Internet-Draft

IPv6 Prefix Delegation for Hosts

Boeing Research & Technology
P.O. Box 3707
Seattle, WA 98124
USA
fltemplin@acm.org

Abstract

IPv6 prefixes are typically delegated to requesting routers which
then use them to number their downstream-attached links and networks.
This document considers the case when the requesting router is a node
that acts as a host on behalf of its local applications and as a router
on behalf of any downstream networks.

IPv6 Prefix Delegation (PD) entails 1) the communication of a prefix
from a delegating router to a requesting router, 2) a representation of
the prefix in the delegating router's routing table, and 3) a control
messaging service between the delegating and requesting routers to
maintain prefix lifetimes. Following delegation, the prefix is available
for the requesting router's exclusive use and is not shared with any
other nodes. This document considers the case when the requesting router
is a node that acts as a host on behalf of its local applications and as
a router on behalf of any downstream networks. The following paragraphs
present possibilities for node behavior upon receipt of a delegated
prefix.

For nodes that connect downstream-attached networks (e.g., a
cellphone that connects a "tethered" Internet of Things (IoT) network),
a Delegating Router 'D' delegates a prefix 'P' to a Requesting node 'R'
as shown in :

In this figure, when Delegating Router 'D' delegates prefix
'P', it inserts 'P' into its routing table with Requesting node 'R' as
the next hop. Meanwhile, 'R' receives 'P' via an upstream interface and
sub-delegates 'P' to its downstream external (physical) and/or internal
(virtual) networks. 'R' assigns addresses 'A(*)' taken from 'P' to
downstream interfaces, and Hosts 'H(i)' on downstream networks assign
addresses 'A(*)' taken from 'P' to their interface attachments to the
downstream link. 'R' then acts as a router between hosts 'H(i)' on
downstream networks and correspondents reachable via other interfaces.
'R' can also act as a host on behalf of its local applications.

This document also considers the case when 'R' does not have any
downstream interfaces, and can use 'P' solely for its own internal
addressing purposes. In that case, 'R' assigns 'P' to a virtual
interface (e.g., a loopback) that fills the role of a downstream
interface.

'R' can then function under the weak end system (aka "weak host")
model by assigning addresses taken from 'P' to a virtual interface as
shown in :

'R' could instead function under the strong end system (aka "strong
host") model by assigning IPv6 addresses taken from 'P' to an upstream
interface as shown in :

The major benefit for a node managing a delegated prefix in
either the weak or strong end system models is multi-addressing. With
IPv6 PD-based multi-addressing, the node can configure an effectively
unlimited supply of addresses (bounded only by the prefix length) to
make them available for local applications
without requiring coordination with other nodes on upstream
interfaces.

The following sections present considerations for nodes that employ
IPv6 PD mechanisms.

The terminology of the normative references applies, and the terms
"node", "host" and "router" are the same as defined in .

The following terms are defined for the purposes of this document:

Shared prefix: an IPv6 prefix that may be advertised to more than one
node on the link, e.g., in a Router Advertisement (RA) message Prefix
Information Option (PIO). The router that advertises the prefix must
consider the prefix as on-link so that the IPv6 Neighbor Discovery (ND)
address resolution function will identify the correct neighbor for each
packet.

Individual prefix: an IPv6 prefix that is advertised to exactly one
node on the link, where the node may be unaware that the prefix is
individual and may not participate in prefix maintenance procedures.
The router that advertises the prefix can consider the prefix as
on-link or not on-link. In the former case, the router performs address
resolution so that it only forwards those packets that match one of the
node's configured addresses. In the latter case, the router simply
forwards all packets matching the prefix to the node. An example
individual prefix service is documented in .

Delegated prefix: an IPv6 prefix that is explicitly delegated to a node
for its own exclusive use, where the node is an active participant in
prefix delegation and maintenance procedures. The router that delegates
the prefix simply forwards all packets matching the prefix to the node.
An example IPv6 PD service is the Dynamic Host Configuration Protocol
for IPv6 (DHCPv6). An alternative service based solely on IPv6 ND
messaging has also been proposed.

IPv6 allows nodes to assign multiple addresses to a single interface.
 discusses options for multi-addressing as well as use cases where
multi-addressing may be desirable. Address configuration options for
multi-addressing include StateLess Address AutoConfiguration (SLAAC),
DHCPv6 address configuration, manual configuration, etc.

Nodes configure addresses from a shared or individual prefix and
assign them to the upstream interface over which the prefix was
received. When the node assigns the addresses, it is required to use
Multicast Listener Discovery (MLD) to join the
appropriate solicited-node multicast group(s) and to use the Duplicate
Address Detection (DAD) algorithm to ensure
that no other node configures a duplicate address.

In contrast, a node that configures addresses from a delegated prefix
can assign them without invoking MLD/DAD on an upstream interface, since
the prefix has been delegated to the node for its own exclusive use and
is not shared with any other nodes.

When a node receives a delegated prefix, it has many alternatives for
provisioning the prefix to its local interfaces and/or downstream
networks. discusses alternatives for
provisioning a prefix obtained by a User Equipment (UE) device under the
3rd Generation Partnership Program (3GPP) service model. This document
considers the more general case when the node receives a delegated
prefix explicitly provided for its own exclusive use.

When the node receives the prefix, it can distribute the prefix to
downstream networks and configure one or more addresses for itself on
downstream interfaces. The node then acts as a router on behalf of its
downstream networks and configures a default route via a neighbor on an
upstream interface.

The node could instead (or in addition) use portions of the delegated
prefix for its own multi-addressing purposes. In a first alternative,
the node can assign as many addresses as it wants from the prefix to
virtual interfaces. In that case, applications running on the node can
use the addresses according to the weak end system model.

In a second alternative, the node can assign as many addresses as it
wants from the prefix to the upstream interface over which the prefix
was received. In that case, applications running on the node can use the
addresses according to the strong end system model.

In both of the latter two cases, the node assigns the prefix itself
to a virtual interface so that unused addresses from the prefix are
correctly identified as unreachable. The node then acts as a host on
behalf of its local applications even though neighbors on the upstream
link see it as a router.

When a node configures addresses for itself from a shared or
individual prefix, it performs MLD/DAD by sending multicast messages
over upstream interfaces to test whether there is another node on the
link that configures a duplicate address. When there are many such
addresses and/or many such nodes, this could result in substantial
multicast traffic that affects all nodes on the link.

When a node configures addresses for itself from a delegated prefix,
it can configure as many addresses as it wants but does not perform
MLD/DAD for any of the addresses over upstream interfaces. This means
that the node can configure arbitrarily many addresses without causing
any multicast messaging over the upstream interface that could disturb
other nodes.

Nodes that receive delegated prefixes can be configured to either
participate or not participate in a dynamic routing protocol over the
upstream interface, according to the deployment model. When there are
many nodes on the upstream link, dynamic routing protocol participation
might be impractical due to scaling limitations, which factors such as
node mobility may exacerbate.

Unless it participates in a dynamic routing protocol, the node
initially has only a default route pointing to a neighbor via an
upstream interface. This means that packets sent by the node over an
upstream interface will initially go through a default router even if
there is a better first-hop node on the link.

When a node receives a shared or individual prefix, it is required to
use the IPv6 ND address resolution function over the upstream interface
to determine the link-layer address of a neighbor that configures a
target address within the prefix. For shared prefixes, the neighbor that
configures the target address will respond to the address resolution
request. For individual prefixes, no neighbor configures the target
address, so the address resolution requests go unanswered.

When a node receives a delegated prefix, it acts as a simple host to
send Router Solicitation (RS) messages over upstream interfaces (i.e.,
the same as described in Section 4.2 of ) but also sets the "Router"
flag to TRUE in its Neighbor Advertisement messages. The node considers
the upstream interfaces as non-advertising interfaces, i.e., it does not
send RA messages over the upstream interfaces. The node further does not
perform the IPv6 ND address resolution function over upstream
interfaces, since the delegated prefix is explicitly not to be
associated with an upstream interface.

In all cases, the current first-hop router may send a Redirect
message that updates the node's neighbor cache so that future packets
can use a better first-hop node on the link. The Redirect can apply
either to a singleton destination address, or to an entire destination
prefix as described in .

The Internet Control Message Protocol for IPv6 (ICMPv6) includes a
set of control message types including
Destination Unreachable (DU).According to , routers should return DU
messages (subject to rate limiting) with code 0 ("No route to
destination") when a packet arrives for which there is no matching entry
in the routing table, and with code 3 ("Address unreachable") when the
IPv6 destination address cannot be resolved.

According to , hosts should return DU
messages (subject to rate limiting) with code 3 to internal applications
when the IPv6 destination address cannot be resolved, and with code 4
("Port unreachable") if the IPv6 destination address is one of its own
addresses but the transport protocol has no listener.

Nodes that obtain and manage delegated prefixes per this document
observe the same procedures as described for both routers and hosts
above.

This document introduces no IANA considerations.

Security considerations for IPv6 Neighbor Discovery and any applicable
PD mechanisms apply to this
document.

For shared and individual prefixes, if the router that advertises the
prefix considers the prefix as on-link, the IPv6 ND address resolution
function will prevent unwanted IPv6 packets from reaching the node. For
delegated prefixes and individual prefixes that are not considered
on-link, the router delivers all packets that match the prefix even if
they do not match one of the node's configured addresses. In the latter
case, the node may receive unwanted IPv6 packets via an upstream
interface that do not match either a configured IPv6 address or a
transport listener. In that case, the node drops the packets and
observes the "Destination Unreachable - Address/Port unreachable"
procedures discussed in .

The node may also receive IPv6 packets via an upstream interface that
do not match any of the node's delegated prefixes. In that case, the
node drops the packets and observes the "Destination Unreachable - No
route to destination" procedures discussed in .
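The DU procedures described above (router code 0, host codes 3 and 4) and the rules for delegated prefixes in this section (deliver only what matches a configured address and listener, never forward traffic that arrived on an upstream interface back upstream, and send DUs only where the link is trusted and within a rate limit) are combined below in a Python example added here for illustration. It is not code from this document or from any PD implementation. The prefix 2001:db8:1234::/56, the interface names wwan0 and iot0, the listener set, the token-bucket limiter and the sample packets are all constructed assumptions; a real node applies the same decisions in its forwarding path rather than on a Python object.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

# ICMPv6 Destination Unreachable codes (RFC 4443, Section 3.1).
DU_NO_ROUTE = 0          # router rule: no matching routing table entry
DU_ADDR_UNREACHABLE = 3  # address in P that is neither local nor sub-delegated
DU_PORT_UNREACHABLE = 4  # host rule: own address, but no transport listener


class Action(Enum):
    DELIVER = auto()             # hand to the local transport listener
    FORWARD_DOWNSTREAM = auto()  # route into a sub-delegated downstream network
    FORWARD_UPSTREAM = auto()    # route via the default route on an upstream iface
    DROP = auto()


@dataclass
class Packet:
    dst: IPv6Address
    proto: str    # "tcp" or "udp"
    dport: int
    ingress: str  # interface the packet arrived on


class DuRateLimiter:
    """Token bucket keeping DU generation 'subject to rate limiting' (assumed)."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate_per_s, burst, float(burst), 0.0

    def allow(self, now: float) -> bool:  # caller supplies the clock (deterministic)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


@dataclass
class PdHost:
    """Node 'R' holding delegated prefix 'P'; every field value is an assumption."""
    delegated: IPv6Network                     # 'P', delegated by 'D'
    upstream: Set[str]                         # non-advertising upstream interfaces
    local_addrs: Set[IPv6Address]              # addresses from P used by local apps
    listeners: Set[Tuple[str, int]]            # (proto, port) pairs with a listener
    downstream_routes: Dict[IPv6Network, str]  # sub-prefixes of P -> downstream iface
    trusted_upstream: bool = True              # send DUs upstream only when trusted
    du_limit: DuRateLimiter = field(default_factory=lambda: DuRateLimiter(10, 10))

    def __post_init__(self) -> None:
        # Nothing the node uses from P may lie outside P.
        assert all(a in self.delegated for a in self.local_addrs)
        assert all(n.subnet_of(self.delegated) for n in self.downstream_routes)

    def classify(self, pkt: Packet) -> Tuple[Action, Optional[int]]:
        """Return (action, DU code or None) for one received packet."""
        if pkt.dst in self.local_addrs:
            if (pkt.proto, pkt.dport) in self.listeners:
                return Action.DELIVER, None
            return Action.DROP, DU_PORT_UNREACHABLE
        if pkt.dst in self.delegated:
            # Longest match among sub-delegated prefixes.  P itself is assigned
            # to a virtual interface, so the rest of P is deliberately unreachable.
            for net in sorted(self.downstream_routes, key=lambda n: n.prefixlen, reverse=True):
                if pkt.dst in net:
                    return Action.FORWARD_DOWNSTREAM, None
            return Action.DROP, DU_ADDR_UNREACHABLE
        # Outside P: downstream hosts reach the Internet via the default route,
        # but a packet that arrived upstream must never be reflected back upstream.
        if pkt.ingress in self.upstream:
            return Action.DROP, DU_NO_ROUTE
        return Action.FORWARD_UPSTREAM, None

    def should_send_du(self, pkt: Packet, code: Optional[int], now: float) -> bool:
        """Whether the DU for a dropped packet is actually transmitted."""
        if code is None:
            return False
        if pkt.ingress in self.upstream and not self.trusted_upstream:
            return False  # untrusted upstream: reveal nothing about P's usage
        return self.du_limit.allow(now)


# Constructed sample: documentation prefix and made-up interface names.
NODE = PdHost(
    delegated=ip_network("2001:db8:1234::/56"),
    upstream={"wwan0"},
    local_addrs={ip_address("2001:db8:1234::1"), ip_address("2001:db8:1234::2")},
    listeners={("tcp", 443)},
    downstream_routes={ip_network("2001:db8:1234:1::/64"): "iot0"},
)

SAMPLE_PACKETS = [
    Packet(ip_address("2001:db8:1234::1"), "tcp", 443, "wwan0"),    # deliver
    Packet(ip_address("2001:db8:1234::2"), "udp", 53, "wwan0"),     # DU code 4
    Packet(ip_address("2001:db8:1234:1::10"), "tcp", 80, "wwan0"),  # forward to iot0
    Packet(ip_address("2001:db8:1234:42::1"), "tcp", 80, "wwan0"),  # DU code 3
    Packet(ip_address("2001:db8:ffff::1"), "tcp", 80, "wwan0"),     # DU code 0, not reflected
    Packet(ip_address("2001:db8:ffff::1"), "tcp", 80, "iot0"),      # default route upstream
]


def dispositions(node: PdHost = NODE, packets=SAMPLE_PACKETS):
    return [node.classify(p) for p in packets]
```

Running dispositions() on the six sample packets gives: deliver, drop with code 4, forward to iot0, drop with code 3, drop with code 0, forward via the default route. Note that the code 3 versus code 4 distinction tells a correspondent which addresses within 'P' are actually in use, which is exactly the kind of information should_send_du withholds on an untrusted upstream link.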
Dropping the packets is necessary to avoid a reflection attack that
would cause the node to forward packets received from an upstream
interface via the same or a different upstream interface.

In all cases, the node must decide whether or not to send DUs
according to the specific operational scenario. In trusted networks, the
node should send DU messages (still subject to the rate limiting noted
above) to provide useful information to potential correspondents. In
untrusted networks, the node can refrain from sending DU messages to
avoid providing sensitive information (e.g., which addresses within the
delegated prefix are in use) to potential attackers.

This work was motivated by discussions on the v6ops list. Mark Smith
pointed out the need to consider MLD as well as DAD for the assignment
of addresses to interfaces. Ricardo Pelaez-Negro, Edwin Cordeiro, Fred
Baker, Naveen Lakshman, Ole Troan, Bob Hinden, Brian Carpenter, Joel
Halpern, Albert Manfredi and Dusan Mudric provided useful comments that
have greatly improved the document.

This work is aligned with the NASA Safe Autonomous Systems Operation
(SASO) program under NASA contract number NNA16BD84C.

This work is aligned with the FAA as per the SE2025 contract number
DTFAWA-15-D-00030.

This work is aligned with the Boeing Information Technology (BIT)
MobileNet program and the Boeing Research & Technology (BR&T)
enterprise autonomy program.