1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
|
<pre>Network Working Group J. Jeong, Ed.
Request for Comments: 5006 ETRI/University of Minnesota
Category: Experimental S. Park
SAMSUNG Electronics
L. Beloeil
France Telecom R&D
S. Madanapalli
Ordyn Technologies
September 2007
<span class="h1">IPv6 Router Advertisement Option for DNS Configuration</span>
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Abstract
This document specifies a new IPv6 Router Advertisement option to
allow IPv6 routers to advertise DNS recursive server addresses to
IPv6 hosts.
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-1.1">1.1</a>. Applicability Statements . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-1.2">1.2</a>. Coexistence of RDNSS Option and DHCP Option . . . . . . . <a href="#page-2">2</a>
<a href="#section-2">2</a>. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-3">3</a>. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-4">4</a>. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-5">5</a>. Neighbor Discovery Extension . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-5.1">5.1</a>. Recursive DNS Server Option . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-5.2">5.2</a>. Procedure of DNS Configuration . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-5.2.1">5.2.1</a>. Procedure in IPv6 Host . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-6">6</a>. Implementation Considerations . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-6.1">6.1</a>. DNS Server List Management . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
6.2. Synchronization between DNS Server List and Resolver
Repository . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-7">7</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-8">8</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-9">9</a>. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-10">10</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-10.1">10.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-10.2">10.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<span class="grey">Jeong, et al. Experimental [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address
Autoconfiguration provide ways to configure either fixed or mobile
nodes with one or more IPv6 addresses, default routers and some other
parameters [<a href="#ref-2" title=""Neighbor Discovery for IP version 6 (IPv6)"">2</a>][3]. To support the access to additional services in
the Internet that are identified by a DNS name, such as a web server,
the configuration of at least one recursive DNS server is also needed
for DNS name resolution.
It is infeasible for nomadic hosts, such as laptops, to be configured
manually with a DNS resolver each time they connect to a different
wireless LAN (WLAN) such as IEEE 802.11 a/b/g [<a href="#ref-12" title=""Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications"">12</a>]-[<a href="#ref-15" title=""Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Further Higher Data Rate Extension in the 2.4 GHz Band"">15</a>]. Normally,
DHCP [<a href="#ref-6" title=""Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"">6</a>]-[<a href="#ref-8" title=""DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"">8</a>] is used to locate such resolvers. This document
provides an alternate, experimental mechanism which uses a new IPv6
Router Advertisement (RA) option to allow IPv6 routers to advertise
DNS recursive server addresses to IPv6 hosts.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Applicability Statements</span>
The only standards-track DNS configuration mechanism in the IETF is
DHCP, and its support in hosts and routers is necessary for reasons
of interoperability.
RA-based DNS configuration is a useful, optional alternative in
networks where an IPv6 host's address is autoconfigured through IPv6
stateless address autoconfiguration, and where the delays in
acquiring server addresses and communicating with the servers are
critical. RA-based DNS configuration allows the host to acquire the
nearest server addresses on every link. Furthermore, it learns these
addresses from the same RA message that provides configuration
information for the link, thereby avoiding an additional protocol
run. This can be beneficial in some mobile environments, such as
with Mobile IPv6 [<a href="#ref-10" title=""Mobility Support in IPv6"">10</a>].
The advantages and disadvantages of the RA-based approach are
discussed in [<a href="#ref-9" title=""IPv6 Host Configuration of DNS Server Information Approaches"">9</a>] along with other approaches, such as the DHCP and
well-known anycast addresses approaches.
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Coexistence of RDNSS Option and DHCP Option</span>
The RDNSS (Recursive DNS Server) option and DHCP option can be used
together [<a href="#ref-9" title=""IPv6 Host Configuration of DNS Server Information Approaches"">9</a>]. To order the RA and DHCP approaches, the O (Other
stateful configuration) flag can be used in the RA message [<a href="#ref-2" title=""Neighbor Discovery for IP version 6 (IPv6)"">2</a>]. If
no RDNSS option is included in the RA messages, an IPv6 host may
perform DNS configuration through DHCPv6 [<a href="#ref-6" title=""Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"">6</a>]-[<a href="#ref-8" title=""DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"">8</a>] regardless of
whether the O flag is set or not.
