Network Working Group B. Liu
Internet Draft S. Jiang
Intended status: Informational Huawei Technologies
Expires: November 17, 2013 C. Byrne
T-Mobile USA
May 16, 2013
Recommendations of Using Unique Local Addresses
draft-ietf-v6ops-ula-usage-recommendations-00.txt
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute working
documents as Internet-Drafts. The list of current Internet-Drafts is
at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 17, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents carefully,
as they describe your rights and restrictions with respect to this
document. Code Components extracted from this document must include
Simplified BSD License text as described in Section 4.e of the Trust
Legal Provisions and are provided without warranty as described in
the Simplified BSD License.
Liu, et al. Expires November 17, 2013 [Page 1]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
Abstract
This document provides guidance of how to use ULA. It analyzes ULA
usage scenarios and recommends use cases where ULA address may be
beneficially used.
Table of Contents
1. Introduction ................................................. 3
2. The analysis of ULA features ................................. 3
2.1. Automatically Generated ................................. 3
2.2. Globally unique.......................................... 3
2.3. Independent address space ............................... 4
2.4. Well known prefix ....................................... 4
2.5. Stable or Temporary Prefix .............................. 4
3. Enumeration of ULA use scenarios ............................. 4
3.1. Isolated network ........................................ 4
3.2. Connected network ....................................... 5
3.2.1. ULA-only Deployment ................................ 5
3.2.2. ULA along with GUA ................................. 6
4. General Guidelines of using ULA .............................. 6
4.1. Do not treat ULA equal to RFC1918 ....................... 6
4.2. Using ULAs in a limited scope ........................... 7
5. ULA usage recommendations .................................... 7
5.1. Used in Isolated Networks ............................... 7
5.2. ULA along with GUA ...................................... 7
5.3. Special Use Cases ....................................... 8
5.3.1. Special routing .................................... 8
5.3.2. Used as NAT64 prefix ............................... 8
5.3.3. Used as identifier ................................. 9
6. Security Considerations ...................................... 9
7. IANA Considerations ......................................... 10
8. Conclusions ................................................. 10
9. References .................................................. 10
9.1. Normative References ................................... 10
9.2. Informative References ................................. 10
10. Acknowledgments ............................................ 11
Liu, et al. Expires November 17, 2013 [Page 2]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
1. Introduction
Unique Local Addresses (ULAs) are defined in [RFC4193] as provider-
independent prefixes that can be used on isolated networks, internal
networks, and VPNs. Although ULAs may be treated like global scope by
applications, normally they should not be used on the publicly
routable internet.
However, the ULAs haven't been widely used since IPv6 hasn't been
widely deployed yet.
The use of ULA addresses in various types of networks has been
confusing to network operators. Some network operators believe ULAs
are not useful at all while other network operators have run ULAs
beneficially in their networks. This document attempts to clarify the
advantages and disadvantages of ULAs and how they can be most
appropriately used.
2. The analysis of ULA features
2.1. Automatically Generated
ULA prefixes could be automatically generated according to the
algorithms described in [RFC4193]. This feature allows automatic
address allocation, which is beneficial for some lightweight systems
and can leverage minimal human management.
2.2. Globally unique
ULA is intended to have an extremely low probability of collision.
Since the hosts assigned with ULA may occasionally be merged into one
network, this uniqueness is necessary. The prefix uniqueness is based
on randomization of 40 bits and is considered random enough to ensure
a high degree of uniqueness (refer to [RFC4193] section 3.2.3 for
details)and make merging of networks simple and without the need to
renumbering overlapping IP address space. Overlapping is cited as a
deficiency with how [RFC1918] addresses were deployed, and ULA was
designed to overcome this deficiency.
Notice that, as described in [RFC4864], in practice, applications may
treat ULAs like global-scope addresses, but address selection
algorithms may need to distinguish between ULAs and ordinary GUA
(Global-scope Unicast Address) to ensure bidirectional communications.
(Note: the new address selection standard has supported this in the
default policy table. [RFC6724])
Liu, et al. Expires November 17, 2013 [Page 3]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
2.3. Independent address space
ULA provides an internal address independence capability in IPv6 that
is similar to how [RFC1918] is commonly used. ULA allows
administrators to configure the internal network of each platform the
same way it is configured in IPv4. But the ability to merge two ULA
networks without renumbering (because of the uniqueness) is a big
advantage over [RFC1918].
