<?xml version='1.0'encoding='utf-8'?>encoding='UTF-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3.2.3) --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-v6ops-nd-considerations-14" number="9898" updates="" obsoletes="" consensus="true" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true"version="3"> <!-- xml2rfc v2v3 conversion 3.28.1 -->version="3" xml:lang="en"> <front> <titleabbrev="nd-considerations">Neighborabbrev="ND Considerations">Neighbor Discovery Considerations in IPv6 Deployments</title> <seriesInfoname="Internet-Draft" value="draft-ietf-v6ops-nd-considerations-14"/>name="RFC" value="9898"/> <author fullname="XiPeng Xiao"> <organization>Huawei Technologies</organization> <address> <email>xipengxiao@huawei.com</email> </address> </author> <author fullname="Eduard Vasilenko"> <organization>Huawei Technologies</organization> <address> <email>vasilenko.eduard@huawei.com</email> </address> </author> <author fullname="Eduard Metz"> <organization>KPN N.V.</organization> <address> <email>eduard.metz@kpn.com</email> </address> </author> <author fullname="Gyan Mishra"> <organization>Verizon Inc.</organization> <address> <email>gyan.s.mishra@verizon.com</email> </address> </author> <author fullname="Nick Buraglio"> <organization>Energy Sciences Network</organization> <address> <email>buraglio@es.net</email> </address> </author> <date year="2025"month="June" day="06"/> <area>Operations and Management</area> <workgroup>IPv6 Operations (v6ops) Working Group</workgroup> <keyword>Internet-Draft</keyword>month="November"/> <area>OPS</area> <workgroup>v6ops</workgroup> <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. --> <keyword>example</keyword> <!--[rfced] Authors' Addresses: Regarding the postal addresses for XiPeng and Eduard, the markdown file you provided does not match the approved Internet-Draft in that the postal addresses were removed. Would you like your postal address information to be included in the RFC? If so, we will restore it. --> <!-- [rfced] Regarding section titles: a) May we update these section titles as follows? This would make them consistent in the table of contents (all terms would appear with their abbreviations) and more closely align with the items in the "ND solution" column in Table 1. (Part b is about the sections not included in this list.) Original: 3. Review of DN Mitigation Solutions..............................9 3.1. ND Solution in Mobile Broadband IPv6.....................10 3.2. ND Solution in Fixed Broadband IPv6......................11 3.3. Unique IPv6 Prefix per Host (UPPH).......................12 3.5. Scalable Address Resolution Protocol.....................14 3.9. Gratuitous Neighbor Discovery (GRAND)....................15 Perhaps: 3. Review of ND Mitigation Solutions 3.1. Mobile Broadband IPv6 (MBBv6) 3.2. Fixed Broadband IPv6 (FBBv6) 3.3. Unique IPv6 Prefix per Host (UPPH) 3.5. Scalable Address Resolution Protocol (SARP) 3.9. Gratuitous Neighbor Discovery (GRAND) b) We note the following inconsistencies between the section titles below and their respective entries in Table 1. May we make the following updates for consistency? i) We were unable to find "Subnet ND" explicitly mentioned in this section. May we update as follows to match "WiND" in Table 1? Original: 3.4. Wireless ND and Subnet ND Perhaps: 3.4. Wireless ND (WiND) ii) The item for this section appears as "ND TRILL" in Table 1. May we drop "ARP" from this section title and update as follows? Original: 3.6. ARP and ND Optimization for TRILL Perhaps: 3.6. ND Optimization for TRILL iii) May we update as follows to match Table 1? Original: 3.7. Proxy ARP/ND in Ethernet Virtual Private Networks (EVPN) Perhaps: 3.7. ND in Ethernet Virtual Private Networks (ND EVPN) iv) Section 3.10: The item for this section appears as "SAVI/RA G/G+" in Table 1. In addition, we were unable to find "G+" defined in this section. May we update both this section title and its respective entry in Table 1 as follows? Original (section title): 3.10. Source Address Validation Improvement (SAVI) and Router Advertisement Guard Original (table entry): SAVI/ RA G/G+ Perhaps (new section title): 3.10. Source Address Validation Improvement (SAVI) and Router Advertisement Guard (RA-Guard) Perhaps (new table entry): SAVI/ RA-G --> <abstract><?line 57?><t>The Neighbor Discovery (ND) protocol is a critical component of the IPv6 architecture. The protocol uses multicast in many messages. It also assumes a security model where all nodes on a link are trusted. Such a design might be inefficient in some scenarios (e.g., use of multicast in wireless networks) or when nodes are not trustworthy (e.g., public access networks). These security and operational issues and the associated mitigation solutions are documented in more than20twenty RFCs. There is a need to track these issues and solutions in a single document.</t> <t>To that aim, this document summarizes the published ND issues and then describes how all these issues originate from three causes. Addressing the issues is made simpler by addressing the causes. This document also analyzes the mitigation solutions and demonstrates that isolating hosts into different subnets and links can help to address the three causes. Guidance is provided for selecting a suitable isolation method to prevent potential ND issues.</t> </abstract> </front> <middle><?line 77?><section anchor="introduction"> <name>Introduction</name> <t>Neighbor Discovery (ND) <xref target="RFC4861"/> specifies the mechanisms that IPv6 nodes (hosts and routers) on the same link use to communicate and learn about each other. Stateless Address Autoconfiguration (SLAAC) <xref target="RFC4862"/> builds on those ND mechanisms to let nodes configure their own IPv6 addresses. When analyzing the issues nodes may encounter with ND, it helps to view the ND messages they exchange throughout theirlife-cycle,life cycle, taking SLAAC into consideration.</t> <t>For a host, the overall procedure is as follows:</t><artwork><![CDATA[ 1. LLA<ol spacing="normal" type="1"> <li>LLA DAD: The host forms a Link-Local Address (LLA) and performs Duplicate Address Detection (DAD) using multicast Neighbor Solicitations(NSs). 2. Router Discovery:(NSs).</li> <li>Router discovery: The host sends multicast Router Solicitations (RSs) to discover a router on the link. The router responds with Router Advertisements (RAs), providing subnet prefixes and other information. The host installs a Neighbor Cache Entry (NCE) for that router upon receiving the RAs. In contrast, the router cannot install an NCE for the host at this moment of the exchange because the host's global IP address is still unknown. When the router later needs to forward a packet to the host's global address, it will perform address resolution and install an NCE for thehost. 3. GUAhost.</li> <li>GUA DAD: The host forms a Global Unicast Address (GUA){{RFC3587}}<xref target="RFC3587"/> or a Unique Local Address (ULA){{RFC4193}}<xref target="RFC4193"/> and uses multicast NSs for DAD. For simplicity of description, this document will not further distinguish GUA andULA. 4. Next-hopULA.</li> <li>Next-hop determination and address resolution: When the host needs to send a packet, it will first determine whether thenext-hopnext hop is a router or an on-link host (which is the destination). If thenext-hopnext hop is a router, the host already has the NCE for that router. If thenext-hopnext hop is an on-link host, it will use multicast NSs to perform address resolution for the destination host. As a result, the source host installs an NCE for the destinationhost. 5. Nodehost.</li> <li>Node Unreachability Detection (NUD): The host uses unicast NSs to determine whether another node with an NCE is stillreachable. 6. Link-layerreachable.</li> <li>Link-layer address change announcement: If a host's link-layer address changes, it may use multicast Node Advertisements (NAs) to announce its new link-layer address to othernodes. ]]></artwork>nodes.</li> </ol> <t>For a router, the procedure is similar except that there is noRouter Discovery.router discovery. Instead, routers perform a Redirect procedure that hosts do not have. A router sends a Redirect to inform a node of a betternext-hopnext hop for the node's traffic.</t> <!-- [rfced] Introduction: To make this list parallel in structure, may we adjust the punctuation as follows? Original: ND uses multicast in many messages, trusts messages from all nodes, and routers may install NCEs for hosts on demand when they are to forward packets to these hosts. Perhaps: ND uses multicast in many messages and trusts messages from all nodes; in addition, routers may install NCEs for hosts on demand when they are to forward packets to these hosts. --> <t>ND uses multicast in many messages, trusts messages from all nodes, and routers may install NCEs for hosts on demand when they are to forward packets to these hosts. These may lead to issues. Concretely, various ND issues and mitigation solutions have been published in more than 20 RFCs, including:</t><artwork><![CDATA[ *<!-- [rfced] Introduction: a) The items in the list below appear to be a mixture of both RFC titles and "ND issues and mitigation solutions". In addition, some of these terms (e.g., Wireless ND (WiND)) do not explicitly appear in the RFCs that follow. May we update these items to their full RFC titles for consistency and clarity? For the list items that contain multiple RFCs, we would separate each RFC or reference into a separate bullet point. Original: Concretely, various ND issues and mitigation solutions have been published in more than 20 RFCs, including: . ND Trust Models and Threats{{RFC3756}}, *[RFC3756], . Secure ND{{RFC3971}}, *[RFC3971], . Cryptographically Generated Addresses{{RFC3972}}, *[RFC3972], . ND Proxy{{RFC4389}}, *[RFC4389], . Optimistic ND{{RFC4429}}, *[RFC4429], . ND for mobile broadband{{RFC6459}}{{RFC7066}},[RFC6459][RFC7066], [etc.] Perhaps: Concretely, various ND issues and mitigation solutions have been published in more than 20 RFCs, including: * "IPv6 Neighbor Discovery (ND) Trust Models and Threats" [RFC3756] * "SEcure Neighbor Discovery (SEND)" [RFC3971] * "Cryptographically Generated Addresses (CGA)" [RFC3972] * "Neighbor Discovery Proxies (ND Proxy)" [RFC4389] * "Optimistic Duplicate Address Detection (DAD) for IPv6" [RFC4429] * "IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS)" [RFC6459] * "IPv6 for Third Generation Partnership Project (3GPP) Cellular Hosts" [RFC7066] [etc.] b) We note that the title of RFC 4429 is "Optimistic Duplicate Address Detection (DAD) for IPv6" (rather than "Optimistic ND"); may this be updated to the full title of RFC 4429? Original: . Optimistic ND [RFC4429], Perhaps: * "Optimistic Duplicate Address Detection (DAD) for IPv6" [RFC4429] --> <ul spacing="normal"> <li>ND Trust Models and Threats <xref target="RFC3756"/></li> <li>Secure ND <xref target="RFC3971"/></li> <li>Cryptographically Generated Addresses <xref target="RFC3972"/></li> <li>ND Proxy <xref target="RFC4389"/></li> <li>Optimistic ND <xref target="RFC4429"/></li> <li>ND for mobile broadband <xref target="RFC6459"/> <xref target="RFC7066"/></li> <li>ND for fixed broadband{{TR177}}, * ND<xref target="TR177"/></li> <li>ND Mediation{{RFC6575}}, * Operational<xref target="RFC6575"/></li> <li>Operational ND Problems{{RFC6583}}, * Wireless<xref target="RFC6583"/></li> <li>Wireless ND (WiND){{RFC6775}}{{RFC8505}}{{RFC8928}}{{RFC8929}}{{I-D.ietf-6man-ipv6-over-wireless}}, * DAD<xref target="RFC6775"/> <xref target="RFC8505"/> <xref target="RFC8928"/> <xref target="RFC8929"/> <xref target="I-D.ietf-6man-ipv6-over-wireless"/></li> <li>DAD Proxy{{RFC6957}}, * Source<xref target="RFC6957"/></li> <li>Source Address Validation Improvement{{RFC7039}}, * Router<xref target="RFC7039"/></li> <li>Router Advertisement Guard{{RFC6105}}{{RFC7113}}, * Enhanced<xref target="RFC6105"/> <xref target="RFC7113"/></li> <li>Enhanced Duplicate Address Detection{{RFC7527}}, * Scalable<xref target="RFC7527"/></li> <li>Scalable ARP{{RFC7586}}, * Reducing<xref target="RFC7586"/></li> <li>Reducing Router Advertisements{{RFC7772}}, * Unique<xref target="RFC7772"/></li> <li>Unique Prefix Per Host{{RFC8273}}, * ND<xref target="RFC8273"/></li> <li>ND Optimization for Transparent Interconnection of Lots of Links (TRILL){{RFC8302}}, * Gratuitous<xref target="RFC8302"/></li> <li>Gratuitous Neighbor Discovery{{RFC9131}}, * Proxy<xref target="RFC9131"/></li> <li>Proxy ARP/ND for EVPN{{RFC9161}}, and * Using<xref target="RFC9161"/></li> <li>Using DHCPv6 Prefix Delegation (DHCPv6-PD) to Allocate Unique IPv6 Prefixes per Client in Large Broadcast Networks{{RFC9663}}. ]]></artwork><xref target="RFC9663"/></li> </ul> <t>This document summarizes these RFCs into a one-stop reference (as of the time of writing) for easier access. This document also identifies three causes of the issues and defines three host isolation methods to address the causes and prevent potential ND issues.</t> <section anchor="terminology"> <name>Terminology</name> <t>This document uses the terms defined in <xref target="RFC4861"/>. Additional terms are defined in this section.</t><dl><dl spacing="normal" newline="false"> <dt>MAC:</dt><dd> <t>To<dd><t>Media Access Control. To avoid confusion with link-local addresses, link-layer addresses are referred to asMAC addresses"MAC addresses" in thisdocument.</t> </dd> </dl> <t>Host Isolation: :separatingdocument.</t></dd> <dt>Host isolation:</dt> <dd>Separating hosts into different subnets orlinks.</t> <t>L3 Isolation: :allocatinglinks.</dd> <dt>L3 Isolation:</dt> <dd>Allocating aunique prefixUnique Prefix perhostHost (UPPH) <xref target="RFC8273"/> <xreftarget="RFC8273"/><xreftarget="RFC9663"/> so that every host is in a different subnet. Given that a unique prefix can be allocated per host on shared media, hosts in different subnets may be on the samelink.</t> <t>L2 Isolation: :takinglink.</dd> <dt>L2 Isolation:</dt> <dd>Taking measures to prevent a host from reaching other hosts directly in Layer 2 (L2) so that every host is in a different link. Due to the existence of Multi-Link Subnet <xref target="RFC4903"/>, hosts in different links may be in the same subnet. Therefore, L2 Isolation does not imply L3 Isolation, and L3 Isolation does not imply L2 Isolationeither.</t> <t>L3+L2 Isolation: :applyingeither.</dd> <dt>L3+L2 Isolation:</dt> <dd>Applying L3 Isolation and L2 Isolation simultaneously so that every host is in a different subnet and on a differentlink.</t> <t>Partiallink.</dd> <dt>Partial L2Isolation: :usingIsolation:</dt> <dd>Using an L3 NDproxyProxy <xref target="RFC4389"/> device to represent the hosts behind it to other hosts in the same subnet. Within the subnet, ND multicast exchange is segmented into multiple smaller scopes, each represented by an NDproxy device.</t>Proxy device.</dd> </dl> </section> </section> <section anchor="review-of-inventoried-nd-issues"> <name>Review of Inventoried ND Issues</name> <section anchor="multicast-may-cause-performance-and-reliability-issues"> <name>Multicast May Cause Performance and Reliability Issues</name> <t>In some cases, ND uses multicast for NSs, NAs, RSs, and RAs. While multicast can be highly efficient in certainscenarios, e.g.,scenarios (e.g., in wirednetworks,networks), multicast can also be inefficient in otherscenarios, e.g.,scenarios (e.g., in large L2 networks or wirelessnetworks.</t>networks).</t> <t>Typically, multicast can create a large amount of protocol traffic in large L2 networks. This can consume network bandwidth, increase processing overhead, and degrade network performance <xref target="RFC7342"/>.</t> <t>In wireless networks, multicast can be inefficient or even unreliable due to a higher probability of transmission interference, lower data rate, and lack of acknowledgements(Section 3.1 of <xref target="RFC9119"/>).</t>(<xref target="RFC9119" section="3.1"/>).</t> <t>Multicast-related performance issues of the various ND messages are summarized below:</t><artwork><![CDATA[<!-- [rfced] Please review the following questions regarding the "Issues" defined in this document. a) May we update the "Issues" to appear in sentence case rather than title case? We would make these changes in Sections 2.1, 2.2, 2.3, and 2.4 and wherever else they appear in this document. For example: Original: . Issue 1: LLA DAD Degrading Performance Perhaps: * Issue 1: LLA DAD degrading performance b) Should the issue names in Section 2.4 match those in Sections 2.1, 2.2, and 2.3? For example, the following issue is slightly different in Sections 2.1 and 2.4: In Section 2.1: . Issue 2: Router's Periodic Unsolicited RAs Draining Hosts' Battery In Section 2.4: o Issue 2: Unsolicited RA Draining Host Battery Life. c) We note that several Issues contain verbs that end in "-ing" (e.g., "degrading" and "draining"). Would updating these verbs to their forms "degrades" and "drains" retain their meaning? This update would clarify the subject and object of these "-ing" verbs. Original: . Issue 1: LLA DAD Degrading Performance . Issue 2: Router's Periodic Unsolicited RAs Draining Hosts' Battery . Issue 3: GUA DAD Degrading Performance - same as in Issue 1. . Issue 4: Router's Address Resolution for Hosts Degrading Performance . Issue 5: Host's Address Resolution for Hosts Degrading Performance Perhaps: * Issue 1: LLA DAD Degrades Performance * Issue 2: Router's Periodic Unsolicited RAs Drain Host's Battery * Issue 3: GUA DAD Degrades Performance * Issue 4: Router's Address Resolution for Hosts Degrades Performance * Issue 5: Host's Address Resolution for Hosts Degrades Performance d) How may we adjust the verbs in the item below for clarity? (Note that we have also adjusted this list item so that it is formatted consistently with the other items.) Original: . (For Further Study) Hosts' MAC Address Change NAs Degrading Performance - with randomized and changing MAC addresses [MADINAS], there may be many such multicast messages. Perhaps: * Issue for further study: Host's MAC Address Changes to NAs Degrades Performance With randomized and changing MAC addresses [MADINAS], there may be many such multicast messages. --> <ul spacing="normal"> <li> <t>Issue 1: LLA DAD Degrading Performance</t> <t>In an L2 network of N addresses (which can be much larger than the number of hosts, as each host can have multiple addresses), there can be N such multicast messages. This may cause performance issues when N islarge. * Issuelarge.</t> </li> <li> <t>Issue 2: Router's Periodic Unsolicited RAs DrainingHosts' Battery - multicastHost's Battery</t> <t>Multicast RAs are generally limited to one packet every MIN_DELAY_BETWEEN_RAS (3 seconds), and there are usually only one or two routers on the link, so it is unlikely to cause a performance issue. However, for battery-powered hosts, such messages may wake them up and drain their batteries{{RFC7772}}. * Issue<xref target="RFC7772"/>.</t> </li> <li> <t>Issue 3: GUA DAD DegradingPerformance -Performance</t> <t>This is the same as in Issue1. * Issue1.