Actions Upon Hint Reception . . . . . . . . . . . . . . . 10 5.2 Hints Due to Network Layer Messages . . . . . . . . . . . 10 5.3 Handling Hints from Other Layers . . . . . . . . . . . . . 11 5.4 Timer Based Hints . . . . . . . . . . . . . . . . . . . . 12 5.5 Simultaneous Hints . . . . . . . . . . . . . . . . . . . . 12 5.6 Hint Validity and Hysteresis . . . . . . . . . . . . . . . 13 5.7 Hint Management for Inactive Hosts . . . . . . . . . . . . 13 6. IP Hosts Configuration . . . . . . . . . . . . . . . . . . . . 14 6.1 Router and Prefix list . . . . . . . . . . . . . . . . . . 14 6.2 IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . 15 6.2.1 Autoconfiguration . . . . . . . . . . . . . . . . . . 15 6.2.2 Dynamic Host Configuration . . . . . . . . . . . . . . 15 6.3 Neighbor cache . . . . . . . . . . . . . . . . . . . . . . 16 6.4 Mobility Management . . . . . . . . . . . . . . . . . . . 16 7. Complications to Detecting Network Attachment . . . . . . . . 17 7.1 Packet Loss . . . . . . . . . . . . . . . . . . . . . . . 17 7.2 Router Configurations . . . . . . . . . . . . . . . . . . 17 7.3 Overlapping Coverage . . . . . . . . . . . . . . . . . . . 17 7.4 Multicast Snooping . . . . . . . . . . . . . . . . . . . . 18 7.5 Link Partition . . . . . . . . . . . . . . . . . . . . . . 18 Narayanan, et al. Expires October 18, 2005 [Page 2]
Internet-Draft DNAv6 BCP for hosts April 2005 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 8.1 Authorization and Detecting Network Attachment . . . . . . 19 8.2 Addressing . . . . . . . . . . . . . . . . . . . . . . . . 19 9. Constants . . . . . . . . . . . . . . . . . . . . . . . . . . 20 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 20 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 11.1 Normative References . . . . . . . . . . . . . . . . . . . . 20 11.2 Informative References . . . . . . . . . . . . . . . . . . . 21 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22 A. Example State Transition Diagram . . . . . . . . . . . . . . . 23 B. Analysis of Configuration Algorithms . . . . . . . . . . . . . 24 C. DNA With Fast Handovers for Mobile IPv6 . . . . . . . . . . . 26 D. DNA with Candidate Access Router Discovery . . . . . . . . . . 26 Intellectual Property and Copyright Statements . . . . . . . . 27 Narayanan, et al. Expires October 18, 2005 [Page 3]
Internet-Draft DNAv6 BCP for hosts April 2005 1. Introduction When operating in changing environments, IPv6 hosts may experience variations in reachability or configuration state over time. For hosts accessing the Internet over wireless media, such changes may be caused by changes in wireless propagation or host motion. Detecting Network Attachment (DNA) in IPv6 is the task of checking for changes in the validity of a host's IP configuration [15]. Changes may occur on establishment or disconnection of a link-layer. For newly connected interfaces, they may be on a link different from the existing configuration of the node. In these and other cases, IP addressing and default routing configuration of the node may be invalid, which prevents packet transfer. DNA uses IPv6 Neighbour Discovery to provide information about the reachability and identity of the link. DNA focuses on determining whether the current configuration is valid, leaving the actual practice of re-configuration to other subsystems, if the current configuration is invalid. This document presents the best current practices for IPv6 hosts to address the task of Detecting Network Attachment in changing and wireless environments. 1.1 Structure of this Document Section 3 of this document provides a background and motivation for Detecting Network Attachment. Elaboration of specific practices for hosts in detecting network attachment continues in Section 4, while Section 5 discuss the initiation of DNA procedures. Section 4 describes how to safely determine network attachment with minimal signaling, across a range of environments. Section 8 Provides security considerations, and details a number of issues which arise due to wireless connectivity and the changeable nature of DNA hosts' Internet connections. This document has a number of appendixes. Appendix A provides an example state machine for DNA describing knowledge and belief based on the prior listed recommendations. A brief analysis of two known configuration algorithms LCS (Lazy Configuration Switching) and ECS (Eager Configuration Switching) is presented in Appendix B. The final two (Appendix C and Appendix D) Narayanan, et al. Expires October 18, 2005 [Page 4]
Internet-Draft DNAv6 BCP for hosts April 2005 look at existing experimental protocols that may be used to provide DNA processes with access network information before arrival on a new link. 2. Terms and Abbreviations There is an existing DNA terminology draft [22]. At this stage, it is unclear if this draft or the mobility terminology [23] draft need to be referenced, or specific terms need to be placed in this document. While the mobility terminology draft may be applicable, the focus of this draft upon mobile hosts may be distracting for DNA. Comments on this issue are welcome. 3. Background & Motivation for DNA Hosts on the Internet may be connected by various media. It has become common that hosts have access through wireless media and are mobile, and have a variety of interfaces through which internet connectivity is provided. The frequency of configuration change for wireless and nomadic devices are high due to the vagaries of wireless propagation or the motion of the hosts themselves. Detecting Network Attachment is a strategy to assist such rapid configuration changes by determining whether they are required. Due to these frequent link-layer changes, an IP configuration change detection mechanism for DNA needs to be efficient and rapid to avoid unnecessary configuration delays upon link-change. In an wireless environment, there will typically be a trade-off between configuration delays and the channel bandwidth utilized or host's energy used to transmit packets. This trade-off affects choices as to whether hosts probe for configuration information, or wait for network information. DNA seeks to assist hosts by providing information about network state, which may allow hosts to appropriately make decisions regarding such trade-offs. Even though DNA is restricted to determining whether change is needed, in some circumstances the process of obtaining information for the new configuration may occur simultaneously with the detection to improve the efficiency of these two steps. 3.1 Issues The following features of RFC 2461 make the detection of link identity difficult: Narayanan, et al. Expires October 18, 2005 [Page 5]
