💾 Archived View for gmi.noulin.net › rfc › rfc4219.gmi captured on 2022-01-08 at 20:04:44. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Keywords: security threats, internet protocol version 6
Network Working Group E. Lear Request for Comments: 4219 Cisco Systems Category: Informational October 2005 Things Multihoming in IPv6 (MULTI6) Developers Should Think About Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This document specifies a set of questions that authors should be prepared to answer as part of a solution to multihoming with IPv6. The questions do not assume that multihoming is the only problem of interest, nor do they demand a more general solution. Table of Contents 1. Introduction ....................................................3 1.1. Reading this Document ......................................3 2. On the Wire Behavior ............................................4 2.1. How will your solution solve the multihoming problem? ......4 2.2. At what layer is your solution applied, and how? ...........4 2.3. Why is the layer you chose the correct one? ................4 2.4. Does your solution address mobility? .......................4 2.5. Does your solution expand the size of an IP packet? ........4 2.6. Will your solution add additional latency? .................4 2.7. Can multihoming capabilities be negotiated end-to-end during a ........................................4 2.8. Do you change the way fragmenting is handled? ..............5 2.9. Are there any layer 2 implications to your proposal? .......5 3. Identifiers and Locators ........................................5 3.1. Uniqueness .................................................5 3.2. Does your solution provide for a split between identifiers and ............................................5 3.3. What is the lifetime of a binding from an identifier to a locator? ...................................5 3.4. How is the binding updated? ................................5 3.5. How does a host know its identity? .........................5 3.6. Can a host have multiple identifiers? ......................5 Lear Informational [Page 1] RFC 4219 MULTI6 Solution Questionnaire October 2005 3.7. If you have separate locators and identifiers, how will they be ...............................................5 3.8. Does your solution create an alternate "DNS-like" service? ...................................................5 3.9. Please describe authentication/authorization ...............6 3.10. Is your mechanism hierarchical? ...........................6 3.11. Middlebox interactions ....................................6 3.12. Are there any implications for scoped addressing? .........6 4. Routing System Interactions .....................................6 4.1. Does your solution change existing aggregation methods? ....6 4.2. Does the solution solve traffic engineering requirements? ..7 4.3. Does the solution offer ways for the site to manage its traffic ................................................7 4.4. If you introduce any new name spaces, do they require aggregation? .......................................7 4.5. Does your solution interact with Autonomous System numbering? .................................................7 4.6. Are there any changes to ICMP error semantics? .............7 5. Name Service Interactions .......................................7 5.1. Please explain the relationship of your solution to DNS ....7 5.2. Please explain interactions with "2-faced" DNS .............7 5.3. Does your solution require centralized registration? .......8 5.4. Have you checked for DNS circular dependencies? ............8 5.5. What if a DNS server itself is multihomed? .................8 5.6. What additional load will be placed on DNS servers? ........8 5.7. Any upstream provider support required? ....................8 5.8. How do you debug connectivity? .............................8 6. Application Concerns and Backward Compatibility .................8 6.1. What application/API changes are needed? ...................8 6.2. Is this solution backward compatible with "old" IP version 6? .................................................9 6.3. Is your solution backward compatible with IPv4? ............9 6.4. Can IPv4 devices take advantage of this solution? ..........9 6.5. What is the impact of your solution on different types of sites? ............................................9 6.6. How will your solution interact with other middleboxes? ...10 6.7. Referrals .................................................10 6.8. Demonstrate use with a real life complex application ......10 7. Legal Concerns .................................................10 8. Security Considerations ........................................10 9. Acknowledgements ...............................................11 10. References ....................................................11 10.1. Normative References .....................................11 10.2. Informative References ...................................11 Lear Informational [Page 2] RFC 4219 MULTI6 Solution Questionnaire October 2005 1. Introduction At the time of this writing