<span class="grey">Jeong, et al. Experimental [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Definitions</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="#ref-1" title=""Key words for use in RFCs to Indicate Requirement Levels"">1</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Terminology</span>
This document uses the terminology described in [<a href="#ref-2" title=""Neighbor Discovery for IP version 6 (IPv6)"">2</a>] and [<a href="#ref-3" title=""IPv6 Stateless Address Autoconfiguration"">3</a>]. In
addition, four new terms are defined below:
o Recursive DNS Server (RDNSS): Server which provides a recursive
DNS resolution service for translating domain names into IP
addresses as defined in [<a href="#ref-4" title=""Domain Names - Concepts and Facilities"">4</a>] and [<a href="#ref-5" title=""Domain Names - Implementation and Specification"">5</a>].
o RDNSS Option: IPv6 RA option to deliver the RDNSS information to
IPv6 hosts [<a href="#ref-2" title=""Neighbor Discovery for IP version 6 (IPv6)"">2</a>].
o DNS Server List: A data structure for managing DNS Server
Information in the IPv6 protocol stack in addition to the Neighbor
Cache and Destination Cache for Neighbor Discovery [<a href="#ref-2" title=""Neighbor Discovery for IP version 6 (IPv6)"">2</a>].
o Resolver Repository: Configuration repository with RDNSS addresses
that a DNS resolver on the host uses for DNS name resolution; for
example, the Unix resolver file (i.e., /etc/resolv.conf) and
Windows registry.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Overview</span>
This document defines a new ND option called RDNSS option that
contains the addresses of recursive DNS servers. Existing ND
transport mechanisms (i.e., advertisements and solicitations) are
used. This works in the same way that hosts learn about routers and
prefixes. An IPv6 host can configure the IPv6 addresses of one or
more RDNSSes via RA messages periodically sent by a router or
solicited by a Router Solicitation (RS).
Through the RDNSS option, along with the prefix information option
based on the ND protocol ([<a href="#ref-2" title=""Neighbor Discovery for IP version 6 (IPv6)"">2</a>] and [<a href="#ref-3" title=""IPv6 Stateless Address Autoconfiguration"">3</a>]), an IPv6 host can perform
network configuration of its IPv6 address and RDNSS simultaneously
without needing a separate message exchange for the RDNSS
information. The RA option for RDNSS can be used on any network that
supports the use of ND.
This approach requires RDNSS information to be configured in the
routers sending the advertisements. The configuration of RDNSS
addresses in the routers can be done by manual configuration. The
automatic configuration or redistribution of RDNSS information is
<span class="grey">Jeong, et al. Experimental [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
possible by running a DHCPv6 client on the router [<a href="#ref-6" title=""Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"">6</a>]-[<a href="#ref-8" title=""DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"">8</a>]. The
automatic configuration of RDNSS addresses in routers is out of scope
for this document.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Neighbor Discovery Extension</span>
The IPv6 DNS configuration mechanism in this document needs a new ND
option in Neighbor Discovery: the Recursive DNS Server (RDNSS)
option.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Recursive DNS Server Option</span>
The RDNSS option contains one or more IPv6 addresses of recursive DNS
servers. All of the addresses share the same lifetime value. If it
is desirable to have different lifetime values, multiple RDNSS
options can be used. Figure 1 shows the format of the RDNSS option.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
: Addresses of IPv6 Recursive DNS Servers :
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Recursive DNS Server (RDNSS) Option Format
Fields:
Type 8-bit identifier of the RDNSS option type as assigned
by the IANA: 25
Length 8-bit unsigned integer. The length of the option
(including the Type and Length fields) is in units of
8 octets. The minimum value is 3 if one IPv6 address
is contained in the option. Every additional RDNSS
address increases the length by 2. The Length field
is used by the receiver to determine the number of
IPv6 addresses in the option.
