Tech-invite3GPPspaceIETF RFCsSIP
in Index   Prev   Next

RFC 8505

Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery

Pages: 47
Proposed Standard
Updates:  6775
Updated by:  892889299010
Part 2 of 3 – Pages 14 to 32
First   Prev   Next

Top   ToC   RFC8505 - Page 14   prevText

5. Updating RFC 6775

The EARO (see Section 4.1) updates the ARO used within NS and NA messages between a 6LN and a 6LR. The update enables a registration to a Routing Registrar in order to obtain additional services, such as return routability to the Registered Address by such means as routing and/or proxy ND, as illustrated in Figure 4. Routing 6LN Registrar | | | NS(EARO) | |--------------->| | | | | Inject/maintain | | host route or | | IPv6 ND proxy state | | <-----------------> | NA(EARO) | |<---------------| | | Figure 4: (Re-)Registration Flow Similarly, the EDAR and EDAC update the DAR and DAC messages so as to transport the new information between 6LRs and 6LBRs across an LLN mesh. The extensions to the ARO are the DAR and the DAC, as used in the Duplicate Address messages. They convey the additional information all the way to the 6LBR.
Top   ToC   RFC8505 - Page 15
   In turn, the 6LBR may proxy the registration to obtain reachability
   services from a Routing Registrar such as a 6BBR, as illustrated in
   Figure 5.  This specification avoids the Duplicate Address message
   flow for Link-Local Addresses in a route-over [RFC6606] topology (see
   Section 5.6).

      6LN          6LR            6LBR      Registrar
       |            |              |            |
       |<Link-local>|   <Routed>   |<Link-local>|
       |            |              |            |
       |  NS(EARO)  |              |            |
       |----------->|              |            |
       |            | Extended DAR |            |
       |            |------------->|            |
       |            |              |  proxy     |
       |            |              |  NS(EARO)  |
       |            |              |----------->|
       |            |              |            | Inject/maintain
       |            |              |            | host route or
       |            |              |            | IPv6 ND proxy state
       |            |              |            | <----------------->
       |            |              |  proxy     |
       |            |              |  NA(EARO)  |
       |            | Extended DAC |<-----------|
       |            |<-------------|            |
       |  NA(EARO)  |              |            |
       |<-----------|              |            |
       |            |              |            |

                     Figure 5: (Re-)Registration Flow

   This specification allows multiple registrations, including
   registrations for privacy and temporary addresses, and provides a
   mechanism to help clean up stale registration state as soon as
   possible, e.g., after a movement (see Section 7).

   Section 5 of [RFC6775] specifies how a 6LN bootstraps an interface
   and locates available 6LRs.  A Registering Node SHOULD register to a
   6LR that supports this specification if one is found, as discussed in
   Section 6.1, instead of registering to an RFC 6775-only 6LR;
   otherwise, the Registering Node operates in a backward-compatible
   fashion when attaching to an RFC 6775-only 6LR.
Top   ToC   RFC8505 - Page 16

5.1. Extending the Address Registration Option

The EARO updates the ARO and is backward compatible with the ARO if and only if the Length value of the option is set to 2. The format of the EARO is presented in Section 4.1. More details on backward compatibility can be found in Section 6. The NS message and the ARO are modified as follows: o The Target Address field in the NS containing the EARO is now the field that indicates the address that is being registered, as opposed to the Source Address field in the NS as specified in [RFC6775] (see Section 5.5). This change enables a 6LBR to send a proxy registration for a 6LN's address to a Routing Registrar and in most cases also avoids the use of an address as the Source Address before it is registered. o The EUI-64 field in the ARO is renamed "Registration Ownership Verifier (ROVR)" and is not required to be derived from a MAC address (see Section 5.3). o The option's Length value MAY be different than 2 and take a value between 3 and 5, in which case the EARO is not backward compatible with an ARO. The increase in size corresponds to a larger ROVR field, so the size of the ROVR is inferred from the option's Length value. o A new Opaque field is introduced to carry opaque information in cases where the registration is relayed to another process, e.g., to be advertised by a routing protocol. A new "I" field provides a type for the opaque information and indicates the other process to which the 6LN passes the opaque value. A value of 0 for the "I" field indicates topological information to be passed to a routing process if the registration is redistributed. In that case, a value of 0 for the Opaque field (1) is backward compatible with the reserved fields that are overloaded and (2) indicates that the default topology is to be used. o This document specifies a new flag in the EARO: the R flag. If the R flag is set, the Registering Node requests that the 6LR ensure reachability for the Registered Address, e.g., by means of routing or proxy ND. Conversely, when it is not set, the R flag indicates that the Registering Node is a router and that it will advertise reachability to the Registered Address via a routing protocol (such as RPL [RFC6550]).
Top   ToC   RFC8505 - Page 17
   o  A node that supports this specification MUST provide a TID field
      in the EARO and set the T flag to indicate the presence of the TID
      (see Section 5.2).

   o  Finally, this specification introduces new status codes to help
      diagnose the cause of a registration failure (see Table 1).