</t> </li> <li> <t>Issue 4: Router's Address Resolution for Hosts DegradingPerformance -Performance</t> <t>This is the same as in Issue1. * Issue1.</t> </li> <li> <t>Issue 5: Host's Address Resolution for Hosts DegradingPerformance -Performance</t> <t>This is the same as in Issue1. * (For Further Study) Hosts'1.</t> </li> <li> <t>Issue for further study: Host's MAC Address Change NAs DegradingPerformance - withPerformance</t> <t>With randomized and changing MAC addresses{{I-D.ietf-madinas-use-cases}},<xref target="RFC9797"/>, there may be many such multicastmessages. ]]></artwork>messages.</t> </li> </ul> <t>In wireless networks, multicast is more likely to cause packet loss. Because DAD treats no response as no duplicate address detected, packet loss may cause duplicate addresses to be undetected. Multicast reliability issues are summarized below:</t><artwork><![CDATA[ * Issue<ul spacing="normal"> <li> <t>Issue 6: LLA DAD Not Completely Reliable in WirelessNetworks. * IssueNetworks</t> </li> <li> <t>Issue 7: GUA DAD Not Completely Reliable in WirelessNetworks. ]]></artwork>Networks</t> </li> </ul> <t>Note: IPv6 address collisions are extremely unlikely. As a result, these two issues are largely theoretical rather than practical.</t> </section> <section anchor="trusting-all-hosts-may-cause-on-link-security-issues"><name>Trusting-all-hosts<name>Trusting-All-Hosts May CauseOn-linkOn-Link Security Issues</name> <!--[rfced] Trusting-All-Hosts vs. Trusting-all-nodes These terms are both used within this document. If they have the same meaning, how would you like to make this consistent? For example: Section 2.2: 2.2. Trusting-All-Hosts May Cause On-Link Security Issues Section 2.4: These issues stem from three primary causes: multicast, Trusting-all-nodes, and Router-NCE-on-Demand. --> <t>In scenarios such as public access networks, some nodes may not be trustworthy. An attacker on the link can cause the following on-link security issues <xreftarget="RFC3756"/><xreftarget="RFC3756"/> <xref target="RFC9099"/>:</t><artwork><![CDATA[ * Issue<ul spacing="normal"> <li> <t>Issue 8: Source IP AddressSpoofing - anSpoofing</t> <t>An attacker can use another node's IP address as the source address of its ND message to pretend to be that node. The attacker can then launch various Redirect or Denial-of-Service (DoS)attacks. * Issueattacks.</t> </li> <li> <t>Issue 9: Denial ofDAD - anDAD</t> <t>An attacker can repeatedly reply to a victim's DAD messages, causing the victim's address configuration procedure to fail, resulting in a DoS to thevictim. * Issuevictim.</t> </li> <li> <t>Issue 10: RogueRAs - anRAs</t> <t>An attacker can send RAs to victim hosts to pretend to be a router. The attacker can then launch various Redirect or DoSattacks. * Issueattacks.</t> </li> <li> <t>Issue 11: SpoofedRedirects - anRedirects</t> <t>An attacker can send forged Redirects to victim hosts to redirect their traffic to the legitimate routeritself. * Issueitself.</t> </li> <li> <t>Issue 12: ReplayAttacks - anAttacks</t> <t>An attacker can capture valid ND messages and replay themlater. ]]></artwork>later.</t> </li> </ul> </section> <section anchor="router-nce-on-demand-may-cause-forwarding-delay-nce-exhaustion-and-address-accountability-issues"> <name>Router-NCE-on-Demand May Cause Forwarding Delay, NCE Exhaustion, and Address Accountability Issues</name> <t>When a router needs to forward a packet to a node but does not yet have a Neighbor-Cache Entry (NCE) for that node, it first creates an NCE in the INCOMPLETE state. The router then multicasts an NS to the node's solicited-node multicast address. When the destination replies with an NA containing its MAC address, the router updates the NCE with that address and changes its state to REACHABLE, thereby completing the entry. This process is referred to asRouter- NCE-on-Demand"Router&nbhy;NCE&nbhy;on&nbhy;Demand" in this document.</t> <t>Router-NCE-on-Demand can cause the following issues:</t><t>*Issue<ul spacing="normal"> <li> <t>Issue 13: NCEExhaustion - anExhaustion</t> <t>An attacker can send a high volume of packets targeting non-existent IP addresses, causing the router to create numerous NCEs in the INCOMPLETE state. The resulting resource exhaustion may cause the router to malfunction. This vulnerability, described as "NCE Exhaustion" in this document, does not require the attacker to beon-link. * Issueon-link.</t> </li> <li> <t>Issue 14: Router ForwardingDelay - whenDelay</t> <t>When a packet arrives at a router, the router buffers it while attempting to determine the host's MAC address. This buffering delays forwarding and, depending on the router's buffer size, may lead to packet loss. This delay is referred to as"Router-NCE-on-Demand"Router&nbhy;NCE&nbhy;on&nbhy;Demand Forwarding Delay" in thisdocument. * Issuedocument.</t> </li> <li> <t>Issue 15: Lack of AddressAccountability - withAccountability</t> <t>With SLAAC, hosts generate their IP addresses. The router does not become aware of a host's IP address until an NCE entry is created. With DHCPv6 <xref target="RFC8415"/>, the router may not know the host's addresses unless it performs DHCPv6 snooping. In public access networks, where subscriber management often relies on IP address (or prefix) identification, this lack of address accountability poses a challenge <xref target="I-D.ccc-v6ops-address-accountability"/>. Without knowledge of the host's IP address, network administrators are unable to effectively manage subscribers, which is particularly problematic in public access networks. Moreover, once a router has created its NCEs, ND <xref target="RFC4861"/> provides no mechanism to retrieve them for management or monitoring, as noted in <xref section="2.6.1" sectionFormat="of" target="RFC9099"/>.</t> </li> </ul> </section> <section anchor="summary-of-nd-issues"> <name>Summary of ND Issues</name> <t>The ND issues, as discussed in Sections2.1 to 2.3,<xref target="multicast-may-cause-performance-and-reliability-issues" format="counter"/>, <xref target="trusting-all-hosts-may-cause-on-link-security-issues" format="counter"/>, and <xref target="router-nce-on-demand-may-cause-forwarding-delay-nce-exhaustion-and-address-accountability-issues" format="counter"/>, are summarized below. These issues stem from three primary causes: multicast, Trusting-all-nodes, and Router-NCE-on-Demand. Eliminating any of these causes would also mitigate the corresponding issues. These observations provide guidance for addressing and preventing ND- related issues.</t><t>(1) Multicast-related issues:</t> <artwork><![CDATA[ * Performance<!-- [rfced] Regarding Table 1 a) We note that a few RFC numbers appear in the "ND solution" column. For consistency with the other items in this column, what terminology would you like to replace these RFC numbers with? (Note that we will also update the section titles that correspond with these table entries to match.) Original entries in table 1: 7772 6583 9686 Corresponding section titles: 3.8. Reducing Router Advertisements 3.11. RFC 6583 Dealing with NCE Exhaustion Attacks 3.12. Registering Self-generated IPv6 Addresses using DHCPv6 b) Some abbreviations in this table do not clearly correspond to the list of issueso Issuein Section 2.4 (e.g., "No A. Acct."). Would you like to add a legend above or below Table 1, or add the abbreviations in Section 2.4? Also, FYI, we updated the abbreviations as shown below. Current abbreviations: On-link securi. NCE Exhau. Fwd. Delay No A. Acct. Perhaps: The abbreviations in Table 1 correspond to Section 2.4 as follows. On-link Sec. = Trusting-all-nodes related issues NCE Exh. = NCE Exhaustion Fwd. Delay = Router Forwarding Delay No Addr. Acc. = Lack of Address Accountability c) FYI - We renamed the "RFC type" column to "RFC cat." (RFC category) to align with the text that precedes the table. d) FYI - We updated "U" to "N/A" to make it clear that the corresponding items are not specified in RFCs. Original: I - Informational B - Best Current Practice U - Unknown (not formally defined by the IETF) Current: I: Informational B: Best Current Practice N/A: Not Applicable (not an RFC) --> <ol spacing="normal" type="1"> <li><t>Multicast-related issues:</t> <ul spacing="normal"> <li><t>Performance issues:</t> <ul spacing="normal"> <li>Issue 1: LLA DAD DegradingPerformance. o IssuePerformance</li> <li>Issue 2: Unsolicited RA Draining Host BatteryLife. o IssueLife</li> <li>Issue 3: GUA DAD degradingperformance. o Issueperformance</li> <li>Issue 4: Router Address Resolution for Hosts DegradingPerformance. o IssuePerformance</li> <li>Issue 5: Host Address Resolution for Other Hosts DegradingPerformance. * Reliability issues o IssuePerformance</li> </ul></li> <li><t>Reliability issues:</t> <ul spacing="normal"> <li>Issue 6: LLA DAD Not Completely Reliable in WirelessNetworks o IssueNetworks</li> <li>Issue 7: GUA DAD Not Completely Reliable in WirelessNetworks ]]></artwork> <t>(2) Trusting-all-nodesNetworks</li> </ul></li> </ul></li> <li><t>Trusting-all-nodes related issues:</t><artwork><![CDATA[ o Issue<ul spacing="normal"> <li>Issue 8: Source IP AddressSpoofing o IssueSpoofing</li> <li>Issue 9: Denial ofDAD o IssueDAD</li> <li>Issue 10: RogueRAs o IssueRAs</li> <li>Issue 11: SpoofedRedirects o IssueRedirects</li> <li>Issue 12: ReplayAttacks ]]></artwork> <t>(3) Router-NCE-on-DemandAttacks</li> </ul></li> <li><t>Router-NCE-on-Demand related issues:</t><artwork><![CDATA[ o Issue<ul spacing="normal"> <li>Issue 13: NCEExhaustion o IssueExhaustion</li> <li>Issue 14: Router ForwardingDelay o IssueDelay</li> <li>Issue 15: Lack of AddressAccountability ]]></artwork>Accountability</li> </ul> </li> </ol> <t>These issues are potential vulnerabilities and may not manifest in all usage scenarios.</t> <t>When these issues may occur in a specific deployment, it is advisable to consider the mitigation solutions available. They are described in the following section.</t> </section> </section> <section anchor="review-of-nd-mitigation-solutions"> <name>Review of ND Mitigation Solutions</name><t>Table 1<t><xref target="solutions-table"/> summarizes ND mitigation solutions available for Issues 1-15 described inSection 2.4.<xref target="summary-of-nd-issues" format="default"/>. Similar solutions are grouped, beginning with those that address the most issues. Unrelated solutions are ordered based on the issues (listed inSection 2.4)<xref target="summary-of-nd-issues" format="default"/>) they address. Each solution in the table will be explained in a sub-section later, where abbreviations in the table are described.</t> <t>Inthe table,<xref target="solutions-table"/>, a letter code indicates the RFC category of the mitigation solution (see BCP 9 <xref target="RFC2026"/> for an explanation of these categories):</t><artwork><![CDATA[<!--[rfced] We suggest removing "Draft Standard" from this list because that Standards Track maturity level is no longer in use, per RFC 6410. (Also, it appears that zero of the ND solutions listed in Table 1 are specified in a Draft Standard; please review. We note that RFCs 4861 and 4862 are Draft Standards, but they are not listed in Table 1.) Original: S - Standards Track (Proposed Standard, Draft Standard, or Internet Standard)E - Experimental I - Informational B - BestSuggested: S: Standards Track (Proposed Standard or Internet Standard) --> <dl spacing="compact" newline="false" indent="5"> <dt>S:</dt><dd>Standards Track (Proposed Standard, Draft Standard, or Internet Standard)</dd> <dt>E:</dt><dd>Experimental</dd> <dt>I:</dt><dd>Informational</dd> <dt>B:</dt><dd>Best CurrentPractice U - UnknownPractice</dd> <dt>N/A:</dt><dd>Not Applicable (notformally defined by the IETF) ]]></artwork> <artwork><![CDATA[ +-----+---+-------------------+--------+-------+-------+------+-----+ |ND |RFC| Multicast | Reli- |On-link|NCE |Fwd. |No A.| |solu-|ty-| performance | ability|securi.|Exhau. |Delay |Acct.| |tion |pe |---+---+---+---+---+---+----+-------+-------+------+-----+ | | | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8-12 | 13 | 14 | 15 | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |MBBv6| I | Allan RFC)</dd> </dl> <table anchor="solutions-table"> <name>Solutions for Identified Issues</name> <thead> <tr> <th rowspan="2">ND solution</th> <th rowspan="2">RFC cat.</th> <th colspan="5">Multicast performance</th> <th colspan="2">Reliability</th> <th>On-link sec.</th> <th>NCE Exh.</th> <th>Fwd. Delay</th> <th>No Addr. Acc.</th> </tr> <tr> <th align="center">1</th> <th align="center">2</th> <th align="center">3</th> <th align="center">4</th> <th align="center">5</th> <th align="center">6</th> <th align="center">7</th> <th align="center">8-12</th> <th align="center">13</th> <th align="center">14</th> <th align="center">15</th> </tr> </thead> <tbody> <tr> <td>MBBv6</td> <td align="center">I</td> <td colspan="11" align="center">All identified issuessolved | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |FBBv6| U | Allsolved</td> </tr> <tr> <td>FBBv6</td> <td align="center">N/A</td> <td colspan="11" align="center">All identified issuessolved | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |UPPH | I | | X | | X | X | | X | | X | X | X | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |WiND | S |Allsolved</td> </tr> <tr> <td>UPPH</td> <td align="center">I</td> <td></td> <td align="center">X</td> <td></td> <td align="center">X</td> <td align="center">X</td> <td></td> <td align="center">X</td> <td></td> <td align="center">X</td> <td align="center">X</td> <td align="center">X</td> </tr> <tr> <td>WiND</td> <td align="center">S</td> <td colspan="11" align="center">All issues solved for Low-Power and Lossy Networks(LLNs)| +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |SARP | E | | | | | X | | | | | | | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |ND | S | | | | | X | | | | | | | |TRILL| | | | | | | | | | | | | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |ND | S | | | | | X | | | | | | | |EVPN | | | | | | | | | | | | | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |7772 | B | | X | | | | | | | | | | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |GRAND| S | | | | X | | | | | | X | | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |SAVI/| | | | | | | | | | | | | |RA | I | | | | | | | | X | | | | |G/G+ | | | | | | | | | | | | | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |6583 | I | | | | | | | | | X | | | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ |9686 | S | | | | | | | | | | | X | +-----+---+---+---+---+---+---+---+----+-------+-------+------+-----+ Table 1. Solutions for identified issues ]]></artwork>(LLNs)</td> </tr> <tr> <td>SARP</td> <td align="center">E</td> <td></td> <td></td> <td></td> <td></td> <td align="center">X</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> </tr> <tr> <td>ND TRILL</td> <td align="center">S</td> <td></td> <td></td> <td></td> <td></td> <td align="center">X</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> </tr> <tr> <td>ND EVPN</td> <td align="center">S</td> <td></td> <td></td> <td></td> <td></td> <td align="center">X</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> </tr> <tr> <td>7772</td> <td align="center">B</td> <td></td> <td align="center">X</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> </tr> <tr> <td>GRAND</td> <td align="center">S</td> <td></td> <td></td> <td></td> <td align="center">X</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td align="center">X</td> <td></td> </tr> <tr> <td>SAVI/RA G/G+</td> <td align="center">I</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td align="center">X</td> <td></td> <td></td> <td></td> </tr> <tr> <td>6583</td> <td align="center">I</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td align="center">X</td> <td></td> <td></td> </tr> <tr> <td>9686</td> <td align="center">S</td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td></td> <td align="center">X</td> </tr> </tbody> </table> <section anchor="nd-solution-in-mobile-broadband-ipv6"> <name>ND Solution in Mobile Broadband IPv6</name> <t>The IPv6 solution defined in "IPv6 in3GPP EPS"3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS)" <xref target="RFC6459"/>, "IPv6 for3GPPThird Generation Partnership Project (3GPP) Cellular Hosts" <xref target="RFC7066"/>, and "Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link" <xref target="RFC7278"/> is called Mobile Broadband IPv6 (MBBv6) in this document. They are Informational RFCs. The key points are:</t><artwork><![CDATA[ * Putting<ul spacing="normal"> <li><t>Putting everyhost, e.g.,host (e.g., the mobile User Equipment(UE),(UE)) in a Point-to-Point (P2P) link with therouter, e.g.,router (e.g., the mobilegateway. Consequently: o Allgateway) has the following outcomes:</t> <ul spacing="normal"> <li>All multicast is effectively turned intounicast. o Theunicast.</li> <li>The P2P links do not have a MAC address. Therefore, Router- NCE-on-Demand is notneeded. o Trusting-all-nodesneeded.</li> <li>Trusting-all-nodes is only relevant to the router. By applying filtering at therouter, e.g.,router (e.g., dropping RAs from thehosts,hosts), even malicious hosts cannot causeharm. * Assigningharm.</li> </ul></li> <li>Assigning a unique /64 prefix to each host. Together with the P2P link, this puts each host on a separate link andsubnet. * Maintainingsubnet.</li> <li>Maintaining (prefix, interface) binding at the router for forwardingpurposes. ]]></artwork>purposes.</li> </ul> <t>Since all the three causes of ND issues are addressed, all the issues discussed inSection 2.4<xref target="summary-of-nd-issues" format="default"/> are addressed.</t> </section> <section anchor="nd-solution-in-fixed-broadband-ipv6"> <name>ND Solution in Fixed Broadband IPv6</name> <t>The IPv6 solution defined in "IPv6 in the context of TR-101" <xref target="TR177"/> is called Fixed Broadband IPv6 (FBBv6) in this document. FBBv6 has two flavors:</t><artwork><![CDATA[ * P2P:<ul spacing="normal"> <li>P2P: Everyhost, e.g.,host (e.g., the Residential Gateway(RG),(RG)) is in a P2P link with therouter, e.g.,router (e.g., the Broadband Network Gateway(BNG).(BNG)). In this case, the solution is functionally similar to MBBv6. All ND issues discussed inSection 2.4<xref target="summary-of-nd-issues" format="default"/> aresolved. * Point-to-Multi-Pointsolved.</li> <li>Point to Multipoint (P2MP): Allhosts, e.g.,hosts (e.g., theRGs,RGs) connected to an accessdevice, e.g.,device (e.g., the Optical Line Terminal(OLT),(OLT)) are in a P2MP link with therouter, e.g.,router (e.g., theBNG.BNG). This is achieved by placing all hosts in a single VLAN on the router and configuring the OLT to block any frame from being forwarded between its access ports; traffic from each host can travel only up toward the router, not sideways to another host, thereby preventing direct host-to-hostcommunication. ]]></artwork>communication.