Please refer to the current edition of the "Internet Official Protocol Standards" STD 1 for the standardization state and status of this protocol. Distribution of this memo is unlimited. All Rights Reserved. IPv6 Addressing Security Considerations
|Published (Last):||13 July 2004|
It includes the basic formats for the various types of IPv6 addresses (unicast, anycast, and multicast).
IPv6 Addressing

IPv6 addresses are bit identifiers for interfaces and sets of interfaces (where "interface" is as defined in section 2 of [IPV6]). There are three types of addresses:

Unicast: An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address.

Anycast: An identifier for a set of interfaces (typically belonging to different nodes).

Multicast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.

There are no broadcast addresses in IPv6, their function being superseded by multicast addresses. In this document, fields in addresses are given a specific name, for example "subnet".
When this name is used with the term "ID" for identifier after the name e. When it is used with the term "prefix" e. In IPv6, all zeros and all ones are legal values for any field, unless specifically excluded. Specifically, prefixes may contain, or end with, zero-valued fields.
An IPv6 unicast address refers to a single interface. All interfaces are required to have at least one link-local unicast address see section 2. A single interface may also have multiple IPv6 addresses of any type (unicast, anycast, and multicast) or scope. Unicast addresses with scope greater than link-scope are not needed for interfaces that are not used as the origin or destination of any IPv6 packets to or from non-neighbors.
This is sometimes convenient for point-to-point interfaces. There is one exception to this addressing model: A unicast address or a set of unicast addresses may be assigned to multiple physical interfaces if the implementation treats the multiple physical interfaces as one interface when presenting it to the internet layer. This is useful for load-sharing over multiple physical interfaces. Currently IPv6 continues the IPv4 model that a subnet prefix is associated with one link.
Multiple subnet prefixes may be assigned to the same link. Due to some methods of allocating certain styles of IPv6 addresses, it will be common for addresses to contain long strings of zero bits. In order to make writing addresses containing zero bits easier a special syntax is available to compress the zeros.
The "::" can only appear once in an address. The "::" can also be used to compress leading or trailing zeros in an address.
For example, the following addresses: CA a unicast address FF a multicast address the loopback address the unspecified addresses may be represented as: CA a unicast address FF a multicast address the loopback address :: the unspecified addresses 3. An alternative form that is sometimes more convenient when dealing with a mixed environment of IPv4 and IPv6 nodes is x:x:x:x:x:x:d.
Examples: Some special-purpose subtypes of global unicast addresses which contain embedded IPv4 addresses for the purposes of IPv4-IPv6 interoperation are described in section 2.
Future specifications may redefine one or more sub-ranges of the global unicast space for other purposes, but unless and until that happens, implementations must treat all addresses that do not start with any of the above-listed prefixes as global unicast addresses. There are several types of unicast addresses in IPv6, in particular global unicast, site-local unicast, and link-local unicast.
Additional address types or subtypes can be defined in the future. IPv6 nodes may have considerable or little knowledge of the internal structure of the IPv6 address, depending on the role the node plays (for instance, host versus router).
They are required to be unique within a subnet prefix. It is recommended that the same interface identifier not be assigned to different nodes on a link. They may also be unique over a broader scope. The same interface identifier may be used on multiple interfaces on a single node, as long as they are attached to different subnets.
Note that the uniqueness of interface identifiers is independent of the uniqueness of IPv6 addresses. For example, a global unicast address may be created with a non-global scope interface identifier and a site-local address may be created with a global scope interface identifier. For all unicast addresses, except those that start with binary value , Interface IDs are required to be 64 bits long and to be constructed in Modified EUI format.
Modified EUI format based Interface identifiers may have global scope when derived from a global token e. In the resulting Modified EUI format the "u" bit is set to one (1) to indicate global scope, and it is set to zero (0) to indicate local scope.
The motivation for inverting the "u" bit when forming an interface identifier is to make it easy for system administrators to hand configure non-global identifiers when hardware tokens are not available. This is expected to be the case for serial links, tunnel end-points, etc. The alternative would have been for these to be of the form , , etc.
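The "u" bit handling described above, as an added example that is not part of the original memo text on this page. It assumes the global token is a 48-bit IEEE MAC address and uses the standard mapping (FF FE inserted in the middle, "u" bit inverted), a step this page does not show; the MAC address is a constructed sample. It also shows the reverse direction, which is why identifiers built this way expose the hardware address of the interface.

```python
import ipaddress

U_BIT = 0x02  # universal/local bit, in the first octet of the identifier


def iid_from_mac(mac: str) -> bytes:
    """Build a 64-bit Modified EUI-64 interface ID from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = raw[:3] + b"\xff\xfe" + raw[3:]       # insert FF FE in the middle
    return bytes([eui64[0] ^ U_BIT]) + eui64[1:]  # invert the "u" bit


def iid_scope(iid: bytes) -> str:
    """'global' when the "u" bit is one, 'local' when it is zero."""
    return "global" if iid[0] & U_BIT else "local"


def link_local_from_mac(mac: str) -> str:
    """Combine the link-local prefix with the MAC-derived interface ID."""
    prefix = ipaddress.IPv6Address("fe80::").packed[:8]
    return str(ipaddress.IPv6Address(prefix + iid_from_mac(mac)))


def mac_from_address(addr: str):
    """Recover the MAC embedded in an address, or None if the interface ID
    does not look MAC-derived (no FF FE marker, or "u" bit zero)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe" or iid_scope(iid) != "global":
        return None
    raw = bytes([iid[0] ^ U_BIT]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"  # constructed sample value
    addr = link_local_from_mac(sample_mac)
    print(addr, "->", mac_from_address(addr))
    # A hand-configured identifier has the "u" bit at zero (local scope).
    print(iid_scope(ipaddress.IPv6Address("fe80::1").packed[8:]))
```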
It must never be assigned to any node. It indicates the absence of an address. One example of its use is in the Source Address field of any IPv6 packets sent by an initializing host before it has learned its own address. An IPv6 packet with a source address of unspecified must never be forwarded by an IPv6 router. It may be used by a node to send an IPv6 packet to itself.
It may never be assigned to any physical interface. It is treated as having link-local scope, and may be thought of as the link-local unicast address of a virtual interface (typically called "the loopback interface") to an imaginary link that goes nowhere.
The loopback address must not be used as the source address in IPv6 packets that are sent outside of a single node. An IPv6 packet with a destination address of loopback must never be sent outside of a single node and must never be forwarded by an IPv6 router. A packet received on an interface with destination address of loopback must be dropped. All global unicast addresses other than those that start with binary have a bit interface ID field i.
Global unicast addresses that start with binary have no such constraint on the size or structure of the interface ID field. Examples of global unicast addresses that start with binary are the IPv6 address with embedded IPv4 addresses described in section 2. An example of global addresses starting with a binary value other than and therefore having a bit interface ID field can be found in [AGGR]. IPv6 nodes that use this technique are assigned special IPv6 unicast addresses that carry a global IPv4 address in the low-order 32 bits.
A second type of IPv6 address which holds an embedded IPv4 address is also defined. This address type is used to represent the addresses of IPv4 nodes as IPv6 addresses. These are Link-Local and Site-Local.
The Link-Local is for use on a single link and the Site-Local is for use in a single site. Routers must not forward any packets with link-local source or destination addresses to other links. Although a subnet ID may be up to bits long, it is expected that globally-connected sites will use the same subnet IDs for site-local and global prefixes.
Routers must not forward any packets with site-local source or destination addresses outside of the site. Anycast addresses are allocated from the unicast address space, using any of the defined unicast address formats. Thus, anycast addresses are syntactically indistinguishable from unicast addresses.
When a unicast address is assigned to more than one interface, thus turning it into an anycast address, the nodes to which the address is assigned must be explicitly configured to know that it is an anycast address.
For any assigned anycast address, there is a longest prefix P of that address that identifies the topological region in which all interfaces belonging to that anycast address reside. Within the region identified by P, the anycast address must be maintained as a separate entry in the routing system (commonly referred to as a "host route"); outside the region identified by P, the anycast address may be aggregated into the routing entry for prefix P.
Note that in the worst case, the prefix P of an anycast set may be the null prefix, i. In that case, the anycast address must be maintained as a separate routing entry throughout the entire internet, which presents a severe scaling limit on how many such "global" anycast sets may be supported. Therefore, it is expected that support for global anycast sets may be unavailable or very restricted.
One expected use of anycast addresses is to identify the set of routers belonging to an organization providing internet service. Such addresses could be used as intermediate addresses in an IPv6 Routing header, to cause a packet to be delivered via a particular service provider or sequence of service providers.
Some other possible uses are to identify the set of routers attached to a particular subnet, or the set of routers providing entry into a particular routing domain. There is little experience with widespread, arbitrary use of internet anycast addresses, and some known complications and hazards when using them in their full generality [ANYCST].
This anycast address is syntactically the same as a unicast address for an interface on the link with the interface identifier set to zero. Packets sent to the Subnet-Router anycast address will be delivered to one router on the subnet.
All routers are required to support the Subnet-Router anycast addresses for the subnets to which they have interfaces. The subnet-router anycast address is intended to be used for applications where a node needs to communicate with any one of the set of routers. An interface may belong to any number of multicast groups. The values are:

0  reserved
1  interface-local scope
2  link-local scope
3  reserved
4  admin-local scope
5  site-local scope
6  unassigned
7  unassigned
8  organization-local scope
9  unassigned
A  unassigned
B  unassigned
C  unassigned
D  unassigned
E  global scope
F  reserved

interface-local scope spans only a single interface on a node, and is useful only for loopback transmission of multicast.
The "meaning" of a permanently-assigned multicast address is independent of the scope value. FF means all NTP servers on the same link as the sender.
FF means all NTP servers in the same site as the sender. Non-permanently-assigned multicast addresses are meaningful only within a given scope. For example, a group identified by the non-permanent, site-local multicast address FF at one site bears no relationship to a group using the same address at a different site, nor to a non-permanent group using the same group ID with different scope, nor to a permanent group with the same group ID.
Multicast addresses must not be used as source addresses in IPv6 packets or appear in any Routing header. Routers must not forward any multicast packets beyond the scope indicated by the scop field in the destination multicast address.
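The forwarding rules stated in the sections above (unspecified source, loopback, link-local and site-local unicast, multicast as a source, and the scop field of a multicast destination) collected into one check, as an added example that is not part of the original memo. The function names and the crosses_site flag are assumptions made for illustration, and the addresses in the demo are constructed samples.

```python
import ipaddress

# Names for the 4-bit scop field, following the table of values above.
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
RESERVED = {0x0, 0x3, 0xF}


def multicast_scope(addr: str):
    """Scope name of a multicast address, or None if it is not multicast."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        return None
    scop = a.packed[1] & 0x0F  # low nibble of the second octet
    if scop in RESERVED:
        return "reserved"
    return SCOPES.get(scop, "unassigned")


def forwarding_violations(src: str, dst: str, crosses_site: bool = False):
    """Rules from the text that a router would break by forwarding this
    packet to another link (and out of the site, if crosses_site is set)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    out = []
    if s.is_unspecified:
        out.append("unspecified source")
    if s.is_loopback or d.is_loopback:
        out.append("loopback address")
    if s.is_multicast:
        out.append("multicast source")
    if s.is_link_local or d.is_link_local:
        out.append("link-local unicast")
    if crosses_site and (s.is_site_local or d.is_site_local):
        out.append("site-local outside site")
    scope = multicast_scope(dst)
    if scope in ("interface-local", "link-local"):
        out.append("multicast scope " + scope)
    elif crosses_site and scope == "site-local":
        out.append("multicast scope " + scope)
    return out


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, crosses_site)
    for pkt in [("2001:db8::1", "2001:db8:1::2", False),
                ("::", "ff02::1", False),
                ("fec0::1", "ff05::101", True)]:
        print(pkt, forwarding_violations(*pkt))
```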
RFC 3513 - Internet Protocol Version 6 (IPv6) Addressing Architecture
The known boundaries will differ from router to router, depending on what positions the router holds in the routing hierarchy.