IPv6 Operations (v6ops) Working Group X. Xiao Internet Draft E. Vasilenko Intended status: Informational Huawei Technologies Expires: February 2025 E. Metz KPN G. Mishra Verizon Inc. N. Buraglio Energy Sciences Network August 22, 2024 Neighbor Discovery Considerations in IPv6 Deployments draft-ietf-v6ops-nd-considerations-05 Abstract Neighbor Discovery (ND) is a critical part of IPv6. ND uses multicast extensively and trusts all hosts. In some scenarios, such as wireless networks, multicast can be inefficient. In other scenarios, such as public access networks, hosts may not be trustworthy. Consequently, ND can have issues in some scenarios. The issues and mitigation solutions are documented in more than 20 RFCs, making it challenging to track all these issues and solutions. Therefore, an overview document is helpful. This document first summarizes the published ND issues and the solutions. This provides a one-stop reference. This document then analyzes these mitigation solutions to reveal that isolating hosts into different subnets or links can help prevent ND issues. Three isolation methods and their applicability are described. A simple guideline is provided for selecting a suitable isolation method to prevent potential ND issues. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents Xiao Expires February 22, 2025 [Page 1] Internet-Draft nd-considerations August 2024 at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire in Feb. 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction...................................................3 1.1. Terminology...............................................4 2. Review of ND Issues............................................5 2.1. Multicast May Cause Performance and Reliability Issues....5 2.2. Trusting-all-hosts May Cause On-link Security Issues......6 2.3. Router-NCE-on-Demand May Cause Forwarding Delay, NCE Exhaustion, and Lack of Subscriber Management Issues...........7 2.4. Summary of ND Issue.......................................7 3. Review of ND Mitigation Solutions..............................8 3.1. ND Solution in Mobile Broadband IPv6.....................10 3.2. ND Solution in Fixed Broadband IPv6......................10 3.3. Unique IPv6 Prefix per Host..............................11 3.4. Wireless ND and Subnet ND................................12 3.5. Scalable Address Resolution Protocol.....................13 3.6. ARP and ND Optimization for Transparent Interconnection of Lots of Links (TRILL):........................................13 3.7. Proxy ARP/ND in EVPN.....................................13 3.8. Gratuitous Neighbor Discovery............................14 3.9. Reducing Router Advertisements...........................14 3.10. Source Address Validation Improvement and Router Advertisement Guard...........................................15 3.11. RFC 6583 Dealing with Operational Neighbor Discovery Problems......................................................15 3.12. Enhanced DAD............................................16 Xiao Expires February 22, 2025 [Page 2] Internet-Draft nd-considerations August 2024 3.13. ND Mediation for IP Interworking of Layer 2 VPNs........16 3.14. ND Solutions Defined before the Latest Versions of ND...16 3.14.1. SeND...............................................16 3.14.2. Cryptographically Generated Addresses (CGA)........17 3.14.3. ND Proxy...........................................17 3.14.4. Optimistic DAD.....................................18 4. Prevention of Potential ND Issues.............................18 4.1. Learning Host Isolation from the Existing Solutions......18 4.2. Applicability of Various Isolation Methods and a Simple Guideline.....................................................19 4.2.1. Applicability of "L3 & L2 Isolation"................19 4.2.2. Applicability of L3 Isolation.......................20 4.2.3. Applicability of Partial L2 Isolation...............21 4.2.4. A Simple Guideline..................................21 5. Security Considerations.......................................21 6. IANA Considerations...........................................21 7. References....................................................22 7.1. Informative References...................................22 8. Acknowledgments...............................................25 1. Introduction Neighbor Discovery [ND] is specified in RFC 4861. It defines how hosts and routers on the link interact with each other. ND contains eight main procedures: 1. Host's Duplicate Address Detection (DAD): hosts generate Link- Local Addresses (LLAs) and use multicast Neighbor Solicitations (NSs) for DAD. 2. Router Discovery: hosts send multicast Router Solicitations (RSs) to discover the routers. Routers respond with unicast Router Advertisements (RAs) with subnet prefixes for the link and other information. Routers also send unsolicited multicast RAs from time to time. 3. Host's Global Unicast Address (GUA) DAD: hosts form GUA and use multicast NSs for DAD. This procedure is the same for Unique Local Address (ULA) DAD. GUA DAD and ULA DAD are not further distinguished for simplicity of description. 4. Router's Neighbor Discovery: When a router is to forward a packet to an on-link host for the first time, the router uses multicast NSs to perform address resolution for the host. 5. Host's Neighbor Discovery: When a host is to send a packet to another on-link host, the source host uses multicast NSs to perform address resolution for the destination host. 6. Host/router's Node Unreachability Detection (NUD): hosts/routers use unicast NSs for NUD. Xiao Expires February 22, 2025 [Page 3] Internet-Draft nd-considerations August 2024 7. Host's link-layer address change announcement: hosts may use multicast NAs to announce link-layer address changes. 