there are quite a number of proposed solutions to the problem of multihoming within IPv6, and related problems such as the locator/identifier split. This document contains several sets of questions that attempt to focus these solutions on operational problems. This document does not suggest methods to solve the problem. Rather, we simply want to ensure that while solving a problem the medicine is not worse than the cure. We focus on practical operational problems that both single-homed and multihomed deployments may face. It is the hope of the author that perhaps the authors of other proposed solutions will use this document to identify gaps in their solutions, and cooperate to close those gaps. 1.1. Reading this Document The questions are organized along the following lines: o changes to on the wire behavior; o routing system interactions; o identifier/mapping split; o application concerns and backward compatibility; o name service interactions; o legal concerns; and o security considerations. In reality many questions cut across all of these concerns. For instance, the identifier / locator split has substantial application implications, and every area has security considerations. Unless it is blatantly obvious, each question contains some reasoning as to why it is being asked. It is envisioned that no solution will answer every question with completeness, but that there will be tradeoffs to be made. The answers by the various designers of solutions will hopefully shed some light on which tradeoffs we as a community wish to make. It would seem silly for people who have written detailed answers to these questions to have to repeat the exercise. Therefore, a simple reference to existing documents will suffice, so long as the answer is complete. If it is not complete, then feel free to reference it and add what text is necessary to make the answer complete. This document presumes a familiarity with RFC 3582 [2], and does not attempt to repeat the requirements work gathered there. Lear Informational [Page 3] RFC 4219 MULTI6 Solution Questionnaire October 2005 2. On the Wire Behavior 2.1. How will your solution solve the multihoming problem? Please scope the problem you are attempting to solve and what you are not attempting to solve. 2.2. At what layer is your solution applied, and how? Is it applied in every packet? If so, what fields are used? 2.3. Why is the layer you chose the correct one? Each layer has its benefits and tradeoffs. For instance, transport layer solutions would require that EVERY transport be modified, while IP layer solutions may entail expansion of the packet or a change to the pseudo-header (thus requiring changes to the transport layer). 2.4. Does your solution address mobility? If so, how are rendezvous handled? Can your solution handle both locators changing at the same time? If so, please explain. Should it? If not, how will your solution interact with MOBILEIP-V6 [3] (MIPv6) 2.5. Does your solution expand the size of an IP packet? Expanding the size of an IP packet may cause excessive fragmentation in some circumstances. 2.6. Will your solution add additional latency? Latency is an important factor in many applications, including voice. Any substantial amount of additional latency, including session initiation would be highly undesirable. 2.7. Can multihoming capabilities be negotiated end-to-end during a connection? If the proposal introduces additional overhead, can the information be somehow piggybacked on messages that are already used? This would be useful in order to keep connection setup constant. Please also indicate any drawbacks that might apply due to this piggybacking. Lear Informational [Page 4] RFC 4219 MULTI6 Solution Questionnaire October 2005 2.8. Do you change the way fragmenting is handled? If you use a shim approach, do you fragment above or below the shim? How are fragments identified, so that they can be reassembled? If you use any additional names, do they need to be associated with fragments? If not, why not? If so, how will that happen? 2.9. Are there any layer 2 implications to your proposal? While IPv6 has a simplified approach to layer 2, perhaps you unsimplified it. If so, please provide details. 3. Identifiers and Locators 3.1. Uniqueness 3.2. Does your solution provide for a split between identifiers and locators? 3.3. What is the lifetime of a binding from an identifier to a locator? 3.4. How is the binding updated? Will transport connections remain up when new paths become available or when old ones become unavailable? How does the end node discover these events? 3.5. How does a host know its identity? If you are establishing a new identity, how does the host learn it? 3.6. Can a host have multiple identifiers? If so, how does an application choose an identity? 3.7. If you have separate locators and identifiers, how will they be mapped? Does the mapping work in both directions? How would someone debugging a network determine which end stations are involved? 