Internet-Draft DNAv6 BCP for hosts April 2005 Routers are not required to include all the prefixes they support in a single router advertisement message [1]. The default router address is link-local address and hence may only be unique within one link [1]. While neighbor cache entries are valid only on a single link, link-local addresses may be duplicated across many links, and only global addressing MAY be used to identify if there is a link change. 4. Detecting Network Attachment Steps 4.1 Making use of Prior Information A device that has recently been attached to a particular wireless base station may still have state regarding the IP configuration valid for use on that link. This allows a host to begin any configuration procedures before checking the ongoing validity and security of the parameters. The experimental protocols FMIPv6 [19] and CARD [20] each provide ways to generate such information using network-layer signaling, before arrival on a link. These are respectively described in Appendix C and Appendix D. Additionally, the issue is the same when a host disconnects from one cell and returns to it immediately, or movement occurs between a pair of cells (the ping-pong effect). A IP host MAY store L2 to L3 mapping information for the links for a period of time in order to use the information in the future. For example, in 802.11 networks, IP hosts MAY store the L2 address of the access points and the corresponding list of prefixes available for future use. When a host attaches itself to a new L2 link, if the corresponding stored prefix list doesn't contain the prefix it is using, the host SHOULD conclude that it has changed link and initiate new configuration procedure. If the host finds the prefix it is using in the stored list of prefixes, a host MAY conclude that it is on the same link. In this case, the host MUST undertake Duplicate Address Detection [3][8] to confirm that there are no duplicate addresses on the link. The host MUST age this cached information based on the possibility that the link's configuration has changed and MUST NOT store information beyond either the remaining router or address lifetime or (at the outside) MAC_CACHE_TIME time-units. Extreme care MUST be taken in making use of existing prior Narayanan, et al. Expires October 18, 2005 [Page 6]
Internet-Draft DNAv6 BCP for hosts April 2005 information. If the assumptions attached to the stored configuration are incorrect the configuration cost may be increased, or even cause disruption of services to other devices. Hosts MUST NOT cause any disruption of the IP connectivity to other devices due to the invalidity or staleness of their configuration. 4.2 Duplicate Address Detection When a host connects to a new link, it needs to create a link-local address. But as the link-local address must be unique on a link, Duplication Address Detection (DAD) MUST be performed [3] by sending NS targeted at the link-local address undergoing validation. Optimistic Duplicate Address Detection allows addresses to be used while they are being checked, without marking addresses as tentative. Procedures defined in optimistic DAD [8] ensure that persistent invalid neighbour cache entries are not created. This may allow faster DNA procedures, by avoiding use of unspecified source addresses in RS's and consequently allowing unicast Router Advertisements responses [8]. It is RECOMMENDED that hosts follow the recommendations of optimistic DAD [8] to reduce the DAD delay. While hosts performing DNA do not know if they have arrived on a new link, they SHOULD treat their addresses as if they were. This means that link-local addresses SHOULD be treated as either optimistic or tentative, and globally unique addresses SHOULD NOT be used in a way which creates neighbor cache state on their peers, while DNA procedures are underway. The different treatment of IP addressing comes from the fact that on the global addresses cannot have an address conflict if they move to a topologically incorrect network where link-local addresses may. Even though global addresses will not collide, the incorrect creation of neighbor cache entries on legacy peers may cause them some harm. In the case that the host has not changed link and if the time elapsed since the hint is less than the DAD completion time (minus a packet transmission and propagation time), the host MAY reclaim the address by sending Neighbor Advertisement messages as if another host had attempted DAD while the host was away. This will prevent DAD completion by another node upon NA reception. If a host has not been present on a link to defend its address, and has been absent for a full DAD delay (minus transmission time) the host MUST undertake the full DAD procedure for each address from that link it wishes to configure [3][8]. Narayanan, et al. Expires October 18, 2005 [Page 7]