</li> </ul> <t>The following list summarizes the two key aspects of the FBBv6-P2MP architecture as described in <xref target="TR177"/> and the associated benefits:</t><artwork><![CDATA[ * Implementing<ul spacing="normal"> <li><t>Implementing DADProxy {{RFC6957}}: Inproxy <xref target="RFC6957"/>:</t> <t>In a P2MP architecture described above, the normal ND DAD procedure willbreaksbreak down because hosts cannot exchange NSs with one another. To address this, the router participates in the DAD process as a DAD Proxy to resolve addressduplication. Theduplication.</t> <t>The benefitsare: o Multicastare:</t> <ul spacing="normal"> <li>Multicast traffic from all hosts to the router is effectively converted into unicast, as hosts can only communicate directly with therouter. o Therouter.</li> <li>The Trusting-all-nodes model is limited to the router. By applying simplefiltering, e.g.,filtering (e.g., dropping RAs fromhosts,hosts), the router can mitigate security risks, even from malicioushosts * Assigninghosts.</li> </ul></li> <li><t>Assigning a unique /64 prefix to eachhost: Assigninghost:</t> <t>Assigning each host a unique /64 prefix results in several operationalimprovements: o Theimprovements:</t> <ul spacing="normal"> <li>The router can proactively install a forwarding entry for that prefix towards the host, eliminating the need forRouter-NCE-on-Demand. o SinceRouter-NCE-on-Demand.</li> <li>Since each host resides in a different subnet, traffic between hosts is routed through the router, eliminating the need for hosts to perform address resolution for oneanother. o Withoutanother.</li> <li>Without address resolution, router multicast to hosts is limited to unsolicited RAs. As each host resides in its own subnet, these RAs are sent as unicast packets to individual hosts. This follows the approach specified in{{RFC6085}},<xref target="RFC6085"/>, where the host's MAC address replaces the multicast MAC address in theRA. ]]></artwork>RA.</li> </ul></li> </ul> <t>Since all three causes of ND issues are addressed, all ND issues(Section 2.4)(<xref target="summary-of-nd-issues" format="default"/>) are also addressed.</t> </section> <section anchor="unique-ipv6-prefix-per-host-upph"> <name>Unique IPv6 Prefix per Host (UPPH)</name><t>UPPH<t>Unique IPv6 Prefix per Host (UPPH) solutions are described in <xref target="RFC8273"/> and <xref target="RFC9663"/>. Both are Informational RFCs. <xref target="RFC8273"/> relies on SLAAC for unique prefix allocation while <xref target="RFC9663"/> relies onDHCP-PD.DHCPv6 Prefix Delegation (DHCPv6-PD). That difference in allocation mechanism does not change the discussion on ND issues, because every IPv6 node is still required to run SLAAC, even when it receives its prefix viaDHCP-PD.DHCPv6-PD. Therefore, discussing <xref target="RFC8273"/> alone is sufficient.</t> <t><xref target="RFC8273"/> "improves host isolation and enhanced subscriber management on shared network segments" such as Wi-Fi or Ethernet. The key points are:</t><artwork><![CDATA[ * When<ul spacing="normal"> <li>When a prefix is allocated to the host, the router can proactively install a forwarding entry for that prefix towards the host. There is no moreRouter-NCE-on-Demand. * WithoutRouter-NCE-on-Demand.</li> <li>Without address resolution, router multicast to hosts consists only of unsolicited RAs. They will be sent to hosts one by one in unicast because the prefix for every host isdifferent. * Sincedifferent.</li> <li>Since different hosts are in different subnets, hosts will send traffic to other hosts via the router. There is no host-to-host addressresolution. ]]></artwork>resolution.</li> </ul> <t>Therefore, ND issues caused by Router-NCE-on-Demand and router multicast to hosts are prevented.</t> <t><xref target="RFC8273"/> indicates that a "network implementing a unique IPv6 prefix per host can simply ensure that devices cannot send packets to each other except through the first-hop router".ButHowever, when hosts are on a shared medium like Ethernet, ensuring "devices cannot send packets to each other except through the first-hop router" requires additional measures like Private VLAN <xref target="RFC5517"/>. Without such additional measures, on a shared medium, hosts can still reach each other in L2 as they belong to the same Solicited-Node Multicast Group. Therefore, Trusting-all-nodes and host multicast to routers may cause issues. Of the host multicast issues (i.e., Issues 1, 3, 5, 6, and 7),Unique Prefix per HostUPPH prevents Issues 5 and 7, because there is no need for address resolution among hosts (Issue5)5), and there is no possibility of GUA duplication (Issue 7).ButHowever, Issues 1, 3, and 6 may occur.</t> </section> <!-- [rfced] Section 3.4: As the phrase "WiND" does not explicitly appear in the RFCs mentioned below, may we adjust the text below to indicate this a new term? Original: Wireless ND (WiND) [RFC6775][RFC8505][RFC8928][RFC8929] (Standards Track) defines a fundamentally different ND solution for Low-Power and Lossy Networks (LLNs) [RFC7102]. Perhaps: The term "Wireless ND (WiND)" is used in this document to describe the fundamentally different ND solution for Low-Power and Lossy Networks (LLNs) [RFC7102] that is defined in [RFC6775], [RFC8505], [RFC8928], and [RFC8929] (Standards Track). --> <section anchor="wireless-nd-and-subnet-nd"> <name>Wireless ND and Subnet ND</name> <t>Wireless ND (WiND) <xreftarget="RFC6775"/><xref target="RFC8505"/><xref target="RFC8928"/><xreftarget="RFC6775"/> <xref target="RFC8505"/> <xref target="RFC8928"/> <xref target="RFC8929"/> (Standards Track) defines a fundamentally different ND solution for Low-Power and Lossy Networks (LLNs) <xref target="RFC7102"/>. WiND changes host and router behaviors to use multicast only for router discovery. The key points are:</t><artwork><![CDATA[ * Hosts<ul spacing="normal"> <li>Hosts use unicast to proactively register their addresses at the routers. Routers use unicast to communicate with hosts and become an abstract registrar and arbitrator for addressownership. * Theownership.</li> <li>The router also proactively installs NCEs for the hosts. This avoids the need for address resolution for thehosts. * Thehosts.</li> <li>The router sets the Prefix Information Option (PIO) L-bit to 0. Each host communicates only with the router({{Section 6.3.4 of RFC4861}}). * Other(<xref target="RFC4861" section="6.3.4"/>).</li> <li>Other functionalities that are relevant only toLLNs. ]]></artwork>LLNs.</li> </ul> <t>WiND addresses all ND issues(Section 2.4)(<xref target="summary-of-nd-issues" format="default"/>) in LLNs. However, WiND support is not mandatory for general-purpose hosts. Therefore, it cannot be relied upon as a deployment option without imposing additional constraints on the participating nodes.</t> </section> <section anchor="scalable-address-resolution-protocol"> <name>Scalable Address Resolution Protocol</name><t>Scalable<t>The Scalable Address Resolution Protocol (SARP) <xref target="RFC7586"/> was an Experimental solution. That experiment ended in 2017, two years after the RFC was published. Because the idea has been used in mitigation solutions for more specific scenarios (described in Sections3.6<xref target="arp-and-nd-optimization-for-trill" format="counter"/> and3.7),<xref target="proxy-arpnd-in-ethernet-virtual-private-networks-evpn" format="counter"/>), it is worth describing here. The usage scenario is Data Centers (DCs), where large L2 domains span across multiple sites. In each site, multiple hosts are connected to a switch. The hosts can be Virtual Machines (VMs), so the number can be large. The switches are interconnected by a native or overlay L2 network.</t> <t>The switch will snoop and install a (IP, MAC address) proxy table for the local hosts. The switch will also reply to address resolution requests from other sites to its hosts with its own MAC address. In doing so, all hosts within a site will appear to have a single MAC address to other sites. As such, a switch only needs to build a MAC address table for the local hosts and the remote switches, not for all the hosts in the L2 domain. Consequently, the MAC address table size of the switches is significantly reduced. A switch will also add the (IP, MAC address) replies from remote switches to its proxy ND table so that it can reply to future address resolution requests from local hosts for such IPs directly. This greatly reduces the number of address resolution multicast in the network.</t> <t>Unlike MBBv6, FBBv6, and UPPH, which try to address all ND issues discussed inSection 2.4,<xref target="summary-of-nd-issues" format="default"/>, SARP focuses on reducing address resolution multicast to improve the performance and scalability of large L2 domains in DCs.</t> </section> <section anchor="arp-and-nd-optimization-for-trill"> <name>ARP and ND Optimization for TRILL</name> <t>ARP and NDOptimizationoptimization forTRILLTransparent Interconnection of Lots of Links (TRILL) <xref target="RFC8302"/> (Standards Track) is similar to SARP(Section 3.5).(<xref target="scalable-address-resolution-protocol" format="default"/>). It can be considered an application of SARP in the TRILL environment.</t><t>Like<!-- [rfced] Should the comma after "ARP" be removed in the text below so that "ARP and ND optimization" appear as one item? Original: Like SARP, ARP, and ND Optimization for TRILL focuses on reducing multicast address resolution. Perhaps: Like SARP, ARP and ND optimization for TRILL focuses on reducing multicast address resolution. --> <t>Like SARP, ARP, and ND optimization for TRILL focuses on reducing multicast address resolution. That is, it addresses Issue 5(Section 2.1).</t>(<xref target="multicast-may-cause-performance-and-reliability-issues" format="default"/>).</t> </section> <section anchor="proxy-arpnd-in-ethernet-virtual-private-networks-evpn"> <name>Proxy ARP/ND in Ethernet Virtual Private Networks (EVPN)</name> <t>Proxy ARP/ND in EVPN is specified in <xref target="RFC9161"/> (Standards Track). The usage scenario is DCs where large L2 domains span across multiple sites. In each site, multiple hosts are connected to a Provider Edge (PE) router. The PEs are interconnected by EVPN tunnels.</t><t>PE<t>The PE of each site snoops the local address resolution NAs to build (IP, MAC address) Proxy ND table entries. PEs then propagate such Proxy ND entries to other PEs via the Border Gateway Protocol (BGP). Each PE also snoops local hosts' address resolution NSs for remote hosts. If an entry exists in its Proxy ND table for the remote hosts, the PE will reply directly. Consequently, the number of multicast address resolution messages is significantly reduced.</t> <t>Like SARP, Proxy ARP/ND in EVPN also focuses on reducing address resolution multicast.</t> </section> <section anchor="reducing-router-advertisements"> <name>Reducing Router Advertisements</name> <t>Maintaining IPv6 connectivity requires that hosts be able to receive periodic multicast RAs <xref target="RFC4861"/>. Hosts that process unicast packets while they are asleep must also process multicast RAs while they are asleep. An excessive number of RAs can significantly reduce the battery life of mobile hosts. <xref target="RFC7772"/> (Best Current Practice) specifies a solution to reduce RAs:</t><artwork><![CDATA[ * The<ul spacing="normal"> <li>The router should respond to RS with unicast RA (rather than the normal multicast RA) if the host's source IP address is specified and the host's MAC address is valid. This way, other hosts will not receive thisRA. * TheRA.</li> <li>The router should reduce the multicast RAfrequency ]]></artwork>frequency.</li> </ul> <t><xref target="RFC7772"/> addresses Issue 2(Section 2.1).</t>(<xref target="multicast-may-cause-performance-and-reliability-issues" format="default"/>).</t> </section> <section anchor="gratuitous-neighbor-discovery-grand"> <name>Gratuitous Neighbor Discovery (GRAND)</name> <t>GRAND <xref target="RFC9131"/> (Standards Track) changes ND in the following ways:</t><artwork><![CDATA[ * A<ul spacing="normal"> <li>A node sends unsolicited NAs upon assigning a new IPv6 address to itsinterface. * Ainterface.</li> <li>A router creates a new NCE for the node and sets its state toSTALE. ]]></artwork>STALE.</li> </ul> <t>When a packet for the host later arrives, the router can use the existing STALE NCE to forward it immediately (<xreftarget="RFC4861"/> Section 7.2.2).target="RFC4861" sectionFormat="comma" section="7.2.2"/>). It then verifies reachability by sending a unicast NS rather than a multicast one for address resolution. In this way, GRAND eliminates the Router ForwardingDelay. ButDelay, but it does not solve other Router-NCE-on-Demand issues. For example, NCE Exhaustion can still happen.</t> </section> <section anchor="source-address-validation-improvement-savi-and-router-advertisement-guard"> <name>Source Address Validation Improvement (SAVI) and Router Advertisement Guard</name><t>SAVI<t>Source Address Validation Improvement (SAVI) <xref target="RFC7039"/> (Informational) binds an address to a port on an L2 switch and rejects claims from other ports for that address. Therefore, a node cannot spoof the IP address of another node.</t> <t>Router Advertisement Guard (RA-Guard) <xreftarget="RFC6105"/><xreftarget="RFC6105"/> <xref target="RFC7113"/> (Informational) only allows RAs from a port that a router is connected to. Therefore, nodes on other ports cannot pretend to be a router.</t> <t>SAVI and RA-Guard address the on-link security issues.</t> </section> <section anchor="rfc-6583-dealing-with-nce-exhaustion-attacks"> <name>RFC 6583 Dealing with NCE Exhaustion Attacks</name> <t><xref target="RFC6583"/> (Informational) deals with the NCE Exhaustion attack issue(Section 2.3).(<xref target="router-nce-on-demand-may-cause-forwarding-delay-nce-exhaustion-and-address-accountability-issues" format="default"/>). It recommends that:</t><artwork><![CDATA[ * Operators should o Filter<ul spacing="normal"> <li> <t>Operators should:</t> <ul spacing="normal"> <li>Filter unused address space so that messages to such addresses can be dropped rather than triggering NCEcreation. o Implementcreation.</li> <li>Implement rate-limiting mechanisms for ND message processing to prevent CPU and memory resources from beingoverwhelmed. * Vendors should o Prioritizingoverwhelmed.</li> </ul> </li> <li> <t>Vendors should:</t> <ul spacing="normal"> <li>Prioritize NDP processing for existing NCEs over creating newNCEs ]]></artwork>NCEs.</li> </ul> </li> </ul> <t><xref target="RFC6583"/> acknowledges that "some of these options are 'kludges', and can be operationally difficult to manage". <xref target="RFC6583"/> partially addresses the Router NCE Exhaustion issue. In practice, router vendors cap the number of NCEs per interface to prevent cache exhaustion. If the link has more addresses than that cap, the router cannot keep an entry for every address, and packets destined for addresses without an NCE are simply dropped <xref target="RFC9663"/>.</t> </section> <section anchor="registering-self-generated-ipv6-addresses-using-dhcpv6"> <name>RegisteringSelf-generatedSelf-Generated IPv6 AddressesusingUsing DHCPv6</name> <t>In IPv4, network administrators can retrieve a host's IP address from the DHCP server and use it for subscriber management. In IPv6 and SLAAC, this is not possible(Section 2.3).</t>(<xref target="router-nce-on-demand-may-cause-forwarding-delay-nce-exhaustion-and-address-accountability-issues" format="default"/>).</t> <t><xref target="RFC9686"/> (Standards Track) defines a method for informing a DHCPv6 server that a host has one or more self-generated or statically configured addresses. This enables network administrators to retrieve the IPv6 addresses for each host from the DHCPv6 server. <xref target="RFC9686"/> provides a solution for Issue 15(Section 2.3).</t>(<xref target="router-nce-on-demand-may-cause-forwarding-delay-nce-exhaustion-and-address-accountability-issues" format="default"/>).</t> </section> <section anchor="enhanced-dad"> <name>Enhanced DAD</name> <t>Enhanced DAD <xref target="RFC7527"/> (Standards Track) addresses a DAD failure issue in a specific situation: alooped backlooped-back interface. DAD will fail in a looped-back interface because the sending host will receive the DAD message back and will interpret it as another host is trying to use the same address. The solution is to include a Nonce option <xref target="RFC3971"/> in each DAD message so that the sending host can detect that the looped-back DAD message is sent by itself.</t> <t>Enhanced DAD does not solve any ND issue. It extends ND to work in a new scenario: a looped-back interface. It is reviewed here only for completeness.</t> </section> <section anchor="nd-mediation-for-ip-interworking-of-layer-2-vpns"> <name>ND Mediation for IP Interworking of Layer 2 VPNs</name> <t>ND mediation is specified in <xref target="RFC6575"/> (Standards Track). When two Attachment Circuits (ACs) are interconnected by a Virtual Private Wired Service (VPWS), and the two ACs are of different media (e.g., one is Ethernet while the other is Frame Relay), the two PEs must interwork to provide mediation service so that a Customer Edge (CE) can resolve the MAC address of the remote end. <xref target="RFC6575"/> specifies such a solution.</t> <t>NDMediationmediation does not address any ND issue. It extends ND to work in a new scenario: two ACs of different media interconnected by a VPWS. It is reviewed here only for completeness.</t> </section> <section anchor="nd-solutions-defined-before-the-latest-versions-of-nd"> <name>ND Solutions DefinedbeforeBefore the Latest Versions of ND</name> <t>The latest versions of ND and SLAAC are specified in <xref target="RFC4861"/> and <xref target="RFC4862"/>. Several ND mitigation solutions were published before <xref target="RFC4861"/>. They are reviewed in this section only for completeness.</t> <section anchor="secure-neighbor-discovery-send"> <name>Secure Neighbor Discovery(SeND)</name>(SEND)</name> <t>The purpose ofSeNDSEND <xref target="RFC3971"/> (Standards Track) is to ensure that hosts and routers are trustworthy.SeNDSEND defined three new ND options, i.e., Cryptographically Generated Addresses (CGA) <xref target="RFC3972"/> (Standards Track), RSA public-key cryptosystem, and Timestamp/Nonce, an authorization delegation discovery process, an address ownership proof mechanism, and requirements for the use of these components in the ND protocol.</t> <!-- [rfced] Please clarify; after the 3 options are listed, how does the second part of this sentence relate to the first part? Original: SeND defined three new ND options, i.e., Cryptographically Generated Addresses (CGA) [RFC3972] (Standards Track), RSA public-key cryptosystem, and Timestamp/Nonce, an authorization delegation discovery process, an address ownership proof mechanism, and requirements for the use of these components in the ND protocol. Perhaps: SEND defined three new ND options: Cryptographically Generated Addresses (CGA) [RFC3972] (Standards Track), RSA public-key cryptosystem, and Timestamp/Nonce. These are an authorization delegation discovery process, an address ownership proof mechanism, and requirements for the use of these components in the ND protocol, respectively. --> </section> <section anchor="cryptographically-generated-addresses-cga"> <name>Cryptographically Generated Addresses (CGA)</name> <t>The purpose of CGA is to associate a cryptographic public key with an IPv6 address in theSeNDSEND protocol. The key point is to generate the Interface Identifier (IID) of an IPv6 address by computing a cryptographic hash of the public key. The resulting IPv6 address is called a CGA. The corresponding private key can then be used to sign messages sent from the address.