rfc9131xml2.original.xml   rfc9131.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2119.xml">
<!ENTITY RFC3756 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.3756.xml">
<!ENTITY RFC4033 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4033.xml">
<!ENTITY RFC4291 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4291.xml">
<!ENTITY RFC4429 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4429.xml">
<!ENTITY RFC4541 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4541.xml">
<!ENTITY RFC4861 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4861.xml">
<!ENTITY RFC4862 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4862.xml">
<!ENTITY RFC6052 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.6052.xml">
<!ENTITY RFC6105 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.6105.xml">
<!ENTITY RFC6146 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.6146.xml">
<!ENTITY RFC6147 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.6147.xml">
<!ENTITY RFC6583 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.6583.xml">
<!ENTITY RFC6775 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.6775.xml">
<!ENTITY RFC6877 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.6877.xml">
<!ENTITY RFC7050 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7050.xml">
<!ENTITY RFC7225 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7225.xml">
<!ENTITY RFC7556 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7556.xml">
<!ENTITY RFC7858 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7858.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8174.xml">
<!ENTITY RFC8305 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8305.xml">
<!ENTITY RFC8505 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8505.xml">
<!ENTITY RFC8981 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8981.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc tocompact="yes"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc subcompact="no" ?>
<rfc ipr="trust200902"
obsoletes=""
category="std"
updates="4861"
docName="draft-ietf-6man-grand-07">
<!-- category values: std, bcp, info, exp, and historic -->
<!-- ***** FRONT MATTER ***** --> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" obsoletes="" u pdates="4861" docName="draft-ietf-6man-grand-07" number="9131" submissionType="I ETF" category="std" consensus="true" xml:lang="en" tocInclude="true" symRefs="t rue" sortRefs="true" version="3">
<front> <front>
<!-- The abbreviated title is used in the page header - it is only necessary <title abbrev="Gratuitous ND">Gratuitous Neighbor Discovery: Creating Neighb
if the or Cache Entries on First&nbhy;Hop Routers</title>
full title is longer than 39 characters --> <seriesInfo name="RFC" value="9131"/>
<title abbrev="Gratuitous ND">Gratuitous Neighbor Discovery: Creating Neighb
or Cache Entries on First-Hop Routers</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<author fullname="Jen Linkova" initials="J." surname="Linkova"> <author fullname="Jen Linkova" initials="J." surname="Linkova">
<organization>Google</organization> <organization>Google</organization>
<address> <address>
<postal> <postal>
<street>1 Darling Island Rd</street> <street>1 Darling Island Rd</street>
<city>Pyrmont</city> <city>Pyrmont</city>
<region>NSW</region> <region>NSW</region>
<code>2009</code> <code>2009</code>
<country>AU</country> <country>Australia</country>
</postal> </postal>
<phone></phone>
<email>furry@google.com</email> <email>furry@google.com</email>
</address> </address>
</author> </author>
<date year="2021" month="September"/>
<date/>
<!-- If the month and year are both specified and are the current ones, xml2
rfc will fill
in the current day for you. If only the current year is specified, xml2
rfc will fill
in the current day and month for you. If the year is not the current one
, it is
necessary to specify at least a month (xml2rfc assumes day="1" if not sp
ecified for the
purpose of calculating the expiry date). With drafts it is normally suf
ficient to
specify just the year. -->
<!-- Meta-data Declarations -->
<area>Internet</area> <area>Internet</area>
<workgroup>IPv6 Maintenance</workgroup> <workgroup>IPv6 Maintenance</workgroup>
<!-- WG name at the upperleft corner of the doc, <keyword>IPv6</keyword>
IETF is fine for individual submissions. <keyword>SLAAC</keyword>
If this element is not present, the default is "Network Working Group", <keyword>stateless address autoconfiguration</keyword>
which is used by the RFC Editor as a nod to the history of the IETF. -- <keyword>neighbor advertisement</keyword>
>
<keyword>template</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract> <abstract>
<t> <t>
Neighbor Discovery (RFC4861) is used by IPv6 nodes to determi Neighbor Discovery (RFC 4861) is used by IPv6 nodes to deter
ne the link-layer addresses of neighboring nodes as well as to discover and main mine the link-layer addresses of neighboring nodes as well as to discover and ma
tain reachability information. This document updates RFC4861 to allow routers to intain reachability information. This document updates RFC 4861 to allow routers
proactively create a Neighbor Cache entry when a new IPv6 address is assigned t to proactively create a Neighbor Cache entry when a new IPv6 address is assigne
o a node. It also updates RFC4861 and recommends nodes to send unsolicited Neigh d to a node. It also updates RFC 4861 and recommends that nodes send unsolicited
bor Advertisements upon assigning a new IPv6 address. The proposed change will m Neighbor Advertisements upon assigning a new IPv6 address. These changes will m
inimize the delay and packet loss when a node initiates connections to an off-li inimize the delay and packet loss when a node initiates connections to an off-li
nk destination from a new IPv6 address. nk destination from a new IPv6 address.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section title="Introduction"> <section numbered="true" toc="default" anchor="Introduction">
<name>Introduction</name>
<t> <t>
The Neighbor Discovery state machine defined in <xref The Neighbor Discovery state machine defined in <xref
target="RFC4861"/> assumes that communications between IPv6 nodes are in most ca target="RFC4861" format="default"/> assumes that communications between IPv6 no
ses bi-directional and if a node A is trying to communicate to its neighbor, nod des are, in most cases, bidirectional and if a node A is trying to communicate t
e B, the return traffic flows could be expected. So when the node A starts the o its neighbor, node B, the return traffic flows could be expected. So, when no
address resolution process, the target node B would also create an entry contain de A starts the address resolution process, the target node B would also create
ing A's IPv6 and link-layer addresses in its neighbor cache. That entry will be an entry containing A's IPv6 and link-layer addresses in its Neighbor Cache. Tha
used for sending the return traffic to A. t entry will be used for sending the return traffic to A.
</t> </t>
<t> <t>
In particular, section 7.2.5 of <xref target="RFC4861" In particular, <xref target="RFC4861" sectionFormat="o
/> states: f" section="7.2.5"/> states:
"When a valid Neighbor Advertisement is received (eith </t>
er solicited or unsolicited), the Neighbor Cache is searched for the target's en <blockquote>When a valid Neighbor Advertisement is received (either solicited or
try. unsolicited), the Neighbor Cache is searched for the target's entry.
If no entry exists, the advertisement SHOULD be silent If no entry exists, the advertisement <bcp14>SHOULD</b
ly discarded. cp14> be silently discarded.
There is no need to create an entry if none exists, since the recipient has a There is no need to create an entry if none exists, since the recipient has a
pparently not initiated any communication with the target." pparently not initiated any communication with the target.</blockquote>
</t> <t>
<t> While this approach is perfectly suitable for
While this approach is perfectly suitable for h host-to-host on-link communications, it does not work so well when a host sends
ost-to-host on-link communications, it does not work so well when a host sends t traffic to off-link destinations.
raffic to off-link destinations. After joining the network and receiving a Rout
After joining the network and receiving a Route er Advertisement, the host populates its Neighbor Cache with the default router
r Advertisement the host populates its neighbor cache with the default router IP IPv6 and link-layer addresses and is able to send traffic to off-link destinatio
v6 and link-layer addresses and is able to send traffic to off-link destinations ns.
. At the same time, the router does not have any
At the same time the router does not have any c cache entries for the host global addresses yet and only starts address resolut
ache entries for the host global addresses yet and only starts address resolutio ion upon receiving the first packet of the return traffic flow.
n upon receiving the first packet of the return traffic flow. While waiting for the resolution to complete,
While waiting for the resolution to complete ro routers only keep a very small number of packets in the queue, as recommended in
uters only keep a very small number of packets in the queue, as recommended in S <xref target="RFC4861" sectionFormat="of" section="7.2.2"/>.
ection 7.2.2 <xref target="RFC4861"/>. Any additional packets arriving before the resolution process finishes are likel
Any additional packets arriving before the resolution > process finishes are lik y to result in dropped packets.
ely to result in dropped packets It can cause packet loss and performan
It can cause packet loss and performan ce degradation that can be visible to users.
ce degradation that can be user-visible. </t>
</t> <t>
<t> This document updates the Neighbor Discovery protocol <xref target="RFC4861" for
This document updates the Neighbor Discovery protocol <xref target="RFC4861"/> t mat="default"/> to avoid packet loss in the scenario described above.
o avoid packet loss in the scenario described above. <xref target="changes" format="default"/> discusses the changes and analyzes the
<xref target="changes"/> discusses the changes and analyses the potential impact potential impact, while normative changes to <xref target="RFC4861" format="def
, while normative changes to <xref target="RFC4861"/> are specified in <xref tar ault"/> are specified in <xref target="RFC_UPD" format="default"/>.
get="RFC_UPD"/>.
</t> </t>
<section title="Requirements Language"> <section numbered="true" toc="default">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL <name>Requirements Language</name>
", "SHALL NOT", <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED" "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
, "MAY", and "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
"OPTIONAL" in this document are to be interpreted as des "<bcp14>SHOULD NOT</bcp14>",
cribed in "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document
when, and only when, they appear in all capitals, as show are to be interpreted as described in BCP&nbsp;14
n here.</t> <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
when, they appear in all capitals, as shown here.</t>
</section> </section>
<section title="Terminology"> <section numbered="true" toc="default">
<t> <name>Terminology</name>
Node: a device that implements IP, <xref target="RF <dl newline="false" spacing="normal">
C4861"/>. <dt>Node:</dt><dd>A device that implements IP <xref target="RFC4861" f
</t> ormat="default"/>.</dd>
<t> <dt>Host:</dt><dd>Any node that is not a router <xref target="RFC4861"
Host: any node that is not a router, <xref target=" format="default"/>.</dd>
RFC4861"/>. <dt>ND:</dt><dd>Neighbor Discovery <xref target="RFC4861" format="defa
</t> ult"/>.</dd>
<t> <dt>NC:</dt><dd>Neighbor Cache <xref target="RFC4861" format="default"
ND: Neighbor Discovery, <xref target="RFC4861"/>. />. The Neighbor Cache entry can be in one of five states, as described in <xref
</t> target="RFC4861" sectionFormat="of" section="7.3.2"/>: INCOMPLETE, REACHABLE, S
<t> TALE, DELAY, or PROBE.</dd>
NC: Neighbor Cache, <xref target="RFC4861"/>. The Neighbor <dt>SLAAC:</dt><dd>IPv6 Stateless Address Autoconfiguration <xref targ
Cache entry can be in one of five states, as described in section 7.3.2 of <xref et="RFC4862" format="default"/>.</dd>
target="RFC4861"/>: INCOMPLETE, REACHABLE, STALE, DELAY, PROBE. <dt>NS:</dt><dd>Neighbor Solicitation <xref target="RFC4861" format="d
</t> efault"/>.</dd>
<t> <dt>NA:</dt><dd>Neighbor Advertisement <xref target="RFC4861" format="
SLAAC: IPv6 Stateless Address Autoconfiguration, <xref targ default"/>.</dd>
et="RFC4862"/>. <dt>RS:</dt><dd>Router Solicitation <xref target="RFC4861" format="def
</t> ault"/>.</dd>
<t> <dt>RA:</dt><dd>Router Advertisement <xref target="RFC4861" format="d
NS: Neighbor Solicitation, <xref target="RFC4861"/>. efault"/>.</dd>
</t> <dt>SLLAO:</dt><dd>Source Link-Layer Address Option. An option in the
<t> ND packets containing the link-layer address of the sender of the packet <xref t
NA: Neighbor Advertisement, <xref target="RFC4861"/>. arget="RFC4861" format="default"/>.</dd>
</t> <dt>TLLAO:</dt><dd>Target Link-Layer Address Option. An option in the
<t> ND packets containing the link-layer address of the target <xref target="RFC4861
RS: Router Solicitation, <xref target="RFC4861"/>. " format="default"/>.</dd>
</t> <dt>GUA:</dt><dd>Global Unicast Address <xref target="RFC4291" format=
<t> "default"/>.</dd>
RA: Router Advertisement, <xref target="RFC4861"/>. <dt>DAD:</dt><dd>Duplicate Address Detection <xref target="RFC4862" fo
</t> rmat="default"/>.</dd>
<t> <dt>Preferred Address:</dt><dd>An address assigned to an interface who
SLLAO: Source link-layer Address Option, an option in the N se uniqueness has been verified using DAD and whose use by upper-layer protocols
D packets containing the link-layer address of the sender of the packet <xref ta is unrestricted <xref target="RFC4862" format="default"/>. Preferred addresses
rget="RFC4861"/>. may be used as the source address of packets sent from the interface.</dd>
</t> <dt>Optimistic DAD:</dt><dd>A modification of DAD <xref target="RFC442
<t> 9" format="default"/>.</dd>
TLLAO: Target link-layer Address Option, an option in the N </dl>
D packets containing the link-layer address of the target <xref target="RFC4861" </section>
/>. </section>
</t> <section numbered="true" toc="default">
<t> <name>Problem Statement</name>
GUA: Global Unicast Address <xref target="RFC4291"/>. <t>
</t> The most typical scenario when the problem described in this do
cument may arise is a host joining the network, forming a new address, and
<t>
DAD: Duplicate Address Detection, <xref target="RFC4862"/>
.