Internet-Draft DNAv6 BCP for hosts April 2005 4.3 Link identification 4.3.1 Same link An IP host MUST conclude that it is on the same link if any of the following events happen. Reception of a RA with the prefix known to be on the link from the current default router address, even if it is the link-local address of the router. Reception of a RA from a known router's global address. Reception of data packets addressed to its current global address if the message was sent from or through a device which is known to be fixed (such as a router). A host SHOULD conclude that it is on the same link if any of the following events happen. Reception of a RA with a known prefix on the link. Confirmation of a global address entry with the Router 'R' flag set in its neighbor cache. 4.3.2 Link change A host SHOULD maintain a complete prefix list as recommended by [24] to identify if the link has changed. 4.4 Multicast Listener State Multicast routers on a link are aware of which groups are in use within a link. This information is used to undertake initiation of multicast routing for off-link multicast sources to the link [9][11]. When a node arrives on a link, it may need to send Multicast Listener Discovery (MLD) reports, if the multicast stream is not already being received on the link. If it is an MLDv2 node it SHOULD send state change reports upon arrival on a link [11]. Since the identity of the link is tied to the presence and identity of routers, initiation of these procedures may be undertaken when DNA procedures have been completed. In the absence of received data packets from a multicast stream, it is unlikely that a host will be able to determine if the multicast stream is being received on a new Narayanan, et al. Expires October 18, 2005 [Page 8]
Internet-Draft DNAv6 BCP for hosts April 2005 link, and will have to send state change reports, in addition to responses to periodic multicast queries [9][11]. For link scoped multicast, reporting needs to be done to ensure that packet reception in the link is available due to multicast snoopers. Some interaction is possible when sending messages for the purpose of DNA on a network where multicast snooping is in use. This issue is described in Section 7.4. While RFC2710 [9] specifies that routers may ignore messages from unspecified source addresses RFC 3590 [10] indicates that for the benefit of snooping switches such messages MAY be transmitted. Since DNA procedures are likely to force link-local addresses to be tentative, this means MLD messages may need to be transmitted with unspecified source addresses while link-locals are tentative, in order to complete DNA. This is discussed further in Section 7.4 4.5 Reachability detection If an IP node needs to confirm bi-directional reachability to its default router either a NS-NA or an RS-RA message exchange can be used to conduct reachability testing. It is notable that the choice of whether the messages are addressed to multicast or unicast address will have different reachability implications. The reachability implications from the hosts' perspective for the four different message exchanges defined by RFC 2461 [1] are presented in the table below. The host can confirm bi-directional reachability from the neighbor discovery or router discovery message exchanges except when a multicast RA is received at the host for its RS message. In this case, using IPv6 Neighbour Discovery procedures, the host cannot know whether the multicast RA is in response to its solicitation message or whether it is a periodic un-solicited transmission from the router [1]. +-----------------+----+----+----+-----+ | Exchanges: |Upstream |Downstream| +-----------------+----+----+----+-----+ | multicast NS/NA | Y | Y | +-----------------+----+----+----+-----+ | unicast NS/NA | Y | Y | +-----------------+----+----+----+-----+ | RS/multicast RA | Y | N | +-----------------+----+----+----+-----+ | RS/unicast RA | Y | Y | +-----------------+----+----+----+-----+ Successful exchange of the messages listed in the table indicate the Narayanan, et al. Expires October 18, 2005 [Page 9]
Internet-Draft DNAv6 BCP for hosts April 2005 corresponding links to be operational. Lack of reception of response from the router may indicate that reachability is broken for one or both of the transmission directions or it may indicate an ordinary packet loss event in either direction. Whenever a host receives a hint (see Section 5, after identifying the link, it SHOULD verify partial reachability from its default router to itself. 5. Initiation of DNA Procedures Link change detection procedures are initiated when information is received either directly from the network or from other protocol layers within the host. This information indicates that network reachability or configuration is suspect and is called a hint. Hints MAY be used to update a wireless host's timers or probing behavior in such a way as to assist detection of network attachment. Hints SHOULD NOT be considered to be authoritative for detecting IP configuration change by themselves. In some cases, hints will carry significant information (for example a hint indicating PPP IPv6CP open state [4]), although details of the configuration parameters may be available only after other IP configuration procedures. Implementers are encouraged to treat hints as though they may be incorrect, and require confirmation. Hosts MUST ensure that untrusted hints do not cause unnecessary configuration changes, or significant consumption of host resources or bandwidth. In order to achieve this aim, a host MAY implement hysteresis mechanisms such as token buckets, hint weighting or holddown timers in order to limit the effect of excessive hints (see Section 5.6). 5.1 Actions Upon Hint Reception Upon reception of a hint that link change detection may have occurred, a host MAY send Router Solicitation messages to determine the routers and prefixes which exist on a link. Router Advertisements received as a result of such solicitation have a role in determining if existing configuration is valid, and may be used to construct prefix lists for a new link [24]. 5.2 Hints Due to Network Layer Messages Hint reception may be due to network-layer messages such as unexpected Router Advertisements, multicast listener queries or Narayanan, et al. Expires October 18, 2005 [Page 10]
