Network Working Group                                             S. Roy
Internet-Draft                                    Sun Microsystems, Inc.
Expires: October 3, 2005                                       A. Durand
Expires: November 5, 2004
                                                     Comcast Corporation
                                                                J. Paugh
                                                  Sun Microsystems, Inc.
                                                             May 7, 2004
                                                              April 2005

     IPv6 Neighbor Discovery On-Link Assumption Considered Harmful

Status of this Memo

   This document

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is an Internet-Draft aware
   have been or will be disclosed, and is any of which he or she becomes
   aware will be disclosed, in full conformance accordance with
   all provisions of Section 10 6 of RFC2026. BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-Drafts. Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on November 5, 2004. October 3, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004). All Rights Reserved. (2005).


   This document describes a change to the IPv6 Neighbor Discovery historical and background information
   behind the removal of the "on-link assumption" from the conceptual
   host sending algorithm. algorithm defined in Neighbor Discovery for IP Version 6
   (IPv6).  According to the algorithm, algorithm as originally described, when a
   host's default router list is empty, the host assumes that all
   destinations are on-link.  This is particularly problematic with
   IPv6-capable nodes that do not have off-link IPv6 connectivity (e.g.,
   no default router).  This document describes how making this
   assumption causes problems, and describes how these problems outweigh
   the benefits of this part of the conceptual sending algorithm.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Background on the On-link Assumption . . . . . . . . . . . . .  3
   3.  Problems . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
     3.1   First Rule of Destination Address Selection  . . . . . . .  3
     3.2   Delays Associated with Address Resolution  . . . . . . . .  4
     3.3   Multi-homing   Multi-interface Ambiguity  . . . . . . . . . . . . . . . . . .  4  5
     3.4   Security Related Issues  . . . . . . . . . . . . . . . . .  5
   4.  Proposed  Changes to RFC2461 . . . . . . . . . . . . . . . . .  5 . . . . .  6
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  6
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     6.1   Normative References . . . . . . . . . . . . . . . . . . . .  6
     6.2   Informative References . . . . . . . . . . . . . . . . . . .  6  7
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  7
   A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . .  7
   B.  Changes from draft-ietf-v6ops-onlinkassumption-01 draft-ietf-v6ops-onlinkassumption-02  . . . . . .  7
   C.  Changes from draft-ietf-v6ops-onlinkassumption-01  . . . . . .  8
   D.  Changes from draft-ietf-v6ops-onlinkassumption-00  . . . . . .  8
       Intellectual Property and Copyright Statements . . . . . . . .  9

1.  Introduction

   Neighbor Discovery for IPv6 [ND] [I-D.ietf-ipv6-2461bis] defines a
   conceptual sending algorithm for hosts.  This  The version of the algorithm
   described in [RFC2461] states that if a host's default router list is
   empty, then the host assumes that all destinations are on-link.  This
   memo documents the removal of this assumption in the updated Neighbor
   Discovery specification [I-D.ietf-ipv6-2461bis], and describes the
   reasons why this assumption was removed.

   This assumption is problematic with IPv6-capable nodes that do not
   have off-link IPv6 connectivity.  Specifically, it  This is typical when systems that
   have IPv6 enabled on their network interfaces (either on by default
   or administratively configured that way) are attached to networks
   that have no IPv6 services such as off-link routing.  Such systems
   will resolve DNS names to AAAA and A records, and may attempt to
   connect to unreachable IPv6 off-link nodes.

   The on-link assumption creates problems for destination address
   selection as defined in [ADDRSEL], [RFC3484], and adds connection delays
   associated with unnecessary address resolution and neighbor
   unreachability detection.  The behavior associated with the
   assumption is undefined in multihomed scenarios, on multi-interface nodes, and has some subtle
   security implications.  All of these issues are discussed in this

   A revision of Neighbor Discovery [NDBIS] is removing the on-link
   assumption from the specification, but this memo gives historical
   reference and background to why this is has been a good decision.

2.  Background on the On-link Assumption

   This part of Neighbor Discovery's [ND] [RFC2461] conceptual sending
   algorithm was created to facilitate communication on a single link
   between systems manually configured with different global prefixes.
   For example, consider the case where two systems on separate links
   are manually configured with global addresses, and are then plugged
   in back-to-back.  They can still communicate with each other via
   their global addresses because they'll correctly assume that each is

   Without the on-link assumption, the above scenario wouldn't work as
   seamlessly.  One workaround work, and
   the systems would be need to use link-local addresses for
   this communication.  Another is be configured to configure new global addresses
   using the same /64 share a common prefix on these systems, either by manually
   configuring such addresses or by placing a router on-link that
   advertises this prefix, however users may not have appropriate
   privileges or knowledge to implement this workaround.
   as the link-local prefix.

3.  Problems

   The on-link assumption causes the following problems.

