Network Working Group                                           H. Singh
Internet-Draft                                                 W. Beebee
Intended status: BCP                                 Cisco Systems, Inc.
Expires: January 1, 2009                                   June 30, 2008

                     IPv6 CPE Router Recommendations
                     draft-wbeebee-ipv6-cpe-router-00

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on January 1, 2009.

Abstract

This document recommends IPv6 behavior for Customer Premises Equipment (CPE) routers in Internet-enabled homes and small offices.

Singh & Beebee            Expires January 1, 2009                [Page 1]
Internet-Draft             CPE Router Recommendations            June 2008

Table of Contents

   1.  Introduction
   2.  Terminology and Abbreviations
   3.  Operational Behavior
   4.  Router Initialization
   5.  Basic IPv6 Provisioning
       5.1.  Acquire Link-Local Address
       5.2.  Process RAs
       5.3.  Acquire IPv6 address and other configuration parameters
             5.3.1.  Details for DHCPv6 Address Acquisition
       5.4.  IPv6 Provisioning of home Devices
       5.5.  Stateful DHCPv6 server requirements for the CPE Router
   6.  IPv6 Data forwarding
       6.1.  IPv6 Multicast
   7.  Other IPv6 Features
       7.1.  Path MTU Discovery Support
       7.2.  Optional support for RIPv6
       7.3.  Firewall
             7.3.1.  Packet filters
   8.  Quality of Service (QoS)
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgements
   12. References
       12.1.  Normative References
       12.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements
1.  Introduction

This document defines IPv6 features for a residential or small office router, referred to as a CPE Router. This device also needs to support IPv4, but that work is beyond the scope of this document. Also, this document does not go into configuration details for the CPE Router. The document discusses IPv6 implications for the attached Service Provider network.

The document notes that the CPE Router may be deployed in the home in one of two ways: either the Service Provider or the home user may manage the device. When the CPE Router is managed by the Service Provider, the router may need additional management and routing properties, such as a new MIB definition and routing protocols communicating between the CPE Router and the Service Provider network.

The CPE Router has one WAN port to connect to the Service Provider and one or more LAN interfaces to the home network devices. The WAN interface and each LAN interface are Ethernet encapsulated.

2.  Terminology and Abbreviations

Host - a personal computer or any other network device in a home that connects to the Internet via the CPE Router.

LAN interface(s) - a set of network interfaces on the CPE Router that are used to connect hosts in the home. This set of ports could be switched, bridged, or routed.

WLAN interface - an optional wireless access point interface on the CPE Router used to connect wireless hosts in the home in either managed or ad-hoc modes.

WAN interface - a single network interface on the CPE Router that is used to connect the router to the access network of the Service Provider.

GRE tunnel - Generic Routing Encapsulation tunnel.

SLAAC - StateLess Address Auto Configuration.

IPTV - Internet Protocol TeleVision.

3.  Operational Behavior

The CPE Router is a gateway to the Internet for a home. The router is also intended to provide home networking functionality. The CPE Router may have a console or web interface for configuration. This document defines the core set of features that are supported by the CPE Router; however, individual implementations may include value-added features such as WLAN capability. The core set of IPv6 features for the CPE Router includes provisioning the CPE Router for IPv6, IPv6 data forwarding including IPv6 multicast, the CPE Router provisioning hosts on its LAN interface(s), firewall, and QoS behavior. An IPv6 firewall is discussed briefly in the Firewall section, which refers to draft-ietf-v6ops-cpe-simple-security [I-D.ietf-v6ops-cpe-simple-security] for more details.

4.  Router Initialization

Before the CPE Router is initialized, the device must have IPv6 enabled. The CPE Router should support the ability to disable its IPv6 stack. The CPE Router also has the ability to block or forward IPv6 traffic to and from the router's LAN interface(s). [RFC2669] includes a MIB definition to block the IPv4 or IPv6 Ethertype on the upstream or downstream interface(s) of a device such as the CPE Router. Some portion of this MIB may need to be modified for use with the CPE Router.

5.  Basic IPv6 Provisioning

We recommend that the CPE Router WAN interface acquire its global IPv6 address using DHCPv6, for administrative control of the router. The DHCPv6 IA_PD option can be used as described in [RFC3633]. Any of DHCPv6, stateless autoconfiguration, or manual configuration may be supported by the CPE Router for IPv6 address configuration of the WAN interface. Manual configuration is beyond the scope of this document.

The CPE Router first acquires its IPv6 addresses from the Service Provider along with any other IPv6 configuration. Then the CPE Router provisions its LAN interface(s) for IPv6 router functionality. More details for provisioning the CPE Router are given in the following sections.

5.1.  Acquire Link-Local Address

If an interface of the CPE Router is configured for IPv6, then when the interface initializes itself, as per [RFC4862], the CPE Router must create a link-local address for the interface. We recommend that the CPE Router use the EUI-64 identifier for the link-local address of each of its interfaces. Refer to EUI-64 details in [RFC4291]. Further, as per section 5.4 of [RFC4862], since the CPE Router supports link-layer multicast on all of its interfaces (draft-ietf-6man-node-req-bis [I-D.ietf-6man-node-req-bis]), it must perform Duplicate Address Detection (DAD) on all unicast addresses. If the CPE Router detects a duplicate address assigned to an interface, the CPE Router must not send IPv6 packets from the interface.

5.2.  Process RAs

The CPE Router must process incoming RAs received on the WAN interface as specified in section 6.3 of [RFC4861]. The CPE Router locates routers that reside on the attached WAN link from the received RAs.

5.3.  Acquire IPv6 address and other configuration parameters

The CPE Router must process RAs received on the WAN interface and, as instructed by the RA message, acquire a global IPv6 address for the WAN interface using SLAAC or DHCPv6. As per [RFC4861], if the M bit is set in the RA, the WAN interface must perform DHCPv6; if the O bit is set in the RA, the WAN interface acquires other configuration information using stateless DHCPv6 [RFC3736]. If the A bit in the RA is clear or the RA does not include any Prefix Information Option (PIO), the WAN interface must not perform SLAAC. IPv6 deployments that configure the RA to not include any PIO are discussed in draft-ietf-6man-ipv6-subnet-model [I-D.ietf-6man-ipv6-subnet-model].

At any instant during CPE Router operation, the router does not forward any traffic between its WAN and LAN interface(s) if the router has not completed the IPv6 provisioning process, which entails the WAN and LAN interface(s) successfully acquiring global IPv6 addresses.

5.3.1.  Details for DHCPv6 Address Acquisition

If the WAN interface uses DHCPv6, the interface sends a DHCPv6 Solicit message as described in section 17.1.1 of [RFC3315].
The Solicit message must include an IA_NA option as specified by [RFC3315], an IA_PD option as specified by [RFC3633], a Reconfigure Accept option to inform the server that the client is willing to accept Reconfigure messages from the server, and an Option Request option that includes the DNS Recursive Name Server option as specified in [RFC3646]. The Solicit may also include the Rapid Commit option if the CPE Router is willing to accept a 2-message DHCPv6 exchange with the server.

When the CPE Router processes a DHCPv6 response from the server, if the response message (e.g. ADVERTISE or REPLY) received does not include an IA_NA option, IA_PD option, or Reconfigure Accept option, then the CPE Router has failed DHCPv6 address acquisition. If DHCPv6 succeeds, the CPE Router must perform DAD with the IPv6 address acquired from DHCPv6. If the CPE Router detects a duplicate, the CPE Router must send a DHCPv6 Decline message to the DHCPv6 server.

The CPE Router may support the Reconfigure Key Authentication Protocol, as described in section 21.5 of [RFC3315].

The CPE Router may also support prefix sub-delegation. Prefix sub-delegation involves DHCPv6 server support with IA_PD on the CPE Router and the ability to provision that server from a DHCPv6 REPLY with an IA_PD option received on the WAN interface.

5.4.  IPv6 Provisioning of home Devices

After the IPv6 address configuration for the WAN interface is completed, the CPE Router configures IPv6 addresses for the LAN interface(s). If the LAN interface(s) are switched or bridged ports, then the CPE Router assigns a single global IPv6 address to a conceptual virtual interface serving all the LAN interface(s). If each LAN interface is a routed port, then the CPE Router will assign a global IPv6 address and a unique subnet to each LAN interface. In either case, whether the CPE Router needs to assign a single IPv6 address to the LAN interface(s) or multiple IPv6 addresses, the CPE Router allocates the addresses and subnets from the prefix received in the IA_PD option on the WAN port.

Once IPv6 address configuration of the LAN interface(s) is complete, as per [RFC4862], the CPE Router sends Router Advertisements (RAs) to devices in the home. Hosts receiving the RA from the LAN interface(s) will process the RA and perform IPv6 address acquisition. This document recommends that the RA be configured for stateless autoconfiguration so that the prefix advertised in the RA is derived from the IA_PD assigned to the CPE Router by the Service Provider; the O bit is also set so that the CPE Router can pass the Domain Name Server(s) IPv6 address(es) to home devices.
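As an added example (not code from the draft or from any vendor implementation), the following Python models the Solicit/response rules of section 5.3.1 and the IA_PD sub-delegation of section 5.4: it builds a Solicit carrying the options the draft requires, treats a response as a success only if it carries IA_NA, IA_PD and Reconfigure Accept, and carves /64 prefixes for routed LAN interfaces out of the delegated prefix. The DUID, IAID, timers, the REPLY contents and the 2001:db8:1::/56 delegation are constructed values, and the success check is on option presence only, as the draft states it.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 3315, RFC 3633, RFC 3646).
SOLICIT, ADVERTISE, REPLY = 1, 2, 7
OPT_CLIENTID, OPT_IA_NA, OPT_ORO, OPT_RAPID_COMMIT = 1, 3, 6, 14
OPT_RECONF_ACCEPT, OPT_DNS_SERVERS, OPT_IA_PD, OPT_IAPREFIX = 20, 23, 25, 26
# Section 5.3.1: a response lacking any of these means acquisition failed.
REQUIRED_IN_RESPONSE = {OPT_IA_NA, OPT_IA_PD, OPT_RECONF_ACCEPT}


def opt(code, payload=b""):
    """Encode one option as option-code, option-len, option-data."""
    return struct.pack("!HH", code, len(payload)) + payload


def build_solicit(xid, duid, iaid, rapid_commit=False):
    """Solicit from the WAN interface with the options section 5.3.1 requires;
    Rapid Commit is added only if the router accepts a 2-message exchange."""
    body = opt(OPT_CLIENTID, duid)
    body += opt(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))  # T1 = T2 = 0
    body += opt(OPT_IA_PD, struct.pack("!III", iaid, 0, 0))
    body += opt(OPT_RECONF_ACCEPT)
    body += opt(OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS))
    if rapid_commit:
        body += opt(OPT_RAPID_COMMIT)
    return struct.pack("!I", (SOLICIT << 24) | (xid & 0xFFFFFF)) + body


def parse_options(data):
    """Decode a run of options into {code: [payload, ...]}; refuse truncated
    or over-long options rather than reading past the end of the message."""
    opts = {}
    while data:
        if len(data) < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", data[:4])
        if len(data) < 4 + length:
            raise ValueError("option length runs past end of message")
        opts.setdefault(code, []).append(data[4:4 + length])
        data = data[4 + length:]
    return opts


def check_response(msg):
    """Section 5.3.1 success test on an ADVERTISE/REPLY: (ok, prefixes, dns)."""
    if not msg or msg[0] not in (ADVERTISE, REPLY):
        return False, [], []
    opts = parse_options(msg[4:])
    if not REQUIRED_IN_RESPONSE.issubset(opts):
        return False, [], []
    prefixes = []
    for ia_pd in opts[OPT_IA_PD]:
        # IA_PD: IAID, T1, T2 (12 bytes) followed by IA_PD-options.
        for p in parse_options(ia_pd[12:]).get(OPT_IAPREFIX, []):
            # IAPREFIX: preferred, valid (8 bytes), prefix-length, prefix.
            net = (ipaddress.IPv6Address(p[9:25]), p[8])
            prefixes.append(ipaddress.IPv6Network(net, strict=False))
    dns = [ipaddress.IPv6Address(d[i:i + 16])
           for d in opts.get(OPT_DNS_SERVERS, []) for i in range(0, len(d), 16)]
    return True, prefixes, dns


def lan_prefixes(delegated, lan_count):
    """Section 5.4: one /64 per routed LAN interface from the IA_PD prefix."""
    subnets = list(delegated.subnets(new_prefix=64))
    if len(subnets) < lan_count:
        raise ValueError("delegated prefix too short for %d LANs" % lan_count)
    return subnets[:lan_count]


def constructed_reply(xid):
    """Constructed REPLY (not captured traffic) delegating 2001:db8:1::/56."""
    pfx = ipaddress.IPv6Network("2001:db8:1::/56").network_address.packed
    iaprefix = opt(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 56) + pfx)
    body = opt(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880))
    body += opt(OPT_IA_PD, struct.pack("!III", 1, 1800, 2880) + iaprefix)
    body += opt(OPT_RECONF_ACCEPT)
    body += opt(OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed)
    return struct.pack("!I", (REPLY << 24) | (xid & 0xFFFFFF)) + body
```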
The CPE Router obtained the Domain Name Server(s) in the OPTION_DNS_SERVERS option from the DHCPv6 server when the CPE Router WAN interface completed DHCPv6.

The CPE Router may include a stateful DHCPv6 server to assign addresses to home devices connected via the LAN interface(s) of the CPE Router. However, we recommend that the CPE Router use SLAAC for home devices.

5.5.  Stateful DHCPv6 server requirements for the CPE Router

The CPE Router may support a stateful DHCPv6 server to serve clients on the CPE Router LAN interface(s). If the CPE Router needs to support a stateful DHCPv6 server, then more details will be added to this section specifying the minimal functionality that the stateful DHCPv6 server needs to support.

6.  IPv6 Data forwarding

Each of the WAN and LAN interface(s) of the CPE Router must have its own MAC address. The CPE Router supports the ND protocol on both the WAN interface and the LAN interface(s) to advertise itself as a router to neighbors in the Service Provider and home networks.

The CPE Router forwards packets between the Service Provider and the home network. To do this, the CPE Router needs to look up the destination address of the packet in the routing table and decide which route to use to forward the packet. Each protocol that the CPE Router can forward packets for must have a separate routing table. The CPE Router routing table will be initialized during CPE Router initialization. The routing table is filled by directly connected, static, and routing protocol routes.

The CPE Router consumes any packet destined to its WAN or LAN interface. The CPE Router forwards other packets destined to hosts attached to the CPE Router LAN interface(s). Before forwarding a packet in any direction, the CPE Router performs a MAC rewrite operation that rewrites the source L2 address of the packet with the MAC address of the CPE Router's WAN or LAN interface. Any packet that is not routable by the CPE Router must be dropped.

The CPE Router must support the ND protocol specified by [RFC4861]. Proxy Neighbor Advertisements as described in Section 7.2.8 of [RFC4861] are not applicable to the CPE Router. Also note, as per section 6.2.8 of [RFC4861], that the link-local address on a router should rarely change, if ever.

As per [RFC2460], the CPE Router decrements the Hop Limit by 1 for any packet it forwards. The packet is discarded if the Hop Limit is decremented to zero, and the CPE Router also sends an ICMP Time Exceeded message to the source of the packet.

6.1.  IPv6 Multicast

The CPE Router needs to support multicast clients in the home. These clients are connected to the CPE Router LAN interface(s). Therefore the CPE Router must implement IPv6 multicast MLDv2 router functionality as per [RFC3810] on each of the LAN interface(s). Further, the IPv6 multicast router also maintains a conceptual Multicast Client Database for each LAN interface, which holds the multicast reception state for connected hosts. The CPE Router builds the Multicast Client Database from MLD Report messages arriving at the LAN interface(s) from hosts in the home.
In the CPE Router downstream direction, the device needs to forward multicast data to the LAN interface(s). In order to do that, the CPE Router needs to support being an MLDv2 Multicast Listener, defined in [RFC3810], on the WAN interface. The CPE Router learns IPv6 multicast group membership information received on the LAN interface(s) and proxies the information on the WAN interface to the next upstream multicast router. Multicast downstream packets arriving at the WAN interface are forwarded to the respective LAN interface based on information the CPE Router learned from LAN interface MLDv1/v2 Reports.

The CPE Router also merges all multicast connected client information from all the LAN interface(s) into a conceptual IPv6 multicast Group Membership Database. The WAN interface follows section 4.2 of [RFC3810] to maintain the multicast reception interface state. Therefore, if an entry in the IPv6 multicast Group Membership Database changes, the CPE Router reports the change with an unsolicited MLDv2 Report. Likewise, if the CPE Router WAN interface is queried by an upstream multicast router, the CPE Router will respond with information from the Group Membership Database. The format of records in the Group Membership Database is specified in section 7.2 of [RFC3810]. A record will exist per LAN interface and per multicast address joined.

Querier Election rules as described in section 7.6.2 of [RFC3810] do not apply to the CPE Router since the home network has only one router. Therefore, the CPE Router must always act as the MLD querier on its LAN interface(s).

The CPE Router maintains a conceptual Multicast Forwarding Information Base (MFIB). To forward any multicast packet, the CPE Router will look up the multicast group and output interface list in the MFIB. The CPE Router transmits IPv6 multicast packets out an interface if and only if at least one receiving host is joined to the corresponding group on the interface. Entries in the MFIB are added and updated via the Multicast Client Database and the Group Membership Database.

Consistent with the above model, the CPE Router may not implement the router portion of MLDv2 for the WAN interface. Likewise, the LAN interfaces on the CPE Router may not implement an MLDv2 Multicast Listener. However, if a user at home wants to create a new multicast group and send multicast data to other nodes on the Service Provider network, then the WAN port of the CPE Router will need to implement the router portion of MLDv2 and the LAN port will need to implement an MLDv2 Multicast Listener. Furthermore, in this case, the router implementation described above should be extended to handle multicast traffic flowing in the upstream direction.
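An added example, not from the draft, modelling the three conceptual databases of section 6.1 in Python: a Multicast Client Database per LAN interface built from MLDv2 report records, the merged Group Membership Database that is proxied upstream with an unsolicited report only when a group's membership appears or disappears, and an MFIB that yields the output interface list for a downstream packet (an empty list means drop). Interface names, host addresses, and the use of CHANGE_TO_EXCLUDE/CHANGE_TO_INCLUDE with an empty source list as ASM join/leave are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# MLDv2 record types used here (RFC 3810 section 5.2.12). With an empty
# source list, CHANGE_TO_EXCLUDE is an ASM join and CHANGE_TO_INCLUDE a leave.
CHANGE_TO_INCLUDE, CHANGE_TO_EXCLUDE = 3, 4


class MldProxy:
    """Models section 6.1: MLDv2 router on the LAN side, MLDv2 listener on
    the WAN side, with the per-LAN Multicast Client Database, the merged
    Group Membership Database and the MFIB kept as plain dictionaries."""

    def __init__(self, lan_ifaces):
        # Multicast Client Database: iface -> group -> hosts currently joined
        self.clients = {i: defaultdict(set) for i in lan_ifaces}
        # Group Membership Database: group -> LAN ifaces with a listener
        self.membership = {}
        # MFIB: group -> sorted output interface list
        self.mfib = {}
        # Unsolicited MLDv2 reports sent upstream on the WAN (RFC 3810
        # section 4.2), recorded as (record_type, group)
        self.wan_reports = []

    def process_lan_report(self, iface, host, record_type, group):
        """Handle one MLDv2 report record received from host on a LAN iface."""
        if iface not in self.clients:
            raise ValueError("report on non-LAN interface %r" % iface)
        group = ipaddress.IPv6Address(group)
        if not group.is_multicast:
            raise ValueError("%s is not a multicast address" % group)
        db = self.clients[iface]
        if record_type == CHANGE_TO_EXCLUDE:
            db[group].add(host)
        elif record_type == CHANGE_TO_INCLUDE:
            db[group].discard(host)
            if not db[group]:
                del db[group]
        else:
            raise ValueError("unsupported record type %d" % record_type)
        self._sync(group)

    def _sync(self, group):
        """Rebuild the Group Membership Database and MFIB entries for group;
        report upstream only when membership appears or vanishes."""
        ifaces = {i for i, db in self.clients.items() if group in db}
        had = group in self.membership
        if ifaces:
            self.membership[group] = ifaces
            self.mfib[group] = sorted(ifaces)
            if not had:
                self.wan_reports.append((CHANGE_TO_EXCLUDE, str(group)))
        elif had:
            del self.membership[group]
            del self.mfib[group]
            self.wan_reports.append((CHANGE_TO_INCLUDE, str(group)))

    def forward_downstream(self, group):
        """Output interfaces for a multicast packet arriving on the WAN;
        an empty list means the packet is dropped (no joined host)."""
        return list(self.mfib.get(ipaddress.IPv6Address(group), []))

    def answer_wan_query(self):
        """Reply to an upstream General Query from the Group Membership
        Database: one record per joined group."""
        return sorted(str(g) for g in self.membership)
```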
7.  Other IPv6 Features

7.1.  Path MTU Discovery Support

GRE tunnels, such as 6-to-4 tunnels (which may be terminated on the CPE Router), can modify the default Ethernet MTU of 1500 bytes. Also, in the future, Ethernet Jumbo frames (9000+ bytes) may also be supported. Since the MTU can vary, a newly initiated TCP stream must detect the largest packet that can be sent to the destination without fragmentation. This can be detected using Path MTU Discovery [RFC1981]. Packets which are too large to be forwarded along the path from source to destination may generate an ICMPv6 Packet Too Big message. The CPE Router must route back to the source any ICMPv6 Packet Too Big messages generated anywhere on this path.

7.2.  Optional support for RIPv6

The CPE Router may support the RIPv6 routing protocol [RFC2080] so that RIPv6 operates between the CPE Router and the Service Provider network. RIPv6 has scaling and security implications for the Service Provider network, where one Service Provider router may terminate several tens of thousands of CPE routers. However, RIPv6 does provide one solution for prefix route injection from the CPE Router into the Service Provider network.

7.3.  Firewall

The CPE Router must support an IPv6 Firewall feature. The firewall may include features like access-control lists. The firewall may support interpretation or recognition of most IPv6 extension header information, including inspecting the fragmentation header. The firewall needs to support stateful and stateless Packet Filters as follows.

7.3.1.  Packet filters

The CPE Router needs to support packet filtering based on IP headers, extension headers, UDP and TCP ports, etc. Numerous filters are described in section 3.2 of draft-ietf-v6ops-cpe-simple-security [I-D.ietf-v6ops-cpe-simple-security], such as some that allow IKE and IPsec packets, while another filter may block Teredo packets.

8.  Quality of Service (QoS)

The CPE Router may map the IPv6 Traffic Class field from [RFC2460] to individual queues of different priority to provide differentiated classes of service for traffic destined to either the LAN or WAN interfaces (e.g. for IPTV service).
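For the packet filter of section 7.3.1, here is an added example (not the draft's or the referenced I-D's code) of a stateless IPv6 filter in Python that walks the extension header chain, including the fragment header, to reach the transport header and then applies the three rule kinds the draft names: allow IKE, allow IPsec (ESP/AH), block Teredo. The UDP port numbers, the default-drop policy and the constructed test packets are assumptions of this example.

```python
import ipaddress
import struct

# IPv6 next-header values (IANA protocol numbers).
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
# Assumed ports for the draft's example rules: IKE/IKEv2 and Teredo.
IKE_PORTS = {500, 4500}
TEREDO_PORT = 3544


def classify(pkt):
    """Walk the IPv6 header chain. Returns (proto, sport, dport, frag_offset);
    ports are None when no transport header is present in this packet
    (ESP, AH, or a non-initial fragment). Raises ValueError if malformed."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag_off = pkt[6], 40, 0
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            nh, frag_off = pkt[off], struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            off += 8
            if frag_off:  # non-initial fragment: transport header is not here
                return nh, None, None, frag_off
        else:  # Hop-by-Hop, Routing, Destination Options: length in 8-octet units
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh in (TCP, UDP):
        if off + 4 > len(pkt):
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        return nh, sport, dport, frag_off
    return nh, None, None, frag_off


def inbound_decision(pkt, default="drop"):
    """Stateless inbound filter in the spirit of section 7.3.1. Returns
    (action, reason); anything the parser cannot classify is dropped."""
    try:
        proto, sport, dport, frag_off = classify(pkt)
    except ValueError as exc:
        return "drop", "malformed: %s" % exc
    if proto in (ESP, AH):
        return "allow", "ipsec"
    if proto == UDP:
        if dport is None:  # later fragment of a UDP datagram: ports unknown
            return "drop", "udp fragment without transport header"
        if {sport, dport} & IKE_PORTS:
            return "allow", "ike"
        if TEREDO_PORT in (sport, dport):
            return "drop", "teredo"
    return default, "default policy"


def ipv6_packet(next_header, payload, src="2001:db8::1", dst="2001:db8:1::1"):
    """Constructed IPv6 packet for exercising the filter (not a capture)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def udp_header(sport, dport):
    """Constructed 8-byte UDP header with no data."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def fragment_header(next_header, offset, more=1, ident=0x1234):
    """Constructed fragment extension header (RFC 2460 section 4.5)."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, ident)
```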
9.  Security Considerations

Security considerations of a CPE Router are covered by draft-ietf-v6ops-cpe-simple-security [I-D.ietf-v6ops-cpe-simple-security].

10.  IANA Considerations

None.

11.  Acknowledgements

Thanks (in alphabetical order) to Bernie Volz for his initial input on the document.

12.  References

12.1.  Normative References

[RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007.

12.2.  Informative References

[I-D.ietf-6man-ipv6-subnet-model]  Singh, H., Beebee, W., and E. Nordmark, "IPv6 Subnet Model: the Relationship between Links and Subnet Prefixes", draft-ietf-6man-ipv6-subnet-model-00 (work in progress), May 2008.

[I-D.ietf-6man-node-req-bis]  Loughney, J., "IPv6 Node Requirements RFC 4294-bis", draft-ietf-6man-node-req-bis-01 (work in progress), February 2008.

[I-D.ietf-v6ops-cpe-simple-security]  Woodyatt, J., "Recommended Simple Security Capabilities in Customer Premises Equipment for Providing Residential IPv6 Internet Service", draft-ietf-v6ops-cpe-simple-security-02 (work in progress), February 2008.

[RFC1981]  McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery for IP version 6", RFC 1981, August 1996.
[RFC2080]  Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, January 1997.

[RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

[RFC2669]  St. Johns, M., "DOCSIS Cable Device MIB Cable Device Management Information Base for DOCSIS compliant Cable Modems and Cable Modem Termination Systems", RFC 2669, August 1999.

[RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.

[RFC3633]  Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003.

[RFC3646]  Droms, R., "DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, December 2003.

[RFC3736]  Droms, R., "Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6", RFC 3736, April 2004.

[RFC3810]  Vida, R. and L. Costa, "Multicast Listener Discovery Version 2 (MLDv2) for IPv6", RFC 3810, June 2004.

[RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006.

[RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007.

Authors' Addresses

Hemant Singh
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, MA 01719
USA

Phone: +1 978 936 1622
Email: shemant@cisco.com
URI:   http://www.cisco.com/
Wes Beebee
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, MA 01719
USA

Phone: +1 978 936 2030
Email: wbeebee@cisco.com
URI:   http://www.cisco.com/
Full Copyright Statement

Copyright (C) The IETF Trust (2008).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.