What is a link-local address?? WAS: Re: JUNOS forwards IPv6 link-local packets
(tl;dr -- IPv6 link-local definition is ambiguous and inconsistent across vendors) I'm curious about what people's perception of valid link-local addresses is; that is, what specifically makes a valid link-local address? The top portion of RFC 4291 lists the link-local prefix as: 2.4. Address Type Identification The type of an IPv6 address is identified by the high-order bits of the address, as follows: Address type Binary prefix IPv6 notation Section ------------ ------------- ------------- ------- Link-Local unicast 1111111010 FE80::/10 2.5.6 Global Unicast (everything else) (from http://tools.ietf.org/html/rfc4291#section-2.4 ) Thus, it would *seem* that an address such as fe80:1:1:1::2/64 when configured on an interface for its link-local address would be a valid link-local address, as it falls within fe80::/10 However, when we read section 2.5.6, we see a different definition: 2.5.6. Link-Local IPv6 Unicast Addresses Link-Local addresses are for use on a single link. Link-Local addresses have the following format: | 10 | | bits | 54 bits | 64 bits | +----------+-------------+---------------------+ |1111111010| 0 | interface ID | +----------+-------------+---------------------+ Link-Local addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present. Routers must not forward any packets with Link-Local source or destination addresses to other links. (from http://tools.ietf.org/html/rfc4291#section-2.5.6 ) That section indicates that *only* addresses out of fe80:0:0:0::/64 are valid link local addresses; that is, where the upper 64 bits are precisely 1111111010000000000000000000000000000000000000000000000000000000 (1111111010 followed by 54 0 bits). Is section 2.5.6 wrong? Should it have been written more like section 2.5.7, that specified the address as a prefix, followed by 54 bits of subnet ID? Or did the authors really intend that most of fe80::/10 remain unused, and *only* a single /64 at the very start of fe80::/10 would be valid? I ask this because I'm running into situations where indeed it seems that some router vendors do literally only treat fe80::/64 as link-local, and *all other addresses out of fe80::/10 are treated as global unicast*. This has potential implications on the types of filtering people may be assuming their router vendors are doing; and, with respect to the parent thread, when you talk about routers forwarding link-local packets, it would probably be good to verify with your vendors whether they take the sentence "Routers must not forward any packets with Link-Local source or destination addresses to other links." to apply to all of fe80::/10, or only to the more restrictive fe80::/64 specified in section 2.5.6. I will note that empirical testing shows that even different product lines from the same vendor show different behaviours, as though some engineers read section 2.5.6 in detail, and others simply read section 2.4, and skipped the fine print. So...operators...what do *you* think the correct definition is? And which way would you prefer your router vendors to read RFC4291? Do you prefer the loose definition from section 2.4, or do you prefer the stricter definition from section 2.5.6? Given that the RFC is ambiguous, and has been for the past six years, I'd tend to think the IETF doesn't really have a strong position one way or the other, and is leaving it up to us as operators to vote with our money, and give guidance to router vendors as to which definition we'd like them to follow. Personally, I know my vote is to go with section 2.4, rather than leave all the rest of fe80::/10 in an unusable grey state, where some devices treat it as global unicast, and others treat it as link-local. If we all standardize on the reading in 2.5.6, we leave the entire rest of the /10 fallow, with only one /64 usable from it. Which way do *you* vote? Thanks! Matt
On Sun, May 06, 2012 at 08:25:06AM -0700, Matthew Petach wrote:
So...operators...what do *you* think the correct definition is? And which way would you prefer your router vendors to read RFC4291?
I would expect them to follow 2.4, even if the current spec says that the 54 bits between /10 and /64 are supposed to be set to 0 today. And indeed, it's the most pragmatic way to deal with that fuzzy spec. Best regards, Daniel -- CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
Any address withing FE80::/10 is a link local address, however when you are constructing a link local address you sent bits [11..64] to zero. It's quite common for a specification to only use a subset of the reserved space which is what happens here. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
In message <m24nrtapud.wl%randy@psg.com>, Randy Bush writes:
Any address withing FE80::/10 is a link local address
said with great authority. shame the rfc does not do the same. matt points out a spec and implementation problem.
randy
Zero is there to remove the "what do I set these bits to" problem for auto configuration when you have the standard /64 net/host split. The FE80::/10 is still clearly shown in 2.5.6 as a seperate group of bits. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Once upon a time, Randy Bush <randy@psg.com> said:
Any address withing FE80::/10 is a link local address
said with great authority. shame the rfc does not do the same. matt points out a spec and implementation problem.
Well, the prefix length of 10 vs. 64 is hardly relevant when major routers ignore the part about not forwarding the packets anyway. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
On 5/6/12, Matthew Petach <mpetach@netflight.com> wrote:
I'm curious about what people's perception of valid link-local addresses is; that is, what specifically makes a valid link-local address?