   When registering, a 6LN that acts only as a host MUST set the R flag
   to indicate that it is not a router and that it will not handle its
   own reachability.  A 6LR that manages its reachability SHOULD NOT set
   the R flag; if it does, routes towards this router may be installed
   on its behalf and may interfere with those it advertises.

5.2. Transaction ID

The TID is a sequence number that is incremented by the 6LN with each re-registration to a 6LR. The TID is used to determine the recency of the registration request. The network uses the most recent TID to determine the most recent known location(s) of a moving 6LN. When a Registered Node is registered with multiple 6LRs in parallel, the same TID MUST be used. This enables the 6LBRs and/or Routing Registrars to determine whether the registrations are identical and to distinguish that situation from a movement (for example, see Section 5.7 and Appendix A).

5.2.1. Comparing TID Values

The operation of the TID is fully compatible with that of the RPL Path Sequence counter as described in Section 7.2 of [RFC6550] ("RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks"). A TID is deemed to be more recent than another when its value is greater as determined by the operations detailed in this section. The TID range is subdivided in a "lollipop" fashion [Perlman83], where the values from 128 and greater are used as a linear sequence to indicate a restart and bootstrap the counter, and the values less than or equal to 127 are used as a circular sequence number space of size 128 as mentioned in [RFC1982]. Consideration is given to the mode of operation when transitioning from the linear region to the circular region. Finally, when operating in the circular region, if sequence numbers are determined to be too far apart, then they are not comparable, as detailed below. A window of comparison, SEQUENCE_WINDOW = 16, is configured based on a value of 2^N, where N is defined to be 4 in this specification.
Top   ToC   RFC8505 - Page 18
   For a given sequence counter,

   1.  Prior to use, the sequence counter SHOULD be initialized to an
       implementation-defined value of 128 or greater.  A recommended
       value is 240 (256 - SEQUENCE_WINDOW).

   2.  When a sequence counter increment would cause the sequence
       counter to increment beyond its maximum value, the sequence
       counter MUST wrap back to 0.  When incrementing a sequence
       counter greater than or equal to 128, the maximum value is 255.
       When incrementing a sequence counter less than 128, the maximum
       value is 127.

   3.  When comparing two sequence counters, the following rules MUST be

       1.  When a first sequence counter A is in the interval [128-255]
           and a second sequence counter B is in the interval [0-127]:

           1.  If (256 + B - A) is less than or equal to
               SEQUENCE_WINDOW, then B is greater than A, A is less than
               B, and the two are not equal.

           2.  If (256 + B - A) is greater than SEQUENCE_WINDOW, then A
               is greater than B, B is less than A, and the two are not

           For example, if A is 240 and B is 5, then (256 + 5 - 240) is
           21.  21 is greater than SEQUENCE_WINDOW (16); thus, 240 is
           greater than 5.  As another example, if A is 250 and B is 5,
           then (256 + 5 - 250) is 11.  11 is less than SEQUENCE_WINDOW
           (16); thus, 250 is less than 5.

       2.  In the case where both sequence counters to be compared are
           less than or equal to 127, and in the case where both
           sequence counters to be compared are greater than or equal
           to 128:

           1.  If the absolute magnitude of difference between the two
               sequence counters is less than or equal to
               SEQUENCE_WINDOW, then a comparison as described in
               [RFC1982] is used to determine the relationships
               "greater than", "less than", and "equal".

           2.  If the absolute magnitude of difference of the two
               sequence counters is greater than SEQUENCE_WINDOW, then a
               desynchronization has occurred and the two sequence
               numbers are not comparable.
Top   ToC   RFC8505 - Page 19
   4.  If two sequence numbers are determined to be not comparable,
       i.e., the results of the comparison are not defined, then a node
       should give precedence to the sequence number that was most
       recently incremented.  Failing this, the node should select the
       sequence number in order to minimize the resulting changes to its
       own state.