<span class="grey">Jeong, et al. Experimental [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
Lifetime 32-bit unsigned integer. The maximum time, in
seconds (relative to the time the packet is sent),
over which this RDNSS address MAY be used for name
resolution. Hosts MAY send a Router Solicitation to
ensure the RDNSS information is fresh before the
interval expires. In order to provide fixed hosts
with stable DNS service and allow mobile hosts to
prefer local RDNSSes to remote RDNSSes, the value of
Lifetime should be at least as long as the Maximum RA
Interval (MaxRtrAdvInterval) in <a href="./rfc4861">RFC 4861</a>, and be at
most as long as two times MaxRtrAdvInterval; Lifetime
SHOULD be bounded as follows: MaxRtrAdvInterval <=
Lifetime <= 2*MaxRtrAdvInterval. A value of all one
bits (0xffffffff) represents infinity. A value of
zero means that the RDNSS address MUST no longer be
used.
Addresses of IPv6 Recursive DNS Servers
One or more 128-bit IPv6 addresses of the recursive
DNS servers. The number of addresses is determined
by the Length field. That is, the number of
addresses is equal to (Length - 1) / 2.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Procedure of DNS Configuration</span>
The procedure of DNS configuration through the RDNSS option is the
same as with any other ND option [<a href="#ref-2" title=""Neighbor Discovery for IP version 6 (IPv6)"">2</a>].
<span class="h4"><a class="selflink" id="section-5.2.1" href="#section-5.2.1">5.2.1</a>. Procedure in IPv6 Host</span>
When an IPv6 host receives an RDNSS option through RA, it checks
whether the option is valid.
o If the RDNSS option is valid, the host SHOULD copy the option's
value into the DNS Server List and the Resolver Repository as long
as the value of the Length field is greater than or equal to the
minimum value (3). The host MAY ignore additional RDNSS addresses
within an RDNSS option and/or additional RDNSS options within an
RA when it has gathered a sufficient number of RDNSS addresses.
o If the RDNSS option is invalid (e.g., the Length field has a value
less than 3), the host SHOULD discard the option.
<span class="grey">Jeong, et al. Experimental [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Implementation Considerations</span>
Note: This non-normative section gives some hints for implementing
the processing of the RDNSS option in an IPv6 host.
For the configuration and management of RDNSS information, the
advertised RDNSS addresses can be stored and managed in both the DNS
Server List and the Resolver Repository.
In environments where the RDNSS information is stored in user space
and ND runs in the kernel, it is necessary to synchronize the DNS
Server List of RDNSS addresses in kernel space and the Resolver
Repository in user space. For the synchronization, an implementation
where ND works in the kernel should provide a write operation for
updating RDNSS information from the kernel to the Resolver
Repository. One simple approach is to have a daemon (or a program
that is called at defined intervals) that keeps monitoring the
lifetime of RDNSS addresses all the time. Whenever there is an
expired entry in the DNS Server List, the daemon can delete the
corresponding entry from the Resolver Repository.
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. DNS Server List Management</span>
The kernel or user-space process (depending on where RAs are
processed) should maintain a data structure called a DNS Server List
which keeps the list of RDNSS addresses. Each entry in the DNS
Server List consists of an RDNSS address and Expiration-time as
follows:
o RDNSS address: IPv6 address of the Recursive DNS Server, which is
available for recursive DNS resolution service in the network
advertising the RDNSS option; such a network is called site in
this document.
o Expiration-time: The time when this entry becomes invalid.
Expiration-time is set to the value of the Lifetime field of the
RDNSS option plus the current system time. Whenever a new RDNSS
option with the same address is received, this field is updated to
have a new expiration time. When Expiration-time becomes less
than the current system time, this entry is regarded as expired.
Note: An RDNSS address MUST be used only as long as both the RA
router lifetime and the RDNSS option lifetime have not expired.
The reason is that the RDNSS may not be currently reachable or may
not provide service to the host's current address (e.g., due to
network ingress filtering [<a href="#ref-16" title=""Preventing Use of Recursive Nameservers in Reflector Attacks"">16</a>][17]).
<span class="grey">Jeong, et al. Experimental [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Synchronization between DNS Server List and Resolver Repository</span>
When an IPv6 host receives the information of multiple RDNSS
addresses within a site through an RA message with RDNSS option(s),
it stores the RDNSS addresses (in order) into both the DNS Server
List and the Resolver Repository. The processing of the RDNSS
option(s) included in an RA message is as follows:
Step (a): Receive and parse the RDNSS option(s). For the RDNSS
addresses in each RDNSS option, perform Step (b) through Step (d).