The top portion of RFC 4291 lists the link-local prefix as: [snip] Link-Local unicast 1111111010 FE80::/10 2.5.6 Global Unicast (everything else)
/10 is the link-local prefix. Every address in this /10 is part of the link-local prefix, and no IP address in this /10 is a valid global unicast address.
Thus, it would *seem* that an address such as fe80:1:1:1::2/64 when configured on an interface for its link-local address would be a valid link-local address, as it falls within fe80::/10
This is in the the link-local prefix, but not a valid address, it doesn't follow the format of a link local address as noted by 2.5.6. [snip]
Routers must not forward any packets with Link-Local source or destination addresses to other links. (from http://tools.ietf.org/html/rfc4291#section-2.5.6 ) did the authors really intend that most of fe80::/10 remain unused, and *only* a single /64 at the very start of fe80::/10 would be valid?
The usage of the remainder of the /10 reserved for link local is unspecified.; It is conceivable but unlikely that uses might be defined in the future.
I ask this because I'm running into situations where indeed it seems that some router vendors do literally only treat fe80::/64 as link-local, and *all other addresses out of fe80::/10 are treated as global unicast*.
This is definitely erroneous, since fe80::/10 is excluded from the global unicast address range. Addresses outside the first /64 _might_ be valid link-local or not, whatever they are, they are definitely not valid global unicast addresses, and they fall within the link-local range: routers are required to not forward packets with a source or destination within the /10.
This has potential implications on the types of filtering people may be assuming their router vendors are doing;
When we are talking about security matters... it's definitely not safe to assume your vendor has implemented all the source/destination address filtering they should. Implement suitable testing to verify. -- -JH
On 5/6/12, Matthew Petach <mpetach@netflight.com> wrote:
Which way do *you* vote?
Hi Matthew, Cisco routers forward packets for 127.0.0.0/8 unless explicitly configured not to, treating it like any other unicast address. Linux load balancers require a special kernel patch to also use them as routers because the kernel authors failed to conceive of a situation where accepting an external packet with a source address matching a configured interface address was, in fact, a correct thing to do. I vote for the Cisco approach. It has occasionally quirky results but it's also flexible enough to handle situations the protocol designers didn't conceive of. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On 7. May 2012, at 12:56 , William Herrin wrote:
I vote for the Cisco approach. It has occasionally quirky results but it's also flexible enough to handle situations the protocol designers didn't conceive of.
Isn't it a simple scope violation in IPv6 and thus a bug and with that end of story? I mean the check isn't even overly expensive in this case... and I can't see how much meaningful other than unicast traffic passing a gateway you could do this way anyway. The worst someone sends a small packet and you get a huge reply to a local node that didn't ask for it keeping your switches and two random machines busy or generating a bit of nd noise, or ... 19:12:31.257674 02:00:00:00:08:0b > 02:00:00:00:07:0a, ethertype IPv6 (0x86dd), length 70: (hlim 64, next-header ICMPv6 (58) payload length: 16) fe80::ff:fe00:80b > 2001:db8::1: [icmp6 sum ok] ICMP6, echo request, seq 12 19:12:31.257817 02:00:00:00:07:0a > 02:00:00:00:08:0b, ethertype IPv6 (0x86dd), length 118: (hlim 64, next-header ICMPv6 (58) payload length: 64) fe80::ff:fe00:70a > fe80::ff:fe00:80b: [icmp6 sum ok] ICMP6, destination unreachable, beyond scope 2001:db8::1, source address fe80::ff:fe00:80b I actually tried to see if I could cross the atlantic with such a packet, only to find that I didn't have an exist gateway showing this bug. Oh well, I am safe. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do!
On 5/7/12, William Herrin <bill@herrin.us> wrote:
On 5/6/12, Matthew Petach <mpetach@netflight.com> wrote:
Which way do *you* vote? Hi Matthew, Cisco routers forward packets for 127.0.0.0/8 unless explicitly configured not to, treating it like any other unicast address.
The difference with IPv4, is the RFC1122 requirement is on hosts to not allow the network number { 127, <any> } to appear outside the host. There's no RFC requirement that a router refuse to forward traffic with a source or destination address within the reserved loopback network number. I a router filters based on source address it is an added feature. there's no rfc requirement that an IPv4 router "must not forward a packet with a source or destination address in the [IPv4] loopback range". The Cisco behavior for 127/8 with IPv4 is therefore quite reasonable. With IPv6, there is a RFC MUST requirement that such packets to the link local address space not be forwarded, therefore that Cisco behavior would be severely broken/ in IPv6 with regards to fe80::/10: an IPv6 router must not forward such packets as would be allowed with normal unicast addresses. (Even if the router is configured with one of those addresses, locally) -- -JH
participants (8)
-
Bjoern A. Zeeb
-
Chris Adams
-
Daniel Roesen
-
Jimmy Hess
-
Mark Andrews
-
Matthew Petach
-
Randy Bush
-
William Herrin