On the other hand, many organizations have security policies and
architectures based around the local-only routing of [RFC1918]
addresses and those policies may directly map to ULA. ULA can be used
for internal communications without having any permanent or only
intermittent Internet connectivity. And it needs no registration so
that it can support on-demand usage and does not carry any RIR
documentation burden or disclosures.
2.4. Well known prefix
The prefixes of ULAs are well known and they are easy to be
identified and easy to be filtered.
This feature may be convenient to management of security policies and
troubleshooting. For example, the administrators can decide what
parameters have to be assembled or transmitted globally, by a
separate function, through an appropriate gateway/firewall, to the
Internet or to the telecom network.
2.5. Stable or Temporary Prefix
A ULA prefix can be generated once, at installation time or "factory
reset", and then never change unless the network manager wants to
change. Alternatively, it could be regenerated regularly, if desired
for some reason.
3. Enumeration of ULA use scenarios
In this section, we cover possible ULA use cases. Some of them might
have been discussed in other documents and are briefly reviewed in
this document as well as other potential valid usage is discussed.
3.1. Isolated network
IP is used ubiquitously. Some networks like RS-485, or other type of
industrial control bus, or even non-networked digital interface like
MIL-STD-1397 began to use IP protocol. In such kind of networks, the
Liu, et al. Expires November 17, 2013 [Page 4]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
system might lack the ability/requirement of connecting to the
Internet.
Besides, some networks are explicitly designed to not connect to the
internet. These networks may include machine-to-machine (e.g.
vehichle networks), sensor networks, or other types of SCADA networks
which may include very large numbers of addresses and explicitly
prohibited from connect to the global internet (electricity
meters...).
Since the serious disadvantages and impact on applications by
ambiguous address space have been well documented in [RFC1918], ULA
is a straightforward way to assign the IP addresses in these kinds of
networks with minimal administrative cost or burden. And since ULA
support multiple subnets, it is scalable. For example, when we assign
vehicles with ULA addresses, it is then possible to separate in-
vehicle embedded networks into different subnets depending on real-
time requirements, devices types, services and more.
3.2. Connected network
3.2.1. ULA-only Deployment
In some situations, hosts/interfaces are assigned with ULA-only, but
the networks need to communicate with the outside. For example, just
like many implementations of private IPv4 address space [RFC1918].
One important reason of using private address space is the lack of
IPv4 addresses, but this it is not an issue any more in IPv6. Another
reason is regarding with security, private address space is designed
by some administrators as one layer of a multilayer security. Such
design is also applicable in IPv6 with using ULAs [RFC4864].
ULA-only in connected network may include the following two models.
o Using Network Prefix Translation
Network Prefix Translation (NPTv6) [RFC6296] is an experimental
specification that provides a stateless one to one mapping between
internal addresses and external addresses.
In some very constrained situations(for example, in the sensors), the
network needs ULA as the on-demand and stable addressing which
doesn't need much code to support address assignment mechanisms like
DHCP or full ND (Note: surely it needs SLAAC). If the network also
needs to connect to the outside, then there can be an NPTv6 gateway
which is not subject to extreme resource constraints. Especially when
Liu, et al. Expires November 17, 2013 [Page 5]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
a lightweight isolated network needs to add Internet connectivity,
this is quite a straightforward and efficient way.
o Using application-layer proxies
The proxies terminate the network-layer connectivity of the hosts and
delegate the outgoing/incoming connections.
There may be some scenarios that need this kind of deployment for
some special purpose (strict application access control, content
monitoring, e.g.).
3.2.2. ULA along with GUA
There are two classes of network probably to use ULA with GUA
addresses:
o Home network. Home networks are normally assigned with one or more
globally routed PA prefixes to connect to the uplink of some an
ISP. And besides, they may need internal routed networking even
when the ISP link is down. Then ULA is a proper tool to fit the
requirement. And in [RFC6204], it requires the CPE to support ULA.
o Enterprise network. An enterprise network is usually a managed
network with one or more PA prefixes or with a PI prefix, all of
which are globally routed. The ULA could be used for internal
connectivity redundancy and better internal connectivity or
isolation of certain functions like OAM of servers.
4. General Guidelines of using ULA
4.1. Do not treat ULA equal to RFC1918
ULA and [RFC1918] are similar in some aspects. The most obvious one
is as described in section 2.1.3 that ULA provides an internal
address independence capability in IPv6 that is similar to how
[RFC1918] is commonly used.
