IETF IPv6 Working Group                                       S. Thomson
Internet-Draft                                                     Cisco
Expires: August 9, 2004                                        T. Narten
                                                                     IBM
                                                               T. Jinmei
                                                                 Toshiba
                                                              H. Soliman
                                                    Flarion Technologies
                                                        February 9, 2004


                IPv6 Stateless Address Autoconfiguration
                   draft-ietf-ipv6-rfc2462bis-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 9, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

   This document specifies the steps a host takes in deciding how to
   autoconfigure its interfaces in IP version 6. The autoconfiguration
   process includes creating a link-local address and verifying its
   uniqueness on a link, determining what information should be
   autoconfigured (addresses, other information, or both), and in the
   case of addresses, whether they should be obtained through the
   stateless mechanism, the stateful mechanism, or both.  This document



Thomson, et al.          Expires August 9, 2004                 [Page 1]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   defines the process for generating a link-local address, the process
   for generating global addresses via stateless address
   autoconfiguration, and the Duplicate Address Detection procedure. The
   details of autoconfiguration using the stateful protocol are
   specified elsewhere.

Table of Contents

   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.    TERMINOLOGY  . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.1   Requirements . . . . . . . . . . . . . . . . . . . . . . . .  7
   3.    DESIGN GOALS . . . . . . . . . . . . . . . . . . . . . . . .  7
   4.    PROTOCOL OVERVIEW  . . . . . . . . . . . . . . . . . . . . .  8
   4.1   Site Renumbering . . . . . . . . . . . . . . . . . . . . . . 10
   5.    PROTOCOL SPECIFICATION . . . . . . . . . . . . . . . . . . . 11
   5.1   Node Configuration Variables . . . . . . . . . . . . . . . . 11
   5.2   Autoconfiguration-Related Variables  . . . . . . . . . . . . 12
   5.3   Creation of Link-Local Addresses . . . . . . . . . . . . . . 12
   5.4   Duplicate Address Detection  . . . . . . . . . . . . . . . . 13
   5.4.1 Message Validation . . . . . . . . . . . . . . . . . . . . . 14
   5.4.2 Sending Neighbor Solicitation Messages . . . . . . . . . . . 15
   5.4.3 Receiving Neighbor Solicitation Messages . . . . . . . . . . 15
   5.4.4 Receiving Neighbor Advertisement Messages  . . . . . . . . . 16
   5.4.5 When Duplicate Address Detection Fails . . . . . . . . . . . 17
   5.5   Creation of Global Addresses . . . . . . . . . . . . . . . . 17
   5.5.1 Soliciting Router Advertisements . . . . . . . . . . . . . . 17
   5.5.2 Absence of Router Advertisements . . . . . . . . . . . . . . 17
   5.5.3 Router Advertisement Processing  . . . . . . . . . . . . . . 18
   5.5.4 Address Lifetime Expiry  . . . . . . . . . . . . . . . . . . 20
   5.6   Configuration Consistency  . . . . . . . . . . . . . . . . . 21
   5.7   Retaining Configured Addresses for Stability . . . . . . . . 21
   6.    SECURITY CONSIDERATIONS  . . . . . . . . . . . . . . . . . . 21
   7.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
         Normative References . . . . . . . . . . . . . . . . . . . . 22
         Informative References . . . . . . . . . . . . . . . . . . . 22
         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 23
   A.    LOOPBACK SUPPRESSION & DUPLICATE ADDRESS DETECTION . . . . . 24
   B.    CHANGES SINCE RFC 1971 . . . . . . . . . . . . . . . . . . . 25
   C.    CHANGE HISTORY . . . . . . . . . . . . . . . . . . . . . . . 26
   D.    OPEN ISSUES  . . . . . . . . . . . . . . . . . . . . . . . . 27
         Intellectual Property and Copyright Statements . . . . . . . 28










Thomson, et al.          Expires August 9, 2004                 [Page 2]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


1. Introduction

   This document specifies the steps a host takes in deciding how to
   autoconfigure its interfaces in IP version 6. The autoconfiguration
   process includes creating a link-local address and verifying its
   uniqueness on a link, determining what information should be
   autoconfigured (addresses, other information, or both), and in the
   case of addresses, whether they should be obtained through the
   stateless mechanism, the stateful mechanism, or both.  This document
   defines the process for generating a link-local address, the process
   for generating global addresses via stateless address
   autoconfiguration, and the Duplicate Address Detection procedure. The
   details of autoconfiguration using the stateful protocol are
   specified elsewhere.

   IPv6 defines both a stateful and stateless address autoconfiguration
   mechanism. Stateless autoconfiguration requires no manual
   configuration of hosts, minimal (if any) configuration of routers,
   and no additional servers.  The stateless mechanism allows a host to
   generate its own addresses using a combination of locally available
   information and information advertised by routers. Routers advertise
   prefixes that identify the subnet(s) associated with a link, while
   hosts generate an "interface identifier" that uniquely identifies an
   interface on a subnet. An address is formed by combining the two. In
   the absence of routers, a host can only generate link-local
   addresses. However, link-local addresses are sufficient for allowing
   communication among nodes attached to the same link.

   In the stateful autoconfiguration model, hosts obtain interface
   addresses and/or configuration information and parameters from a
   server.  Servers maintain a database that keeps track of which
   addresses have been assigned to which hosts. The stateful
   autoconfiguration protocol allows hosts to obtain addresses, other
   configuration information or both from a server.  Stateless and
   stateful autoconfiguration complement each other. For example, a host
   can use stateless autoconfiguration to configure its own addresses,
   but use stateful autoconfiguration to obtain other information.
   Stateful autoconfiguration for IPv6 is the subject of DHCPv6 [7].

   The stateless approach is used when a site is not particularly
   concerned with the exact addresses hosts use, so long as they are
   unique and properly routable. The stateful approach is used when a
   site requires tighter control over exact address assignments. Both
   stateful and stateless address autoconfiguration may be used
   simultaneously. The site administrator specifies which type of
   autoconfiguration to use through the setting of appropriate fields in
   Router Advertisement messages [5].




Thomson, et al.          Expires August 9, 2004                 [Page 3]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   IPv6 addresses are leased to an interface for a fixed (possibly
   infinite) length of time. Each address has an associated lifetime
   that indicates how long the address is bound to an interface. When a
   lifetime expires, the binding (and address) become invalid and the
   address may be reassigned to another interface elsewhere in the
   Internet. To handle the expiration of address bindings gracefully, an
   address goes through two distinct phases while assigned to an
   interface. Initially, an address is "preferred", meaning that its use
   in arbitrary communication is unrestricted. Later, an address becomes
   "deprecated" in anticipation that its current interface binding will
   become invalid. While in a deprecated state, the use of an address is
   discouraged, but not strictly forbidden.  New communication (e.g.,
   the opening of a new TCP connection) should use a preferred address
   when possible.  A deprecated address should be used only by
   applications that have been using it and would have difficulty
   switching to another address without a service disruption.