</t>
<t>
Preferred Address: an address assigned to an interface whose uniqueness has been
verified using DAD and whose use by upper-layer protocols is unrestricted, <xre
f target="RFC4862"/>. Preferred addresses may be used as the source address of p
ackets sent from the interface.
</t>
<t>
Optimistic DAD: a modification of DAD, <xref target="RFC442
9"/>.
</t>
</section>
</section>
<section title="Problem Statement">
<t>
The most typical scenario when the problem may arise is a host j
oining the network, forming a new address and
using that address for accessing the Internet: using that address for accessing the Internet:
</t> </t>
<t> <ol spacing="normal" type="1"><li>
<list style="numbers">
<t>
A host joins the network and receives a Router Advertisement (RA) packet from the first-hop router (either a periodic unsolicited RA or a response to a Router Solicitation sent by the host). A host joins the network and receives a Router Advertisement (RA) packet from the first-hop router (either a periodic unsolicited RA or a response to a Router Solicitation sent by the host).
The RA contains information th e host needs to perform SLAAC and to configure its network stack. The RA contains information th e host needs to perform SLAAC and to configure its network stack.
The RA is sent from the router' The RA is sent from the router
s link-local address to a link-local destination address and may contain the lin 's link-local address to a link-local destination address and may contain the li
k-layer address of the router. nk-layer address of the router.
As a result the host can popula As a result, the host can popu
te its Neighbor Cache with the router's link-local and link-layer addresses. late its Neighbor Cache with the router's link-local and link-layer addresses.
</t> </li>
<t> <li>
The host starts opening connections to off-link destinations. The host starts opening connections to off-link destinations.
A very common use case is a mobile dev ice sending probes to detect the Internet connectivity A very common use case is a mobile dev ice sending probes to detect Internet connectivity
and/or the presence of a captive portal on the network. and/or the presence of a captive portal on the network.
To speed up that process many i To speed up that process, many
mplementations use Optimistic DAD which allows them to send probes before the DA implementations use Optimistic DAD, which allows them to send probes before the
D process is completed. DAD process is completed.
At that moment the devi At that moment, the de
ce neighbor cache contains all information required to send those probes (such a vice's Neighbor Cache contains all information required to send those probes (su
s the default router link-local and link-layer addresses). ch as the default router link-local and link-layer addresses).
The router neighbor cache, how The router's Neighbor Cache, h
ever, might contain an entry for the device link-local owever, might contain an entry for the device's link-local
address (if the device has been performing the address resolution for the router address (if the device has been performing address resolution for the router's l
link-local address), but there are no entries for any of the device's global ad ink-local address), but there are no entries for any of the device's global addr
dresses. esses.
</t> </li>
<t> <li>
Return traffic is received by the firs t-hop router. Return traffic is received by the firs t-hop router.
As the router does not have any cache entry for the host global a As the router does not have any cache entry for the host's globa
ddress yet, the router starts the neighbor discovery process by creating an INCO l address yet, the router starts the Neighbor Discovery process by creating an I
MPLETE cache entry and then sending a Neighbor Solicitation to the Solicited Nod NCOMPLETE cache entry and then sending a Neighbor Solicitation to the solicited-
e Multicast Address (Section 7.3.2 of <xref target="RFC4861"/>). node multicast address (<xref target="RFC4861" sectionFormat="of" section="7.3.2
As per Section 7.2.2 of <xref target="RFC4861"/> Routers MUST buf "/>).
fer at least one data packet and MAY buffer more, while resolving the packet des As per <xref target="RFC4861" sectionFormat="of" section="7.2.2"
tination address. />,
However, most router implementations limit the buffer siz routers <bcp14>MUST</bcp14> buffer at least one data packet and <bcp14>MAY</bcp
e to a few packets only, and some implementations are known to buffer just one p 14> buffer more, while resolving the packet destination address.
acket. However, most router implementations limit the buffer si
So any subsequent packets arriving before the address resolution process is comp ze to a few packets only, and some implementations are known to buffer just one
leted are causing packet loss by replacing older packets in the buffer. packet.
</t> So, any subsequent packets arriving before the address resolution process is com
<t> pleted cause packet loss by replacing older packets in the buffer.
</li>
<li>
If the host sends multiple probes in par allel, in the worst case, it would consider all but one of them failed. If the host sends multiple probes in par allel, in the worst case, it would consider all but one of them failed.
That leads to user-visible delay in conn ecting to the network, especially if the host implements some form of backoff me chanism and does not retransmit the probes as soon as possible. That leads to user-visible delay in conn ecting to the network, especially if the host implements some form of backoff me chanism and does not retransmit the probes as soon as possible.
</t> </li>
</list> </ol>
</t> <t>
<t> This scenario illustrates the problem occurrin
This scenario illustrates the problem occurrin g when the device connects to the network for the first time or after an inactiv
g when the device connects to the network for the first time or after an inactiv ity period long enough for the device's address to be removed from the router's
ity period long enough for the device address to be removed from the router's ne Neighbor Cache.
ighbor cache. However, the same sequence of events happens w
However, the same sequence of events happen wh hen the host starts using a new global address previously unseen by the router,
en the host starts using a new global address previously unseen by the router, s such as a new privacy address <xref target="RFC8981" format="default"/> or if th
uch as a new privacy address <xref target="RFC8981"/> or if the router's Neighbo e router's Neighbor Cache has been flushed.
r Cache has been flushed. </t>
</t> <t>
<t> While in dual-stack networks this problem might be hid
While in dual-stack networks this problem might be hid den by Happy Eyeballs <xref target="RFC8305" format="default"/>, it manifests qu
den by Happy Eyeballs <xref target="RFC8305"/> it manifests quite clearly in IPv ite clearly in IPv6-only environments, especially wireless environments, leading
6-only environments, especially wireless ones, leading to poor user experience a to poor user experience and contributing to a negative perception of IPv6-only
nd contributing to a negative perception of IPv6-only solutions as unstable and solutions as unstable and non-deployable.
non-deployable. </t>
</t> </section>
<section numbered="true" toc="default">
</section> <name>Solution Requirements</name>
<section title="Solution Requirements"> <t>
<t>
It would be highly desirable to improve the Neighbor Discovery m echanics so routers have a usable cache entry for a host address by the time the router receives the first packet for that address. It would be highly desirable to improve the Neighbor Discovery m echanics so routers have a usable cache entry for a host address by the time the router receives the first packet for that address.
In particular: In particular:
<list style="symbols"> </t>
<t> <ul spacing="normal">
<li>
If the router does not have a Neighbor Cache en try for the address, a STALE entry needs to be created proactively, prior to arr ival of the first packet intended for that address. If the router does not have a Neighbor Cache en try for the address, a STALE entry needs to be created proactively, prior to arr ival of the first packet intended for that address.
</t> </li>
<t> <li>
The solution needs to work for Optimistic addre The solution needs to work for Optimistic Addre
sses as well. sses as well.
Devices implementing the Optimistic DAD usually Devices implementing Optimistic DAD usually att
attempt to minimize the delay in connecting to the network and therefore are mo empt to minimize the delay in connecting to the network and therefore are more l
re likely to be affected by the problem described in this document. ikely to be affected by the problem described in this document.
</t> </li>
<t> <li>
In case of duplicate addresses present in the n In the case of duplicate addresses present in t
etwork, the proposed solution should not override the existing entry. he network, the solution should not override the existing entry.
</t> </li>
<t> <li>
In topologies with multiple first-hop routers t In topologies with multiple first-hop routers,
he cache needs to be updated on all of them, as traffic might be asymmetric: out the cache needs to be updated on all of them, as traffic might be asymmetric: ou
going flows leaving the network via one router while the return traffic enters t tgoing flows leaving the network via one router while the return traffic enters
he segment via another one. the segment via another one.
</t> </li>
</list> </ul>
<t>
In addition, the solution must not exacerbate issues des
cribed in <xref target="RFC6583" format="default"/> and needs to be compatible w
ith the recommendations provided in <xref target="RFC6583" format="default"/>.
</t>
</section>
<section anchor="changes" numbered="true" toc="default">
<name>Changes to Neighbor Discovery</name>
<t>
The following changes are required to minimize the delay i
n creating new entries in a router's Neighbor Cache:
</t>
<ul spacing="normal">
<li>
A node sends unsolicited NAs upon assigning
a new IPv6 address to its interface.
</li>
<li>
A router creates a new cache entry upon rec
eiving an unsolicited NA from a host.
</li>
</ul>
<t>
The following sections discuss these changes in more detai
l.
Normative changes are specified in <xref target="RFC_UPD" format="default"/>
.
</t>
<section anchor="hosts" numbered="true" toc="default">
<name>Nodes Sending Gratuitous Neighbor Advertisements</name>
<t>
<xref target="RFC4861" sectionFormat="of" section=
"7.2.6"/> discusses using unsolicited Neighbor
Advertisements to inform node neighbors of the new
link-layer address quickly.
The same mechanism could be used to notify the nod
e neighbors about the new network-layer
address as well: the node can send unsolicited Nei
ghbor Advertisements upon assigning a new IPv6 address to its interface.