5.3. Registration Ownership Verifier (ROVR)

The ROVR field replaces the EUI-64 field of the ARO defined in [RFC6775]. It is associated in the 6LR and the 6LBR with the registration state. The ROVR can be a unique ID of the Registering Node, such as the EUI-64 address of an interface. This can also be a token obtained with cryptographic methods that can be used in additional protocol exchanges to associate a cryptographic identity (key) with this registration to ensure that only the owner can modify it later, if the proof of ownership of the ROVR can be obtained. The scope of a ROVR is the registration of a particular IPv6 Address, and it MUST NOT be used to correlate registrations of different addresses. The ROVR can be of different types; the type is signaled in the message that carries the new type. For instance, the type can be a cryptographic string and can be used to prove the ownership of the registration as specified in [AP-ND] ("Address Protected Neighbor Discovery for Low-power and Lossy Networks"). In order to support the flows related to the proof of ownership, this specification introduces new status codes "Validation Requested" and "Validation Failed" in the EARO. Note regarding ROVR collisions: Different techniques for forming the ROVR will operate in different namespaces. [RFC6775] specifies the use of EUI-64 addresses. [AP-ND] specifies the generation of cryptographic tokens. While collisions are not expected in the EUI-64 namespace only, they may happen if [AP-ND] is implemented by at least one of the nodes. An implementation that understands the namespace MUST consider that ROVRs from different namespaces are different even if they have the same value. An RFC 6775-only 6LBR or 6LR will confuse the namespaces; this slightly increases the risk of a ROVR collision. A ROVR collision has no effect if the two Registering Nodes register different addresses, since the ROVR is only significant within the context of one registration. A ROVR is not expected to be unique to one registration, as this specification allows a node to use the same ROVR to register multiple IPv6 Addresses. This is why the ROVR MUST NOT be used as a key to identify the Registering Node or as an index to the registration. It is only used as a match to ensure that the node that updates a registration for an IPv6 Address is the node that made the original
Top   ToC   RFC8505 - Page 20
   registration for that IPv6 Address.  Also, when the ROVR is not an
   EUI-64 address, then it MUST NOT be used as the Interface Identifier
   of the Registered Address.  This way, a registration that uses that
   ROVR will not collide with that of an IPv6 Address derived from
   EUI-64 and using the EUI-64 as the ROVR per [RFC6775].

   The Registering Node SHOULD store the ROVR, or enough information to
   regenerate it, in persistent memory.  If this is not done and an
   event such as a reboot causes a loss of state, re-registering the
   same address could be impossible until (1) the 6LRs and the 6LBR
   time out the previous registration or (2) a management action clears
   the relevant state in the network.

5.4. Extended Duplicate Address Messages

In order to map the new EARO content in the EDA messages, a new TID field is added to the EDAR and EDAC messages as a replacement for the Reserved field, and a non-null value of the ICMP Code indicates support for this specification. The format of the EDAR and EDAC messages is presented in Section 4.2. As with the EARO, the EDA messages are backward compatible with the RFC 6775-only versions, as long as the ROVR field is 64 bits long. Remarks concerning backward compatibility for the protocol between the 6LN and the 6LR apply similarly between a 6LR and a 6LBR.

5.5. Registering the Target Address

An NS message with an EARO is a registration if and only if it also carries an SLLA Option ("SLLAO") [RFC6775] ("SLLA" stands for "Source Link-Layer Address"). The EARO can also be used in NS and NA messages between Routing Registrars to determine the distributed registration state; in that case, it does not carry the SLLA Option and is not confused with a registration. The Registering Node is the node that performs the registration to the Routing Registrar. As also described in [RFC6775], it may be the Registered Node as well, in which case it registers one of its own addresses and indicates its own MAC address as the SLLA in the NS(EARO). This specification adds the capability to proxy the registration operation on behalf of a Registered Node that is reachable over an LLN mesh. In that case, if the Registered Node is reachable from the Routing Registrar via a mesh-under configuration, the Registering Node indicates the MAC address of the Registered Node as the SLLA in the NS(EARO). If the Registered Node is reachable over a route-over configuration from the Registering Node, the SLLA in the NS(ARO) is
Top   ToC   RFC8505 - Page 21
   that of the Registering Node.  This enables the Registering Node to
   attract the packets from the Routing Registrar and route them over
   the LLN to the Registered Node.

   In order to enable the latter operation, this specification changes
   the behavior of the 6LN and the 6LR so that the Registered Address is
   found in the Target Address field of the NS and NA messages as
   opposed to the Source Address field.  With this convention, a TLLA
   Option (Target Link-Layer Address Option, or "TLLAO") indicates the
   link-layer address of the 6LN that owns the address.