   To ensure that all configured addresses are likely to be unique on a
   given link, nodes run a "duplicate address detection" algorithm on
   addresses before assigning them to an interface.  The Duplicate
   Address Detection algorithm is performed on all addresses,
   independent of whether they are obtained via stateless or stateful
   autoconfiguration. This document defines the Duplicate Address
   Detection algorithm.

   The autoconfiguration process specified in this document applies only
   to hosts and not routers. Since host autoconfiguration uses
   information advertised by routers, routers will need to be configured
   by some other means. However, it is expected that routers will
   generate link-local addresses using the mechanism described in this
   document. In addition, routers are expected to successfully pass the
   Duplicate Address Detection procedure described in this document on
   all addresses prior to assigning them to an interface.

   Section 2 provides definitions for terminology used throughout this
   document. Section 3 describes the design goals that lead to the
   current autoconfiguration procedure. Section 4 provides an overview
   of the protocol, while Section 5 describes the protocol in detail.

2. TERMINOLOGY

   IP - Internet Protocol Version 6. The terms IPv4 and IPv6 are used
      only in contexts where necessary to avoid ambiguity.

   node - a device that implements IP.






Thomson, et al.          Expires August 9, 2004                 [Page 4]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   router - a node that forwards IP packets not explicitly addressed to
      itself.

   host - any node that is not a router.

   upper layer - a protocol layer immediately above IP. Examples are
      transport protocols such as TCP and UDP, control protocols such as
      ICMP, routing protocols such as OSPF, and internet or lower-layer
      protocols being "tunneled" over (i.e., encapsulated in) IP such as
      IPX, AppleTalk, or IP itself.

   link - a communication facility or medium over which nodes can
      communicate at the link layer, i.e., the layer immediately below
      IP.  Examples are Ethernets (simple or bridged); PPP links; X.25,
      Frame Relay, or ATM networks; and internet (or higher) layer
      "tunnels", such as tunnels over IPv4 or IPv6 itself.

   interface - a node's attachment to a link.

   packet - an IP header plus payload.

   address - an IP-layer identifier for an interface or a set of
      interfaces.

   unicast address - an identifier for a single interface. A packet sent
      to a unicast address is delivered to the interface identified by
      that address.

   multicast address - an identifier for a set of interfaces (typically
      belonging to different nodes). A packet sent to a multicast
      address is delivered to all interfaces identified by that address.

   anycast address - an identifier for a set of interfaces (typically
      belonging to different nodes).  A packet sent to an anycast
      address is delivered to one of the interfaces identified by that
      address (the "nearest" one, according to the routing protocol's
      measure of distance). See the IPv6 addressing architecture [4].

   solicited-node multicast address - a multicast address to which
      Neighbor Solicitation messages are sent. The algorithm for
      computing the address is given in RFC 2461 [5].

   link-layer address - a link-layer identifier for an interface.
      Examples include IEEE 802 addresses for Ethernet links and E.164
      addresses for ISDN links.






Thomson, et al.          Expires August 9, 2004                 [Page 5]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   link-local address - an address having link-only scope that can be
      used to reach neighboring nodes attached to the same link.  All
      interfaces have a link-local unicast address.

   global address - an address with unlimited scope.

   communication - any packet exchange among nodes that requires that
      the address of each node used in the exchange remain the same for
      the duration of the packet exchange.  Examples are a TCP
      connection or a UDP request-response.

   tentative address - an address whose uniqueness on a link is being
      verified, prior to its assignment to an interface.  A tentative
      address is not considered assigned to an interface in the usual
      sense. An interface discards received packets addressed to a
      tentative address, but accepts Neighbor Discovery packets related
      to Duplicate Address Detection for the tentative address.

   preferred address - an address assigned to an interface whose use by
      upper layer protocols is unrestricted. Preferred addresses may be
      used as the source (or destination) address of packets sent from
      (or to) the interface.

   deprecated address - An address assigned to an interface whose use is
      discouraged, but not forbidden.  A deprecated address should no
      longer be used as a source address in new communications, but
      packets sent from or to deprecated addresses are delivered as
      expected.  A deprecated address may continue to be used as a
      source address in communications where switching to a preferred
      address causes hardship to a specific upper-layer activity (e.g.,
      an existing TCP connection).

   valid address - a preferred or deprecated address. A valid address
      may appear as the source or destination address of a packet, and
      the internet routing system is expected to deliver packets sent to
      a valid address to their intended recipients.

   invalid address - an address that is not assigned to any interface. A
      valid address becomes invalid when its valid lifetime expires.
      Invalid addresses should not appear as the destination or source
      address of a packet. In the former case, the internet routing
      system will be unable to deliver the packet, in the later case the
      recipient of the packet will be unable to respond to it.

   preferred lifetime - the length of time that a valid address is
      preferred (i.e., the time until deprecation). When the preferred
      lifetime expires, the address becomes deprecated.




Thomson, et al.          Expires August 9, 2004                 [Page 6]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   valid lifetime - the length of time an address remains in the valid
      state (i.e., the time until invalidation). The valid lifetime must
      be greater then or equal to the preferred lifetime.  When the
      valid lifetime expires, the address becomes invalid.

   interface identifier - a link-dependent identifier for an interface
      that is (at least) unique per link [4]. Stateless address
      autoconfiguration combines an interface identifier with a prefix
      to form an address. From address autoconfiguration's perspective,
      an interface identifier is a bit string of known length.  The
      exact length of an interface identifier and the way it is created
      is defined in a separate link-type specific document that covers
      issues related to the transmission of IP over a particular link
      type (e.g., IPv6 over Ethernet [2]). In many cases, the identifier
      will be derived from the interface's link-layer address.


2.1 Requirements

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in RFC 2119 [3].