Internet-Draft DNAv6 BCP for hosts April 2005 ICMPv6 error messages [1][9][6]. In these cases, the authenticity of the messages MUST be verified before expending resources to initiate DNA procedure. When a host arrives on a new link, hints received due to external IP packets will typically be due to multicast messages. A delay before receiving these messages is likely as in most cases intervals between All-Hosts multicast messages are tightly controlled [1][6]. Regardless of this, actions based on multicast reception from untrusted sources are dangerous due to the threat of transmitter impersonation. This issue is discussed further in Section 8. State changes within the network-layer itself may initiate link-change detection procedures. Existing subsystems for router and neighbor discovery, address leasing and multicast reception maintain their own timers and state variables. Changes to the state of one or more of these mechanisms may hint that link change has occurred, and initiate detection of network attachment. 5.3 Handling Hints from Other Layers Timeouts and state change at other protocol layers may provide hints of link change to network attachment detection systems. Two examples of such state change are TCP retransmission timeout and completion of link-layer access procedures. While hints from other protocol layers originate from within the host's own stack, the network layer SHOULD NOT treat hints from other protocol layers as authoritative indications of link change. This is because state changes within other protocol layers may be triggered by untrusted messages, come from compromised sources (for example 802.11 WEP Encryption [21]) or be inaccurate with regard to network-layer state. While these hints come from the host's own stack, the causes for such hints may be due to packet reception or non-reception events at the originating layers. As such, it may be possible for other devices to instigate hint delivery on a host or multiple hosts deliberately, in order to prompt packet transmission, or configuration modification. This ability to create hints may even extend to the parameters supplied with a hint that give indications of the network's status. Therefore, hosts SHOULD NOT change their configuration state based on hints from other protocol layers. A host MAY choose to adopt an appropriate link change detection strategy based upon hints received from other layers, with suitable caution and hysteresis, as described in Section 5.6. Narayanan, et al. Expires October 18, 2005 [Page 11]
Internet-Draft DNAv6 BCP for hosts April 2005 5.4 Timer Based Hints When receiving messages from upper and lower layers, or when maintaining reachability information for routers or hosts, timers may expire due to non-reception of messages. In some cases the expiry of these timers may be a good hint that DNA procedures are necessary. Hosts SHOULD NOT start DNA procedures simply because a data link is idle, in accordance with [1]. Hosts MAY act on hints associated with non-reception of expected signaling or data. Since DNA is likely to be used when communicating with devices over wireless links, suitable resilience to packet loss SHOULD be incorporated into either the hinting mechanism, or the DNA initiation system. Notably, non-reception of data associated with end-to-end communication over the Internet may be caused by reception errors at either end or because of network congestion. Hosts SHOULD NOT act immediately on packet loss indications, delaying until it is clear that the packet losses aren't caused by transient events. Use of the Advertisement Interval Option specified in [5] follows these principles. Routers sending this option indicate the maximum interval between successive router advertisements. Hosts receiving this option monitor for multiple successive packet losses and initiate change discovery. 5.5 Simultaneous Hints While some link-layer hints may be generated by individual actions, other events which generate hints may affect a number of devices simultaneously. It is possible that hints arrive synchronously on multiple hosts at the same time. For example, if a wireless base station goes down, all the hosts on that base station are likely to initiate link-layer configuration strategies after losing track of the last beacon or pilot signal from the base station. As described in [1][6], a host SHOULD delay randomly before acting on a widely receivable advertisement, in order to avoid response implosion. Where a host considers it may be on a new link and learns this from a hint generated by a multicast message, the host SHOULD defer 0-1000ms in accordance with [1][3]. Please note though that a single desynchronization is required for any number of transmissions subsequent to a hint, regardless of which messages need to be sent. Narayanan, et al. Expires October 18, 2005 [Page 12]
Internet-Draft DNAv6 BCP for hosts April 2005 Additional delays are only required if in response to messages received from the network which are themselves multicast, and it is not possible to identify which of the receivers the packet is in response to. In link-layers where sufficient serialization occurs after an event experienced by multiple hosts, each host MAY avoid the random delays before sending solicitations specified in [1]. 5.6 Hint Validity and Hysteresis Anecdotal evidence from the initial Detecting Network Attachment BoF indicated that hints received at the network layer often did not correspond to changes in IP connectivity [18]. In some cases, hints could be generated at an elevated rate, which didn't reflect actual changes in IP configuration. In other cases, hints were received prior to the availability of the medium for network-layer packets. Additionally, since packet reception at the network and other layers are a source for hints, it is possible for traffic patterns on the link to create hints, through chance or malicious intent. Therefore, it may be necessary to classify hint sources and types for their relevance and recent behavior. When experiencing a large number of hints, a host SHOULD employ hysteresis techniques to prevent excessive use of network resources. The host MAY change the weight of particular hints, to devalue them if their accuracy has been poor, they suggest invalid configurations, or are suspicious (refer to Section 8). It is notable, that such hysteresis may cause sub-optimal change detection performance, and may themselves be used to block legitimate hint reception. 5.7 Hint Management for Inactive Hosts If a host does not expect to send or receive packets soon, it MAY choose to defer detection of network attachment. This may preserve resources on latent hosts, by removing any need for packet transmission when a hint is received. These hosts SHOULD delay 0-1000ms before sending a solicitation, and MAY choose to wait up to twice the advertised Router Advertisement Interval (plus the random delay) before sending a solicitation [5]. When deferring this signaling, the host therefore relies upon the Narayanan, et al. Expires October 18, 2005 [Page 13]
