Internet DRAFT - draft-yourtchenko-ipv6-disable-ipv4-proxyarp
draft-yourtchenko-ipv6-disable-ipv4-proxyarp
Network Working Group A. Yourtchenko
Internet-Draft cisco
Intended status: Standards Track O. DeLong
Expires: November 11, 2013 May 10, 2013
Disable "Proxy ARP for Everything" on IPv4 link-local in the presence of
IPv6 global address
draft-yourtchenko-ipv6-disable-ipv4-proxyarp-00
Abstract
rfc3927 defines the behavior "Proxy ARP for Everything" in case the
only address present on the host is IPv4 link-local. However, it
does not specify anything about the presence or absence of IPv6
global addressing. This results in the hosts assuming it has both
IPv4 and IPv6 connectivity in the scenario where the host itself is
dualstack-enabled, but the network supplies only IPv6 configuration
information. Some implementations in this case may decide to use
IPv4, which results in long connection delays. This document
proposes to avoid the "Proxy ARP for Everything" behavior if the host
has been assigned an IPv6 address.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 11, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Yourtchenko & DeLong Expires November 11, 2013 [Page 1]
�
Internet-DrafDisable Proxy ARP on IPv4 Link-local With IPv6 May 2013
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Security Considerations . . . . . . . . . . . . . . . . . . . 3
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 3
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 3
7.1. Normative References . . . . . . . . . . . . . . . . . . 4
7.2. Informative References . . . . . . . . . . . . . . . . . 4
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
Section 2.6.2 of Dynamic Configuration of IPv4 Link-Local Addresses
[RFC3927] says: "In the case of a device with a single interface and
only a Link-Local IPv4 address, this requirement can be paraphrased
as "ARP for everything"."
In the case of dualstack-enabled host, which is only supplied the
IPv6 configuration from the network, this behavior still causes the
application layers to believe that they have both IPv4 and IPv6
connectivity.
This results in undesirable behavior in two cases: applications that
are IPv4-only, and applications that are assuming that IPv4 is always
available (i.e. those incorrectly implementing RFC 6555 [RFC6555]
and always using only IPv4 as the "fallback" connection, possibly
even preferring it over IPv6.
Especially problematic are the cases where the OS stack will return
the list of addresses in the getaddrinfo() call sorted with IPv4 in
the beginning, and the application would assume that the
getaddrinfo() always returns IPv6 first. While one can argue that
the applications implementing "happy eyeballs" algorithms should not
depend on the sort order of the entries, this behavior would break a
lot of "legacy" applications that sequentially try the addresses
returned by getaddrinfo().
Yourtchenko & DeLong Expires November 11, 2013 [Page 2]
�
Internet-DrafDisable Proxy ARP on IPv4 Link-local With IPv6 May 2013
The "ARP for everything" rule causes an interface route to 0.0.0.0/0
to be installed by the hosts, and IPv4 connection attempt will then
take a very long time to time out, without any recourse to intervene
from the network side - short of either replying on each ARP request
and then spoofing the rejection of the connection by the remote host,
or assigning bogus IPv4 addresses, with the default gateway rejecting
all of the IPv4 traffic with ICMP Unreachable messages.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [RFC2119].
3. Description
This proposal suggests to change the wording of the Section 2.6.2 of
the Dynamic Configuration of IPv4 Link-Local Addresses [RFC3927] to
include the clarification: "If the host has any interface with a
global unicast IPv6 address assigned and any IPv6 route to any non-
connected network (including default), then the host MUST immediately
return an error rather than transmit any packet with a link-local
IPv4 source address unless the destination is also an IPv4 link-local
address."
4. Security Considerations
The proposed behavior adjustment does create a potential for a DoS if
the host uses IPv4 link-local only addressing, and the attacker
forces IPv6 configuration by e.g. sending a rogue RA. The authors
believe this scenario is a comparatively much more infrequent than
the IPv6-only scenario - especially as the transition to IPv6
progresses. During the transition period the network administrators
will have to secure both protocols, regardless of whether the
addressing information is supplied by the network or not.
5. Acknowledgements
This document was born after a discussion at gogoNET LIVE! 3
conference held November 12 - 14, 2012 at San Jose State University
6. IANA Considerations
None.
7. References
Yourtchenko & DeLong Expires November 11, 2013 [Page 3]
�
Internet-DrafDisable Proxy ARP on IPv4 Link-local With IPv6 May 2013
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6555] Wing, D. and A. Yourtchenko, "Happy Eyeballs: Success with
Dual-Stack Hosts", RFC 6555, April 2012.
7.2. Informative References
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of IPv4 Link-Local Addresses", RFC 3927, May
2005.
Appendix A. Change History
[Note to RFC Editor: Please remove this section prior to
publication.]
Authors' Addresses
Andrew Yourtchenko
Cisco Systems, Inc.
6a de Kleetlaan
Diegem 1831
BE
Phone: +32 2 704 5494
Email: ayourtch@cisco.com
Owen DeLong
3251 Firth Way
San Jose CA 95121
US
Phone: +32 2 704 5494
Email: owen@delong.com
Yourtchenko & DeLong Expires November 11, 2013 [Page 4]
