Skip to main content

Problem Statement for Default Address Selection in Multi-Prefix Environments: Operational Issues of RFC 3484 Default Rules
RFC 5220

Revision differences

Document history

Date Rev. By Action
2020-01-21
09 (System) Received changes through RFC Editor sync (added Verified Errata tag)
2015-10-14
09 (System) Notify list changed from v6ops-chairs@ietf.org, draft-ietf-v6ops-addr-select-ps@ietf.org to (None)
2012-08-22
09 (System) post-migration administrative database adjustment to the No Objection position for Jari Arkko
2012-08-22
09 (System) post-migration administrative database adjustment to the No Objection position for Tim Polk
2008-07-15
09 Cindy Morgan State Changes to RFC Published from RFC Ed Queue by Cindy Morgan
2008-07-15
09 Cindy Morgan [Note]: 'RFC 5220' added by Cindy Morgan
2008-07-15
09 (System) RFC published
2008-07-14
09 (System) IANA Action state changed to No IC from In Progress
2008-06-17
09 (System) IANA Action state changed to In Progress
2008-06-17
09 Cindy Morgan State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan
2008-06-17
09 Cindy Morgan IESG state changed to Approved-announcement sent
2008-06-17
09 Cindy Morgan IESG has approved the document
2008-06-17
09 Cindy Morgan Closed "Approve" ballot
2008-06-17
09 Ron Bonica State Changes to Approved-announcement to be sent from IESG Evaluation by Ron Bonica
2008-06-17
09 Ron Bonica State Changes to IESG Evaluation from Approved-announcement to be sent by Ron Bonica
2008-06-17
09 Ron Bonica State Changes to Approved-announcement to be sent from IESG Evaluation by Ron Bonica
2008-06-17
09 Ron Bonica State Changes to IESG Evaluation from Approved-announcement to be sent by Ron Bonica
2008-06-17
09 (System) New version available: draft-ietf-v6ops-addr-select-ps-09.txt
2008-06-16
09 Ron Bonica State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Ron Bonica
2008-06-16
09 Jari Arkko [Ballot Position Update] Position for Jari Arkko has been changed to No Objection from Discuss by Jari Arkko
2008-06-16
09 Jari Arkko
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an …
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an intentional difference?

In Setion 2.1.6 change:
  This case is an example of site-local or global prioritization
to:
  This case is an example of site-local or global unicast prioritization

Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.
2008-06-16
09 Jari Arkko
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an …
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an intentional difference?

In Setion 2.1.6 change:
  This case is an example of site-local or global prioritization
to:
  This case is an example of site-local or global unicast prioritization

Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.

> 4.  Security Considerations
>
>    When an intermediate router performs policy routing (e.g. source
>    address based routing), inappropriate address selection causes
>    unexpected routing.  For example, in the network described in 2.1.3,
>    when Host-A uses a default address selection policy and chooses an
>    inappropriate address, a packet sent to VPN can be delivered to a
>    location via the Internet.  This issue can lead to packet
>    eavesdropping or session hijack.

Perhaps, but it would require the attacker to have some way of sending the packet back to the correct path in order for a connection to be made.  I am not sure this is possible.
2008-06-16
09 Jari Arkko
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an …
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an intentional difference?

In Setion 2.1.6 change:
  This case is an example of site-local or global prioritization
to:
  This case is an example of site-local or global unicast prioritization

Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.

> 2.1.7.  Temporary Address Selection
>
>    RFC 3041 [RFC3041] defines a Temporary Address.  The usage of a
>    Temporary Address has both pros and cons.  That is good for viewing
>    web pages or communicating with the general public, but that is bad
>    for a service that uses address-based authentication and for logging
>    purposes.
>
>    If you could turn the temporary address on and off, that would be
>    better.  If you could switch its usage per service(destination
>    address), that would also be better.  The same situation can be found
>    when using HA and CoA in a MobileIP network.

I would think that this is described in detail in RFC3041.  It might be better to cite some of that text or point to it for more information.  I think this is a different class of problem than what we usually think of as "address selection".

> 4.  Security Considerations
>
>    When an intermediate router performs policy routing (e.g. source
>    address based routing), inappropriate address selection causes
>    unexpected routing.  For example, in the network described in 2.1.3,
>    when Host-A uses a default address selection policy and chooses an
>    inappropriate address, a packet sent to VPN can be delivered to a
>    location via the Internet.  This issue can lead to packet
>    eavesdropping or session hijack.

Perhaps, but it would require the attacker to have some way of sending the packet back to the correct path in order for a connection to be made.  I am not sure this is possible.
2008-06-16
09 Jari Arkko
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an …
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an intentional difference?

In Setion 2.1.6 change:
  This case is an example of site-local or global prioritization
to:
  This case is an example of site-local or global unicast prioritization

Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.

> 2.1.5.  Site Renumbering
>
>    RFC 4192 [RFC4192] describes a recommended procedure for renumbering
>    a network from one prefix to another.  An autoconfigured address has
>    a lifetime, so by stopping advertisement of the old prefix, the
>    autoconfigured address is eventually invalidated.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 7]
> Internet-Draft            Address Selection PS              January 2008
>
>
>    However, invalidating the old prefix takes a long time.  You cannot
>    stop routing to the old prefix as long as the old prefix is not
>    removed from the host.  This can be a tough issue for ISP network
>    administrators.
>
>                              +-----+---+
>                              | Gateway |
>                              +----+----+
>                                    |  2001:db8:b::/64  (new)
>                                    |  2001:db8:a::/64 (old)
>                          ------+---+----------
>                                |
>                            +--+-----+ 2001:db8:b::EUI64  (new)
>                            | Host-A | 2001:db8:a::EUI64 (old)
>                            +--------+
>
>                                [Fig. 5]
>

> 2.1.7.  Temporary Address Selection
>
>    RFC 3041 [RFC3041] defines a Temporary Address.  The usage of a
>    Temporary Address has both pros and cons.  That is good for viewing
>    web pages or communicating with the general public, but that is bad
>    for a service that uses address-based authentication and for logging
>    purposes.
>
>    If you could turn the temporary address on and off, that would be
>    better.  If you could switch its usage per service(destination
>    address), that would also be better.  The same situation can be found
>    when using HA and CoA in a MobileIP network.

I would think that this is described in detail in RFC3041.  It might be better to cite some of that text or point to it for more information.  I think this is a different class of problem than what we usually think of as "address selection".

> 4.  Security Considerations
>
>    When an intermediate router performs policy routing (e.g. source
>    address based routing), inappropriate address selection causes
>    unexpected routing.  For example, in the network described in 2.1.3,
>    when Host-A uses a default address selection policy and chooses an
>    inappropriate address, a packet sent to VPN can be delivered to a
>    location via the Internet.  This issue can lead to packet
>    eavesdropping or session hijack.

Perhaps, but it would require the attacker to have some way of sending the packet back to the correct path in order for a connection to be made.  I am not sure this is possible.
2008-06-16
09 Jari Arkko
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an …
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an intentional difference?

In Setion 2.1.6 change:
  This case is an example of site-local or global prioritization
to:
  This case is an example of site-local or global unicast prioritization

Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.

> 2.1.5.  Site Renumbering
>
>    RFC 4192 [RFC4192] describes a recommended procedure for renumbering
>    a network from one prefix to another.  An autoconfigured address has
>    a lifetime, so by stopping advertisement of the old prefix, the
>    autoconfigured address is eventually invalidated.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 7]
> Internet-Draft            Address Selection PS              January 2008
>
>
>    However, invalidating the old prefix takes a long time.  You cannot
>    stop routing to the old prefix as long as the old prefix is not
>    removed from the host.  This can be a tough issue for ISP network
>    administrators.
>
>                              +-----+---+
>                              | Gateway |
>                              +----+----+
>                                    |  2001:db8:b::/64  (new)
>                                    |  2001:db8:a::/64 (old)
>                          ------+---+----------
>                                |
>                            +--+-----+ 2001:db8:b::EUI64  (new)
>                            | Host-A | 2001:db8:a::EUI64 (old)
>                            +--------+
>
>                                [Fig. 5]
>
> 2.1.6.  Multicast Source Address Selection
>
>    This case is an example of Site-local or Global prioritization.  When
>    you send a multicast packet across site-borders, the source address
>    of the multicast packet must be a global scope address.  The longest

ULA's as defined in RFC4193 are global scope.  This document even says that in Section 2.2.3 paragraph 2.

