IPv6 Operations | T.J. Chown |
Internet-Draft | University of Southampton |
Intended status: Informational | July 04, 2011 |
Expires: January 05, 2012 |
IPv6 Address Accountability Considerations
draft-chown-v6ops-address-accountability-00
Hosts in IPv4 networks typically acquire addresses by use of DHCP, and retain that address and only that address while the DHCP lease remains valid. In IPv6 networks, hosts may use DHCPv6, but may instead autoconfigure their own global addresses, and potentially use many privacy addresses over time. This behaviour places an additional burden on network operators who require address accountability for their users and devices. There has been some discussion of this issue on various mail lists; this text attempts to capture the issues to encourage further discussion.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 05, 2012.
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Administrators of IPv4 networks are used to an address accountability model where devices acquire a single global address using DHCP and then use that address while the DHCP lease is valid. The model allows an administrator to track back an IP address to a user or device, in the event of some incident or fault requiring investigation. While by no means foolproof, this model, which may include use of DHCP option 82, is one that IPv4 network administrators are generally comfortable with.
There are many reasons why address stability is desirable, e.g. DNS mappings, ACLs using IP addresses, and logging. However, such stability may not typically exist in IPv6 client networks, particularly where clients are user managed.
In IPv6 networks, where hosts may use SLAAC [RFC4862] and Privacy Addresses [RFC4941], it is quite possible that a host may use multiple IPv6 addresses over time, possibly changing addresses used frequently, or using multiple addresses concurrently. Where privacy addresses are used, a host may choose to generate and start using a new privacy address at any time, and will also typically generate a new privacy address after rebooting. Clients may use different IPv6 addresses per application, while servers may have multiple addresses configured, one per service offered.
It is also worth noting that in an IPv4 network, it is more difficult for a user to pick and use an address manually without clashing with an existing device on the network, while in IPv6 networks, picking an unused address is simple to do without an address clash. Source address validation is a topic being handled in the IETF SAVI WG.
There are various approaches to address accountability, which have different costs, benefits and trade-offs.
By polling network switch and router devices for IPv4 ARP tables and IPv6 ND tables, and correlating the results with switch port MAC tables, it should be possible to determine which IP addresses are in use at any specific point in time and which addresses are being used on which switch ports (and thus users or devices).
This is the approach adopted by tools such as NAV and Netdot, but there is some concern expressed at the load that may be placed on devices by frequent SNMP or other polling. The polling frequency needs to be rapid enough to ensure that cached ND/ARP data on devices is not expired between polling intervals, i.e. the ND/ARP data should not be expired more frequently than the device is polled.
If all ND traffic observed on a link can be captured, it should be possible for IPv6 address usage to be recorded. This would require appropriate capability on a device on any given subnet, e.g. as is currently achieved for RAmond or NDPmon, or a reporting mechanism for the subnet router. There may also be mechanisms such as a (filtered) RSPAN that may be suitable; at least one implementation of this has been published.
A benefit of this approach is that collecting all ND traffic would allow additional accounting and fault detection to be undertaken, e.g. rogue RA detection, or DAD DoS detection.
One approach to accountability is to attempt to force devices to only use DHCPv6, which would in principle give the same address accountability model as exists for IPv4 today. [RFC4649] for DHCPv6 appears to give at least some of the functionality of DHCP option 82.
While it is possible to craft IPv6 Router Advertisements that give 'hints' to hosts that DHCPv6 should be used ('M' bit set), there is no obligation on the host to honour that hint, or to not use privacy addressing as well. In addition, the user running the device may still pick and manually configure their own address, with very little chance of clashing with an existing address.
This text is an initial draft attempting to capture the issues related to IPv6 address accountability models. If an all-DHCPv6 model is not viable, IPv6 network administrators will need to deploy management and monitoring tools to allow them to account for hosts that will have multiple IPv6 addresses that may also change rapidly over time.
Feedback on the issues discussed here is welcomed.
There are no extra security consideration for this document.
There are no extra IANA consideration for this document.
To be added.
[RFC4649] | Volz, B., "Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option", RFC 4649, August 2006. |
[RFC4862] | Thomson, S., Narten, T. and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007. |
[RFC4941] | Narten, T., Draves, R. and S. Krishnan, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 4941, September 2007. |