Network Working Group H. Singh
Internet-Draft W. Beebee
Intended status: BCP Cisco Systems, Inc.
Expires: January 1, 2009 June 30, 2008
IPv6 CPE Router Recommendations
draft-wbeebee-ipv6-cpe-router-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 1, 2009.
Abstract
This document recommends IPv6 behavior for Customer Premises
Equipment (CPE) routers in Internet-enabled homes and small offices.
Singh & Beebee Expires January 1, 2009 [Page 1]
Internet-Draft CPE Router Recommendations June 2008
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology and Abbreviations . . . . . . . . . . . . . . . . 3
3. Operational Behavior . . . . . . . . . . . . . . . . . . . . . 3
4. Router Initialization . . . . . . . . . . . . . . . . . . . . 4
5. Basic IPv6 Provisioning . . . . . . . . . . . . . . . . . . . 4
5.1. Acquire Link-Local Address . . . . . . . . . . . . . . . . 4
5.2. Process RAs . . . . . . . . . . . . . . . . . . . . . . . 5
5.3. Acquire IPv6 address and other configuration parameters . 5
5.3.1. Details for DHCPv6 Address Acquisition . . . . . . . . 5
5.4. IPv6 Provisioning of home Devices . . . . . . . . . . . . 6
5.5. Stateful DHCPv6 server requirements for the CPE Router . . 6
6. IPv6 Data forwarding . . . . . . . . . . . . . . . . . . . . . 7
6.1. IPv6 Multicast . . . . . . . . . . . . . . . . . . . . . . 7
7. Other IPv6 Features . . . . . . . . . . . . . . . . . . . . . 9
7.1. Path MTU Discovery Support . . . . . . . . . . . . . . . . 9
7.2. Optional support for RIPv6 . . . . . . . . . . . . . . . . 9
7.3. Firewall . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.3.1. Packet filters . . . . . . . . . . . . . . . . . . . . 9
8. Quality Of Service(QoS) . . . . . . . . . . . . . . . . . . . 9
9. Security Considerations . . . . . . . . . . . . . . . . . . . 10
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
12.1. Normative References . . . . . . . . . . . . . . . . . . . 10
12.2. Informative References . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Intellectual Property and Copyright Statements . . . . . . . . . . 13
Singh & Beebee Expires January 1, 2009 [Page 2]
Internet-Draft CPE Router Recommendations June 2008
1. Introduction
This document defines IPv6 features for a residential or small office
router referred to as a CPE Router. This device also needs to
support IPv4, but that work is beyond the scope of this document.
Also, this document does not go into configuration details for the
CPE Router.
The document discusses IPv6 implications for the attached Service
Provider network. The document notes that the CPE Router may be
deployed in home in one of two ways. Either the Service Provider or
the home user may manage this device. When the CPE Router is managed
by the Service Provider, the router may need additional management
and routing properties like a new MIB definition and routing
protocols communicating between the CPE Router and the Service
Provider network. The CPE router has one WAN port to connect to the
Service Provider and one or more LAN interfaces to the home network
devices. Each of WAN or any LAN interface is Ethernet encapsulated.
2. Terminology and Abbreviations
Host - this is a personal computer or any other network device in
a home that connects to the Internet via the CPE Router.
LAN interface(s) - a set of network interfaces on the CPE Router
that are used to connect hosts in the home. This set of ports
could be switched, bridged, or routed.
WLAN interface - an optional wireless access point interface on
the CPE Router used to connect wireless hosts in the home in
either managed or ad-hoc modes.
WAN interface - a single network interface on the CPE Router that
is used to connect the router to the access network of the Service
Provider.
GRE tunnel - Generic Routing Encapsulation tunnel.
SLAAC - StateLess Address Auto Configuration.
IPTV - Internet Protocol TeleVision.
3. Operational Behavior
The CPE Router is a gateway to the Internet for a home. The router
is also intended to provide home networking functionality. The CPE
Singh & Beebee Expires January 1, 2009 [Page 3]
Internet-Draft CPE Router Recommendations June 2008
Router may have a console or web interface for configuration. This
document defines the core set of features that are supported by the
CPE Router, however individual implementations may include value-
added features such as WLAN capability.