>    matching algorithm, however, selects a ULA if the sending host has
>    both a ULA and a global address.
>
> 2.1.7.  Temporary Address Selection
>
>    RFC 3041 [RFC3041] defines a Temporary Address.  The usage of a
>    Temporary Address has both pros and cons.  That is good for viewing
>    web pages or communicating with the general public, but that is bad
>    for a service that uses address-based authentication and for logging
>    purposes.
>
>    If you could turn the temporary address on and off, that would be
>    better.  If you could switch its usage per service(destination
>    address), that would also be better.  The same situation can be found
>    when using HA and CoA in a MobileIP network.

I would think that this is described in detail in RFC3041.  It might be better to cite some of that text or point to it for more information.  I think this is a different class of problem than what we usually think of as "address selection".

> 4.  Security Considerations
>
>    When an intermediate router performs policy routing (e.g. source
>    address based routing), inappropriate address selection causes
>    unexpected routing.  For example, in the network described in 2.1.3,
>    when Host-A uses a default address selection policy and chooses an
>    inappropriate address, a packet sent to VPN can be delivered to a
>    location via the Internet.  This issue can lead to packet
>    eavesdropping or session hijack.

Perhaps, but it would require the attacker to have some way of sending the packet back to the correct path in order for a connection to be made.  I am not sure this is possible.
2008-06-16
09 Jari Arkko
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an …
[Ballot comment]
Please run a spell check, e.g., "addtional".

Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an intentional difference?

Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.

> 2.1.5.  Site Renumbering
>
>    RFC 4192 [RFC4192] describes a recommended procedure for renumbering
>    a network from one prefix to another.  An autoconfigured address has
>    a lifetime, so by stopping advertisement of the old prefix, the
>    autoconfigured address is eventually invalidated.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 7]
> Internet-Draft            Address Selection PS              January 2008
>
>
>    However, invalidating the old prefix takes a long time.  You cannot
>    stop routing to the old prefix as long as the old prefix is not
>    removed from the host.  This can be a tough issue for ISP network
>    administrators.
>
>                              +-----+---+
>                              | Gateway |
>                              +----+----+
>                                    |  2001:db8:b::/64  (new)
>                                    |  2001:db8:a::/64 (old)
>                          ------+---+----------
>                                |
>                            +--+-----+ 2001:db8:b::EUI64  (new)
>                            | Host-A | 2001:db8:a::EUI64 (old)
>                            +--------+
>
>                                [Fig. 5]
>
> 2.1.6.  Multicast Source Address Selection
>
>    This case is an example of Site-local or Global prioritization.  When
>    you send a multicast packet across site-borders, the source address
>    of the multicast packet must be a global scope address.  The longest

ULA's as defined in RFC4193 are global scope.  This document even says that in Section 2.2.3 paragraph 2.

>    matching algorithm, however, selects a ULA if the sending host has
>    both a ULA and a global address.
>
> 2.1.7.  Temporary Address Selection
>
>    RFC 3041 [RFC3041] defines a Temporary Address.  The usage of a
>    Temporary Address has both pros and cons.  That is good for viewing
>    web pages or communicating with the general public, but that is bad
>    for a service that uses address-based authentication and for logging
>    purposes.
>
>    If you could turn the temporary address on and off, that would be
>    better.  If you could switch its usage per service(destination
>    address), that would also be better.  The same situation can be found
>    when using HA and CoA in a MobileIP network.

I would think that this is described in detail in RFC3041.  It might be better to cite some of that text or point to it for more information.  I think this is a different class of problem than what we usually think of as "address selection".

> 4.  Security Considerations
>
>    When an intermediate router performs policy routing (e.g. source
>    address based routing), inappropriate address selection causes
>    unexpected routing.  For example, in the network described in 2.1.3,
>    when Host-A uses a default address selection policy and chooses an
>    inappropriate address, a packet sent to VPN can be delivered to a
>    location via the Internet.  This issue can lead to packet
>    eavesdropping or session hijack.

Perhaps, but it would require the attacker to have some way of sending the packet back to the correct path in order for a connection to be made.  I am not sure this is possible.
2008-06-16
09 Jari Arkko
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Please fix issues from Bob Hinden's review …
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Please fix issues from Bob Hinden's review (attached as a comment).
2008-06-16
09 Jari Arkko
[Ballot comment]
Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an intentional difference?

Bob Hinden's review (remaining parts): …
[Ballot comment]
Section 2.1.4 use fd0 and fd00. These are not the same thing. A typo, or an intentional difference?

Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.

> 2.1.5.  Site Renumbering
>
>    RFC 4192 [RFC4192] describes a recommended procedure for renumbering
>    a network from one prefix to another.  An autoconfigured address has
>    a lifetime, so by stopping advertisement of the old prefix, the
>    autoconfigured address is eventually invalidated.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 7]
> Internet-Draft            Address Selection PS              January 2008
>
>
>    However, invalidating the old prefix takes a long time.  You cannot
>    stop routing to the old prefix as long as the old prefix is not
>    removed from the host.  This can be a tough issue for ISP network
>    administrators.
>
>                              +-----+---+
>                              | Gateway |
>                              +----+----+
>                                    |  2001:db8:b::/64  (new)
>                                    |  2001:db8:a::/64 (old)
>                          ------+---+----------
>                                |
>                            +--+-----+ 2001:db8:b::EUI64  (new)
>                            | Host-A | 2001:db8:a::EUI64 (old)
>                            +--------+
>
>                                [Fig. 5]
>
> 2.1.6.  Multicast Source Address Selection
>
>    This case is an example of Site-local or Global prioritization.  When
>    you send a multicast packet across site-borders, the source address
>    of the multicast packet must be a global scope address.  The longest

ULA's as defined in RFC4193 are global scope.  This document even says that in Section 2.2.3 paragraph 2.

>    matching algorithm, however, selects a ULA if the sending host has
>    both a ULA and a global address.
>
> 2.1.7.  Temporary Address Selection
>
>    RFC 3041 [RFC3041] defines a Temporary Address.  The usage of a
>    Temporary Address has both pros and cons.  That is good for viewing
>    web pages or communicating with the general public, but that is bad
>    for a service that uses address-based authentication and for logging
>    purposes.
>
>    If you could turn the temporary address on and off, that would be
>    better.  If you could switch its usage per service(destination
>    address), that would also be better.  The same situation can be found
>    when using HA and CoA in a MobileIP network.

I would think that this is described in detail in RFC3041.  It might be better to cite some of that text or point to it for more information.  I think this is a different class of problem than what we usually think of as "address selection".

> 4.  Security Considerations
>
>    When an intermediate router performs policy routing (e.g. source
>    address based routing), inappropriate address selection causes
>    unexpected routing.  For example, in the network described in 2.1.3,
>    when Host-A uses a default address selection policy and chooses an
>    inappropriate address, a packet sent to VPN can be delivered to a
>    location via the Internet.  This issue can lead to packet
>    eavesdropping or session hijack.

Perhaps, but it would require the attacker to have some way of sending the packet back to the correct path in order for a connection to be made.  I am not sure this is possible.
2008-06-16
09 Jari Arkko
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.5 (Site Renumbering) says:

  RFC …
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.5 (Site Renumbering) says:

  RFC 4192 [RFC4192] describes a recommended procedure for renumbering
  a network from one prefix to another.  An autoconfigured address has
  a lifetime, so by stopping advertisement of the old prefix, the
  autoconfigured address is eventually invalidated.

  However, invalidating the old prefix takes a long time.  You cannot
  stop routing to the old prefix as long as the old prefix is not
  removed from the host.  This can be a tough issue for ISP network
  administrators.

  There is a technique of advertising the prefix with the preferred
  lifetime zero, however, RFC 4862 [RFC4862] 5.5.4 allows the use of a
  deprecated address for a new outgoing connection.  So, this technique
  isn't always perfect.