Internet-Draft DNAv6 BCP for hosts April 2005 regular transmission of unsolicited advertisements for timely detection of link change. One benefit of inactive hosts' deferral of DNA procedures is that herd-like host configuration testing is mitigated when base-station failure or simultaneous motion occur. When latent hosts defer DNA tests, the number of devices actively probing for data simultaneously is reduced to those hosts which currently support active data sessions. When a device begins sending packets, it will be necessary to test bidirectional reachability with the router (whose current Neighbor Cache state is STALE). As described in [1], the host will delay before probing to allow for the probability that upper layer packet reception confirms reachability. In some circumstances, a node will not use an interface for a long time before it chooses to send upper layer traffic. The reachability information available to the host is therefore likely to be out-of-date. On links where bidirectional reachability is not inferred by multicast RA reception, a host transmitting upper-layer data MAY initiate reachability detection without the delays specified in IPv6 Neighbour Discovery [1]. Conversely, if packet transmission is due to network state or received messages, then the full delays described in [1] SHOULD be observed. 6. IP Hosts Configuration Various protocols within IPv6 provide their own configuration processes. A host will have collected various configuration information using these protocols during its presence on a link. Following is the list of steps the host needs to take if a link-change has occured. Invalidationof router and prefix list Invalidation of IPv6 addresses Removing neighbor cache entries Initiating mobility signaling The following sub-sections eloborate on these steps. 6.1 Router and Prefix list Router Discovery is designed to provide hosts with a set of locally Narayanan, et al. Expires October 18, 2005 [Page 14]
Internet-Draft DNAv6 BCP for hosts April 2005 configurable prefixes and default routers. These may then be configured by hosts for access to the Internet [1]. It allows hosts to discover routers and manage lists of eligible next hop gateways, and is based on IPv6 Neighbor Discovery. When one of the routers in the router list is determined to be no longer reachable, its destination cache entry is removed, and new router is selected from the list. If the currently configured router is unreachable, it is quite likely that other devices on the same link are no longer reachable. On determining that link-change has occurred, the default router list SHOULD have entries removed which are related to unreachable routers, and consequently these routers' destination cache entries SHOULD be removed [1]. If no eligible default routers are in the default router list, Router Solicitations MAY be sent, in order to discover new routers. 6.2 IPv6 Addresses 6.2.1 Autoconfiguration Unicast source addresses are required to send all packets on the Internet, except a restricted subset of local signaling such as router and neighbor solicitations. In dynamic environments, hosts need to undertake automatic configuration of addresses, and select which addresses to use based on prefix information advertised in Router Advertisements. Such configurations may be based on either Stateless Address Autoconfiguration [3] or DHCPv6 [13]. For any configured address, Duplicate Address Detection (DAD) MUST be performed [3]. DAD defines that an address is treated tentatively until either series of timeouts expire after probe transmissions or an address owner defends its address. Tentative addresses cannot modify peers' neighbor cache entries, nor can they receive packets. As described in Section 4.2, messages used in DNA signaling should be treated as unconfirmed, due to the chance of link change. Optimistic DAD is designed to allow use of addressing while they are being checked for validity. Careful use of these addresses may contribute to faster DNA operation [8]. 6.2.2 Dynamic Host Configuration Dynamic Host Configuration Procedures for IPv6 define their own detection procedures [13]. In order to check if the current set of Narayanan, et al. Expires October 18, 2005 [Page 15]
Internet-Draft DNAv6 BCP for hosts April 2005 configuration is valid, a host can send a 'Confirm' message with a sample of its current configuration, which is able to be responded to by any DHCP relay on a link. If the replying relay knows it is not on the same link, it may respond, indicating that the host's configuration is invalid. Current use of this technique is hampered by the lack of wide scale deployment of DHCPv6 and hence the detection mechanism doesn't work when the host moves to a link which doesn't contain DHCP relays or servers. Upon link change, any configuration learned from DHCP which is link or administrative domain specific may have become invalid. Subsequent operation of DHCP on the new link may therefore be necessary. 