3. DESIGN GOALS

   Stateless autoconfiguration is designed with the following goals in
   mind:

   o  Manual configuration of individual machines before connecting them
      to the network should not be required. Consequently, a mechanism
      is needed that allows a host to obtain or create unique addresses
      for each of its interfaces. Address autoconfiguration assumes that
      each interface can provide a unique identifier for that interface
      (i.e., an "interface identifier").  In the simplest case, an
      interface identifier consists of the interface's link-layer
      address. An interface identifier can be combined with a prefix to
      form an address.

   o  Small sites consisting of a set of machines attached to a single
      link should not require the presence of a stateful server or
      router as a prerequisite for communicating.  Plug-and-play
      communication is achieved through the use of link-local addresses.
      Link-local addresses have a well-known prefix that identifies the
      (single) shared link to which a set of nodes attach. A host forms
      a link-local address by appending its interface identifier to the
      link-local prefix.

   o  A large site with multiple networks and routers should not require



Thomson, et al.          Expires August 9, 2004                 [Page 7]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


      the presence of a stateful address configuration server. In order
      to generate global addresses, hosts must determine the prefixes
      that identify the subnets to which they attach.  Routers generate
      periodic Router Advertisements that include options listing the
      set of active prefixes on a link.

   o  Address configuration should facilitate the graceful renumbering
      of a site's machines. For example, a site may wish to renumber all
      of its nodes when it switches to a new network service provider.
      Renumbering is achieved through the leasing of addresses to
      interfaces and the assignment of multiple addresses to the same
      interface.  Lease lifetimes provide the mechanism through which a
      site phases out old prefixes.  The assignment of multiple
      addresses to an interface provides for a transition period during
      which both a new address and the one being phased out work
      simultaneously.

   o  System administrators need the ability to specify whether
      stateless autoconfiguration, stateful autoconfiguration, or both
      should be used.  Router Advertisements include flags specifying
      which mechanisms a host should use.


4. PROTOCOL OVERVIEW

   This section provides an overview of the typical steps that take
   place when an interface autoconfigures itself.  Autoconfiguration is
   performed only on multicast-capable links and begins when a
   multicast-capable interface is enabled, e.g., during system startup.
   Nodes (both hosts and routers) begin the autoconfiguration process by
   generating a link-local address for the interface. A link-local
   address is formed by appending the interface's identifier to the
   well-known link-local prefix.

   Before the link-local address can be assigned to an interface and
   used, however, a node must attempt to verify that this "tentative"
   address is not already in use by another node on the link.
   Specifically, it sends a Neighbor Solicitation message containing the
   tentative address as the target. If another node is already using
   that address, it will return a Neighbor Advertisement saying so. If
   another node is also attempting to use the same address, it will send
   a Neighbor Solicitation for the target as well. The exact number of
   times the Neighbor Solicitation is (re)transmitted and the delay time
   between consecutive solicitations is link-specific and may be set by
   system management.

   If a node determines that its tentative link-local address is not
   unique, autoconfiguration stops and manual configuration of the



Thomson, et al.          Expires August 9, 2004                 [Page 8]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   interface is required.  To simplify recovery in this case, it should
   be possible for an administrator to supply an alternate interface
   identifier that overrides the default identifier in such a way that
   the autoconfiguration mechanism can then be applied using the new
   (presumably unique) interface identifier.  Alternatively, link-local
   and other addresses will need to be configured manually.

   Once a node ascertains that its tentative link-local address is
   unique, it assigns the address to the interface. At this point, the
   node has IP-level connectivity with neighboring nodes.  The remaining
   autoconfiguration steps are performed only by hosts; the
   (auto)configuration of routers is beyond the scope of this document.

   The next phase of autoconfiguration involves obtaining a Router
   Advertisement or determining that no routers are present. If routers
   are present, they will send Router Advertisements that specify what
   sort of autoconfiguration a host should do.  If no routers are
   present, stateful autoconfiguration should be invoked.

   Routers send Router Advertisements periodically, but the delay
   between successive advertisements will generally be longer than a
   host performing autoconfiguration will want to wait [5]. To obtain an
   advertisement quickly, a host sends one or more Router Solicitations
   to the all-routers multicast group.  Router Advertisements contain
   two flags indicating what type of stateful autoconfiguration (if any)
   should be performed. A "managed address configuration" flag indicates
   whether hosts should use stateful autoconfiguration to obtain
   addresses. An "other stateful configuration" flag indicates whether
   hosts should use stateful autoconfiguration to obtain additional
   information (excluding addresses).

   Router Advertisements also contain zero or more Prefix Information
   options that contain information used by stateless address
   autoconfiguration to generate global addresses.  It should be noted
   that the stateless and stateful address autoconfiguration fields in
   Router Advertisements are processed independently of one another, and
   a host may use both stateful and stateless address autoconfiguration
   simultaneously.  One Prefix Information option field, the "autonomous
   address-configuration flag", indicates whether or not the option even
   applies to stateless autoconfiguration.  If it does, additional
   option fields contain a subnet prefix together with lifetime values
   indicating how long addresses created from the prefix remain
   preferred and valid.

   Because routers generate Router Advertisements periodically, hosts
   will continually receive new advertisements. Hosts process the
   information contained in each advertisement as described above,
   adding to and refreshing information received in previous



Thomson, et al.          Expires August 9, 2004                 [Page 9]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   advertisements.

   For safety, all addresses must be tested for uniqueness prior to
   their assignment to an interface.  In the case of addresses created
   through stateless autoconfiguration, however, the uniqueness of an
   address is determined primarily by the portion of the address formed
   from an interface identifier.  Thus, if a node has already verified
   the uniqueness of a link-local address, additional addresses created
   from the same interface identifier need not be tested individually.
   In contrast, all addresses obtained manually or via stateful address
   autoconfiguration should be tested for uniqueness individually. To
   accommodate sites that believe the overhead of performing Duplicate
   Address Detection outweighs its benefits, the use of Duplicate
   Address Detection can be disabled through the administrative setting
   of a per-interface configuration flag.

   To speed the autoconfiguration process, a host may generate its
   link-local address (and verify its uniqueness) in parallel with
   waiting for a Router Advertisement. Because a router may delay
   responding to a Router Solicitation for a few seconds, the total time
   needed to complete autoconfiguration can be significantly longer if
   the two steps are done serially.

4.1 Site Renumbering

   Address leasing facilitates site renumbering by providing a mechanism
   to time-out addresses assigned to interfaces in hosts.  At present,
   upper layer protocols such as TCP provide no support for changing
   end-point addresses while a connection is open. If an end-point
   address becomes invalid, existing connections break and all
   communication to the invalid address fails.  Even when applications
   use UDP as a transport protocol, addresses must generally remain the
   same during a packet exchange.

   Dividing valid addresses into preferred and deprecated categories
   provides a way of indicating to upper layers that a valid address may
   become invalid shortly and that future communication using the
   address will fail, should the address's valid lifetime expire before
   communication ends.  To avoid this scenario, higher layers should use
   a preferred address (assuming one of sufficient scope exists) to
   increase the likelihood that an address will remain valid for the
   duration of the communication.  It is up to system administrators to
   set appropriate prefix lifetimes in order to minimize the impact of
   failed communication when renumbering takes place.  The deprecation
   period should be long enough that most, if not all, communications
   are using the new address at the time an address becomes invalid.