8. Router's Redirect: Routers send Redirect packets to inform a host of a better router or that the destination host is on- link. ND can have issues in some scenarios due to the use of multicast, trusting all hosts, or installing NCE entries on demand. Various ND issues and mitigation solutions have been published in more than 20 RFCs, including: . ND Trust Models and Threats [RFC3756], . Secure ND [SeND], . Cryptographically Generated Addresses [CGA], . ND Proxy [RFC4389], . Optimistic ND [RFC4429], . ND for mobile broadband [RFC6459][RFC7066], . ND for fixed broadband [TR177], . ND Mediation [RFC6575], . Operational ND Problems [RFC6583], . Wireless ND (WiND) [RFC6775][RFC8505][RFC8928][RFC8929][SND], . DAD Proxy [RFC6957], . Source Address Validation Improvement [SAVI], . Router Advertisement Guard [RA-Guard][RA-Guard+], . Enhanced Duplicate Address Detection [RFC7527], . Scalable ARP [RFC7586], . Reducing Router Advertisements [RFC7772], . Unique Prefix Per Host [RFC8273], . ND Optimization for TRILL [RFC8302], . Gratuitous Neighbor Discovery [GRAND], . Proxy ARP/ND for EVPN [RFC9161]. Because of the number of RFCs involved, it can become difficult to track issues and solutions. This document summarizes these RFCs into a one-stop reference to better inform network administrators about potential ND issues and mitigation solutions. This document also identifies three host isolation methods that are useful for preventing potential ND issues and provides a simple guideline for selecting one of them. 1.1. Terminology Some important terms are defined in this section. Xiao Expires February 22, 2025 [Page 4] Internet-Draft nd-considerations August 2024 MAC - To avoid confusion with Link-Local Address (LLA), link- layer addresses are referred to as MAC addresses in this document. Host Isolation - separating hosts into different subnets or links. Subnet & Link Isolation - assigning a unique prefix to each host, and connecting each host in a P2P link to the router. Every host is therefore in its subnet and its link. This is also called L3 & L2 Isolation. Subnet Isolation - assigning a unique prefix per host so that each host is in its subnet. The hosts may be in the same link or different links. This is also called L3 Isolation. Proxy Isolation - using a routing proxy device to represent the hosts behind it and separating hosts in a subnet into multiple multicast domains. This is also called Partial L2 Isolation. 2. Review of ND Issues 2.1. Multicast May Cause Performance and Reliability Issues ND uses multicast for Node Solicitations (NSs), Node Advertisements (NAs), Router Solicitations (RSs) and Router Advertisements (RAs). Multicast can be inefficient in some scenarios, e.g. large L2 networks and wireless networks. In large L2 networks, ND multicast can create a large amount of protocol traffic. This can consume network bandwidth, create a processing burden, and reduce network performance [RFC7342]. In wireless networks, multicast messages often require special processing. For example, to ensure that the multicast messages reach even the remotest hosts, multicast messages may be sent at the lowest modulation rate. In some scenarios, multicast may be converted into multiple unicast messages. In addition, many mobile devices drop substantial percentages of multicast traffic on Wi-Fi by listening to only one out of multiple Delivery Traffic Indication Message (DTIM) beacons. Consequently, multicast in wireless networks reduces not only performance but also reliability [RFC9119]. For example, DAD uses the lack of a response as an indication that the address is not currently in use. If the DAD multicast messages are lost, DAD will not work properly. Xiao Expires February 22, 2025 [Page 5] Internet-Draft nd-considerations August 2024 ND uses multicast in the following messages. Multicast impact on performance and reliability is summarized below: . Hosts' LLA, GUA, or ULA DAD: may cause performance issues in both wired and wireless networks, and possibly reliability issues in wireless networks. . Router's periodic unsolicited RAs: multicast RAs are generally limited to one packet every 3s, and there are usually only one or two routers on the link, so it is unlikely to cause a performance issue. However, for battery-powered hosts, such messages may wake them up and create battery life issues [RFC7772]. Additionally, three RAs in a row may be lost in wireless which depreciates the router on the host. . Router's address resolution for hosts: in a network of N hosts, there can be N such multicast messages. This may cause performance issues when N is large. . Hosts address resolution for hosts: in a network of N hosts, there can be N-square such multicast messages. This may cause performance issues when N is large. . Hosts' MAC address change NAs: this type of multicast message is rare and will not cause a performance or reliability issue. It will not be further discussed. Multicast originated from hosts and routers will be called host multicast and router multicast hereafter. 2.2. Trusting-all-hosts May Cause On-link Security Issues ND trusts all hosts. In some scenarios, such as public access networks, some hosts may not be trustworthy. An attacker on the link can cause the following security issues [RFC3756][RFC9099]: . Source IP address spoofing: an attacker can use a victim host's IP address as the source address of its ND message to pretend to be the victim. The attacker can then launch Redirect or Denial of Service (DoS) attacks on the victim. . DAD denial: an attacker can repeatedly reply to a victim's DAD messages, causing the victim's address configuration procedure to fail, resulting in a denial of service to the victim host. . Forged RAs: an attacker can send RAs to other hosts to claim to be a router and preempt the real router, resulting in a Redirect attack [RA-Guard]. . Forged Redirects: an attacker can pretend to be the router and send Redirects to other hosts to redirect their traffic from the router to itself, resulting in a Redirect attack. Xiao Expires February 22, 2025 [Page 6] Internet-Draft nd-considerations August 2024 . Replay attacks: an attacker can capture valid ND messages and replay them later. 