Cisco Systems

Santa Barbara 93117 California USA fred@cisco.com

Department of Computer Science University of Auckland PB 92019 Auckland 1142 New Zealand brian.e.carpenter@gmail.com

Internet IPv6 Maintenance This note describes expected IPv6 host behavior in a network that has more than one prefix, each allocated by an upstream network that implements BCP 38 ingress filtering, when the host has multiple routers to choose from. It also applies to other scenarios such as the usage of stateful firewalls that effectively act as address-based filters. This host behavior may interact with source address selection in a given implementation, but logically follows it. Given that the network or host is, or appears to be, multihomed with multiple provider-allocated addresses, that the host has elected to use a source address in a given prefix, and that some but not all neighboring routers are advertising that prefix in their Router Advertisement Prefix Information Options, this document specifies to which router a host should present its transmission. It updates RFC 4861.

This note describes the expected behavior of an IPv6 host in a network that has more than one prefix, each allocated by an upstream network that implements BCP 38 ingress filtering, and in which the host is presented with a choice of routers. It expects that the network will implement some form of egress routing, so that packets sent to a host outside the local network from a given ISP's prefix will go to that ISP. If the packet is sent to the wrong egress, it is liable to be discarded by the BCP 38 filter. However, the mechanics of egress routing once the packet leaves the host are out of scope. The question here is how the host interacts with that network. BCP 38 filtering by ISPs is not the only scenario where such behavior is valuable. The combination of existing recommendations for home gateways can also result in such filtering. Another case is when the connections to the upstream networks include stateful firewalls, such that return packets in a stream will be discarded if they do not return via the firewall that created state for the outgoing packets. A similar cause of such discards is unicast reverse path forwarding (uRPF) . In this document, the term "filter" is used for simplicity to cover all such cases. In any case, one cannot assume the host to be aware whether an ingress filter, a stateful firewall, or any other type of filter is in place. Therefore, the only safe solution is to implement the features defined in this document. Note that, apart from ensuring that a message with a given source address is given to a first-hop router that appears to know about the prefix in question, this specification is consistent with . Nevertheless, implementers of Sections 5.2, 6.2.3, 6.3.4 and 8 of RFC 4861 will need to extend their implementations accordingly. This specification is fully consistent with and implementers will need to add support for its Rule 5.5. Hosts that do not support these features may fail to communicate in the presence of filters as described above.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

A host receives prefixes in a Router Advertisement, which goes on to identify whether they are usable by SLAAC . When no prefixes are usable for SLAAC, the Router Advertisement would normally signal the availability of DHCPv6 and the host would use it to configure its addresses. In the latter case (or if both SLAAC and DHCPv6 are used on the same link for some reason) it will be generally the case that the configured addresses match one of the prefixes advertised in a Router Advertisement that are supposed to be in that link. The simplest multihomed network implementation in which a host makes choices among routers might be a LAN with one or more hosts on it and two or more routers, one for each upstream network, or a host that is served by disjoint networks on separate interfaces. In such a network, especially the latter, there is not necessarily a routing protocol, and the two routers may not even know that the other is a router as opposed to a host, or may be configured to ignore its presence. One might expect that the routers may or may not receive each other's RAs and form an address in the other router's prefix (which is not per , but is implemented by some stub router implementations). However, all hosts in such a network might be expected to create an address in each prefix so advertised.

If there is no routing protocol among those routers, there is no mechanism by which packets can be deterministically forwarded between the routers (as described in BCP 84) in order to avoid filters. Even if there was routing, it would result in an indirect route, rather than a direct route originating with the host; this is not "wrong", but can be inefficient. Therefore the host would do well to select the appropriate router itself. Since the host derives fundamental default routing information from the Router Advertisement, this implies that, in any network with hosts using multiple prefixes, each prefix SHOULD be advertised via a Prefix Information Option (PIO) by one of the attached routers, even if addresses are being assigned using DHCPv6. A router that advertises a prefix indicates that it is able to appropriately route packets with source addresses within that prefix, regardless of the setting of the L and A flags in the PIO. In some circumstances both L and A might be zero. Although this does not violate the existing standard , such a PIO has not previously been common, and it is possible that existing host implementations simply ignore such a PIO or that a router implementation rejects such a PIO as a configuration error. Newer implementations that support this mechanism will need to be updated accordingly: a host SHOULD NOT ignore a PIO simply because both L and A flags are cleared; a router SHOULD be able to send such a PIO.