   A Registering Node (e.g., a 6LBR also acting as a RPL root) that
   advertises reachability for the 6LN MUST place its own link-layer
   address in the SLLA Option of the registration NS(EARO) message.
   This maintains compatibility with RFC 6775-only 6LoWPAN ND.

5.6. Link-Local Addresses and Registration

LLN nodes are often not wired and may move. There is no guarantee that a Link-Local Address will remain unique among a huge and potentially variable set of neighboring nodes. Compared to [RFC6775], this specification only requires that a Link-Local Address be unique from the perspective of the two nodes that use it to communicate (e.g., the 6LN and the 6LR in an NS/NA exchange). This simplifies the DAD process in a route-over topology for Link-Local Addresses by avoiding an exchange of EDA messages between the 6LR and a 6LBR for those addresses. An exchange between two nodes using Link-Local Addresses implies that they are reachable over one hop. A node MUST register a Link-Local Address to a 6LR in order to obtain further reachability by way of that 6LR and, in particular, to use the Link-Local Address as the Source Address to register other addresses, e.g., global addresses. If there is no collision with a previously registered address, then the Link-Local Address is unique from the standpoint of this 6LR and the registration is not a duplicate. Two different 6LRs might claim the same Link-Local Address but different link-layer addresses. In that case, a 6LN MUST only interact with at most one of the 6LRs. The exchange of EDAR and EDAC messages between the 6LR and a 6LBR, which ensures that an address is unique across the domain covered by the 6LBR, does not need to take place for Link-Local Addresses.
Top   ToC   RFC8505 - Page 22
   When sending an NS(EARO) to a 6LR, a 6LN MUST use a Link-Local
   Address as the Source Address of the registration, whatever the type
   of IPv6 Address that is being registered.  That Link-Local Address
   MUST be either an address that is already registered to the 6LR or
   the address that is being registered.

   When a 6LN starts up, it typically multicasts an RS and receives one
   or more unicast RA messages from 6LRs.  If the 6LR can process EARO
   messages, then it places a 6CIO in its RA message with the E flag set
   as required in Section 6.1.

   When a Registering Node does not have an already-registered address,
   it MUST register a Link-Local Address, using it as both the Source
   Address and the Target Address of an NS(EARO) message.  In that case,
   it is RECOMMENDED to use an address for which DAD is not required
   (see [RFC6775]), e.g., derived from a globally unique EUI-64 address;
   using the SLLA Option in the NS is consistent with existing ND
   specifications such as [RFC4429] ("Optimistic Duplicate Address
   Detection (DAD) for IPv6").  The 6LN MAY then use that address to
   register one or more other addresses.

   A 6LR that supports this specification replies with an NA(EARO),
   setting the appropriate status.  Since there is no exchange of EDAR
   or EDAC messages for Link-Local Addresses, the 6LR may answer
   immediately to the registration of a Link-Local Address, based solely
   on its existing state and the SLLA Option that is placed in the
   NS(EARO) message as required in [RFC6775].

   A node registers its IPv6 Global Unicast Addresses (GUAs) to a 6LR in
   order to establish global reachability for these addresses via that
   6LR.  When registering with an updated 6LR, a Registering Node does
   not use a GUA as the Source Address, in contrast to a node that
   complies with [RFC6775].  For non-Link-Local Addresses, the exchange
   of EDAR and EDAC messages MUST conform to [RFC6775], but the extended
   formats described in this specification for the DAR and the DAC are
   used to relay the extended information in the case of an EARO.

5.7. Maintaining the Registration States

This section discusses protocol actions that involve the Registering Node, the 6LR, and the 6LBR. It must be noted that the portion that deals with a 6LBR only applies to those addresses that are registered to it; as discussed in Section 5.6, this is not the case for Link-Local Addresses. The registration state includes all data that is stored in the router relative to that registration, in particular, but not limited to, an NCE. 6LBRs and Routing Registrars may store additional registration information and use synchronization protocols that are out of scope for this document.
Top   ToC   RFC8505 - Page 23
   A 6LR cannot accept a new registration when its registration storage
   space is exhausted.  In that situation, the EARO is returned in an NA
   message with a status code of "Neighbor Cache Full" (Status 2; see
   [RFC6775] and Table 1), and the Registering Node may attempt to
   register to another 6LR.