2.3. Router-NCE-on-Demand May Cause Forwarding Delay, NCE Exhaustion, and Lack of Subscriber Management Issues In ND, a router does not maintain (IP, MAC address) binding (i.e. Neighbor Cache Entry or NCE) for a host until it is needed. This is called Router-NCE-on-Demand in this document. When a router is to forward a packet to a host, it will perform address resolution to find the MAC address of the host. This can cause multiple issues: . The packet has to be buffered before the router finds out the MAC address of the host. This delays forwarding and depending on the router's buffer size may also cause packet loss. This is called "Router-NCE-on-Demand Forwarding Delay" in this document. . The way ND performs address resolution is the source node will create an NCE entry first and set its state to INCOMPLETE, then the node will multicast NSs to all the nodes and wait for the destination node to reply with its MAC address. This creates a security vulnerability. If an attacker sends a large number of packets destined to non-existing IP addresses, the router will create a large amount of NCEs in INCOMPLETE state while trying to resolve the MAC addresss. The router may run out of resources and stop functioning. This is called "NCE Exhaustion" in this document. Note that in this case, the attacker can be off-link. . With SLAAC, a host forms its own IP address. A router does not know the host's IP address until an NCE entry is installed. In a service provider network, subscribers are typically managed by their IP addresses. Consequently, if the router does not know a host's IP address, the service provider cannot manage the subscriber. This is an issue for public access networks. 2.4. Summary of ND Issue The ND issues discussed in Sections 2.1 to 2.3 are summarized below. It is worth noting that these issues originate from three causes: multicast, trusting all hosts, and Router-NCE-on-Demand. If a cause can be eliminated, the corresponding issues will also be eliminated. This points out the directions for preventing ND issues. . Performance issues caused by multicast o I1: LLA DAD degrading performance o I2: Unsolicited RA draining hosts' battery Xiao Expires February 22, 2025 [Page 7] Internet-Draft nd-considerations August 2024 o I3: GUA DAD degrading performance o I4: Router address resolution for hosts degrading performance o I5: Host Address resolution for other hosts degrading performance . Reliability issues caused by multicast o I6: LLA DAD not reliable for wireless networks o I7: GUA DAD not reliable for wireless networks . On-link security issues caused by trusting all hosts o I8: Source IP address spoofing o I9: DAD denial o I10: Forged RAs o I11: Forged Redirects o I12: Replay attacks . Router-NCE-on-Demand related issues o I13: Router NCE exhaustion o I14: Router forwarding delay o I15: Lack of subscriber management with SLAAC It is worth noting that these are just potential issues. Depending on the usage scenarios, they may not actually occur. When the above issues can happen, it is advisable to be aware of the mitigation solutions available for them, as described in the next section. 3. Review of ND Mitigation Solutions This section reviews the ND mitigation solutions developed over the years so that network administrators can get an idea of what solutions are available for which issues. They are summarized in Table 1 below for easy reference. The solutions are reviewed in an order that helps to reveal a methodology that can be useful for preventing ND issues, which will be discussed in Section 4. +-----+-------------------+--------+--------+--------+------+-----+ | | Multicast | Reli- |On-link |R NCE |R Fwd.|NoSub| | | performance | ability|security|Exhaust.|Delay |Mgmt.| +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |Issue| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8-12 | 13 | 14 | 15 | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ Xiao Expires February 22, 2025 [Page 8] Internet-Draft nd-considerations August 2024 |MBBv6| All issues solved | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |FBBv6| All issues solved | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |8273 | | X | X | X | X | | X | | X | X | X | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |WiND | All issues solved for LLNs | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |SARP | | | | | X | | | | | | | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |ND | | | | | X | | | | | | | |TRILL| | | | | | | | | | | | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |ND | | | | | X | | | | | | | |EVPN | | | | | | | | | | | | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |7772 | | X | | | | | | | | | | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |GRAND| | | | X | | | | | |Partly| | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |SAVI/| | | | | | | | | | | | |RA | | | | | | | | X | | | | |G/G+ | | | | | | | | | | | | Xiao Expires February 22, 2025 [Page 9] Internet-Draft nd-considerations August 2024 +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ |6583 | | | | | | | | | X | | | +-----+---+---+---+---+---+---+----+--------+--------+------+-----+ Table 1. Solutions for identified issues 3.1. ND Solution in Mobile Broadband IPv6 Mobile Broadband IPv6 (MBBv6) is defined in "IPv6 in 3GPP EPS" [RFC6459], "IPv6 for 3GPP Cellular Hosts" [RFC7066], and "Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link" [RFC7278]. The solution key points are: . Putting every host, i.e. the mobile User Equipment (UE), in a P2P link with the router, i.e. the mobile gateway. MBBv6 also simplifies ND to take advantage of this P2P architecture. As a result: o All multicast is effectively turned into unicast. o The P2P links in MBB do not have MAC address. Therefore, Router-NCE-on-Demand is not needed. o Trusting-all-host is only relevant to the router. By applying some filtering at the router, e.g. dropping RAs from the host, even malicious hosts cannot cause security harm. . Assigning a unique /64 prefix to each host. Together with the P2P link, this puts each host in a separate link and subnet. . Maintaining (prefix, interface) binding at the router for forwarding purpose. Since all the three causes of ND issues are addressed, MBBv6 solves all ND issues. 3.2. ND Solution in Fixed Broadband IPv6 FBBv6 is defined in "IPv6 in the context of TR-101" [TR177]. FBBv6 has two flavors: . P2P: every host, i.e. the Residential Gateway (RG), is in a P2P link with the router, i.e. the Broadband Network Gateway (BNG). In this case, the solution is essentially the same as MBBv6. All ND issues are solved. . P2MP: all hosts on an access device, e.g. the Optical Line Terminal (OLT), are in a P2MP link with the router. This is Xiao Expires February 22, 2025 [Page 10] Internet-Draft nd-considerations August 2024 implemented by aggregating all hosts into a single VLAN at the router and implementing Split Horizon at the access device to prevent direct host communication. The key points of FBBv6-P2MP [TR177] are: . Implementing DAD Proxy [RFC6957]: P2MP architecture with Split Horizon breaks normal ND's DAD procedure. Because all hosts are in the same interface from the router's perspective, the router must ensure that the hosts have different LLAs and GUAs. Otherwise, the router will not be able to distinguish them. However, because hosts cannot reach each other, normal DAD will not function as expected. Therefore, the router must participate in the hosts' DAD process and help hosts resolve duplication. With P2MP link and DAD Proxy: o All host multicast to the router is effectively turned into unicast, as every host can only reach the router. o Trusting-all-host is only relevant to the router. By applying some simple filtering at the router, e.g. dropping RAs from the host, even malicious hosts cannot cause security harm. . Results of assigning a unique /64 prefix to each host: o The router can proactively create (IP prefix, MAC address) binding and use it for forwarding. There is no Router- NCE-on-Demand. o Since different hosts are in different subnets, hosts will send traffic to other hosts via the router. There is no address resolution for other hosts. o Without address resolution, router multicast to hosts consists only of unsolicited RAs. Because every host is in its subnet, unsolicited RAs will be sent individually to each host with the "host's MAC address replacing the multicast MAC address" approach specified in [RFC6085]. Therefore, router multicast is turned into unicast. Since all three causes of ND issues are addressed, FBBv6-P2MP addresses all ND issues. 3.3. Unique IPv6 Prefix per Host Unique IPv6 Prefix per Host is specified in [RFC8273]. The purpose is to "improve host isolation and enhanced subscriber management on shared network segments" such as Wi-Fi or Ethernet. The solution key points are: . Assigning a unique prefix to each host with SLAAC. As a result: Xiao Expires February 22, 2025 [Page 11] Internet-Draft nd-considerations August 2024 o When a prefix is assigned to the host, the router can proactively create (Prefix, MAC address) binding and use it for forwarding. There is no more Router-NCE-on-Demand. o Since different hosts are in different subnets, hosts will send traffic to other hosts via the router. There is no host-to-host address resolution. o Without address resolution, downstream multicast to hosts consists only of unsolicited RAs. They will be sent host by host in unicast because the prefix for every host is different. Therefore, ND issues caused by NCE-on-Demand and router multicast are avoided. RFC 8273 believes that "A network implementing a unique IPv6 prefix per host can simply ensure that devices cannot send packets to each other except through the first-hop router". But this may not be true when hosts are on a shared medium like Ethernet. In this case, hosts may still reach each other in L2 with their LLAs via upstream multicast. So, issues caused by host multicast and Trusting-all- hosts may happen. 3.4. Wireless ND and Subnet ND Wireless ND (WiND) is specified in a series of RFCs [RFC6775][RFC8505][RFC8928][RFC8929]. WiND defines a fundamentally different ND solution for Low-Power and Lossy Networks (LLNs) [RFC7102]. WiND changes host and router behaviors to use multicast only for router discovery. The solution key points are: . Hosts use unicast to proactively register their addresses at the routers. Routers use unicast to communicate with hosts and become an abstract registrar and arbitrator for address ownership. . The router also proactively installs Neighbor Cache Entries (NCEs) for the hosts. This avoids the need for address resolution for the hosts. . The router sets PIO L-bit to 0. Each host communicates only with the router. . Other functionalities that are relevant only to LLNs. WiND addresses all ND issues in LLNs. If it is used outside LLNs, it avoids ND issues caused by NCE-on-Demand and router multicast. Xiao Expires February 22, 2025 [Page 12] Internet-Draft nd-considerations August 2024 Subnet Neighbor Discovery [SND] generalizes the solutions defined in WiND and defines a new protocol named Subnet Gateway Protocol (SGP). It is being discussed in the IPv6 Maintenance (6man) WG. 3.5. Scalable Address Resolution Protocol Scalable Address Resolution Protocol (SARP) is an Experimental solution specified in [RFC7586]. The usage scenario is DCs where large L2 domains span across multiple sites. In each site, multiple hosts are connected to a switch. The hosts can be VMs so the number can be large. The switches are interconnected by a native or overlay L2 network. The switch will snoop and install (IP, MAC address) proxy table for the local hosts. The switch will also reply to address resolution requests from other sites to its hosts with its own MAC address. This way, all hosts in a site will appear to have a single MAC address to other sites. Therefore, a switch only needs to build a MAC address table for the local hosts and the remote switches, not for all the hosts in the L2 domain. The MAC address table size of the switches is therefore significantly reduced. A switch will also add the (IP, MAC address) replies from remote switches to its proxy ND table so that it can reply to future address resolution requests for such IPs directly. This greatly reduces the number of address resolution multicast in the network. Unlike MBBv6, FBBv6, and RFC 8372 which try to address all ND issues, SARP focuses on reducing address resolution multicast to improve the performance and scalability of large L2 domains in DCs. 3.6. ARP and ND Optimization for Transparent Interconnection of Lots of Links (TRILL): ARP and ND Optimization for TRILL is specified in [RFC8302]. The solution is very similar to SARP discussed in Section 3.5. It can be considered as an application of SARP in the TRILL environment. Like SARP, ARP, and ND Optimization for TRILL focuses on reducing multicast address resolution. 3.7. Proxy ARP/ND in EVPN Proxy ARP/ND in EVPN is specified in [RFC9161]. The usage scenario is Data Centers (DCs) where large L2 domains span across multiple sites. In each site, multiple hosts are connected to a Provider Edge Xiao Expires February 22, 2025 [Page 13] Internet-Draft nd-considerations August 2024 (PE) router acting as a switch. The PEs are interconnected by an overlay network. PE of each site snoops the local address resolution NAs to build (IP, MAC address) Proxy ND table entries. PEs then propagate such Proxy ND entries to other PEs via BGP EVPN. Each PE also snoops address resolution NSs from its hosts. If an entry exists in its Proxy ND table for the specified destination IP address, the PE will reply directly. Consequently, the number of multicast address resolution messages is significantly reduced. Like SARP, Proxy ARP/ND in EVPN also focuses on reducing address resolution multicast. 3.8. Gratuitous Neighbor Discovery Gratuitous Neighbor Discovery is specified in [GRAND]. GRAND changes ND in the following ways: . A node sends unsolicited NAs upon assigning a new IPv6 address to its interface. . A router creates a new NCE for the host and sets its state to STALE. Later, when the router receives traffic to the host, the existence of the NCE entry in the STALE state will cause the router to send unicast NS to the host to verify its reachability rather than sending multicast NS to resolve its MAC address. This can shorten the time the host's NCE entry reaches the REACHABLE state and improve forwarding performance. Therefore, GRAND provides an improvement but does not fully solve the Router-NCE-on-Demand issues. For example, NCE exhaustion can still happen. 3.9. Reducing Router Advertisements [RFC7772] specifies a solution for reducing RAs: . The router should respond to RS with unicast RA if the host's source IP address is specified (i.e. the RS is not the first RS before GUA DAD) and the host's MAC address is valid. . The router should reduce multicast RA frequency. . Sleeping hosts that process unicast packets while asleep must also process multicast RAs while asleep. . Sleeping hosts that do not intend to maintain IPv6 connectivity while asleep should either disconnect from the network and Xiao Expires February 22, 2025 [Page 14] Internet-Draft nd-considerations August 2024 clear all IPv6 configuration or perform Detecting Network Attachment in IPv6 (DNAv6) procedures [RFC6059] when waking up. By reducing RAs, RFC 7772 reduces the energy consumption of battery- powered hosts that can be awakened by RAs. 3.10. Source Address Validation Improvement and Router Advertisement Guard Source Address Validation Improvement [SAVI] binds an address to a port and rejects claims from other ports for that address. Therefore, a node cannot spoof the IP address of another node. [RA-Guard] and [RA-Guard+] only allow RAs from a port that a router is connected to. Therefore, nodes on other ports cannot pretend to be a router. [SAVI], [RA-Guard], and [RA-Guard+] address the on-link security issues. 3.11. RFC 6583 Dealing with Operational Neighbor Discovery Problems Router NCE Exhaustion handling is described in [RFC6583]. This is to deal with the off-link attack issue discussed in Section 2.3. The solution key points are: . For operators: o Filtering of unused address space so that messages to such addresses can be dropped rather than triggering NCE creation; o Rate-limiting the NDP queue to avoid CPU/memory overflow. . For vendors: o Prioritizing NDP processing for existing NCEs over creating new NCEs RFC 6583 acknowledges that "some of these options are 'kludges', and can be operationally difficult to manage". RFC 6583 partially addresses the Router NCE Exhaustion issue. In the real world, network equipment vendors simply limit the number of NCE entries on a router interface to prevent Router NCE Exhaustion. But this can have a side-effect. When a host uses more IPv6 addresses than the limit, irregular packet drops may result because the router does not maintain NCEs for all those IPv6 addresses [DHCP-PD]. Xiao Expires February 22, 2025 [Page 15] Internet-Draft nd-considerations August 2024 3.12. Enhanced DAD Enhanced DAD is specified in [RFC7527]. Enhanced DAD addresses a DAD failure issue in a specific situation: looped back interface. DAD will fail in a looped-back interface because the sending host will receive the DAD message back and will interpret it as another host is trying to use the same address. The solution is to include a Nonce option (defined in [SeND]) in each DAD message so that the sending host can detect that the looped-back DAD message is sent by itself. Enhanced DAD does not solve any ND issue discussed in Section 2. It extends ND to work in a new scenario: looped-back interface. It is reviewed here only for completeness. 