The core set of IPv6 features for the CPE Router includes
provisioning the CPE Router for IPv6, IPv6 data forwarding including
IPv6 multicast, CPE Router provisioning hosts on its LAN
interface(s), firewall, and QoS behavior. An IPv6 firewall is
discussed briefly in the Firewall section where the section refers
the draft-ietf-v6ops-cpe-simple-security
[I-D.ietf-v6ops-cpe-simple-security] for more details.
4. Router Initialization
Before the CPE Router is initialized, the device must have IPv6
enabled. The CPE Router should support the ability to disable its
IPv6 stack. The CPE Router also has the ability to block or forward
IPv6 traffic to and from the router's LAN interface(s). [RFC2669]
includes a MIB definition to block the IPv4 or IPv6 Ethertype in the
upstream or downstream interface(s) of a device such as the CPE
Router. Some portion of this MIB may need to be modified for use
with the CPE Router.
5. Basic IPv6 Provisioning
We recommend the CPE Router WAN interface acquire its global IPv6
address using DHCPv6 for administrative control of the router.
DHCPv6 IA_PD option can be used as described in [RFC3633]. Any of
DHCPv6, stateless autoconfiguration, or manual configuration may be
supported by the CPE router for IPv6 address configuration of the WAN
interface. Manual configuration is beyond the scope of this
document. The CPE Router first acquires its IPv6 addresses from the
Service Provider along with any other IPv6 configuration. Then the
CPE Router provisions its LAN interface(s) for IPv6 router
functionality. More details for provisioning the CPE Router are
given in the following sections.
5.1. Acquire Link-Local Address
If an interface of the CPE Router is configured for IPv6, when the
interface initializes itself, as per [RFC4862], the CPE Router must
create a link-local address for the interface. We recommend the CPE
Router use the EUI-64 identifier as a link-local address for each of
its interfaces. Refer to EUI-64 details in [RFC4291]. Further, as
per section 5.4 of [RFC4862], since the CPE Router supports link-
Singh & Beebee Expires January 1, 2009 [Page 4]
Internet-Draft CPE Router Recommendations June 2008
layer multicast on all of its interfaces draft-ietf-6man-node-req-bis
[I-D.ietf-6man-node-req-bis], it must perform Duplicate Address
Detection (DAD) on all unicast addresses. If the CPE Router detects
a duplicate address assigned to an interface, the CPE Router must not
send IPv6 packets from the interface.
5.2. Process RAs
The CPE Router must process incoming RAs received on the WAN
interface as specified in section 6.3 of [RFC4861]. The CPE Router
locates routers that reside on the attached WAN link from the
received RAs.
5.3. Acquire IPv6 address and other configuration parameters
The CPE Router must process RAs received on the WAN interface and as
instructed by the RA message, acquire global IPv6 address for WAN
interface using SLAAC or DHCPv6. As per [RFC4861] if the M bit is
set in the RA, the WAN interface must perform DHCPv6- if the O bit is
set in the RA, the WAN interface acquires other configuration
information using stateless DHCPv6 [RFC3736]. If the A bit in the RA
is clear or the RA does not include any Prefix Information Option
(PIO), the WAN interface must not perform SLAAC. IPv6 deployments
that configure RA to not include any PIO are discussed in
draft-ietf-6man-ipv6-subnet-model [I-D.ietf-6man-ipv6-subnet-model].
At any instance in time of the CPE Router operation, the router does
not forward any traffic between its WAN and LAN interface(s) if the
router has not completed IPv6 provisioning process that entails the
WAN and LAN interface(s) successfully acquiring global IPv6
addresses.
5.3.1. Details for DHCPv6 Address Acquisition
If the WAN interface uses DHCPv6, the interface sends a DHCPv6
Solicit message as described in section 17.1.1 of [RFC3315]. The
Solicit message must include an IA_NA option as specified by
[RFC3315], an IA_PD option as specified by [RFC3633], a Reconfigure
Accept option to inform the server that client is willing to accept
Reconfigure message from server, and the Options Request option that
includes the DNS Recursive Name server option as specified in
[RFC3646]. The Solicit may also include the Rapid Commit option if
the CPE Router is willing to accept a 2-message DHCPv6 exchange with
the server.
