Internet DRAFT - draft-vyncke-v6ops-ipv6-only-thin-clients
draft-vyncke-v6ops-ipv6-only-thin-clients
IPv6 Operations E. Vyncke
Internet-Draft A. Yourtchenko
Intended status: Informational Cisco
Expires: December 28, 2015 D. Valenkamp
ETH Zurich
June 26, 2015
IPv6-Only for Wired Thin-Clients
draft-vyncke-v6ops-ipv6-only-thin-clients-00
Abstract
While IPv6-only (no IPv4 at all) is becoming an objective, there are
remaining issues on this road for the wired thin clients. This
document enumerates of couple of them; each with a short description,
followed by a description of the issue in IPv6-only networks then
some solutions.
It is expected that this document will grow by collecting other
roadblocks and suggestions to remove them.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 28, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Vyncke, et al. Expires December 28, 2015 [Page 1]
Internet-Draft Pv6-Only for Wired Thin-Clients June 2015
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Wake-on-Lan . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Description . . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Issue . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3. Mitigation . . . . . . . . . . . . . . . . . . . . . . . 3
2. Preboot Execution Environment . . . . . . . . . . . . . . . . 3
2.1. Description . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Issue . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3. Mitigation . . . . . . . . . . . . . . . . . . . . . . . 4
3. 3rd issue . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 4
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
7.1. Normative References . . . . . . . . . . . . . . . . . . 4
7.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
1. Wake-on-Lan
1.1. Description
Wake-on-Lan also known as WOL is specified in [WOL]. It allows for a
remote operator to wake a sleeping host in order to trigger software
update while the host is sleeping (for example during the night of
the week-end). It consists of sending a specially formatted frame
for a specific host. This is called the magic packet: with the
Ethernet payload having somewhere 6 bytes containing 0xFF followed by
16 times the network interface datalink-layer address.
1.2. Issue
As the host is sleeping, it does not transmit any packets and will
not reply to neither ARP request nor Neighbor Solicitations. This
means that the adjacent routers have lost the binding between
datalink and network address and also that all layer-2 switches have
lost the binding between the datalink-layer address and the port/
interface. So, it is not possible to send a unicast IPv4 or IPv6
packet containing this magic packet as it will be dropped by the
router (no adjacency information). In IPv4, a local configuration
can allow the 'directed broadcast' (see RFC2644 [RFC2644])such that
Vyncke, et al. Expires December 28, 2015 [Page 2]
Internet-Draft Pv6-Only for Wired Thin-Clients June 2015
the magic packet can be sent to an IPv4 directed broadcast which will
be sent to a datalink-layer broadcast, i.e. forwarded on all ports of
all routers and switches in the same layer-2 domain. Therefore, the
magic packet will reach all hosts including the sleeping one.
In IPv6, there is no directed broadcast for good reason. Only a
link-local multicast group such as ff02::1 for all link-local hosts.
So, the magic packet for a single host could be sent to this
multicast group, reaching all link-local hosts (as switches and
routers will forward this packet to all ports/interfaces) and waking
up the sleeping node. But, there is no solution for a remote
operator to send this magic packet...
1.3. Mitigation
A trivial solution would be to hard code in the router configuration
a specific global or ULA address to the broadcast data-link layer
address. For example, to reach all nodes in 2001:db8::/64, let's
configure a static Neighbor Cache entry for 2001:db8::cafe:c0:ffee as
ff-ff-ff-ff-ff-ff. Then a remote operator can send the magic packet
to this destination, it will be routed across the layer-3 network,
will be addressed to the data-link layer broadcast address which will
be flooded by all layer-2 switches on all their ports, finally
reaching the sleeping host.
This approach has two drawbacks:
1. provisioning of all those mappings in all routers
2. opening a door to a denial of service attack: a remote hostile
party could keep sending packets this is specific unicast address
forcing all hosts to stay awake, hence wasting electrical energy.
As this address is a unicast address which does not belong to any
physical host on the layer-2 domain, then all nodes will silently
discard this packet at the layer-3.
Another approach would be to have a management plane command (SNMP or
Netconf) to send the magic packet directly to the Ethernet broadcast
using any ethertype.
2. Preboot Execution Environment
2.1. Description
Preboot Execution Environment also known as PXE is specified in
[PXE21]. It allows for any host to boot a complete viable operating
system and file system via the use of Dynamic Host Configuration
Vyncke, et al. Expires December 28, 2015 [Page 3]
Internet-Draft Pv6-Only for Wired Thin-Clients June 2015
Protocol and ancilliary protocols such as Trivial File Transfer
Protocol and HyperText Transfer Protocol.
2.2. Issue
The specification has no mention of IPv6 and while DHCP and TFTP
support IPv6, there are differences between DHCP for IPv4 and for
IPV6. This lack of IPv6 support is addressed in RFC5970 [RFC5970]
but there are little to no implementation for this IPv6-enabled PXE.
This makes impossible for a thin-client host to boot its complete
operating system and file system over an IPv6-only network.
2.3. Mitigation
It is mainly an implementation issue in the boot PROM + DHCPv6
servers. Some of the boot PROMS use flash technology so they could
be reprogrammed to fully support RFC5970 [RFC5970]
On the other hand, PXE boot over IPv6 is possible: see [Zimmer2013],
relying on Unified Extensible Firmware Interface [UEFI].
3. 3rd issue
Placeholder for any further issue to be described later.
4. IANA Considerations
This document contains no IANA considerations.
5. Security Considerations
The security considerations are detailed in previous sections.
6. Acknowledgements
The author would like to thank Armin Wittman, Alain Fiocco, Steve
Simlo, Stig Venaas for some discussions on this topic.
7. References
7.1. Normative References
[PXE21] Intel, , "Preboot Execution Environment (PXE)
Specification", 1999,
<ftp://download.intel.com/design/archives/wfm/downloads/
pxespec.pdf>.
Vyncke, et al. Expires December 28, 2015 [Page 4]
Internet-Draft Pv6-Only for Wired Thin-Clients June 2015
[RFC5970] Huth, T., Freimann, J., Zimmer, V., and D. Thaler, "DHCPv6
Options for Network Boot", RFC 5970, September 2010.
[UEFI] "Unified Extensible Firmware Interface Specification",
April 2015,
<http://www.uefi.org/sites/default/files/resources/
UEFI%202_5.pdf>.
[WOL] AMD, , "Magic Packet Technology", 1995,
<http://support.amd.com/TechDocs/20213.pdf>.
[Zimmer2013]
Zimmer, V., "Configuring an IPV6 network boot", October
2013, <http://vzimmer.blogspot.com/2013/10/
configuring-ipv6-network-boot.html>.
7.2. Informative References
[RFC2644] Senie, D., "Changing the Default for Directed Broadcasts
in Routers", BCP 34, RFC 2644, August 1999.
Authors' Addresses
Eric Vyncke
Cisco
De Kleetlaan 6a
Diegem 1831
Belgium
Phone: +32 2 778 4677
Email: evyncke@cisco.com
Andrew Yourtchenko
Cisco
De Kleetlaan 6a
Diegem 1831
Belgium
Phone: +32478681281
Email: ayourtch@cisco.com
Vyncke, et al. Expires December 28, 2015 [Page 5]
Internet-Draft Pv6-Only for Wired Thin-Clients June 2015
Derk-Jan Valenkamp
ETH Zurich
Weinbergstrasse 43
Zurich 8092
Switzerland
Phone: +41 44 632 50 86
Email: derk-jan.valenkamp@id.ethz.ch
Vyncke, et al. Expires December 28, 2015 [Page 6]