</t> </t>
<t> <t>
In addition the solution must not exacerbate issues des cribed in <xref target="RFC6583"/> and needs to be compatible with the recommend ations provided in <xref target="RFC6583"/>. To minimize potential disruption in the case of du plicate addresses, the node should not set the Override flag for a preferred add ress and must not set the Override flag if the address is in the Optimistic stat e <xref target="RFC4429" format="default"/>.
</t> </t>
</section> <t>
As the main purpose of sending unsolicited NAs upo
<section anchor="changes" title="Changes to Neighbor Discovery"> n configuring a new address is to proactively create a Neighbor Cache entry on t
<t> he first-hop routers, the gratuitous NAs are sent to the all-routers multicast a
The following changes are required to minimize the delay in ddress (ff02::2). Limiting the recipients to routers only would help reduce the
creating new entries in a router neighbor cache multicast noise level.
<list style="symbols"> If the link-layer devices are performing Multicast
<t> Listener Discovery (MLD) snooping <xref target="RFC4541" format="default"/>, th
A node sends unsolicited NAs upon assigning en those unsolicited NAs will only be sent to routers on the given network segme
a new IPv6 address to its interface. nt/link, instead of being flooded to all nodes.
</t> </t>
<t> <t>
A router creates a new cache entry upon rece It should be noted that the mechanism discussed he
iving an unsolicited NA from a host. re does not cause any significant increase in multicast traffic.
</t> The additional multicast unsolicited NAs would pro
</list> actively create a STALE cache entry on the router, as discussed below.
</t> When the router receives the return traffic flows,
<t> it does not need to send multicast NSes to the solicited-node multicast address
The following sections discuss these changes in more detail but would send unicast NSes instead.
. Therefore, this procedure would only produce an in
Normative changes are specified in <xref target="RFC_UPD"/>. crease in the overall amount of multicast traffic if no return traffic arrives f
</t> or the address that sent the unsolicited NA or if the router does not create a S
<section anchor="hosts" title="Nodes Sending Gratuitous Neighbor Ad TALE entry upon receiving such an NA. The increase would be negligible, as that
vertisements"> additional traffic is a few orders of magnitude less than the usual level of Nei
<t> ghbor Discovery multicast traffic.
The section 7.2.6 of <xref target="RFC4861"/> disc </t>
usses using unsolicited Neighbor </section>
Advertisements to inform node neighbors of the new <section numbered="true" toc="default">
link-layer address quickly. <name>Routers Creating Cache Entries upon Receiving Unsolicited Neighbor
The same mechanism could be used to notify the node Advertisements</name>
neighbors about the new network-layer <t>
address as well: the node can send gratuitous unsol <xref target="RFC4861" sectionFormat="of" section=
icited Neighbor Advertisements upon assigning a new IPv6 address to its interfac "7.2.5"/> states:
e. </t>
</t> <blockquote>When a valid Neighbor Advertisement is received (either solicited or
<t>
To minimize the potential disruption in case of dup
licate addresses the node should not set the Override flag for a preferred addre
ss and must not set the Override flag if the address is in Optimistic <xref targ
et="RFC4429"/> state.
</t>
<t>
As the main purpose of sending unsolicited NAs upon
configuring a new address is to proactively create a Neighbor Cache entry on th
e first-hop routers, the gratuitous NAs are sent to the all-routers multicast ad
dress (ff02::2). Limiting the recipients to routers only would help reduce the m
ulticast noise level.
If the link-layer devices are performing MLD snoopi
ng <xref target="RFC4541"/>, then those unsolicited NAs will be only sent to rou
ters on the given network segment/link, instead of being flooded to all nodes.
</t>
<t>
It should be noted that the proposed mechanism does
not cause any significant increase in multicast traffic.
The additional multicast unsolicited NA would proac
tively create a STALE cache entry on routers as discussed below.
When the router receives the return traffic flows i
t does not need to send multicast NSes to the solicited node multicast address b
ut would be sending unicast NSes instead.
Therefore this procedure would only produce an inc
rease in the overall amount of multicast traffic if no return traffic arrives fo
r the address that sent the unsolicited NA or if the router does not create a ST
ALE entry upon receiving such NA. The increase would be negligible as that addit
ional traffic is a few orders of magnitude less than the usual level of Neighbor
Discovery multicast traffic.
</t>
</section>
<section title="Routers Creating Cache Entries Upon Receiving Unsol
icited Neighbor Advertisements">
<t>
The section 7.2.5 of <xref target="RFC4861"/> state
s:
"When a valid Neighbor Advertisement is received (eith
er solicited or
unsolicited), the Neighbor Cache is searched for the target's entry. unsolicited), the Neighbor Cache is searched for the target's entry.
If no entry exists, the advertisement SHOULD be silently discarded. If no entry exists, the advertisement <bcp14>SHOULD</bcp14> be silently disca rded.
There is no need to create an entry if none exists, since the There is no need to create an entry if none exists, since the
recipient has apparently not initiated any communication with the recipient has apparently not initiated any communication with the
target". target.</blockquote>
<t>
</t> The reasoning behind dropping unsolicited Neighbor
<t> Advertisements ("the
The reasoning behind dropping unsolicited Neighbor
Advertisements ("the
recipient has apparently not initiated any communication with the recipient has apparently not initiated any communication with the
target") is valid for onlink host-to-host communication but, as discussed abo target") is valid for on-link host-to-host communication but, as discussed in
ve, <xref target="Introduction" format="default"/>,
it does not really apply for the scenario when the host is announcing its add it does not really apply to the scenario when the host is announcing its addr
ress to routers. ess to routers.
Therefore, it would be beneficial to allow routers to create new entries upon receiving an unsolicited Neighbor Advertisement. Therefore, it would be beneficial to allow routers to create new entries upon receiving an unsolicited Neighbor Advertisement.
</t> </t>
<t> <t>
This document updates <xref target="RFC4861 This document updates <xref target="RFC486
"/> so that routers create a new Neighbor Cache entry upon receiving an unsolici 1" format="default"/> so that routers create a new Neighbor Cache entry upon rec
ted Neighbor Advertisement for an address that does not already have a Neighbor eiving an unsolicited Neighbor Advertisement for an address that does not alread
Cache entry. y have a Neighbor Cache entry.
. These changes do not modify the ro
The proposed changes do not modify uter behavior specified in <xref target="RFC4861" format="default"/> for the sce
routers behaviour specified in <xref target="RFC4861"/> for the scenario when th nario when the corresponding Neighbor Cache entry already exists.
e corresponding Neighbor Cache entry already exists.
</t> </t>
<t> <t>
The next section analyses various scenarios of duplicated addresses and discusse The next section analyzes various scenarios of duplicate addresses and discusses
s the potential impact of creating a STALE entry for a duplicated IPv6 address. the potential impact of creating a STALE entry for a duplicate IPv6 address.
</t> </t>
</section> </section>
</section> </section>
<section anchor="avoid_dis" title="Avoiding Disruption"> <section anchor="avoid_dis" numbered="true" toc="default">
<t> <name>Avoiding Disruption</name>
If nodes following the recommendations in thi <t>
s document are using the DAD mechanism defined in <xref target="RFC4862"/>, they If nodes following the recommendations in th
would send unsolicited NA as soon as the address changes the state from tentati is document are using the DAD mechanism defined in <xref target="RFC4862" format
ve to preferred (after its uniqueness has been verified). ="default"/>, they would send unsolicited NAs as soon as the address changes sta
However, nodes willing to minimize ne te from tentative to preferred (after its uniqueness has been verified).
twork stack configuration delays might be using optimistic addresses, which mean However, nodes willing to minimize n
s there is a possibility of the address not being unique on the link. etwork stack configuration delays might be using Optimistic Addresses, which mea
Section 2.2 of <xref target="RFC4429" ns there is a possibility of the address not being unique on the link.
/> discusses measures to ensure that ND packets from the optimistic address do n <xref target="RFC4429" sectionFormat
ot override any existing neighbor cache entries as it would cause traffic interr ="of" section="2.2"/> discusses measures to ensure that ND packets from the Opti
uption of the rightful address owner in case of address conflict. mistic Address do not override any existing Neighbor Cache entries, as it would
As nodes willing to speed up cause interruption of the rightful address owner's traffic in the case of an add
their network stack configuration are most likely to be affected by the problem ress conflict.
outlined in this document it seems reasonable for such hosts to advertise their Nodes that are willing to sp
optimistic addresses by sending unsolicited NAs. eed up their network stack configuration are most likely to be affected by the p
The main question to consider roblem outlined in this document; therefore, it seems reasonable for such hosts
is the potential risk of overriding the cache entry for the rightful address ow to advertise their Optimistic Addresses by sending unsolicited NAs.
ner if the optimistic address happens to be duplicated. The main question to conside
</t> r is the potential risk of overriding the cache entry for the rightful address o
<t> wner if the Optimistic Address happens to be a duplicate.
The following sections discuss the address co </t>
llision scenario when a node sends an unsolicited NA for an address in the Optim <t>
istic state, while another node (the rightful owner) has the same address assign The following sections discuss the address c
ed already. ollision scenario when a node sends an unsolicited NA for an address in the Opti
This document uses the term "the rightful ow mistic state, while another node (the rightful owner) already has the same addre
ner" as the same terminology is used in <xref target="RFC4429"/>. ss assigned.
The analysis assumes that the host performs Duplicate Address Detection, as sect This document uses the term "the rightful ow
ion 5.4 of <xref target="RFC4862"/> requires that DAD MUST be performed on all u ner", as the same terminology is used in <xref target="RFC4429" format="default"
nicast />.
The analysis assumes that the host performs DAD, as <xref target="RFC4862" secti
onFormat="of" section="5.4"/> requires that DAD <bcp14>MUST</bcp14> be performed
on all unicast
addresses prior to assigning them to an interface. addresses prior to assigning them to an interface.
</t> </t>
<section anchor="avoid_dis_exists" title="Neighbor Cache Entr <section anchor="avoid_dis_exists" numbered="true" toc="default">
y Exists in Any State Other Than INCOMPLETE"> <name>Neighbor Cache Entry Exists in Any State Other Than INCOMPLETE</na
<t> me>
If the router Neighbor Cache entry for the target add <t>
ress already exists in any state other than INCOMPLETE, then as per section 7.2 If the router's Neighbor Cache entry for the target
.5 of <xref target="RFC4861"/> an unsolicited NA with the Override flag cleared address already exists in any state other than INCOMPLETE, then as per <xref tar
would change the entry state from REACHABLE to STALE but would not update the en get="RFC4861" sectionFormat="of" section="7.2.5"/>, an unsolicited NA with the O
try in any other way. Therefore, even if the host sends an unsolicited NA from i verride flag cleared would change the entry state from REACHABLE to STALE but wo
ts Optimistic address the router cache entry would not be updated with the new L uld not update the entry in any other way. Therefore, even if the host sends an
ink-Layer address and no impact to the traffic for the rightful address owner i unsolicited NA from its Optimistic Address, the router's cache entry would not b
s expected. e updated with the new link-layer address, and no impact on the traffic for the
</t> rightful address owner is expected.