When the CPE Router processes a DHCPv6 response from the server, if
the response message (e.g. ADVERTISE or REPLY) received does not
include an IA_NA option, IA_PD option, or Reconfigure Accept option,
Singh & Beebee Expires January 1, 2009 [Page 5]
Internet-Draft CPE Router Recommendations June 2008
then the CPE Router has failed DHCPv6 address acquisition. If DHCPv6
succeeds, the CPE Router must perform DAD with the IPv6 address
acquired from DHCPv6. If the CPE Router detects a duplicate, the CPE
Router must send a DHCPv6 Decline message to the DHCPv6 server.
The CPE Router may support the Reconfigure Key Authentication
Protocol, as described in section 21.5 of [RFC3315]. The CPE Router
may also support prefix sub-delegation. Prefix sub-delegation
involves DHCPv6 server support with IA_PD on the CPE router and the
ability to provision the server from a DHCPv6 REPLY with IA_PD option
received on the WAN interface.
5.4. IPv6 Provisioning of home Devices
After the IPv6 address configuration for WAN interface is completed,
the CPE Router configures IPv6 address for LAN interface(s). If the
LAN interface(s) are switched or bridged ports, then the CPE Router
assigns a single global IPv6 address to a conceptual virtual
interface serving all the LAN interface(s). If each LAN interface is
a routed port, then the CPE router will assign a global IPV6 address
and unique subnet to each LAN interface. In either case, when the
CPE router needs to assign a single IPv6 address to LAN interface(s)
or multiple IPv6 addresses, the CPE Router redistributes the
addresses and subnets from the prefix received in IA_PD option by the
WAN port.
Once IPv6 address configuration of the LAN interface(s) is complete,
as per [RFC4862], the CPE Router sends Router Advertisements (RA) to
devices in the home. Hosts receiving the RA from LAN interface(s)
will process the RA and perform IPv6 address acquisition. This
document recommends the RA to be configured for stateless
autoconfiguration so that the prefix advertised in the RA is derived
from the IA_PD assigned to the CPE Router by the Service Provider;
the O-bit is also set so that the CPE Router can pass Domain Name
Server(s) IPv6 address(es) to home devices. The CPE Router obtained
the Domain Name Server(s) in OPTION_DNS_SERVERS option from the
DHCPv6 server when the CPE Router WAN interface completed DHCPv6.
The CPE Router may include a stateful DHCPv6 server to assign
addresses to home devices connected via the LAN interface(s) of the
CPE Router. However, we recommend that the CPE Router use SLAAC for
home devices.
5.5. Stateful DHCPv6 server requirements for the CPE Router
The CPE Router may support a stateful DHCPv6 server to serve clients
on the CPE Router LAN interface(s). If the CPE Router needs to
support a stateful DHCPv6 server, then more details will be added to
Singh & Beebee Expires January 1, 2009 [Page 6]
Internet-Draft CPE Router Recommendations June 2008
this section specifying the minimal functionality that the stateful
DHCPv6 server needs to support.
6. IPv6 Data forwarding
Each of the WAN and LAN interface(s) of the CPE Router must have its
own mac address. The CPE Router supports ND protocol on both the WAN
interface and LAN interface(s) to advertise itself as a router to
neighbors in the Service Provider and home networks.
The CPE Router forwards packets between the Service Provider and the
home network. To do this, the CPE Router needs to look up the
destination address of the packet in the routing table and decide
which route to use to forward the packet. Each protocol that the CPE
Router can forward packets for must have a separate routing table.
The CPE Router routing table will be initialized during CPE Router
initialization. The routing table is filled by directly connected,
static, and routing protocol routes.
The CPE Router consumes any packet destined to its WAN or LAN
interface. The CPE Router forwards other packets destined to hosts
attached to CPE Router LAN interface(s). Before forwarding a packet
in any direction from CPE router, the CPE Router will perform a MAC
rewrite operation that rewrites the source L2 address of the packet
with CPE Router's WAN or LAN interface MAC address. Any packet that
is not routable by the CPE Router must be dropped.
The CPE Router must support the ND protocol specified by [RFC4861].