   If the registry in the 6LBR is full, then the 6LBR cannot decide
   whether a registration for a new address is a duplicate.  In that
   case, the 6LBR replies to an EDAR message with an EDAC message that
   carries a new status code indicating "6LBR Registry Saturated"
   (Table 1).  Note: This code is used by 6LBRs instead of "Neighbor
   Cache Full" when responding to a Duplicate Address message exchange
   and is passed on to the Registering Node by the 6LR.  There is no
   point in the node retrying this registration via another 6LR, since
   the problem is network-wide.  The node may abandon that address,
   de-register other addresses first to make room, or keep the address
   "tentative" [RFC4861] and retry later.

   A node renews an existing registration by sending a new NS(EARO)
   message for the Registered Address, and the 6LR MUST report the new
   registration to the 6LBR.

   A node that ceases to use an address SHOULD attempt to de-register
   that address from all the 6LRs to which it has registered the
   address.  This is achieved using an NS(EARO) message with a
   Registration Lifetime of 0.  If this is not done, the associated
   state will remain in the network until the current Registration
   Lifetime expires; this may lead to a situation where the 6LR
   resources become saturated, even if they were correctly planned to
   start with.  The 6LR may then take defensive measures that may
   prevent this node or some other nodes from owning as many addresses
   as they request (see Section 7).

   A node that moves away from a particular 6LR SHOULD attempt to
   de-register all of its addresses registered to that 6LR and register
   to a new 6LR with an incremented TID.  When/if the node appears
   elsewhere, an asynchronous NA(EARO) or EDAC message with a status
   code of "Moved" SHOULD be used to clean up the state in the previous
   location.  The "Moved" status can be used by a Routing Registrar in
   an NA(EARO) message to indicate that the ownership of the proxy state
   was transferred to another Routing Registrar due to movement of the
   device.  If the receiver of the message has registration state
   corresponding to the related address, it SHOULD propagate the status
   down the forwarding path to the Registered Node (e.g., reversing an
   existing RPL [RFC6550] path as prescribed in [Efficient-NPDAO]).
   Whether it could do so or not, the receiver MUST clean up said state.
Top   ToC   RFC8505 - Page 24
   Upon receiving an NS(EARO) message with a Registration Lifetime of 0
   and determining that this EARO is the most recent for a given NCE
   (see Section 5.2), a 6LR cleans up its NCE.  If the address was
   registered to the 6LBR, then the 6LR MUST report to the 6LBR, through
   a Duplicate Address exchange with the 6LBR, indicating the null
   Registration Lifetime and the latest TID that this 6LR is aware of.

   Upon receiving the EDAR message, the 6LBR determines if this is the
   most recent TID it has received for that particular registry entry.
   If so, then the EDAR is answered with an EDAC message bearing a
   status code of 0 ("Success") [RFC6775], and the entry is scheduled to
   be removed.  Otherwise, a status code of "Moved" is returned instead,
   and the existing entry is maintained.

   When an address is scheduled to be removed, the 6LBR SHOULD keep its
   NCE in a DELAY state [RFC4861] for a configurable period of time, so
   as to prevent a scenario where (1) a mobile node that de-registered
   from one 6LR did not yet register to a new one or (2) the new
   registration did not yet reach the 6LBR due to propagation delays in
   the network.  Once the DELAY time has passed, the 6LBR silently
   removes its entry.

6. Backward Compatibility

This specification changes the behavior of the peers in a registration flow. To enable backward compatibility, a 6LN that registers to a 6LR that is not known to support this specification MUST behave in a manner that is backward compatible with [RFC6775]. Conversely, if the 6LR is found to support this specification, then the 6LN MUST conform to this specification when communicating with that 6LR. A 6LN that supports this specification MUST always use an EARO as a replacement for an ARO in its registration to a router. This behavior is backward compatible, since the T flag and TID field occupy fields that are reserved in [RFC6775] and are thus ignored by an RFC 6775-only router. A router that supports this specification MUST answer an NS(ARO) and an NS(EARO) with an NA(EARO). A router that does not support this specification will consider the ROVR as an EUI-64 address and treat it the same; this scenario has no consequence if the Registered Addresses are different.
Top   ToC   RFC8505 - Page 25

6.1. Signaling EARO Support

[RFC7400] specifies the 6CIO, which indicates a node's capabilities to the node's peers. The 6CIO MUST be present in both RS and RA messages, unless the 6CIO information was already shared in recent exchanges or pre-configured in all nodes in a network. In any case, a 6CIO MUST be placed in an RA message that is sent in response to an RS with a 6CIO. Section 4.3 defines a new flag for the 6CIO to signal EARO support by the issuer of the message. New flags are also added to the 6CIO to signal the sender's capability to act as a 6LR, 6LBR, and Routing Registrar (see Section 4.3). Section 4.3 also defines a new flag that indicates the support of EDAR and EDAC messages by the 6LBR. This flag is valid in RA messages but not in RS messages. More information on the 6LBR is found in a separate Authoritative Border Router Option (ABRO). The ABRO is placed in RA messages as prescribed by [RFC6775]; in particular, it MUST be placed in an RA message that is sent in response to an RS with a 6CIO indicating the capability to act as a 6LR, since the RA propagates information between routers.