I would like the above text to be changed to "... 5.5.4 does not
absolutely prohibit the use of a deprecated address for a new outgoing
connection due to limitations relating to what applications are capable
of doing." RFC 4862 does say SHOULD NOT use deprecated address, after
all...

Please fix issues from Bob Hinden's review (attached as a comment).
2008-06-12
08 (System) New version available: draft-ietf-v6ops-addr-select-ps-08.txt
2008-06-12
07 (System) New version available: draft-ietf-v6ops-addr-select-ps-07.txt
2008-05-14
06 (System) New version available: draft-ietf-v6ops-addr-select-ps-06.txt
2008-04-21
05 (System) New version available: draft-ietf-v6ops-addr-select-ps-05.txt
2008-04-17
09 Tim Polk [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Discuss by Tim Polk
2008-02-27
09 Jari Arkko
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.4 says:

  In a few …
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.4 says:

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

But if we look at the IANA registry:

  2000::/3              Global Unicast          [RFC4291]      [3]
  4000::/3              Reserved by IETF        [RFC4291]
  6000::/3              Reserved by IETF        [RFC4291]
  8000::/3              Reserved by IETF        [RFC4291]
  A000::/3              Reserved by IETF        [RFC4291]
  C000::/3              Reserved by IETF        [RFC4291]
  E000::/4              Reserved by IETF        [RFC4291]
  F000::/5              Reserved by IETF        [RFC4291]
  F800::/6              Reserved by IETF        [RFC4291]
  FC00::/7              Unique Local Unicast    [RFC4193]
  FE00::/9              Reserved by IETF        [RFC4291]
  FE80::/10            Link Local Unicast      [RFC4291]
  FEC0::/10            Reserved by IETF        [RFC3879]      [4]
  FF00::/8              Multicast              [RFC4291]

Given that 2000 < FC00 and that above FC00 we have only two reserved
blocks (FE00 and FEC0), presumably you must mean a situation where
one of these reserved blocks are allocated for Global Unicast use?
I don't understand how the first bit affects this situation. Please
clarify. In an e-mail you wrote:

  About longest match, please think about the following case:
  dst addr= 8000::1
  src addr= 2001:1::1 and fd00:1::1(ULA)
 
  Here the source address will be fd00:1::1, because the matching
  bit length is 0 (2001:1::1) and 1(fd00:1::1).

This makes it clearer for me. Please include some of this in the spec.

Section 2.1.5 (Site Renumbering) says:

  RFC 4192 [RFC4192] describes a recommended procedure for renumbering
  a network from one prefix to another.  An autoconfigured address has
  a lifetime, so by stopping advertisement of the old prefix, the
  autoconfigured address is eventually invalidated.

  However, invalidating the old prefix takes a long time.  You cannot
  stop routing to the old prefix as long as the old prefix is not
  removed from the host.  This can be a tough issue for ISP network
  administrators.

  There is a technique of advertising the prefix with the preferred
  lifetime zero, however, RFC 4862 [RFC4862] 5.5.4 allows the use of a
  deprecated address for a new outgoing connection.  So, this technique
  isn't always perfect.

I would like the above text to be changed to "... 5.5.4 does not
absolutely prohibit the use of a deprecated address for a new outgoing
connection due to limitations relating to what applications are capable
of doing." RFC 4862 does say SHOULD NOT use deprecated address, after
all...

Please fix issues from Bob Hinden's review (attached as a comment).
2008-02-27
09 Jari Arkko
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.4 says:

  In a few …
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.4 says:

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

But if we look at the IANA registry:

  2000::/3              Global Unicast          [RFC4291]      [3]
  4000::/3              Reserved by IETF        [RFC4291]
  6000::/3              Reserved by IETF        [RFC4291]
  8000::/3              Reserved by IETF        [RFC4291]
  A000::/3              Reserved by IETF        [RFC4291]
  C000::/3              Reserved by IETF        [RFC4291]
  E000::/4              Reserved by IETF        [RFC4291]
  F000::/5              Reserved by IETF        [RFC4291]
  F800::/6              Reserved by IETF        [RFC4291]
  FC00::/7              Unique Local Unicast    [RFC4193]
  FE00::/9              Reserved by IETF        [RFC4291]
  FE80::/10            Link Local Unicast      [RFC4291]
  FEC0::/10            Reserved by IETF        [RFC3879]      [4]
  FF00::/8              Multicast              [RFC4291]

Given that 2000 < FC00 and that above FC00 we have only two reserved
blocks (FE00 and FEC0), presumably you must mean a situation where
one of these reserved blocks are allocated for Global Unicast use?
I don't understand how the first bit affects this situation. Please
clarify.

Section 2.1.5 (Site Renumbering) says:

  RFC 4192 [RFC4192] describes a recommended procedure for renumbering
  a network from one prefix to another.  An autoconfigured address has
  a lifetime, so by stopping advertisement of the old prefix, the
  autoconfigured address is eventually invalidated.

  However, invalidating the old prefix takes a long time.  You cannot
  stop routing to the old prefix as long as the old prefix is not
  removed from the host.  This can be a tough issue for ISP network
  administrators.

  There is a technique of advertising the prefix with the preferred
  lifetime zero, however, RFC 4862 [RFC4862] 5.5.4 allows the use of a
  deprecated address for a new outgoing connection.  So, this technique
  isn't always perfect.

I would like the above text to be changed to "... 5.5.4 does not
absolutely prohibit the use of a deprecated address for a new outgoing
connection due to limitations relating to what applications are capable
of doing." RFC 4862 does say SHOULD NOT use deprecated address, after
all...

Please fix issues from Bob Hinden's review (attached as a comment).
2008-02-27
09 Jari Arkko
[Ballot comment]
Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem …
[Ballot comment]
Bob Hinden's review (remaining parts):

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.

> 2.1.5.  Site Renumbering
>
>    RFC 4192 [RFC4192] describes a recommended procedure for renumbering
>    a network from one prefix to another.  An autoconfigured address has
>    a lifetime, so by stopping advertisement of the old prefix, the
>    autoconfigured address is eventually invalidated.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 7]
> Internet-Draft            Address Selection PS              January 2008
>
>
>    However, invalidating the old prefix takes a long time.  You cannot
>    stop routing to the old prefix as long as the old prefix is not
>    removed from the host.  This can be a tough issue for ISP network
>    administrators.
>
>                              +-----+---+
>                              | Gateway |
>                              +----+----+
>                                    |  2001:db8:b::/64  (new)
>                                    |  2001:db8:a::/64 (old)
>                          ------+---+----------
>                                |
>                            +--+-----+ 2001:db8:b::EUI64  (new)
>                            | Host-A | 2001:db8:a::EUI64 (old)
>                            +--------+
>
>                                [Fig. 5]
>
> 2.1.6.  Multicast Source Address Selection
>
>    This case is an example of Site-local or Global prioritization.  When
>    you send a multicast packet across site-borders, the source address
>    of the multicast packet must be a global scope address.  The longest

ULA's as defined in RFC4193 are global scope.  This document even says that in Section 2.2.3 paragraph 2.

>    matching algorithm, however, selects a ULA if the sending host has
>    both a ULA and a global address.
>
> 2.1.7.  Temporary Address Selection
>
>    RFC 3041 [RFC3041] defines a Temporary Address.  The usage of a
>    Temporary Address has both pros and cons.  That is good for viewing
>    web pages or communicating with the general public, but that is bad
>    for a service that uses address-based authentication and for logging
>    purposes.
>
>    If you could turn the temporary address on and off, that would be
>    better.  If you could switch its usage per service(destination
>    address), that would also be better.  The same situation can be found
>    when using HA and CoA in a MobileIP network.

I would think that this is described in detail in RFC3041.  It might be better to cite some of that text or point to it for more information.  I think this is a different class of problem than what we usually think of as "address selection".

> 4.  Security Considerations
>
>    When an intermediate router performs policy routing (e.g. source
>    address based routing), inappropriate address selection causes
>    unexpected routing.  For example, in the network described in 2.1.3,
>    when Host-A uses a default address selection policy and chooses an
>    inappropriate address, a packet sent to VPN can be delivered to a
>    location via the Internet.  This issue can lead to packet
>    eavesdropping or session hijack.