</t> <t>CGA assumes that a legitimate host does not care about the bit combination of the IID that would be created by some hash procedure. The attacker needs an exact IID to impersonate the legitimate hosts, but then the attacker is challenged to do a reverse hashcalculationcalculation, which is a strong mathematical challenge.</t> <t>CGA is part ofSeND.SEND. There is no reported deployment.</t> </section> <section anchor="nd-proxy"> <name>ND Proxy</name> <t>ND Proxy <xref target="RFC4389"/> (Experimental) aims to enable multiple links joined by an ND Proxy device to work as a single link.</t><artwork><![CDATA[ * When<ul spacing="normal"> <li>When an ND Proxy receives an ND request from a host on a link, it will proxy the message out the "best" (defined in the next paragraph) outgoing interface. If there is no best interface, the ND Proxy will proxy the message to all other links. Here, proxy means acting as if the ND message originates from the ND Proxy itself. That is, the ND Proxy will change the ND message's source IP and source MAC address to the ND Proxy's outgoing interface's IP and MAC address, and create an NCE entry at the outgoing interfaceaccordingly. * Whenaccordingly.</li> <li>When ND Proxy receives an ND reply, it will act as if the ND message is destined for itself, and update the NCE entry state at the receiving interface. Based on such state information, the ND Proxy can determine the "best" outgoing interface for future ND requests. The ND Proxy then proxies the ND message back to the requestinghost. ]]></artwork>host.</li> </ul> <t>ND Proxy is widely used in SARP(Sections 3.5),(<xref target="scalable-address-resolution-protocol" format="default"/>), NDOptimizationoptimization for TRILL(Sections 3.6),(<xref target="arp-and-nd-optimization-for-trill" format="default"/>), and Proxy ARP/ND in EVPN(Sections 3.7).</t>(<xref target="proxy-arpnd-in-ethernet-virtual-private-networks-evpn" format="default"/>).</t> </section> <section anchor="optimistic-dad"> <name>Optimistic DAD</name> <t>Optimistic DAD <xref target="RFC4429"/> (Standards Track) seeks to minimize address configuration delays in the successful case and to reduce disruption as far as possible in the failure case. That is, Optimistic DAD lets hosts immediately use the newly formed address to communicate before DAD completes, assuming that DAD will succeed anyway. If the address turns out to be duplicate, Optimistic DAD provides a set of mechanisms to minimize the impact. Optimistic DAD modified the original ND <xref target="RFC2461"/> and original SLAAC <xreftarget="RFC2462"/>,target="RFC2462"/> (both of which are obsolete), but the solution was not incorporated into the latest specifications of ND <xref target="RFC4861"/> and SLAAC <xref target="RFC4862"/>. However, implementations of Optimistic DAD exist.</t> <t>Optimistic DAD does not solve any ND issue(Section 2).(<xref target="review-of-inventoried-nd-issues" format="default"/>). It is reviewed here only for completeness.</t> </section> </section> </section> <section anchor="guidelines-for-prevention-of-potential-nd-issues"> <name>Guidelines for Prevention of Potential ND Issues</name> <t>By knowing the potential ND issues and associated mitigation solutions, network administrators of existing IPv6 deployments can assess whether these issues may occur in their networks and, if so, whether to deploy the mitigation solutions proactively. Deploying these solutions may take time and additional resources. Therefore, it is advisable to plan.</t> <t>Network administrators planning to start their IPv6 deployments can use the issue-solution information to help plan their deployments. Moreover, they can take proactive action to prevent potential ND issues.</t> <section anchor="learning-host-isolation-from-the-existing-solutions"> <name>Learning Host Isolation from the Existing Solutions</name> <t>While various ND solutions may initially appear unrelated, categorizing them into four distinct groups highlights an important observation:"host isolation"host isolation is an effective strategy for mitigating ND-related issues.</t><t>Group<ul spacing="normal"> <li><t>Group 1: L3 and L2 Isolation</t> <t>This group includes MBBv6 and FBBv6, which isolate hosts at both L3 and L2 by placing each host within its subnet and link. This prevents ND issues caused by multicast and Trusting-all-nodes, as each host operates within its isolated domain. Furthermore, since routers can route packets to a host based on its unique prefix, the need for Router-NCE-on-Demand is also eliminated. Therefore, L3 and L2 Isolation prevent all NDissues.</t> <t>Groupissues.</t></li> <li><t>Group 2: L3 Isolation</t> <t>This group includes UPPH solutions like <xref target="RFC8273"/> and <xref target="RFC9663"/>, which isolate hosts into separate subnets while potentially leaving them on the same shared medium. This approach mitigates ND issues caused by router multicast to hosts and eliminates the need for"Router-NCE-on-Demand",Router-NCE-on-Demand, as detailed inSection 3.3.</t> <t>Group<xref target="unique-ipv6-prefix-per-host-upph" format="default"/>.</t></li> <li><t>Group 3: Partial L2 Isolation</t> <t>This group encompasses solutions such as WiND, SARP, NDOptimizationoptimization for TRILL, and Proxy ND in EVPN. These solutions use a proxy device to represent the hosts behind it, effectively isolating those hosts into distinct multicast domains. While hosts are still located within the same subnet, their separation into different multicast domains reduces the scope of ND issues related to multicast-based addressresolution.</t> <t>Groupresolution.</t></li> <li><t>Group 4: Non-Isolating Solutions</t> <t>The final group includes remaining solutions that do not implement host isolation. These solutions do not prevent ND issues but instead focus on addressing specific NDproblems.</t>problems.</t></li> </ul> <t>The analysis demonstrates that the stronger the isolation of hosts, the more ND issues can be mitigated. This correlation is intuitive, as isolating hosts reduces the multicast scope, minimizes the number of nodes that must be trusted, and may eliminate the need for"Router-NCE-on-Demand",Router-NCE-on-Demand, the three primary causes of ND issues.</t> <t>This understanding can be used to prevent ND issues.</t> </section> <section anchor="applicability-of-various-isolation-methods"> <name>Applicability of Various Isolation Methods</name> <section anchor="applicability-of-l3l2-isolation"> <name>Applicability of L3+L2 Isolation</name> <t>Benefits:</t><t>o All<ul spacing="normal"> <li><t>All ND issues(Section 2.4)(<xref target="summary-of-nd-issues" format="default"/>) can be effectivelymitigated.</t>mitigated.</t></li> </ul> <!-- [rfced] We note a mixture of sentence and title case for several of the list items that appear in Sections 4.2.1, 4.2.2, and 4.2.3. For consistency, may we update these list items to sentence case? Some examples below: Original: 3. Privacy Issue from Unique Prefix Identifiability: 1. Unique Prefix Allocation 2. Router Support for L3 Isolation . Reduced Multicast Traffic: . Router Support for Partial L2 Isolation: Perhaps: 3. Privacy issue from unique prefix identifiability: 1. Unique prefix allocation 2. Router support for L3 isolation * Reduced multicast traffic: * Router support for partial L2 isolation: --> <t>Constraints:</t> <ol spacing="normal"type="1"><li> <dl> <dt>L2 Isolation:</dt> <dd>type="1"> <li> <t>L2 Isolation:</t> <t>Actions must be taken to isolate hosts in L2. The required effort varies by the chosen method and deployment context. For example, the P2P method <xref target="RFC7066"/> isheavy-weight,heavyweight, while the Private VLAN method <xref target="RFC5517"/> is more manageable.</t></dd> </dl></li> <li><dl> <dt>Unique<t>Unique PrefixAllocation:</dt> <dd>Allocation:</t> <t>A large number of prefixes will be required, with one prefix assigned per host. This is generally not a limitation for IPv6. For instance, members of a Regional Internet Registry (RIR) can obtain a /29 prefix allocation <xref target="RIPE738"/>, which provides 32 billion /64 prefixes--- sufficient for any foreseeable deployment scenarios. Practical implementations, such as MBBv6 assigning /64 prefixes to billions of mobile UEs <xreftarget="RFC6459"/>target="RFC6459"/>, and FBBv6 assigning /56 prefixes to hundreds of millions of routed RGs <xref target="TR177"/>, demonstrate the feasibility of this approach.</t></dd> </dl></li> <li><dl> <dt>Privacy<t>Privacy Issue from Unique PrefixIdentifiability:</dt> <dd>Identifiability:</t> <t>Assigning a unique prefix to each host may theoretically reduce privacy, as hosts can be directly identified by their assigned prefix. However, alternative host identification methods, such as cookies, are commonly used. Therefore, unique prefix identifiability may not make much difference. The actual impact on privacy is therefore likely to be limited.</t></dd> </dl></li> <li><dl> <dt>Router<t>Router Support for L3Isolation:</dt> <dd>Isolation:</t> <t>The router must support an L3 Isolation solution, e.g., <xref target="RFC8273"/> or <xref target="RFC9663"/>.</t></dd> </dl></li> <li><dl> <dt>A<t>A Large Number of Router Interfaces May beNeeded:</dt> <dd>Needed:</t> <t>If the P2P method is used, the router must instantiate a separate logical interface for every attached host. In this case, a large number of interfaces will be needed at the router.</t></dd> </dl></li> <li><dl> <dt>Router<t>Router as aBottleneck:</dt> <dd>Bottleneck:</t> <t>Since all communication between hosts is routed through the router, the router may become a performance bottleneck in high-traffic scenarios.</t></dd> </dl></li> <li><dl> <dt>Incompatibility<t>Incompatibility with Host-Based MulticastServices:</dt> <dd>Services:</t> <t>Services that rely on multicast communication among hosts, such as the Multicast Domain Name System <xref target="RFC6762"/>, will be disrupted.</t></dd> </dl></li> </ol> </section> <section anchor="applicability-of-l3-isolation"> <name>Applicability of L3 Isolation</name> <t>Benefits:</t><artwork><![CDATA[ * All<ul spacing="normal"> <li><t>All ND issues(Section 2.4)(<xref target="summary-of-nd-issues" format="default"/>) are mitigated, with the exceptionof: o LLAof:</t> <ul spacing="normal"> <li>LLA DAD multicast degradingperformance, o LLAperformance,</li> <li>LLA DAD not reliable in wireless networks,and o On-link securityand</li> <li>on-link security.</li> </ul> <t> These remaining issues depend on the characteristics of the sharedmedium: o Ifmedium:</t> <ul spacing="normal"> <li>If the shared medium is Ethernet, the issues related to LLA DAD multicast arenegligible. o Ifnegligible.</li> <li>If nodes can be trusted, such as in private networks,on- linkon-link security concerns are notsignificant. * Nosignificant.</li> </ul></li> <li>There is no need for L2 Isolation. Consequently, this method can be applied in a wide range of scenarios, making it possibly the most practical host isolationmethod. ]]></artwork> <t>Constraints, asmethod.</li> </ul> <t>Constraints (as discussed inSection 4.2.1:</t><xref target="applicability-of-l3l2-isolation" format="default"/>):</t> <ol spacing="normal" type="1"><li> <t>Unique Prefix Allocation</t> </li> <li> <t>Router Support for L3 Isolation</t> </li> <li> <t>Router as a Bottleneck</t> </li> <li> <t>Privacy Issue from Unique Prefix Identifiability.</t> </li> </ol> </section> <section anchor="applicability-of-partial-l2-isolation"> <name>Applicability of Partial L2 Isolation</name><t>Benefits:</t> <artwork><![CDATA[ * Reduced<t>Benefit:</t> <ul spacing="normal"> <li>Reduced Multicast Traffic: This method reduces multicast traffic, particularly for address resolution, by dividing the subnet into multiple multicastdomains. ]]></artwork>domains.</li> </ul> <t>Constraint:</t><artwork><![CDATA[ * Router<ul spacing="normal"> <li>Router Support for Partial L2 Isolation:]]></artwork> <t>TheThe router must implement a Partial L2 Isolation solution such as WiND, SARP, NDOptimizationoptimization for TRILL, and Proxy ND in EVPN to support thismethod.</t>method.</li> </ul> </section> </section> <section anchor="guidelines-for-applying-isolation-methods"> <name>Guidelines for Applying Isolation Methods</name> <t>Based on the applicability analysis provided in the preceding sections, network administrators can determine whether to implement an isolation method and, if so, which method is most appropriate for their specific deployment.</t> <t>A simple guideline is to consider the isolation methods in the order listed in the preceding sections, progressing from the strongest isolation to the weakest:</t><artwork><![CDATA[ * Stronger<ul spacing="normal"> <li>Stronger isolation methods can prevent more ND issues, but may also impose higher entryrequirements. * Weakerrequirements.</li> <li>Weaker isolation methods have fewer entry requirements but may leave some ND issuesunmitigated. ]]></artwork>unmitigated.</li> </ul> <t>The choice between L3+L2 Isolation and L3 Isolation often depends on the cost of implementing L2 Isolation:</t><artwork><![CDATA[ * If<ul spacing="normal"> <li>If the cost is acceptable, L3+L2 Isolation is preferable because it eliminates every ND issue listed inSection 2.4. * Otherwise,<xref target="summary-of-nd-issues" format="default"/>.</li> <li>Otherwise, L3 Isolation addresses most of those issues while keeping the implementation effortreasonable. ]]></artwork>reasonable.</li> </ul> <t>Selecting an isolation method that is either too strong or too weak does not result in serious consequences:</t><artwork><![CDATA[ * Choosing<ul spacing="normal"> <li>Choosing an overly strong isolation method may require the network administrator to meet higher entry requirements initially, such as measures for L2 Isolation, additional prefixes, or additional routercapabilities. * Choosingcapabilities.</li> <li>Choosing a"weakerweaker isolationmethod"method may necessitate deploying supplemental ND mitigation techniques to address any unresolved NDissues. ]]></artwork>issues.</li> </ul> <t>In either case, the resulting solution can be functional and effective.</t> </section> </section> <section anchor="security-considerations"> <name>Security Considerations</name> <t>This document is a review of known ND issues and solutions, including security. It does not introduce any new solutions. Therefore, it does not introduce new security issues.</t> </section> <section anchor="iana-considerations"> <name>IANA Considerations</name> <t>This document has norequest to IANA.</t>IANA actions.</t> </section> </middle> <back> <displayreference target="I-D.ccc-v6ops-address-accountability" to="AddrAcc"/> <displayreference target="RFC9797" to="MADINAS"/> <displayreference target="I-D.ietf-6man-ipv6-over-wireless" to="SND"/> <references anchor="sec-combined-references"> <name>References</name> <references anchor="sec-normative-references"> <name>Normative References</name><reference anchor="RFC4861" target="https://www.rfc-editor.org/info/rfc4861" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4861.xml"> <front> <title>Neighbor Discovery for IP version 6 (IPv6)</title> <author fullname="T. Narten" initials="T." surname="Narten"/> <author fullname="E. Nordmark" initials="E." surname="Nordmark"/> <author fullname="W. Simpson" initials="W." surname="Simpson"/> <author fullname="H. Soliman" initials="H." surname="Soliman"/> <date month="September" year="2007"/> <abstract> <t>This document specifies the Neighbor Discovery protocol for IP Version 6. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4861"/> <seriesInfo name="DOI" value="10.17487/RFC4861"/> </reference> <reference anchor="RFC4862" target="https://www.rfc-editor.org/info/rfc4862" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4862.xml"> <front> <title>IPv6 Stateless Address Autoconfiguration</title> <author fullname="S. Thomson" initials="S." surname="Thomson"/> <author fullname="T. Narten" initials="T." surname="Narten"/> <author fullname="T. Jinmei" initials="T." surname="Jinmei"/> <date month="September" year="2007"/> <abstract> <t>This document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. The autoconfiguration process includes generating a link-local address, generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4862"/> <seriesInfo name="DOI" value="10.17487/RFC4862"/> </reference><xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4861.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4862.xml"/> </references> <references anchor="sec-informative-references"> <name>Informative References</name> <!-- FYI: We've added URLs for the following reference(s): [TR177] --> <referenceanchor="TR177">anchor="TR177" target="https://www.broadband-forum.org/pdfs/tr-177-1-0-1.pdf"> <front> <title>IPv6 in the context of TR-101</title> <author> <organization>BroadbandForum, TR-177</organization>Forum</organization> </author><date/><date month="11" year="2017"/> </front> <refcontent>TR-177</refcontent> </reference> <reference anchor="RIPE738" target="https://www.ripe.net/publications/docs/ripe-738"> <front> <title>IPv6 Address Allocation and Assignment Policy</title> <author> <organization>RIPE</organization> </author><date/> </front> </reference> <reference anchor="RFC3587" target="https://www.rfc-editor.org/info/rfc3587" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3587.xml"> <front> <title>IPv6 Global Unicast Address Format</title> <author fullname="R. Hinden" initials="R." surname="Hinden"/> <author fullname="S. Deering" initials="S." surname="Deering"/> <author fullname="E. Nordmark" initials="E." surname="Nordmark"/><datemonth="August" year="2003"/> <abstract> <t>This document obsoletes RFC 2374, "An IPv6 Aggregatable Global Unicast Address Format". It defined an IPv6 address allocation structure that includes Top Level Aggregator (TLA) and Next Level Aggregator (NLA). This document makes RFC 2374 and the TLA/NLA structure historic. This memo provides information for the Internet community.</t> </abstract>month="03" year="2020"/> </front><seriesInfo name="RFC" value="3587"/> <seriesInfo name="DOI" value="10.17487/RFC3587"/><refcontent>RIPE-738</refcontent> </reference><reference anchor="RFC4193" target="https://www.rfc-editor.org/info/rfc4193" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4193.xml"> <front> <title>Unique Local IPv6 Unicast Addresses</title> <author fullname="R. Hinden" initials="R." surname="Hinden"/> <author fullname="B. Haberman" initials="B." surname="Haberman"/> <date month="October" year="2005"/> <abstract> <t>This document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually inside<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3587.