3.8. Does your solution create an alternate "DNS-like" service? If you use mechanisms other than DNS, first, why was DNS not appropriate? Also, how will this other mechanism interact with DNS? What are its scaling properties? Lear Informational [Page 5] RFC 4219 MULTI6 Solution Questionnaire October 2005 3.9. Please describe authentication/authorization How are bindings authenticated and authorized. What technology do you build on for this mechanism? 3.10. Is your mechanism hierarchical? Please describe the hierarchical breakdown. 3.11. Middlebox interactions What are the implications for firewalls? What are the interactions with Network Address Translation (NAT)? What are the interactions with web caches? What complications are introduced with your solution? For instance, are there implication for ingress filters? If so, what are they? When considering this question, there are really two issues. First, will middleboxes impede your solution by rewriting headers in some way, as NATs do for IP addresses, and web caches do at higher layers? Second, is there a way in which middleboxes are actually part of your solution? In particular, are they required? This would be the case, for example, with Generalized Structure Element (GSE) (8+8). 3.12. Are there any implications for scoped addressing? Please see RFC 3513 [1]. How does your mechanism interact with multicast? How does your solution interact with link-local addressing How does your solution interact with Son-Of-Sitelocal (whatever that will be)? 4. Routing System Interactions 4.1. Does your solution change existing aggregation methods? Routing on the Internet scales today because hosts and networks can be aggregated into a relatively small number of entries. Does your solution change the way in which route aggregation occurs? Lear Informational [Page 6] RFC 4219 MULTI6 Solution Questionnaire October 2005 4.2. Does the solution solve traffic engineering requirements? One of the significant goals of IPv4 multihoming solutions has been the ability to perform traffic engineering based on appropriately adjusting the BGP advertisements. If the prefixes used by such sites was be aggregated (particularly beyond the site"s border), the site"s ability to perform traffic engineering would be diminished. 4.3. Does the solution offer ways for the site to manage its traffic flows? If so, how? Is this controllable on a per-host basis, or on a per-site basis? 4.4. If you introduce any new name spaces, do they require aggregation? Is it desirable or required that, in order to scale distribution of any mapping information, an aggregation method be introduced? 4.5. Does your solution interact with Autonomous System numbering? If your solution involves address prefixes distributed using BGP4+, does it interact with the use of AS numbers and, if so, how? Will it require additional AS numbers? 4.6. Are there any changes to ICMP error semantics? Do you create new codes? If so, why and what do they mean? Will a host that is not aware of your scheme see them? 5. Name Service Interactions 5.1. Please explain the relationship of your solution to DNS If your solution uses new names for identifiers, please explain what mappings are defined, and how they are performed? If there are any additional administrative requirements, such as new zones or RR types to manage, please explain them as well. 5.2. Please explain interactions with "2-faced" DNS 2-faced DNS is used so that hosts behind a NAT get one address for internal hosts, while hosts outside the NAT get another. Similar mechanisms are used for application layer gateways, such as SOCKS [5]. Lear Informational [Page 7] RFC 4219 MULTI6 Solution Questionnaire October 2005 5.3. Does your solution require centralized registration? For instance, if you are using the DNS, what will be the top level domain, and how will the name space distribute through it? Also, how will the centralized registration be managed? 5.4. Have you checked for DNS circular dependencies? If you are using the DNS in your solution, is it required for connectivity? What happens if the DNS fails? Can communication between the DNS resolver and the server make use of your solution? What about between the application and the resolver? 5.5. What if a DNS server itself is multihomed? If a link fails or a service is dropped, how will it impact DNS? Again, are there any dependency loops? Perhaps diagram out your dependencies to make sure. 5.6. What additional load will be placed on DNS servers? Can the load be distributed? Remember that DNS is optimized for READ operations. 5.7. Any upstream provider support required? If so, please describe. For instance, currently reverse mappings are delegated down from upstream providers. How would this work with your solution? 5.8. How do you debug connectivity? How would tools like ping and traceroute need to be enhanced? What additional tools would prove useful or necessary? For instance, if there is an id/locator split, can one ping an identifier? If so, what gets returned? 