<t> </t>
The return traffic intended for the host with the Optimistic address would be se <t>
nt to the rightful owner. However, this is unavoidable with or without the unsol The return traffic intended for the host with the Optimistic Address would be se
icited NA mechanism. nt to the rightful owner. However, this is unavoidable with or without the unsol
icited NA mechanism.
</t> </t>
</section> </section>
<section anchor="avoid_dis_inc" title="Neighbor Cache Entry i <section anchor="avoid_dis_inc" numbered="true" toc="default">
s in INCOMPLETE state"> <name>Neighbor Cache Entry Is in INCOMPLETE State</name>
<t> <t>
Another corner case is the INCOMPLETE cache entry for Another corner case is the INCOMPLETE cache entry fo
the address. r the address.
<list style="numbers"> </t>
<t> <ol spacing="normal" type="1"><li>
The router receives a packet for the rightful owner of the address. The router receives a packet for the rightful owner of the address.
</t> </li>
<t> <li>
The router starts the address resolution process by creating an INCOMPLETE entry and sends the multicast NS. The router starts the address resolution process by creating an INCOMPLETE entry and sends the multicast NS.
</t> </li>
<t> <li>
More packets arrive at the router for the address in question. More packets arrive at the router for the address in question.
</t> </li>
<t> <li>
The host configures an Optimistic address and sends an unsolicited NA. The host configures an Optimistic Address and sends an unsolicited NA.
</t> </li>
<t> <li>
The router creates a STALE entry and sends the buffered packet(s) to the host (w hile at least some of those packets are actually intended for the rightful owner ). The router creates a STALE entry and sends the buffered packet(s) to the host (w hile at least some of those packets are actually intended for the rightful owner ).
</t> </li>
<t> <li>
As the STALE entry was used to send packets, the router changes the entry state As the STALE entry was used to send packets, the router changes the entry state
to DELAY and waits up to DELAY_FIRST_PROBE_TIME ([RFC4861], 5 secs) before sendi to DELAY and waits up to DELAY_FIRST_PROBE_TIME (5 seconds) <xref target="RFC486
ng unicast NS. 1"/> before sending a unicast NS.
</t> </li>
<t> <li>
The rightful owner responds to the multicast NS sent at Step 2 with a solicited NA with the Override flag set. The rightful owner responds to the multicast NS sent at Step 2 with a solicited NA with the Override flag set.
</t> </li>
<t> <li>
The router updates the entry with the TLLAO supplied (the rightful owner link-la The router updates the entry with the TLLAO supplied (the rightful owner's link-
yer address) and sets the entry state to REACHABLE (as the NA has the Solicited layer address) and sets the entry state to REACHABLE (as the NA has the Solicite
flag set). d flag set).
</t> </li>
</list> </ol>
</t> <t>
<t> As a result, some packets (packets in the buffer at Step 6 and all packets arriv
As a result some packets (ones in the buffer at Step 6 and all packets arriving ing between Step 6 and Step 8) are delivered to the host with the Optimistic Add
between Step 6 and Step 8) are delivered to the host with the Optimisitc address ress, while some of them, if not all, are intended for the rightful owner.
, while some of them, if not all, are intended for the rightful owner. Without the unsolicited NA, one or more packets that are in the buffer at Step 8
Without the unsolicited NA, packet which are in the buffer at Step 8 (usually ju (usually just one packet, but some routers may buffer a few) would have been de
st one packet but some routers may buffer a few) would have been delivered to th livered to the rightful owner and the rest of the packets would have been droppe
e rightful owner and the rest of the packets would have been dropped. d.
However, the probability of such scenario is rather low as it would require the However, the probability of such a scenario is rather low, as it would require t
following he following
things to happen almost simultaneously (within tens of milliseconds in most case s): things to happen almost simultaneously (within tens of milliseconds in most case s):
<list style="symbols"> </t>
<t> <ul spacing="normal">
<li>
One host starts using a new IPv6 address and sending traffic without sending an unso licited NA first. One host starts using a new IPv6 address and sending traffic without sending an unso licited NA first.
</t> </li>
<t> <li>
Anot Anot
her host configures the same IPv6 address in Optimistic mode before the router c her host configures the same IPv6 address in Optimistic mode before the router c
ompletes the address resolution for the rightful owner. ompletes the address resolution process for the rightful owner.
</t> </li>
</list> </ul>
</t> <t>
<t> It should be noted that in this scenario the rightful owner does not send any un
It should be noted that in this scenario the rigthful owner does not send any un solicited NAs before sending packets. If the rightful owner implements the funct
solicited NAs before sending packets. If the rightful owner implements the funct ionality described in this document and sends unsolicited NAs upon configuring i
ionality described in this document and sends unsolicited NAs upon configuring i ts address, then the router creates a STALE entry for the address, causing all p
ts address, then the router creates a STALE entry for the address, causing all p ackets to be delivered to the rightful owner (see <xref target="avoid_dis_exists
ackets are delivered to the rightful owner (see <xref target="avoid_dis_exists"/ " format="default"/>). The rightful owner would experience no disruption but mig
>). The rightful owner would experience no disruption but might receive some pac ht receive some packets intended for the host with an Optimistic Address.
kets intended for the host with Optimistic address.
</t> </t>
<t> <t>
This section focuses on the scenario when the solicited NA from the rightful own This section focuses on the scenario when the solicited NA from the rightful own
er arrives after the unsolicited one sent from the Optimistic address (Step 7 an er arrives after the unsolicited one sent from the Optimistic Address (Step 7 an
d Step 4 respectively). d Step 4, respectively).
If the solicited NA arrives first it changes the NC entry state from INCOMPLETE If the solicited NA arrives first, it changes the NC entry state from INCOMPLETE
to REACHABLE. As discussed in <xref target="avoid_dis_exists"/>, there will be n to REACHABLE. As discussed in <xref target="avoid_dis_exists" format="default"/
o disruption for the rightful owner if the router already has a REACHABLE entry >, there will be no disruption for the rightful owner if the router already has
for the address when an unsolicited NA is received. a REACHABLE entry for the address when an unsolicited NA is received.
</t> </t>
</section> </section>
<section anchor="avoid_dis_nonexists" title="Neighbor Cache E <section anchor="avoid_dis_nonexists" numbered="true" toc="default">
ntry Does Not Exist"> <name>Neighbor Cache Entry Does Not Exist</name>
<t> <t>
There are two distinct scenarios whic There are two distinct scenarios tha
h can lead to the situation when the router does not have a NC entry for the IPv t can lead to the situation when the router does not have an NC entry for the IP
6 address: v6 address:
<list style="numbers"> </t>
<t> <ol spacing="normal" type="1"><li>
The rightful owner of The rightful owner o
the address has not been using it for off-link communication recently or has ne f the address has not been using it for off-link communication recently or has n
ver used it at all. ever used it at all.
</t> </li>
<t> <li>
The rightful owner ju The rightful owner j
st started sending packets from that address but the router has not received any ust started sending packets from that address, but the router has not received a
return traffic yet. ny return traffic yet.
</t> </li>
</list> </ol>
The impact on the rightful owner's tr <t>
affic flows would be different in those cases. The impact on the rightful owner's t
</t> raffic flows would be different in those cases.
<section title="The Rightful Owner Is Not Sending Pa </t>
ckets From The Address"> <section numbered="true" toc="default">
<t> <name>The Rightful Owner Is Not Sending Packets from the Address</name
In this scenario the followin >
g events are expected to happen: <t>
In this scenario, the follow
ing events are expected to happen:
<list style="numbers"> </t>
<t> <ol spacing="normal" type="1"><li>
The host conf The host con
igures the address and sets its state to Optimistic. figures the address and sets its state to Optimistic.
</t> </li>
<t> <li>
The host send The host sen
s an unsolicited NA with the Override flag set to zero and starts sending traffi ds an unsolicited NA with the Override flag set to zero and starts sending traff
c from the Optimistic address. ic from the Optimistic Address.
</t> </li>
<t> <li>
The router cr The router c
eates a STALE entry for the address and the host link-layer address. reates a STALE entry for the address and the host link-layer address.
</t> </li>
<t> <li>
The host star The host sta
ts DAD and detects the address duplication. rts DAD and detects the address duplication.
</t> </li>
<t> <li>
The router re The router r
ceives the return traffic for the duplicated address. As the NC entry is STALE i eceives the return traffic for the duplicate address. As the NC entry is STALE,
t sends traffic using that entry, changes it to DELAY and waits up to DELAY_FIRS it sends traffic using that entry, changes it to DELAY, and waits up to DELAY_FI
T_PROBE_TIME (<xref target="RFC4861"/>) seconds. RST_PROBE_TIME seconds <xref target="RFC4861" format="default"/>.
</t> </li>
<t> <li>
The r The
outer changes the NC entry state to PROBE and sends up to MAX_UNICAST_SOLICIT (< router changes the NC entry state to PROBE and sends up to MAX_UNICAST_SOLICIT u
xref target="RFC4861"/>) unicast NSes separated by RetransTimer milliseconds (<x nicast NSes <xref target="RFC4861" format="default"/> separated by RetransTimer
ref target="RFC4861"/>) to the host link-layer address. milliseconds <xref target="RFC4861" format="default"/> to the host link-layer ad
</t> dress.
<t> </li>
As the host h <li>
as detected the address conflict already it does not respond to the unicast NSes As the host
. (It is unlikely that the host has not completed the DAD process at this stage, has already detected the address conflict, it does not respond to the unicast NS
as DELAY_FIRST_PROBE_TIME (5 seconds) is much higher than the DAD duration (Dup es. (It is unlikely that the host has not completed the DAD process at this stag
AddrDetectTransmits*RetransTimer*1000 + MAX_RTR_SOLICITATION_DELAY secs, section e, as DELAY_FIRST_PROBE_TIME (5 seconds) is much higher than the DAD duration (D
5.4 of <xref target="RFC4862"/>). The default value for the DAD process would b upAddrDetectTransmits*RetransTimer*1000 + MAX_RTR_SOLICITATION_DELAY seconds) (<
e 1*1*1000 + 1 = 2 secs, <xref target="RFC4861"/>. If the host has completed DAD xref target="RFC4862" sectionFormat="of" section="5.4"/>).) The default value fo
but did not detect the address conflict then there are two hosts with the same r the DAD process would be 1*1*1000 + 1 = 2 seconds <xref target="RFC4861" forma
address in the Preferred state and the disruption is inevitable anyway. t="default"/>.
</t> If the host has completed DAD but did not detect the address conflict, then ther
<t> e are two hosts with the same address in the preferred state and disruption is i
nevitable anyway.
</li>
<li>
As the router receives no response for the unicast NSes, it deletes the NC entry. As the router receives no response for the unicast NSes, it deletes the NC entry.
