simpler prefix delegation
Pekka Savola <pekkas@netcore.fi> Thu, 18 March 2004 08:56 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA27988 for <ipv6-archive@odin.ietf.org>; Thu, 18 Mar 2004 03:56:43 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3tK2-0004Eh-K5 for ipv6-archive@odin.ietf.org; Thu, 18 Mar 2004 03:56:15 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i2I8uEIv016283 for ipv6-archive@odin.ietf.org; Thu, 18 Mar 2004 03:56:14 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3tK1-0004EX-Vd for ipv6-web-archive@optimus.ietf.org; Thu, 18 Mar 2004 03:56:14 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA27935 for <ipv6-web-archive@ietf.org>; Thu, 18 Mar 2004 03:56:11 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B3tJz-0001Gm-00 for ipv6-web-archive@ietf.org; Thu, 18 Mar 2004 03:56:11 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B3tJ1-00017s-00 for ipv6-web-archive@ietf.org; Thu, 18 Mar 2004 03:55:12 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1B3tI4-0000zG-00 for ipv6-web-archive@ietf.org; Thu, 18 Mar 2004 03:54:12 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3tGw-0003nU-O4; Thu, 18 Mar 2004 03:53:02 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B3tGH-0003jL-7C for ipv6@optimus.ietf.org; Thu, 18 Mar 2004 03:52:21 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA27792 for <ipv6@ietf.org>; Thu, 18 Mar 2004 03:52:18 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B3tGE-0000ko-00 for ipv6@ietf.org; Thu, 18 Mar 2004 03:52:18 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B3tFH-0000df-00 for ipv6@ietf.org; Thu, 18 Mar 2004 03:51:20 -0500
Received: from netcore.fi ([193.94.160.1]) by ietf-mx with esmtp (Exim 4.12) id 1B3tEr-0000VS-00 for ipv6@ietf.org; Thu, 18 Mar 2004 03:50:54 -0500
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id i2I8oLY27064; Thu, 18 Mar 2004 10:50:21 +0200
Date: Thu, 18 Mar 2004 10:50:21 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: ipv6@ietf.org
cc: skylane@etri.re.kr, erik.nordmark@sun.com
Subject: simpler prefix delegation
Message-ID: <Pine.LNX.4.44.0403181040540.26360-100000@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Hi, This started from me looking at draft-bykim-ipv6-hpd-01.txt, what it was before that, DHCPv6 + PD, a few proposals at v6ops for integrated prefix delegation, etc.. -- I couldn't help thinking, "there must be an easier way to delegate an IPv6 prefix in the simplest setups (e.g., when v6 connectivity is obtained through a tunnel) -- DHCPv6 is way too heavy-weight". This is where I got. Thoughts appreciated. Problems with the spec (draft-bykim-ipv6-hpd-01.txt) ---------------------- I think this is a useful continuation of Brian/Jim's Automatic Prefix Delegation work. All the problems in the world are not necessarily solved by DHCPv6... so I think developing an extremely simple PD protocol could be very useful. The applicability area I see for this are the cases where DHCPv6 is not being used, especially when the ISP wants to offer IPv6 support very simply, using a tunnel. However, this document goes into a bit too complex direction. There are multiple problems with the approach as-is: - Why use PrefixCnt, and not PrefixLen when sending the Delegator Query? The most important thing is the length of the desired prefix, not the number of them, after all. The whole PrefixCnt thing seems fishy to me, all in all -- the same information can be obtained by using an appropriate PrefixLen! - Similarly, PrefixDiff doesn't seem to be all that useful. - CGA security does not work unless you use Signature options from SEND as well, so that can be scrapped. - 2 roundtrips are needed, with 4 different messages to get a prefix: a bit too many for my taste. - The draft makes confusion about "built-in routing". That sort of thing is integrated with prefix delegation in any case: you can't have it without -- as static routes are set in any case. This seems unnecessary to mention here. - The scope is not clear; why would one need hierarchical prefix delegation where one would not use routing? That is, if one gets a /64, it cannot be delegated (in a meaningful way) forward. If one gets a /48 (e.g., on a home network), why would one need to delegate it forward -- are there routers there, requesting smaller prefixes -- I hope not! And in an Enterprise, you want to set this up manually in any case. So the whole hierarchical part appears to be really fishy, and should be removed unless clear justification is found. So -- I think think the spec has suffered from a serious feature creep, with little regard to the actual user needs. But, I'd still propose to go forward with this (or another document, started from scratch), in an entirely different format and design tradeoffs, as described below. I could write it, but I would prefer if someone else wanted to work on this (too many things in progress at the moment.) Current model is basically like: -------------------------------- 1. Delegator Query, looking up the delegators and signalling the number of prefixes solicited (no prefix length?). 