rfc9762v1.txt   rfc9762.txt 
Internet Engineering Task Force (IETF) L. Colitti Internet Engineering Task Force (IETF) L. Colitti
Request for Comments: 9762 J. Linkova Request for Comments: 9762 J. Linkova
Updates: 4861, 4862 X. Ma, Ed. Updates: 4861, 4862 X. Ma, Ed.
Category: Standards Track Google Category: Standards Track Google
ISSN: 2070-1721 D. Lamparter ISSN: 2070-1721 D. Lamparter
NetDEF, Inc. NetDEF, Inc.
March 2025 June 2025
Signaling DHCPv6 Prefix Delegation per Client Availability to Hosts Using Router Advertisements to Signal the Availability of DHCPv6 Prefix
Delegation to Clients
Abstract Abstract
This document defines the "P" flag in the Prefix Information Option This document defines the P flag in the Prefix Information Option
(PIO) of IPv6 Router Advertisements (RAs). The flag is used to (PIO) of IPv6 Router Advertisements (RAs). The flag is used to
indicate that the network prefers that clients use the deployment indicate that the network prefers that clients use the deployment
model in RFC 9663 instead of using individual addresses in the on- model in RFC 9663 instead of using individual addresses in the on-
link prefix assigned using Stateless Address Autoconfiguration link prefix assigned using Stateless Address Autoconfiguration
(SLAAC) or DHCPv6 address assignment. (SLAAC) or DHCPv6 address assignment.
This document updates RFC 4862 to indicate that the Autonomous flag This document updates RFC 4862 to indicate that the Autonomous flag
in a PIO needs to be ignored if the PIO has the P flag set. It also in a PIO needs to be ignored if the PIO has the P flag set. It also
updates RFC 4861 to specify that the P flag indicates DHCPv6 Prefix updates RFC 4861 to specify that the P flag indicates DHCPv6 prefix
Delegation support for clients. delegation support for clients.
Status of This Memo Status of This Memo
This is an Internet Standards Track document. This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841. Internet Standards is available in Section 2 of RFC 7841.
skipping to change at line 85 skipping to change at line 86
12. IANA Considerations 12. IANA Considerations
13. References 13. References
13.1. Normative References 13.1. Normative References
13.2. Informative References 13.2. Informative References
Acknowledgements Acknowledgements
Authors' Addresses Authors' Addresses
1. Introduction 1. Introduction
[RFC9663] documents an IPv6 address assignment model where IPv6 [RFC9663] documents an IPv6 address assignment model where IPv6
devices obtain dedicated prefixes from the network via DHCPv6 Prefix devices obtain dedicated prefixes from the network via DHCPv6 prefix
Delegation (DHCPv6-PD) [RFC8415]. This model provides devices with a delegation (DHCPv6-PD) [RFC8415]. This model provides devices with a
large IPv6 address space they can use to create addresses for large IPv6 address space they can use to create addresses for
communication, individually number virtual machines (VMs) or communication, individually number virtual machines (VMs) or
containers, or extend the network to downstream devices. It also containers, or extend the network to downstream devices. It also
provides scalability benefits on large networks because network provides scalability benefits on large networks because network
infrastructure devices do not need to maintain per-address state, infrastructure devices do not need to maintain per-address state,
such as IPv6 neighbor cache, Source Address Validation Improvement such as IPv6 neighbor cache, Source Address Validation Improvement
(SAVI) [RFC7039] mappings, Virtual eXtensible Local Area Network (SAVI) [RFC7039] mappings, Virtual eXtensible Local Area Network
(VXLAN) [RFC7348] routes, etc. (VXLAN) [RFC7348] routes, etc.