3.13. ND Mediation for IP Interworking of Layer 2 VPNs ND mediation is specified in [RFC6575]. When two Attachment Circuits (ACs) are interconnected by a Virtual Private Wired Service (VPWS), and the two ACs are of different media (e.g. one is Ethernet while the other is Frame Relay), the two Provider Edges (PEs) must interwork to provide mediation service so that a Customer Edge (CE) can resolve the MAC address of the remote end. RFC 6575 specifies such a solution. ND Mediation does not address any ND issue discussed in Section 2. It extends ND to work in a new scenario: two ACs of different media interconnected by a VPWS. It is reviewed here only for completeness. 3.14. ND Solutions Defined before the Latest Versions of ND The latest versions of [ND] and [SLAAC] are specified in RFCs 4861 and 4862. Several ND mitigation solutions are based on the older version of ND and SLAAC. They are reviewed in this section only for completeness. 3.14.1. SeND Secure Neighbor Discovery [SeND] is specified in RFC 3971. The purpose is to ensure that hosts and routers are trustworthy. SeND defined three new ND options (i.e. Cryptographically Generated Addresses [CGA], RSA public-key cryptosystem, Timestamp/Nonce), an authorization delegation discovery process, an address ownership proof mechanism, and requirements for the use of these components in NDP. Xiao Expires February 22, 2025 [Page 16] Internet-Draft nd-considerations August 2024 SeND addresses the Trusting-all-hosts issues. But it has high requirements on the hosts and routers, especially to maintain the keys. It has very low market adoption. 3.14.2. Cryptographically Generated Addresses (CGA) Cryptographically Generated Addresses [CGA] is specified in RFC 3972. The purpose is to associate a cryptographic public key with an IPv6 address in [SeND]. The solution key point is to generate the Interface Identifier (IID) of the IPv6 address by computing a cryptographic hash of the public key. The resulting IPv6 address is called a CGA. The corresponding private key can then be used to sign messages sent from the address. CGA uses the fact that a legitimate host does not care about the bit combination of IID that would be created by some hash procedure. The attacker needs an exact IID to impersonate the legitimate hosts but then the attacker is challenged to do a reverse hash calculation that is a strong mathematical challenge. CGA is part of SeND. It has low market adoption. 3.14.3. ND Proxy ND Proxy is specified in [RFC4389]. It is an Experimental solution. The purpose is to enable multiple links joined by an ND-Proxy device to work as a single link. The ND-Proxy acts like a bridge: . When it receives an ND request from a host in a link, it will "proxy" the message out the "best" outgoing interface. If there is no "best" interface, the ND-Proxy will "proxy" the message to all other links. Here "proxy" means acting as if the ND message originates from the ND-Proxy itself. That is, the ND-Proxy will change the ND message's source IP and source MAC address to the ND-Proxy's outgoing interface's IP and MAC address, and create an NCE entry at the outgoing interface accordingly. . When ND-Proxy receives an ND reply, it will act as if the ND message is destined to itself, and update the NCE entry state at the receiving interface. Based on such state information, the ND-Proxy can determine the "best" outgoing interface for future ND requests. The ND-Proxy then "proxy" the ND message back to the requesting host. Xiao Expires February 22, 2025 [Page 17] Internet-Draft nd-considerations August 2024 ND Proxy does not solve any ND issue discussed in Section 2. It extends ND to work in a new scenario: multiple links joined by a device that is not a bridge but acting like a bridge. The idea of ND Proxy is widely used in SARP, ND Optimization for TRILL, and Proxy ARP/ND in EVPN which are discussed in Sections 3.5 to 3.7. 3.14.4. Optimistic DAD Optimistic DAD is specified in [RFC4429]. The purpose is to minimize address configuration delays in the successful case and to reduce disruption as far as possible in the failure case. That is, Optimistic DAD lets hosts immediately use the newly formed address to communicate before DAD actually completes, assuming that DAD will succeed anyway. If the address turns out to be duplicate, Optimistic DAD provides a set of mechanisms to minimize the impact. Optimistic DAD modified the original ND (RFC 2461) and SLAAC (RFC 2462) but the solution was not incorporated into the latest specification of [ND] and [SLAAC]. Optimistic DAD does not solve any ND issue discussed in Section 2. It is reviewed here only for completeness. 