2. Response w/ nmber of prefixes and prefix len difference (how?) 3. Prefix Request to request prefixes (not telling which) 4. Response w/ prefix delegated Return: prefix returned message -- replied with prefix returned. Renewal: renewal message. As you see, there are a lot of different messages, with different subcodes: really difficult to understand.. Proposal -------- Instead, use Neighbor Discovery messages rather than directly putting them on top of ICMPv6. This gives the benefit of being able to use all the functions of SEND without any specification, as SEND only protects neighbor discovery messages (and all of them, if you just plug in the signatures etc!). [[ the features in double brackets are ones that could be easily added, but IMHO I'm not sure whether that is worth the effort. ]] Now, the messages could be like: Prefix Solicitation: sent to "all-prefix-delegators" link-local multicast address or a unicast address (learned using means outside the scope of this memo; but link local) * addresses checked to be link-local, TTL=255. (same for all the messages.) * Includes PrefixLen field, indicating the preference for the prefix length * Includes a "Test" flag: if given, the routers does not actually delegate the prefix, only show which prefix they would have given. (This can be used to pick among the routers, as well as learn which kind of prefixes/lengths they would be giving. But the point is that if there are multiple routers which are willing to give you a prefix, why not get prefix from each unless explicitly desiring otherwise?) * Includes a "No Refresh" flag: if given, do not refresh the existing prefixes, but allocate new ones; the old ones continue to be used. If not given, refresh the old prefixes (if delegated) or allocate new ones (if no existing delegation). * [[ no PrefixCnt field, as this seems unnecessary -- just use PrefixLen or ask again -- but could be plugged in later if deemed necessary ]] * [[ no authentication/user identification options; authentication is assumed to be obtained on the link layer. However, it is possible to include Authentication type and length fields (1 octet each) which can be used to piggyback different kinds of authentication information, later on if needed. Authentication could also be done with SEND. ]] * [[ one could have "reverse DNS delegation requested" flag here as well, with an option which could encode DNS server address(es), but I don't think that's really important for mainstream use.]] Prefix Delegation: sent to the unicast link-local address of solicitor * includes Test flag, to indicate whether delegation was really done * [[ could also have reverse DNS delegated flag, as described above, but IMHO doesn't seem to be really important for now.]] * includes the prefix(es) delegated to the user. [[ each prefix could have a lifetime as well; lifetime of zero means "not specified" -- no refreshing is needed as long as NUD works. If lifetime not specified, the lifetime of RAs on downstream interfaces SHOULD NOT be greater than 7200 seconds. ]] [[ Prefix Maintenance: miscellaneous messages * code 0: return the prefix; used by the solicitor to give back a prefix, either when ceasing to use it or when refusing the prefix delegation. ]] -- could be used for serious DoS unless authenticated. The solicititor SHOULD run NUD on the interface. If NUD fails to the routers which have delegated prefix(es), MAY send a Prefix Solicitation message with "No Refresh" not set (to know whether the delegation exists; if it doesn't, to get a new one). If some other indication has been received that the interface has went up/down, may similarly re-initiate the procedure. Would this seem to make sense? This also fulfills the prefix delegation requirements draft's requirements pretty well AFAICS. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- Re: simpler prefix delegation Pekka Savola
- simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Ralph Droms
- Re: simpler prefix delegation Ole Troan
- Re: simpler prefix delegation Ole Troan
- Re: simpler prefix delegation Laurent.Clevy
- Re: simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Pekka Savola
- RE: simpler prefix delegation BINET David FTRD/DMI/CAE
- Re: simpler prefix delegation Alain Durand
- Re: simpler prefix delegation Brian E Carpenter
- Re: simpler prefix delegation Christian Strauf
- RE: simpler prefix delegation Byung-Yeob Kim
- Re: simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Ralph Droms
- Re: simpler prefix delegation Pekka Savola
- Re: simpler prefix delegation Ole Troan
- RE: simpler prefix delegation Christian Huitema
- Re: simpler prefix delegation JINMEI Tatuya / 神明達哉
- Re: simpler prefix delegation Erik Nordmark
- Re: simpler prefix delegation Fred Templin
- Re: simpler prefix delegation Ralph Droms
- Re: simpler prefix delegation Wataru Kawakami -ipv4-
- Re: simpler prefix delegation Ole Troan
- RE: simpler prefix delegation matthew.ford
- Re: simpler prefix delegation Ralph Droms
- Re: simpler prefix delegation Shin Miyakawa