But ULA is not equal to an IPv6 version of [RFC1918] deployment.
[RFC1918] usually combines with NAT/NAPT for global connectivity. But
it is not necessarily to combine ULAs with any kind of NAT. People
could use ULA for local communications along with global addresses
for global communications (see section 5.2). This is a big advantage
brought by default support of multiple-addresses-per-interface
feature in IPv6. (People might still have requirement of ULA with NAT,
this is discussed in section 3.2.1. But people also should keep in
Liu, et al. Expires November 17, 2013 [Page 6]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
mind that ULA is not intentionally designed for this kind of use
case.)
Another important difference is the ability to merge two ULA networks
without renumbering (because of the uniqueness), which is a big
advantage over [RFC1918].
4.2. Using ULAs in a limited scope
A ULA is by definition a prefix that is never advertised outside a
given domain, and is used within that domain by agreement of those
networked by the domain.
So when using ULAs in a network, the administrators should clearly
set the scope of the ULAs and configure ACLs on relevant border
routers to block them out of the scope. And if internal DNS are
enabled, the administrators might also need to use internal-only DNS
names for ULAs.
5. ULA usage recommendations
5.1. Used in Isolated Networks
As analyzed in section 3.1, ULA is very suitable for isolated
networks. Especially when you have subnets in the isolated networks,
ULA is the best choice.
5.2. ULA along with GUA
For either home networks or enterprise networks, the main purpose of
using ULA along with GUA is to provide a logically local routing
plane separated from the globally routing plane. The benefit is to
ensure stable and specific local communication regardless of the ISP
uplink failure. This benefit is especially meaningful for the home
network or private OAM function in an enterprise.
In some special cases such as renumbering, enterprise administrators
may want to avoid the need to renumber their internal-only, private
nodes when they have to renumber the PA addresses of the whole
network because of changing ISPs, ISPs restructure their address
allocations, or whatever reasons. In these situations, ULA is an
effective tool for the internal-only nodes.
Besides the internal-only nodes, the public nodes can also benefit
from ULA for renumbering. When renumbering, as RFC4192 suggested, it
has a period to keep using the old prefix(es) before the new
prefix(es) is(are) stable. In the process of adding new prefix(es)
Liu, et al. Expires November 17, 2013 [Page 7]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
and deprecating old prefix(es), it is not easy to keep the local
communication immune of global routing plane change. If we use ULA
for the local communication, the separated local routing plane can
isolate the affecting by global routing change.
But for the separated local routing plane, there always be some
argument that in practice the ULA+PA makes terrible operational
complexity. But it is not a ULA-specific problem; the multiple-
addresses-per-interface is an important feature of IPv6 protocol.
Running multiple prefixes in IPv6 might be very common, and we need
to adapt this new operational model than that in IPv4.
Another issue is mentioned in [RFC5220], there is a possibility that
the longest matching rule will not be able to choose the correct
address between ULAs and global unicast addresses for correct intra-
site and extra-site communication. In [RFC6724], it claimed that a
site-specific policy entry can be used to cause ULAs within a site to
be preferred over global addresses.
5.3. Special Use Cases
5.3.1. Special routing
If you have a special routing scenario, of which
[draft-baker-v6ops-b2b-private-routing] is an example, for various
reasons you might want to have routing that you control and is
separate from other routing. In the b2b case, even though two
companies each have at least one ISP, they might choose to also use
direct connectivity that only connects stated machines, such as a
silicon foundry with client engineers that use it. A ULA provides a
simple way to obtain such a prefix that would be used in accordance
with an agreement between the parties.
5.3.2. Used as NAT64 prefix
Since the NAT64 pref64 is just a group of local fake addresses for
the DNS64 to point traffic to a NAT64, the pref64 is a very good use
of ULA. It ensures that only local systems can use the translation
resources of the NAT64 system since the ULA is not globally routable
and helps clearly identify traffic that is locally contained and
destine to a NAT64. Using ULA for Pref64 is deployed and it is an
operational model.
But there's an issue should be noticed. The NAT64 standard [RFC6146)
mentioned the pref64 should align with [RFC6052], in which the IPv4-
Embedded IPv6 Address format was specified. If we pick a /48 for
NAT64, it happened to be a standard 48/ part of ULA (7bit ULA famous
Liu, et al. Expires November 17, 2013 [Page 8]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
prefix+ 1 "L" bit + 40bit Global ID). Then the 40bit of ULA is not
violated to be filled with part of the 32bit IPv4 address. This is
important, because the 40bit assures the uniqueness of ULA, if the
prefix is shorter than /48, the 40bit would be violated, and this may
cause conformance issue. But it is considered that the most common
use case will be a /96 PREF64, or even /64 will be used. So it seems
this issue is not common in current practice.