Perhaps, but it would require the attacker to have some way of sending the packet back to the correct path in order for a connection to be made.  I am not sure this is possible.
2008-02-25
09 (System) Sub state has been changed to AD Follow up from New Id Needed
2008-02-25
04 (System) New version available: draft-ietf-v6ops-addr-select-ps-04.txt
2008-02-08
09 (System) Removed from agenda for telechat - 2008-02-07
2008-02-07
09 Amy Vezza State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza
2008-02-07
09 David Ward [Ballot Position Update] New position, No Objection, has been recorded by David Ward
2008-02-07
09 Ross Callon [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon
2008-02-07
09 Lisa Dusseault [Ballot Position Update] New position, No Objection, has been recorded by Lisa Dusseault
2008-02-07
09 Jari Arkko
[Ballot comment]
Bob Hinden's review:

I just finished reading through the problem statement draft and have several comments.  In general the document is very imprecise …
[Ballot comment]
Bob Hinden's review:

I just finished reading through the problem statement draft and have several comments.  In general the document is very imprecise in it's use of terminology and in some places comes to a few incorrect conclusions.  It would be good to see this fixed before it is published.

Comments below.

Bob

-------------------

> Abstract
>
>    One physical network can carry multiple logical networks.  Moreover,

Suggest:

One physical link can carry multiple subnets.

Note:  The the use of the physical network and logical network isn't well defined.  I think the authors mean "physical link" and "subnet".  This should be fixed throughout the document.  The terminology in this document should be consistent with RFC4291.


>    we can use multiple physical networks at the same time in a host.  In
>    that environment, end hosts might have multiple IP addresses and be
>    required to use them selectively.  Without an appropriate source/
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 1]
> Internet-Draft            Address Selection PS              January 2008
>
>
>    destination address selection mechanism, the host will experience
>    some trouble in communication.  RFC 3484 defines both the source and

s/RFC 3484 defines both the source and/RFC 3484 defines default source and/

>    destination address selection algorithms, but the multi-prefix
>    environment considered here needs additional rules beyond those of
>    the default operation.  This document describes the possible problems
>    that end hosts could encounter in an environment with multiple
>    logical networks.
>
>
>
> 2.  Problem Statement
>
> 2.1.  Source Address Selection
>
> 2.1.1.  Multiple Routers on Single Interface
>
>                          ==================
>                          |    Internet    |
>                          ==================
>                              |          |
>          2001:db8:1000::/36 |          | 2001:db8:8000::/36
>                        +----+-+      +-+----+
>                        | ISP1 |      | ISP2 |
>                        +----+-+      +-+----+
>                              |          |
>          2001:db8:1000:::/48 |          | 2001:db8:8000::/48
>                      +------+---+ +----+-----+
>                      | Gateway1 | | Gateway2 |
>                      +--------+-+ +-+--------+
>                                |    |
>          2001:db8:1000:1::/64 |    | 2001:db8:8000:1::/64
>                                |    |
>                        -----+-+-----+------
>                              |
>                            +-+----+ 2001:db8:1000:1::EUI64
>                            | Host | 2001:db8:8000:1::EUI64
>                            +------+
>

"Gateway" is not defined in IPv6.  They should be called "Routers".

"2001:db8:1000:1::EUI64" is not a legal IPv6 address or correct.  IPv6 uses "Modified EUI64" to create Interface IDs, not EUI64.  I think the intent was that it be:

  2001:db8:1000:1::IID

but that needs some text explanation as it is by itself not a legal IPv6 address.

These errors occurs throughout the document and should be fixed.

> 2.1.3.  Half-Closed Network Problem
>
>    You can see a second typical source address selection problem in a
>    multihome site with global-closed mixed connectivity like in the
>    figure below.  In this case, Host-A is in a multihomed network and
>    has two IPv6 addresses, one delegated from each of the upstream ISPs.
>    Note that ISP2 is a closed network and does not have connectivity to
>    the Internet.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 5]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | 2001:db8:a000::1
>                            +-----+--+
>                                  |
>                        ==============  +--------+
>                        |  Internet  |  | Host-B | 2001:db8:8000::1
>                        ==============  +--------+
>                              |          |
>            2001:db8:1000:/36 |          | 2001:db8:8000::/36
>                        +----+-+  +-+---++
>                        | ISP1 |  | ISP2 | (Closed Network/VPN tunnel)
>                        +----+-+  +-+----+
>                              |      |
>            2001:db8:1000:/48 |      | 2001:db8:8000::/48
>                            ++-------++
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:1000:1::/64
>                                  |  2001:db8:8000:1::/64
>                        ------+---+----------
>                              |
>                          +--+-----+ 2001:db8:1000:1::EUI64
>                          | Host-A | 2001:db8:8000:1::EUI64
>                          +--------+
>
>                                [Fig. 3]
>
>    You do not need two physical network connections here.  The
>    connection from the Gateway to ISP2 can be a logical link over ISP1
>    and the Internet.
>
>    When Host-A starts the connection to Host-B in ISP2, the source
>    address of a packet that has been sent will be the one delegated from
>    ISP2, that is 2001:db8:8000:1::EUI64, because of rule 8 (longest
>    matching prefix) in RFC 3484.
>
>    Host-C is located somewhere on the Internet and has IPv6 address
>    2001:db8:a000::1.  When Host-A sends a packet to Host-C, the longest
>    matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
>    address.  In this case, the packet goes through ISP1 and may be
>    filtered by ISP1's ingress filter.  Even if the packet is not
>    filtered by ISP1, a return packet from Host-C cannot possibly be
>    delivered to Host-A because the return packet is destined for 2001:
>    db8:8000:1::EUI64, which is closed from the Internet.
>
>    The important point is that each host chooses a correct source
>    address for a given destination address as long as NAT does not exist
>    in the IPv6 world.

While the above is true, it seems to me that the problem described is one of have a set of addresses with different reachability.  I don't think any address selection procedure will solve this class of problems with out additional information (either learned or configured) about the reachability of each prefix.  I think it would be better if the problem statement document discussed this.

> 2.1.4.  Combined Use of Global and ULA
>
>                        ============
>                        | Internet |
>                        ============
>                              |
>                              |
>                          +----+----+
>                          |  ISP  |
>                          +----+----+
>                              |
>              2001:db8:a::/48 |
>                          +----+----+
>                          | Gateway |
>                          +-+-----+-+
>                            |    | 2001:db8:a:100::/64
>          fd01:2:3:200:/64 |    | fd01:2:3:100:/64
>                    -----+--+-  -+--+----
>                        |          |
>    fd01:2:3:200::EUI64 |          |      2001:db8:a:100::EUI64
>                    +----+----+    +-+----+ fd01:2:3:100::EUI64
>                    | Printer |    | Host |
>                    +---------+    +------+
>
>                                [Fig. 4]
>
>    As NAP [I-D.ietf-v6ops-nap] describes, using a ULA may be beneficial
>    in some scenarios.  If the ULA is used for internal communication,
>    packets with ULA need to be filtered at the Gateway.
>
>    There is no serious problem related to address selection in this
>    case, because of the dissimilarity between the ULA and the Global
>    Unicast Address.  The longest matching rule of RFC 3484 chooses the
>    correct address for both intra-site and extra-site communication.
>
>    In a few years, however, the longest matching rule will not be able
>    to choose the correct address anymore.  That is the moment when the
>    assignment of those Global Unicast Addresses starts, where the first
>    bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
>    including those whose first bit is 1, are assigned as Global Unicast
>    Addresses.

I don't understand the above paragraph.  What is going to happen in a few years?