</t> </li>
<li>
<t> If return pa
If return pac ckets for communication initiated at Step 2 are still arriving, the router buffe
kets for communication initiated at step 2 are still arriving, the router buffer rs a small number of those packets and starts the address resolution process aga
s a small number of those packets and starts the address resolution again by sen in by sending a multicast NS to the solicited-node multicast address. The rightf
ding a multicast NS to the solicited node multicast address. The rightful owner ul owner responds, and the router's NC entry is updated with the rightful owner'
responds and the router NC entry is updated with the rightful owner link-local a s link-local address. The buffered packet or packets are sent to that address. A
ddress. The buffered packet(s) are sent to that address. Any packets still arriv ny packets still arriving after the address resolution process has completed are
ing after the address resolution still completed are sent to the rightful addres sent to the rightful address owner as well.
s owner as well. </li>
</t> </ol>
</list> <t>
The rightful owner is not exp The rightful owner is not ex
eriencing any disruption as it does not send any traffic. periencing any disruption, as it does not send any traffic.
It would only start receiving packets intended for another host after Step 8 is It would only start receiving packets intended for another host after Step 8 is
completed and only if return packets for the communication initiated at step 2 a completed and only if return packets for the communication initiated at Step 2 a
re still arriving. re still arriving.
</t> </t>
<t> <t>
However, the same behaviour However, the same behavior w
would be observed if changes proposed in this document are not implemented. ould be observed if the changes specified in this document are not implemented.
If the host starts sending p If the host starts sending p
ackets from its Optimistic address but then changes the address state to Duplica ackets from its Optimistic Address but then detects that the address is a duplic
ted, the first return packet would trigger the address resolution process and wo ate, the first return packet would trigger the address resolution process and wo
uld be buffered until the resolution is completed. uld be buffered until the resolution is completed.
The buffered packet(s) and any packets still arriving after the address is resol
ved would be forwarded to the rightful owner of the address.
So the rightful owner might still receive one or more packets from the flows int
ended for another host.
Therefore, it's safe to conclude that the proposed changes do introduce any disr
uption for the rightful owner of the duplicated address.
</t>
</section>
<section anchor="dis_start" title="The Rightful Owner Has St
arted Sending Packets From The Address">
<t>
In this scenario the following events
are happening:
<list style="numbers"> The buffered packet(s) and any packets still arriving after the address is resol
<t> ved would be forwarded to the rightful owner of the address.
The rightful owner st So, the rightful owner might still receive one or more packets from the flows in
arts sending traffic from the address (e.g. the address has just been configured tended for another host.
or has not been recently used). Therefore, it's safe to conclude that the changes specified in this document do
</t> not introduce any disruption for the rightful owner of the duplicated address.
</t>
</section>
<section anchor="dis_start" numbered="true" toc="default">
<name>The Rightful Owner Has Started Sending Packets from the Address<
/name>
<t>
In this scenario, the following even
ts are happening:
<t> </t>
The host conf <ol spacing="normal" type="1"><li>
igures the address and sets its state to Optimistic. The rightful owner s
</t> tarts sending traffic from the address (e.g., the address has just been configur
<t> ed or has not been recently used).
The host send </li>
s an unsolicited NA with the Override flag set to zero and starts sending traffi <li>
c from the Optimistic address. The host con
</t> figures the address and sets its state to Optimistic.
<t> </li>
The router cr <li>
eates a STALE entry for the address and the host link-layer address. The host sen
</t> ds an unsolicited NA with the Override flag set to zero and starts sending traff
<t> ic from the Optimistic Address.
The host star </li>
ts DAD and detects the address duplication. <li>
</t> The router c
<t> reates a STALE entry for the address and the host link-layer address.
The router re </li>
ceives the return traffic for the IPv6 address in question. Some flows intended <li>
for the rightful owner of the duplicated address, while some are for the new hos The host sta
t. As the NC entry is STALE it sends traffic using that entry, changes it to DEL rts DAD and detects the address duplication.
AY and waits up to DELAY_FIRST_PROBE_TIME (<xref target="RFC4861"/>) seconds. </li>
</t> <li>
<t> The router r
The r eceives the return traffic for the IPv6 address in question. Some flows are inte
outer changes the NC entry state to PROBE and sends up to MAX_UNICAST_SOLICIT (< nded for the rightful owner of the duplicate address, while some are for the new
xref target="RFC4861"/>) unicast NSes separated by RetransTimer milliseconds (<x host. As the NC entry is STALE, it sends traffic using that entry, changes it t
ref target="RFC4861"/>) to the host link-layer address. o DELAY, and waits up to DELAY_FIRST_PROBE_TIME seconds <xref target="RFC4861" f
</t> ormat="default"/>.
<t> </li>
As the host h <li>
as detected the address conflict already it does not respond to the unicast NSes The
. router changes the NC entry state to PROBE and sends up to MAX_UNICAST_SOLICIT u
</t> nicast NSes <xref target="RFC4861" format="default"/> separated by RetransTimer
<t> milliseconds <xref target="RFC4861" format="default"/> to the host link-layer ad
dress.
</li>
<li>
As the host
has already detected the address conflict, it does not respond to the unicast NS
es.
</li>
<li>
As the router receives no response for the unicast NSes, it deletes the NC entry. As the router receives no response for the unicast NSes, it deletes the NC entry.
</t> </li>
<li>
<t> The next pac
The next pack ket recreates the entry and triggers the resolution process. The router buffers
et re-creates the entry and triggers the resolution process. The router buffers the packet and sends a multicast NS to the solicited-node multicast address. The
the packet and sends a multicast NS to the solicited node multicast address. The rightful owner responds, and the router's NC entry is updated with the rightful
rightful owner responds and the router NC entry is updated with the rightful ow owner's link-local address.
ner link-local address. </li>
</t> </ol>
</list> <t>
</t> As a result, the traffic for
<t> the address of the rightful owner would be sent to the host with the duplicate
As a result the traffic for t address instead. The duration of the disruption can be estimated as DELAY_FIRST
he address rightful owner would be sent to the host with the duplicated address _PROBE_TIME*1000 + (MAX_UNICAST_SOLICIT - 1)*RetransTimer milliseconds.
instead. The duration of the disruption can be estimated as DELAY_FIRST_PROBE_TI As per the constants defined
ME*1000 + (MAX_UNICAST_SOLICIT - 1)*RetransTimer milliseconds. in <xref target="RFC4861" sectionFormat="of" section="10"/>, this interval is e
As per the constants defined qual to 5*1000 + (3 - 1)*1000 = 7000 milliseconds, or 7 seconds.
in Section 10 of <xref target="RFC4861"/> this interval is equal to 5*1000 + (3
- 1)*1000 = 7000ms or 7 seconds.
</t> </t>
<t> <t>
However, it should be However, it should b
noted that the probability of such scenario is rather low. Similary to the scen e noted that the probability of such a scenario is rather low. Similar to the sc
ario discussed in <xref target="avoid_dis_inc"/>, it would require the following enario discussed in <xref target="avoid_dis_inc" format="default"/>, it would re
things to happen almost simultaneously (within tens of milliseconds in most cas quire the following things to happen almost simultaneously (within tens of milli
es): seconds in most cases):
<list style="symbols"> </t>
<t> <ul spacing="normal">
One h <li>
ost starts using a new IPv6 address and sending traffic without sending an unsol One
icited NA first. host starts using a new IPv6 address and sending traffic without sending an unso
</t> licited NA first.
<t> </li>
Anoth <li>
er host configures the same IPv6 address in Optimistic mode before the router re Anot
ceives the return traffic for the first host. her host configures the same IPv6 address in Optimistic mode before the router r
</t> eceives the return traffic for the first host.
</list> </li>
</t> </ul>
<t> <t>
As discussed in <xref target="avoid_dis_inc"/>, the disruption to the rightful o As discussed in <xref target="avoid_dis_inc" format="default"/>, the disruption
wner can easily be prevent if that node implements the mechanism described in th for the rightful owner can easily be prevented if that node implements the mecha
e document. Sending unsolicited NAs before initiatining off-link communication w nism described in this document. Sending unsolicited NAs before initiating off-l
ould create a STALE entry in the router NC and prevent any tarffic to that addre ink communication would create a STALE entry in the router's NC and prevent any
ss to be sent to the host with the Optimistic address (see <xref target="avoid_d traffic to that address from being sent to the host with the Optimistic Address
is_exists"/>). (see <xref target="avoid_dis_exists" format="default"/>).
</t> </t>
</section>
</section> </section>
</section> </section>
<section anchor="RFC_UPD" numbered="true" toc="default">
</section> <name>Modifications to RFC-Mandated Behavior</name>
<section anchor="RFC_UPD" title="Modifications to RFC-Mandated Behavi <t>
or"> All normative text in this memo is contained in this
<t> section.
All normative text in this memo is contained in this </t>
section. <section numbered="true" toc="default">
</t> <name>Modification to RFC 4861 (Neighbor Discovery for IP version 6 (IPv
<section title="Modification to RFC4861 Neighbor Discovery fo 6))</name>
r IP version 6 (IPv6)"> <section numbered="true" toc="default">
<section title="Modification to the section 7.2.5"> <name>Modification to Section 7.2.5 of RFC 4861</name>
<t> <t>
This document makes the following changes to the se This document makes the following changes to <xref
ction 7.2.5 of <xref target="RFC4861"/>: target="RFC4861" sectionFormat="of" section="7.2.5"/>:
</t> </t>
<t> <t>The text in RFC 4861 is as follows:</t>
--------------------------------------------------- <blockquote>When a valid Neighbor Advertisement is received (either so
--------------- licited or
</t>
<t>
OLD TEXT:
</t>
<t>
---------------------------------------------------
---------------
</t>
<t>
When a valid Neighbor Advertisement is received (ei
ther solicited or
unsolicited), the Neighbor Cache is searched for the target's entry. unsolicited), the Neighbor Cache is searched for the target's entry.
If no entry exists, the advertisement SHOULD be silently discarded. If no entry exists, the advertisement <bcp14>SHOULD</bcp14> be silently disca rded.
There is no need to create an entry if none exists, since the There is no need to create an entry if none exists, since the
recipient has apparently not initiated any communication with the recipient has apparently not initiated any communication with the
target. target.</blockquote>
</t> <t>This document updates the text as follows:</t>
<t> <blockquote><t>When a valid Neighbor Advertisement is received (either
--------------------------------------------------- solicited or
---------------
</t>
<t>
NEW TEXT:
</t>
<t>
---------------------------------------------------
---------------
</t>
<t>
When a valid Neighbor Advertisement is received (ei
ther solicited or
unsolicited), the Neighbor Cache is searched for the target's entry. unsolicited), the Neighbor Cache is searched for the target's entry.
If no entry exists: If no entry exists:</t>
<list style="symbols"> <ul spacing="normal">
<t> Hosts SHOULD silently discard the advertisement. <li> Hosts <bcp14>SHOULD</bcp14> silently discard the advertisement
.
There is no need to create an entry if none exists, since the There is no need to create an entry if none exists, since the
recipient has apparently not initiated any communication with the target. recipient has apparently not initiated any communication with the target.
</t> </li>
<t> Routers SHOULD create a new entry for the target address with the link-layer <li> Routers <bcp14>SHOULD</bcp14> create a new entry for the target
address set to the Target link-layer address option (if supplied). The entry's address with the link-layer address set to the Target Link-Layer Address Option
reachability state MUST be set to STALE. If the received Neighbor Advertisement (if supplied). The entry's reachability state <bcp14>MUST</bcp14> be set to STA
does not contain the Target link-layer address option the advertisement SHOULD b LE. If the received Neighbor Advertisement does not contain the Target Link-Laye
e silently discarded. r Address Option, the advertisement <bcp14>SHOULD</bcp14> be silently discarded.