3.1  First Rule of Destination Address Selection

   Default Address Selection for IPv6 [ADDRSEL] [RFC3484] defines a destination
   address selection algorithm that takes an unordered list of
   destination addresses as input, and produces a sorted list of
   destination addresses as output.  The algorithm consists of
   destination address sorting rules, the first of which is "Avoid
   unusable destinations".  The idea behind this rule is to place
   unreachable destinations at the end of the sorted list so that
   applications will be least likely to try to communicate with those
   addresses first.

   The on-link assumption could potentially cause false positives when
   attempting unreachability determination for this rule.  On a network
   where there is no IPv6 router (all off-link IPv6 destinations are
   unreachable), the on-link assumption states that destinations are
   assumed to be on-link.  An implementation could interpret that as, if
   the default router list is empty, then all destinations are
   reachable. reachable
   on-link.  This causes may cause the rule to not necessarily prefer reachable
   IPv4 destinations over an unreachable IPv6 destinations, resulting in
   unreachable destinations being placed at the front of the sorted
   destination over a reachable IPv4 destination.

3.2  Delays Associated with Address Resolution

   Users expect that applications quickly connect to a given destination
   regardless of the number of IP addresses assigned to that
   destination.  If a destination name resolves to multiple addresses
   and the application attempts to communicate to each address until one
   succeeds, this process shouldn't take an unreasonable amount of time.
   It is therefore important that the system quickly determine if IPv6
   destinations are unreachable so that the application can try other
   destinations when those IPv6 destinations are unreachable.

   For an IPv6 enabled host deployed on a network that has no IPv6
   routers, the result of the on-link assumption is that link-layer
   address resolution must be performed on all IPv6 addresses to which
   the host sends packets.  The Application will not receive
   acknowledgment of the unreachability of destinations that are not
   on-link on-
   link until at least address resolution has failed, which is no less
   (amplified RETRANS_TIMER).  This is
   greatly amplified by transport protocol delays). delays.  For example,
   [RFC1122] requires that TCP retransmit for at least 3 minutes before
   aborting the connection attempt.

   When the application has a large list of off-link unreachable IPv6
   addresses followed by at least one reachable IPv4 address, the delay
   associated with Neighbor Unreachability Detection (NUD) of each IPv6
   addresses before successful communication with the IPv4 address is

3.3  Multi-homing  Multi-interface Ambiguity

   There is no defined way to implement this aspect of the sending
   algorithm on a multi-homed node. node that is attached to multiple links.  From an
   implementor's point of view, there are three ways to handle sending
   an IPv6 packet to a destination in the face of the on-link assumption
   on a multi-homed multi-interface node:

   1.  Attempt to resolve the destination on a single link.

   2.  Attempt to resolve the destination on every link.

   3.  Drop the packet.

   If the destination is indeed on-link, the first option might not
   succeed since the wrong link could be picked.  The second option
   might succeed in reaching a destination (assuming that one is
   reachable) but is more complex to implement, and isn't guaranteed to
   pick the correct destination.  For example, there is still ambiguity
   about which link to use if more than one node answers the
   solicitations on multiple links.  Dropping the packet is equivalent
   to not making the on-link assumption at all.  In other words, if
   there is no route to the destination, don't attempt to send the

3.4  Security Related Issues

   The on-link assumption discussed here introduces a security
   vulnerability to the Neighbor Discovery protocol described in section
   4.2.2 of IPv6 Neighbor Discovery Trust Models and Threats [PSREQ] [RFC3756]
   titled "Default router is 'killed'".  There is a threat that a host's
   router can be maliciously killed in order to cause the host to start
   sending all packets on-link.  The attacker can then spoof off-link
   nodes by sending packets on the same link as the host.  The
   vulnerability is discussed in detail in [PSREQ]. [RFC3756].

   Another security related side-effect of the on-link assumption has to
   do with virtual private networks (VPN's).  It has been observed that
   some commercially available VPN software solutions that don't support
   IPv6 send IPv6 packets to the local media in the clear (their
   security policy doesn't simply drop IPv6 packets).  Consider a
   scenario where a system has a single Ethernet interface with VPN
   software that encrypts and encapsulates certain packets.  The system
   attempts to send a packet to an IPv6 destination that it obtained by
   doing a DNS lookup, and the packet ends up going in the clear to the
   local media.  A malicious second third party could then spoof the
   destination on-link.

4.  Proposed  Changes to RFC2461

   This document suggests the

   The following changes have been made to the Neighbor Discovery [ND] specification:
   specification between [RFC2461] and [I-D.ietf-ipv6-2461bis]:

      The last sentence of the second paragraph of section 5.2
      ("Conceptual Sending Algorithm") should be was removed.  This sentence
      is currently, was,
      "If the Default Router List is empty, the sender assumes that the
      destination is on-link. on-link."