On networks with fewer devices, however, this model may not be On networks with fewer devices, however, this model may not be
appropriate, because scaling to support multiple individual IPv6 appropriate, because scaling to support multiple individual IPv6
addresses per device is less of a concern. Also, many home networks addresses per device is less of a concern. Also, many home networks
currently offer prefix delegation but assume that a limited number of currently offer prefix delegation but assume that a limited number of
specialized devices and/or applications will require delegated specialized devices and/or applications will require delegated
prefixes and thus do not allocate enough address space to offer prefixes and thus do not allocate enough address space to offer
prefixes to every device that connects to the network. For example, prefixes to every device that connects to the network. For example,
if clients enable [RFC9663] on a home network that only receives a if clients assume the [RFC9663] deployment model on a home network
/60 from the ISP and each client obtains a /64 prefix, then the that only receives a /60 from the ISP and each client obtains a /64
network will run out of prefixes after 15 devices have been prefix, then the network will run out of prefixes after 15 devices
connected. have been connected.
Therefore, to safely roll out [RFC9663] implementations on the client Therefore, to safely roll out the support of the deployment model
side, it is necessary to have a mechanism for the network to signal defined in [RFC9663] on the client side, it is necessary to have a
to the client which address assignment method is preferred. mechanism for the network to signal to the client which address
assignment method is preferred.
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Terminology 3. Terminology
skipping to change at line 152 skipping to change at line 154
On-link address: an address that is assigned to an interface on a On-link address: an address that is assigned to an interface on a
specified link [RFC4861] specified link [RFC4861]
On-link prefix: a prefix that is assigned to a specified link On-link prefix: a prefix that is assigned to a specified link
Off-link: the opposite of "on-link" (see [RFC4861]) Off-link: the opposite of "on-link" (see [RFC4861])
PIO: Prefix Information Option [RFC4862] PIO: Prefix Information Option [RFC4862]
RA: Router Advertisement [RFC4861]
SLAAC: Stateless Address Autoconfiguration [RFC4862] SLAAC: Stateless Address Autoconfiguration [RFC4862]
4. Rationale 4. Rationale
The network administrator might want to indicate to clients that The network administrator might want to indicate to clients that
requesting a prefix via DHCPv6-PD and using that prefix for address requesting a prefix via DHCPv6-PD and using that prefix for address
assignment (see [RFC9663]) should be preferred over using individual assignment (see [RFC9663]) should be preferred over using individual
addresses from the on-link prefix. The information is passed to the addresses from the on-link prefix. The information is passed to the
client via a P flag in the Prefix Information Option (PIO). The client via a P flag in the PIO. The reasons for it being a PIO flag
reasons for it being a PIO flag are as follows: are as follows:
* The information must be contained in the Router Advertisement * The information must be contained in the RA because it must be
because it must be available to the client before it decides to available to the client before it decides to form IPv6 addresses
form IPv6 addresses from the PIO prefix using SLAAC. Otherwise, from the PIO prefix using SLAAC. Otherwise, the client might use
the client might use SLAAC to form IPv6 addresses from the PIO SLAAC to form IPv6 addresses from the PIO provided and start using
provided and start using them, even if a unique per-client prefix them, even if a unique per-client prefix is available via
is available via DHCPv6-PD. Forming addresses via SLAAC is DHCPv6-PD. Forming addresses via SLAAC is suboptimal because if
suboptimal because if the client later acquires a prefix using the client later acquires a prefix using DHCPv6-PD, it can either
DHCPv6-PD, it can either 1) use both the prefix and SLAAC 1) use both the prefix and SLAAC addresses, reducing the
addresses, reducing the scalability benefits of using DHCPv6-PD, scalability benefits of using DHCPv6-PD, or 2) remove the SLAAC
or 2) remove the SLAAC addresses, which would be disruptive for addresses, which would be disruptive for applications that are
applications that are using them. using them.