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4193.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3756.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3971.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3972.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4389.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4429.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6459.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7066.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6575.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6583.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6775.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8505.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8928.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8929.xml"/> <!-- [SND] draft-ietf-6man-ipv6-over-wireless-08 IESG State: I-D Exists as ofa site. These addresses are not expected to be routable on the global Internet. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4193"/> <seriesInfo name="DOI" value="10.17487/RFC4193"/> </reference> <reference anchor="RFC3756" target="https://www.rfc-editor.org/info/rfc3756" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3756.xml"> <front> <title>IPv6 Neighbor Discovery (ND) Trust Models and Threats</title> <author fullname="P. Nikander" initials="P." role="editor" surname="Nikander"/> <author fullname="J. Kempf" initials="J." surname="Kempf"/> <author fullname="E. Nordmark" initials="E." surname="Nordmark"/> <date month="May" year="2004"/> <abstract> <t>The existing IETF standards specify that IPv6 Neighbor Discovery (ND) and Address Autoconfiguration mechanisms may be protected with IPsec Authentication Header (AH). However, the current specifications limit the security solutions08/01/25 --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-6man-ipv6-over-wireless.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6957.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7039.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6105.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7113.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7527.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7586.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7772.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8273.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8302.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9131.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9161.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9663.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4903.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7342.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9119.xml"/> <!-- [MADINAS] Note tomanual keying duePE: Updated draft-ietf-madinas-use-cases-19 topractical problems faced with automatic key management. This document specifies three different trust models and discusses the threats pertinent to IPv6 Neighbor Discovery. The purposeRFC 9797 --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9797.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9099.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8415.xml"/> <!-- [AddrAcc] draft-ccc-v6ops-address-accountability-00 IESG State: Expired as ofthis discussion is08/01/25 --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ccc-v6ops-address-accountability.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2026.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7278.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6085.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5517.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7102.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9686.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2461.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2462.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6762.xml"/> </references> </references> <section numbered="false" anchor="acknowledgements"> <name>Acknowledgements</name> <t>The authors would like todefine the requirements for Securing IPv6 Neighbor Discovery. This memo provides informationthank <contact fullname="Eric Vyncke"/>, <contact fullname="Gunter Van de Velde"/>, <contact fullname="Lorenzo Colitti"/>, <contact fullname="Erik Kline"/>, <contact fullname="Warren Kumari"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Gorry Fairhurst"/>, <contact fullname="Pascal Thubert"/>, <contact fullname="Jen Linkova"/>, <contact fullname="Brian Carpenter"/>, <contact fullname="Mike Ackermann"/>, <contact fullname="Nalini Elkins"/>, <contact fullname="Ed Horley"/>, <contact fullname="Ole Troan"/>, <contact fullname="David Thaler"/>, <contact fullname="Chongfeng Xie"/>, <contact fullname="Chris Cummings"/>, <contact fullname="Dale Carder"/>, <contact fullname="Tim Chown"/>, <contact fullname="Priyanka Sinha"/>, <contact fullname="Aijun Wang"/>, <contact fullname="Ines Robles"/>, <contact fullname="Magnus Westerlund"/>, <contact fullname="Barry Leiba"/>, <contact fullname="Deb Cooley"/>, and <contact fullname="Paul Wouters"/> forthe Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="3756"/> <seriesInfo name="DOI" value="10.17487/RFC3756"/> </reference> <reference anchor="RFC3971" target="https://www.rfc-editor.org/info/rfc3971" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3971.xml"> <front> <title>SEcure Neighbor Discovery (SEND)</title> <author fullname="J. Arkko" initials="J." role="editor" surname="Arkko"/> <author fullname="J. Kempf" initials="J." surname="Kempf"/> <author fullname="B. Zill" initials="B." surname="Zill"/> <author fullname="P. Nikander" initials="P." surname="Nikander"/> <date month="March" year="2005"/> <abstract> <t>IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover other nodes on the link, to determinetheirlink-layer addresses to find routers, and to maintain reachability information about the paths to active neighbors. If not secured, NDP is vulnerable to various attacks. This document specifies security mechanisms for NDP. Unlike those in the original NDP specifications, these mechanisms do not use IPsec. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3971"/> <seriesInfo name="DOI" value="10.17487/RFC3971"/> </reference> <reference anchor="RFC3972" target="https://www.rfc-editor.org/info/rfc3972" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3972.xml"> <front> <title>Cryptographically Generated Addresses (CGA)</title> <author fullname="T. Aura" initials="T." surname="Aura"/> <date month="March" year="2005"/> <abstract> <t>This document describes a method for binding a public signature key to an IPv6 address in the Secure Neighbor Discovery (SEND) protocol. Cryptographically Generated Addresses (CGA) are IPv6 addresses for which the interface identifier is generated by computing a cryptographic one-way hash function from a public key and auxiliary parameters. The binding between the public key and the address can be verified by re-computing the hash value and by comparing the hash with the interface identifier. Messages sent from an IPv6 address can be protected by attaching the public key and auxiliary parameters and by signing the message with the corresponding private key. The protection works without a certification authority or any security infrastructure. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3972"/> <seriesInfo name="DOI" value="10.17487/RFC3972"/> </reference> <reference anchor="RFC4389" target="https://www.rfc-editor.org/info/rfc4389" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4389.xml"> <front> <title>Neighbor Discovery Proxies (ND Proxy)</title> <author fullname="D. Thaler" initials="D." surname="Thaler"/> <author fullname="M. Talwar" initials="M." surname="Talwar"/> <author fullname="C. Patel" initials="C." surname="Patel"/> <date month="April" year="2006"/> <abstract> <t>Bridging multiple links into a single entity has several operational advantages. A single subnet prefix is sufficient to support multiple physical links. There is no need to allocate subnet numbers to the different networks, simplifying management. Bridging some types of media requires network-layer support, however. This document describes these cases and specifies the IP-layer support that enables bridging under these circumstances. This memo defines an Experimental Protocol for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="4389"/> <seriesInfo name="DOI" value="10.17487/RFC4389"/> </reference> <reference anchor="RFC4429" target="https://www.rfc-editor.org/info/rfc4429" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4429.xml"> <front> <title>Optimistic Duplicate Address Detection (DAD) for IPv6</title> <author fullname="N. Moore" initials="N." surname="Moore"/> <date month="April" year="2006"/> <abstract> <t>Optimistic Duplicate Address Detection is an interoperable modification of the existing IPv6 Neighbor Discovery (RFC 2461)reviews andStateless Address Autoconfiguration (RFC 2462) processes.comments. Theintention is to minimize address configuration delays in the successful case, to reduce disruption as far as possible in the failure case, and to remain interoperable with unmodified hosts and routers. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4429"/> <seriesInfo name="DOI" value="10.17487/RFC4429"/> </reference> <reference anchor="RFC6459" target="https://www.rfc-editor.org/info/rfc6459" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6459.xml"> <front> <title>IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS)</title> <author fullname="J. Korhonen" initials="J." role="editor" surname="Korhonen"/> <author fullname="J. Soininen" initials="J." surname="Soininen"/> <author fullname="B. Patil" initials="B." surname="Patil"/> <author fullname="T. Savolainen" initials="T." surname="Savolainen"/> <author fullname="G. Bajko" initials="G." surname="Bajko"/> <author fullname="K. Iisakkila" initials="K." surname="Iisakkila"/> <date month="January" year="2012"/> <abstract> <t>The use of cellular broadband for accessing the Internet and other data services via smartphones, tablets, and notebook/netbook computers has increased rapidly as a result of high-speed packet data networks such as HSPA, HSPA+, and now Long-Term Evolution (LTE) being deployed. Operators that have deployed networks based on 3rd Generation Partnership Project (3GPP) network architectures are facing IPv4 address shortages at the Internet registries and are feeling pressure to migrateauthors would also like toIPv6. This document describes the support for IPv6 in 3GPP network architectures. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="6459"/> <seriesInfo name="DOI" value="10.17487/RFC6459"/> </reference> <reference anchor="RFC7066" target="https://www.rfc-editor.org/info/rfc7066" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7066.xml"> <front> <title>IPv6thank <contact fullname="Tim Winters"/> forThird Generation Partnership Project (3GPP) Cellular Hosts</title> <author fullname="J. Korhonen" initials="J." role="editor" surname="Korhonen"/> <author fullname="J. Arkko" initials="J." role="editor" surname="Arkko"/> <author fullname="T. Savolainen" initials="T." surname="Savolainen"/> <author fullname="S. Krishnan" initials="S." surname="Krishnan"/> <date month="November" year="2013"/> <abstract> <t>As the deployment of third and fourth generation cellular networks progresses, a large number of cellular hosts arebeingconnected to the Internet. Standardization organizations have madetheInternet Protocol version 6 (IPv6) mandatory in their specifications. However, the concept of IPv6 covers many aspects and numerous specifications. In addition, the characteristics of cellular links in terms of bandwidth, cost, and delay put special requirements on how IPv6 is used. This document considers IPv6 for cellular hosts that attach to the General Packet Radio Service (GPRS), Universal Mobile Telecommunications System (UMTS), or Evolved Packet System (EPS) networks (hereafter collectively referred to as Third Generation Partnership Project (3GPP) networks). This document also lists specific IPv6 functionalities that need to be implemented in addition to what is already prescribed in the IPv6 Node Requirements document (RFC 6434). It also discusses some issues related to the use of these components when operating in these networks. Thisdocumentobsoletes RFC 3316.</t> </abstract> </front> <seriesInfo name="RFC" value="7066"/> <seriesInfo name="DOI" value="10.17487/RFC7066"/> </reference> <reference anchor="RFC6575" target="https://www.rfc-editor.org/info/rfc6575" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6575.xml"> <front> <title>Address Resolution Protocol (ARP) Mediation for IP Interworking of Layer 2 VPNs</title> <author fullname="H. Shah" initials="H." role="editor" surname="Shah"/> <author fullname="E. Rosen" initials="E." role="editor" surname="Rosen"/> <author fullname="G. Heron" initials="G." role="editor" surname="Heron"/> <author fullname="V. Kompella" initials="V." role="editor" surname="Kompella"/> <date month="June" year="2012"/> <abstract> <t>The Virtual Private Wire Service (VPWS), detailed in RFC 4664, provides point-to-point connections between pairs of Customer Edge (CE) devices. It does so by binding two Attachment Circuits (each connecting a CE device with a Provider Edge (PE) device) to a pseudowire (connecting the two PEs). In general, the Attachment Circuits must be of the same technology (e.g., both Ethernet or both ATM),shepherd.</t> </section> </back> </rfc> <!-- [rfced] Terminology andthe pseudowire must carry the frames of that technology. However, if it is known that the frames' payload consists solely of IP datagrams, it is possible to provide a point-to-point connection in which the pseudowire connects Attachment Circuits of different technologies. This requires the PEs to perform a function known as "Address Resolution Protocol (ARP) Mediation". ARP Mediation refers to the process of resolving Layer 2 addresses when different resolution protocols are used on either Attachment Circuit. The methods described in this document are applicable even when the CEs run a routing protocol between them, as long as the routing protocol runs over IP. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6575"/> <seriesInfo name="DOI" value="10.17487/RFC6575"/> </reference> <reference anchor="RFC6583" target="https://www.rfc-editor.org/info/rfc6583" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6583.xml"> <front> <title>Operational Neighbor Discovery Problems</title> <author fullname="I. Gashinsky" initials="I." surname="Gashinsky"/> <author fullname="J. Jaeggli" initials="J." surname="Jaeggli"/> <author fullname="W. Kumari" initials="W." surname="Kumari"/> <date month="March" year="2012"/> <abstract> <t>In IPv4, subnets are generally small, made just large enough to cover the actual number of machines on the subnet. In contrast, the default IPv6 subnet size is a /64, a number so large it covers trillions of addresses, the overwhelming number of which will be unassigned. Consequently, simplistic implementations of Neighbor Discovery (ND) can be vulnerable to deliberate or accidental denial of service (DoS), whereby they attempt to perform address resolution for large numbers of unassigned addresses. Such denial-of-service attacks can be launched intentionally (by an attacker) or result from legitimate operational tools or accident conditions. As a resultabbreviations: a) FYI, we updated each instance ofthese vulnerabilities, new devices may not be able"SeND" to"join" a network, it may be impossible to establish new IPv6 flows, and existing IPv6 transported flows may be interrupted.</t> <t>This document describes the potential for DoS in detail and suggests possible implementation improvements as well as operational mitigation techniques that can, in some cases, be used"SEND" toprotect against or at least alleviate the impact of such attacks. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6583"/> <seriesInfo name="DOI" value="10.17487/RFC6583"/> </reference> <reference anchor="RFC6775" target="https://www.rfc-editor.org/info/rfc6775" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6775.xml"> <front> <title>Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)</title> <author fullname="Z. Shelby" initials="Z." role="editor" surname="Shelby"/> <author fullname="S. Chakrabarti" initials="S." surname="Chakrabarti"/> <author fullname="E. Nordmark" initials="E." surname="Nordmark"/> <author fullname="C. Bormann" initials="C." surname="Bormann"/> <date month="November" year="2012"/> <abstract> <t>The IETF work in IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) defines 6LoWPANs such as IEEE 802.15.4. This and other similar link technologies have limited or nomatch usageof multicast signaling due to energy conservation. In addition, the wireless network may not strictly follow the traditional concept of IP subnets and IP links. IPv6 Neighbor Discovery was not designed for non- transitive wireless links, as its reliance on the traditional IPv6 link concept and its heavy use of multicast make it inefficient and sometimes impracticalina low-power and lossy network. This document describes simple optimizations to IPv6 Neighbor Discovery, its addressing mechanisms, and duplicate address detection for Low- power Wireless Personal Area Networks and similar networks. The document thus updatesRFC4944 to specify the use of the optimizations defined here. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6775"/> <seriesInfo name="DOI" value="10.17487/RFC6775"/> </reference> <reference anchor="RFC8505" target="https://www.rfc-editor.org/info/rfc8505" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8505.xml"> <front> <title>Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery</title> <author fullname="P. Thubert" initials="P." role="editor" surname="Thubert"/> <author fullname="E. Nordmark" initials="E." surname="Nordmark"/> <author fullname="S. Chakrabarti" initials="S." surname="Chakrabarti"/> <author fullname="C. Perkins" initials="C." surname="Perkins"/> <date month="November" year="2018"/> <abstract> <t>This specification updates RFC 6775 -- the Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery specification -- to clarify the role of the protocol as a registration technique and simplify the registration operation in 6LoWPAN routers,3971 as well asto provide enhancements to the registration capabilities and mobility detection for different network topologies, including the Routing Registrars performing routing for host routes and/or proxy Neighbor Discovery in a low-power network.