Internet Engineering Task Force (IETF)                          R. Asati
Request for Comments: 7527                                      H. Singh
Updates: 4429, 4861, 4862                                      W. Beebee
Category: Standards Track                                   C. Pignataro
ISSN: 2070-1721                                      Cisco Systems, Inc.
                                                                 E. Dart
                                   Lawrence Berkeley National Laboratory
                                                               W. George
                                                       Time Warner Cable
                                                              April 2015
        

Enhanced Duplicate Address Detection

Abstract

IPv6 Loopback Suppression and Duplicate Address Detection (DAD) are discussed in Appendix A of RFC 4862. That specification mentions a hardware-assisted mechanism to detect looped back DAD messages. If hardware cannot suppress looped back DAD messages, a software solution is required. Several service provider communities have expressed a need for automated detection of looped back Neighbor Discovery (ND) messages used by DAD. This document includes mitigation techniques and outlines the Enhanced DAD algorithm to automate the detection of looped back IPv6 ND messages used by DAD. For network loopback tests, the Enhanced DAD algorithm allows IPv6 to self-heal after a loopback is placed and removed. Further, for certain access networks, this document automates resolving a specific duplicate address conflict. This document updates RFCs 4429, 4861, and 4862.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7527.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
     1.2.  Terminology
   2.  Problem Statement
   3.  Operational Mitigation Options
     3.1.  Disable DAD on an Interface
     3.2.  Dynamic Disable/Enable of DAD Using Layer 2 Protocol
     3.3.  Operational Considerations
   4.  The Enhanced DAD Algorithm
     4.1.  Processing Rules for Senders
     4.2.  Processing Rules for Receivers
     4.3.  Changes to RFC 4861
   5.  Action to Perform on Detecting a Genuine Duplicate
   6.  Security Considerations
   7.  Normative References
   Acknowledgements
   Authors' Addresses
        
1. Introduction

IPv6 Loopback Suppression and Duplicate Address Detection (DAD) are discussed in Appendix A of [RFC4862]. That specification mentions a hardware-assisted mechanism to detect looped back DAD messages. If hardware cannot suppress looped back DAD messages, a software solution is required. One specific DAD message is the Neighbor Solicitation (NS), specified in [RFC4861]. The NS is issued by the network interface of an IPv6 node for DAD. Another message involved in DAD is the Neighbor Advertisement (NA). The Enhanced DAD algorithm specified in this document focuses on detecting an NS looped back to the transmitting interface during the DAD operation. Detecting a looped back NA does not solve the looped back DAD problem. Detection of any other looped back ND messages during the DAD operation is outside the scope of this document. This document also includes a section on mitigation that discusses means already available to mitigate the DAD loopback problem. This document updates RFCs 4429, 4861, and 4862. It updates RFCs 4429 and 4862 to use the Enhanced DAD algorithm to detect looped back DAD probes, and it updates RFC 4861 as described in Section 4.3 below.


1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

1.2. Terminology

o DAD-failed state - Duplicate Address Detection failure as specified in [RFC4862]. Note that even Optimistic DAD as specified in [RFC4429] can fail due to a looped back DAD probe. This document covers looped back detection for Optimistic DAD as well.

o Looped back message - also referred to as a reflected message. The message sent by the sender is received by the sender due to the network or an upper-layer protocol on the sender looping the message back.

o Loopback - A function in which the router's Layer 3 interface (or the circuit to which the router's interface is connected) is looped back or connected to itself. Loopback causes packets sent by the interface to be received by the interface and results in interface unavailability for regular data traffic forwarding. See more details in Section 9.1 of [RFC2328]. The Loopback function is commonly used in an interface context to gain information on the quality of the interface, by employing mechanisms such as ICMPv6 pings and bit-error tests. In a circuit context, this function is used in wide-area environments including optical Dense Wavelength Division Multiplexing (DWDM) and Synchronous Optical Network / Synchronous Digital Hierarchy (SONET/SDH) for fault isolation (e.g., by placing a loopback at different geographic locations along the path of a wide-area circuit to help locate a circuit fault). The Loopback function may be employed locally or remotely.

o NS(DAD) - shorthand notation to denote a Neighbor Solicitation (NS) (as specified in [RFC4861]) that has an unspecified IPv6 source address and was issued during DAD.

2. Problem Statement

Service providers have reported a problem with DAD that arises in a few scenarios. In the first scenario, loopback testing for troubleshooting purposes is underway on a circuit connected to an IPv6-enabled interface on a router. The interface issues an NS for the IPv6 link-local address DAD. The NS is reflected back to the router interface due to the loopback condition of the circuit, and the router interface enters a DAD-failed state. After the loopback condition is removed, IPv4 will return to operation without further manual intervention. However, IPv6 will remain in DAD-failed state until manual intervention on the router restores IPv6 to operation.

In the second scenario, two broadband modems are served by the same service provider and terminate to the same Layer 3 interface on an IPv6-enabled access concentrator. In this case, the two modems' Ethernet interfaces are also connected to a common local network (collision domain). The access concentrator serving the modems is the first-hop IPv6 router for the modems and issues an NS(DAD) message for the IPv6 link-local address of its Layer 3 interface. The NS message reaches one modem first, and this modem sends the message to the local network, where the second modem receives the message and then forwards it back to the access concentrator. The looped back NS message causes the network interface on the access concentrator to be in a DAD-failed state. Such a network interface typically serves thousands of broadband modems, and all would have their IPv6 connectivity affected until the DAD-failed state is cleared. Additionally, it may be difficult for the user of the access concentrator to determine the source of the looped back DAD message. Thus, in order to avoid IPv6 outages that can potentially affect multiple users, there is a need for automated detection of looped back NS messages during DAD operations by a node.

Note: In both examples above, the IPv6 link-local address DAD operation fails due to a looped back DAD probe. However, the problem of a looped back DAD probe exists for any IPv6 address type including global addresses.

3. Operational Mitigation Options

Two mitigation options are described below that do not require any change to existing implementations.

3.1. Disable DAD on an Interface

One can disable DAD on an interface so that there are no NS(DAD) messages issued. While this mitigation may be the simplest, the mitigation has three drawbacks: 1) care is needed when making such configuration changes on point-to-point interfaces, 2) this is a one-time manual configuration on each interface, and 3) genuine duplicates on the link will not be detected.


A service provider router, such as an access concentrator, or network core router, SHOULD support the DAD deactivation per interface.

3.2. Dynamic Disable/Enable of DAD Using Layer 2 Protocol

Some Layer 2 protocols include provisions to detect the existence of a loopback on an interface circuit, usually by comparing protocol data sent and received. For example, the Point-to-Point Protocol (PPP) uses a magic number (Section 6.4 of [RFC1661]) to detect a loopback on an interface.

When a Layer 2 protocol detects that a loopback is present on an interface circuit, the device MUST temporarily disable DAD on the interface. When the protocol detects that a loopback is no longer present (or the interface state has changed), the device MUST (re-)enable DAD on that interface.

This mitigation has several benefits. It leverages the Layer 2 protocol's built-in hardware loopback detection capability, if available. Being a hardware solution, it scales better than the software solution proposed in this document. This mitigation also scales better since it relies on an event-driven model that requires no additional state or timer. This may be significant on devices with hundreds or thousands of interfaces that may be in loopback for long periods of time (e.g., awaiting turn-up).

Detecting looped back DAD messages using a Layer 2 protocol SHOULD be enabled by default, and it MUST be a configurable option if the Layer 2 technology provides means for detecting loopback messages on an interface circuit.
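The event-driven model of this section, shown as an added Python example written for this page (it is not code from the RFC, from a PPP implementation, or from any vendor): a minimal LCP magic-number check in the spirit of Section 6.4 of [RFC1661] drives a DAD enable/disable switch on the interface, so DAD is suppressed only while the Layer 2 protocol sees the circuit looped and is restored as soon as a real peer answers or the interface changes state. The two-match threshold, the class names and the `run_loopback_test` scenario are assumptions of this example; a real LCP implementation confirms loopback with Echo-Request/Echo-Reply exchanges and carries far more state.

```python
import os

# Assumed for this example: declare the circuit looped back once this many consecutive
# Configure-Requests have echoed our own magic number (a single match could, in
# principle, be a peer that happened to choose the same number).
LOOPBACK_MATCH_THRESHOLD = 2


class PppLcp:
    """Just enough of LCP (RFC 1661, Section 6.4) to notice our own magic number coming back."""

    def __init__(self):
        self.magic = self._new_magic()
        self.consecutive_matches = 0
        self.looped = False

    @staticmethod
    def _new_magic():
        return int.from_bytes(os.urandom(4), "big")

    def configure_request(self):
        """The LCP Configure-Request we put on the wire, carrying our magic number."""
        return {"code": "Configure-Request", "magic": self.magic}

    def on_configure_request(self, pkt):
        """Compare the received magic number with the one in our last Configure-Request."""
        if pkt["magic"] != self.magic:
            self.consecutive_matches = 0
            self.looped = False
            return "not-looped"
        self.consecutive_matches += 1
        self.magic = self._new_magic()  # RFC 1661: pick a new number before trying again
        if self.consecutive_matches >= LOOPBACK_MATCH_THRESHOLD:
            self.looped = True
            return "looped"
        return "retry"


class InterfaceDad:
    """DAD control for one interface, toggled only by Layer 2 events (Section 3.2)."""

    def __init__(self, name):
        self.name = name
        self.dad_enabled = True
        self.events = []  # audit trail of DAD state changes

    def on_layer2_loopback(self, present):
        if present and self.dad_enabled:
            self.dad_enabled = False  # MUST temporarily disable DAD while looped
            self.events.append("dad-disabled")
        elif not present and not self.dad_enabled:
            self.dad_enabled = True   # MUST re-enable DAD once the loop is gone
            self.events.append("dad-enabled")

    def on_interface_state_change(self):
        """Any interface state change also re-enables DAD."""
        self.on_layer2_loopback(False)


def run_loopback_test(loop_exchanges, peer_exchanges):
    """Constructed scenario: the circuit reflects our LCP frames for loop_exchanges
    exchanges, then a real peer answers peer_exchanges times.
    Returns (DAD enabled at the end, list of DAD state changes)."""
    lcp, iface = PppLcp(), InterfaceDad("Serial0/1")
    for _ in range(loop_exchanges):
        verdict = lcp.on_configure_request(lcp.configure_request())  # our own frame returns
        iface.on_layer2_loopback(verdict == "looped")
    peer = PppLcp()
    for _ in range(peer_exchanges):
        verdict = lcp.on_configure_request(peer.configure_request())
        iface.on_layer2_loopback(verdict == "looped")
    return iface.dad_enabled, iface.events
```

Because no timer or per-address state is involved, the same handler serves any number of interfaces; the only state is the boolean per interface and whatever the Layer 2 protocol already keeps, which is the scaling argument the section makes.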

3.3. Operational Considerations

The mitigation options discussed above do not require the devices on both ends of the circuit to support the mitigation functionality simultaneously and do not propose any capability negotiation. They are effective for unidirectional circuit or interface loopback (i.e., the loopback is placed in one direction on the circuit, rendering the other direction nonoperational), but they may not be effective for a bidirectional loopback (i.e., the loopback is placed in both directions of the circuit interface, so as to identify the faulty segment). This is because, unless both ends followed a mitigation option specified in this document, the noncompliant device would follow current behavior and disable IPv6 on that interface due to DAD until manual intervention restores it.


4. The Enhanced DAD Algorithm

The Enhanced DAD algorithm covers detection of a looped back NS(DAD) message. This document proposes use of a random number in the Nonce Option specified in SEcure Neighbor Discovery (SEND) [RFC3971]. Note [RFC3971] does not provide a recommendation for pseudorandom functions. Pseudorandom functions are covered in [RFC4086]. Since a nonce is used only once, the NS(DAD) for each IPv6 address of an interface uses a different nonce. Additional details of the algorithm are included in Section 4.1.

If there is a collision because two nodes used the same Target Address in their NS(DAD) and generated the same random nonce, then the algorithm will incorrectly detect a looped back NS(DAD) when a genuine address collision has occurred. Since each looped back NS(DAD) event is logged to system management, the administrator of the network will have access to the information necessary to intervene manually. Also, because the nodes will have detected what appear to be looped back NS(DAD) messages, they will continue to probe, and it is unlikely that they will choose the same nonce the second time (assuming quality random number generators).

The algorithm is capable of detecting any ND solicitation (NS and Router Solicitation) or advertisement (NA and Router Advertisement) that is looped back. However, there may be increased implementation complexity and memory usage for the sender node to store a nonce and nonce-related state for all ND messages. Therefore, this document does not recommend using the algorithm outside of the DAD operation by an interface on a node.

4.1. Processing Rules for Senders

If a node has been configured to use the Enhanced DAD algorithm, when sending an NS(DAD) for a tentative or optimistic interface address, the sender MUST generate a random nonce associated with the interface address, MUST store the nonce internally, and MUST include the nonce in the Nonce option included in the NS(DAD). If the interface does not receive any DAD failure indications within RetransTimer milliseconds (see [RFC4861]) after having sent DupAddrDetectTransmits Neighbor Solicitations, the interface moves the Target Address to the assigned state.

If any probe is looped back within RetransTimer milliseconds after having sent DupAddrDetectTransmits NS(DAD) messages, the interface continues with another MAX_MULTICAST_SOLICIT number of NS(DAD) messages transmitted RetransTimer milliseconds apart. Section 2 of [RFC3971] defines a single-use nonce, so each Enhanced DAD probe uses a different nonce. If no probe is looped back within RetransTimer milliseconds after MAX_MULTICAST_SOLICIT NS(DAD) messages are sent, the probing stops. The probing MAY be stopped via manual intervention. When probing is stopped, the interface moves the Target Address to the assigned state.

4.2. Processing Rules for Receivers

If the node has been configured to use the Enhanced DAD algorithm and an interface on the node receives any NS(DAD) message where the Target Address matches the interface address (in tentative or optimistic state), the receiver compares the nonce included in the message, with any stored nonce on the receiving interface. If a match is found, the node SHOULD log a system management message, SHOULD update any statistics counter, and MUST drop the received message. If the received NS(DAD) message includes a nonce and no match is found with any stored nonce, the node SHOULD log a system management message for a DAD-failed state and SHOULD update any statistics counter.
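The sender rules of Section 4.1 and the receiver rules of Section 4.2 form one state machine; the following Python simulation, added here as an example written for this page (not an implementation from the RFC or from any vendor), runs one interface through it over a constructed link. It assumes the RFC 4861 defaults DupAddrDetectTransmits = 1 and MAX_MULTICAST_SOLICIT = 3, encodes the nonce in the SEND Nonce option format of [RFC3971] (option type 14 with a 6-octet nonce, so the option is exactly one 8-octet unit long), and replaces the RetransTimer with an explicit `retrans_timer_expired` call so the state machine can be driven without real time. The `EnhancedDadInterface` class, the `simulate` driver, the interface name and the log messages are all assumptions of this example; a received NS(DAD) whose nonce is absent or unknown is treated as the genuine duplicate of [RFC4862], which is what the receiver rules above require.

```python
import logging
import os
from dataclasses import dataclass, field

log = logging.getLogger("enhanced-dad")

# RFC 4861 protocol constants, assumed at their default values for this simulation.
DUP_ADDR_DETECT_TRANSMITS = 1
MAX_MULTICAST_SOLICIT = 3
# SEND Nonce option (RFC 3971): type 14, length in 8-octet units, then the nonce.
NONCE_OPTION_TYPE = 14
NONCE_LEN = 6  # two header octets plus a 6-octet nonce fill one 8-octet unit (length = 1)


def build_nonce_option(nonce):
    """Encode a 6-octet nonce as an ND Nonce option (type, length=1, nonce)."""
    return bytes([NONCE_OPTION_TYPE, 1]) + nonce[:NONCE_LEN]


def find_nonce(options):
    """Walk the ND option TLVs; return the nonce bytes, or None if no Nonce option."""
    i = 0
    while i + 2 <= len(options):
        opt_type, opt_len = options[i], options[i + 1]
        if opt_len == 0:  # RFC 4861 forbids zero-length options; stop parsing
            return None
        if opt_type == NONCE_OPTION_TYPE:
            return options[i + 2:i + 2 + NONCE_LEN]
        i += opt_len * 8
    return None


@dataclass
class NeighborSolicitation:
    target: str     # Target Address; the source of an NS(DAD) is always unspecified (::)
    options: bytes  # raw ND options carried by the message


@dataclass
class AddressState:
    status: str = "tentative"                 # tentative -> assigned | dad-failed
    nonces: set = field(default_factory=set)  # every nonce this interface has sent
    looped_this_round: bool = False
    looped_total: int = 0


class EnhancedDadInterface:
    def __init__(self, name):
        self.name = name
        self.addrs = {}

    # Sender rules (Section 4.1)
    def start_dad(self, addr):
        self.addrs[addr] = AddressState()
        return [self._probe(addr) for _ in range(DUP_ADDR_DETECT_TRANSMITS)]

    def _probe(self, addr):
        nonce = os.urandom(NONCE_LEN)  # fresh single-use nonce for every probe
        self.addrs[addr].nonces.add(nonce)
        return NeighborSolicitation(addr, build_nonce_option(nonce))

    def retrans_timer_expired(self, addr):
        """RetransTimer elapsed after the last probe of a round; returns the next probes."""
        st = self.addrs[addr]
        if st.status != "tentative":
            return []
        if not st.looped_this_round:
            st.status = "assigned"  # no failure indication and no loop: address is usable
            return []
        st.looped_this_round = False  # a loop was seen: send MAX_MULTICAST_SOLICIT more probes
        return [self._probe(addr) for _ in range(MAX_MULTICAST_SOLICIT)]

    # Receiver rules (Section 4.2)
    def receive(self, ns):
        st = self.addrs.get(ns.target)
        if st is None or st.status != "tentative":
            return "ignored"  # not a target under DAD on this interface
        nonce = find_nonce(ns.options)
        if nonce is not None and nonce in st.nonces:
            st.looped_this_round = True
            st.looped_total += 1
            log.warning("%s: looped back NS(DAD) for %s dropped", self.name, ns.target)
            return "looped-back"
        # Nonce absent, or different from anything we sent: a genuine duplicate.
        st.status = "dad-failed"
        log.error("%s: DAD failed for %s, duplicate on link", self.name, ns.target)
        return "duplicate"


def simulate(addr, loop_rounds, duplicate_peer=False):
    """Constructed scenario: the circuit reflects every probe for loop_rounds probe rounds;
    with duplicate_peer another node probes the same target using its own nonce.
    Returns (final status, looped-back probes seen, probe rounds run)."""
    iface = EnhancedDadInterface("Gi0/0")
    pending, rounds = iface.start_dad(addr), 0
    while pending:
        if rounds < loop_rounds:
            for ns in pending:
                iface.receive(ns)  # our own probe comes back from the looped circuit
        if duplicate_peer:
            iface.receive(NeighborSolicitation(addr, build_nonce_option(os.urandom(NONCE_LEN))))
        rounds += 1
        pending = iface.retrans_timer_expired(addr)
    st = iface.addrs[addr]
    return st.status, st.looped_total, rounds
```

Running `simulate("fe80::1", 2)` shows the self-healing behaviour the problem statement asks for: the first probe is reflected, the interface sends three more probes per round while the loop persists, and once the loop is gone the address moves to assigned without manual intervention. With `duplicate_peer=True` the foreign nonce does not match any stored nonce and the address enters the DAD-failed state instead, which is the case Section 5 handles.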

4.3. Changes to RFC 4861

The following text is appended to the Source Address definition in Section 4.3 of [RFC4861]:

If a node has been configured to use the Enhanced DAD algorithm, an NS with an unspecified source address adds the Nonce option to the message and implements the state machine of the Enhanced DAD algorithm.

The following text is appended to the RetransTimer variable description in Section 6.3.2 of [RFC4861]:

The RetransTimer MAY be overridden by a link-specific document if a node supports the Enhanced DAD algorithm.

5. Action to Perform on Detecting a Genuine Duplicate

As described in the paragraphs above, the nonce can also serve to detect genuine duplicates even when the network has potential for looping back ND messages. When a genuine duplicate is detected, the node follows the manual intervention specified in Section 5.4.5 of [RFC4862]. However, in certain cases, if the genuine duplicate matches the tentative or optimistic IPv6 address of a network interface of the access concentrator, additional automated action is recommended.


Some networks follow a trust model where a trusted router serves untrusted IPv6 host nodes. Operators of such networks have a desire to take automated action if a network interface of the trusted router has a tentative or optimistic address duplicated by a host. One example of a type of access network is cable broadband deployment where the access concentrator is the first-hop IPv6 router to multiple broadband modems and supports proxying of DAD messages. The network interface on the access concentrator initiates DAD for an IPv6 address and detects a genuine duplicate due to receiving an NS(DAD) or an NA message. On detecting such a duplicate, the access concentrator SHOULD log a system management message, drop the received ND message, and block the modem on whose Layer 2 service identifier the duplicate NS(DAD) or NA message was received. Any other network that follows the same trust model MAY use the automated action proposed in this section.

6. Security Considerations

This document does not improve or reduce the security posture of [RFC4862]. The nonce can be exploited by a rogue deliberately changing the nonce to fail the looped back detection specified by the Enhanced DAD algorithm. SEND is recommended to circumvent this exploit. Additionally, the nonce does not protect against the DoS caused by a rogue node replying by a fake NA to all DAD probes. SEND is recommended to circumvent this exploit also. Disabling DAD has an obvious security issue before a remote node on the link can issue reflected NS(DAD) messages. Again, SEND is recommended for this exploit. Source Address Validation Improvement (SAVI) [RFC6620] also protects against various attacks by on-link rogues.

7. Normative References

[RFC1661] Simpson, W., Ed., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994, <http://www.rfc-editor.org/info/rfc1661>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998, <http://www.rfc-editor.org/info/rfc2328>.

[RFC3971] Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005, <http://www.rfc-editor.org/info/rfc3971>.

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005, <http://www.rfc-editor.org/info/rfc4086>.

[RFC4429] Moore, N., "Optimistic Duplicate Address Detection (DAD) for IPv6", RFC 4429, April 2006, <http://www.rfc-editor.org/info/rfc4429>.

[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007, <http://www.rfc-editor.org/info/rfc4861>.

[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007, <http://www.rfc-editor.org/info/rfc4862>.

[RFC6620] Nordmark, E., Bagnulo, M., and E. Levy-Abegnoli, "FCFS SAVI: First-Come, First-Served Source Address Validation Improvement for Locally Assigned IPv6 Addresses", RFC 6620, May 2012, <http://www.rfc-editor.org/info/rfc6620>.

Acknowledgements

Thanks (in alphabetical order by first name) to Adrian Farrel, Benoit Claise, Bernie Volz, Brian Haberman, Dmitry Anipko, Eric Levy-Abegnoli, Eric Vyncke, Erik Nordmark, Fred Templin, Hilarie Orman, Jouni Korhonen, Michael Sinatra, Ole Troan, Pascal Thubert, Ray Hunter, Suresh Krishnan, Tassos Chatzithomaoglou, and Tim Chown for their guidance and review of the document. Thanks to Thomas Narten for encouraging this work. Thanks to Steinar Haug and Scott Beuker for describing some of the use cases.

Authors' Addresses

Rajiv Asati Cisco Systems, Inc. 7025 Kit Creek road Research Triangle Park, NC 27709-4987 United States

   EMail: rajiva@cisco.com
   URI:   http://www.cisco.com/
        

Hemant Singh Cisco Systems, Inc. 1414 Massachusetts Ave. Boxborough, MA 01719 United States

   Phone: +1 978 936 1622
   EMail: shemant@cisco.com
   URI:   http://www.cisco.com/
        

Wes Beebee Cisco Systems, Inc. 1414 Massachusetts Ave. Boxborough, MA 01719 United States

   Phone: +1 978 936 2030
   EMail: wbeebee@cisco.com
   URI:   http://www.cisco.com/
        

Carlos Pignataro Cisco Systems, Inc. 7200-12 Kit Creek Road Research Triangle Park, NC 27709 United States

   EMail: cpignata@cisco.com
   URI:   http://www.cisco.com/
        

Eli Dart Lawrence Berkeley National Laboratory 1 Cyclotron Road, Berkeley, CA 94720 United States

   EMail: dart@es.net
   URI:   http://www.es.net/
        

Wesley George Time Warner Cable 13820 Sunrise Valley Drive Herndon, VA 20171 United States

   EMail: wesley.george@twcable.com
        