Note that Step (e) is performed whenever an entry expires in the
DNS Server List.
Step (b): For each RDNSS address, check the following: If the
RDNSS address already exists in the DNS Server List and the RDNSS
option's Lifetime field is set to zero, delete the corresponding
RDNSS entry from both the DNS Server List and the Resolver
Repository in order to prevent the RDNSS address from being used
any more for certain reasons in network management, e.g., the
breakdown of the RDNSS or a renumbering situation. The processing
of this RDNSS address is finished here. Otherwise, go to Step
(c).
Step (c): For each RDNSS address, if it already exists in the DNS
Server List, then just update the value of the Expiration-time
field according to the procedure specified in the second bullet of
<a href="#section-6.1">Section 6.1</a>. Otherwise, go to Step (d).
Step (d): For each RDNSS address, if it does not exist in the DNS
Server List, register the RDNSS address and lifetime with the DNS
Server List and then insert the RDNSS address in front of the
Resolver Repository. In the case where the data structure for the
DNS Server List is full of RDNSS entries, delete from the DNS
Server List the entry with the shortest expiration time (i.e., the
entry that will expire first). The corresponding RDNSS address is
also deleted from the Resolver Repository. In the order in the
RDNSS option, position the newly added RDNSS addresses in front of
the Resolver Repository so that the new RDNSS addresses may be
preferred according to their order in the RDNSS option for the DNS
name resolution. The processing of these RDNSS addresses is
finished here. Note that, in the case where there are several
routers advertising RDNSS option(s) in a subnet, the RDNSSes that
have been announced recently are preferred.
Step (e): Delete each expired entry from the DNS Server List, and
delete the RDNSS address corresponding to the entry from the
Resolver Repository.
<span class="grey">Jeong, et al. Experimental [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Security Considerations</span>
The security of the RA option for RDNSS might be worse than ND
protocol security [<a href="#ref-2" title=""Neighbor Discovery for IP version 6 (IPv6)"">2</a>]. However, any new vulnerability in this RA
option is not known yet. In this context, it can be claimed that the
vulnerability of ND is not worse and is a subset of the attacks that
any node attached to a LAN can do independently of ND. A malicious
node on a LAN can promiscuously receive packets for any router's MAC
address and send packets with the router's MAC address as the source
MAC address in the L2 header. As a result, L2 switches send packets
addressed to the router to the malicious node. Also, this attack can
send redirects that tell the hosts to send their traffic somewhere
else. The malicious node can send unsolicited RA or Neighbor
Advertisement (NA) replies, answer RS or Neighbor Solicitation (NS)
requests, etc. Also, an attacker could configure a host to send out
an RA with a fraudulent RDNSS address, which is presumably an easier
avenue of attack than becoming a rogue router and having to process
all traffic for the subnet. It is necessary to disable the RA RDNSS
option in both routers and clients administratively to avoid this
problem. All of this can be done independently of implementing ND.
Therefore, it can be claimed that the RA option for RDNSS has
vulnerabilities similar to those existing in current mechanisms.
If the Secure Neighbor Discovery (SEND) protocol is used as a
security mechanism for ND, all the ND options including the RDNSS
option are automatically included in the signatures [<a href="#ref-11" title=""SEcure Neighbor Discovery (SEND)"">11</a>], so the
RDNSS transport is integrity-protected. However, since any valid
SEND node can still insert RDNSS options, SEND cannot verify who is
or is not authorized to send the options.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. IANA Considerations</span>
The IANA has assigned a new IPv6 Neighbor Discovery Option type for
the RDNSS option defined in this document.
Option Name Type
RDNSS option 25
The IANA registry for these options is:
<a href="http://www.iana.org/assignments/icmpv6-parameters">http://www.iana.org/assignments/icmpv6-parameters</a>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Acknowledgements</span>
This document has greatly benefited from inputs by Robert Hinden,
Pekka Savola, Iljitsch van Beijnum, Brian Haberman and Tim Chown.
The authors appreciate their contributions.
<span class="grey">Jeong, et al. Experimental [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. References</span>
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Normative References</span>
[<a id="ref-1">1</a>] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-2">2</a>] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", <a href="./rfc4861">RFC 4861</a>,
September 2007.