6.2. RFC 6775-Only 6LN

An RFC 6775-only 6LN will use the Registered Address as the Source Address of the NS message and will not use an EARO. An updated 6LR MUST accept that registration if it is valid per [RFC6775], and it MUST manage the binding cache accordingly. The updated 6LR MUST then use the RFC 6775-only DAR and DAC messages as specified in [RFC6775] to indicate to the 6LBR that the TID is not present in the messages. The main difference from [RFC6775] is that the exchange of DAR and DAC messages for the purpose of DAD is avoided for Link-Local Addresses. In any case, the 6LR MUST use an EARO in the reply and can use any of the status codes defined in this specification.

6.3. RFC 6775-Only 6LR

An updated 6LN discovers the capabilities of the 6LR in the 6CIO in RA messages from that 6LR; if the 6CIO was not present in the RA, then the 6LR is assumed to be RFC 6775-only. An updated 6LN MUST use an EARO in the request, regardless of the type of 6LR -- RFC 6775-only or updated; this implies that the T flag is set. It MUST use a ROVR of 64 bits if the 6LR is RFC 6775-only.
Top   ToC   RFC8505 - Page 26
   If an updated 6LN moves from an updated 6LR to an RFC 6775-only 6LR,
   the RFC 6775-only 6LR will send an RFC 6775-only DAR message, which
   cannot be compared with an updated one for recency.  Allowing
   RFC 6775-only DAR messages to update a state established by the
   updated protocol in the 6LBR would be an attack vector; therefore,
   this cannot be the default behavior.  But if RFC 6775-only and
   updated 6LRs coexist temporarily in a network, then it makes sense
   for an administrator to install a policy that allows this behavior,
   using some method that is out of scope for this document.

6.4. RFC 6775-Only 6LBR

With this specification, the Duplicate Address messages are extended to transport the EARO information. As with the NS/NA exchange, an updated 6LBR MUST always use the EDAR and EDAC messages. Note that an RFC 6775-only 6LBR will accept and process an EDAR message as if it were an RFC 6775-only DAR, as long as the ROVR is 64 bits long. An updated 6LR discovers the capabilities of the 6LBR in the 6CIO in RA messages from the 6LR; if the 6CIO was not present in any RA, then the 6LBR is assumed to be RFC 6775-only. If the 6LBR is RFC 6775-only, the 6LR MUST use only the 64 leftmost bits of the ROVR and place the result in the EDAR message to maintain compatibility. This way, the support of DAD is preserved.

7. Security Considerations

This specification extends [RFC6775], and the Security Considerations section of that document also applies to this document. In particular, the link layer SHOULD be sufficiently protected to prevent rogue access. [RFC6775] does not protect the content of its messages and expects lower-layer encryption to defeat potential attacks. This specification requires the LLN MAC layer to provide secure unicast to/from a Routing Registrar and secure broadcast or multicast from the Routing Registrar in a way that prevents tampering with or replaying the ND messages. This specification recommends using privacy techniques (see Section 8) and protecting against address theft via methods that are outside the scope of this document. As an example, [AP-ND] guarantees the ownership of the Registered Address using a cryptographic ROVR.
Top   ToC   RFC8505 - Page 27
   The registration mechanism may be used by a rogue node to attack the
   6LR or 6LBR with a denial-of-service attack against the registry.  It
   may also happen that the registry of a 6LR or 6LBR is saturated and
   cannot take any more registrations; this scenario effectively denies
   the requesting node the capability to use a new address.  In order to
   alleviate those concerns, (1) Section 5.2 provides a sequence counter
   that keeps incrementing to detect and clean up stale registration
   information and that contributes to defeat replay attacks and
   (2) Section 5.7 provides a number of recommendations that ensure that
   a stale registration is removed as soon as possible from the 6LR
   and 6LBR.