      Bullet item 3) in section 6.3.6 ("Default Router Selection")
      should be was
      removed.  The item currently reads, read, "If the Default Router List is empty,
      assume that all destinations are on-link as specified in Section

      APPENDIX A was modified to remove on-link assumption related text
      in bullet item 1) under the discussion on what happens when a
      multihomed host fails to receive Router Advertisements.

   The result of these changes is that destinations are considered
   unreachable when there is no routing information for that destination
   (through a default router or otherwise).  Instead of attempting
   link-layer link-
   layer address resolution when sending to such a destination, a node
   should send an ICMPv6 Destination Unreachable message (code 0 - no
   route to destination) message up the stack.

5.  Security Considerations

   The removal of the on-link assumption from Neighbor Discovery removes
   some security related vulnerabilities of the protocol as described in
   Section 3.4.

6.  References

6.1  Normative References

   [ADDRSEL]  Draves, R., "Default Address Selection

              Narten, T., "Neighbor Discovery for Internet
              Protocol IP version 6 (IPv6)", RFC 3484,
              draft-ietf-ipv6-2461bis-02 (work in progress),
              February 2003.

   [ND] 2005.

   [RFC1122]  Braden, R., "Requirements for Internet Hosts -
              Communication Layers", STD 3, RFC 1122, October 1989.

   [RFC2461]  Narten, T., Nordmark, E. E., and W. Simpson, "Neighbor
              Discovery for IP Version 6 (IPv6)", RFC 2461,
              December 1998.


   [RFC3484]  Draves, R., "Default Address Selection for Internet
              Protocol version 6 (IPv6)", RFC 3484, February 2003.

   [RFC3756]  Nikander, P., Kempf, J. J., and E. Nordmark, "IPv6 Neighbor
              Discovery trust models (ND) Trust Models and threats", October 2003.

              draft-ietf-send-psreq-04 Threats", RFC 3756,
              May 2004.

6.2  Informative References


   [RFC2462]  Thomson, S. and T. Narten, "IPv6 Stateless Address
              Autoconfiguration", RFC 2462, December 1998.

   [NDBIS]    Narten, T., Nordmark, E., Simpson, W., Soliman, H. and J.
              Tatuya, "Neighbor Discovery for IP Version 6 (IPv6)",
              February 2004.


Authors' Addresses

   Sebastien Roy
   Sun Microsystems, Inc.
   1 Network Drive
   Burlington, MA  01801



   Alain Durand
   Sun Microsystems, Inc.
   17 Network Circle
   Menlo Park, CA  94025

   Comcast Corporation
   1500 Market St.
   Philadelphia, PA  09102


   James Paugh
   Sun Microsystems, Inc.
   17 Network Circle
   Menlo Park, CA  94025



Appendix A.  Acknowledgments

   The authors gratefully acknowledge the contributions of Jim Bound,
   Tony Hain, Mika Liljeberg, Erik Nordmark, Pekka Savola, and Ronald
   van der Pol.

Appendix B.  Changes from draft-ietf-v6ops-onlinkassumption-02

   o  Changed abstract to reflect the historical nature of this

   o  Changed the introduction to stress that this is historical
      information documenting the removal of the on-link assumption from
      the ND spec.

   o  Added text to the introduction stating that the assumption is a
      problem for nodes with IPv6 on by default.

   o  Added mention to RFC1122 in section 3.2.

   o  Changed use of the term multi-homed nodes to "nodes that are
      attached to multiple links".

   o  Changed section 4 from "Proposed Changes" to "Changes" and
      adjusted included text to reflect that the changes have been made.

Appendix C.  Changes from draft-ietf-v6ops-onlinkassumption-01

   o  Added text in the Introduction stating that rfc2461bis has removed
      the on-link assumption, and that this memo gives the historical
      reference and background for its removal.

   o  Stated in Section 2 that users may not have sufficient privileges
      or knowledge to manually configure addresses or routers in order
      to work-around the lack of an on-link assumption.

   o  Removed implementation details of the on-link assumption from
      Section 3.1.

   o  Miscellaneous editorial changes.

Appendix C. D.  Changes from draft-ietf-v6ops-onlinkassumption-00

   o  Clarified in the abstract and introduction that the problem is
      with systems that are IPv6 enabled but have no off-link

   o  In Section 3.3, clarified that soliciting on all links could have
      ambiguous results.

   o  The old Security Considerations section was moved to Section 3.4,
      and the new Security Considerations section refers to that new

   o  Miscellaneous editorial changes.

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation RFC documents can be
   found in BCP-11. BCP 78 and BCP 79.

   Copies of
   claims of rights IPR disclosures made available for publication to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementors implementers or users of this
   specification can be obtained from the IETF Secretariat. on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which that may cover technology that may be required to practice implement
   this standard.  Please address the information to the IETF Executive

Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose at

Disclaimer of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees. Validity

   This document and the information contained herein is are provided on an

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


   Funding for the RFC Editor function is currently provided by the
   Internet Society.