* This information is specific to the particular prefix being * This information is specific to the particular prefix being
announced. For example, a network administrator might want announced. For example, a network administrator might want
clients to assign global addresses from delegated prefixes but use clients to assign global addresses from delegated prefixes but
the PIO prefix to form Unique Local IPv6 Unicast Addresses form Unique Local IPv6 Unicast Addresses [RFC4193] from another
[RFC4193]. Also, in a multihoming situation, one upstream network PIO in the RA using SLAAC. Also, in a multihoming situation, one
might choose to assign prefixes via prefix delegation and another upstream network might choose to assign prefixes via prefix
via PIOs. delegation and another via PIOs.
Note that setting the 'P' flag in a PIO expresses the network Note that setting the P flag in a PIO expresses the network
operator's preference that clients should attempt using DHCPv6-PD operator's preference that clients should attempt using DHCPv6-PD
instead of performing individual address configuration on the prefix. instead of performing individual address configuration on the prefix.
For clients that honor this preference by requesting prefix For clients that honor this preference by requesting prefix
delegation, the actual delegated prefix will necessarily be a prefix delegation, the actual delegated prefix will necessarily be a prefix
different from the one from the PIO. different from the one from the PIO.
5. P Flag Overview 5. P Flag Overview
The P flag (also called the DHCPv6-PD preferred flag) is a 1-bit PIO The P flag (also called the DHCPv6-PD Preferred Flag) is a 1-bit PIO
flag, located after the R flag [RFC6275]. The presence of a PIO with flag, located after the R flag [RFC6275]. The presence of a PIO with
the P flag set indicates that the network prefers that clients use the P flag set indicates that the network prefers that clients use
Prefix Delegation instead of acquiring individual addresses via SLAAC prefix delegation instead of acquiring individual addresses via SLAAC
or DHCPv6 address assignment. This implies that the network has a or DHCPv6 address assignment. This implies that the network has a
DHCPv6 server capable of making DHCPv6 Prefix Delegations to every DHCPv6 server capable of making DHCPv6 prefix delegations to every
device on the network, as described in [RFC9663]. device on the network, as described in [RFC9663].
Figure 1 shows the resulting format of the Prefix Information Option. Figure 1 shows the resulting format of the PIO.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Prefix Length |L|A|R|P| Rsvd1 | | Type | Length | Prefix Length |L|A|R|P| Rsvd1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Valid Lifetime | | Valid Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Preferred Lifetime | | Preferred Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at line 225 skipping to change at line 229
| | | |
+ Prefix + + Prefix +
| | | |
+ + + +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1 Figure 1
The P flag is independent of the value of the M and O flags in the The P flag is independent of the value of the M and O flags in the
Router Advertisement. If the network desires to delegate prefixes to RA. If the network desires to delegate prefixes to devices that
devices that support DHCPv6 Prefix Delegation but do not support the support DHCPv6 prefix delegation but do not support the P flag, it
P flag, it SHOULD also set the M or O bits in the RA to 1, because SHOULD also set the M or O bits in the RA to 1, because some devices,
some devices, such as Customer Edge (CE) routers [RFC7084], might not such as Customer Edge (CE) routers [RFC7084], might not initiate
initiate DHCPv6 Prefix Delegation if both the M and O bits are set to DHCPv6 prefix delegation if both the M and O bits are set to zero.
zero.
6. Router Behavior 6. Router Behavior
Routers SHOULD set the P flag to zero by default, unless explicitly Routers SHOULD set the P flag to zero by default, unless explicitly
configured by the administrator, and SHOULD allow the operator to set configured by the administrator, and SHOULD allow the operator to set
the P flag value for any given prefix advertised in a PIO. Routers the P flag value for any given prefix advertised in a PIO. Routers
MUST allow the P flag to be configured separately from the A flag. MUST allow the P flag to be configured separately from the A flag.
In particular, enabling or disabling the P flag MUST not trigger In particular, enabling or disabling the P flag MUST NOT trigger
automatic changes in the A flag value set by the router. automatic changes in the A flag value set by the router.