>
> 2.1.5.  Site Renumbering
>
>    RFC 4192 [RFC4192] describes a recommended procedure for renumbering
>    a network from one prefix to another.  An autoconfigured address has
>    a lifetime, so by stopping advertisement of the old prefix, the
>    autoconfigured address is eventually invalidated.
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 7]
> Internet-Draft            Address Selection PS              January 2008
>
>
>    However, invalidating the old prefix takes a long time.  You cannot
>    stop routing to the old prefix as long as the old prefix is not
>    removed from the host.  This can be a tough issue for ISP network
>    administrators.
>
>                              +-----+---+
>                              | Gateway |
>                              +----+----+
>                                    |  2001:db8:b::/64  (new)
>                                    |  2001:db8:a::/64 (old)
>                          ------+---+----------
>                                |
>                            +--+-----+ 2001:db8:b::EUI64  (new)
>                            | Host-A | 2001:db8:a::EUI64 (old)
>                            +--------+
>
>                                [Fig. 5]
>
> 2.1.6.  Multicast Source Address Selection
>
>    This case is an example of Site-local or Global prioritization.  When
>    you send a multicast packet across site-borders, the source address
>    of the multicast packet must be a global scope address.  The longest

ULA's as defined in RFC4193 are global scope.  This document even says that in Section 2.2.3 paragraph 2.

>    matching algorithm, however, selects a ULA if the sending host has
>    both a ULA and a global address.
>
> 2.1.7.  Temporary Address Selection
>
>    RFC 3041 [RFC3041] defines a Temporary Address.  The usage of a
>    Temporary Address has both pros and cons.  That is good for viewing
>    web pages or communicating with the general public, but that is bad
>    for a service that uses address-based authentication and for logging
>    purposes.
>
>    If you could turn the temporary address on and off, that would be
>    better.  If you could switch its usage per service(destination
>    address), that would also be better.  The same situation can be found
>    when using HA and CoA in a MobileIP network.

I would think that this is described in detail in RFC3041.  It might be better to cite some of that text or point to it for more information.  I think this is a different class of problem than what we usually think of as "address selection".

>
> 2.2.  Destination Address Selection
>
> 2.2.1.  IPv4 or IPv6 prioritization
>
>    The default policy table gives IPv6 addresses higher precedence than
>    IPv4 addresses.  There seem to be many cases, however, where network
>    administrators want to control the address selection policy of end-
>    hosts the other way around.
>
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 8]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +---------+
>                            | Tunnel  |
>                            | Service |
>                            +--+---++-+
>                                |  ||
>                                |  ||
>                        ===========||==
>                        | Internet || |
>                        ===========||==
>                              |    ||
>                192.0.2.0/24 |    ||
>                        +----+-+  ||
>                        | ISP  |  ||
>                        +----+-+  ||
>                              |    ||
>                IPv4 (Native) |    || IPv6 (Tunnel)
>                192.0.2.0/26 |    ||
>                            ++-----++-+
>                            | Gateway |
>                            +----+----+
>                                  |  2001:db8:a:1::/64
>                                  |  192.0.2.0/28
>                                  |
>                        ------+---+----------
>                              |
>                            +-+----+ 2001:db8:a:1:EUI64
>                            | Host | 192.0.2.2
>                            +------+
>
>                                [Fig. 6]
>
>    In the figure above, a site has native IPv4 and tunneled-IPv6
>    connectivity.  Therefore, the administrator may want to set a higher
>    priority for using IPv4 than using IPv6 because the quality of the
>    tunnel network seems to be worse than that of the native transport.
>
> 2.2.2.  ULA and IPv4 dual-stack environment
>
>    This is a special form of IPv4 and IPv6 prioritization.  When an
>    enterprise has IPv4 Internet connectivity but does not yet have IPv6
>    Internet connectivity, and the enterprise wants to provide site-local
>    IPv6 connectivity, a ULA is the best choice for site-local IPv6
>    connectivity.  Each employee host will have both an IPv4 global or
>    private address and a ULA.  Here, when this host tries to connect to
>    Host-C that has registered both A and AAAA records in the DNS, the
>    host will choose AAAA as the destination address and the ULA for the
>    source address.  This will clearly result in a connection failure.
>
>
>
>
> Matsumoto, et al.        Expires July 31, 2008                [Page 9]
> Internet-Draft            Address Selection PS              January 2008
>
>
>                            +--------+
>                            | Host-C | AAAA = 2001:db8::80
>                            +-----+--+ A    = 192.0.2.1
>                                  |
>                        ============
>                        | Internet |
>                        ============
>                              |  no IPv6 connectivity
>                        +----+----+
>                        | Gateway |
>                        +----+----+
>                              |
>                              | fd01:2:3::/48 (ULA)
>                              | 192.0.2.128/25
>                            ++--------+
>                            | Router  |
>                            +----+----+
>                                  |  fd01:2:3:4::/64 (ULA)
>                                  |  192.0.2.240/28
>                        ------+---+----------
>                              |
>                            +-+----+ fd01:2:3:4::100 (ULA)
>                            | Host | 192.0.2.245
>                            +------+
>
>                                [Fig. 7]
>
> 2.2.3.  ULA or Global Prioritization
>
>    Differentiating services by the client's source address is very
>    common.  IP-address-based authentication is an typical example of
>    this.  Another typical example is a web service that has pages for
>    the public and internal pages for employees or involved parties.  Yet
>    another example is DNS zone splitting.
>
>    However, a ULA and IPv6 global address both have global scope, and
>    RFC3484 default rules do not specify which address should be given
>    priority.  This point makes IPv6 implementation of address-based
>    service differentiation a bit harder.
>
>

>                            +------+
>                            | Host |
>                            +-+--|-+
>                              |  |
>                      ===========|==
>                      | Internet | |
>                      ===========|==
>                            |    |
>                            |    |
>                        +----+-+  +-->+------+
>                        | ISP  +------+  DNS | 2001:db8:a::80
>                        +----+-+  +-->+------+ fc12:3456:789a::80
>                            |    |
>            2001:db8:a::/48 |    |
>        fc12:3456:789a::/48 |    |
>                        +----+----|+
>                        | Gateway ||
>                        +---+-----|+
>                            |    |    2001:db8:a:100::/64
>                            |    |    fc12:3456:789a:100::/64
>                          --+-+---|-----
>                              |  |
>                            +-+---|+ 2001:db8:a:100::EUI64
>                            | Host | fc12:3456:789a:100::EUI64
>                            +------+
>
>                                [Fig. 7]
>
>
> 3.  Conclusion
>
>    We have covered problems related to destination or source address
>    selection.  These problems have their roots in the situation where
>    end-hosts have multiple IP addresses.  In this situation, every end-
>    host must choose an appropriate destination and source address, which
>    cannot be achieved only by routers.
>
>    It should be noted that end-hosts must be informed about routing
>    policies of their upstream networks for appropriate address
>    selection.  A site administrator must consider every possible address
>    false-selection problem and take countermeasures beforehand.
>
>
> 4.  Security Considerations
>
>    When an intermediate router performs policy routing (e.g. source
>    address based routing), inappropriate address selection causes
>    unexpected routing.  For example, in the network described in 2.1.3,
>    when Host-A uses a default address selection policy and chooses an
>    inappropriate address, a packet sent to VPN can be delivered to a
>    location via the Internet.  This issue can lead to packet
>    eavesdropping or session hijack.

Perhaps, but it would require the attacker to have some way of sending the packet back to the correct path in order for a connection to be made.  I am not sure this is possible.
>
>    As documented in the security consideration section in RFC 3484,
>    address selection algorithms expose a potential privacy concern.
>    When a malicious host can make a target host perform address
>    selection, the malicious host can know multiple addresses attached to
>    the target host.  In a case like 2.1.4, if an attacker can make Host
>    to send a multicast packet and the Host performs the default address
>    selection algorithm, the attacker may be able to determine the ULAs
>    attached to the Host.

How would an attacker do this?

>
>    These security risks have roots in inappropriate address selection.
>    Therefore, if a countermeasure is taken, and hosts always select an
>    appropriate address that is suitable to a site's network structure
>    and routing, these risks can be avoided.
>
>
> 5.  IANA Considerations
>
>    This document has no actions for IANA.
>
> 6.  References

I am not sure I can understand why some references are Normative and others are Informative.  They seem to be about the same to me.
2008-02-07
09 Jari Arkko
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.4 says:

  In a few …
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.4 says:

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

But if we look at the IANA registry:

  2000::/3              Global Unicast          [RFC4291]      [3]
  4000::/3              Reserved by IETF        [RFC4291]
  6000::/3              Reserved by IETF        [RFC4291]
  8000::/3              Reserved by IETF        [RFC4291]
  A000::/3              Reserved by IETF        [RFC4291]
  C000::/3              Reserved by IETF        [RFC4291]
  E000::/4              Reserved by IETF        [RFC4291]
  F000::/5              Reserved by IETF        [RFC4291]
  F800::/6              Reserved by IETF        [RFC4291]
  FC00::/7              Unique Local Unicast    [RFC4193]
  FE00::/9              Reserved by IETF        [RFC4291]
  FE80::/10            Link Local Unicast      [RFC4291]
  FEC0::/10            Reserved by IETF        [RFC3879]      [4]
  FF00::/8              Multicast              [RFC4291]

Given that 2000 < FC00 and that above FC00 we have only two reserved
blocks (FE00 and FEC0), presumably you must mean a situation where
one of these reserved blocks are allocated for Global Unicast use?
I don't understand how the first bit affects this situation. Please
clarify.