   The IP layer is expected to provide a means for upper layers



Thomson, et al.          Expires August 9, 2004                [Page 10]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   (including applications) to select the most appropriate source
   address given a particular destination and possibly other
   constraints.  An application may choose to select the source address
   itself before starting a new communication or may leave the address
   unspecified, in which case the upper networking layers will use the
   mechanism provided by the IP layer to choose a suitable address on
   the application's behalf.

   Detailed address selection rules are beyond the scope of this
   document.

5. PROTOCOL SPECIFICATION

   Autoconfiguration is performed on a per-interface basis on
   multicast-capable interfaces.  For multihomed hosts,
   autoconfiguration is performed independently on each interface.
   Autoconfiguration applies primarily to hosts, with two exceptions.
   Routers are expected to generate a link-local address using the
   procedure outlined below. In addition, routers perform Duplicate
   Address Detection on all addresses prior to assigning them to an
   interface.

5.1 Node Configuration Variables

   A node MUST allow the following autoconfiguration-related variable to
   be configured by system management for each multicast interface:

   DupAddrDetectTransmits

      The number of consecutive Neighbor Solicitation messages sent
      while performing Duplicate Address Detection on a tentative
      address. A value of zero indicates that Duplicate Address
      Detection is not performed on tentative addresses. A value of one
      indicates a single transmission with no follow up retransmissions.

      Default: 1, but may be overridden by a link-type specific value in
      the document that covers issues related to the transmission of IP
      over a particular link type (e.g., IPv6 over Ethernet [2]).

      Autoconfiguration also assumes the presence of the variable
      RetransTimer as defined in RFC 2461 [5]. For autoconfiguration
      purposes, RetransTimer specifies the delay between consecutive
      Neighbor Solicitation transmissions performed during Duplicate
      Address Detection (if DupAddrDetectTransmits is greater than 1),
      as well as the time a node waits after sending the last Neighbor
      Solicitation before ending the Duplicate Address Detection
      process.




Thomson, et al.          Expires August 9, 2004                [Page 11]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


5.2 Autoconfiguration-Related Variables

   A host maintains a number of data structures and flags related to
   autoconfiguration. In the following, we present conceptual variables
   and show how they are used to perform autoconfiguration. The specific
   variables are used for demonstration purposes only, and an
   implementation is not required to have them, so long as its external
   behavior is consistent with that described in this document.

   Beyond the formation of a link-local address and using Duplicate
   Address Detection, how routers (auto)configure their interfaces is
   beyond the scope of this document.

   Hosts maintain the following variables on a per-interface basis:

   ManagedFlag

      Copied from the M flag field (i.e., the "managed address
      configuration" flag) of the most recently received Router
      Advertisement message. The flag indicates whether or not addresses
      are to be configured using the stateful autoconfiguration
      mechanism. It starts out in a FALSE state.

   OtherConfigFlag

      Copied from the O flag field (i.e., the "other stateful
      configuration" flag) of the most recently received Router
      Advertisement message. The flag indicates whether or not
      information other than addresses is to be obtained using the
      stateful autoconfiguration mechanism. It starts out in a FALSE
      state.

      In addition, when the value of the ManagedFlag is TRUE, the value
      of OtherConfigFlag is implicitly TRUE as well. It is not a valid
      configuration for a host to use stateful address autoconfiguration
      to request addresses only, without also accepting other
      configuration information.

   A host also maintains a list of addresses together with their
   corresponding lifetimes. The address list contains both
   autoconfigured addresses and those configured manually.

5.3 Creation of Link-Local Addresses

   A node forms a link-local address whenever an interface becomes
   enabled.  An interface may become enabled after any of the following
   events:




Thomson, et al.          Expires August 9, 2004                [Page 12]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   -  The interface is initialized at system startup time.

   -  The interface is reinitialized after a temporary interface failure
      or after being temporarily disabled by system management.

   -  The interface attaches to a link for the first time.

   -  The interface becomes enabled by system management after having
      been administratively disabled.

   A link-local address is formed by prepending the well-known link-
   local prefix FE80::0 [4] (of appropriate length) to the interface
   identifier. If the interface identifier has a length of N bits, the
   interface identifier replaces the right-most N zero bits of the
   link-local prefix.  If the interface identifier is more than 118 bits
   in length, autoconfiguration fails and manual configuration is
   required. Note that interface identifiers will typically be 64-bits
   long and based on EUI-64 identifiers as described in [4].

5.4 Duplicate Address Detection

   Duplicate Address Detection is performed on unicast addresses prior
   to assigning them to an interface whose DupAddrDetectTransmits
   variable is greater than zero. Duplicate Address Detection MUST take
   place on all unicast addresses, regardless of whether they are
   obtained through stateful, stateless or manual configuration, with
   the exception of the following cases:

   -  Duplicate Address Detection MUST NOT be performed on anycast
      addresses.

   -  Each individual unicast address SHOULD be tested for uniqueness.
      However, when stateless address autoconfiguration is used, address
      uniqueness is determined solely by the interface identifier,
      assuming that subnet prefixes are assigned correctly (i.e., if all
      of an interface's addresses are generated from the same
      identifier, either all addresses or none of them will be
      duplicates). Thus, for a set of addresses formed from the same
      interface identifier, it is sufficient to check that the link-
      local address generated from the identifier is unique on the link.
      In such cases, the link-local address MUST be tested for
      uniqueness, and if no duplicate address is detected, an
      implementation MAY choose to skip Duplicate Address Detection for
      additional addresses derived from the same interface identifier.

   The procedure for detecting duplicate addresses uses Neighbor
   Solicitation and Advertisement messages as described below. If a
   duplicate address is discovered during the procedure, the address



Thomson, et al.          Expires August 9, 2004                [Page 13]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   cannot be assigned to the interface. If the address is derived from
   an interface identifier, a new identifier will need to be assigned to
   the interface, or all IP addresses for the interface will need to be
   manually configured.  Note that the method for detecting duplicates
   is not completely reliable, and it is possible that duplicate
   addresses will still exist (e.g., if the link was partitioned while
   Duplicate Address Detection was performed).

   An address on which the Duplicate Address Detection Procedure is
   applied is said to be tentative until the procedure has completed
   successfully.  A tentative address is not considered "assigned to an
   interface" in the traditional sense. That is, the interface must
   accept Neighbor Solicitation and Advertisement messages containing
   the tentative address in the Target Address field, but processes such
   packets differently from those whose Target Address matches an
   address assigned to the interface. Other packets addressed to the
   tentative address should be silently discarded. Note that the "other
   packets" include Neighbor Solicitation and Advertisement messages to
   the tentative address containing the tentative address in the Target
   Address field. Such a case should not happen in normal operation,
   though, since these messages are multicasted in the Duplicate Address
   Detection Procedure.