7. Client Behavior 7. Client Behavior
7.1. Processing the P Flag 7.1. Processing the P Flag
This specification only applies to clients that support DHCPv6 Prefix This specification only applies to clients that support DHCPv6 prefix
Delegation. Clients that do not support DHCPv6 prefix delegation delegation. Clients that do not support DHCPv6 prefix delegation
MUST ignore the P flag. The P flag is meaningless for link-local MUST ignore the P flag. The P flag is meaningless for link-local
prefixes, and any Prefix Information Option containing the link-local prefixes, and any PIO containing the link-local prefix MUST be
prefix MUST be ignored as specified in Section 5.5.3 of [RFC4862]. ignored as specified in Section 5.5.3 of [RFC4862]. In the following
In the following text, all prefixes are assumed not to be link-local. text, all prefixes are assumed not to be link-local.
For each interface, the client MUST keep a list of every prefix that For each interface, the client MUST keep a list of every prefix that
was received from a PIO with the P flag set and currently has a non- was received from a PIO with the P flag set and currently has a non-
zero Preferred Lifetime. The list affects the behavior of the DHCPv6 zero preferred lifetime. The list affects the behavior of the DHCPv6
client as follows: client as follows:
* When a prefix's Preferred Lifetime becomes zero, either because * When a prefix's preferred lifetime becomes zero, either because
the Preferred Lifetime expires or because the client receives a the preferred lifetime expires or because the client receives a
PIO for the prefix with a zero Preferred Lifetime, the prefix MUST PIO for the prefix with a zero preferred lifetime, the prefix MUST
be removed from the list. be removed from the list.
* When the length of the list increases to one, the client SHOULD * When the length of the list increases to one, the client SHOULD
start requesting prefixes via DHCPv6 prefix delegation unless it start requesting prefixes via DHCPv6 prefix delegation unless it
is already doing so. is already doing so.
* When the length of the list decreases to zero, the client SHOULD * When the length of the list decreases to zero, the client SHOULD
stop requesting or renewing prefixes via DHCPv6 prefix delegation stop requesting or renewing prefixes via DHCPv6 prefix delegation
if it has no other reason to do so. The lifetimes of any prefixes if it has no other reason to do so. The lifetimes of any prefixes
already obtained via DHCPv6 are unaffected. already obtained via DHCPv6 are unaffected.
* If the client has already received delegated prefix(es) from one * If the client has already received delegated prefix(es) from one
or more servers, then any time a prefix is added to or removed or more servers, then any time one or more prefix(es) are added to
from the list, the client MUST consider this to be a change in or removed from the list, the client MUST consider this to be a
configuration information as described in Section 18.2.12 of change in configuration information as described in
[RFC8415]. In that case, the client MUST perform a REBIND, unless Section 18.2.12 of [RFC8415]. In that case, the client MUST
the list is now empty. This is in addition to performing a REBIND perform a REBIND, unless the list is now empty. This is in
in the other cases required by that section. Issuing a REBIND addition to performing a REBIND in the other cases required by
allows the client to obtain new prefixes if necessary, for that section. Issuing a REBIND allows the client to obtain new
example, when the network is being renumbered. It also refreshes prefixes if necessary, for example, when the network is being
the state related to the delegated prefix(es). renumbered. It also refreshes the state related to the delegated
prefix(es).
When a client requests a prefix via DHCPv6-PD, it MUST use the prefix When a client requests a prefix via DHCPv6-PD, it MUST use the prefix
length hint (Section 18.2.4 of [RFC8415]) to request a prefix that is length hint (Section 18.2.4 of [RFC8415]) to request a prefix that is
short enough to form addresses via SLAAC. short enough to form addresses via SLAAC.
In order to achieve the scalability benefits of using DHCPv6-PD, the In order to achieve the scalability benefits of using DHCPv6-PD, the
client SHOULD prefer to form addresses from the delegated prefix client SHOULD prefer to form addresses from the delegated prefix
instead of using individual addresses in the on-link prefix(es). instead of using individual addresses in the on-link prefix(es).