4. Prevention of Potential ND Issues 4.1. Learning Host Isolation from the Existing Solutions Although the various ND solutions look unrelated, dividing them into four groups helps to reveal an important point: isolating hosts can help to prevent ND issues. The first group contains MBBv6 and FBBv6. These solutions isolate hosts in both L3 and L2 by putting each host in its subnet and its link. This isolation method is called "L3 & L2 Isolation" or "Subnet & Link Isolation". It prevents ND issues caused by multicast and Trusting-all-hosts as every host is in its subnet and link. Because a router can route packets to a host based on its unique prefix, there is no need for Router-NCE-on-Demand, therefore ND issues caused by Router-NCE-on-Demand are also prevented. The second group contains Unique Prefix Per Host (UPPH) [RFC8273]. UPPH also isolates hosts into different subnets but may leave all hosts in the same shared medium. This isolation method is called "L3 Isolation" or "Subnet Isolation". As discussed in Section 3.3, this Xiao Expires February 22, 2025 [Page 18] Internet-Draft nd-considerations August 2024 isolation method prevents ND issues caused by router multicast and Router-NCE-on-Demand. The third group contains WiND, SARP, ND Optimization for TRILL, and Proxy ND in EVPN. They use a proxy device to represent the hosts behind it and effectively isolate such hosts into different multicast domains from other hosts. Multiple hosts are still in a multicast domain and all hosts are still in the same subnet. Therefore, this isolation method is called Partial L2 Isolation" or "Proxy Isolation". This isolation method alleviates ND issues from host multicast for address resolution. The fourth group contains the remaining solutions. They do not isolate hosts. They do not prevent any ND issues but focus on solving a specific ND issue. The above reveals that the stronger hosts are isolated, the more ND issues can be prevented. This is natural because isolating hosts reduces multicast scope, the number of hosts to trust, and possibly the need for Router-NCE-on-Demand, the three causes of ND issues. This understanding can be used to prevent ND issues. 4.2. Applicability of Various Isolation Methods and a Simple Guideline 4.2.1. Applicability of "L3 & L2 Isolation" The benefits are: o All ND issues can be prevented. The constraints are: o The hosts must be able to set up P2P links with the router. o Many prefixes will be needed, one per host. o This is unlikely to be an issue for IPv6. Today, any member of a Regional Internet Registry (RIR) can get a /29 [RIPE738]. This contains 32 billion /64 prefixes and should be sufficient for any scenario. MBBv6 assigning /64 prefixes to billions of mobile UEs [RFC6459] and FBBv6 assigning /56 prefixes to hundreds of millions of routed RGs [TR177] are evidence that this is doable. Xiao Expires February 22, 2025 [Page 19] Internet-Draft nd-considerations August 2024 o Each host is easily identifiable by its unique prefix. This theoretically reduces privacy. However, hosts can be identified by many other methods, e.g. by using cookies. Therefore, the real impact on privacy may be limited. o The router must support a "Subnet Isolation with P2P Link" solution, e.g. MBBv6, as described in Section 3.1. o Many interfaces will be needed at the router, one per host. o All hosts will communicate through the router, and the router may become a bottleneck. o Services relying on multicast communication among hosts, e.g. mDNS, will not work. 4.2.2. Applicability of L3 Isolation The benefits are: o All ND issues are prevented except "LLA DAD multicast degrading performance", "LLA DAD not reliable for wireless networks", and "On-link security" issues. Depending on the shared medium, these remaining issues may not happen. For example, if the shared medium is Ethernet, "LLA DAD multicast degrading performance" and "LLA DAD not reliable for wireless networks" are non-issues. If the hosts can be trusted, e.g. in a private network, "On-link security" is also a non-issue. o There is no new requirement on the hosts. Therefore, this method can be applied in many scenarios. It is practically the most usable host isolation method. The constraints are: o Many prefixes will be needed, one per host. However as explained above, this may not be an issue for organizations that can obtain sufficient IPv6 addresses from RIRs. o The router must support a Subnet Isolation solution, e.g. [RFC8273] or [DHCP-PD]. o All host-to-host communication with GUA will go through the router, and the router may become a bottleneck. Xiao Expires February 22, 2025 [Page 20] Internet-Draft nd-considerations August 2024 o Each host is identifiable by its unique prefix. This might be a privacy issue as discussed previously. 4.2.3. Applicability of Partial L2 Isolation The benefit is: o Reduced multicast especially for address resolution, as the subnet is divided into multiple multicast domains. The constraint is: o The router must support Proxy Isolation. 4.2.4. A Simple Guideline Given the applicability analysis above, network administrators can decide whether to apply any isolation method. A simple guideline is to consider the isolation methods one by one in the order listed in the previous sections, that is, from the strongest isolation to the weakest. The stronger the isolation, the more ND issues can be prevented, but the more constraints there will be. All things considered, L3 Isolation can be a good tradeoff as the benefits are clear while the constraints are acceptable. It is worth noting that, if a network administrator picks an isolation method that is too strong or too weak, there is no serious consequence. Picking an isolation method that is too strong means that the network administrator needs to deal with more constraints while picking an isolation method that is too weak means that the network administrator may need to deploy more ND solutions to deal with ND issues. Either way, the resulting solution can still work. 5. Security Considerations This document is a review of known ND issues and solutions. It does not introduce any new solutions. Therefore, it does not introduce new security issues. 