IPv6 Backbone Router
RFC 8929

Document Type RFC - Proposed Standard (November 2020)
Authors Pascal Thubert, Charles E. Perkins, Eric Levy-Abegnoli
Last updated 2020-11-23
RFC stream Internet Engineering Task Force (IETF)
IESG Responsible AD Suresh Krishnan
"Moved") if a new 6BBR
   claims a fresher registration (same ROVR, fresher TID) for the same
   address.  The old 6BBR MAY preserve a temporary state in order to
   forward packets in flight.  The state may be, for instance, an NCE
   that was formed when an NA message was received.  It may also be a
   Binding Table entry in Stale state, pointing at the new 6BBR on the
   backbone or any other abstract cache entry that can be used to
   resolve the link-layer address of the new 6BBR.  The old 6BBR SHOULD
   also use REDIRECT messages pointing at the new 6BBR to update the
   correspondents of the Registered Address, as specified in [RFC4861].

9.1.  Operations on a Binding in Tentative State

   The Tentative state covers a DAD period over the backbone during
   which an address being registered is checked for duplication using
   the procedures defined in [RFC4862].

   For a Binding in Tentative state:

   *  The Binding MUST be removed if an NA message is received over the
      backbone for the Registered Address with no EARO or with an EARO
      that indicates an existing registration owned by a different
      Registering Node (different ROVR).  In that case, an NA is sent
      back to the Registering Node with a status code of 1 ("Duplicate
      Address") to indicate that the Binding has been rejected.  This
      behavior might be overridden by policy, in particular if the
      registration is trusted, e.g., based on the validation of the ROVR
      field (see [RFC8928]).

   *  The Binding MUST be removed if an NS(DAD) message is received over
      the backbone for the Registered Address with no EARO or with an
      EARO that has a different ROVR that indicates a tentative
      registration by a different Registering Node.  In that case, an NA
      is sent back to the Registering Node with a status code of 1
      ("Duplicate Address").  This behavior might be overridden by
      policy, in particular if the registration is trusted, e.g., based
      on the validation of the ROVR field (see [RFC8928]).

   *  The Binding MUST be removed if an NA or an NS(DAD) message is
      received over the backbone for the Registered Address and contains
      an EARO that indicates a fresher registration [RFC8505] for the
      same Registering Node (same ROVR).  In that case, an NA MUST be
      sent back to the Registering Node with a status code of 3
      ("Moved").

   *  The Binding MUST be kept unchanged if an NA or an NS(DAD) message
      is received over the backbone for the Registered Address and
      contains an EARO that indicates an older registration [RFC8505]
      for the same Registering Node (same ROVR).  The message is
      answered with an NA that carries an EARO with a status code of 3
      ("Moved") and the Override flag not set.  This behavior might be
      overridden by policy, in particular if the registration is not
      trusted.

   *  Other NS(DAD) and NA messages from the backbone are ignored.

   *  NS(Lookup) and NS(NUD) messages SHOULD be optimistically answered
      with an NA message containing an EARO with a status code of 0
      ("Success") and the Override flag not set (see Section 3.6).  If
      optimistic DAD is disabled, then they SHOULD be queued to be
      answered when the Binding goes to Reachable state.

   When the TENTATIVE_DURATION (Section 12) timer elapses, the Binding
   is placed in Reachable state for the Registration Lifetime, and the
   6BBR returns an NA(EARO) to the Registering Node with a status code
   of 0 ("Success").

   The 6BBR also attempts to take over any existing Binding from other
   6BBRs and to update existing NCEs in backbone nodes.  This is done by
   sending an NA message with an EARO and the Override flag not set over
   the backbone (see Sections 7 and 8).

9.2.  Operations on a Binding in Reachable State

   The Reachable state covers an active registration after a successful
   DAD process.

   If the Registration Lifetime is of a long duration, an implementation
   might be configured to reassess the availability of the Registering
   Node at a lower period, using a NUD procedure as specified in
   [RFC7048].  If the NUD procedure fails, the Binding SHOULD be placed
   in Stale state immediately.

   For a Binding in Reachable state:

   *  The Binding MUST be removed if an NA or an NS(DAD) message is
      received over the backbone for the Registered Address and contains
      an EARO that indicates a fresher registration [RFC8505] for the
      same Registered Node (i.e., same ROVR but fresher TID).  A status
      code of 4 ("Removed") is returned in an asynchronous NA(EARO) to
      the Registering Node.  Based on configuration, an implementation
      may delay this operation by a timer with a short setting, e.g., a
      few seconds to a minute, in order to allow for a parallel
      registration to reach this node, in which case the NA might be
      ignored.

   *  NS(DAD) and NA messages containing an EARO that indicates a
      registration for the same Registered Node that is not as fresh as
      this Binding MUST be answered with an NA message containing an
      EARO with a status code of 3 ("Moved").

   *  An NS(DAD) with no EARO or with an EARO that indicates a duplicate
      registration (i.e., different ROVR) MUST be answered with an NA
      message containing an EARO with a status code of 1 ("Duplicate
      Address") and the Override flag not set, unless the received
      message is an NA that carries an EARO with a status code of 1
      ("Duplicate Address"), in which case the node refrains from
      answering.

   *  Other NS(DAD) and NA messages from the backbone are ignored.

   *  NS(Lookup) and NS(NUD) messages SHOULD be answered with an NA
      message containing an EARO with a status code of 0 ("Success") and
      the Override flag not set.  The 6BBR MAY check whether the
      Registering Node is still available using a NUD procedure over the
      LLN prior to answering; this behavior depends on the use case and
      is subject to configuration.

   When the Registration Lifetime timer elapses, the Binding is placed
   in Stale state for a duration of STALE_DURATION (Section 12).

9.3.  Operations on a Binding in Stale State

   The Stale state enables tracking of the backbone peers that have an
   NCE pointing to this 6BBR in case the Registered Address shows up
   later.

   If the Registered Address is claimed by another 6LN on the backbone,
   with an NS(DAD) or an NA, the 6BBR does not defend the address.

   For a Binding in Stale state:

   *  The Binding MUST be removed if an NA or an NS(DAD) message is
      received over the backbone for the Registered Address with no EARO
      or with an EARO that indicates either a fresher registration for
      the same Registered Node or a duplicate registration.  A status
      code of 4 ("Removed") MAY be returned in an asynchronous NA(EARO)
      to the Registering Node.

   *  NS(DAD) and NA messages containing an EARO that indicates a
      registration for the same Registered Node that is not as fresh as
      this MUST be answered with an NA message containing an EARO with a
      status code of 3 ("Moved").

   *  If the 6BBR receives an NS(Lookup) or an NS(NUD) message for the
      Registered Address, the 6BBR MUST attempt a NUD procedure as
      specified in [RFC7048] to the Registering Node, targeting the
      Registered Address, prior to answering.  If the NUD procedure
      succeeds, the operation in Reachable state applies.  If the NUD
      fails, the 6BBR refrains from answering.

   *  Other NS(DAD) and NA messages from the backbone are ignored.

   When the STALE_DURATION (Section 12) timer elapses, the Binding MUST
   be removed.
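
   The per-state rules of Sections 9.1 to 9.3 can be read as one
   decision table keyed on Binding state, message type, ROVR match, and
   TID freshness.  The Python sketch below is an added example, not part
   of RFC 8929 or of any implementation of it.  Its names (State,
   Decision, on_backbone_message, on_timer, fresher) are hypothetical,
   its TID comparison is a simplified stand-in for the one [RFC8505]
   defines, and the policy overrides mentioned in the text are left out.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class State(Enum):
    TENTATIVE = "Tentative"
    REACHABLE = "Reachable"
    STALE = "Stale"


# EARO status codes as quoted in Section 9.
SUCCESS, DUPLICATE, MOVED, REMOVED = 0, 1, 3, 4


@dataclass(frozen=True)
class Earo:
    rovr: bytes   # identifies the Registering Node
    tid: int      # freshness of the registration


@dataclass(frozen=True)
class Decision:
    remove: bool = False               # drop the Binding
    to_node: Optional[int] = None      # status of the NA(EARO) sent to the Registering Node
    to_backbone: Optional[int] = None  # status of the NA(EARO) answered on the backbone
    queue: bool = False                # hold the answer until the Binding is Reachable


IGNORE = Decision()


def fresher(a: int, b: int) -> bool:
    """True if TID a is fresher than TID b.

    Assumption: a simplified 8-bit serial-number comparison, standing in
    for the TID comparison that [RFC8505] defines.
    """
    return 0 < (a - b) % 256 < 128


def on_backbone_message(state: State, rovr: bytes, tid: int, kind: str,
                        earo: Optional[Earo] = None,
                        optimistic: bool = True,
                        nud_ok: bool = False) -> Decision:
    """Decide what a 6BBR does with a message received over the backbone
    for a Registered Address whose Binding is (state, rovr, tid).

    kind is "NS_DAD", "NA", "NS_LOOKUP" or "NS_NUD"; earo is None when
    the message carries no EARO; nud_ok is the outcome of the NUD toward
    the Registering Node that the Stale state requires before answering.
    """
    if kind in ("NS_LOOKUP", "NS_NUD"):
        if state is State.TENTATIVE and not optimistic:
            return Decision(queue=True)           # answered once Reachable
        if state is State.STALE and not nud_ok:
            return IGNORE                         # NUD failed: refrain
        return Decision(to_backbone=SUCCESS)      # Override flag not set
    if kind not in ("NS_DAD", "NA"):
        raise ValueError("unknown message kind: " + kind)

    # No EARO, or an EARO owned by a different Registering Node.
    if earo is None or earo.rovr != rovr:
        if state is State.TENTATIVE:
            return Decision(remove=True, to_node=DUPLICATE)
        if state is State.REACHABLE:
            # Literal reading of Section 9.2: only an NS(DAD) is answered.
            # An NA is left unanswered, which includes the case of an NA
            # that itself carries status 1.
            return Decision(to_backbone=DUPLICATE) if kind == "NS_DAD" else IGNORE
        return Decision(remove=True, to_node=REMOVED)   # Stale: status 4 is a MAY

    # Same ROVR from here on: movement, not duplication.
    if fresher(earo.tid, tid):
        status = MOVED if state is State.TENTATIVE else REMOVED
        return Decision(remove=True, to_node=status)
    if fresher(tid, earo.tid):
        return Decision(to_backbone=MOVED)        # Binding kept unchanged
    return IGNORE                                 # "other" messages


def on_timer(state: State) -> Tuple[Optional[State], Optional[int]]:
    """Timer expiry: (next state or None if removed, status sent to the node)."""
    if state is State.TENTATIVE:      # TENTATIVE_DURATION elapsed
        return State.REACHABLE, SUCCESS
    if state is State.REACHABLE:      # Registration Lifetime elapsed
        return State.STALE, None
    return None, None                 # STALE_DURATION elapsed


if __name__ == "__main__":
    # Constructed case: a Reachable Binding sees the same ROVR with a fresher TID.
    print(on_backbone_message(State.REACHABLE, b"A", 10, "NS_DAD", Earo(b"A", 11)))
```
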

10.  Registering Node Considerations

   A Registering Node MUST implement [RFC8505] in order to interact with
   a 6BBR (which acts as a Routing Registrar).  Following [RFC8505], the
   Registering Node signals that it requires IPv6 ND proxy services from
   a 6BBR by registering the corresponding IPv6 address using an
   NS(EARO) message with the R flag set.

   The Registering Node may be the 6LN owning the IPv6 address or a 6LBR
   that performs the registration on its behalf in a route-over mesh.

   A 6LN MUST register all of its IPv6 addresses to its 6LR, which is
   the 6BBR when they are connected at Layer 2.  Failure to register an
   address may result in the address being unreachable by other parties.
   This would happen, for instance, if the 6BBR propagates the
   NS(Lookup) from the backbone only to the LLN nodes that do not
   register their addresses.

   The Registering Node MUST refrain from using multicast NS(Lookup)
   when the destination is not known as on-link, e.g., if the prefix is
   advertised in a PIO with the L flag not set.  In that case, the
   Registering Node sends its packets directly to its 6LR.

   The Registering Node SHOULD also follow BCP 202 [RFC7772] in order to
   limit the use of multicast RAs.  It SHOULD also implement "Simple
   Procedures for Detecting Network Attachment in IPv6" [RFC6059] (DNA
   procedures) to detect movements and support "Packet-Loss Resiliency
   for Router Solicitations" [RFC7559] in order to improve reliability
   for the unicast RS messages.

11.  Security Considerations

   The procedures in this document modify the mechanisms used for IPv6
   ND and DAD and should not affect other aspects of IPv6 or higher-
   level-protocol operation.  As such, the main classes of attacks that
   are in play are those that work to block Neighbor Discovery or to
   forcibly claim an address that another node is attempting to use.  In
   the absence of cryptographic protection at higher layers, the latter
   class of attacks can have significant consequences, with the attacker
   being able to read all the "stolen" traffic that was directed to the
   target of the attack.

   This specification applies to LLNs and a backbone in which the
   individual links are protected against rogue access on the LLN by
   authenticating a node that attaches to the network and encrypting the
   transmissions at the link layer and on the backbone side, using the
   physical security and access control measures that are typically
   applied there; thus, packets may neither be forged nor overheard.

   In particular, the LLN link layer is required to provide secure
   unicast to/from the Backbone Router and secure broadcast from the
   routers in a way that prevents tampering with or replaying the ND
   messages.

   For the IPv6 ND operation over the backbone, and unless the classical
   ND is disabled (e.g., by configuration), the classical ND messages
   are interpreted as emitted by the address owner and have precedence
   over the 6BBR that is only a proxy.

   As a result, the security threats that are detailed in Section 11.1
   of [RFC4861] fully apply to this specification as well.  In short:

   *  Any node that can send a packet on the backbone can take over any
      address, including addresses of LLN nodes, by claiming it with an
      NA message and the Override bit set.  This means that the real
      owner will stop receiving its packets.

   *  Any node that can send a packet on the backbone can forge traffic
      and pretend it is issued from an address that it does not own,
      even if it did not claim the address using ND.

   *  Any node that can send a packet on the backbone can present itself
      as a preferred router to intercept all traffic outgoing on the
      subnet.  It may even expose a prefix on the subnet as "not-on-
      link" and intercept all the traffic within the subnet.

   *  If the rogue can receive a packet from the backbone, it can also
      snoop all the intercepted traffic, by stealing an address or the
      role of a router.

   This means that any rogue access to the backbone must be prevented at
   all times, and nodes that are attached to the backbone must be fully
   trusted / never compromised.

   Using address registration as the sole ND mechanism on a link and
   coupling it with [RFC8928] guarantees the ownership of a Registered
   Address within that link.

   *  The protection is based on a proof of ownership encoded in the
      ROVR field, and it protects against address theft and
      impersonation by a 6LN, because the 6LR can challenge the
      Registered Node for a proof of ownership.

   *  The protection extends to the full LLN in the case of an LLN link,
      but it does not extend over the backbone since the 6BBR cannot
      provide the proof of ownership when it defends the address.

   A possible attack over the backbone can be done by sending an NS with
   an EARO and expecting the NA(EARO) back to contain the TID and ROVR
   fields of the existing state.  With that information, the attacker
   can easily increase the TID and take over the Binding.
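
   The backbone threats listed above can be watched for by auditing
   observed ND messages against the 6BBR's Binding Table.  The Python
   sketch below is an added example, not part of RFC 8929.  The event
   fields, the finding labels, the allowlist of trusted router
   link-layer addresses, the simplified TID comparison, and the sample
   data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    rovr: bytes
    tid: int


@dataclass(frozen=True)
class NdEvent:
    src: str                      # link-layer source seen on the backbone
    kind: str                     # "NS" or "NA"
    target: str                   # Target Address of the message
    override: bool = False        # Override flag (NA only)
    rovr: Optional[bytes] = None  # None means the message carries no EARO
    tid: int = 0


def audit_backbone(events: List[NdEvent],
                   bindings: Dict[str, Binding],
                   trusted: Set[str]) -> List[Tuple[int, str]]:
    """Return (event index, label) for messages that match the threats in
    Section 11 and come from a source that is not a trusted router."""
    findings: List[Tuple[int, str]] = []
    probed: Set[Tuple[str, str]] = set()   # (src, target) that sent a foreign-ROVR NS(EARO)
    for i, ev in enumerate(events):
        b = bindings.get(ev.target)
        if b is None or ev.src in trusted:
            continue                       # not a Registered Address, or a known router
        if ev.kind == "NA" and ev.override and ev.rovr is None:
            # Classical ND claim with the Override bit set.
            findings.append((i, "classical-override-claim"))
        elif ev.kind == "NS" and ev.rovr is not None and ev.rovr != b.rovr:
            # NS(EARO) whose answer would expose the Binding's ROVR and TID.
            probed.add((ev.src, ev.target))
            findings.append((i, "earo-probe"))
        elif ev.rovr == b.rovr and 0 < (ev.tid - b.tid) % 256 < 128:
            # Same ROVR with a fresher TID: a takeover unless the node really moved.
            seen = (ev.src, ev.target) in probed
            findings.append((i, "tid-takeover-after-probe" if seen
                             else "fresher-claim-untrusted-source"))
    return findings


# Constructed sample data (documentation prefix, made-up link-layer addresses).
SAMPLE_BINDINGS = {"2001:db8::10": Binding(rovr=b"\x01" * 8, tid=10)}
SAMPLE_TRUSTED = {"02:00:00:00:00:01"}
SAMPLE_EVENTS = [
    # 0: a known 6BBR announces a fresher registration (legitimate roaming)
    NdEvent("02:00:00:00:00:01", "NA", "2001:db8::10", rovr=b"\x01" * 8, tid=11),
    # 1: unknown source sends NS(EARO) with its own ROVR for the Registered Address
    NdEvent("02:00:00:00:00:99", "NS", "2001:db8::10", rovr=b"\xee" * 8),
    # 2: the same source then presents the Binding's ROVR with TID + 1
    NdEvent("02:00:00:00:00:99", "NA", "2001:db8::10", rovr=b"\x01" * 8, tid=11),
    # 3: unknown source claims the address with classical ND and Override set
    NdEvent("02:00:00:00:00:77", "NA", "2001:db8::10", override=True),
    # 4: same claim for an address with no Binding: outside this audit
    NdEvent("02:00:00:00:00:77", "NA", "2001:db8::20", override=True),
]

if __name__ == "__main__":
    for index, label in audit_backbone(SAMPLE_EVENTS, SAMPLE_BINDINGS, SAMPLE_TRUSTED):
        print(index, label)
```
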

   If the classical ND is disabled on the backbone and the use of
   [RFC8928] and a 6LBR are mandated, the network will benefit from the
   following new advantages:

   Zero-trust security for ND flows within the whole subnet:  the
      increased security that [RFC8928] provides on the LLN will also
      apply to the backbone; it becomes impossible for an attached node
      to claim an address that belongs to another node using ND, and the
      network can filter packets that are not originated by the owner of
      the source address (Source Address Validation Improvement (SAVI)),
      as long as the routers are known and trusted.

   Remote ND DoS attack avoidance:  the complete list of addresses in
      the network will be known to the 6LBR and available to the default
      router; with that information, the router does not need to send a
      multicast NS(Lookup) in case of a Neighbor Cache miss for an
      incoming packet, which is a source of remote DoS attack against
      the network.

   Less IPv6 ND-related multicast on the backbone:  DAD and NS(Lookup)
      become unicast queries to the 6LBR.

   Better DAD operation on wireless:  DAD has been found to fail to
      detect duplications on large Wi-Fi infrastructures due to the
      unreliable broadcast operation on wireless; using a 6LBR enables a
      unicast lookup.

   Less Layer 2 churn on the backbone:  Using the Routing Proxy
      approach, the link-layer address of the LLN devices and their
      mobility are not visible in the backbone; only the link-layer
      addresses of the 6BBR and backbone nodes are visible at Layer 2 on
      the backbone.  This is mandatory for LLNs that cannot be bridged
      on the backbone and useful in any case to scale down, stabilize
      the forwarding tables at Layer 2, and avoid the gratuitous frames
      that are typically broadcasted to fix the transparent bridging
      tables when a wireless node roams from an AP to the next.

   This specification introduces a 6BBR that is a router on the path of
   the LLN traffic and a 6LBR that is used for the lookup.  They could
   be interesting targets for an attacker.  A compromised 6BBR can
   accept a registration but block the traffic or refrain from proxying.
   A compromised 6LBR may unduly accept the transfer of ownership of an
   address or block a newcomer by faking that its address is a
   duplicate.  But those attacks are possible in a classical network
   from a compromised default router and a DHCP server, respectively,
   and can be prevented using the same methods.

   A possible attack over the LLN can still be done by compromising a
   6LR.  A compromised 6LR may modify the ROVR of EDAR messages in
   flight and transfer the ownership of the Registered Address to itself
   or a tier.  It may also claim that a ROVR was validated when it
   really wasn't and reattribute an address to itself or to an attached
   6LN.  This means that 6LRs, as well as 6LBRs and 6BBRs, must still be
   fully trusted / never compromised.

   This specification mandates checking on the 6LBR on the backbone
   before doing the classical DAD, in case the address already exists.
   This may delay the DAD operation and should be protected by a short
   timer, in the order of 100 ms or less, which will only represent a
   small extra delay versus the 1 s wait of the DAD operation.

12.  Protocol Constants

   This specification uses the following constants:

   TENTATIVE_DURATION:  800 milliseconds

   In LLNs with long-lived addresses such as Low-Power WAN (LPWANs),
   STALE_DURATION SHOULD be configured with a relatively long value to
   cover an interval when the address may be reused and before it is
   safe to expect that the address was definitively released.  A good
   default value is 24 hours.  In LLNs where addresses are renewed
   rapidly, e.g., for privacy reasons, STALE_DURATION SHOULD be
   configured with a relatively shorter value -- 5 minutes by default.

13.  IANA Considerations

   This document has no IANA actions.

14.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, DOI 10.17487/RFC4291, February
              2006, <https://www.rfc-editor.org/info/rfc4291>.

   [RFC4429]  Moore, N., "Optimistic Duplicate Address Detection (DAD)
              for IPv6", RFC 4429, DOI 10.17487/RFC4429, April 2006,
              <https://www.rfc-editor.org/info/rfc4429>.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              DOI 10.17487/RFC4861, September 2007,
              <https://www.rfc-editor.org/info/rfc4861>.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862,
              DOI 10.17487/RFC4862, September 2007,
              <https://www.rfc-editor.org/info/rfc4862>.

   [RFC6059]  Krishnan, S. and G. Daley, "Simple Procedures for
              Detecting Network Attachment in IPv6", RFC 6059,
              DOI 10.17487/RFC6059, November 2010,
              <https://www.rfc-editor.org/info/rfc6059>.

   [RFC6775]  Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C.
              Bormann, "Neighbor Discovery Optimization for IPv6 over
              Low-Power Wireless Personal Area Networks (6LoWPANs)",
              RFC 6775, DOI 10.17487/RFC6775, November 2012,
              <https://www.rfc-editor.org/info/rfc6775>.

   [RFC7048]  Nordmark, E. and I. Gashinsky, "Neighbor Unreachability
              Detection Is Too Impatient", RFC 7048,
              DOI 10.17487/RFC7048, January 2014,
              <https://www.rfc-editor.org/info/rfc7048>.

   [RFC7559]  Krishnan, S., Anipko, D., and D. Thaler, "Packet-Loss
              Resiliency for Router Solicitations", RFC 7559,
              DOI 10.17487/RFC7559, May 2015,
              <https://www.rfc-editor.org/info/rfc7559>.

   [RFC7772]  Yourtchenko, A. and L. Colitti, "Reducing Energy
              Consumption of Router Advertisements", BCP 202, RFC 7772,
              DOI 10.17487/RFC7772, February 2016,
              <https://www.rfc-editor.org/info/rfc7772>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017,
              <https://www.rfc-editor.org/info/rfc8200>.

   [RFC8201]  McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed.,
              "Path MTU Discovery for IP version 6", STD 87, RFC 8201,
              DOI 10.17487/RFC8201, July 2017,
              <https://www.rfc-editor.org/info/rfc8201>.

   [RFC8505]  Thubert, P., Ed., Nordmark, E., Chakrabarti, S., and C.
              Perkins, "Registration Extensions for IPv6 over Low-Power
              Wireless Personal Area Network (6LoWPAN) Neighbor
              Discovery", RFC 8505, DOI 10.17487/RFC8505, November 2018,
              <https://www.rfc-editor.org/info/rfc8505>.

15.  Informative References

   [6TiSCH]   Thubert, P., "An Architecture for IPv6 over the TSCH mode
              of IEEE 802.15.4", Work in Progress, Internet-Draft,
              draft-ietf-6tisch-architecture-29, 27 August 2020,
              <https://tools.ietf.org/html/draft-ietf-6tisch-
              architecture-29>.

   [DAD-APPROACHES]
              Nordmark, E., "Possible approaches to make DAD more robust
              and/or efficient", Work in Progress, Internet-Draft,
              draft-nordmark-6man-dad-approaches-02, 19 October 2015,
              <https://tools.ietf.org/html/draft-nordmark-6man-dad-
              approaches-02>.

   [DAD-ISSUES]
              Yourtchenko, A. and E. Nordmark, "A survey of issues
              related to IPv6 Duplicate Address Detection", Work in
              Progress, Internet-Draft, draft-yourtchenko-6man-dad-
              issues-01, 3 March 2015, <https://tools.ietf.org/html/
              draft-yourtchenko-6man-dad-issues-01>.

   [IEEEstd80211]
              IEEE, "IEEE Standard for Information technology--
              Telecommunications and information exchange between
              systems Local and metropolitan area networks--Specific
              requirements - Part 11: Wireless LAN Medium Access Control
              (MAC) and Physical Layer (PHY) Specifications",
              IEEE 802.11-2012, DOI 10.1109/ieeestd.2016.7786995,
              December 2016,
              <https://ieeexplore.ieee.org/document/7786995>.

   [IEEEstd802151]
              IEEE, "IEEE Standard for Information technology--Local and
              metropolitan area networks--Specific requirements--Part
              15.1a: Wireless Medium Access Control (MAC) and Physical
              Layer (PHY) specifications for Wireless Personal Area
              Networks (WPAN)", IEEE 802.15.1-2005,
              DOI 10.1109/ieeestd.2005.96290, June 2005,
              <https://ieeexplore.ieee.org/document/1490827>.

   [IEEEstd802154]
              IEEE, "IEEE Standard for Local and metropolitan area
              networks--Part 15.4: Low-Rate Wireless Personal Area
              Networks (LR-WPANs)", IEEE 802.15.4-2011,
              DOI 10.1109/ieeestd.2011.6012487, September 2011,
              <https://ieeexplore.ieee.org/document/6012487>.

   [IEEEstd8021Q]
              IEEE, "IEEE Standard for Local and Metropolitan Area
              Networks--Bridges and Bridged Networks", IEEE 802.1Q-2018,
              DOI 10.1109/IEEESTD.2018.8403927, July 2018,
              <https://ieeexplore.ieee.org/document/8403927>.

   [MCAST-PROBLEMS]
              Perkins, C. E., McBride, M., Stanley, D., Kumari, W., and
              J. C. Zuniga, "Multicast Considerations over IEEE 802
              Wireless Media", Work in Progress, Internet-Draft, draft-
              ietf-mboned-ieee802-mcast-problems-12, 26 October 2020,
              <https://tools.ietf.org/html/draft-ietf-mboned-ieee802-
              mcast-problems-12>.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006,
              <https://www.rfc-editor.org/info/rfc4271>.

   [RFC4389]  Thaler, D., Talwar, M., and C. Patel, "Neighbor Discovery
              Proxies (ND Proxy)", RFC 4389, DOI 10.17487/RFC4389, April
              2006, <https://www.rfc-editor.org/info/rfc4389>.

   [RFC4903]  Thaler, D., "Multi-Link Subnet Issues", RFC 4903,
              DOI 10.17487/RFC4903, June 2007,
              <https://www.rfc-editor.org/info/rfc4903>.

   [RFC5340]  Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF
              for IPv6", RFC 5340, DOI 10.17487/RFC5340, July 2008,
              <https://www.rfc-editor.org/info/rfc5340>.

   [RFC5415]  Calhoun, P., Ed., Montemurro, M., Ed., and D. Stanley,
              Ed., "Control And Provisioning of Wireless Access Points
              (CAPWAP) Protocol Specification", RFC 5415,
              DOI 10.17487/RFC5415, March 2009,
              <https://www.rfc-editor.org/info/rfc5415>.

   [RFC6275]  Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility
              Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July
              2011, <https://www.rfc-editor.org/info/rfc6275>.

   [RFC6550]  Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
              Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
              JP., and R. Alexander, "RPL: IPv6 Routing Protocol for
              Low-Power and Lossy Networks", RFC 6550,
              DOI 10.17487/RFC6550, March 2012,
              <https://www.rfc-editor.org/info/rfc6550>.

   [RFC6606]  Kim, E., Kaspar, D., Gomez, C., and C. Bormann, "Problem
              Statement and Requirements for IPv6 over Low-Power
              Wireless Personal Area Network (6LoWPAN) Routing",
              RFC 6606, DOI 10.17487/RFC6606, May 2012,
              <https://www.rfc-editor.org/info/rfc6606>.

   [RFC6830]  Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
              Locator/ID Separation Protocol (LISP)", RFC 6830,
              DOI 10.17487/RFC6830, January 2013,
              <https://www.rfc-editor.org/info/rfc6830>.

   [RFC7432]  Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A.,
              Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based
              Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February
              2015, <https://www.rfc-editor.org/info/rfc7432>.

   [RFC8273]  Brzozowski, J. and G. Van de Velde, "Unique IPv6 Prefix
              per Host", RFC 8273, DOI 10.17487/RFC8273, December 2017,
              <https://www.rfc-editor.org/info/rfc8273>.

   [RFC8928]  Thubert, P., Ed., Sarikaya, B., Sethi, M., and R. Struik,
              "Address-Protected Neighbor Discovery for Low-Power and
              Lossy Networks", RFC 8928, DOI 10.17487/RFC8928, November
              2020, <https://www.rfc-editor.org/info/rfc8928>.

   [RIFT]     Przygienda, T., Sharma, A., Thubert, P., Rijsman, B., and
              D. Afanasiev, "RIFT: Routing in Fat Trees", Work in
              Progress, Internet-Draft, draft-ietf-rift-rift-12, 26 May
              2020,
              <https://tools.ietf.org/html/draft-ietf-rift-rift-12>.

   [RPL-LEAVES]
              Thubert, P. and M. C. Richardson, "Routing for RPL
              Leaves", Work in Progress, Internet-Draft, draft-ietf-
              roll-unaware-leaves-23, 10 November 2020,
              <https://tools.ietf.org/html/draft-ietf-roll-unaware-
              leaves-23>.

   [RS-REFRESH]
              Nordmark, E., Yourtchenko, A., and S. Krishnan, "IPv6
              Neighbor Discovery Optional RS/RA Refresh", Work in
              Progress, Internet-Draft, draft-ietf-6man-rs-refresh-02,
              31 October 2016, <https://tools.ietf.org/html/draft-ietf-
              6man-rs-refresh-02>.

   [SAVI-WLAN]
              Bi, J., Wu, J., Wang, Y., and T. Lin, "A SAVI Solution for
              WLAN", Work in Progress, Internet-Draft, draft-bi-savi-
              wlan-20, 14 November 2020,
              <https://tools.ietf.org/html/draft-bi-savi-wlan-20>.

   [UNICAST-LOOKUP]
              Thubert, P. and E. Levy-Abegnoli, "IPv6 Neighbor Discovery
              Unicast Lookup", Work in Progress, Internet-Draft, draft-
              thubert-6lo-unicast-lookup-00, 25 January 2019,
              <https://tools.ietf.org/html/draft-thubert-6lo-unicast-
              lookup-00>.

Appendix A.  Possible Future Extensions

   With the current specification, the 6LBR is not leveraged to avoid
   multicast NS(Lookup) on the backbone.  This could be done by adding a
   lookup procedure in the EDAR/EDAC exchange.

   By default, the specification does not have a fine-grained trust
   model: all nodes that can authenticate to the LLN link layer or
   attach to the backbone are equally trusted.  It would be desirable to
   provide a stronger authorization model, e.g., whereby nodes that
   associate their address with a proof of ownership [RFC8928] should be
   trusted more than nodes that do not.  Such a trust model and related
   signaling could be added in the future to override the default
   operation and favor trusted nodes.

   As an alternative to the ND Proxy operation, the registration may be
   redistributed as a host route in a routing protocol that would
   operate over the backbone; this is already happening in IoT networks
   [RPL-LEAVES] and Data Center Routing [RIFT] and could be extended to
   other protocols, e.g., BGP [RFC4271] and OSPFv3 [RFC5340].  The
   registration may also be advertised in an overlay protocol such as
   Mobile IPv6 (MIPv6) [RFC6275], the Locator/ID Separation Protocol
   (LISP) [RFC6830], or Ethernet VPN (EVPN) [RFC7432].

Appendix B.  Applicability and Requirements Served

   This document specifies ND proxy functions that can be used to
   federate an IPv6 Backbone Link and multiple IPv6 LLNs into a single
   MLSN.  The ND proxy functions enable IPv6 ND services for DAD and
   address lookup that do not require broadcasts over the LLNs.

   The term LLN is used to cover multiple types of WLANs and WPANs,
   including (Low-Power) Wi-Fi, BLUETOOTH(R) Low Energy, IEEE Std
   802.11ah and IEEE Std 802.15.4 wireless meshes, and the types of
   networks listed in "Requirements Related to Various Low-Power Link
   Types" (see Appendix B.3 of [RFC8505]).

   Each LLN in the subnet is attached to a 6BBR.  The Backbone Routers
   interconnect the LLNs and advertise the addresses of the 6LNs over
   the Backbone Link using ND proxy operations.

   This specification updates IPv6 ND over the backbone to distinguish
   address movement from duplication and eliminate Stale state in the
   backbone routers and backbone nodes once a 6LN has roamed.  This way,
   mobile nodes may roam rapidly from one 6BBR to the next, and
   requirements are met per "Requirements Related to Mobility" (see
   Appendix B.1 of [RFC8505]).

   A 6LN can register its IPv6 addresses and thereby obtain ND proxy
   services over the backbone, meeting the requirements expressed in
   "Requirements Related to Proxy Operations" (see Appendix B.4 of
   [RFC8505]).

   The negative impact of the IPv6 ND-related broadcasts can be limited
   to one of the federated links, enabling the number of 6LNs to grow.
   The Routing Proxy operation avoids the need to expose the link-layer
   addresses of the 6LNs onto the backbone, keeping the Layer 2 topology
   simple and stable.  This meets the requirements in "Requirements
   Related to Scalability" (see Appendix B.6 of [RFC8505]), as long as
   the 6BBRs are dimensioned for the number of registrations that each
   needs to support.

   In the case of a Wi-Fi access link, a 6BBR may be collocated with the
   AP, a Fabric Edge (FE), or a Control and Provisioning of Wireless
   Access Points (CAPWAP) [RFC5415] Wireless LAN Controller (WLC).  In
   those cases, the wireless client (STA) is the 6LN that makes use of
   [RFC8505] to register its IPv6 address(es) to the 6BBR acting as the
   Routing Registrar.  The 6LBR can be centralized and either connected
   to the Backbone Link or reachable over IP.  The 6BBR ND proxy
   operations eliminate the need for wireless nodes to respond
   synchronously when a lookup is performed for their IPv6 addresses.
   This provides the function of a Sleep Proxy for ND [DAD-APPROACHES].

   For the Time-Slotted Channel Hopping (TSCH) mode of [IEEEstd802154],
   the 6TiSCH architecture [6TiSCH] describes how a 6LoWPAN ND host
   could connect to the Internet via a RPL mesh network, but doing so
   requires extensions to the 6LoWPAN ND protocol to support mobility
   and reachability in a secure and manageable environment.  The
   extensions detailed in this document also work for the 6TiSCH
   architecture, serving the requirements listed in "Requirements
   Related to Routing Protocols" (see Appendix B.2 of [RFC8505]).

   The registration mechanism may be seen as a more reliable alternative
   to snooping [SAVI-WLAN].  Note that registration and snooping are not
   mutually exclusive.  Snooping may be used in conjunction with the
   registration for nodes that do not register their IPv6 addresses.
   The 6BBR assumes that if a node registers at least one IPv6 address
   to it, then the node registers all of its addresses to the 6BBR.
   With this assumption, the 6BBR can possibly cancel all undesirable
   multicast NS messages that would otherwise have been delivered to
   that node.

   Scalability of the MLSN [RFC4903] requires avoidance of multicast/
   broadcast operations as much as possible even on the backbone
   [MCAST-PROBLEMS].  Although hosts can connect to the backbone using
   IPv6 ND operations, multicast RAs can be saved by using [RS-REFRESH],
   which also requires the support of [RFC7559].

Acknowledgments

   Many thanks to Dorothy Stanley, Thomas Watteyne, and Jerome Henry for
   their various contributions.  Also, many thanks to Timothy Winters
   and Erik Nordmark for their help, review, and support in preparation
   for the IESG cycle and to Kyle Rose, Elwyn Davies, Barry Leiba, Mirja
   Kühlewind, Alvaro Retana, Roman Danyliw, and especially Dominique
   Barthel and Benjamin Kaduk for their useful contributions through the
   IETF Last Call and IESG process.

Authors' Addresses

   Pascal Thubert (editor)
   Cisco Systems, Inc.
   Building D
   45 Allee des Ormes - BP1200
   06254 MOUGINS - Sophia Antipolis
   France

   Phone: +33 497 23 26 34
   Email: pthubert@cisco.com

   Charles E. Perkins
   Blue Meadow Networking
   Saratoga, CA 95070
   United States of America

   Email: charliep@computer.org

   Eric Levy-Abegnoli
   Cisco Systems, Inc.
   Building D
   45 Allee des Ormes - BP1200
   06254 MOUGINS - Sophia Antipolis
   France

   Phone: +33 497 23 26 20
   Email: elevyabe@cisco.com