Therefore, when the client requests a prefix using DHCPv6-PD, the Therefore, when the client requests a prefix using DHCPv6-PD, the
client SHOULD NOT use SLAAC to obtain IPv6 addresses from PIOs with client SHOULD NOT use SLAAC to obtain IPv6 addresses from PIOs with
the P and A bits set. Similarly, if all PIOs processed by the client the P and A bits set. Similarly, if all PIOs processed by the client
have the P bit set, the client SHOULD NOT request individual IPv6 have the P bit set, the client SHOULD NOT request individual IPv6
addresses from DHCPv6, i.e., it SHOULD NOT include any IA_NA options addresses from DHCPv6, i.e., it SHOULD NOT include any IA_NA options
in SOLICIT messages [RFC8415]. The client MAY continue to use in Solicit messages [RFC8415]. The client MAY continue to use
addresses that are already configured. addresses that are already configured.
If the client does not obtain any suitable prefixes via DHCPv6-PD If the client does not obtain any suitable prefixes via DHCPv6-PD
that are suitable for SLAAC, it MAY choose to disable further that are suitable for SLAAC, it MAY choose to disable further
processing of the P flag on that interface, allowing the client to processing of the P flag on that interface, allowing the client to
fall back to other address assignment mechanisms, such as forming fall back to other address assignment mechanisms, such as forming
addresses via SLAAC (if the PIO has the A flag set to 1) and/or addresses via SLAAC (if the PIO has the A flag set to 1) and/or
requesting individual addresses via DHCPv6. requesting individual addresses via DHCPv6.
7.2. Using Delegated Prefix(es) 7.2. Using Delegated Prefix(es)
skipping to change at line 323 skipping to change at line 327
For every accepted prefix: For every accepted prefix:
* The client MAY form as many IPv6 addresses from the prefix as it * The client MAY form as many IPv6 addresses from the prefix as it
chooses. chooses.
* The client MAY use the prefix to provide IPv6 addresses to * The client MAY use the prefix to provide IPv6 addresses to
internal components such as VMs or containers. internal components such as VMs or containers.
* The client MAY use the prefix to allow devices directly connected * The client MAY use the prefix to allow devices directly connected
to it to obtain IPv6 addresses. For example, the client MAY route to it to obtain IPv6 addresses. For example, the client MAY route
traffic for that prefix to the interface and send a Router traffic for that prefix to an interface and send an RA containing
Advertisement containing a PIO for the prefix on the interface. a PIO for the prefix on that interface. That interface MUST NOT
That interface MUST NOT be the interface the prefix is obtained be the interface the prefix is obtained from. If the client
from. If the client advertises the prefix on an interface and it advertises the prefix on an interface and it has formed addresses
has formed addresses from the prefix, then it MUST act as though from the prefix, then it MUST act as though the addresses were
the addresses were assigned to that interface for the purposes of assigned to that interface for the purposes of Neighbor Discovery
Neighbor Discovery and Duplicate Address Detection. and Duplicate Address Detection.
The client MUST NOT send or forward packets with destination The client MUST NOT send or forward packets with destination
addresses within a delegated prefix to the interface that it obtained addresses within a delegated prefix to the interface that it obtained
the prefix on, as this can cause a routing loop. This problem will the prefix on, as this can cause a routing loop. This problem will
not occur if the client has assigned the prefix to another interface. not occur if the client has assigned the prefix to another interface.
Another way the client can prevent this problem is to add to its Another way the client can prevent this problem is to add to its
routing table a high-metric discard route for the delegated prefix. routing table a high-metric discard route for the delegated prefix.