The direct implication of is that routing protocols used in multihomed networks SHOULD be capable of source-prefix based egress routing, and that multihomed networks SHOULD deploy them.

Default Router Selection is modified as follows: A host SHOULD select default routers for each prefix it is assigned an address in. Routers that have advertised the prefix in its Router Advertisement message SHOULD be preferred over routers that do not advertise the prefix. As a result of doing so, when a host sends a packet using a source address in one of those prefixes and has no history directing it otherwise, it SHOULD send it to the indicated default router. In the "simplest" network described in , that would get it to the only router that is directly capable of getting it to the right ISP. This will also apply in more complex networks, even when more than one physical or virtual interface is involved. In more complex cases, wherein routers advertise RAs for multiple prefixes whether or not they have direct or isolated upstream connectivity, the host is dependent on the routing system already. If the host gives the packet to a router advertising its source prefix, it should be able to depend on the router to do the right thing.

There is an interaction with Default Address Selection. Rule 5.5 of that specification states that the source address used to send to a given destination address should if possible be chosen from a prefix known to be advertised by the first-hop router for that destination. This selection rule would be applicable in a host following the recommendation in the previous paragraph.

There is potential for adverse interaction with any off-link Redirect (Redirect for a GUA destination that is not on-link) message sent by a router in accordance with Section 8 of . Hosts SHOULD apply off-link redirects only for the specific pair of source and destination addresses concerned, so the host's Destination Cache may need to contain appropriate source-specific entries.

Some modern hosts maintain history, in terms of what has previously worked or not worked for a given address or prefix and in some cases the effective window and MSS values for TCP or other protocols. This might include a next hop address for use when a packet is sent to the indicated address. When such a host makes a successful exchange with a remote destination using a particular address pair, and the host has previously received a PIO that matches the source address, then the host SHOULD include the prefix in such history, whatever the setting of the L and A flags in the PIO. On subsequent attempts to communicate with that destination, if it has an address in that prefix at that time, a host MAY use an address in the remembered prefix for the session.

Consider a network where routers on a link run a routing protocol and are configured with the same information. Thus, on each link all routers advertise all prefixes on the link. The assumption that packets will be forwarded to the appropriate egress by the local routing system might cause at least one extra hop in the local network (from the host to the wrong router, and from there to another router on the same link). In a slightly more complex situation such as the disjoint LAN case of , which happens to be one of the authors' home plus corporate home-office configuration, the two upstream routers might be on different LANs and therefore different subnets (e.g., the host is itself multi-homed). In that case, there is no way for the "wrong" router to detect the existence of the "right" router, or to route to it. In such a case it is particularly important that hosts take the responsibility to memorize and select the best first-hop as described in .

This memo asks the IANA for no new parameters.

This document does not create any new security or privacy exposures. It is intended to avoid connectivity issues in the presence of BCP 38 ingress filters or stateful firewalls combined with multihoming. There might be a small privacy improvement, however: with the current practice, a multihomed host that sends packets with the wrong address to an upstream router or network discloses the prefix of one upstream to the other upstream network. This practice reduces the probability of that occurrence.

Comments were received from Jinmei Tatuya and Ole Troan, who have suggested important text, plus Mikael Abrahamsson, Steven Barth, Juliusz Chroboczek, Toerless Eckert, David Farmer, Pierre Pfister, Mark Smith, Dusan Mudric, and James Woodyatt.

2015-08-05 Update text on PIOs, added text on Redirects, and clarified the concept of a "simple" network, 2015-08-13. Clarifications after WG discussions, 2015-08-19. More clarifications after more WG discussions, especially adding stateful firewalls, uRPF, and more precise discussion of RFC 4861, 2015-09-03.