   In particular, this specification recommends that:

   o  A node that ceases to use an address SHOULD attempt to de-register
      that address from all the 6LRs to which it is registered.

   o  The registration lifetimes SHOULD be individually configurable for
      each address or group of addresses.  A node SHOULD be configured
      for each address (or address category) with a Registration
      Lifetime that reflects the expectation of how long it will use the
      address with the 6LR to which the address is registered.  In
      particular, use cases that involve mobility or rapid address
      changes SHOULD use lifetimes that are the same order of magnitude
      as the duration of the expectation of presence but that are still

   o  The router (6LR or 6LBR) SHOULD be configurable so as to limit the
      number of addresses that can be registered by a single node, but
      as a protective measure only.  In any case, a router MUST be able
      to keep a minimum number of addresses per node.  That minimum
      depends on the type of device and ranges between 3 for a very
      constrained LLN and 10 for a larger device.  A node may be
      identified by its MAC address, as long as it is not obfuscated by
      privacy measures.  A stronger identification (e.g., by security
      credentials) is RECOMMENDED.  When the maximum is reached, the
      router SHOULD use a Least Recently Used (LRU) algorithm to
      clean up the addresses, keeping at least one Link-Local Address.
      The router SHOULD attempt to keep one or more stable addresses if
      stability can be determined, e.g., because they are used over a
      much longer time span than other (privacy, shorter-lived)

   o  In order to avoid denial of registration due to a lack of
      resources, administrators should take great care to deploy
      adequate numbers of 6LRs to cover the needs of the nodes in their
      range, so as to avoid a situation of starving nodes.  It is
      expected that the 6LBR that serves an LLN is a more capable node
Top   ToC   RFC8505 - Page 28
      than the average 6LR, but in a network condition where it may
      become saturated, a particular LLN should distribute the 6LBR
      functionality -- for instance, by leveraging a high-speed Backbone
      Link and Routing Registrars to aggregate multiple LLNs into a
      larger subnet.

   The LLN nodes depend on a 6LBR and may use the services of a Routing
   Registrar for their operation.  A trust model MUST be put in place to
   ensure that only authorized devices are acting in these roles, so as
   to avoid threats such as black-holing or bombing attack whereby an
   impersonated 6LBR would destroy state in the network by using the
   "Removed" status code.  At a minimum, this trust model could be based
   on Layer 2 access control or could provide role validation as well
   (see Req-5.1 in Appendix B.5).

8. Privacy Considerations

As indicated in Section 3, this protocol does not limit the number of IPv6 Addresses that each device can form. However, to mitigate denial-of-service attacks, it can be useful as a protective measure to have a limit that is high enough not to interfere with the normal behavior of devices in the network. A host should be able to form and register any address that is topologically correct in the subnet(s) advertised by the 6LR/6LBR. This specification does not mandate any particular way for forming IPv6 Addresses, but it discourages using EUI-64 for forming the Interface Identifier in the Link-Local Address because this method prevents the usage of Secure Neighbor Discovery (SEND) [RFC3971], Cryptographically Generated Addresses (CGAs) [RFC3972], and other address privacy techniques. [RFC8065] ("Privacy Considerations for IPv6 Adaptation-Layer Mechanisms") explains why privacy is important and how to form privacy-aware addresses. All implementations and deployments must consider the option of privacy addresses in their own environments. The IPv6 Address of the 6LN in the IPv6 header can be compressed statelessly when the Interface Identifier in the IPv6 Address can be derived from the lower-layer address. When it is not critical to benefit from that compression, e.g., the address can be compressed statefully, or it is rarely used and/or it is used only over one hop, privacy concerns should be considered. In particular, new implementations should follow [RFC8064] ("Recommendation on Stable IPv6 Interface Identifiers"). [RFC8064] recommends the mechanism specified in [RFC7217] ("A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)") for generating Interface Identifiers to be used in SLAAC.
Top   ToC   RFC8505 - Page 29

9. IANA Considerations

IANA has made a number of changes under the "Internet Control Message Protocol version 6 (ICMPv6) Parameters" registry, as follows.

9.1. Address Registration Option Flags

IANA has created a new subregistry for "Address Registration Option Flags" under the "Internet Control Message Protocol version 6 (ICMPv6) Parameters" registry. (See [RFC4443] for information regarding ICMPv6.) This specification defines eight positions -- bit 0 to bit 7 -- and assigns bit 6 for the R flag and bit 7 for the T flag (see Section 4.1). The registration procedure is "IETF Review" or "IESG Approval" (see [RFC8126]). The initial contents of the registry are shown in Table 2. +-------------+--------------+------------+ | ARO Status | Description | Reference | +-------------+--------------+------------+ | 0-5 | Unassigned | | | | | | | 6 | R Flag | RFC 8505 | | | | | | 7 | T Flag | RFC 8505 | +-------------+--------------+------------+ Table 2: New Address Registration Option Flags