</t> </li>
</list> </ul>
</t> </blockquote>
<t> </section>
--------------------------------------------------- <section anchor="UPD726" numbered="true" toc="default">
--------------- <name>Modification to Section 7.2.6 of RFC 4861</name>
</t> <t>
This document makes the following changes to <xref
</section> target="RFC4861" sectionFormat="of" section="7.2.6"/>:
<section anchor="UPD726" title="Modification to the section 7.2.6"> </t>
<t> <t>The text in RFC 4861 is as follows:</t>
This document proposes the following changes to the <blockquote>Also, a node belonging to an anycast address <bcp14>MAY</b
section 7.2.6 of <xref target="RFC4861"/>: cp14> multicast
</t>
<t>
OLD TEXT:
</t>
<t>
---------------------------------------------------
---------------
</t>
<t>
Also, a node belonging to an anycast addres
s MAY multicast
unsolicited Neighbor Advertisements for the anycast address when the
node's link-layer address changes.
</t>
<t>
---------------------------------------------------
---------------
</t>
<t>
NEW TEXT:
</t>
<t>
---------------------------------------------------
---------------
</t>
<t>
Also, a node belonging to an anycast addres
s MAY multicast
unsolicited Neighbor Advertisements for the anycast address when the unsolicited Neighbor Advertisements for the anycast address when the
node's link-layer address changes. node's link-layer address changes.</blockquote>
</t>
<t>
A node may also wish to notify its first-hop router
s when it configures a new global IPv6 address so the routers can proactively po
pulate their neighbor caches with the corresponding entries. In such cases a nod
e SHOULD send up to MAX_NEIGHBOR_ADVERTISEMENT
Neighbor Advertisement messages. If the address is preferred then the Overrid
e flag SHOULD NOT be set. If the address is in the Optimistic state then the Ov
erride flag MUST NOT be set. The destination address SHOULD be set to the all-ro
uters multicast address. These advertisements MUST be separated by at
least RetransTimer seconds. The first advertisement SHOULD be sent as soon as
one of the
following events happens:
</t>
<t>
<list style="symbols">
<t>if Optimistic DAD <xref target="RFC4429"
/> is used: a new Optimistic address is assigned
to the node interface.</t>
<t>
if Optimistic DAD is not used: an a
ddress changes the state from
tentative to preferred.
</t>
</list>
---------------------------------------------------
---------------
</t> <t>This document updates the text as follows:</t>
<blockquote><t>Also, a node belonging to an anycast address <bcp14>MAY
</bcp14> multicast
unsolicited Neighbor Advertisements for the anycast address when the
node's link-layer address changes.</t>
</section> <t>A node may also wish to notify its first-hop routers when it config
</section> ures a new global IPv6 address so the routers can proactively populate their Nei
</section> ghbor Caches with the corresponding entries. In such cases, a node <bcp14>SHOULD
<section title="Solution Limitations"> </bcp14> send up to MAX_NEIGHBOR_ADVERTISEMENT
<t> Neighbor Advertisement messages. If the address is preferred, then the Overri
The solution described in this document provides so de flag <bcp14>SHOULD NOT</bcp14> be set. If the address is in the Optimistic st
me improvement for a node configuring a new IPv6 address and starting sending tr ate, then the Override flag <bcp14>MUST NOT</bcp14> be set. The destination add
affic from it. ress <bcp14>SHOULD</bcp14> be set to the all-routers multicast address. These ad
However, that approach does not completely eliminat vertisements <bcp14>MUST</bcp14> be separated by at
e the scenario when a router receives some transit traffic for an address withou least RetransTimer seconds. The first advertisement <bcp14>SHOULD</bcp14> be
t the corresponding Neighbor Cache entry. sent as soon as one of the
For example: following events happens:</t>
<list style="symbols"> <dl newline="false" spacing="normal">
<t>If the host starts using an already configured I <dt>If Optimistic DAD <xref target="RFC4429" format="default"/> is us
Pv6 address after a long period of inactivity, the router might not have the NC ed:</dt><dd>A new Optimistic Address is assigned
entry for that address anymore, as old/expired entries are deleted. </t> to the node interface.</dd>
<t>Clearing the router Neighbor Cache would trigger <dt>If Optimistic DAD is not used:</dt><dd>An address changes the sta
the packet loss for all actively used addresses removed from the cache.</t> te from
</list> tentative to preferred.</dd>
</t> </dl>
</blockquote>
</section>
</section> </section>
</section>
<section anchor="others" title="Solutions Considered but Discarded"> <section numbered="true" toc="default">
<t> <name>Solution Limitations</name>
There are other possible approaches to address the problem <t>
, for example: The solution described in this document provides s
<list style="symbols"> ome improvement for a node configuring a new IPv6 address and starting to send t
<t> raffic from it.
However, that approach does not completely elimina
te the scenario when a router receives some transit traffic for an address witho
ut the corresponding Neighbor Cache entry.
For example:
</t>
<ul spacing="normal">
<li>If the host starts using an already-configured IPv6 address after a
long period of inactivity, the router might not have the NC entry for that addre
ss anymore, as old/expired entries are deleted. </li>
<li>Clearing the router's Neighbor Cache would trigger packet loss for a
ll actively used addresses removed from the cache.</li>
</ul>
</section>
<section anchor="others" numbered="true" toc="default">
<name>Solutions Considered but Discarded</name>
<t>
There are other possible approaches to address the problem
. For example:
</t>
<ul spacing="normal">
<li>
Just do nothing. Just do nothing.
</t> </li>
<t> <li>
Migrating from the "reactive" Neighbor Dis Migrate from the "reactive" Neighbor Disco
covery (<xref target="RFC4861"/>) to the registration-based mechanisms (<xref ta very <xref target="RFC4861" format="default"/> to the registration-based mechani
rget="RFC8505"/>). sms <xref target="RFC8505" format="default"/>.
</t> </li>
<t> <li>
Creating new entries in routers Neighbor Ca Create new entries in the router's Neighbor
che by gleaning from Neighbor Discovery DAD messages. Cache by gleaning from Neighbor Discovery DAD messages.
</t> </li>
<t> <li>
Initiates bidirectional communication from Initiate bidirectional communication from
the host to the router using the host GUA. the host to the router using the host GUA.
</t> </li>
<t> <li>
Making the probing logic on hosts more rob Make the probing logic on hosts more robus
ust. t.
</t> </li>
<t> <li>
Increasing the buffer size on routers. Increase the buffer size on routers.
</t> </li>
<t> <li>
Transit dataplane traffic from an unknown Transit data plane traffic from an unknown
address (an address w/o the corresponding neighbor cache entry) triggers an addr address (an address without the corresponding Neighbor Cache entry) to trigger
ess resolution process on the router. an address resolution process on the router.
</t> </li>
</list> </ul>
</t> <t>
<t>
It should be noted that some of those options are already implemented by some vendors. The following sections discuss those approaches and the reasons they were discarded. It should be noted that some of those options are already implemented by some vendors. The following sections discuss those approaches and the reasons they were discarded.
</t> </t>
<section title="Do Nothing"> <section numbered="true" toc="default">
<t> <name>Do Nothing</name>
<t>
One of the possible approaches might be to declare that everything is working as intended and let the upper-layer protocols deal w ith packet loss. The obvious drawbacks include: One of the possible approaches might be to declare that everything is working as intended and let the upper-layer protocols deal w ith packet loss. The obvious drawbacks include:
<list style="symbols"> </t>
<t> <ul spacing="normal">
<li>
Unhappy users. Unhappy users.
</t> </li>
<t> <li>
Many support tickets. Many support tickets.
</t> </li>
<t> <li>
More resistance to deploy More resistance to deployi
IPv6 and IPv6-Only networks. ng IPv6 and IPv6-only networks.
</t> </li>
</list> </ul>
</t> </section>
</section> <section numbered="true" toc="default">
<name>Change to the Registration-Based Neighbor Discovery</name>
<section title="Change to the Registration-Based Neighbor Discover <t>
y"> The most radical approach would be to move
<t> away from the reactive ND as defined in <xref target="RFC4861" format="default"
The most radical approach would be to move /> and expand the registration-based ND <xref target="RFC6775" format="default"/
away from the reactive ND as defined in <xref target="RFC4861"/> and expand the > <xref target="RFC8505" format="default"/> used in IPv6 over Low-Power Wireless
registration-based ND (<xref target="RFC6775"/>, <xref target="RFC8505"/>) used Personal Area Networks (6LoWPANs) to the rest of the IPv6 deployments.
in Low-Power Wireless Personal Area Networks (6LoWPANs) to the rest of IPv6 depl This option requires some investig
oyments. ation and discussion.
This option requires some investiga However, significant changes to th
tion and discussion. e existing IPv6 implementations would be needed, so an unclear adoption timeline
However, significant changes to th makes this approach less preferable than the approach specified in this documen
e existing IPv6 implementations would be needed, so unclear adoption timeline ma t.
kes this approach less preferable than one proposed in this document. </t>
</t> </section>
</section> <section numbered="true" toc="default">
<name>Host Sending NS to the Router Address from Its GUA</name>
<section title="Host Sending NS to the Router Address from Its GUA" <t>
> The host could force the creation of a STALE entry
<t> for its GUA in the router's Neighbor Cache by sending the following Neighbor So
The host could force creating a STALE entry for its licitation message:
GUA in the router ND cache by sending the following Neighbor Solicitation mess </t>
age: <ul spacing="normal">
<list style="symbols"> <li>
<t> The NS source address is the host
The NS source address is the host G GUA.
UA. </li>
</t> <li>
<t> The destination address is
The destination address is the default router IPv6 address.
the default router IPv6 address. </li>
</t> <li>
<t> The Source Link-Layer Address Opti
The Source Link-Layer Address optio on contains the host link-layer address.
n contains the host link-layer address. </li>
</t> <li>
<t> The target address is the host's d
The target address is the host defa efault router address (the default router address the host received in the RA).
ult router address (the default router address the host received in the RA). </li>
</t> </ul>
</list> <t>
</t> The main disadvantages of this approach are as fol
<t> lows:
The main disadvantages of this approach are: </t>
<list style="symbols"> <ul spacing="normal">
<t> <li>
Would not work for Optimistic addre It would not work for Optimistic A
sses as section 2.2 of <xref target="RFC4429"/> explicitly prohibits sending Nei ddresses, as <xref target="RFC4429" sectionFormat="of" section="2.2"/> explicitl
ghbor Solicitations from an Optimistic Address. y prohibits sending Neighbor Solicitations from an Optimistic Address.
</t> </li>
<t> <li>
If first-hop redundancy is deployed If first-hop redundancy is deploye
in the network, the NS would reach the active router only, so all backup router d in the network, the NS would reach the active router only, so all backup route
s (or all active routers except one) would not get their neighbor cache updated. rs (or all active routers except one) would not get their Neighbor Cache updated
</t> .
<t> </li>
Some wireless devices are k <li>
nown to alter ND packets and perform various non-obvious forms of ND proxy actio Some wireless devices are
ns. known to alter ND packets and perform various nonobvious forms of ND proxy actio
In some cases, unsolicited N ns.