7.3. Absence of PIOs with the P Bit Set 7.3. Absence of PIOs with the P Bit Set
The P bit is purely a positive indicator, telling nodes that DHCPv6 The P bit is purely a positive indicator, telling nodes that DHCPv6
Prefix Delegation is available and the network prefers that nodes use prefix delegation is available and the network prefers that nodes use
it, even if they do not have any other reason to run a Prefix it, even if they do not have any other reason to run a prefix
Delegation client. The absence of any PIOs with the P bit does not delegation client. The absence of any PIOs with the P bit does not
carry any kind of signal to the opposite and MUST NOT be processed to carry any kind of signal to the opposite and MUST NOT be processed to
mean that DHCPv6-PD is absent. In particular, nodes that run mean that DHCPv6-PD is absent. In particular, nodes that run
DHCPv6-PD due to explicit configuration or by default (e.g., to DHCPv6-PD due to explicit configuration or by default (e.g., to
extend the network) MUST NOT disable DHCPv6-PD on the absence of PIOs extend the network) MUST NOT disable DHCPv6-PD on the absence of PIOs
with the P bit set. A very common example of this are CE routers as with the P bit set. A very common example of this are CE routers as
described by [RFC7084]. described by [RFC7084].
7.4. On-Link Communication 7.4. On-Link Communication
When the network delegates unique prefixes to clients, each client When the network delegates unique prefixes to clients, each client
will consider other client's destination addresses to be off-link, will consider other clients' destination addresses to be off-link,
because those addresses are from the delegated prefixes and are not because those addresses are from the delegated prefixes and are not
within any on-link prefix. When a client sends traffic to another within any on-link prefix. When a client sends traffic to another
client, packets will initially be sent to the default router. The client, packets will initially be sent to the default router. The
router may respond with an ICMPv6 redirect message (Section 4.5 of router may respond with an ICMPv6 redirect message (Section 4.5 of
[RFC4861]). If the client receives and accepts the redirect, then [RFC4861]). If the client receives and accepts the redirect, then
traffic can flow directly from device to device. Therefore, hosts traffic can flow directly from device to device. Therefore, hosts
supporting the P flag SHOULD process redirects unless configured supporting the P flag SHOULD process redirects unless configured
otherwise. Hosts that do not process ICMPv6 redirects, and routers otherwise. Hosts that do not process ICMPv6 redirects, and routers
that do not act on ICMPv6 redirects, may experience higher latency that do not act on ICMPv6 redirects, may experience higher latency
while communicating to prefixes delegated to other clients on the while communicating to prefixes delegated to other clients on the
skipping to change at line 437 skipping to change at line 441
| "equal" means the two prefix lengths are the same and the | "equal" means the two prefix lengths are the same and the
| first prefix-length bits of the prefixes are identical), and | first prefix-length bits of the prefixes are identical), and
| if the Valid Lifetime is not 0, form an address (and add it to | if the Valid Lifetime is not 0, form an address (and add it to
| the list) by combining the advertised prefix with an interface | the list) by combining the advertised prefix with an interface
| identifier of the link as follows: | identifier of the link as follows:
NEW TEXT: NEW TEXT:
| For each Prefix Information Option in the Router Advertisement: | For each Prefix Information Option in the Router Advertisement:
| |
| a) If the P flag is set and the node implements RFC 9762, it | a) If the prefix is the link-local prefix, silently ignore the
| Prefix Information Option.
|
| b) If the P flag is set and the node implements RFC 9762, it
| SHOULD treat the Autonomous flag as if it was unset and use | SHOULD treat the Autonomous flag as if it was unset and use
| prefix delegation to obtain addresses as described in RFC | prefix delegation to obtain addresses as described in RFC
| 9762. | 9762.
| |
| b) If the Autonomous flag is not set, silently ignore the Prefix | c) If the Autonomous flag is not set, silently ignore the Prefix
| Information Option. | Information Option.
| |
| c) If the prefix is the link-local prefix, silently ignore the
| Prefix Information Option.
|
| d) If the preferred lifetime is greater than the valid lifetime, | d) If the preferred lifetime is greater than the valid lifetime,
| silently ignore the Prefix Information Option. A node MAY | silently ignore the Prefix Information Option. A node MAY
| wish to log a system management error in this case. | wish to log a system management error in this case.