6.3 Neighbor cache Neighbor caches allow for delivery of packets to peers on the same link. Neighbor cache entries are created by router or neighbor discovery signaling, and may be updated either by upper-layer reachability confirmations or explicit neighbor discovery exchanges. In order to determine which link-layer address a peer is at, nodes send solicitations to the link-local solicited-node multicast address of their peer. If hosts are reachable on this address, then they will respond to the solicitation with a unicast response. Information from these responses are stored in neighbour cache entries. When link change occurs, the reachability of all existing neighbor cache entries is likely to be invalidated, if link change prevents packet reception from an old link. For these links, the neighbor cache entries SHOULD be removed when a host moves to a new link (although it MAY be possible to keep keying and authorization information for such hosts cached on a least-recently-used basis [7]). Reachability of a single node may support the likelihood of reaching the rest of the link, for example if a particular access technology relays such messages through wireless base stations. 6.4 Mobility Management Mobile IPv6 provides global mobility signaling for hosts wishing to preserve sessions when their configured address becomes topologically incorrect [5]. This system relies upon signaling messages and tunnel movement to provide reachability at a constant address, while Narayanan, et al. Expires October 18, 2005 [Page 16]
Internet-Draft DNAv6 BCP for hosts April 2005 directing packets to its visited network. The Mobile IPv6 RFC3775 [5] defines 'movement detection' procedures, which themselves rely upon Neighbor Discovery, to initiate mobility signaling. These procedures allow for some modification of Neighbor Discovery to enable faster change or movement detection. When a host identifies that it is on a new link, if it is Mobile-IPv6 enabled host, it MAY initiate mobility signaling with its home agent and correspondent node. 7. Complications to Detecting Network Attachment Detection of network attachment procedures can be delayed or may be incorrect due to different factors. As the reachability testing mainly relies on timeout, packet loss or different router configurations may lead to erroneous conclusions. This section gives some examples where complications may interfere with DNA processing. 7.1 Packet Loss Generally, packet loss introduces significant delays in validation of current configuration or discovery of new configuration. Because most of the protocols rely on timeout to consider that a peer is not reachable anymore, packet loss may lead to erroneous conclusions. Additionally, packet loss rates for particular transmission modes (multicast or unicast) may differ, meaning that particular classes of DNA tests have higher chance of failure due to loss. Hosts SHOULD attempt to verify tests through retransmission where packet loss is prevalent. 7.2 Router Configurations Each router can have its own configuration with respect to sending RA, and the treatment of router and neighbor solicitations. Different timers and constants might be used by different routers, such as the delay between Router Advertisements or delay before replying to an RS. If a host is changing is IPv6 link, the new router on that link may have a different configuration and may introduce more delay than the previous default router of the host. The time needed to discover the new link can then be longer than expected by the host. 7.3 Overlapping Coverage If a host can be attached to different links at the same time with the same interface, the host will probably listen to different routers, at least one on each link. To be simultaneously attached to Narayanan, et al. Expires October 18, 2005 [Page 17]
Internet-Draft DNAv6 BCP for hosts April 2005 several links may be very valuable for a MN when it moves from one access network to another. If the node can still be reachable through its old link while configuring the interface for its new link, packet loss can be minimized. Such a situation may happen in a wireless environment if the link layer technology allows the MN to be simultaneously attached to several points of attachment and if the coverage area of access points are overlapping. For the purposes of DNA, the different links should not be classified as a unique link. Because if one router or an entire link where the node is attached comes down doesn't mean that the other link is also down. 7.4 Multicast Snooping When a host is participating in DNA on a link where multicast snooping is in use, multicast packets may not be delivered to the LAN-segment to which the host is attached until MLD signaling has been performed [9][11][17]. Where DNA relies upon multicast packet delivery (for example, if a router needs to send a Neighbor Solicitation to the host), its function will be degraded until after an MLD report is sent. Where it is possible that multicast snooping is in operation, hosts MUST send MLD group joins (MLD reports) for solicited nodes' addresses swiftly after starting DNA procedures. 7.5 Link Partition Link partitioning occurs when a link's internal switching or relaying hardware fails, or if the internal communications within a link are prevented due to topology changes or wireless propagation. When a host is on a link which partitions, only a subset of the addresses or devices it is communicating with may still be available. Where link partitioning is rare (for example, with wired communication between routers on the link), existing router and neighbor discovery procedures may be sufficient for detecting change. 8. Security Considerations Detecting Network Attachment is a mechanism which allows network messages to change the node's belief about its IPv6 configuration state. As such, it is important that the need for rapid testing of link change does not lead to situations where configuration is invalidated by malicious third parties, nor that information passed to configuration processes exposes the host to other attacks. Since DNA relies heavily upon IPv6 Neighbor Discovery,the threats which are applicable to those procedures also affect Detecting Narayanan, et al. Expires October 18, 2005 [Page 18]