Proxy Neighbor Advertisements as described in Section 7.2.8 of
[RFC4861] are not applicable to the CPE Router. Also note, as per
section 6.2.8 of [RFC4861] the link-local address on a router should
rarely change, if ever. As per [RFC2460], the CPE Router decrements
the Hop Limit by 1 for any packet it forwards. The packet is
discarded if Hop Limit is decremented to zero and the CPE Router also
sends an ICMP Time Exceeded message to the source of the packet.
6.1. IPv6 Multicast
The CPE Router needs to support multicast clients in the home. These
clients are connected to the CPE Router LAN interface(s). Therefore
the CPE Router must implement IPv6 multicast MLDv2 router
functionality as per [RFC3810] on each of the LAN interface(s).
Further, the IPv6 multicast router also maintains a conceptual
Multicast Client Database for each LAN interface which maintains
multicast client reception state for connected hosts. The CPE Router
builds the Multicast Client Database from MLD Reports messages
arriving at the LAN interface(s) from hosts in the home.
Singh & Beebee Expires January 1, 2009 [Page 7]
Internet-Draft CPE Router Recommendations June 2008
In the CPE Router downstream direction the device needs to forward
multicast data to LAN interface(s). In order to do that, the CPE
Router needs to support being a MLDv2 multicast Listener, defined in
[RFC3810], on the WAN interface. The CPE Router learns IPv6
multicast group membership information received on LAN interface(s)
and proxies the information on the WAN interface to the next upstream
multicast router. Multicast downstream packets arriving at the WAN
interface are forwarded to the respective LAN interface based on
information the CPE Router learned from LAN interface MLDv1/v2
Reports.
The CPE Router also merges all multicast connected client information
from all the LAN interface(s) in a conceptual IPv6 multicast Group
Membership Database. The WAN interface follows section 4.2 of
[RFC3810] to maintain the multicast reception interface state.
Therefore, if an entry in the IPv6 multicast Group Membership
Database changes, the CPE Router reports the change with an
unsolicited MLDv2 Report. Likewise, if the CPE Router WAN interface
is queried by an upstream multicast router, the CPE Router will
respond with information from the Group Membership Database. The
format of records in the Group Membership Database is specified in
section 7.2 of [RFC3810]. A record will exist per LAN interface and
per multicast address joined.
Querier Election rules as described in section 7.6.2 of [RFC3810] do
not apply to the CPE Router since the home network has only one
router. Therefore, the CPE Router must always act as an MLD querier
on its LAN interface(s).
The CPE Router maintains a conceptual Multicast Forwarding
Information Base (MFIB). To forward any multicast packet, the CPE
Router will lookup the multicast group and output interface list in
the MFIB. The CPE Router transmits IPv6 multicast packets out an
interface if and only if at least one receiving host is joined to the
corresponding group on the interface. Entries in the MFIB are added
and updated via the Multicast Client Database and the Group
Membership Database.
Consistent with the above model, the CPE Router may not implement the
router portion of MLDv2 for the WAN interface. Likewise, the LAN
interfaces on the CPE router may not implement an MLDv2 Multicast
Listener. However, if a user at home wants to create a new multicast
group and send multicast data to other nodes on the Service Provider
network, then the WAN port of the CPE Router will need to implement
the router portion of MLDv2 and the LAN port will need to implement
MLDv2 Multicast Listener. Furthermore, in this case, the router
implementation described above should be extended to handle multicast
traffic flowing in the upstream direction.
Singh & Beebee Expires January 1, 2009 [Page 8]
Internet-Draft CPE Router Recommendations June 2008
7. Other IPv6 Features
7.1. Path MTU Discovery Support
GRE tunnels, such as 6-to-4 tunnels (which may be terminated on the
CPE Router), can modify the default Ethernet MTU of 1500 bytes.
Also, in the future, Ethernet Jumbo frames (9000+ bytes) may also be
supported. Since the MTU can vary, a newly initiated TCP stream must
detect the largest packet that can be sent to the destination without
fragmentation. This can be detected using Path MTU Discovery
[RFC1981]. Packets which are too large to be forwarded along the
path from source to destination may generate an ICMPv6 Packet Too Big
message. The CPE Router must route back to the source any ICMPv6
Packet Too Big messages generated anywhere on this path.