   It should also be noted that Duplicate Address Detection must be
   performed prior to assigning an address to an interface in order to
   prevent multiple nodes from using the same address simultaneously. If
   a node begins using an address in parallel with Duplicate Address
   Detection, and another node is already using the address, the node
   performing Duplicate Address Detection will erroneously process
   traffic intended for the other node, resulting in such possible
   negative consequences as the resetting of open TCP connections.

   The following subsections describe specific tests a node performs to
   verify an address's uniqueness.  An address is considered unique if
   none of the tests indicate the presence of a duplicate address within
   RetransTimer milliseconds after having sent DupAddrDetectTransmits
   Neighbor Solicitations. Once an address is determined to be unique,
   it may be assigned to an interface.

5.4.1 Message Validation

   A node MUST silently discard any Neighbor Solicitation or
   Advertisement message that does not pass the validity checks
   specified in RFC 2461 [5]. A Neighbor Solicitation or Advertisement
   message that passes these validity checks is called a valid
   solicitation or valid advertisement, respectively.





Thomson, et al.          Expires August 9, 2004                [Page 14]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


5.4.2 Sending Neighbor Solicitation Messages

   Before sending a Neighbor Solicitation, an interface MUST join the
   all-nodes multicast address and the solicited-node multicast address
   of the tentative address. The former ensures that the node receives
   Neighbor Advertisements from other nodes already using the address;
   the latter ensures that two nodes attempting to use the same address
   simultaneously detect each other's presence.

   To check an address, a node sends DupAddrDetectTransmits Neighbor
   Solicitations, each separated by RetransTimer milliseconds. The
   solicitation's Target Address is set to the address being checked,
   the IP source is set to the unspecified address and the IP
   destination is set to the solicited-node multicast address of the
   target address.

   If the Neighbor Solicitation is going to be the first message to be
   sent from an interface after interface (re)initialization, the node
   should delay joining the solicited-node multicast address by a random
   delay between 0 and MAX_RTR_SOLICITATION_DELAY as specified in RFC
   2461 [5]. This serves to alleviate congestion when many nodes start
   up on the link at the same time, such as after a power failure, and
   may help to avoid race conditions when more than one node is trying
   to solicit for the same address at the same time.

   Note that the delay for joining the multicast address implicitly
   means delaying transmission of the corresponding MLD report message
   [9]. Since RFC 2710 [9] does not request a random delay to avoid race
   conditions, just delaying Neighbor Solicitation would cause
   congestion by the MLD report messages. The congestion would then
   prevent MLD-snooping switches from working correctly, and, as a
   result, prevent Duplicate Address Detection from working. The
   requirement to include the delay for the MLD report in this case
   avoids this scenario.

   In order to improve the robustness of the Duplicate Address Detection
   algorithm, an interface MUST receive and process datagrams sent to
   the all-nodes multicast address or solicited-node multicast address
   of the tentative address while the delaying period. This does not
   necessarily conflict with the requirement that joining the multicast
   group be delayed. In fact, in some cases it is possible for a node to
   start listening to the group during the delay period before MLD
   report transmission. It should be noted, however, that in some
   link-layer environments, particularly with MLD-snooping switches, no
   multicast reception will be available until the MLD report is sent.

5.4.3 Receiving Neighbor Solicitation Messages




Thomson, et al.          Expires August 9, 2004                [Page 15]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   On receipt of a valid Neighbor Solicitation message on an interface,
   node behavior depends on whether the target address is tentative or
   not.  If the target address is not tentative (i.e., it is assigned to
   the receiving interface), the solicitation is processed as described
   in RFC 2461 [5].  If the target address is tentative, and the source
   address is a unicast address, the solicitation's sender is performing
   address resolution on the target; the solicitation should be silently
   ignored.  Otherwise, processing takes place as described below. In
   all cases, a node MUST NOT respond to a Neighbor Solicitation for a
   tentative address.

   If the source address of the Neighbor Solicitation is the unspecified
   address, the solicitation is from a node performing Duplicate Address
   Detection. If the solicitation is from another node, the tentative
   address is a duplicate and should not be used (by either node). If
   the solicitation is from the node itself (because the node loops back
   multicast packets), the solicitation does not indicate the presence
   of a duplicate address.

   Implementor's Note: many interfaces provide a way for upper layers to
   selectively enable and disable the looping back of multicast packets.
   The details of how such a facility is implemented may prevent
   Duplicate Address Detection from working correctly. See the Appendix
   A for further discussion.

   The following tests identify conditions under which a tentative
   address is not unique:

   -  If a Neighbor Solicitation for a tentative address is received
      prior to having sent one, the tentative address is a duplicate.
      This condition occurs when two nodes run Duplicate Address
      Detection simultaneously, but transmit initial solicitations at
      different times (e.g., by selecting different random delay values
      before joining the solicited-node multicast address and
      transmitting an initial solicitation).

   -  If the actual number of Neighbor Solicitations received exceeds
      the number expected based on the loopback semantics (e.g., the
      interface does not loopback packet, yet one or more solicitations
      was received), the tentative address is a duplicate. This
      condition occurs when two nodes run Duplicate Address Detection
      simultaneously and transmit solicitations at roughly the same
      time.


5.4.4 Receiving Neighbor Advertisement Messages

   On receipt of a valid Neighbor Advertisement message on an interface,



Thomson, et al.          Expires August 9, 2004                [Page 16]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   node behavior depends on whether the target address is tentative or
   matches a unicast or anycast address assigned to the interface.  If
   the target address is assigned to the receiving interface, the
   solicitation is processed as described in RFC 2461 [5]. If the target
   address is tentative, the tentative address is not unique.

5.4.5 When Duplicate Address Detection Fails

   A tentative address that is determined to be a duplicate as described
   above MUST NOT be assigned to an interface and the node SHOULD log a
   system management error. If the address is a link-local address
   formed from an interface identifier based on the hardware address
   (e.g., EUI-64), the interface SHOULD be disabled. In this case, the
   IP address duplication probably means duplicate hardware addresses
   are in use, and trying to recover from it by configuring another IP
   address will not result in a usable network. In fact, it probably
   makes things worse by creating problems that are harder to diagnose
   than just shutting down the interface; the user will see a partially
   working network where some things work, and other things will not. On
   the other hand, if the duplicated link-local address is not formed
   from an interface identifier based on the hardware address, the
   interface MAY continue to be used.