Internet-Draft DNAv6 BCP for hosts April 2005 Network Attachment. These threats are described in [12]. Some additional threats are outlined below. 8.1 Authorization and Detecting Network Attachment Hosts connecting to the Internet over wireless media may be exposed to a variety of network configurations with differing robustness, controls and security. When a host is determining if link change has occurred, it may receive messages from devices with no advertised security mechanisms purporting to be routers, nodes sending signed router advertisements but with unknown delegation, or routers whose credentials need to be checked [12]. Where a host wishes to configure an unsecured router, it SHOULD at least confirm bidirectional reachability with the device, and it MUST mark the device as unsecured as described in [7]. In any case, a secured router SHOULD be preferred over an unsecured one, except where other factors (unreachability) make the router unsuitable. Since secured routers' advertisement services may be subject to attack, alternative (secured) reachability mechanisms from upper layers, or secured reachability of other devices known to be on the same link may be used to check reachability in the first instance. 8.2 Addressing While a DNA host is checking attachment, and observing DAD, it may receive a DAD defense NA from an unsecured source. SEND says that DAD defenses MAY be accepted even from non SEND nodes for the first configured address [7]. While this is a valid action in the case where a host collides with another address owner after arrival on a new link, In the case that the host returns immediately to the same link, such a DAD defense NA message can only be a denial-of-service attempt. If a non-SEND node forges a DAD defense for an address which is still in peers' neighbor cache entries, a host may send a SEND protected unicast neighbor solicitation without a source link-layer address option to one its peers (which also uses SEND). If this peer is reachable, it will not have registered the non-SEND DAD defense NA in its neighbor cache, and will send a direct NA back to the soliciting host. Such an NA reception disproves the DAD defense NA's validity. Therefore, a SEND host performing DNA which receives a DAD defense Narayanan, et al. Expires October 18, 2005 [Page 19]
Internet-Draft DNAv6 BCP for hosts April 2005 from a non-SEND node SHOULD send a unicast Neighbor Solicitation to a STALE or REACHABLE secure neighbor cache entry, omitting source link-layer address options. In this case, the host should pick an entry which is likely to have a corresponding entry on the peer. If the host responds within a RetransTimer interval, then the DAD defense was an attack, and the host SHOULD inform its systems administrator without disabling the address. 9. Constants MAC_CACHE_TIME: 30 minutes 10. Acknowledgments JinHyeock Choi and Erik Nordmark have done lots of work regarding inference of link identity through sets of prefixes. Bernard Aboba's work on DNA for IPv4 significantly influenced this document. 11. References 11.1 Normative References [1] Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [3] Thomson, S. and T. Narten, "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998. [4] Haskin, D. and E. Allen, "IP Version 6 over PPP", RFC 2472, December 1998. [5] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004. [6] Conta, A. and S. Deering, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC2463 2463, December 1998. [7] Arkko, J., Kempf, J., Sommerfeld, B., Zill, B. and P. Nikander, "SEcure Neighbor Discovery (SEND)", draft-ietf-send-ndopt-05 (work in progress), April 2004. [8] Moore, N., "Optimistic Duplicate Address Detection for IPv6", draft-ietf-ipv6-optimistic-dad-02 (work in progress), September 2004. Narayanan, et al. Expires October 18, 2005 [Page 20]
Internet-Draft DNAv6 BCP for hosts April 2005 11.2 Informative References [9] Deering, S., Fenner, W. and B. Haberman, "Multicast Listener Discovery (MLD) for IPv6", RFC 2710, October 1999. [10] Haberman, B., "Source Address Selection for the Multicast Listener Discovery (MLD) Protocol", RFC 3590, September 2003. [11] Vida, R. and L. Costa, "Multicast Listener Discovery Version 2 (MLDv2) for IPv6", RFC 3810, June 2004. [12] Nikander, P., Kempf, J. and E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", RFC 3756, May 2004. [13] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [14] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6) Addressing Architecture", RFC 3513, April 2003. [15] Choi, J., "Detecting Network Attachment in IPv6 Goals", draft-ietf-dna-goals-04 (work in progress), December 2004. [16] Fikouras, N A., K"onsgen, A J. and C. G"org, "Accelerating Mobile IP Hand-offs through Link-layer Information", Proceedings of the International Multiconference on Measurement, Modelling, and Evaluation of Computer-Communication Systems (MMB) 2001, September 2001. [17] Christensen, M., Kimball, K. and F. Solensky, "Considerations for IGMP and MLD Snooping Switches", draft-ietf-magma-snoop-11 (work in progress), May 2004. [18] Kniveton, T J. and B C. Pentland, "Session minutes of the Detecting Network Attachment (DNA) BoF", Proceedings of the fifty-seventh Internet Engineering Task Force Meeting IETF57, July 2003. [19] Koodli, R., "Fast Handovers for Mobile IPv6", draft-ietf-mipshop-fast-mipv6-01 (work in progress), February 2004. [20] Liebsch, M., "Candidate Access Router Discovery", draft-ietf-seamoby-card-protocol-06 (work in progress), January 2004. [21] O'Hara, B. and G. Ennis, "Wireless LAN Medium Access Control Narayanan, et al. Expires October 18, 2005 [Page 21]
Internet-Draft DNAv6 BCP for hosts April 2005 (MAC) and Physical Layer (PHY) Specifications", ANSI/IEEE Std 802.11, 1999. [22] Yamamoto, S., "Detecting Network Attachment Terminology", draft-yamamoto-dna-term-00 (work in progress), February 2004. [23] Manner, J. and M. Kojo, "Mobility Related Terminology", draft-ietf-seamoby-mobility-terminology-06 (work in progress), February 2004. [24] Choi, J. and E. Nordmark, "DNA with unmodified routers: Prefix list based approach", draft-jinchor-dna-cpl-00.txt (work in progress), June 2004. [25] Choi, J. and G. Daley, "Detecting Network Attachment in IPv6 Goals", draft-ietf-dna-goals-04.txt (work in progress), December 2004. Authors' Addresses Sathya Narayanan Panasonic Digital Networking Lab Two Research Way, 3rd Floor Princeton, NJ 08536 USA Phone: 609 734 7599 EMail: sathya@Research.Panasonic.COM URI: Greg Daley Centre for Telecommunications and Information Engineering Department of Electrical adn Computer Systems Engineering Monash University Clayton, Victoria 3800 Australia Phone: +61 3 9905 4655 EMail: greg.daley@eng.monash.edu.au Narayanan, et al. Expires October 18, 2005 [Page 22]