</t> </abstract> </front> <seriesInfo name="RFC" value="8505"/> <seriesInfo name="DOI" value="10.17487/RFC8505"/> </reference> <reference anchor="RFC8928" target="https://www.rfc-editor.org/info/rfc8928" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8928.xml"> <front> <title>Address-Protected Neighbor Discovery for Low-Power and Lossy Networks</title> <author fullname="P. Thubert" initials="P." role="editor" surname="Thubert"/> <author fullname="B. Sarikaya" initials="B." surname="Sarikaya"/> <author fullname="M. Sethi" initials="M." surname="Sethi"/> <author fullname="R. Struik" initials="R." surname="Struik"/> <date month="November" year="2020"/> <abstract> <t>This document updates the IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery (ND) protocol defined in RFCs 6775 and 8505. The new extension is called Address-Protected Neighbor Discovery (AP-ND), and it protects the owner of an address against address theft and impersonation attacksmost usage ina Low-Power and Lossy Network (LLN). Nodes supportingrecent RFCs. b) Should "IPv6" be removed from thisextension computeabbreviation for acryptographic identifier (Crypto-ID), and use it with one ormoreof their Registered Addresses. The Crypto-ID identifies the owner of the Registered Address1:1 relationship between abbreviation andcan be usedexpansion (and toprovide proof of ownership of the Registered Addresses. Once an address is registered with the Crypto-ID and a proof of ownership is provided, only the ownermatch other uses ofthat address can modify the registration information, thereby enforcing Source Address Validation.</t> </abstract> </front> <seriesInfo name="RFC" value="8928"/> <seriesInfo name="DOI" value="10.17487/RFC8928"/> </reference> <reference anchor="RFC8929" target="https://www.rfc-editor.org/info/rfc8929" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8929.xml"> <front> <title>IPv6 Backbone Router</title> <author fullname="P. Thubert" initials="P." role="editor" surname="Thubert"/> <author fullname="C.E. Perkins" initials="C.E." surname="Perkins"/> <author fullname="E. Levy-Abegnoli" initials="E." surname="Levy-Abegnoli"/> <date month="November" year="2020"/> <abstract> <t>This document updates RFCs 6775 and 8505"Unique Prefix Per Host [RFC8273]" inorder to enable proxy services for IPv6 Neighbor Discovery by Routing Registrars called "Backbone Routers". Backbone Routers are placed along the wireless edge of a backbone and federate multiple wireless links to form a single Multi-Link Subnet (MLSN).</t> </abstract> </front> <seriesInfo name="RFC" value="8929"/> <seriesInfo name="DOI" value="10.17487/RFC8929"/> </reference> <reference anchor="I-D.ietf-6man-ipv6-over-wireless" target="https://datatracker.ietf.org/doc/html/draft-ietf-6man-ipv6-over-wireless-08" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-6man-ipv6-over-wireless.xml"> <front> <title>Architecture and Framework for IPv6 over Non-Broadcast Access</title> <author fullname="Pascal Thubert" initials="P." surname="Thubert"/> <author fullname="Michael Richardson" initials="M." surname="Richardson"> <organization>Sandelman Software Works</organization> </author> <date day="19" month="May" year="2025"/> <abstract> <t>This document presents an architecture and framework for IPv6 access networks that decouples the network-layer concepts of Links, Interface, and Subnets from the link-layer concepts of links, ports, and broadcast domains, and limits the reliance on link-layer broadcasts. This architecture is suitable forthis document)? Original: 3.3. Unique IPv6over any network, including non-broadcast networks, which is typically the case for intangible media such as wireless and virtual networks such as overlays. A study of the issuesPrefix per Host (UPPH) Perhaps: 3.3. Unique Prefix per Host (UPPH) c) FYI - For consistency withIPv6 ND over intangible media is presented, and a frameworkRFC 9663, we have expanded "DHCP-PD" tosolve those issues within the new architecture is proposed.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-6man-ipv6-over-wireless-08"/> </reference> <reference anchor="RFC6957" target="https://www.rfc-editor.org/info/rfc6957" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6957.xml"> <front> <title>Duplicate Address Detection Proxy</title> <author fullname="F. Costa" initials="F." surname="Costa"/> <author fullname="J-M. Combes" role="editor" surname="J-M. Combes"/> <author fullname="X. Pougnard" initials="X." surname="Pougnard"/> <author fullname="H. Li" initials="H." surname="Li"/> <date month="June" year="2013"/> <abstract> <t>The document describes a proxy-based mechanism allowing the use of Duplicate Address Detection (DAD) by IPv6 nodes in a point-to-multipoint architecture with a "split-horizon" forwarding scheme, primarily deployed for Digital Subscriber Line (DSL)"DHCPv6 Prefix Delegation (DHCPv6-PD)" andFiber access architectures. Based on the DAD signaling, the first-hop router stores in a Binding Table all known IPv6 addresses used on a point-to-multipoint domain (e.g., VLAN). When a node performs DAD for an address already used byupdated anothernode, the first-hop router defends the address rather than the device using the address.</t> </abstract> </front> <seriesInfo name="RFC" value="6957"/> <seriesInfo name="DOI" value="10.17487/RFC6957"/> </reference> <reference anchor="RFC7039" target="https://www.rfc-editor.org/info/rfc7039" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7039.xml"> <front> <title>Source Address Validation Improvement (SAVI) Framework</title> <author fullname="J. Wu" initials="J." surname="Wu"/> <author fullname="J. Bi" initials="J." surname="Bi"/> <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/> <author fullname="F. Baker" initials="F." surname="Baker"/> <author fullname="C. Vogt" initials="C." role="editor" surname="Vogt"/> <date month="October" year="2013"/> <abstract> <t>Source Address Validation Improvement (SAVI) methods were developed to prevent nodes attached to the same IP link from spoofing each other's IP addresses, so as to complement ingress filtering with finer-grained, standardized IP source address validation. This document is a framework document that describes and motivates the designinstance ofthe SAVI methods. Particular SAVI methods are described in other documents.</t> </abstract> </front> <seriesInfo name="RFC" value="7039"/> <seriesInfo name="DOI" value="10.17487/RFC7039"/> </reference> <reference anchor="RFC6105" target="https://www.rfc-editor.org/info/rfc6105" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6105.xml"> <front> <title>IPv6 Router Advertisement Guard</title> <author fullname="E. Levy-Abegnoli" initials="E." surname="Levy-Abegnoli"/> <author fullname="G. Van de Velde" initials="G." surname="Van de Velde"/> <author fullname="C. Popoviciu" initials="C." surname="Popoviciu"/> <author fullname="J. Mohacsi" initials="J." surname="Mohacsi"/> <date month="February" year="2011"/> <abstract> <t>Routed protocols are often susceptible to spoof attacks. The canonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solution that is non-trivial to deploy. This document proposes a light-weight alternative and complement"DHCP-PD" toSEND based on filtering in the layer-2 network fabric, using a variety of filtering criteria, including, for example, SEND status. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="6105"/> <seriesInfo name="DOI" value="10.17487/RFC6105"/> </reference> <reference anchor="RFC7113" target="https://www.rfc-editor.org/info/rfc7113" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7113.xml"> <front> <title>Implementation Advice"DHCPv6-PD". Please review. d) FYI - We have added expansions forIPv6 Router Advertisement Guard (RA-Guard)</title> <author fullname="F. Gont" initials="F." surname="Gont"/> <date month="February" year="2014"/> <abstract> <t>The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly employed to mitigate attack vectors based on forged ICMPv6 Router Advertisement messages. Many existing IPv6 deployments rely on RA-Guard as theabbreviations upon firstline of defense against the aforementioned attack vectors. However, some implementationsuse per Section 3.6 ofRA-Guard have been found to be prone to circumvention by employing IPv6 Extension Headers. This document describes the evasion techniques that affect the aforementioned implementations and formally updatesRFC6105, such that the aforementioned RA-Guard evasion vectors are eliminated.</t> </abstract> </front> <seriesInfo name="RFC" value="7113"/> <seriesInfo name="DOI" value="10.17487/RFC7113"/> </reference> <reference anchor="RFC7527" target="https://www.rfc-editor.org/info/rfc7527" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7527.xml"> <front> <title>Enhanced Duplicate Address Detection</title> <author fullname="R. Asati" initials="R." surname="Asati"/> <author fullname="H. Singh" initials="H." surname="Singh"/> <author fullname="W. Beebee" initials="W." surname="Beebee"/> <author fullname="C. Pignataro" initials="C." surname="Pignataro"/> <author fullname="E. Dart" initials="E." surname="Dart"/> <author fullname="W. George" initials="W." surname="George"/> <date month="April" year="2015"/> <abstract> <t>IPv6 Loopback Suppression and Duplicate Address Detection (DAD) are discussed7322 ("RFC Style Guide"). Please review each expansion inAppendix A of RFC 4862. That specification mentions a hardware-assisted mechanism to detect looped back DAD messages. If hardware cannot suppress looped back DAD messages, a software solution is required. Several service provider communities have expressed a need for automated detection of looped back Neighbor Discovery (ND) messages used by DAD. This document includes mitigation techniques and outlines the Enhanced DAD algorithm to automate the detection of looped back IPv6 ND messages used by DAD. For network loopback tests, the Enhanced DAD algorithm allows IPv6 to self-heal after a loopback is placed and removed. Further, for certain access networks, this document automates resolving a specific duplicate address conflict. This document updates RFCs 4429, 4861, and 4862.</t> </abstract> </front> <seriesInfo name="RFC" value="7527"/> <seriesInfo name="DOI" value="10.17487/RFC7527"/> </reference> <reference anchor="RFC7586" target="https://www.rfc-editor.org/info/rfc7586" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7586.xml"> <front> <title>The Scalable Address Resolution Protocol (SARP) for Large Data Centers</title> <author fullname="Y. Nachum" initials="Y." surname="Nachum"/> <author fullname="L. Dunbar" initials="L." surname="Dunbar"/> <author fullname="I. Yerushalmi" initials="I." surname="Yerushalmi"/> <author fullname="T. Mizrahi" initials="T." surname="Mizrahi"/> <date month="June" year="2015"/> <abstract> <t>This document introducestheScalable Address Resolution Protocol (SARP), an architecture that uses proxy gateways to scale large data center networks. SARP is based on fast proxies that significantly reduce switches' Filtering Database (FDB) table sizes and reduce impact of ARP and Neighbor Discovery (ND) on network elements in an environment where hosts within one subnet (or VLAN) can spread over various locations. SARP is targeted for massive data centers with a significant number of Virtual Machines (VMs) that can move across various physical locations.</t> </abstract> </front> <seriesInfo name="RFC" value="7586"/> <seriesInfo name="DOI" value="10.17487/RFC7586"/> </reference> <reference anchor="RFC7772" target="https://www.rfc-editor.org/info/rfc7772" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7772.xml"> <front> <title>Reducing Energy Consumption of Router Advertisements</title> <author fullname="A. Yourtchenko" initials="A." surname="Yourtchenko"/> <author fullname="L. Colitti" initials="L." surname="Colitti"/> <date month="February" year="2016"/> <abstract> <t>Frequent Router Advertisement messages can severely impact host power consumption. This document recommends operational practices to avoid such impact.</t> </abstract> </front> <seriesInfo name="BCP" value="202"/> <seriesInfo name="RFC" value="7772"/> <seriesInfo name="DOI" value="10.17487/RFC7772"/> </reference> <reference anchor="RFC8273" target="https://www.rfc-editor.org/info/rfc8273" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8273.xml"> <front> <title>Unique IPv6 Prefix per Host</title> <author fullname="J. Brzozowski" initials="J." surname="Brzozowski"/> <author fullname="G. Van de Velde" initials="G." surname="Van de Velde"/> <date month="December" year="2017"/> <abstract> <t>This document outlines an approach utilizing existing IPv6 protocols to allow hosts to be assigned a unique IPv6 prefix (instead of a unique IPv6 address from a shared IPv6 prefix). Benefits of using a unique IPv6 prefix over a unique service-provider IPv6 address include improved host isolation and enhanced subscriber management on shared network segments.</t> </abstract> </front> <seriesInfo name="RFC" value="8273"/> <seriesInfo name="DOI" value="10.17487/RFC8273"/> </reference> <reference anchor="RFC8302" target="https://www.rfc-editor.org/info/rfc8302" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8302.xml"> <front> <title>Transparent Interconnection of Lots of Links (TRILL): ARP and Neighbor Discovery (ND) Optimization</title> <author fullname="Y. Li" initials="Y." surname="Li"/> <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/> <author fullname="L. Dunbar" initials="L." surname="Dunbar"/> <author fullname="R. Perlman" initials="R." surname="Perlman"/> <author fullname="M. Umair" initials="M." surname="Umair"/> <date month="January" year="2018"/> <abstract> <t>Thisdocumentdescribes mechanismscarefully tooptimize the Address Resolution Protocol (ARP) and Neighbor Discovery (ND) traffic in a Transparent Interconnection of Lots of Links (TRILL) campus. TRILL switches maintain a cache of IP /ensure correctness. Media Access Control (MAC)address / Data Label bindings that are learned from ARP/ND requests and responses that pass through them. In many cases, this cache allows an edge Routing Bridge (RBridge) to avoid flooding an ARP/ND request by either responding to it directly or encapsulating it and unicasting it. Such optimization reduces packet flooding over a TRILL campus.</t> </abstract> </front> <seriesInfo name="RFC" value="8302"/> <seriesInfo name="DOI" value="10.17487/RFC8302"/> </reference> <reference anchor="RFC9131" target="https://www.rfc-editor.org/info/rfc9131" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9131.xml"> <front> <title>Gratuitous Neighbor Discovery: Creating Neighbor Cache Entries on First-Hop Routers</title> <author fullname="J. Linkova" initials="J." surname="Linkova"/> <date month="October" year="2021"/> <abstract> <t>Neighbor Discovery (RFC 4861) is used by IPv6 nodes to determine the link-layer addresses of neighboring nodes as well as to discover and maintain reachability information. This document updates RFC 4861 to allow routers to proactively create a Neighbor Cache entry when a new IPv6 address is assigned to a node. It also updates RFC 4861 and recommends that nodes send unsolicited Neighbor Advertisements upon assigning a new IPv6 address. These changes will minimize the delay and packet loss when a node initiates connections to an off-link destination from a new IPv6 address.</t> </abstract> </front> <seriesInfo name="RFC" value="9131"/> <seriesInfo name="DOI" value="10.17487/RFC9131"/> </reference> <reference anchor="RFC9161" target="https://www.rfc-editor.org/info/rfc9161" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9161.xml"> <front> <title>Operational Aspects of Proxy ARP/ND in Ethernet Virtual Private Networks</title> <author fullname="J. Rabadan" initials="J." role="editor" surname="Rabadan"/> <author fullname="S. Sathappan" initials="S." surname="Sathappan"/> <author fullname="K. Nagaraj" initials="K." surname="Nagaraj"/> <author fullname="G. Hankins" initials="G." surname="Hankins"/> <author fullname="T. King" initials="T." surname="King"/> <date month="January" year="2022"/> <abstract> <t>This document describes the Ethernet Virtual Private Network (EVPN) Proxy ARP/ND function augmented by the capability of the ARP/ND Extended Community. From that perspective, this document updates the EVPN specification to provide more comprehensive documentation of the operation of the Proxy ARP/ND function. The EVPN Proxy ARP/ND function and the ARP/ND Extended Community help operators of Internet Exchange Points, Data Centers, and other networks deal with IPv4 and IPv6 address resolution issues associated with large Broadcast Domains by reducing and even suppressing the flooding produced by address resolution in the EVPN network.</t> </abstract> </front> <seriesInfo name="RFC" value="9161"/> <seriesInfo name="DOI" value="10.17487/RFC9161"/> </reference> <reference anchor="RFC9663" target="https://www.rfc-editor.org/info/rfc9663" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9663.xml"> <front> <title>UsingDHCPv6 Prefix Delegation (DHCPv6-PD)to Allocate Unique IPv6 Prefixes per Client in Large Broadcast Networks</title> <author fullname="L. Colitti" initials="L." surname="Colitti"/> <author fullname="J. Linkova" initials="J." role="editor" surname="Linkova"/> <author fullname="X. Ma" initials="X." role="editor" surname="Ma"/> <date month="October" year="2024"/> <abstract> <t>This document discusses an IPv6 deployment scenario when individual nodes connected to large broadcast networks (such as enterprise networks or public Wi-Fi networks) are allocated unique prefixes via DHCPv6 Prefix Delegation (DHCPv6-PD), as specified in RFC 8415.</t> </abstract> </front> <seriesInfo name="RFC" value="9663"/> <seriesInfo name="DOI" value="10.17487/RFC9663"/> </reference> <reference anchor="RFC4903" target="https://www.rfc-editor.org/info/rfc4903" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4903.xml"> <front> <title>Multi-Link Subnet Issues</title> <author fullname="D. Thaler" initials="D." surname="Thaler"/> <date month="June" year="2007"/> <abstract> <t>There have been several proposals around the notion that a subnet may span multiple links connected by routers. This memo documents the issues and potential problems that have been raised with such an approach. This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="4903"/> <seriesInfo name="DOI" value="10.17487/RFC4903"/> </reference> <reference anchor="RFC7342" target="https://www.rfc-editor.org/info/rfc7342" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7342.xml"> <front> <title>Practices for Scaling ARP and Neighbor Discovery (ND) in Large Data Centers</title> <author fullname="L. Dunbar" initials="L." surname="Dunbar"/> <author fullname="W. Kumari" initials="W." surname="Kumari"/> <author fullname="I. Gashinsky" initials="I." surname="Gashinsky"/> <date month="August" year="2014"/> <abstract> <t>This memo documents some operational practices that allow ARP and Neighbor Discovery (ND) to scale in data center environments.