As might not even reach the routers. In some cases, unsolicited
</t> NAs might not even reach the routers.
</list> </li>
</t> </ul>
</section> </section>
<section numbered="true" toc="default">
<section title="Host Sending Router Solicitation from its GUA"> <name>Host Sending Router Solicitation from Its GUA</name>
<t> <t>
The host could send a router solicitation m The host could send a Router Solicitation
essage to 'all routers' multicast address, using its GUA as a source. message to the all-routers multicast address, using its GUA as a source.
If the host link-layer address is included If the host link-layer address is included
in the Source Link-Layer Address option, the router would create a STALE entry f in the Source Link-Layer Address Option, the router would create a STALE entry
or the host GUA as per the section 6.2.6 of <xref target="RFC4861"/>. for the host GUA as per <xref target="RFC4861" sectionFormat="of" section="6.2.6
However, this approach cannot be used if th "/>.
e GUA is in optimistic state: section 2.2 of <xref target="RFC4429"/> explicitly However, this approach cannot be used if t
prohibits using an Optimistic Address as the source address of a Router Solicit he GUA is in the Optimistic state: <xref target="RFC4429" sectionFormat="of" sec
ation with a SLLAO as it might disrupt the rightful owner of the address in the tion="2.2"/> explicitly prohibits using an Optimistic Address as the source add
case of a collision. ress of a Router Solicitation with a SLLAO, as it might cause disruption for the
So for the optimistic addresses the host ca rightful owner of the address in the case of a collision.
n send an RS without SLLAO included. So, for the Optimistic Addresses, the host
In that case the router may respond with ei can send an RS without a SLLAO included.
ther a multicast or a unicast RA (only the latter would create a cache entry). In that case, the router may respond with
</t> either a multicast or unicast RA (only the latter would create a cache entry).
<t> </t>
This approach has the following drawbacks: <t>
<list style="symbols"> This approach has the following drawbacks:
<t> </t>
If the address is in the Op <ul spacing="normal">
timistic state the RS cannot contain SLLAO. As a result the router would only cr <li>
eate a cache entry if solicited RAs are sent as unicast. If the address is in the O
Routers sending solicited R ptimistic state, the RS cannot contain a SLLAO. As a result, the router would on
As as multicast would not create a new cache entry as they do not need to send a ly create a cache entry if solicited RAs are sent as unicast.
unicast packet back to the host. Routers sending solicited
</t> RAs as multicast would not create a new cache entry, as they do not need to send
<t> a unicast packet back to the host.
There might be a random del </li>
ay between receiving an RS and sending a unicast RA back (and creating a cache e <li>
ntry) which might undermine the idea of creating the cache entry proactively. There might be a random de
</t> lay between receiving an RS and sending a unicast RA back (and creating a cache
<t> entry), which might undermine the idea of creating the cache entry proactively.
Some wireless devices are </li>
known to intercept ND packets and perform various non-obvious forms of ND proxy <li>
actions. In some cases the RS might not even reach the routers. Some wireless devices are
</t> known to intercept ND packets and perform various nonobvious forms of ND proxy a
ctions. In some cases, the RS might not even reach the routers.
</list> </li>
</t> </ul>
</section> </section>
<section numbered="true" toc="default">
<section title="Routers Populating Their Caches by Gleaning From N <name>Routers Populating Their Caches by Gleaning from Neighbor Discover
eighbor Discovery Packets"> y Packets</name>
<t> <t>
Routers may be able to learn about new addresses b Routers may be able to learn about new addresses
y gleaning from the DAD Neighbor Solicitation messages. by gleaning from the DAD Neighbor Solicitation messages.
The router could listen to all solicited node mult The router could listen to all solicited-node mul
icast address groups and upon receiving a Neighbor Solicitation from the unspeci ticast address groups and, upon receiving a Neighbor Solicitation from the unspe
fied address search its Neighbor Cache for the solicitation's Target Address. cified address, search its Neighbor Cache for the solicitation's target address.
If no entry exists, the router may create an entry If no entry exists, the router may create an entr
, set its reachability state to 'INCOMPLETE' and start the address resolution fo y, set its reachability state to INCOMPLETE, and start the address resolution pr
r that entry. ocess for that entry.
</t> </t>
<t> <t>
The same solution was proposed in <xref target= "I- The same solution was proposed in <xref target="I-
D.halpern-6man-nd-pre-resolve-addr" />. Some routing vendors support such optimi D.halpern-6man-nd-pre-resolve-addr" format="default"/>. Some routing vendors alr
zation already. However, this approach has a number of drawbacks and therefore s eady support such optimization. However, this approach has a number of drawbacks
hould not be used as the only solution: and therefore should not be used as the only solution:
<list style="symbols"> </t>
<t> <ul spacing="normal">
Routers need to receive al <li>
l multicast Neighbor Discovery packets which might negatively impact the routers Routers need to receive al
CPU. l multicast Neighbor Discovery packets; this might negatively impact a router's
</t> CPU.
<t> </li>
If the router starts the ad <li>
dress resolution as soon as it receives the DAD Neighbor Solicitation the host m If the router starts the a
ight be still performing DAD and the target address might be tentative. ddress resolution process as soon as it receives the DAD Neighbor Solicitation,
In that case, the host SHOU the host might still be performing DAD and the target address might be tentative
LD silently ignore the received Neighbor Solicitation from the router as per the .
Section 5.4.3 of <xref target="RFC4862"/>. In that case, the host <bc
As a result the router migh p14>SHOULD</bcp14> silently ignore the received Neighbor Solicitation from the r
t not be able to complete the address resolution before the return traffic arriv outer as per <xref target="RFC4862" sectionFormat="of" section="5.4.3"/>.
es. As a result, the router mi
ght not be able to complete the address resolution process before the return tra
</t> ffic arrives.
</list>
</t>
</section>
<section title="Initiating Hosts-to-Routers Communication">
<t>
The host may force the router to start address reso
lution by sending a data packet such as ping or traceroute to its default router
link-local address, using the GUA as a source address.
As the RTT to the default router is lower than RTT
to any off-link destinations it's quite likely that the router would start the
neighbor discovery process for the host GUA before the first packet of the retur
ning traffic arrives.
</t>
<t> This approach has the following drawbacks:
<list style="symbols">
<t>
Data packets to the router
link-local address could be blocked by security policy or control plane protect
ion mechanism.
</t>
<t>
It introduces an additiona
l overhead for routers control plane (in addition to processing ND packets, the
data packet needs to be processed as well).
</t>
<t>
Unless the data packet is s
ent to 'all routers' ff02::2 multicast address, if the network provides a first-
hop redundancy then only the active router would create a new cache entry.
</t>
</list>
</t>
</section>
<section title="Making the Probing Logic on Hosts More Robust">
<t>
Theoretically the probing logic on hosts mi
ght be modified to deal better with initial packet loss. For example, only one p
robe can be sent or probes retransmit intervals can be reduced. However, this ap
proach has a number of drawbacks:
<list style="symbols"> </li>
<t>It would require updating all possible a </ul>
pplications performing probing, while the proposed solution is implemented on op </section>
erating systems level.</t> <section numbered="true" toc="default">
<t>Some implementations need to send multip <name>Initiating Host-to-Router Communication</name>
le probes. Examples include but not limited to: <t>
<list style="symbols"> The host may force the router to start address res
<t>Sending AAAA and A records DNS p olution by sending a data packet such as ping or traceroute to its default route
robes in parallel.</t> r link-local address, using the GUA as a source address.
<t>Detecting captive portals often As the RTT to the default router is lower than the
require sending multiple packets.</t> RTT to any off-link destinations, it's quite likely that the router would start
</list> the Neighbor Discovery process for the host GUA before the first packet of the
</t> returning traffic arrives.
<t>While it would increase the probability </t>
of the probing to complete successfully, there are multiple cases when packet lo <t> This approach has the following drawbacks:
ss would still occur: </t>
<list style="symbols"> <ul spacing="normal">
<t> The probe response consists of <li>
multiple packets, so all but the first one are dropped. </t> Data packets to the router
<t> There are multiple applications 's link-local address could be blocked by a security policy or control plane pro
on the same host sending traffic and return packets arrive simultaneously.</t> tection mechanism.
<t> There are multiple first-hop ro </li>
uters in the network. The first probe packet creates the NC entry on one of them <li>
. The subsequent return traffic flows might cross other routers and still experi It introduces an additiona
ence the issue.</t> l overhead for the router's control plane (in addition to processing ND packets,
</list> the data packet needs to be processed as well).
</t> </li>
<t> <li>
Reducing the probe retransmit interval unnec Unless the data packet is
essary increases the network utilization and might cause the network congestion. sent to the all-routers ff02::2 multicast address, if the network provides a fir
</t> st-hop redundancy, then only the active router would create a new cache entry.
</list> </li>
</t> </ul>
</section> </section>
<section title="Increasing the Buffer Size on Routers"> <section numbered="true" toc="default">
<t> <name>Making the Probing Logic on Hosts More Robust</name>
Increasing the buffer size and buff <t>
ering more packets would exacerbate issues described in <xref target="RFC6583"/> Theoretically, the probing logic on hosts
and make the router more vulnerable to ND-based denial of service attacks. might be modified to better deal with initial packet loss. For example, only one
</t> probe can be sent, or probe retransmit intervals can be reduced. However, this
</section> approach has a number of drawbacks:
<section title="Transit Dataplane Traffic From a New Address Trigge </t>
ring Address Resolution"> <ul spacing="normal">
<t> <li>It would require updating all possible applications that perform p
When a router receives a transit packet sourced by robing, while the solution described in this document is implemented at the oper
a on-link neighbor node, it might check the presence of the neighbor cache entry ating-system level.</li>
for the packet source address and if the entry does not exist, start address re <li>
solution process. <t>Some implementations need to send multiple probes. Examples inclu
This approach does ensure that a Neighbor Cache ent de but are not limited to:
ry is proactively created every time a new, previously unseen GUA is used for se </t>
nding offlink traffic. <ul spacing="normal">
However, this approach has a number of limitations, in particular: <li>Sending AAAA and A record DNS probes in parallel.</li>
<list style="symbols"> <li>Detecting captive portals, which often requires sending multip
<t>If traffic flows are asymmetrical the return traffic might not transit the sa le packets.</li>
me router as the original traffic which triggered the address resolution. </ul>
So the neighbor cache entry is created on the "wrong" router, not the one which </li>
actually needs the neighbor cache entry for the host address. <li>
</t> <t>While it would increase the probability that the probing will com
<t> plete successfully, there are multiple cases when packet loss would still occur:
The functionality needs to be limited to explicitly configured networks/i </t>
nterfaces, as the router needs to distinguish between onlink addresses (ones the <ul spacing="normal">
router needs to have Neighbor Cache entries for) and the rest of the address sp <li> The probe response consists of multiple packets, so all but t
ace. he first one are dropped. </li>
The proactive address resolution must only be triggered by packets from t <li> There are multiple applications on the same host sending traf
he prefixes known to be on-link. Otherwise, traffic from spoofed source addresse fic, and return packets arrive simultaneously.</li>
s or any transit traffic could lead to neighbor cache exhaustion. <li> There are multiple first-hop routers in the network. The firs
</t> t probe packet creates the NC entry on one of them. The subsequent return traffi
<t> c flows might cross other routers and still experience the issue.</li>
Implementing such functionality is much more complicated than all other solution </ul>
s as it would involve complex data-control planes interaction. </li>
<li>
Reducing the probe retransmit interval unnec
essarily increases network utilization and might cause network congestion.