6. Application Concerns and Backward Compatibility 6.1. What application/API changes are needed? Will old code work with the new mechanism? For instance, what about code that uses gethostbyname()? Will getaddrinfo() need to change? What about other API calls? Lear Informational [Page 8] RFC 4219 MULTI6 Solution Questionnaire October 2005 There are several possible approaches. For instance, a multihoming service could attempt to require no changes to the API, in which case it is possible that IP addresses might become opaque blobs that work with the API, but might break operational assumptions that applications make about addresses. Consider the case of a web server that wants to log IP addresses. How will it accomplish this task? Another approach is to have some sort of compatibility library for legacy applications, but also provide a richer calling interface for transparency. Yet another approach would be to only provide the new functionality to those applications that make use of a new calling interface. One useful exercise would be to provide code fragments that demonstrate any API changes. 6.2. Is this solution backward compatible with "old" IP version 6? Can it be deployed incrementally? Please describe how. Does your solution impose requirements on non-multihomed/non-mobile hosts? What happens if someone plugs in a normal IPv6 node? 6.3. Is your solution backward compatible with IPv4? How will your mechanism interact with 6to4 gateways and IPv4 hosts? 6.4. Can IPv4 devices take advantage of this solution? Can the same mechanism somehow be used on the existing network? N.B. this is NOT a primary consideration, but perhaps a side benefit of a particular solution. 6.5. What is the impact of your solution on different types of sites? What will the impact of your solution be on the following types of systems? o single homed sites o small multihomed sites o large multihomed sites o ad-hoc sites o short lived connections (think aggregator wireless ISPs) Lear Informational [Page 9] RFC 4219 MULTI6 Solution Questionnaire October 2005 In particular, consider ongoing administration, renumbering events, and mobile work forces. 6.6. How will your solution interact with other middleboxes? 6.7. Referrals How will your solution handle referrals, such as those within FTP or various conferencing or other peer to peer systems? Referrals exist within various other protocols, such as so-called "peer to peer" applications. Note that referrals might suffer three types of failure: firewall and NAT - Is there failure just as what FTP active mode experiences today with relatively simple firewalls? time-based - Is there something ephemeral about the nature of the solution that might cause a referral (such as a URL) to fail over time, more so than what we have today? location-based - If the binding varies based on where the parties are in the network, and if one moves, will they no longer be able to find each other? 6.8. Demonstrate use with a real life complex application Provide a detailed walk-through of SIP + Real Time Streaming Protocol (SIP+RTSP) when one or several of the peers are multihomed. How does your analysis change when encrypted RTSP is used or when SIP with S/MIME end-to-end (e2e) signalling is used? 7. Legal Concerns Are you introducing a namespace that might involve mnemonics? Doing so might introduce trademark concerns. If so, how do you plan to address such concerns? Are there any organizations required to manage a new name space? If so, please describe what they are and how the method will scale. 8. Security Considerations How secure should a multi6 solution be? This is a reasonable question for each solution to answer. The author opines that the worst case should be no worse than what we have today. For example, would a multi6 solution open up a host, on either end of a communication, to a time-based attack? Any such risks should be clearly stated by the authors. Considerable time should be spent on threat analysis. Please see [4] for more details. Lear Informational [Page 10] RFC 4219 MULTI6 Solution Questionnaire October 2005 As IP addresses can often be tied to individuals, are there any auditing or privacy concerns introduced by your solution? 9. Acknowledgements The author wishes to acknowledge everyone in the multi6 group and elsewhere that is putting forward proposals. It is easy to ask questions like the ones found in this document. It is quite a bit harder to develop running code to answer them. Marcelo Bagnulo, Kurt Erik Lindqvist, Joe Touch, Patrik Faltstrom, Brian Carpenter, and Iljitsch van Beijnum provided input to this document. 10. References 10.1. Normative References [1] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6) Addressing Architecture", RFC 3513, April 2003. [2] Abley, J., Black, B., and V. Gill, "Goals for IPv6 Site- Multihoming Architectures", RFC 3582, August 2003. [3] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004. [4] Nordmark, E., "Threats Relating to IPv6 Multihoming Solutions", RFC 4218, October 2005. 10.2. Informative References [5] Kitamura, H., "A SOCKS-based IPv6/IPv4 Gateway Mechanism", RFC 3089, April 2001. Author's Address Eliot Lear Cisco Systems GmbH Glatt-com, 2nd Floor CH-8301 Glattzentrum ZH Switzerland EMail: lear@cisco.com Lear Informational [Page 11] RFC 4219 MULTI6 Solution Questionnaire October 2005 Full Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Lear Informational [Page 12]