| |
| e) If the prefix advertised is not equal to the prefix of an | e) If the prefix advertised is not equal to the prefix of an
| address configured by stateless autoconfiguration already in | address configured by stateless autoconfiguration already in
| the list of addresses associated with the interface (where | the list of addresses associated with the interface (where
| "equal" means the two prefix lengths are the same and the | "equal" means the two prefix lengths are the same and the
| first prefix-length bits of the prefixes are identical) and if | first prefix-length bits of the prefixes are identical) and if
| the Valid Lifetime is not 0, form an address (and add it to | the Valid Lifetime is not 0, form an address (and add it to
| the list) by combining the advertised prefix with an interface | the list) by combining the advertised prefix with an interface
| identifier of the link as follows: | identifier of the link as follows:
10. Security Considerations 10. Security Considerations
The mechanism described in this document relies on the information The mechanism described in this document relies on the information
provided in the Router Advertisement and therefore shares the same provided in the RA and therefore shares the same security model as
security model as SLAAC. If the network does not implement RA-Guard SLAAC. If the network does not implement RA-Guard [RFC6105], an
[RFC6105], an attacker might send RAs containing the PIO used by the attacker might send RAs containing the PIO used by the network, set
network, set the P flag to 1, and force hosts to ignore the A flag. the P flag to 1, and force hosts to ignore the A flag. In the
In the absence of DHCPv6-PD infrastructure, hosts would either obtain absence of DHCPv6-PD infrastructure, hosts would either obtain no
no IPv6 addresses or, if they fall back to other IPv6 address IPv6 addresses or, if they fall back to other IPv6 address assignment
assignment mechanisms such as SLAAC and IA_NA, would experience mechanisms such as SLAAC and IA_NA, would experience delays in
delays in obtaining IPv6 addresses. If the network does not support obtaining IPv6 addresses. If the network does not support
DHCPv6-Shield [RFC7610], the attacker could also run a rogue DHCPv6 DHCPv6-Shield [RFC7610], the attacker could also run a rogue DHCPv6
server, providing the host with invalid prefixes or other invalid server, providing the host with invalid prefixes or other invalid
configuration information. configuration information.
The attacker might force hosts to oscillate between DHCPv6-PD and The attacker might force hosts to oscillate between DHCPv6-PD and
PIO-based SLAAC by sending the same set of PIOs with and then without PIO-based SLAAC by sending the same set of PIOs with and then without
the P flag set. That would cause the clients to issue REBIND the P flag set. That would cause the clients to issue REBIND
requests, increasing the load on the DHCP infrastructure. However, requests, increasing the load on the DHCP infrastructure. However,
Section 14.1 of [RFC8415] requires that DHCPv6-PD clients rate-limit Section 14.1 of [RFC8415] requires that DHCPv6-PD clients rate-limit
transmitted DHCPv6 messages. transmitted DHCPv6 messages.
It should be noted that if the network allows rogue RAs to be sent, It should be noted that if the network allows rogue RAs to be sent,
the attacker would be able to disrupt hosts connectivity anyway, so the attacker would be able to disrupt hosts' connectivity anyway, so
this document doesn't introduce any fundamentally new security this document doesn't introduce any fundamentally new security
considerations. considerations.
Security considerations inherent to the PD-per-device model are Security considerations inherent to the PD-per-device model are
documented in Section 15 of [RFC9663]. documented in Section 15 of [RFC9663].
11. Privacy Considerations 11. Privacy Considerations
The privacy implications of implementing the P flag and using The privacy implications of implementing the P flag and using
DHCPv6-PD to assign prefixes to hosts are similar to the privacy DHCPv6-PD to assign prefixes to hosts are similar to the privacy
implications of using DHCPv6 for assigning individual addresses. If implications of using DHCPv6 to assign individual addresses. If the
the DHCPv6 infrastructure assigns the same prefix to the same client, DHCPv6 infrastructure assigns the same prefix to the same client,
then an observer might be able to identify clients based on the then an observer might be able to identify clients based on the
highest 64 bits of the client's address. Those implications and highest 64 bits of the client's address. Those implications and
recommended countermeasures are discussed in Section 13 of [RFC9663]. recommended countermeasures are discussed in Section 13 of [RFC9663].