Section 2.1.5 (Site Renumbering) says:

  RFC 4192 [RFC4192] describes a recommended procedure for renumbering
  a network from one prefix to another.  An autoconfigured address has
  a lifetime, so by stopping advertisement of the old prefix, the
  autoconfigured address is eventually invalidated.

  However, invalidating the old prefix takes a long time.  You cannot
  stop routing to the old prefix as long as the old prefix is not
  removed from the host.  This can be a tough issue for ISP network
  administrators.

I do not see where the problem is here. You make the preferred
lifetime zero, and eventually hosts will not use this address.

Maybe I'm missing something, please explain.

Section 2.1.7 says:

  when using HA and CoA in a MobileIP network.

Terms HA and CoA have not been defined in this document. Please expand.

Section 4 says:

  can make Host to send a multicast packet and the Host performs

s/Host/host/

Please fix issues from Bob Hinden's review (attached as a comment).
2008-02-07
09 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu
2008-02-07
09 Jari Arkko
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.4 says:

  In a few …
[Ballot discuss]
This is a great and much needed document, thanks for writing it.
However, a few issues:

Section 2.1.4 says:

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

But if we look at the IANA registry:

  2000::/3              Global Unicast          [RFC4291]      [3]
  4000::/3              Reserved by IETF        [RFC4291]
  6000::/3              Reserved by IETF        [RFC4291]
  8000::/3              Reserved by IETF        [RFC4291]
  A000::/3              Reserved by IETF        [RFC4291]
  C000::/3              Reserved by IETF        [RFC4291]
  E000::/4              Reserved by IETF        [RFC4291]
  F000::/5              Reserved by IETF        [RFC4291]
  F800::/6              Reserved by IETF        [RFC4291]
  FC00::/7              Unique Local Unicast    [RFC4193]
  FE00::/9              Reserved by IETF        [RFC4291]
  FE80::/10            Link Local Unicast      [RFC4291]
  FEC0::/10            Reserved by IETF        [RFC3879]      [4]
  FF00::/8              Multicast              [RFC4291]

Given that 2000 < FC00 and that above FC00 we have only two reserved
blocks (FE00 and FEC0), presumably you must mean a situation where
one of these reserved blocks are allocated for Global Unicast use?
I don't understand how the first bit affects this situation. Please
clarify.

Section 2.1.5 (Site Renumbering) says:

  RFC 4192 [RFC4192] describes a recommended procedure for renumbering
  a network from one prefix to another.  An autoconfigured address has
  a lifetime, so by stopping advertisement of the old prefix, the
  autoconfigured address is eventually invalidated.

  However, invalidating the old prefix takes a long time.  You cannot
  stop routing to the old prefix as long as the old prefix is not
  removed from the host.  This can be a tough issue for ISP network
  administrators.

I do not see where the problem is here. You make the preferred
lifetime zero, and eventually hosts will not use this address.

Maybe I'm missing something, please explain.

Section 2.1.7 says:

  when using HA and CoA in a MobileIP network.

Terms HA and CoA have not been defined in this document. Please expand.

Section 4 says:

  can make Host to send a multicast packet and the Host performs

s/Host/host/
2008-02-07
09 Jari Arkko
[Ballot discuss]
This is a great and much needed document, thanks for writing it. However, a few issues:

Section 2.1.4 says:

  In a few …
[Ballot discuss]
This is a great and much needed document, thanks for writing it. However, a few issues:

Section 2.1.4 says:

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

But if we look at the IANA registry:

  2000::/3              Global Unicast          [RFC4291]      [3]
  4000::/3              Reserved by IETF        [RFC4291]
  6000::/3              Reserved by IETF        [RFC4291]
  8000::/3              Reserved by IETF        [RFC4291]
  A000::/3              Reserved by IETF        [RFC4291]
  C000::/3              Reserved by IETF        [RFC4291]
  E000::/4              Reserved by IETF        [RFC4291]
  F000::/5              Reserved by IETF        [RFC4291]
  F800::/6              Reserved by IETF        [RFC4291]
  FC00::/7              Unique Local Unicast    [RFC4193]
  FE00::/9              Reserved by IETF        [RFC4291]
  FE80::/10            Link Local Unicast      [RFC4291]
  FEC0::/10            Reserved by IETF        [RFC3879]      [4]
  FF00::/8              Multicast              [RFC4291]

Given that 2000 < FC00 and that above FC00 we have only two reserved blocks (FE00 and FEC0), presumably you must mean a situation where one of these reserved blocks are allocated for Global Unicast use? I don't understand how the first bit affects this situation. Please clarify.

Section 2.1.5 (Site Renumbering) says:

  RFC 4192 [RFC4192] describes a recommended procedure for renumbering
  a network from one prefix to another.  An autoconfigured address has
  a lifetime, so by stopping advertisement of the old prefix, the
  autoconfigured address is eventually invalidated.

  However, invalidating the old prefix takes a long time.  You cannot
  stop routing to the old prefix as long as the old prefix is not
  removed from the host.  This can be a tough issue for ISP network
  administrators.

I do not see where the problem is here. You make the preferred lifetime zero, and eventually hosts will not use this address.

Maybe I'm missing something, please explain.

Section 2.1.7 says:

  when using HA and CoA in a MobileIP network.

Terms HA and CoA have not been defined in this document. Please expand.

Section 4 says:

  can make Host to send a multicast packet and the Host performs

s/Host/host/
2008-02-07
09 Jari Arkko
[Ballot discuss]
This is a great and much needed document, thanks for writing it. However, a few issues:

Section 2.1.4 says:

  In a few …
[Ballot discuss]
This is a great and much needed document, thanks for writing it. However, a few issues:

Section 2.1.4 says:

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

But if we look at the IANA registry:

  2000::/3              Global Unicast          [RFC4291]      [3]
  4000::/3              Reserved by IETF        [RFC4291]
  6000::/3              Reserved by IETF        [RFC4291]
  8000::/3              Reserved by IETF        [RFC4291]
  A000::/3              Reserved by IETF        [RFC4291]
  C000::/3              Reserved by IETF        [RFC4291]
  E000::/4              Reserved by IETF        [RFC4291]
  F000::/5              Reserved by IETF        [RFC4291]
  F800::/6              Reserved by IETF        [RFC4291]
  FC00::/7              Unique Local Unicast    [RFC4193]
  FE00::/9              Reserved by IETF        [RFC4291]
  FE80::/10            Link Local Unicast      [RFC4291]
  FEC0::/10            Reserved by IETF        [RFC3879]      [4]
  FF00::/8              Multicast              [RFC4291]

Given that 2000 < FC00 and that above FC00 we have only two reserved blocks (FE00 and FEC0), presumably you must mean a situation where one of these reserved blocks are allocated for Global Unicast use? I don't understand how the first bit affects this situation. Please clarify.
2008-02-07
09 Jari Arkko [Ballot Position Update] New position, Discuss, has been recorded by Jari Arkko
2008-02-07
09 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert
2008-02-06
09 Chris Newman [Ballot comment]
Ron,

The document write-up on the ballot is structured oddly and
is missing the document quality section.  Please try to fix this.
2008-02-06
09 Chris Newman [Ballot Position Update] New position, No Objection, has been recorded by Chris Newman
2008-02-06
09 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley
2008-02-06
09 Amanda Baber IANA Evaluation comments:

As described in the IANA Considerations section, we understand
this document to have NO IANA Actions.
2008-02-05
09 Tim Polk
[Ballot discuss]
In general, I found this document to be  easy to understand and quite useful.  This
does a nice job of laying out specific …
[Ballot discuss]
In general, I found this document to be  easy to understand and quite useful.  This
does a nice job of laying out specific scenarios and identifying the shortcomings of
the curent RFC 3484 address selection algorithms.