9.2. Address Registration Option I-Field

IANA has created a new subregistry for "Address Registration Option I-Field" under the "Internet Control Message Protocol version 6 (ICMPv6) Parameters" registry. This specification defines four integer values from 0 to 3 and assigns value 0 to "Abstract Index for Topology Selection" (see Section 4.1). The registration procedure is "IETF Review" or "IESG Approval" [RFC8126].
Top   ToC   RFC8505 - Page 30
   The initial contents of the registry are shown in Table 3.

      | Value  | Meaning                               | Reference  |
      | 0      | Abstract Index for Topology Selection | RFC 8505   |
      |        |                                       |            |
      | 1-3    | Unassigned                            |            |

               Table 3: New Subregistry for the EARO I-Field

9.3. ICMP Codes

IANA has created two new subregistries of the 'ICMPv6 "Code" Fields' registry, which itself is a subregistry of ICMPv6 codes in the "Internet Control Message Protocol version 6 (ICMPv6) Parameters" registry. The new subregistries relate to ICMP Types 157 (Duplicate Address Request) (shown in Table 4) and 158 (Duplicate Address Confirmation) (shown in Table 5), respectively. For those two ICMP types, the ICMP Code field is split into two subfields: the Code Prefix and the Code Suffix. The new subregistries relate to the Code Suffix portion of the ICMP Code. The range of the Code Suffix is 0-15 in all cases. The registration procedure is "IETF Review" or "IESG Approval" [RFC8126] for both subregistries. The initial contents of these subregistries are as follows: +--------------+--------------------------------------+------------+ | Code Suffix | Meaning | Reference | +--------------+--------------------------------------+------------+ | 0 | DAR message | RFC 6775 | | | | | | 1 | EDAR message with 64-bit ROVR field | RFC 8505 | | | | | | 2 | EDAR message with 128-bit ROVR field | RFC 8505 | | | | | | 3 | EDAR message with 192-bit ROVR field | RFC 8505 | | | | | | 4 | EDAR message with 256-bit ROVR field | RFC 8505 | | | | | | 5-15 | Unassigned | | +--------------+--------------------------------------+------------+ Table 4: Code Suffixes for ICMP Type 157 DAR Message
Top   ToC   RFC8505 - Page 31
   | Code Suffix  | Meaning                              | Reference  |
   | 0            | DAC message                          | RFC 6775   |
   |              |                                      |            |
   | 1            | EDAC message with 64-bit ROVR field  | RFC 8505   |
   |              |                                      |            |
   | 2            | EDAC message with 128-bit ROVR field | RFC 8505   |
   |              |                                      |            |
   | 3            | EDAC message with 192-bit ROVR field | RFC 8505   |
   |              |                                      |            |
   | 4            | EDAC message with 256-bit ROVR field | RFC 8505   |
   |              |                                      |            |
   | 5-15         | Unassigned                           |            |

           Table 5: Code Suffixes for ICMP Type 158 DAC Message

9.4. New ARO Status Values

IANA has made additions to the "Address Registration Option Status Values" subregistry, as follows: +-------+--------------------------------------------+------------+ | Value | Description | Reference | +-------+--------------------------------------------+------------+ | 3 | Moved | RFC 8505 | | | | | | 4 | Removed | RFC 8505 | | | | | | 5 | Validation Requested | RFC 8505 | | | | | | 6 | Duplicate Source Address | RFC 8505 | | | | | | 7 | Invalid Source Address | RFC 8505 | | | | | | 8 | Registered Address Topologically Incorrect | RFC 8505 | | | | | | 9 | 6LBR Registry Saturated | RFC 8505 | | | | | | 10 | Validation Failed | RFC 8505 | +-------+--------------------------------------------+------------+ Table 6: New ARO Status Values
Top   ToC   RFC8505 - Page 32

9.5. New 6LoWPAN Capability Bits

IANA has made additions to the "6LoWPAN Capability Bits" subregistry, as follows: +------+---------------------------+------------+ | Bit | Description | Reference | +------+---------------------------+------------+ | 10 | EDA Support (D bit) | RFC 8505 | | | | | | 11 | 6LR capable (L bit) | RFC 8505 | | | | | | 12 | 6LBR capable (B bit) | RFC 8505 | | | | | | 13 | Routing Registrar (P bit) | RFC 8505 | | | | | | 14 | EARO support (E bit) | RFC 8505 | +------+---------------------------+------------+ Table 7: New 6LoWPAN Capability Bits

(page 32 continued on part 3)

Next Section