5.5 Creation of Global Addresses

   Global addresses are formed by appending an interface identifier to a
   prefix of appropriate length. Prefixes are obtained from Prefix
   Information options contained in Router Advertisements. Creation of
   global addresses and configuration of other parameters as described
   in this section SHOULD be locally configurable. However, the
   processing described below MUST be enabled by default.

5.5.1 Soliciting Router Advertisements

   Router Advertisements are sent periodically to the all-nodes
   multicast address. To obtain an advertisement quickly, a host sends
   out Router Solicitations as described in RFC 2461 [5].

5.5.2 Absence of Router Advertisements

   If a link has no routers, a host MUST attempt to use stateful
   autoconfiguration to obtain addresses and other configuration
   information. An implementation MAY provide a way to disable the
   invocation of stateful autoconfiguration in this case, but the
   default SHOULD be enabled.  From the perspective of
   autoconfiguration, a link has no routers if no Router Advertisements
   are received after having sent a small number of Router Solicitations
   as described in RFC 2461 [5].



Thomson, et al.          Expires August 9, 2004                [Page 17]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


5.5.3 Router Advertisement Processing

   On receipt of a valid Router Advertisement (as defined in RFC 2461
   [5]), a host copies the value of the advertisement's M bit into
   ManagedFlag. If the value of ManagedFlag changes from FALSE to TRUE,
   and the host is not already running the stateful address
   autoconfiguration protocol, the host should invoke the stateful
   address autoconfiguration protocol, requesting both address
   information and other information.  If the value of the ManagedFlag
   changes from TRUE to FALSE, the host should continue running the
   stateful address autoconfiguration, i.e., the change in the value of
   the ManagedFlag has no effect.  If the value of the flag stays
   unchanged, no special action takes place. In particular, a host MUST
   NOT reinvoke stateful address configuration if it is already
   participating in the stateful protocol as a result of an earlier
   advertisement.

   An advertisement's O flag field is processed in an analogous manner.
   A host copies the value of the O flag into OtherConfigFlag. If the
   value of OtherConfigFlag changes from FALSE to TRUE, the host should
   invoke the stateful autoconfiguration protocol, requesting
   information (excluding addresses if ManagedFlag is set to FALSE).  If
   the value of the OtherConfigFlag changes from TRUE to FALSE, the host
   should continue running the stateful address autoconfiguration
   protocol, i.e., the change in the value of OtherConfigFlag has no
   effect. If the value of the flag stays unchanged, no special action
   takes place. In particular, a host MUST NOT reinvoke stateful
   configuration if it is already participating in the stateful protocol
   as a result of an earlier advertisement.

   For each Prefix-Information option in the Router Advertisement:

    a) If the Autonomous flag is not set, silently ignore the Prefix
      Information option.

    b) If the prefix is the link-local prefix, silently ignore the
      Prefix Information option.

    c) If the preferred lifetime is greater than the valid lifetime,
      silently ignore the Prefix Information option. A node MAY wish to
      log a system management error in this case.

    d) If the prefix advertised does not match the prefix of an address
      already in the list, and the Valid Lifetime is not 0, form an
      address (and add it to the list) by combining the advertised
      prefix with the link's interface identifier as follows:

      |            128 - N bits               |       N bits           |



Thomson, et al.          Expires August 9, 2004                [Page 18]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


      +---------------------------------------+------------------------+
      |            link prefix                |  interface identifier  |
      +----------------------------------------------------------------+

    e) If the advertised prefix matches the prefix of an autoconfigured
      address (i.e., one obtained via stateless or stateful address
      autoconfiguration) in the list of addresses associated with the
      interface, the preferred lifetime of the address is reset to the
      Preferred Lifetime in the received advertisement. The specific
      action to perform for the valid lifetime of the address depends on
      the Valid Lifetime in the received advertisement and the remaining
      time to the valid lifetime expiration of the previously
      autoconfigured address. We call the remaining time
      "RemainingLifetime" in the following discussion:

      1.  If the received Valid Lifetime is greater than 2 hours or
          greater than RemainingLifetime, set the valid lifetime of the
          corresponding address to the advertised Valid Lifetime.

      2.  If RemainingLifetime is less than or equal to 2 hours, ignore
          the Prefix Information option with regards to the valid
          lifetime, unless the Router Advertisement from which this
          option was obtained has been authenticated (e.g., via IP
          security [1]). If the Router Advertisement was authenticated,
          the valid lifetime of the corresponding address should be set
          to the Valid Lifetime in the received option.

      3.  Otherwise, reset the valid lifetime of the corresponding
          address to two hours.


      The above rules address a specific denial of service attack in
      which a bogus advertisement could contain prefixes with very small
      Valid Lifetimes. Without the above rules, a single unauthenticated
      advertisement containing bogus Prefix Information options with
      short Valid Lifetimes could cause all of a node's addresses to
      expire prematurely. The above rules ensure that legitimate
      advertisements (which are sent periodically) will "cancel" the
      short Valid Lifetimes before they actually take effect.

      Note that the preferred lifetime of the corresponding address is
      always reset to the Preferred Lifetime in the received Prefix
      Information option, regardless of whether the valid lifetime is
      also reset or ignored. The difference comes from the fact that the
      possible attack for the preferred lifetime is relatively minor.
      Additionally, it is even undesirable to ignore the preferred
      lifetime when a valid administrator wants to deprecate a
      particular address by sending a short preferred lifetime (and the



Thomson, et al.          Expires August 9, 2004                [Page 19]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


      valid lifetime is ignored by accident).


5.5.4 Address Lifetime Expiry

   A preferred address becomes deprecated when its preferred lifetime
   expires. A deprecated address SHOULD continue to be used as a source
   address in existing communications, but SHOULD NOT be used to
   initiate new communications if an alternate (non-deprecated) address
   of sufficient scope can easily be used instead.

   Note that the feasibility of initiating new communication using a
   non-deprecated address may be an application-specific decision, as
   only the application may have knowledge about whether the (now)
   deprecated address was (or still is) in use by the application. For
   example, if an application explicitly specifies the protocol stack to
   use a deprecated address as a source address, the protocol stack must
   accept that; the application might request it because that IP address
   is used for in higher-level communication and there might be a
   requirement that the multiple connections in such a grouping use the
   same pair of IP addresses.

   IP and higher layers (e.g., TCP, UDP) MUST continue to accept and
   process datagrams destined to a deprecated address as normal since a
   deprecated address is still a valid address for the interface. In the
   case of TCP, this means TCP SYN segments sent to a deprecated address
   are responded to using the deprecated address as a source address in
   the corresponding SYN-ACK (if the connection would otherwise be
   allowed).

   An implementation MAY prevent any new communication from using a
   deprecated address, but system management MUST have the ability to
   disable such a facility, and the facility MUST be disabled by
   default.