I did have problems with two specific statements, though.  These problems should
be straightforward to correct...

The last paragraph in section 2.1.3:

  The important point is that each host chooses a correct source
  address for a given destination address as long as NAT does not exist
  in the IPv6 world.

I have two problems with this statement.  (1) It is my understanding that
NATs *do* exist in the IPv6 world, and (2) I don't understand why the
statement needs to be qualified.  Wouldn't it be correct to simply state
the following?

  The important point is that each host chooses a correct source
  address for a given destination address.

If not, I would like to understand the impact of v6 nats on this problem!

The last two paragraphs in section 2.1.4 state:

  There is no serious problem related to address selection in this
  case, because of the dissimilarity between the ULA and the Global
  Unicast Address.  The longest matching rule of RFC 3484 chooses the
  correct address for both intra-site and extra-site communication.

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

According to http://www.iana.org/assignments/ipv6-address-space
"IANA unicast address assignments are currently limited to the IPv6
unicast address range of 2000::/3." There is a lot of unassigned IPv6
address space for Global Unicat Addresses whose first bit is 0, so "in
a few years" could be a stretch!  I would suggest a weaker statement,
along the following lines:

  This case does not presently create an address selection problem
  because of the dissimilarity between the ULA and currently allocated Global
  Unicast Addresses.  The longest matching rule of RFC 3484 chooses the
  correct address for both intra-site and extra-site communication.

  However, the longest matching rule will not be able to reliably choose 
  the correct address after the first assignment of Global Unicast Addresses
  where the first bit is 1.  In RFC 4291 [RFC4291], almost all address spaces
  of IPv6, including those whose first bit is 1, are assigned as Global Unicast
  Addresses.
2008-02-05
09 Tim Polk
[Ballot discuss]
In general, I found this document to be quite useful.  I did have problems with two specific statements, though.  These problems should be …
[Ballot discuss]
In general, I found this document to be quite useful.  I did have problems with two specific statements, though.  These problems should be straightforward to correct...

The last paragraph in section 2.1.3:

  The important point is that each host chooses a correct source
  address for a given destination address as long as NAT does not exist
  in the IPv6 world.

I have two problems with this statement.  (1) It is my understanding that
NATs *do* exist in the IPv6 world, and (2) I don't understand why the
statement needs to be qualified.  Wouldn't it be correct to simply state
the following?

  The important point is that each host chooses a correct source
  address for a given destination address.

If not, I would like to understand the impact of v6 nats on this problem!

The last two paragraphs in section 2.1.4 states:

  There is no serious problem related to address selection in this
  case, because of the dissimilarity between the ULA and the Global
  Unicast Address.  The longest matching rule of RFC 3484 chooses the
  correct address for both intra-site and extra-site communication.

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

According to http://www.iana.org/assignments/ipv6-address-space
"IANA unicast address assignments are currently limited to the IPv6
unicast address range of 2000::/3." There is a lot of unassigned IPv6
address space for Global Unicat Addresses whose first bit is 0, so "in
a few years" could be a stretch!  I would suggest a weaker statement,
along the following lines:

  This case does not presently create an address selection problem
  because of the dissimilarity between the ULA and currently allocated Global
  Unicast Addresses.  The longest matching rule of RFC 3484 chooses the
  correct address for both intra-site and extra-site communication.

  However, the longest matching rule will not be able to reliably choose 
  the correct address after the first assignment of Global Unicast Addresses
  where the first bit is 1.  In RFC 4291 [RFC4291], almost all address spaces
  of IPv6, including those whose first bit is 1, are assigned as Global Unicast
  Addresses.
2008-02-05
09 Tim Polk
[Ballot discuss]
In general, I found this document to be quite useful.  I did have problems with two specific statements, though.  These problems should be …
[Ballot discuss]
In general, I found this document to be quite useful.  I did have problems with two specific statements, though.  These problems should be straightforward to correct...

The last paragraph in section 2.1.3:

  The important point is that each host chooses a correct source
  address for a given destination address as long as NAT does not exist
  in the IPv6 world.

I have two problems with this statement.  (1) It is my understanding that
NATs *do* exist in the IPv6 world, and (2) I don't understand why the
statement needs to be qualified.  Wouldn't it be correct to simply state
the following?

  The important point is that each host chooses a correct source
  address for a given destination address.

If not, I would like to understand the impact of v6 nats on this problem!

The last two paragraphs in section 2.1.4 states:

  There is no serious problem related to address selection in this
  case, because of the dissimilarity between the ULA and the Global
  Unicast Address.  The longest matching rule of RFC 3484 chooses the
  correct address for both intra-site and extra-site communication.

  In a few years, however, the longest matching rule will not be able
  to choose the correct address anymore.  That is the moment when the
  assignment of those Global Unicast Addresses starts, where the first
  bit is 1.  In RFC 4291 [RFC4291], almost all address spaces of IPv6,
  including those whose first bit is 1, are assigned as Global Unicast
  Addresses.

According to http://www.iana.org/assignments/ipv6-address-space
"IANA unicast address assignments are currently limited to the IPv6
unicast address range of 2000::/3." There is a lot of unassigned IPv6
address space for Global Unicat Addresses whose first bit is 0, so "in
a few years" could be a stretch!  I would suggest a weaker statement,
along the following lines:

  This case does not presently create an address selection problem
  because of the dissimilarity between the ULA and currently allocated Global
  Unicast Addresses.  The longest matching rule of RFC 3484 chooses the
  correct address for both intra-site and extra-site communication.

  However, the longest matching rule will not be able to reliably choose 
  the correct address after the first assignment of Global Unicast Addresses
  where the first bit is 1.  In RFC 4291 [RFC4291], almost all address spaces
  of IPv6, including those whose first bit is 1, are assigned as Global Unicast
  Addresses.
2008-02-05
09 Tim Polk [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk
2008-01-29
09 Ron Bonica Placed on agenda for telechat - 2008-02-07 by Ron Bonica
2008-01-29
09 Ron Bonica [Ballot Position Update] New position, Yes, has been recorded for Ronald Bonica
2008-01-29
09 Ron Bonica Ballot has been issued by Ron Bonica
2008-01-29
09 Ron Bonica Created "Approve" ballot
2008-01-29
09 (System) Ballot writeup text was added
2008-01-29
09 (System) Last call text was added
2008-01-29
09 (System) Ballot approval text was added
2008-01-29
09 Ron Bonica State Changes to IESG Evaluation from AD Evaluation::AD Followup by Ron Bonica
2008-01-28
03 (System) New version available: draft-ietf-v6ops-addr-select-ps-03.txt
2007-12-28
09 Ron Bonica State Changes to AD Evaluation::AD Followup from Publication Requested by Ron Bonica
2007-12-28
09 Ron Bonica
The document is very well written. The following are a couple of comments.

1) Do the authors want this document to be published as PS …
The document is very well written. The following are a couple of comments.

1) Do the authors want this document to be published as PS or INFORMATIONAL. The tracker says INFORMATIONAL, but the document says STANDARDS TRACK. I recommend INFORMATIONAL.

2) Does Section 2.1.7 belong in the docuent. The rest of Section 2.1 talks about specific routing and forwarding problems. Section 2.1.7 talks about semantic(?) issues.
2007-12-05
09 Dinara Suleymanova
PROTO Write-up

> (1.a) Who is the Document Shepherd for this document?

Fred baker

> Has the Document Shepherd personally reviewed this version of the …
PROTO Write-up

> (1.a) Who is the Document Shepherd for this document?

Fred baker

> Has the Document Shepherd personally reviewed this version of the
> document and, in particular, does he or she believe this version is
> ready for forwarding to the IESG for publication?

Yes, and yes.

> (1.b) Has the document had adequate review both from key WG members
> and from key non-WG members? Does the Document Shepherd have any
> concerns about the depth or breadth of the reviews that have been
> performed?