[<a id="ref-3">3</a>] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address
Autoconfiguration", <a href="./rfc4862">RFC 4862</a>, September 2007.
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. Informative References</span>
[<a id="ref-4">4</a>] Mockapetris, P., "Domain Names - Concepts and Facilities",
<a href="./rfc1034">RFC 1034</a>, November 1987.
[<a id="ref-5">5</a>] Mockapetris, P., "Domain Names - Implementation and
Specification", <a href="./rfc1035">RFC 1035</a>, November 1987.
[<a id="ref-6">6</a>] Droms, R., Ed., "Dynamic Host Configuration Protocol for IPv6
(DHCPv6)", <a href="./rfc3315">RFC 3315</a>, July 2003.
[<a id="ref-7">7</a>] Droms, R., "Stateless Dynamic Host Configuration Protocol
(DHCP) Service for IPv6", <a href="./rfc3736">RFC 3736</a>, April 2004.
[<a id="ref-8">8</a>] Droms, R., Ed., "DNS Configuration options for Dynamic Host
Configuration Protocol for IPv6 (DHCPv6)", <a href="./rfc3646">RFC 3646</a>,
December 2003.
[<a id="ref-9">9</a>] Jeong, J., Ed., "IPv6 Host Configuration of DNS Server
Information Approaches", <a href="./rfc4339">RFC 4339</a>, February 2006.
[<a id="ref-10">10</a>] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
IPv6", <a href="./rfc3775">RFC 3775</a>, June 2004.
[<a id="ref-11">11</a>] Arkko, J., Ed., "SEcure Neighbor Discovery (SEND)", <a href="./rfc3971">RFC 3971</a>,
March 2005.
[<a id="ref-12">12</a>] ANSI/IEEE Std 802.11, "Part 11: Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) Specifications",
March 1999.
[<a id="ref-13">13</a>] IEEE Std 802.11a, "Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) specifications: High-speed
Physical Layer in the 5 GHZ Band", September 1999.
<span class="grey">Jeong, et al. Experimental [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
[<a id="ref-14">14</a>] IEEE Std 802.11b, "Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) specifications: Higher-Speed
Physical Layer Extension in the 2.4 GHz Band", September 1999.
[<a id="ref-15">15</a>] IEEE P802.11g/D8.2, "Part 11: Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) specifications: Further
Higher Data Rate Extension in the 2.4 GHz Band", April 2003.
[<a id="ref-16">16</a>] Damas, J. and F. Neves, "Preventing Use of Recursive
Nameservers in Reflector Attacks", Work in Progress, July 2007.
[<a id="ref-17">17</a>] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", <a href="https://www.rfc-editor.org/bcp/bcp38">BCP 38</a>, <a href="./rfc2827">RFC 2827</a>, May 2000.
<span class="grey">Jeong, et al. Experimental [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
Authors' Addresses
Jaehoon Paul Jeong (editor)
ETRI/Department of Computer Science and Engineering
University of Minnesota
117 Pleasant Street SE
Minneapolis, MN 55455
USA
Phone: +1 651 587 7774
Fax: +1 612 625 0572
EMail: jjeong@cs.umn.edu
URI: <a href="http://www.cs.umn.edu/~jjeong/">http://www.cs.umn.edu/~jjeong/</a>
Soohong Daniel Park
Mobile Convergence Laboratory
SAMSUNG Electronics
416 Maetan-3dong, Yeongtong-Gu
Suwon, Gyeonggi-Do 443-742
Korea
Phone: +82 31 200 4508
EMail: soohong.park@samsung.com
Luc Beloeil
France Telecom R&D
42, rue des coutures
BP 6243
14066 CAEN Cedex 4
France
Phone: +33 02 3175 9391
EMail: luc.beloeil@orange-ftgroup.com
Syam Madanapalli
Ordyn Technologies
1st Floor, Creator Building, ITPL
Bangalore - 560066
India
Phone: +91-80-40383000
EMail: smadanapalli@gmail.com
<span class="grey">Jeong, et al. Experimental [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc5006">RFC 5006</a> IPv6 RA Option for DNS Configuration September 2007</span>
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Jeong, et al. Experimental [Page 12]
</pre>
|