   Other subtle cases should also be noted about source address
   selection. For example, the above description does not clarify which
   address should be used between a deprecated, smaller-scope address
   and a non-deprecated, enough scope address. The details of the
   address selection including this case is described in RFC 3484 [8]
   and beyond the scope of this document.

   An address (and its association with an interface) becomes invalid
   when its valid lifetime expires.  An invalid address MUST NOT be used
   as a source address in outgoing communications and MUST NOT be
   recognized as a destination on a receiving interface.





Thomson, et al.          Expires August 9, 2004                [Page 20]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


5.6 Configuration Consistency

   It is possible for hosts to obtain address information using both
   stateless and stateful protocols since both may be enabled at the
   same time.  It is also possible that the values of other
   configuration parameters such as MTU size and hop limit will be
   learned from both Router Advertisements and the stateful
   autoconfiguration protocol.  If the same configuration information is
   provided by multiple sources, the value of this information should be
   consistent. However, it is not considered a fatal error if
   information received from multiple sources is inconsistent. Hosts
   accept the union of all information received via the stateless and
   stateful protocols. If inconsistent information is learned different
   sources, the most recently obtained values always have precedence
   over information learned earlier.

5.7 Retaining Configured Addresses for Stability

   It is reasonable that implementations that have stable storage retain
   their addresses and the preferred and valid lifetimes if the
   addresses were acquired using stateless address autoconfiguration.
   Assuming the lifetimes used are reasonable, this technique implies
   that a temporary outage (less than the valid lifetime) of a router
   will never result in the node losing its global address even if the
   node were to reboot. This will particularly be useful in "zeroconf"
   environments where nodes are configuring their addresses by stateless
   address autoconfiguration but all communication is limited within a
   single link. In such a case, the failure of a "router" (that provides
   the prefix for address configuration) is not significant, but losing
   the global addresses might be a pain; it is true that the node can
   still use link-local addresses for communication within the link, but
   the node may want to use global addresses when possible, especially
   when the other nodes use global addresses.

   When an implementation tries to reuse a retained address after
   rebooting, it MUST first try to obtain Router Advertisements as
   described in RFC 2461[5] and use the retained address only after
   concluding there are no routers on the link. Additionally, the
   implementation MUST run Duplicate Address Detection for the address
   under the criteria described in Section 5.4, as though the address
   were just configured by stateless address autoconfiguration. The
   reason for this is because a different host may have started using
   the address while the rebooting host cannot respond to Duplicate
   Address Detection from the other host.

6. SECURITY CONSIDERATIONS

   Stateless address autoconfiguration allows a host to connect to a



Thomson, et al.          Expires August 9, 2004                [Page 21]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   network, configure an address and start communicating with other
   nodes without ever registering or authenticating itself with the
   local site.  Although this allows unauthorized users to connect to
   and use a network, the threat is inherently present in the Internet
   architecture. Any node with a physical attachment to a network can
   generate an address (using a variety of ad hoc techniques) that
   provides connectivity.

   The use of stateless address autoconfiguration and Duplicate Address
   Detection opens up the possibility of several denial of service
   attacks. For example, any node can respond to Neighbor Solicitations
   for a tentative address, causing the other node to reject the address
   as a duplicate. A separate document [10] discusses details about
   these attacks. These attacks can be addressed by requiring that
   Neighbor Discovery packets be authenticated [1]. However, it should
   be noted that [10] points out the use of IP security is not always
   feasible depending on network environments.

7. Acknowledgements

   The authors would like to thank the members of both the IPNG (which
   is now IPV6) and ADDRCONF working groups for their input. In
   particular, thanks to Jim Bound, Steve Deering, Richard Draves, and
   Erik Nordmark.  Thanks also goes to John Gilmore for alerting the WG
   of the "0 Lifetime Prefix Advertisement" denial of service attack
   vulnerability; this document incorporates changes that address this
   vulnerability.

Normative References

   [1]  Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402,
        November 1998.

   [2]  Crawford, M., "A Method for the Transmission of IPv6 Packets
        over Ethernet Networks", RFC 2464, December 1998.

   [3]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", RFC 2119, March 1997.

   [4]  Hinden, R. and S. Deering, "Internet Protocol Version (IPv6)
        Addressing Architecture", RFC 3513, April 2003.

   [5]  Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery for
        IP Version 6 (IPv6)", RFC 2461, December 1998.

Informative References

   [6]   Deering, S., "Host Extensions for IP Multicasting", RFC 1112,



Thomson, et al.          Expires August 9, 2004                [Page 22]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


         August 1989.

   [7]   Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
         Carney, "Dynamic Host Configuration Protocol for IPv6
         (DHCPv6)", RFC 3315, July 2003.

   [8]   Draves, R., "Default Address Selection for Internet Protocol
         version 6 (IPv6)", RFC 3484, February 2003.

   [9]   Deering, S., Fenner, W. and B. Haberman, "Multicast Listener
         Discovery (MLD) for IPv6", RFC 2710, October 1999.

   [10]  Nikander, P., Kempf, J. and E. Nordmark, "IPv6 Neighbor
         Discovery trust models and threats",
         draft-ietf-send-psreq-04.txt (work in progress), October 2003.

   [11]  Park, S., Madanapalli, S. and O. Rao, "IPv6 DAD Consideration
         for 802.11 Environment",
         draft-park-ipv6-dad-problem-wlan-00.txt (work in progress),
         July 2003.


Authors' Addresses

   Susan Thomson
   Cisco Systems

   EMail: sethomso@cisco.com


   Thomas Narten
   IBM Corporation
   P.O. Box 12195
   Research Triangle Park, NC  27709-2195
   USA

   Phone: +1 919-254-7798
   EMail: narten@us.ibm.com


   Tatuya Jinmei
   Corporate Research & Development Center, Toshiba Corporation
   1 Komukai Toshiba-cho, Saiwai-ku
   Kawasaki-shi, Kanagawa  212-8582
   Japan

   Phone: +81 44-549-2230
   EMail: jinmei@isl.rdc.toshiba.co.jp



Thomson, et al.          Expires August 9, 2004                [Page 23]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   Hesham Soliman
   Flarion Technologies

   EMail: H.Soliman@flarion.com

Appendix A. LOOPBACK SUPPRESSION & DUPLICATE ADDRESS DETECTION

   Determining whether a received multicast solicitation was looped back
   to the sender or actually came from another node is implementation-
   dependent.  A problematic case occurs when two interfaces attached to
   the same link happen to have the same identifier and link-layer
   address, and they both send out packets with identical contents at
   roughly the same time (e.g., Neighbor Solicitations for a tentative
   address as part of Duplicate Address Detection messages). Although a
   receiver will receive both packets, it cannot determine which packet
   was looped back and which packet came from the other node by simply
   comparing packet contents (i.e., the contents are identical). In this
   particular case, it is not necessary to know precisely which packet
   was looped back and which was sent by another node; if one receives
   more solicitations than were sent, the tentative address is a
   duplicate. However, the situation may not always be this
   straightforward.