</t> </abstract> </front> <seriesInfo name="RFC" value="7342"/> <seriesInfo name="DOI" value="10.17487/RFC7342"/> </reference> <reference anchor="RFC9119" target="https://www.rfc-editor.org/info/rfc9119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9119.xml"> <front> <title>Multicast Considerations over IEEE 802 Wireless Media</title> <author fullname="C. Perkins" initials="C." surname="Perkins"/> <author fullname="M. McBride" initials="M." surname="McBride"/> <author fullname="D. Stanley" initials="D." surname="Stanley"/> <author fullname="W. Kumari" initials="W." surname="Kumari"/> <author fullname="JC. Zúñiga" initials="JC." surname="Zúñiga"/> <date month="October" year="2021"/> <abstract> <t>Well-known issues with multicast have prevented the deployment of multicast in 802.11 (Wi-Fi) and other local-area wireless environments. This document describes--> <!-- [rfced] Please review theknown limitations"Inclusive Language" portion ofwireless (primarily 802.11) Layer 2 multicast. Also described are certain multicast enhancement features that have been specified bytheIETFonline Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> andby IEEE 802 for wireless media, as well as some operational choices that can be made to improve the performance of the network. Finally, some recommendationslet us know if any changes areprovided about the usage and combination of these features and operational choices.</t> </abstract> </front> <seriesInfo name="RFC" value="9119"/> <seriesInfo name="DOI" value="10.17487/RFC9119"/> </reference> <reference anchor="I-D.ietf-madinas-use-cases" target="https://datatracker.ietf.org/doc/html/draft-ietf-madinas-use-cases-19" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-madinas-use-cases.xml"> <front> <title>Randomized and Changing MAC Address: Context, Network Impacts, and Use Cases</title> <author fullname="Jerome Henry" initials="J." surname="Henry"> <organization>Cisco Systems</organization> </author> <author fullname="Yiu Lee" initials="Y." surname="Lee"> <organization>Comcast</organization> </author> <date day="20" month="December" year="2024"/> <abstract> <t>To limit the privacy issues created by the association between a device, its traffic, its location, and its user in [IEEE_802] networks, client and client Operating System vendors have started implementing MAC address randomization. This technology is particularly important in Wi-Fi [IEEE_802.11] networks due to the over-the-air medium and device mobility. When such randomization happens, some in-network states may break, which may affect network connectivity and user experience. At the same time, devices may continue using other stable identifiers, defeating the MAC address randomization purposes. This document lists various network environments and a rangeneeded. Updates ofnetwork services that may be affected by such randomization. This document then examines settings where the user experience may be affected by in-network state disruption. Last,thisdocument examines two existing frameworks to maintain user privacy while preserving user quality of experience and network operation efficiency.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-madinas-use-cases-19"/> </reference> <reference anchor="RFC9099" target="https://www.rfc-editor.org/info/rfc9099" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9099.xml"> <front> <title>Operational Security Considerations for IPv6 Networks</title> <author fullname="É. Vyncke" surname="É. Vyncke"/> <author fullname="K. Chittimaneni" initials="K." surname="Chittimaneni"/> <author fullname="M. Kaeo" initials="M." surname="Kaeo"/> <author fullname="E. Rey" initials="E." surname="Rey"/> <date month="August" year="2021"/> <abstract> <t>Knowledge and experience on how to operate IPv4 networks securely is available, whether the operator is an Internet Service Provider (ISP) or an enterprise internal network. However, IPv6 presents some new security challenges. RFC 4942 describes security issuesnature typically result inthe protocol, but network managers also need amorepractical, operations-minded document to enumerate advantages and/or disadvantages of certain choices.</t> <t>This document analyzes the operational security issues associated with several types of networks and proposes technical and procedural mitigation techniques. This documentprecise language, which isonly applicable to managed networks, such as enterprise networks, service provider networks, or managed residential networks.</t> </abstract> </front> <seriesInfo name="RFC" value="9099"/> <seriesInfo name="DOI" value="10.17487/RFC9099"/> </reference> <reference anchor="RFC8415" target="https://www.rfc-editor.org/info/rfc8415" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8415.xml"> <front> <title>Dynamic Host Configuration Protocol for IPv6 (DHCPv6)</title> <author fullname="T. Mrugalski" initials="T." surname="Mrugalski"/> <author fullname="M. Siodelski" initials="M." surname="Siodelski"/> <author fullname="B. Volz" initials="B." surname="Volz"/> <author fullname="A. Yourtchenko" initials="A." surname="Yourtchenko"/> <author fullname="M. Richardson" initials="M." surname="Richardson"/> <author fullname="S. Jiang" initials="S." surname="Jiang"/> <author fullname="T. Lemon" initials="T." surname="Lemon"/> <author fullname="T. Winters" initials="T." surname="Winters"/> <date month="November" year="2018"/> <abstract> <t>This document describes the Dynamic Host Configuration Protocolhelpful forIPv6 (DHCPv6): an extensible mechanism for configuring nodes with network configuration parameters, IP addresses, and prefixes. Parameters can be provided statelessly, or in combination with stateful assignment of one or more IPv6 addresses and/or IPv6 prefixes. DHCPv6 can operate either in place of or in addition to stateless address autoconfiguration (SLAAC).</t> <t>This document updates the text from RFC 3315 (the original DHCPv6 specification) and incorporates prefix delegation (RFC 3633), stateless DHCPv6 (RFC 3736), an option to specify an upper bound for how long a clientreaders. For example, please consider whether "native" shouldwait before refreshing information (RFC 4242), a mechanism for throttling DHCPv6 clients when DHCPv6 service is not available (RFC 7083), and relay agent handling of unknown messages (RFC 7283). In addition, this document clarifies the interactions between models of operation (RFC 7550). As such, this document obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC 7550.</t> </abstract> </front> <seriesInfo name="RFC" value="8415"/> <seriesInfo name="DOI" value="10.17487/RFC8415"/> </reference> <reference anchor="I-D.ccc-v6ops-address-accountability" target="https://datatracker.ietf.org/doc/html/draft-ccc-v6ops-address-accountability-00" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ccc-v6ops-address-accountability.xml"> <front> <title>IPv6 Address Accountability Considerations</title> <author fullname="Tim Chown" initials="T." surname="Chown"> <organization>Jisc</organization> </author> <author fullname="Chris Cummings" initials="C." surname="Cummings"> <organization>Energy Sciences Network</organization> </author> <author fullname="Dale W. Carder" initials="D. W." surname="Carder"> <organization>ESnet</organization> </author> <date day="21" month="October" year="2024"/> <abstract> <t>Hostsbe updated inIPv4 networks typically acquire addresses by use of DHCP, and retain that address and only that address whiletheDHCP lease remains valid. In IPv6 networks, hosts may use DHCPv6, but may instead autoconfigure their own global address(es), and potentially use many privacy addresses over time. This behaviour places an additional burden on network operators who require address accountability for their users and devices. There has been some discussion of this issue on various mail lists; thistextattempts to capture the issues to encourage further discussion.</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ccc-v6ops-address-accountability-00"/> </reference> <reference anchor="RFC2026" target="https://www.rfc-editor.org/info/rfc2026" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2026.xml"> <front> <title>The Internet Standards Process -- Revision 3</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="October" year="1996"/> <abstract> <t>This memo documents the process used by the Internet community for the standardization of protocols and procedures. It defines the stages in the standardization process, the requirements for moving a document between stages and the types of documents used during this process. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="9"/> <seriesInfo name="RFC" value="2026"/> <seriesInfo name="DOI" value="10.17487/RFC2026"/> </reference> <reference anchor="RFC7278" target="https://www.rfc-editor.org/info/rfc7278" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7278.xml"> <front> <title>Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link</title> <author fullname="C. Byrne" initials="C." surname="Byrne"/> <author fullname="D. Drown" initials="D." surname="Drown"/> <author fullname="A. Vizdal" initials="A." surname="Vizdal"/> <date month="June" year="2014"/> <abstract> <t>This document describes requirements for extending an IPv6 /64 prefix from a User Equipment Third Generation Partnership Project (3GPP) radio interface to a LAN link and describes two implementation examples.</t> </abstract> </front> <seriesInfo name="RFC" value="7278"/> <seriesInfo name="DOI" value="10.17487/RFC7278"/> </reference> <reference anchor="RFC6085" target="https://www.rfc-editor.org/info/rfc6085" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6085.xml"> <front> <title>Address Mapping of IPv6 Multicast Packets on Ethernet</title> <author fullname="S. Gundavelli" initials="S." surname="Gundavelli"/> <author fullname="M. Townsley" initials="M." surname="Townsley"/> <author fullname="O. Troan" initials="O." surname="Troan"/> <author fullname="W. Dec" initials="W." surname="Dec"/> <date month="January" year="2011"/> <abstract> <t>When transmitting an IPv6 packet with a multicast destination address, the IPv6 destination address is mapped to an Ethernet link-layer multicast address. This document clarifies that a mapping of an IPv6 packet with a multicast destination address may in some circumstances map to an Ethernet link-layer unicast address. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6085"/> <seriesInfo name="DOI" value="10.17487/RFC6085"/> </reference> <reference anchor="RFC5517" target="https://www.rfc-editor.org/info/rfc5517" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5517.xml"> <front> <title>Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment</title> <author fullname="S. HomChaudhuri" initials="S." surname="HomChaudhuri"/> <author fullname="M. Foschiano" initials="M." surname="Foschiano"/> <date month="February" year="2010"/> <abstract> <t>This document describes a mechanism to achieve device isolation through the application of special Layer 2 forwarding constraints. Such a mechanism allows end devices to share the same IP subnet while being Layer 2 isolated, which in turn allows network designers to employ larger subnets and so reduce the address management overhead.</t> <t>Some of the numerous deployment scenarios of the aforementioned mechanism (which range from data center designs to Ethernet-to-the-home-basement networks)below: The switches arementioned in the following text to exemplify the mechanism's possible usages; however, this document is not intended to cover all such deployment scenarios nor delve into their details. This document is not an Internet Standards Track specification; it is published for informational purposes.</t> </abstract> </front> <seriesInfo name="RFC" value="5517"/> <seriesInfo name="DOI" value="10.17487/RFC5517"/> </reference> <reference anchor="RFC7102" target="https://www.rfc-editor.org/info/rfc7102" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7102.xml"> <front> <title>Terms Used in Routing for Low-Power and Lossy Networks</title> <author fullname="JP. Vasseur" initials="JP." surname="Vasseur"/> <date month="January" year="2014"/> <abstract> <t>This document provides a glossary of terminology used in routing requirements and solutions for networks referred to as Low-Power and Lossy Networks (LLNs). An LLN is typically composed of many embedded devices with limited power, memory, and processing resourcesinterconnected by avariety of links. There is a wide scope of application areas for LLNs, including industrial monitoring, building automation (e.g., heating, ventilation, air conditioning, lighting, access control, fire), connected home, health care, environmental monitoring, urban sensor networks, energy management, assets tracking, and refrigeration.</t> </abstract> </front> <seriesInfo name="RFC" value="7102"/> <seriesInfo name="DOI" value="10.17487/RFC7102"/> </reference> <reference anchor="RFC9686" target="https://www.rfc-editor.org/info/rfc9686" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9686.xml"> <front> <title>Registering Self-Generated IPv6 Addresses Using DHCPv6</title> <author fullname="W. Kumari" initials="W." surname="Kumari"/> <author fullname="S. Krishnan" initials="S." surname="Krishnan"/> <author fullname="R. Asati" initials="R." surname="Asati"/> <author fullname="L. Colitti" initials="L." surname="Colitti"/> <author fullname="J. Linkova" initials="J." surname="Linkova"/> <author fullname="S. Jiang" initials="S." surname="Jiang"/> <date month="December" year="2024"/> <abstract> <t>This document defines a method to inform a DHCPv6 server that a device has one or more self-generated or statically configured addresses.</t> </abstract> </front> <seriesInfo name="RFC" value="9686"/> <seriesInfo name="DOI" value="10.17487/RFC9686"/> </reference> <reference anchor="RFC2461" target="https://www.rfc-editor.org/info/rfc2461" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2461.xml"> <front> <title>Neighbor Discovery for IP Version 6 (IPv6)</title> <author fullname="T. Narten" initials="T." surname="Narten"/> <author fullname="E. Nordmark" initials="E." surname="Nordmark"/> <author fullname="W. Simpson" initials="W." surname="Simpson"/> <date month="December" year="1998"/> <abstract> <t>This document specifies the Neighbor Discovery protocol for IP Version 6. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="2461"/> <seriesInfo name="DOI" value="10.17487/RFC2461"/> </reference> <reference anchor="RFC2462" target="https://www.rfc-editor.org/info/rfc2462" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2462.xml"> <front> <title>IPv6 Stateless Address Autoconfiguration</title> <author fullname="S. Thomson" initials="S." surname="Thomson"/> <author fullname="T. Narten" initials="T." surname="Narten"/> <date month="December" year="1998"/> <abstract> <t>This document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="2462"/> <seriesInfo name="DOI" value="10.17487/RFC2462"/> </reference> <reference anchor="RFC6762" target="https://www.rfc-editor.org/info/rfc6762" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6762.xml"> <front> <title>Multicast DNS</title> <author fullname="S. Cheshire" initials="S." surname="Cheshire"/> <author fullname="M. Krochmal" initials="M." surname="Krochmal"/> <date month="February" year="2013"/> <abstract> <t>As networked devices become smaller, more portable, and more ubiquitous, the ability to operate with less configured infrastructure is increasingly important. In particular, the ability to look up DNS resource record data types (including, but not limited to, host names) in the absence of a conventional managed DNS server is useful.</t> <t>Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server. In addition, Multicast DNS designates a portion of the DNS namespace to be free for local use, without the need to pay any annual fee, and without the need to set up delegations or otherwise configure a conventional DNS server to answer for those names.</t> <t>The primary benefits of Multicast DNS names are that (i) they require little or no administrationnative orconfiguration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures.</t> </abstract> </front> <seriesInfo name="RFC" value="6762"/> <seriesInfo name="DOI" value="10.17487/RFC6762"/> </reference> </references> </references> <?line 1029?> <section numbered="false" anchor="acknowledgements"> <name>Acknowledgements</name> <t>The authors would like to thank Eric Vyncke, Gunter Van de Velde, Lorenzo Colitti, Erik Kline, Warren Kumari, Mohamed Boucadair, Gorry Fairhurst, Pascal Thubert, Jen Linkova, Brian Carpenter, Mike Ackermann, Nalini Elkins, Ed Horley, Ole Troan, David Thaler, Chongfeng Xie, Chris Cummings, Dale Carder, Tim Chown, Priyanka Sinha, Aijun Wang, Ines Robles, Magnus Westerlund, Barry Leiba, Deb Cooley and Paul Wouters for their reviews and comments. The authors would also like to thank Tim Winters for being the document shepherd.</t> </section> </back> <!