</li>
</ul>
</section>
<section numbered="true" toc="default">
<name>Increasing the Buffer Size on Routers</name>
<t>
Increasing the buffer size and buf
fering more packets would exacerbate issues described in <xref target="RFC6583"
format="default"/> and make the router more vulnerable to ND-based denial-of-ser
vice attacks.
</t>
</section>
<section numbered="true" toc="default">
<name>Transit Data Plane Traffic from a New Address to Trigger Address R
esolution</name>
<t>
When a router receives a transit packet sourced by
an on-link neighbor node, it might check for the presence of a Neighbor Cache e
ntry for the packet source address and, if the entry does not exist, start the a
ddress resolution process.
This approach does ensure that a Neighbor Cache en
try is proactively created every time a new, previously unseen GUA is used for s
ending off-link traffic.
However, this approach has a number of limitations. In particular:
</t> </t>
</list> <ul spacing="normal">
</t> <li>If traffic flows are asymmetrical, the return traffic might not tr
</section> ansit the same router as the original traffic that triggered the address resolut
ion process.
So, the Neighbor Cache entry is created on the "wrong" router, not the one that
actually needs the Neighbor Cache entry for the host address.
</li>
<li>
The functionality needs to be limited to explicitly configured networks/
interfaces, as the router needs to distinguish between on-link addresses (addres
ses for which the router needs to have Neighbor Cache entries) and the rest of t
he address space.
The proactive address resolution process must only be triggered by packe
ts from the prefixes known to be on-link. Otherwise, traffic from spoofed source
addresses or any transit traffic could lead to Neighbor Cache exhaustion.
</li>
<li>
Implementing such functionality is much more complicated than all other solution
s, as it would involve complex interactions between the data plane and the contr
ol plane.
</li>
</ul>
</section>
</section> </section>
<section anchor="IANA" numbered="true" toc="default">
<section anchor="IANA" title="IANA Considerations"> <name>IANA Considerations</name>
<t> <t>
This memo asks the IANA for no new parameters. This document has no IANA actions.
</t> </t>
</section> </section>
<section anchor="Security" numbered="true" toc="default">
<section anchor="Security" title="Security Considerations"> <name>Security Considerations</name>
<t> <t>
One of the potential attack vectors to consider is a cache sp One of the potential attack vectors to consider is cache spo
oofing when the attacker might try to install a cache entry for the victim's IPv ofing, where the attacker might try to install a cache entry for the victim's IP
6 address and the attacker's Link-Layer address. However, it should be noted tha v6 address and the attacker's link-layer address. However, it should be noted th
t this document does not propose any changes for the scenario when the ND cache at this document does not propose any changes for the scenario when the Neighbor
for the given IPv6 address already exists. Cache for a given IPv6 address already exists.
Therefore, there are no new vectors for an attacker to overri Therefore, there are no new vectors for an attacker to overr
de an existing cache entry. ide an existing cache entry.
</t> </t>
<t> <t>
<xref target="avoid_dis"/> describes some corner cases when a host with the dupl <xref target="avoid_dis" format="default"/> describes some corner cases when a h
icated Optimistic address might get some packets intended for the rightful owner ost with a duplicate Optimistic Address might get some packets intended for the
of the address. However such scenarios do not introduce any new attack vectors: rightful owner of the address. However, such scenarios do not introduce any new
even without the proposed changes, an attacker can easily override the routers attack vectors: even without the changes discussed in this document, an attacker
neighbor cache and redirect the traffic by sending NAs with the Solicited flag s can easily override the router's Neighbor Cache and redirect the traffic by sen
et. ding NAs with the Solicited flag set.
As discussed in <xref target="dis_start"/> the worst case scenario might cause a As discussed in <xref target="dis_start" format="default"/>, the worst-case scen
disruption for up to 7 seconds. This risk is considered acceptable due to very ario might cause a disruption for up to 7 seconds. Because this scenario is high
low probability of that scenario. More importantly, for all cases described in < ly unlikely, this risk of disruption is considered acceptable. More importantly,
xref target="avoid_dis"/> the rightful owner can prevent disruption caused by an for all cases described in <xref target="avoid_dis" format="default"/>, the rig
accidental address duplication just by implementing the mechanism described in htful owner can prevent disruption caused by an accidental address duplication j
this document. If the rightful owner sends unsolicited NAs before using the addr ust by implementing the mechanism described in this document. If the rightful ow
ess, the STALE entry would be created on the router NC and any subsequent unsoli ner sends unsolicited NAs before using the address, the STALE entry would be cre
cited NAs sent from the host with an Optimistic address would not override the N ated on the router's NC, and any subsequent unsolicited NAs sent from the host w
C entry. ith an Optimistic Address would not override the NC entry.
</t> </t>
<t> <t>
A malicious host could attempt to exhaust the neighbor cache A malicious host could attempt to exhaust the Neighbor Cache
on the router by creating a large number of STALE entries. However, this attack on the router by creating a large number of STALE entries. However, this attack
vector is not new and this document does not increase the risk of such an attack vector is not new, and the mechanism specified in this document does not increa
: the attacker could do it, for example, by sending a NS or RS packet with SLLAO se the risk of such an attack: the attacker could do it, for example, by sending
included. All recommendations from <xref target="RFC6583"/> still apply. an NS or RS packet with a SLLAO included. All recommendations from <xref target
</t> ="RFC6583" format="default"/> still apply.
<t> </t>
Announcing a new address to all-routers multicast address may <t>
inform an on-link attacker about IPv6 addresses assigned to the host. However, Announcing a new address to the all-routers multicast addres
hiding information about the specific IPv6 address should not be considered a se s may inform an on-link attacker about IPv6 addresses assigned to the host. Howe
curity measure as such information is usually disclosed via DAD to all nodes any ver, hiding information about the specific IPv6 address should not be considered
way if MLD snooping is not enabled. Network administrators can also mitigate thi a security measure, as such information is usually disclosed via DAD to all nod
s issue by enabling MLD snooping on the link-layer devices to prevent IPv6 link- es anyway if MLD snooping is not enabled. Network administrators can also mitiga
local multicast packets being flooded to all onlink nodes. te this issue by enabling MLD snooping on the link-layer devices to prevent IPv6
If peer-to-peer onlink communications are not desirab link-local multicast packets from being flooded to all on-link nodes.
le for the given network segment they should be prevented by proper layer-2 secu If peer-to-peer on-link communications are not desir
rity mechanisms. Therefore, the risk of allowing hosts to send unsolicited Neigh able for a given network segment, they should be prevented by proper Layer 2 sec
bor Advertisements to all-routers multicast address is low. urity mechanisms. Therefore, the risk of allowing hosts to send unsolicited Neig
</t> hbor Advertisements to the all-routers multicast address is low.
<t> </t>
It should be noted that the proposed mechanism allows hosts t <t>
o proactively inform their routers about global IPv6 addresses existing on-link. It should be noted that the mechanism discussed in this docu
Routers could use that information to distinguish between used and unused addre ment allows hosts to proactively inform their routers about global IPv6 addresse
sses to mitigate ND cache exhaustion DoS attacks described in Section 4.3.2 <xre s existing on-link. Routers could use that information to distinguish between us
f target="RFC3756"/> and <xref target="RFC6583"/>. ed and unused addresses to mitigate Neighbor Cache exhaustion DoS attacks as des
cribed in <xref target="RFC3756" sectionFormat="of" section="4.3.2"/> and in <xr
ef target="RFC6583" format="default"/>.
</t> </t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>
Thanks to the following people (in alphabetical order) for th
eir
comments, review and feedback: Mikael Abrahamsson, St
ewart Bryant, Lorenzo Colitti, Roman Danyliw, Owen DeLong, Martin Duke, Igor Gas
hinsky, Carles Gomez, Fernando Gont, Tatuya Jinmei, Benjamin Kaduk, Scott Kelly,
Erik Kline, Warren Kumari, Barry Leiba, Jordi Palet Martinez, Erik Nordmark, Mi
chael Richardson, Dan Romascanu, Zaheduzzaman Sarker, Michael Scharf, John Scudd
er, Mark Smith, Dave Thaler, Pascal Thubert, Loganaden Velvindron, Eric Vyncke.
</t>
</section> </section>
</middle> </middle>
<!-- *****BACK MATTER ***** -->
<back> <back>
<references title="Normative References"> <displayreference target="I-D.halpern-6man-nd-pre-resolve-addr" to="ND-ADDR-RES"
&RFC2119; />
&RFC4291;
&RFC4429;
&RFC4861;
&RFC4862;
&RFC8174;
</references>
<references title="Informative References"> <references>
&RFC3756; <name>References</name>
&RFC4541; <references>
&RFC6583; <name>Normative References</name>
&RFC6775; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
&RFC8305; FC.2119.xml"/>
&RFC8505; <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
&RFC8981; FC.4291.xml"/>
<?rfc include="reference.I-D.halpern-6man-nd-pre-resolve-addr" ?> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4429.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4861.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4862.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8174.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.3756.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.4541.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.6583.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.6775.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8305.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8505.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R
FC.8981.xml"/>
<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D
.halpern-6man-nd-pre-resolve-addr.xml"/>
</references>
</references> </references>
<section anchor="Acknowledgements" numbered="false" toc="default">
<name>Acknowledgements</name>
<t>
Thanks to the following people (in alphabetical order) for t
heir
comments, review, and feedback: <contact fullname="M
ikael Abrahamsson"/>, <contact fullname="Stewart Bryant"/>, <contact fullname="L
orenzo Colitti"/>, <contact fullname="Roman Danyliw"/>, <contact fullname="Owen
DeLong"/>, <contact fullname="Martin Duke"/>, <contact fullname="Igor Gashinsky"
/>, <contact fullname="Carles Gomez"/>, <contact fullname="Fernando Gont"/>, <co
ntact fullname="Tatuya Jinmei"/>, <contact fullname="Benjamin Kaduk"/>, <contact
fullname="Scott Kelly"/>, <contact fullname="Erik Kline"/>, <contact fullname="
Warren Kumari"/>, <contact fullname="Barry Leiba"/>, <contact fullname="Jordi Pa
let Martinez"/>, <contact fullname="Erik Nordmark"/>, <contact fullname="Michael
Richardson"/>, <contact fullname="Dan Romascanu"/>, <contact fullname="Zaheduzz
aman Sarker"/>, <contact fullname="Michael Scharf"/>, <contact fullname="John Sc
udder"/>, <contact fullname="Mark Smith"/>, <contact fullname="Dave Thaler"/>, <
contact fullname="Pascal Thubert"/>, <contact fullname="Loganaden Velvindron"/>,
and <contact fullname="Éric Vyncke"/>.
</t>
</section>
</back> </back>
</rfc> </rfc>
 End of changes. 77 change blocks. 
1290 lines changed or deleted 1163 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/