7.2. Optional support for RIPv6
The CPE Router may support RIPv6 routing protocol [RFC2080] so that
RIPv6 operates between the CPE Router and the Service Provider
network. RIPv6 has scaling and security implications for the Service
Provider network where one Service Provider router may terminate
several tens of thousands of CPE routers. However, RIPv6 does
provide one solution from the CPE Router to the Service Provider
network for prefix route injection.
7.3. Firewall
The CPE Router must support an IPv6 Firewall feature. The firewall
may include features like access-control lists. The firewall may
support interpretation or recognition of most IPv6 extension header
information including inspecting fragmentation header. The firewall
needs to support stateful and stateless Packet Filters as follows.
7.3.1. Packet filters
The CPE Router needs to support packet filtering based on IP headers,
extended headers, UDP and TCP ports etc. There are numerous filters
mentioned (section 3.2) in draft-ietf-v6ops-cpe-simple-security
[I-D.ietf-v6ops-cpe-simple-security], like some that allow IKE, IPSec
packets while another filter may block Teredo packets.
8. Quality Of Service(QoS)
The CPE router may map the IPv6 Traffic Class field from [RFC2460] to
individual queues of different priority to provide differentiated
classes of service for traffic either destined to the LAN or WAN
interfaces (e.g. for IPTV service).
Singh & Beebee Expires January 1, 2009 [Page 9]
Internet-Draft CPE Router Recommendations June 2008
9. Security Considerations
Security considerations of a CPE router are covered by
draft-ietf-v6ops-cpe-simple-security
[I-D.ietf-v6ops-cpe-simple-security].
10. IANA Considerations
None.
11. Acknowledgements
Thanks (in alphabetical order) to Bernie Volz for his initial input
on the document.
12. References
12.1. Normative References
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
12.2. Informative References
[I-D.ietf-6man-ipv6-subnet-model]
Singh, H., Beebee, W., and E. Nordmark, "IPv6 Subnet
Model: the Relationship between Links and Subnet
Prefixes", draft-ietf-6man-ipv6-subnet-model-00 (work in
progress), May 2008.
[I-D.ietf-6man-node-req-bis]
Loughney, J., "IPv6 Node Requirements RFC 4294-bis",
draft-ietf-6man-node-req-bis-01 (work in progress),
February 2008.
[I-D.ietf-v6ops-cpe-simple-security]
Woodyatt, J., "Recommended Simple Security Capabilities in
Customer Premises Equipment for Providing Residential
IPv6 Internet Service",
draft-ietf-v6ops-cpe-simple-security-02 (work in
progress), February 2008.
[RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery
for IP version 6", RFC 1981, August 1996.
Singh & Beebee Expires January 1, 2009 [Page 10]
Internet-Draft CPE Router Recommendations June 2008
[RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
January 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC2669] St. Johns, M., "DOCSIS Cable Device MIB Cable Device
Management Information Base for DOCSIS compliant Cable
Modems and Cable Modem Termination Systems", RFC 2669,
August 1999.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", RFC 3633,
December 2003.
[RFC3646] Droms, R., "DNS Configuration options for Dynamic Host
Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
December 2003.
[RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol
(DHCP) Service for IPv6", RFC 3736, April 2004.
[RFC3810] Vida, R. and L. Costa, "Multicast Listener Discovery
Version 2 (MLDv2) for IPv6", RFC 3810, June 2004.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, September 2007.
Authors' Addresses
Hemant Singh
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, MA 01719
USA
Phone: +1 978 936 1622
Email: shemant@cisco.com
URI: http://www.cisco.com/
Singh & Beebee Expires January 1, 2009 [Page 11]
Internet-Draft CPE Router Recommendations June 2008
Wes Beebee
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, MA 01719
USA
Phone: +1 978 936 2030
Email: wbeebee@cisco.com
URI: http://www.cisco.com/
Singh & Beebee Expires January 1, 2009 [Page 12]
Internet-Draft CPE Router Recommendations June 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Singh & Beebee Expires January 1, 2009 [Page 13]