   The IPv4 multicast specification [6] recommends that the service
   interface provide a way for an upper-layer protocol to inhibit local
   delivery of packets sent to a multicast group that the sending host
   is a member of. Some applications know that there will be no other
   group members on the same host, and suppressing loopback prevents
   them from having to receive (and discard) the packets they themselves
   send out.  A straightforward way to implement this facility is to
   disable loopback at the hardware level (if supported by the
   hardware), with packets looped back (if requested) by software.  On
   interfaces in which the hardware itself suppresses loopbacks, a node
   running Duplicate Address Detection simply counts the number of
   Neighbor Solicitations received for a tentative address and compares
   them with the number expected. If there is a mismatch, the tentative
   address is a duplicate.

   In those cases where the hardware cannot suppress loopbacks, however,
   one possible software heuristic to filter out unwanted loopbacks is
   to discard any received packet whose link-layer source address is the
   same as the receiving interface's. There is even a link-layer
   specification that requires to discard any such packets [11].
   Unfortunately, use of that criteria also results in the discarding of
   all packets sent by another node using the same link-layer address.
   Duplicate Address Detection will fail on interfaces that filter
   received packets in this manner:




Thomson, et al.          Expires August 9, 2004                [Page 24]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   o  If a node performing Duplicate Address Detection discards received
      packets having the same source link-layer address as the receiving
      interface, it will also discard packets from other nodes also
      using the same link-layer address, including Neighbor
      Advertisement and Neighbor Solicitation messages required to make
      Duplicate Address Detection work correctly. This particular
      problem can be avoided by temporarily disabling the software
      suppression of loopbacks while a node performs Duplicate Address
      Detection, if it is possible to disable the suppression.

   o  If a node that is already using a particular IP address discards
      received packets having the same link-layer source address as the
      interface, it will also discard Duplicate Address
      Detection-related Neighbor Solicitation messages sent by another
      node also using the same link-layer address. Consequently,
      Duplicate Address Detection will fail, and the other node will
      configure a non-unique address. Since it is generally impossible
      to know when another node is performing Duplicate Address
      Detection, this scenario can be avoided only if software
      suppression of loopback is permanently disabled.

   Thus, to perform Duplicate Address Detection correctly in the case
   where two interfaces are using the same link-layer address, an
   implementation must have a good understanding of the interface's
   multicast loopback semantics, and the interface cannot discard
   received packets simply because the source link-layer address is the
   same as the interfaces. It should also be noted that a link-layer
   specification can conflict with the condition necessary to make
   Duplicate Address Detection work.

Appendix B. CHANGES SINCE RFC 1971

   o  Changed document to use term "interface identifier" rather than
      "interface token" for consistency with other IPv6 documents.

   o  Clarified definition of deprecated address to make clear it is OK
      to continue sending to or from deprecated addresses.

   o  Added rules to Section 5.5.3 Router Advertisement processing to
      address potential denial-of-service attack when prefixes are
      advertised with very short Lifetimes.

   o  Clarified wording in Section 5.5.4 to make clear that all upper
      layer protocols must process (i.e., send and receive) packets sent
      to deprecated addresses.






Thomson, et al.          Expires August 9, 2004                [Page 25]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


Appendix C. CHANGE HISTORY

   Changes since RFC 2462 are:

   o  Fixed a typo in Section 2.

   o  Updated references and categorized them into normative and
      informative ones.

   o  Removed redundant code in denial of service protection in Section
      5.5.3.

   o  Clarified that a unicasted NS or NA should be discarded while
      performing Duplicate Address Detection.

   o  Replaced the word "StoredLifetime" with "RemainingLifetime" with a
      precise definition to avoid confusion.

   o  Removed references to site-local and revise wording around the
      keyword.

   o  Added a note about source address selection with regards to
      deprecated vs insufficient-scope addresses, etc. Added a reference
      to RFC 3484 for further details.

   o  Clarified what "new communication" means in Section 5.5.4.

   o  Added a new subsection (5.7) to mention the possibility to use
      stable storage to retain configured addresses for stability.

   o  Revised the Security Considerations section with a refence to the
      send requirement document and a note that the use of IP security
      is not always feasible.

   o  Added a note with a reference in Appendix A about the case where a
      link-layer filtering conflicts with a condition to make DAD work
      correctly.

   o  Specified that a node performing Duplicate Address Detection delay
      joining the solicited-node multicast group, not just delay sending
      Neighbor Solicitations, explaining the detailed reason.

   o  Clarified the reason why the interface should be disabled after an
      address duplicate is detected. Also clarified that the interface
      may continue to be used if the interface identifier is not based
      on the hardware address.

   o  Clarified that the preferred lifetime for an existing configured



Thomson, et al.          Expires August 9, 2004                [Page 26]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


      address is always reset to the advertised value by Router
      Advertisement.

   o  Updated the description of interface identifier considering the
      latest format.


Appendix D. OPEN ISSUES

   Semi-Open Issues (resolutions were proposed, but they may need
   further discussions):

   o  [2462bis issue 271] An implementation may want to use stable
      storage for autoconfigured addresses.

   o  [2462bis issue 274] There is conflict with the Multicast Listener
      Discovery specification about random delay for the first packet.

   o  [2462bis issue 278] Whether a router (not a host) can
      autoconfigure itself using the stateless autoconfiguration
      protocol may need to be discussed.

   Open Issues (resolutions have not been proposed yet):

   o  [2462bis issue 275] Many DAD related issues have been discussed,
      including whether it is okay to omit DAD in some environments or
      whether DAD can be replaced with DIID (duplicate interface ID
      detection).

   o  [2462bis issue 277] The semantics of the M/O flags is not very
      clear.

      1.  the text needs to be updated to use RFC 2119 keywords

      2.  which keywords?

      3.  what is "the stateful configuration protocol"?

      4.  if the answer to the previous question is DHCPv6, should this
          specification more explicitly reference the configuration-only
          version of DHCPv6 in the description of the 'O'flag?

   o  [2462bis issue 281] It is not very clear whether this document
      always require a 64-bit Interface ID.







Thomson, et al.          Expires August 9, 2004                [Page 27]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.


Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION



Thomson, et al.          Expires August 9, 2004                [Page 28]


Internet-Draft    IPv6 Stateless Address Autoconfiguration February 2004


   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.











































Thomson, et al.          Expires August 9, 2004                [Page 29]