-- ##markdown-source: H4sIAAAAAAAAA9V9a3MbyRHYd/6KCf3hCBvAiaRESkylYvAhHWOKhyL1uFQq 5VoAA2CtxS68D0K4k/Pb0895LJaUZJ8rDqsokcRuz0xPT7+7ZzAY7NVpndkz s39r08VyUpTmMq2mxYMtt+aiyKt0ZsukTuEnk+bmevxwYi7tOiu2K5vX1f5e MpmU9uHMmHw2mEbP782KaZ6sAPasTOb1ILX1fPBwUqyrwc6zg8Pne3t76bo8 M3XZVPXRs2evnh3tVXWSz5KsyC393e4lpU1grj+v3aTgAfM2yZOFxQnt720W ZzzL4JkDGrVnPhblpzRfmDdl0az3Pm3gyby2ZW7rwSVOcW+a1GewzHmxVzWT VVpV8Hq9XcPo11fvXu/tTYsZvH9mGljJy711emb+V11M+6Yqyrq08wp+2q7w h/+9t5c09bIoz/bMYM/A17zJMsbGL+nYwiR+SZOCPinKRZKnv9Jcz8xPTbKx qXlnp8u8yIpFait6yq6SNDszn9M1vPwZ3v3zkp4cTovV7hhXsyYpZ+ZDUqWZ zT/9EwM96KtDS7C+Zbi3tv61Y6S/jG/N7fDDMATPQIcreOPPn9Z5N9g32yQ3 b9NqWSYdYD/YMv21AJrMpxHoBbw1rIYreu/PD/xU9wC36fSTOW/KZJGlXTi6 ym252Jr7aWrzqa3Mra03QEPhaBN5+8+2GgIhARED+ZQrAPBgz/bwyXd3h6en Z/QOful5IyKFI1UvrYHDUNvPtSnm8PTg8Nnhvnt8ltTw9DzJKuv+5kgr+BpE v+E6zsx5WSSzCZ6Q10XZrPoE/PSUZnV3Pb46PX75yLxGs1lpq8qMsqyYEjLo oI3gRCxyPGhmXGTpdPv0POukXFg4Ucu6XldnP/642WyGJRAwIurHdTMBCHxC fwRWUf2IHw1gTt+9TlxL8Le9vcFgYJJJVZfJtOY9ACR3MLiD28ueWZcFHOIi MylwEzMt0xqmlcGerNbAeHLaFdgkBEO4ScrpMq3ttG5KOyTIDkJTAZGsmgwh VDXu7irJt2YFqAQGVQ3NdY1gAEmFSaqqgQ9gyMpOGxgVnitmNjObpS0tPJOZ HH6vDOLeZGn+CUa2zB7tjCj+vpku4TN4CHbFrGB5tZlYGNbO5ynSLE2hKlbW VFObJ2VaADO0w8Wwj1OFhSGUaL6btLQZ7nzOpA5cEzAGU8plNjiHvKh5HvBE vdwiEIHKm2qS6TSCQWiCAd1KkZgKZdBJhhCA2zaW+TkeCUBPMU2BqGawsDpd MBFWRdYI34d5ANU0SIzwTJrTUgrE0BK4xtEzc/f6oqKB4W+0tbmFB+vCIFl8 wkEqG4yK73vwKSK9Amaf+WGGTEoFjlCbJIUDVS8Bsn5uYENXgORfASAugZBR LWHQ28vWQDUiFNAJ1DaBvy6LDW14NKeiTBdpDhgw87JYwWelBU6RII3R7ssZ RYGGo8lbMJ9VMgNUp6t1ZkszAWTHDwoIwExKHN9Nn8kStmOrK+jGPOzQzK7g R0BkzVKDMJLCM/AwDLMsqhpxCMiepfM57ABhZwIEwe8jOVcwk9wsbbaGTaFj IUwHR45Wa9406SwBDoyrg8P2AIrDzACbBYLK4CDikCQhqiatk0lmdSowb5Aw y4K2fQ16Cs5jXdTwXwpH3G3LkFnGKp3NMru39wfUC8pi1kwRBO36Y8zjt9/+ C9DZ85cnh//4h6nWdprOU0UeSFaQJdWqYvQg80BQfI4OGEeIDNBGQAvBk8bS oALZxAceDynMHFjRqsmRWVoloMwmJZDoBF41NgE2UMCb5dDc1/AQHWDHwhvk Tfk8XTR83MzB/c1odNFDMG76RzD9SZNms4pnUcDIgJ5wDQUMWsvsFSBulE1L BFVsRD2UbcR9+4hkzhTVIlMGs0q2BiRr0aAahkA2ab2EcfsmrYkyaNiH1G7o XZoQs1L8Hd79jNNbELkUzWIJ2JDTlZaAwbkdTLfTzMI5TUjxo4UzXUb6J59s EJJw6HFf+jQcbjOeSqC4KegrwkYqIDyQipuKpbsxh0NzczMyl6PLM5IGCACJ c4U85wa2cXBToEDRDTmAp3u08cAA6Tkn0i6bdcbbrA9fWpQ0tGswQA8oAtfh WbbSpQNxj3IZToFovrf3wH35w6OhuSNK8zQcTLiy+SyUXfJoBM4NcnAHYA2d boYEK2UqVhpG8mXhKH+H1YA4nXkYtNUyymgGMOq0Ih0eZn03qnp9Oem4XmYd eILn6WfPRVkDQMI3TuuCzfSLSoFHwQ7iRrgDfAGnxYJmV5dbv57bi6seMRQ6 qTLlBiYM857a9EGpFyYGQjwnha1MhFAcGHkP2BpKSBkcJmsAvECXicEgJDpW xSrWMOjLkfXEEgd07/1QmUVWTICYrseOXQKYqk5hoCb/lMMpHDo4dPxqvwfA EuFfFIN0rmBGG1TbE7MGgQj4RdnoRnJQZEQZjo7mBocT6nXzgH9ERhBxy/K9 MreLBpnpMTD4948doDc8+vucydIdInij52D/9tt/BzZ2/OLlKbAxOsXw/N8b a1on7z2ePH74+eGrY3gYZ4oyxoEKjtZ9RbOFeQ2JN5BIxdOwxQ1j6b3G9bIe 4FVhFaiEJiSFeVMSlcJxQWHVgFZAS8bRYU6Ch+dDoNLP9WBZrAE6bNUKxb/i cxfNZ36DEWVufLfBeKbd7vqNm6clLE9HsKjd0exCEsx1IqQ56dkucReLfEDC ibbpYLNMQfqkVfQ24KaWuYPud03U3QmyHxyJDGz72dYsE49JYvqOaNzJ7AYZ zwyXG/CajJTz1u6iUvA4EQuldi2KqRfMIVyIrQAoL6QqmnK6w3uI8B0YPQA7 4PiJF0AEIBuBgEuU68kkzZDgAjlw+/6yFxwUsjma3K3KI6/o2OMkZ36J8pdZ sJxL5SKemfHwmZWJnQxZmGXJFuEIvoRRIcdrQEFDsj/D3UmUX2XuHc8JoneZ o6Am0NognGFbMNyCYAgXqOMCCDQ3NsFwXp0sjF9zFYr6kAYjIQ8nPc2SEhmx XddMerUaEjkpq21RimIBDLNk1ld9ztOWubMzsKumdTAKwkQ4rAbOCuITy+QB TMqRnjeWycHrsBQWdGjNIH6AD5HiO7E1s3Y5D0pk+BBsAsgqtAh57aBFfcVO 7bN1V3ltiywQZ5L2SVv3mivtnoo7ICbmm7yyAu2cFT68EWa1ZTuWsKgiiFlU JRKoYtKu1GxE8KDwkhavCju8fFHk0xIoPNv2zQMat00VW1rd9gsiGRBmyWL0 NhoioW0+Amnm06whp59oe3/EId4hesxbNNd5oHdgriQwfxFEpy9O/vGPvr5w j1Yvaa/y8avTw+Dji3K7rotFmayX6HjItuaNzVExhUmNVJf2rx4FrwLIcVl8 3qpMO375Kvj0ZxBOK5Q4Uz/28+dHr2IAuFWrAtgMIMX5i/jhk+cv4GH++fTZ ycnui6iOzaL3yNsVP/gWyJc3QcC+OH0RTdP5AWRBwHRWlXv45XHw8Ef1T8CT Bx9TNsHouVMEyj+/fPHM//zq6GXwM6/nenA5JHf0CVDmIF0/nAzwEA/U+xEM CNI/wvHJqxfh8u6Z46uG8SHJwFKltV6vUH8lxmUUhcch7rt0X7B08TjIUId+ GaeHhyEarvIl2sOzJy0GefPFUTRhIDEykUd3Y/fEy3Brgds0U1R4u5Vzeec0 IkRRt8akoJsxvPUTyiZB+9HpcUwRTJnsZSU6elcmebVOyE9APnlQsHNZBvC4 mwI5ydxx/htyHxy8u7u+uVECeHn8LJzRG6CpJq2JJ+za7vzKq8Pj8CDyNgNe fhTqvvowvnWPooXf95YHrJlMscufLtDolZVfAvkIwzngTwbjS7KUxJNqBVVu Kdf+bUsiw1xk6rm7Qf8pe3HF2GN/ms7p5ATwKl6pJxxRwEGRmbHdmwBHtoOq BiEBg6JnBsj3IFH0ku8lXZFk2aArNF+wYWSTKkWhSp69YWs89ByRD2+GnhXx gHgHjtg3IWeewYJz95iqr223DQmE0C0k8Mh47nDneD8iYOUPfzDvSPvB6Ma2 A0sEihZs0dbgKZEgCL06QzxZqfAnepKkH7of/QtkzFVMsLwhb0cXZwZ/OEOP YfJQpDPymjQYU2LNi3UVslCcz6S/ozC5j2hM2rOS/ZiwaTBK8IBOJHZY0km8 VsySN/2ssnDYvsFXV5TsqmNIN8dtOInEB9ABh0ooMgG20omUI7PEmIgfhDQM 0pmVLEunk/VnccK6SYWAeH5gN6YPpFSgP7Y1PjoXJ+RHp3M365wQKgbLBPG5 QiHVd9jowAVqIQCQHRzRZNRfR1i6OYqRdCa+pxWcIFADqtAVmYiti9oV6dv4 ICmrIXxREUkFzLbMGFDBPTIHN0e9J3AXAvHrYdfMZWPV3refQUkgPgDn9C1q hQNksOaeFr67f89fPUN+3oUr9usKplLvzuzaO/LMA2ux/QhnQL3kH4RVgLm9 jYiuH8JBJhB+uPNiCNSm5B+lDTr+084eJWt4A5EfAaQRgkejVaSoPye5BQkD g30LAcvK22so4occIY2TktjazmTZBwjkDZMFSbXe0QCBMz2kU9Wx9au0QHYV DqE2dwW7BCQ3QwPMWUluV5/au4+ATn2E/tQn56yzKJwHK3CL4Ot24eI1MCA9 vwZdpFrBMUWDZ1qskQeSR9vNFzXMbYw1v25eKrJ7UFzIUwxEfJ3j8SrKlGMv 1yQSSCK8dVN8C0R6Qd61MdtpFGDADbmzWap2t74Ko15LKA3exjnumlEoJsEA h49G8M8d/kTgRuQJBwU7jrYJg1qCcgIEFIXspqBwJRi606gdoITiaxzmQjV1 5qJr/RZMCuPshgEdW+kAajLSNIDSFChF/dqxQFE1tmu2U9oDT9EGshisJGjJ Cv36uB0uPip2KInpjkFFrSBYYKmBDNOPDFoXm3RWL8kkg4E4zEz2NIe2ULFb kv3N+gUYVDP//jrYY9Fgj58fqfZ03RH4bK+uhVFUiR7YhmzykigGQ4XMVRPa VSBomN9ESQmVIFRzJa8EjwBMijUwYmxZsUEfYVInBq0/XkiGsUo086fo3M3s bKG+kHvRj4+Hh/iA6qmHwAB6ooPoAgYwQZWBDg0aZmTdLDCgndUPgpGjaqJN wjm0MElvCtPpMIdnGgAB/RfRjtsRHqoBMcI82Goc9bbtEMKoGLsTBd8rjG8T lZRslpNLo1lN0Bc5Z07lRQKoQ8Q3iPlSaBENfcdj3CC9vvhyZJRbWOB02eEA 9mF7IkuUauyO78AiOTduQ3ZH8x7GmDo6E6PqhwoRlBYzsM3f5xUHWSzxCnNZ wtFHFKLiVv3gAJ4n6OPZAjaDKM2I1cIFeQzQd5CBYVWzfgiKvjhWfGSBxNPb 69u/Xl7djP7nX8+v3n28urr9693o3hwcowaLMZpeX8PwmIgA303VIHAfc8lh JASPbqZN4fxAQfAHk6JQrqTonMzSTxbewLAbItBv2S4qh7DsDU6zT/x0wose rPFswLJ4z1s7pvSKO7RJPlG8ZGWaNXMCRKeEBBlaamMrtrVJx2cajniUnEnj Szgjjo9AC8bzYKPVML+LXcu0u34Et5rvHOnFGUH6N45zgM7S1xLBuK+b2bYn pEnmhw57wQL/dvT1wcj6AVY4K1bEVXCbSF9ATEcmTRjhcU6bFcJOqgFQ0oCE MSqjTKyieZI3E2mk6zR/E8en2FyJpBxRrkbKsqJiH+S5ROiQWmr2AeaFBDsr wij8OnNOGrVlZ+SksTPiXgHMgMnsvMSmA6yuyfX1YcTlTRkoLmprl/ar/PvE 8+9b0J4vCswcQbeqaEIZqfLe8+a0gQjKqT823weFfNIFZo+F6QOgAWRZWrlc H/sZ0LtCcMpO4viLOC8wWLopwtUTH8YtXFrYUM7tAvG6VJmyxiQx/Ku4DNC1 C3Q4AIY3YF3Ya4o/S4DpXvOYWuqhS7Ii2oPN786H6rMi6XMg0GiZEFsM0qpg fSA16xqpI4qrs4LkAsOcjkAqEE+PZLbOUDAROqZFU3j2CjSFNi28PFOX5vXY He37dVHMcYABSnE3JZxGxM2D2BLwoyBEnVRheEz/CiIcwzbstgk5uZjINYYv meTJtkK4HNyPpoC5VIHUbXJAvWozLnKC3j+bgzk1KOaDe1uSfXRwWdz3BFib nF+dyQs4TSTq3bWDgYIK7wyIC35kLuFtbhihTleAB3zZR1Zw3zSbwD0iGHHv xvk6QdCoMPMkzfpC9AiHTExYhxjzreFbizp8hnJp0VAiQ8eKKGCMH1HWDQJg gRuG3OKNSVxItnNfWvvh4ET7ApPv3oND0CyJ9lAzkjcenTbIl4Wd7Yywsxb8 vXQBNVILxCxpozCzixReQxYsATkgV5vN27NErQ72H87xiJfRMcVpssZ8UUBE ls46SF4ywRgMqS+UrME8iVWJwe3F1QCO+CWH0zxXes1BNPJGg54PdhkGdK8+ LxNkZZieQLm7mg82pXyrDgOXs7V0rU+miUj4cdLU3uuyZT2TtG6fbzMI8m3a eTYIg6K/nJHA9iNigkQCBqWZ6V3fXvz8dnxz9e7KVJjfFiUWEZk5wc3h9vA0 CDdyOvaAZu4lvZy9oU+mCCLzCAA3BVVGFy0fUfqPKOnIwQKVpR/m2zTrmU+Q 5EwGAsL+SuWNqvygA7eueIU4/7ur0cVPo/ObK5VtpZ1sKS0Z5KqyEIt4FQNF jGHUXVpuYiEgQWtARN0e4056e0zosIBhOfJHORGgQsck+NihZUPZPIDCGjia 0GWgAWFKIcdxcpiKeCrrQLa0eKqDodRRqFsC7EZbkoWLAeqnKMvDcFwW00JI dlm/JK+qBVseuNxWSTYH5qcpaYDlhyZDM41PXt/l/85wi/ZjhPnE+vYW9f2J K+3fm5RzMD1umS+LKkCsyjEqZ5XssAxUyvn0yxlPyjJ9wLNYByItzJeQ9U4a 9FtWlFuELi6ch12tmT7DBJRwbyQ1JDg2giCGhu/OcFaV8h72d868rT8D0ZvP WOcJpvODgjAVqLv9KHGgrbnTFweECAO7p2a/8xx41DkohML9jsMUIh8MtRvx 5TzCisUwoiTVfkvwLiQlQCRWSP8RN3S0MQFTHk26jThx9GC5xJxAPYM5pC5P kTgKYoPPzYydvX6tHO+USM7zwxdifOkEVJ1Fb1WYt7hr0oEeT9yqdnmwCrzK i2INCKZUy0dUaAeGyyWqZsKHCWeg1WCwXuAWZBZxHUWw5oMgZ5YjRj0XvuSq FMnudw445dfRpnkYBYXokJVnmUVLWEzW6XQqVW8CYRBDwAgjYhgzuZ2LT71y bq/avrK+86QlMzhfKeXiFyWbPE1O5hZQsYXDMMVSpMB5w/gJMAbAXBbfGoMO 0waMJtBn15yKkWAGSao74WcS78jQvAX7qiDPTUGudCWJZeKIiRV+YMB+/yg1 JUiil/x+Mpxd+jkrbXWZ2gfx7syD/Qt3HJNZ8hR9//miz/Z3rUFd9ZgeDU/Y Z+rtIFa07slSJldtEDYwUj+kqUUEFjOfG6BnAi2AK4B8iFM9Gh73W6Y3QiHr W5OaxDADebYKCzzWZUpT4Ej3mVdUCGORdcq5WBxj6OBUQ3OFzsBcwrP51of4 KxdJ3xRNNuOQgSRLsTiZFqVkbHsZLzNHGMWkAhtKksxlx8xCqzRQwQuKToJo Pf56ezlgtYpd0i5eD387OOx1OK1DDYPyNHbcr0FwqPhGp/Sw4x1Q5GNnbOyL dR7Ym3Te+X7gOZy5MddPj+ll8nf67+jrKwsS5+BjoH8mc/17B/hjFCB7dAO+ z6sUj6rOoQ6w3+dmegQs0dpRr+M4mW6ii6bwpI+k4/m2K6GLWkPDvOvzLku4 67kdW5TXetzrVuq/YbW7ynzXQ4+rll1Pf1UXUqYbVOgBN/WpPqEmnWqyp2ge sDA4n5TWilASSv0miafuuaE3d6OKO4RQTKdNKeV/XM41RW1TCt77HNIguLOH tFI5q9VET1TNPSQpJd4RF91qbM3bAGKReMPKpxOFoW3Mp/Tw7xU+I4ymcxim f2E478npECNgSWcOB4cvdiblhebzobmXxOi4DnOB9fR21gcBt0jzXE6BmLpF ZWODl1DECRIsVTDVnckwAktyppxR2GeSoKQVXV926yBDY7A9x56kGItdgUCu MCroGJ/gmesEqTBggmYdnBlN5kpQNxoI+tkPQ8JXCnOp4UHqeyJ4aJwUJrhz cQb3eR9D45yoPUUfRArCdUoeDyoten1h8LdFwQqIGEwdu2cOKlAUzi/G5pXo 4UfPjk5AdaI8PVyJlBUwFJbYAhoOS0+P+T1YHPfUYaGcVZiCCSfyYFwWqMrO 3Cd9Q70Rgt9V89LmCe4jSc2/ArhXn0HupXhkEikpuIa/XvsqLf3zOfz5HE/r RVNS/suY/fFitLyHj99zXZM5oFIaBICBTs2+m2zZkr9697q3t/d/4Ave/NMA v/4k3+2vP7V/aP0vbwOcL3B+4F9A8Reajo+14NcXkjkD+EECA1+QUeIHrzeg fsHbhRkNvyAc3LvBl3o7YDhh2BPhCNv7wm774RditkPzhY3zL8Aca4ZD+/pl bc2XYH3t729Yl8wfvw/h+wi+j+H7OXy/gO8T/OwU/3k5ODyiBw+P6YXD5/TO C/h3B8//wnzenp8/nHwBIvkSCuwRnE6XUzpzKnORPcBv7a/fdT6veT7v/1Pm 8348/skofr6YX4L/9Wf5QTf2F///F/7395wPpt4D3HugTcRJhAhkQzfFZjCm fBZKoiuqauvTlw9ubm6r3u86n3tMZ/8CrOeLo2vTwpX+s/v/l99/v5hvIH7+ pfl8oRT3XRjx9/+H66LU+v+gdWEmCMA931nL/6P5vLkb3V7u4vmXr87nl3/P fO5HH65//Nf36wvY1CbgY0/A+eVJOG9+fPOn/yT6wTKlb1tXx/r+DfN5dfLy 5JFz+k34+Z3lRetLDJWht19IaOyIVlbn0DMHfOc+0ODfcsGab3BEzTXUU0d5 JE5bDso0XNOl4zfjsbka3+9HlW59eUB8i/TQhc0ydIeym2TflXJRNRwJt/2r z7UEIxJpgfHjyXOp6UE4XDyJsYZyprV9ODFM8IZfqmW6xtqjv2FA+gAH7en6 SMOeJ6wMU9j1ZnRL1U9uIkenL0Hzp6zZLINVdmLGHJB+1ROTOI5SOHs0Vs99 /xzzCT5fFylmncJjgSOuqcmj55PeNaWYbTyayfsKlICrvzfpmhy0B++vev24 OmGMoAd1MaAfwAQ5AgxQoouYkNZFntrQfXwEzJtNsh1Szzr79waGyrZh5yiq wIoTvALnuKmbMte0dCmmjh1qiAeYmFQ4BPW6sCmtQJYrawjCrv6rFYDlaA0G 2yWdy4+465xKK069ROfWQ5K7jg2ag3G+jcdyZQ3zNKs5sMaVzC2EzsDoW1PJ 34hrfWMwrl6gTznPGNlMp5RfwxkV0vCCg6HLpPRpJ9wwLCoPwrMhJToYoNCM XUBcseAadd11TyCCd4nIrJs6TPWl+gkpaJIEKcSslCroTN6Cea8x+wMevy8p 2HC+emaSyhEO8RNFGYJY5LopKd7DNv59SuEO7t+0U/gWVCSXPpcP09T5BYQg D3TFFNCnEb857GKIr6kQ95/mh3VnEzpfzsuTVB7TNZg5eK0sps1f6APt64DZ efMseSjK0KN/ND4zV51c5M5WLBaAI73hQ24O7t4gD2kVOSmVPMU1/JzFGFGY DsrB+e2b3pD9NrTiympvB8U2HBGJ65MjQpsFBKF/4rZD4jh++5/cXTadHLU6 lsjlWI4xvh33zgisHkePpzdBTE2qZyWSnWuojmtlwrewEBcTIm8wRM/VkuqY QVz8fPOux4Escovh+F9H8e2boXHNxegLu3NMlxi7I3fNOkuovjjRdUTd1j6g iIui+j7imM9capwmwMAUKeUhK6afKMg1LzGVmWTuxBLv43Mb5IZNYO8t8DEM Rgpq1kVZV//VZYLR63E1AXwEksLBID7cYOsySo4KcYG8EIl2gxkMtAG+ssrv kSb0BJExSUrD53DveWjX+8uVlr6L3cRx0zk8XyivE/Re1668g87gADeQfNdB C0MKZoYOX3fou3rxTUB9mQPegrxRDMCsZAXd1fI+rnDtyCiaQpAJMyke5MDl 5OnDAxTETHwuJLtuS5uQON7krllSJJNcIVrQGYWIF6sXZGOGVKHrvNNpnMTF EfF0TY7a1AU/8AlcrSZdJRj898uneDUdap/zLQndbh+N7KXiNFSumMYCf2NE mf7kRApAq9rORBoOHBys428pORTLdhgjqo5BhL3nXAlq6/gP40njmjqUF+5u iRkVvkTlm5QXbmXodZhHtZZ2RZDbKN+Yy0e5XYZ0mVafVLPZ1X1auo4j+2/X bPyW+nc8a+l6m/POiC1WlprQKYSgZyZWuWqDiXbk7l28ZnguUTJwXclCfYZz fkJlR1CX1H5FGwoTqC4ICAuyC+i8Wvb9xTA6MxOiybL65DFSksR/pHi2H9YQ +i/l6CJOKl49ci/qCxiLKj/vXUrRRfjj9ZUOUcBHWmQrTCVaoyb47ALpu8Qp f9QLt44YdHBwmrhojGohOlGY1i0gyCodLrk5hBSRUW1w4ptJ+aY8MQTUlB/S WZNkvk1P6toissRYE80tXUvMWcA6+UsExLOXlEHGsbUg5SmwqTgtemrjHmP0 5ZEWPi8K7d1oVz//Dt3cfUgR9CjESE9Tt9RYKdc+KEFTD2o7QEkYB+jD79GM yJvf6mUbi2DfJ8H4fjzS8MOcF5iJzBHSLps9et1nv3H3SyTaqFOCBMm1zzOn cUbdGTwITNAbjC9xx4E16OHEPJy8BcanbrmURNer06ouTEHKPMis2qOzzHKc vQqESkrZdn0OJe2VzkHZ5JowSQycsli58xt3bpSsauFiD2kSrsFZ6jofYGUh 8nhNqCrg4I0W/zJZRVjeF25cae1/2EPAarcen3NHod0gbc31odC0PimVr/Zd LdHHdPA6xQS3K+Qvats+5Z+RhH5ZO2rhrhlG0Oqx3xKR7oR9u9jokhShoisW vm/GjLl9WF7XLR3c/P8prkm5GGHuLFerznd5Jjm+NAWAOyMoENzzyTbi7nAu lTOGfTll1XMuCA+aPzjR5aw6ZkRepEkLYDavdhqOaIMNmiBmy3uM+nqVsGcD EneoUIXYDm0Kb0/t4NUZGHowPIekFZP91plJ5NvB7UV82WGUEnjY1tHkiOgE hdkQ1M5lX49CGloYTl/SdsqtdjNcW8AdQGxeaas9sX2dXUDVByLgxLnq2yj7 vn9ee6ASFeqtx6vcBzbc1MxvXKo2rpHdUb6pTLOiIlJ3avs8LVzLfsekaEm+ G953Tkp5o2Qoub5FrvkMTWVcpg+oApOpzZvw4sXhaZiJrAXWHTD6HUvsBzaE MmmcOf6DYLRJL7YASKR5M2bDcpVArU2v712RDnV/dNYPgqBLOyKm3WFjIBUS FUQEKOXpzHO1aEOzj372mdaRe5hzjNKhBUtD86P65phE1Iu+OWHn/2mv32p+ 5uS9EHulb7/gFyIZVwdH1KmeXQ11V4Vr1XRA8GgavaBOn4GsC5BivuEEpkoG dqe8C7Mm6iX9IVgaQTvxaXCs1IQt9/ABbguENWz4/u/QkA+UK81CIu6DiUg9 1yEsQW/bLOFUIsz7cXwSRoxUcZdzQIT7WNqBBk4OsV0cEjyA0fortsgiTjax y+Qhxcx61LqjDqUkV3Bgrb3wvUBjqSyswQtmTrlFaCpRqLDSi9vSLjC5rZRy j6AHWB3JVaFs7ey9AzO03slod13nA2cYF4rk7sYMGb1MOHkjKScpVxeE1Oml 60ZiWE7MBdYnKckdekTl24S64MIwdhpSy7QqNsoe79IrIDqmUCEnlbMZKMvk +sQTMb7+uWduBhPugfTM221X3v3nsSgBmJYDxBz44oKT4fHwOZ49X9PQc/Pi jGvvPubsVRZ41N1N4jo0CEwHKVayVZFOAzqIXMuxdYJsFt/znTTwZQRSNWt0 dGrUCQU37itTsfQQGUhwI2jBqgyX9WoRVhPLdsGM+6ST/8snypqC0bsReQIC uajE4g5kypRvkSDVVXy+3t/GVX8zbebnO1fuZrOPpcMQ23vf8GDU+tJsEqob bSctOq2IzR3rPgYRPmNL7ejZ4WmfnK5bm2D5zVxOLeVzbjjm4ZrMDl2/CMpj ndmEimOwGa1pJDLQla5LUWQqbUEzXdOSgztdujJ2K3M8PKETfDxEMZVKi0VD 7QXU4KQWgFZvsokTpfHhS2xHdIFKG6zu4PKi6gW5sK6D06xYwSaCjbSmaENJ rSxcdy+Q6Nw2n3QC/LXvlER8wCuIceDCVEA+06Vv6F9pz54PaVk3vElvqW0e HoIPb7FzTcX6hLQJkue5GQ9bSwzUtzdKg36jrOAmJqf7m9DYQoaOOZi+d5F3 wjMkUdCxZi1sfA+ydtwP3RI96VhWa9r1njBxbgHpj1sElzioby+wwwDZ0gX9 A7FDTlDWtQjp1DC5rpwhAduOv6ILKIpZXxOYWUHe1qIf+Jc33OgtIXgyo/Xa UrhLw98SuAGIe4FR4YwT2f4Rd8Xou21lJufKzOn2EQ6mR2BcknoLVS46UdpV Uftt5fiLoFeDslFTO0evcbYA28GhH4nGJkaQ/upK8hz5UJ/wRU71gvg+dhVo pnjIRzs7KCsiALt0oRXm0gcyWo5uIdEOggGuzzjRloNprd0omEbmDYd1dmWl 0gmxExwrRCddp4OuhuuxbzYprr0FVu+5FTo/nG/F1TFY1F6cpXhwfN5TExcO lPY5OsXqJ7rGtB4RvQsB0e845R6LqPYNpYPOiyk7+nKeOJmPXnvpnCtimz05 LIxarQErEi2qXiOUHRYIUwEuySILZ0HB5q6Wx5jZSbj46lNRh+NAW1ZVmbUm H4fm5QcN4l5gRNu1sdNiFeq8RGEWMQ/IUpvz27JpPL7NH9KyyH2HgBvcPHyu b+ifp6ffsRGxk6DDEcEiN+XbAbzeI3VtocZz2GNkR+2bYfpqcKuwcGavNwgw C5U9sjsvY34qnvDAfx21gt7dBueO6xCiF9U3SMxIJnYJza9LTFnKA9UiXWEh 8cH4quc8QpzFdKU+p7bcw0WTUGrgj5konuMrpAk3CRZ0VcCNO87+7cizdPKe 77A8xrfjZehJTHG9OLkafSpwBtcJB+rEFeFekYe9hMGX1Pl1TiVDLlXE6XsH 52/GPV8OBKsiySqrCRjhD50LkrtgmDkjFBHXeNVFLo5Q6k6hQZf2ClWCtSCw 0BlfsahgHu6Zb4d8cjz3ayfId5Z5VFC1j3LnISA0/ROsVFrXPNlMnrtUBplZ 5O3X3u8PFJ0VhxbLOu1aa7TwTpz8pGVrQ8W4PWLcy1tMb/FXc+he7OXQ88ZB kFoTI5Mqs3YNgKvambT0ajzURpu8tl6kTl7ovqsq1Cq92MSX2F+5uz2qHUoH RLrODN+RtEqhv7CPIdB4VyEVVWX5q+kS7zThTkgwFk7EeydC43lJ9eFSCk5d ae5Zj1Qnw93IHATt1CLvhGRwhEgCYRV1NqhcIa2/zsrB8MxXdb2O4CD2VcGm SqKqbLD/UdxCO3Cjc9cUIhnO77obdfoMdNmEHBw4XAPoTnQmp9vAiy1b0JZU R12S6um7CQ4o95/FEv0Y3VbQIf7Ve8WHto6ygzAHye/siCNpfK9MGA5Bhi1m vE9rwPt0wpZ8fm9ZJXXZkz7d04WRtJUTAQnv/aIJkCqF5yxseOTA378b3VwF NbquKU10hRpfZiZ9atoxLCM2NsIgtky3/yFcmkzQ1QrreVfU/J2KyA+kjzb3 opCtQyinw6PhEatRJJ/wXmE6T9E1TSBEK80FDy5lkoaDfKRR3kdeRPuIb8tn IRJREy3QgiSBQQtHu+uuOT6RBg26OB3JnY3OMI56xV9TKWmCkZd2OzHv5Ccp huZgLh6ab7oM5QBrSXpB24quK1DYkQMPRnengCIRhrs5a5dcN4HVmVAyHwUp MN5A3I/NMa54/xvlxU2zJF1FFjOlAPpoZlhBHPjApPOZRmywJp/rTz0HQ3so aIUY9tTqvO3l4G40oJ+c63zn4hdWouK1k/mccM6Fy4CSxUsILUoLCzXFyK3n rhkO8SALbHX7I2Ef5HzRDnGTc15CVOWt97G1mlGKZvD6wlDVzKUFOkFWRXd/ xqQWNjEI7wPaQcYMgFTeLdsCw82xeHhCpefJx3ymS/SCr4gvIu48y+TbidD/ z0LBcSlM63lNKWlw0Ml5p0sHlX7qzXN/Y2kRty2mLy8vxDijpDYAFrYoBXV3 seD0/fAmOfoiTkuR23BiLimTOokPKHGIL6Fw97lSt3rXmTIGGrRVD26ruBi/ 50YLoMKWW9cTrQqSbWMwKM/A7MlWQWbzB8DxI9gE+6zAK2d+5S4x43AaXNou jJxiB3TtKK++Pa7InA6yCbqoixK4T61YtVJe3NZsIP3wKWvwwR/cfWeyR0EW ngSksGUSOQ84p2N/GA+75qscOLcyaOfruXeLYKUV9rVrT2v7QUzqQXA4Tdax TcCYWVOoVWRzuIFTbMXIIlFHclcp8sWJibQ9DueYyAUrMFooZoNQwCdUjp0Z 5DMhXK+qxAfbpbuiTxX0Q2msQBqRUUoaB/L1ULTuPSL7ggNlJN9tNh8s3N1p 4UX2eEVicF2TtmaAR54/2kmLnWrSc6qjbZrzolEqMMA12BNJKp4pwlyLU62j NdlQhj9R0pIkJhL3Ep7hWC7o+jG7Cqgaq/w6VUIfPJX7r6m8jlgm6yaCB5SN PGmRGKRaIRlId3eOOMSIxTXhjcBTpWh3G/TM76ao45ZakVWP4Zi1vrCzV+sO abl7SiNxEb6xqIUmP9zBiGsilsQhYu0/s4NSICV/p9qIQ9vhH6LL1DoQHkTm 6HFs09uUvrin1VGmSuuGL3TBniBFsaYeJyiinE5NYDaiZSE4BsEPD+KHo4Qk VUAJYQrAGz02bEjMg9LtjGgeEUAU+eR0q6LKBQkewQkXseDGo9bxQflbVCpD V1biHYqiPdxSbziJDob3IeLyaKPD6akQba9LmI/0UffPhNgJ4dDtXMABQT/X Hr47O9zSk7GWRL3NpCJYKvMkMwsWxZlJUn+EAkf9fWfdW0QgqMckdvLBmwws JQtlLu9aOrvCMasqV+Pl704k8h1zSSgOTs0v5+4qqA/j20qv91y5l7o9mHwB Y4cHU3oibehUku61JCXiIi2nDdpqB6OLqveI9zBpO1o5bI1cwTXc/jD+eO9v l6C4KUDkvKl5kNpBKzAHlOdPXmlOwXQuXeef0cyiyrymup87NH34hg+Cjq5B dNu4QB/tG2dbUNM6j6tKJqk0l5gLeBG0A/WkXlz1lO60tqMdMRJjQGI4Fpvw RSh3bhiOxqNNYuLcu2jPHUn6ZsHfQpQkU1pEqajuQHPnVsJGEVt9imq7SdbX dF9qix4yNDj2hmZrDVpgya39KQnbBVQz/vQh+tSLR1YJdulZrHXJanEOP8rv uecCikcbYeG1IsEtsDxVL0/Ub/hOPXoOE61b/55Ayh/cDbAdzp57q74eRIDm XmAUxrYujO0M/FCOoE9zdH7l6Hpeum83vFiAYGsdKCfFk85M7gVRgfuGc9++ 7Xrag4s37mp1vqSW7azWjPFarJE0Eh1ggtSUoFdbbIPJfOFdCky7TlbrH0lU iO5tkgb0mFJjSzN/z6bLulJzoR/6A1x20h6bNehAVRuoLw4BcjDzpUrqYWqq wCbADQUGlNda/0UW5qW71ko2+TsQ1bXf8HfZT1duh+1kQ6DaC/eT5QwkQU10 bYZ4AGmH3QTjfDQZRhU6XZFrNmCutQ9DCXb29WWPPRrxONKKvOGkXOKL0VRB h1wqO/TTlhCUb6wdz539FFxknCBG5Pm4G+la4nhEP3rRwMRyBg1rlOjE9JY3 iX6nOjrHDj6IWAd8Nyufdxy0/ScVytcvkEd/giYKOeYlHapYTdKo4ZoBnDEw 7q6KIVdpf4v+QbQ3CTuultFFDl0Tb86KQJPqMybkEUCKTAMxF7k2aW3NVMon GvFQ1iHAtPKdicmbMyvo7hRktTIdwDs2/lWHp2sJDBKqLjH9dIUuiRUr/h6a x6O0D1bmFSeglxb9SnYW5IjJudFLrFX87d5obQ7CzCzQP9BzR4yPwkAuKkq9 GRDK3wptDcdXBY6DqwKdnKSMNcldcZcuGl83EbzpSkn4j5JHoR4334WAmhQ4 X0TK6rem/WAUQdRRJaH9CYDZx/St4CZZS9e4OyjY14AOVQ9fWxR86YfXKudR /u+EG1/Kx1G1sV/OI7NC1gMfsEbF176anwC0h8LvrGyCHpIpH/1KIzremQQW YroQD7U7dsGdFzwLUcR9oH93jkHF0O6VGXH0CCMK/FuUwVNEUH8I0lZ3cCnG PV6tEd7nQH4fudkwj/xv7O4Qy2MXHnUKJ4d8th1GpPU4Xa0xzKt0gyc/RG8b AVRkEnhTBKM8Zb57wjlDea4UanFgtNUFTaJFVufacJOUVA7RpN7l+ghhqUnm Wv4rhXdgJ2qtwSlL/miJIekAa0rA51TcZh2eS7K3tKaYwai5OIx5C0ZUQPfH An5NHgoTZirKmOl3JbQQo6aclvDhEzFpOuPn4YOnPeF5DLfCxurqbYj/pPzv eStBXjW/ytpPRN7oTsFb1EKvVHx9kFyl4K5rpYYH8yaj3hZsirk4MChTZbNW EQDEN8ck8Mq7ojTAyO4NAhGc4NYaMimukey7IMymvgPQOllrXgX+81beulfJ EaZq19SFHeQ2Vx/D+Oou4RVSzHhLHYHEwRngB5v9VMyEKazhrlrbWUHoR7K1 Zl14J3q4ATgISGg4tcM2mFUxY5NFQpLCHzPjVPyj52rCiKnj/oyX2qtQ956V DXe2Z7MW2AwI18TV9tfelFKPk7SrdfeEPmUyubRxV3jl324tjFzywy76fcKb EjjfeuIWYRfVN9mY5k2DZ5fcm/j5WPpnsPo1Dm6DDxv4n2/pcgWtVQ8vjQ+v pQ86XXhrkRRKNRgfdRdjkpQGKEir9YpOpWWVCZoAlAomwZ3Hmk/XVPbhLuPF u09QDlSFJl/z+4UMwmK8y7wNai+GYI/jwxIu4cH9kzh+TZdnpitmC0Gevov1 hIHDPdZxUEUMe2Fj/2FhuN2YwgdycSKCZCn1Gq7HsOby5RFRg6CRsy/mwGRk m60JtEALAPE1ie52CsrOIcMBl+swRBoNw9KASUgmzpUrno4bm5T+agB/abhT eK5c3kHUpJtugg6v2423ABDFoSLNs260O3afjSNu4/yrUPKKT/wcdgeZN4wH SgP14674Zmn45kuxsAKjBDFCPCO4v+HM7Mcly/u0o7lvHmJo5+zCeSqV0vgy h66LHKhYj+5gON69RZ2tHUorxqfEPVxxMjA9LvnAaoLgiy7nsTYTLH+/OdbI CcAOmgr5WIGkrlOKCZes0X3KqOm7SiNXo9dV5xpk16FfouvqDQIStCKjwKCt wrFl+jOXcy5Xqa4o9l5hSbCPqkvUCX8Oq0DFxnBd0BFuVMPfdynZWir1SHYH p6+5DJJZlAjAm4Vgwv1ypyHKvw73+Yj2+esb3Gp7QBngT7Y66IeGaEgFRPSu 55sUTItX2B3ajC5/evD8bqU1RhSyiApYJVzl+lZom5iAMvj4KXE8Xn9OFf9x ik7YGqXzVql9vlPG1qBXxensx8PjENXHZ9Q2ElnSU2fK5ig2SdwECPedBG4v +5Lz2VJyKdikiduhVus1Wr3AxsNFBp2IcchGNiGcjH6QHFRY74owJhZOBuZd 9aP2RMJ+iKu56jPx2heetXl8SwL1UBiqz4jm+mNpdEAExIfRb7zvfpKWSkUs UWgo5x0Py481XzsogTDVFA583EdEmSEqhu4iGzq3Qax7p+Ce9/b5GUbHBtcO E63bHajgG6Vx61iVdiXps35LuOadu1Q6NU51cc/rd/dS3tEz71eGKiiWNtlk xkQybShpKLjox4U32feId0dVvloqgalvK7JZV1z254r9CZnkZJLiOd8/I7rn ndScorQRu+ar4uW8ahooeQwzFwSDnW1SpLS+2DWe3Jhwwm31NEYb3HcqfhVk W5AUnUvuFCf6NNQZgj3t1ERGLiVxzOCbeQFFrzqug4pobegPPd4IXVZoI+KK BCXiDt3dSqlN4boPXyv+QVQSz/jfUu5AxSbrzvM3x3/aYUHnYXu4wrQ6IMZl qjLNkAn4XWSnoq8O5YSsw2HE9ai/65kZiX3tNgDUOlLj2jIDXpbL8rSDDAwO ShG7EFAls5XeJzFFLpRr+gRdJO+LW6VVZitNstbuRNiJUl4M2wUjIS5BIG0H GwwE1f0gjBm1ZOB3GVbYnsHoreScR0K3yRBejoatJgQj14hHcSSVJz5ViBUH W7kGKIqUvm+Q5xsEGckMBpxppw05aShzuHI44/t3Eu5TFUatsRnma/X3UH0k RnYwkQyvn+NrCTGTh2wNd60I5/ZgkOzu+o7ppZhgpYA2/fzx6JW2/wg6D/32 2931+Or0+CX3lULlwZnxx6ArwnLxsR9PnjMUh4hB0OKHU3JzUnmBQRKuQwoI 7hLiLddbxNtGc99JXVFvXYK1b/hmfY8tmV0VZPq/v9Lru7lLtdeQQ2AvTnaB LYEvlBhIQGABYGmOdvem8s0e+yFb9qQ8t0nYT6IOlSSmveMhE+9U7hJmAygm Rw0oCfdQmtxtodfRPo8NU395e1QgYTgYNN22+hhOgmaFQVdxPtvYUEGIOaSA wPGRYFqn1ACzwIxuhpQD6veWwUyL4lNKZgHVZa1W3CO0amnZ8VLTGDUMyV9l 9QnFEYzhW23JTdtTyrRgf5MhJZ33QMsnah2Q1GyuDMVCaG4hx1v3XPtGmHtp DEBtNI53OOw7n1xPTFb7CGCCdfC0UyO0Q2Ok3Ov5byXxwV9eYMnsDfGnW18b w+O5qGRFN15PMIqOvbJlZuLcCzhuSvroLL6UtKlq4Tu1BFbVeOA5ZcWCD2/o ntYsRsqDsTNhenFn4IT5KkPxzDX1s1b2yi2+4/7SvPwTtw0Ukjov6joDjjr9 JGv0/euiZrDf0/TQ0UR4Tat2/oiqXCdudBSY6EIYRB0XW5eonSJCyNaolU2Q 9ECnyICDCL6HqaQBVbIu9zvrTyVSaVSMGy836IHTOnjBEJekpptb6iZEWQWu HQ17UnU7xNMtnfs61ZundBtD5S5PaDfIA5w60/eZ6dzFKQ1u0SvmcZ96vTUx MHW6LpPsd77EBU7+IsSNtudxF+dGzV/w1Z9bWfphb9rKBtaF9rGmu5fVlJ6C FQ0syJbk+tUMKAUR2djt6wWlnj5qlRUkefW90y+yq2CpARxjWshCxOd2kaWL lPSj1pCssIuMcKq6yug0d9kFHmGgmccDxkUNU0xTKSVnnHs/u2o+H1O+DRo8 hTrsbg8CVPKYlfEsfbwOSVSvqMMAlikpPAood6cS77z+xPfSa9BmG24I37y3 dtpKq1shD7yjfT964y2IkKPhoVPOH1NCVUn9irRRfaKbG6rI+l5t47ED/qgf Zfeg33HBbMBn3jFPPAsOi983NSYD5xA/3o/vV+5opxS2OJxgbQHorRq0EC8m eSlczkPkpMAv9Yu09jBYzO4mdKHizBnukRB1hSVJ51s+QhVw6Cf8TV9zNmk+ j0w2OB1SShkHg0baM7rDiMWdDa+RTCKCcN4JsRVcMsYa4+N6Ma4k+z0eBYoj 4EGgJnLCoDu+debCGI9YLV6hoUNLajdwJ2ROvnsMerB27ynl3R9p6+yFYklS v6LrStszcaFiqqTfI36nF21GCAmwATNbqBfIBUDEo6Op4zqKBCg3FpTbKqDL e3UA7U6Im1izGyP2/3BodBVc4EAObmo3ZUl9wc6JlPwQJvr5fAycRdeQ1Ntm bjedr+8Min5my6ldXiFo8pY/4x37FVJK2GfdreVE4YBGqFLzFfYsc9Hfpm6w KcUb5nFzzN3zSx365/6NlG88WMuFpO3hU+6Ui1frBpfraHUByJTAsc3asQvq dt7GGjc+26QVRxmC9brEyJUsiN2/gkJXUU9fWGekzDA2s8WRg8W4mB/nHCP3 oPxInlLHkeP2ObCSVE5poaluBf+GNMrOXwlmc+IiN2Znb9lUpfc0vKL8YlkU cvc5d5DaKuSdSaAmLrQVCepOBkN+ZQtC4FHKdu+7QKLXblwX0LYS0g9ivQ6A uhPwwtcoFqxV1mt3//Jwd91mf9N9tPbZurVU2Ud5RbMwLE1fyO5ld9uZ27Wd LknaV1FroHxLgVK+RsXBaflKsZkKb7W/1sWnojrJJcqh79KnKrNzVVIewr0q gBfCTZPQVx/cgMNJlKW7wplvs40TD3x+Acc80LUvLJYGoTwJR4Ygz8uCEnZw 4ZTor++365XTztfold2qXHM9uh19fT3LRFI6OQ0S9gHfAwCDwYDSsBCUGfla S6bM387YQLaz/7Y/BzZt9//hgwOU3l1JxixFBklOJKBpX5Ug2z5s8+knWM+b Bk1r84HkrPlgsxlbQjew2vzXAiYPJFmnfXzrk/kLCr2++ZhgSwzzlwZvSumb t8UywYSj86KZJrMkLQFsUZbEzl/Dr8umxLbY4wTbPcH0Gpg0/P4/kF+D6l88 JH1zDoI4NxdJuabeeAAU5kxCF/NtwUKDQ3WLhc2pucpAI4djdDUDs7jMLJzI nzO8IqNI4KHLBNQNTKHKxE6HM5Qv5hY2/5cU5n6xBNPKXDQrTHWq8Hl49wIv tIFB36UrfH6TY/OWdAvYItfofZovYY6j9G9NDovHKzOuUUW6w5gMwHibLHLg XR8tlk5mDWoe54Cirbmx6QRevLQT1h6LDMseUC9Lmsx8lBi1ZMmnpRB1JTfz rFi2hhtK8TfaU5LL8cbi7D+muYPJ9/XgqVRSI51raddAzyBD/y8igndxr7wA AA==overlay L2 network. --></rfc>