Internet-Draft DNAv6 BCP for hosts April 2005 Nicolas Montavont LSIIT - Univerity Louis Pasteur Pole API, bureau C444 Boulevard Sebastien Brant Illkirch 67400 FRANCE Phone: (33) 3 90 24 45 87 EMail: montavont@dpt-info.u-strasbg.fr URI: http://www-r2.u-strasbg.fr/~montavont/ Appendix A. Example State Transition Diagram Below is an example state diagram which indicates relationships between the practices in this document. +---------+ +----------+ | Test |< - - - - -| Init |===> |Reachable|<-\ | Config |\ +---------+ +----------+ \ | \ New ^ \ | ID | \ V \ | | +---------+ +----------+ | | *Idle | \--| Link ID | | | |<==========| Check | | +---------+Same ID +----------+ | ^ |Hint Creds^ | Timer| |Recv OK | | | | | | | | | | | V | | +----------+ Hint +----------+ | |Hysteresis| Recv | Authorize| | | |<--\ | Check | | +----------+ \-/ +----------+ | | ^ | | |Threshold RA | |Bad / | Recv| |Auth / V | V / +----------+ Solicit +----------+L | Init |=========>| Hint | | DNA |<=========|Hysteresis| +----------+ Timer +----------+ Narayanan, et al. Expires October 18, 2005 [Page 23]
Internet-Draft DNAv6 BCP for hosts April 2005 Appendix B. Analysis of Configuration Algorithms Hosts that travel in wireless IPv6 networks of unknown topology must determine appropriate procedures in order to minimize detection latency or preserve energy resources. If a host is prepared to accept any received Router Advertisement for configuring a default router, then it will complete link change detection more quickly than a device that explicitly checks for the current router's unreachability. This mechanism is called Eager Configuration Switching [16]. It may cause unnecessary configuration operations, especially if unsolicited advertisements from multiple routers on a link are received containing disjoint sets of prefixes. In this case, a configuration per distinct set will result [1]. Additionally, use of only unsolicited Router Advertisements may cause detection or configuration of links where routers are unable to receive packets from the host. Reachability testing SHOULD be done in accordance with [1]. Another alternative, which reduces the problem associated with disjoint prefixes, only allows eager switching after link-layer hint indicating that a cell change has occurred. Although another router on the link may respond faster than the currently configured default router, it will not lead to erroneous detection if the router was previously seen before the link-layer hint was processed. An alternative mechanism is called Lazy Configuration Switching [16]. This algorithm checks that the currently configured router is reachable before indicating configuration change. In this case, new configuration will be delayed until a timeout occurs, if the currently configured router is unreachable. Since the duration of such a timeout will significantly extend the duration to detect link change, this procedure is best used if the cell change to link change ratio is very low. For example, if the expected time to: Successfully test reachability (with NS/NA) is N Test unreachability with a timeout is T Receive a Router Advertisement is R Reconfigure the host is C Then the probability of L3 link change given a L2 point of attachment has changed is Narayanan, et al. Expires October 18, 2005 [Page 24]
Internet-Draft DNAv6 BCP for hosts April 2005 p = (Number of L3 links)/(Number of L2 Point of attachment) The probability of received RA being from a router different from the current access router is p1 = (sum of all (nr - 1)/ NR) Where nr is the number of routers in each L3 link and NR is the total number of routers in the whole network under study. Note that if you don't have multiple routers in the same L3 link, then all the (nr - 1) will be zero leading to p1 = 0 Then the mean cost of Eager Configuration switching is: Cost(ECS)= (R + C) * (p + p1) And the cost of Lazy switching is: Cost(LCS)= (T + R + C) * p + (1 - p) * N The mean cost due to Lazy Configuration Switching is lower than that of Eager Configuration Switching if: ( T + R + C ) * p + (1 - p) * N < (R + C) * (p + p1) Using the indicative figures: N=100ms T=1000ms R=100ms C=500ms The values for p where LCS is better than ECS are: p * (1000 + 100 + 500 )ms + < (500 + 100)ms * (1 - p)*100ms (p + p1) 1600ms * p + 100ms - 100ms * p < 600ms * (p + p1) 900ms * p + 100 ms < 600ms * p1 when p1 = 30% Narayanan, et al. Expires October 18, 2005 [Page 25]
Internet-Draft DNAv6 BCP for hosts April 2005 900 * p + 100 < 180 900 * p < 80 p < 0.0888 For these parameters, the Lazy Configuration Switching has better performance if the mean number of cells a device resides in before it has a link change is > 11. It may be noted that these costs are indicative of a system which requires a retransmission timeout of 1000ms to test unreachability, routers respond with unicast Router Advertisements, and DAD is neglected or has only 100ms of cost. If the reconfiguration cost is C=1000ms you will have 900 * p + 100 ms < 1100 * p1 if p1 = 30 % 900 * p < 230 p < 0.2555 For these parameters, the Lazy Configuration Switching has better performance if the mean number of cells a device resides in before it has a link change is between 3 & 4. This system describes a similar one to that above, except that in this case, the delays due to DAD or configuration are the default value of 1000ms. Appendix C. DNA With Fast Handovers for Mobile IPv6 TBD Appendix D. DNA with Candidate Access Router Discovery TBD Narayanan, et al. Expires October 18, 2005 [Page 26]
Internet-Draft DNAv6 BCP for hosts April 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Narayanan, et al. Expires October 18, 2005 [Page 27]