It is most common that ULA Pref64 will be deployed on a single
internal network, where the clients and the NAT64 share a common
internal network. ULA will not be effective as Pref64 when the access
network must use an Internet transit to receive the translation
service of a NAT64 since the ULA will not route across the internet.
5.3.3. Used as identifier
Since ULA could be self-generated and easily grabbed from the
standard IPv6 stack, it is very suitable to be used as identifiers by
the up layer applications. And since ULA is not intended to be
globally routed, it is not harmful to the routing system.
Such kind of benefit has been utilized in real implementations. For
example, in [RFC6281], the protocol BTMM (Back To My Mac) needs to
assign a topology-independent identifier to each client host
according to the following considerations:
o TCP connections between two end hosts wish to survive in network
changes.
o Sometimes one needs a constant identifier to be associated with a
key so that the Security Association can survive the location
changes.
It should be noticed again that in theory ULA has the possibility of
collision. However, the probability is desirable small enough and
could be ignored by most of the cases when used as identifiers.
6. Security Considerations
Security considerations regarding ULAs, in general, please refer to
the ULA specification [RFC4193].
Also refer to [RFC4864], which shows how ULAs help with local network
protection.
Liu, et al. Expires November 17, 2013 [Page 9]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
7. IANA Considerations
IANA considerations should be updated to point to RFC4193 in a
similar manner to section 4.
8. Conclusions
ULA is a useful tool, it could be successfully deployed in a diverse
set of circumstances including large private machine-to-machine type
networks, enterprise networks with private systems, and within
service providers to limit Internet communication with non-public
services such as caching DNS servers and NAT64 translation resources.
Some of the deployment is already in real production networks.
We should eliminate the misunderstanding that ULA is just an IPv6
version of [RFC1918]. The features of ULA could be beneficial for
various use cases.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP14, March 1997.
[RFC4193] Hinden, R., B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.
9.2. Informative References
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets",BCP 5,
RFC 1918, February 1996.
[RFC4864] Van de Velde, G., Hain, T., Droms, R., Carpenter, B., and
E. Klein, "Local Network Protection for IPv6", RFC 4864,
May 2007.
[RFC5220] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama,
"Problem Statement for Default Address Selection in Multi-
Prefix Environments: Operational Issues of RFC 3484 Default
Rules", RFC 5220, July 2008.
[RFC6281] Cheshire, S., Zhu, Z., Wakikawa, R., and L. Zhang,
"Understanding Apple's Back to My Mac (BTMM) Service", RFC
6281, June 2011.
Liu, et al. Expires November 17, 2013 [Page 10]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
[RFC6296] Wasserman, M., and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, June 2011.
[RFC6724] Thaler, D., Draves, R., Matsumoto, A., and Tim Chown,
"Default Address Selection for Internet Protocol version 6
(IPv6)", RFC 6724, September, 2012.
[draft-baker-v6ops-b2b-private-routing]
F. Baker, "Business to Business Private Routing", Expired
10. Acknowledgments
Many valuable comments were received in the mail list, especially
from Fred Baker, Brian Carpenter, Victor Kuarsingh, Alexandru
Petrescu, Mikael Abrahamsson, Jong-Hyouk Lee, Doug Barton, Owen
Delong, Anders Brandt and Wesley George.
This document was prepared using 2-Word-v2.0.template.dot.
Liu, et al. Expires November 17, 2013 [Page 11]
Internet-Draft draft-ietf-v6ops-ula-usage-recommendations-00 May 2013
Authors' Addresses
Bing Liu
Huawei Technologies Co., Ltd
Huawei Q14 Building, No.156 Beiqing Rd.,
Zhong-Guan-Cun Environmental Protection Park, Beijing
P.R. China
EMail: leo.liubing@huawei.com
Sheng Jiang
Huawei Technologies Co., Ltd
Huawei Q14 Building, No.156 Beiqing Rd.,
Zhong-Guan-Cun Environmental Protection Park, Beijing
P.R. China
EMail: jiangsheng@huawei.com
Cameron Byrne
T-Mobile USA
Bellevue, Washington 98006
USA
Email: cameron.byrne@t-mobile.com