6. IANA Considerations This document has no request to IANA. Xiao Expires February 22, 2025 [Page 21] Internet-Draft nd-considerations August 2024 7. References 7.1. Informative References [CGA] T. Aura, "Cryptographically Generated Addresses (CGA)", RFC3972 [DHCP-PD] L. Colitti, J. Linkova, X. Ma, "Using DHCP-PD to Allocate Unique IPv6 Prefix per Host in Broadcast Networks", draft- ietf-v6ops-dhcp-pd-per-device-08. [GRAND] J. Linkova, "Gratuitous Neighbor Discovery: Creating Neighbor Cache Entries on First-Hop Routers", RFC 9131 [mDNS] S. Cheshire, M. Krochmal, "Multicast DNS", RFC 6762. [ND] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, DOI 10.17487/RFC4861, September 2007, RFC 4861. [RA-Guard] E. Levy-Abegnoli, G. Van de Velde, C. Popoviciu, J. Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, DOI 10.17487/RFC6105, February 2011, RFC 6105. [RA-Guard+]F. Gont, "Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)", RFC 7113, DOI 10.17487/RFC7113, February 2014, RFC 7113. [RFC3756] P. Nikander, J. Kempf, E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", RFC 3756. [RFC4291] R. Hinden, S.Deering, "IP Version 6 Addressing Architecture", RFC 4291. [RFC4389] D. Thaler, M. Talwar, C. Patel, "Neighbor Discovery Proxies (ND Proxy)", RFC 4389. [RFC4429] N. Moore, "Optimistic Duplicate Address Detection (DAD) for IPv6", RFC 4429. [RFC4903] D. Thaler, "Multi-Link Subnet Issues", RFC 4903. [RFC6459] J. Korhonen, J. Soininen, B. Patil, T. Savolainen, G. Bajko, K. Iisakkila, "IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS)", RFC 6459. Xiao Expires February 22, 2025 [Page 22] Internet-Draft nd-considerations August 2024 [RFC6059] S. Krishnan, G. Daley, "Simple Procedures for Detecting Network Attachment in IPv6", RFC 6059. [RFC6085] S. Gundavelli, M. Townsley, O. Troan, W. Dec, "Address Mapping of IPv6 Multicast Packets on Ethernet", RFC 6085. [RFC6575] H. Shah, E. Rosen, G. Heron, V. Kompella, "Address Resolution Protocol (ARP) Mediation for IP Interworking of Layer 2 VPNs", RFC 6575. [RFC6583] I. Gashinsky, J. Jaeggli, W. Kumari, "Operational Neighbor Discovery Problems", RFC 6583. [RFC6775] Z. Shelby, S. Chakrabarti, E. Nordmark, C. Bormann, "Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)", RFC 6775. [RFC6957] F. Costa, J-M. Combes, X. Pougnard, H. Li, "Duplicate Address Detection Proxy", RFC 6957 [RFC7066] J. Korhonen, J. Arkko, T. Savolainen, S. Krishnan, "IPv6 for Third Generation Partnership Project (3GPP) Cellular Hosts", RFC 7066. [RFC7102] JP. Vasseur, "Terms Used in Routing for Low-Power and Lossy Networks", RFC 7102. [RFC7278] Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link", RFC7278. [RFC7342] L. Dunbar, W. Kumari, I. Gashinsky, "Practices for Scaling ARP and Neighbor Discovery (ND) in Large Data Centers", RFC 7342. [RFC7527] R. Asati, H. Singh, W. Beebee, C. Pignataro, E. Dart, W. George, "Enhanced Duplicate Address Detection", RFC 7527. [RFC7586] Y. Nachum, L. Dunbar, I. Yerushalmi, T. Mizrahi, "The Scalable Address Resolution Protocol (SARP) for Large Data Centers", RFC7586. [RFC7772] A. Yourtchenko, L. Colitti, "Reducing Energy Consumption of Router Advertisements", RFC 7772. Xiao Expires February 22, 2025 [Page 23] Internet-Draft nd-considerations August 2024 [RFC8273] J. Brzozowski, G. Van de Velde, "Unique IPv6 Prefix per Host", RFC 8273. [RFC8302] Y. Li, D. Eastlake 3rd, L. Dunbar, R. Perlman, M. Umair, "Transparent Interconnection of Lots of Links (TRILL): ARP and Neighbor Discovery (ND) Optimization", RFC 8302. [RFC8505] P. Thubert, E. Nordmark, S. Chakrabarti, C. Perkins, "Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery", RFC 8505. [RFC8928] P. Thubert, B. Sarikaya, M. Sethi, R. Struik, "Address- Protected Neighbor Discovery for Low-Power and Lossy Networks", RFC 8928. [RFC8929] P. Thubert, C.E. Perkins, E. Levy-Abegnoli, "IPv6 Backbone Router", RFC 8929. [RFC9099] E. Vyncke, K. Chittimaneni, M. Kaeo, E. Rey, "Operational Security Considerations for IPv6 Networks", RFC 9099. [RFC9119] C. Perkins, M. McBride, D. Stanley, W. Kumari, JC. Zuniga, "Multicast Considerations over IEEE 802 Wireless Media", RFC 9119. [RFC9161] J. Rabadan, S. Sathappan, K. Nagaraj, G. Hankins, T. King, "Operational Aspects of Proxy ARP/ND in Ethernet Virtual Private Networks", RFC 9161. [RIPE738] IPv6 Address Allocation and Assignment Policy, https://www.ripe.net/publications/docs/ripe-738 [SAVI] J. Wu, J. Bi, M. Bagnulo, F. Baker, C. Vogt, "Source Address Validation Improvement (SAVI) Framework", RFC 7039. [SeND] J. Arkko, J. Kempf, B. Zill, P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC3971. [SLAAC] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862. [SND] P. Thubert, M. Richardson, "Architecture and Framework for IPv6 over Non-Broadcast Access", Internet draft, June 2023. Xiao Expires February 22, 2025 [Page 24] Internet-Draft nd-considerations August 2024 [TR177] S. Ooghe, B. Varga, W. Dec, D. Allan, "IPv6 in the context of TR-101", Broadband Forum, TR-177. 8. Acknowledgments The authors would like to thank Lorenzo Colitti, Warren Kumari, Pascal Thubert, Jen Linkova, Brian Carpenter, Eric Vyncke, Mike Ackermann, Nalini Elkins, Ed Horley, Ole Troan, David Thaler for their reviews and comments. Authors' Addresses XiPeng Xiao Huawei Technologies Dusseldorf Hansaallee 205, 40549 Dusseldorf, Germany Email: xipengxiao@huawei.com Eduard Vasilenko Huawei Technologies 17/4 Krylatskaya st, Moscow, Russia 121614 Email: vasilenko.eduard@huawei.com Eduard Metz KPN N.V. Maanplein 55, 2516CK The Hague, The Netherlands Email: eduard.metz@kpn.com Gyan Mishra Verizon Inc. Email: gyan.s.mishra@verizon.com Nick Buraglio Energy Sciences Network Email: buraglio@es.net Xiao Expires February 22, 2025 [Page 25]