The document process with this and the associated requirements
document has been rather complex. RFC 3484 is implemented in a
variety of OS's, but it has been too difficult to use operationally
for several reasons. This is the reason that the discussion has started.

Yes, there has been a great deal of working group discussion and
review, most of it face to face or offline.

> (1.c) Does the Document Shepherd have concerns that the document
> needs more review from a particular or broader perspective, e.g.,
> security, operational complexity, someone familiar with AAA,
> internationalization or XML?

It is operational people who are writing and discussing the document,
so I don't believe that further operational review is required. I
also believe that it doesn't bring up issues of the other types
mentioned here.

> (1.d) Does the Document Shepherd have any specific concerns or
> issues with this document that the Responsible Area Director and/or
> the IESG should be aware of? For example, perhaps he or she is
> uncomfortable with certain parts of the document, or has concerns
> whether there really is a need for it. In any event, if the WG has
> discussed those issues and has indicated that it still wishes to
> advance the document, detail those concerns here. Has an IPR
> disclosure related to this document been filed? If so, please
> include a reference to the disclosure and summarize the WG
> discussion and conclusion on this issue.

RFC 3484 has been difficult to use, and there is therefore a solution
needed. The development of the solution is expected to occur in 6man.
A problem statement and a requirements document are appropriate to
guide that discussion.

> (1.e) How solid is the WG consensus behind this document? Does it
> represent the strong concurrence of a few individuals, with others
> being silent, or does the WG as a whole understand and agree with it?

The working group seems to have a consensus around the problem and
the requirements. The solution is not agreed to yet.

> (1.f) Has anyone threatened an appeal or otherwise indicated
> extreme discontent? If so, please summarise the areas of conflict
> in separate email messages to the Responsible Area Director. (It
> should be in a separate email because this questionnaire is entered
> into the ID Tracker.)

no.

> (1.g) Has the Document Shepherd personally verified that the
> document satisfies all ID nits? (See http://www.ietf.org/ID-
> Checklist.html and http://tools.ietf.org/tools/idnits/).
> Boilerplate checks are not enough; this check needs to be thorough.
> Has the document met all formal review criteria it needs to, such
> as the MIB Doctor, media type and URI type reviews?

Yes, it does. The idnits tool complains about the use of db8:8000,
apparently checking for RFC 3849's 2001:DB8. The paragraph in
question is:

Host-C is located somewhere on the Internet and has IPv6 address
2001:db8:a000::1. When Host-A sends a packet to Host-C, the longest
matching algorithm chooses 2001:db8:8000:1::EUI64 for the source
address. In this case, the packet goes through ISP1 and may be
filtered by ISP1's ingress filter. Even if the packet is not
filtered by ISP1, a return packet from Host-C cannot possibly be
delivered to Host-A because the return packet is destined for 2001:
db8:8000:1::EUI64, which is closed from the Internet.

As you can see, the address wrapped around an end of line, and is
therefore not a real issue.

> (1.h) Has the document split its references into normative and
> informative? Are there normative references to documents that are
> not ready for advancement or are otherwise in an unclear state? If
> such normative references exist, what is the strategy for their
> completion? Are there normative references that are downward
> references, as described in [RFC3967]? If so, list these downward
> references to support the Area Director in the Last Call procedure
> for them [RFC3967].

the references are indeed split into normative and informational
references. there is no down-rev reference.

> (1.i) Has the Document Shepherd verified that the document IANA
> consideration section exists and is consistent with the body of the
> document? If the document specifies protocol extensions, are
> reservations requested in appropriate IANA registries? Are the IANA
> registries clearly identified? If the document creates a new
> registry, does it define the proposed initial contents of the
> registry and an allocation procedure for future registrations? Does
> it suggest a reasonable name for the new registry? See [RFC2434].
> If the document describes an Expert Review process has Shepherd
> conferred with the Responsible Area Director so that the IESG can
> appoint the needed Expert during the IESG Evaluation?

This document has no actions for IANA, and says as much.

> (1.j) Has the Document Shepherd verified that sections of the
> document that are written in a formal language, such as XML code,
> BNF rules, MIB definitions, etc., validate correctly in an
> automated checker?

there are no such sections.

> (1.k) The IESG approval announcement includes a Document
> Announcement Write-Up. Please provide such a Document Announcement
> Write-Up? Recent examples can be found in the "Action"
> announcements for approved documents. The approval announcement
> contains the following sections:

> Technical Summary: Relevant content can frequently be found in the
> abstract and/or introduction of the document. If not, this may be
> an indication that there are deficiencies in the abstract or
> introduction.

One physical network can carry multiple logical networks. Moreover,
we can use multiple physical networks at the same time in a
host. In
that environment, end hosts might have multiple IP addresses and be
required to use them selectively. Without an appropriate source/
destination address selection mechanism, the host will experience
some trouble in communication. RFC 3484 defines both the source and
destination address selection algorithms, but the multi-prefix
environment considered here needs additional rules beyond those of
the default operation. This document describes the possible
problems
that end hosts could encounter in an environment with multiple
logical networks.

> Working Group Summary: Was there anything in WG process that is
> worth noting? For example, was there controversy about particular
> points or were there decisions where the consensus was particularly
> rough?

The problem statement and requirements have been thoroughly discussed
and seem to have a reasonably strong consensus. The proposed solution
is not yet agreed to.

> Document Quality: Are there existing implementations of the
> protocol? Have a significant number of vendors indicated their plan
> to implement the specification? Are there any reviewers that merit
> special mention as having done a thorough review, e.g., one that
> resulted in important changes or a conclusion that the document had
> no substantive issues? If there was a MIB Doctor, Media Type or
> other expert review, what was its course (briefly)? In the case of
> a Media Type review, on what date was the request posted?




idnits 2.05.02

tmp/draft-ietf-v6ops-addr-select-ps-02.txt:
tmp/draft-ietf-v6ops-addr-select-ps-02.txt(327): Found possible IPv6
address 'db8:8000:1::0' in position 4; this doesn't match RFC3849's
suggested 2001:DB8::/32 address range or RFC4193's Unique Local
Address range FC00::/7.
--> db8:8000:1::EUI64, which is closed from the Internet.
^
tmp/draft-ietf-v6ops-addr-select-ps-02.txt(680): Appendix start:
Appendix A. Appendix. Revision History.
Appendix start: Appendix A. Appendix. Revision History

Checking boilerplate required by RFC 3978 and 3979, updated by RFC
4748
:

- ------------------------------------------------------------------------
- ----

No issues found here.

Checking nits according to http://www.ietf.org/ietf/1id-
guidelines.txt:

- ------------------------------------------------------------------------
- ----

No issues found here.

Checking nits according to http://www.ietf.org/ID-Checklist.html:

- ------------------------------------------------------------------------
- ----

** There are 1 instance of lines with non-RFC3849-compliant IPv6
addresses
in the document. If these are example addresses, they should
be changed.


Miscellaneous warnings:

- ------------------------------------------------------------------------
- ----

No issues found here.

Checking references for intended status: Proposed Standard

- ------------------------------------------------------------------------
- ----

(See RFC 3967 for information about using normative references to
lower-maturity documents in RFCs)

== Outdated reference: draft-ietf-v6ops-nap has been published as
RFC 4864

-- Obsolete informational reference (is this intentional?): RFC 3041
(Obsoleted by RFC 4941)


Summary: 1 error (**), 1 warning (==), 1 comment (--).
2007-12-05
09 Dinara Suleymanova Draft Added by Dinara Suleymanova in state Publication Requested
2007-10-12
02 (System) New version available: draft-ietf-v6ops-addr-select-ps-02.txt
2007-08-02
09 Samuel Weiler Request for Early review by SECDIR Completed. Reviewer: Tero Kivinen.
2007-07-06
09 Samuel Weiler Request for Early review by SECDIR is assigned to Tero Kivinen
2007-07-06
09 Samuel Weiler Request for Early review by SECDIR is assigned to Tero Kivinen
2007-04-05
01 (System) New version available: draft-ietf-v6ops-addr-select-ps-01.txt
2006-11-10
00 (System) New version available: draft-ietf-v6ops-addr-select-ps-00.txt