Implementing the P flag support on a host and receiving side enables Implementing the P flag support on a host and receiving will enable
DHCPv6 on that host. Sending DHCPv6 packets may reveal some minor DHCPv6 on that host if the host receives an RA containing a PIO with
the P bit set. Sending DHCPv6 packets may reveal some minor
additional information about the host, most prominently the hostname. additional information about the host, most prominently the hostname.
This is not a new concern and would apply for any network that uses This is not a new concern and would apply for any network that uses
DHCPv6 and sets the 'M' flag in Router Advertisements. DHCPv6 and sets the M flag in RAs.
No privacy considerations result from supporting the P flag on the No privacy considerations result from supporting the P flag on the
sender side. sender side.
12. IANA Considerations 12. IANA Considerations
IANA has made the following allocation in the "IPv6 Neighbor IANA has made the following allocation in the "IPv6 Neighbor
Discovery Prefix Information Option Flags" registry [RFC8425]: Discovery Prefix Information Option Flags" registry [RFC8425]:
+================+==============================+===========+ +================+==============================+===========+
| PIO Option Bit | Description | Reference | | PIO Option Bit | Description | Reference |
+================+==============================+===========+ +================+==============================+===========+
| 3 | P - DHCPv6-PD preferred flag | RFC 9762 | | 3 | P - DHCPv6-PD Preferred Flag | RFC 9762 |
+----------------+------------------------------+-----------+ +----------------+------------------------------+-----------+
Table 1 Table 1
13. References 13. References
13.1. Normative References 13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
skipping to change at line 615 skipping to change at line 620
DHCPv6 Prefix Delegation (DHCPv6-PD) to Allocate Unique DHCPv6 Prefix Delegation (DHCPv6-PD) to Allocate Unique
IPv6 Prefixes per Client in Large Broadcast Networks", IPv6 Prefixes per Client in Large Broadcast Networks",
RFC 9663, DOI 10.17487/RFC9663, October 2024, RFC 9663, DOI 10.17487/RFC9663, October 2024,
<https://www.rfc-editor.org/info/rfc9663>. <https://www.rfc-editor.org/info/rfc9663>.
Acknowledgements Acknowledgements
Thanks to Nick Buraglio, Brian Carpenter, Tim Chown, David Farmer, Thanks to Nick Buraglio, Brian Carpenter, Tim Chown, David Farmer,
Fernando Gont, Susan Hares, Mahesh Jethanandani, Suresh Krishnan, Ted Fernando Gont, Susan Hares, Mahesh Jethanandani, Suresh Krishnan, Ted
Lemon, Andrew McGregor, Tomek Mrugalski, Erik Nordmark, Michael Lemon, Andrew McGregor, Tomek Mrugalski, Erik Nordmark, Michael
Richardson, John Scudder, Ole Trøan, Dirk Von Hugo, Éric Vyncke and Richardson, Patrick Rohr, John Scudder, Ole Trøan, Dirk Von Hugo,
Timothy Winters for the discussions, reviews, input, and Éric Vyncke and Timothy Winters for the discussions, reviews, input,
contributions. and contributions.
Authors' Addresses Authors' Addresses
Lorenzo Colitti Lorenzo Colitti
Google Google
Shibuya 3-21-3, Shibuya 3-21-3,
Japan Japan
Email: lorenzo@google.com Email: lorenzo@google.com
Jen Linkova Jen Linkova
 End of changes. 37 change blocks. 
97 lines changed or deleted 102 lines changed or added

This html diff was produced by rfcdiff 1.48.