IPv6 Backbone Router
RFC 8929
Document | Type | RFC - Proposed Standard (November 2020) | |
---|---|---|---|
Authors | Pascal Thubert , Charles E. Perkins , Eric Levy-Abegnoli | ||
Last updated | 2020-11-23 | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Additional resources | Mailing list discussion | ||
IESG | Responsible AD | Suresh Krishnan | |
Send notices to | (None) |
RFC 8929
"Moved") if a new 6BBR claims a fresher registration (same ROVR, fresher TID) for the same address. The old 6BBR MAY preserve a temporary state in order to forward packets in flight. The state may be, for instance, an NCE that was formed when an NA message was received. It may also be a Binding Table entry in Stale state, pointing at the new 6BBR on the backbone or any other abstract cache entry that can be used to resolve the link-layer address of the new 6BBR. The old 6BBR SHOULD also use REDIRECT messages pointing at the new 6BBR to update the correspondents of the Registered Address, as specified in [RFC4861]. 9.1. Operations on a Binding in Tentative State The Tentative state covers a DAD period over the backbone during which an address being registered is checked for duplication using the procedures defined in [RFC4862]. For a Binding in Tentative state: * The Binding MUST be removed if an NA message is received over the backbone for the Registered Address with no EARO or with an EARO that indicates an existing registration owned by a different Registering Node (different ROVR). In that case, an NA is sent back to the Registering Node with a status code of 1 ("Duplicate Address") to indicate that the Binding has been rejected. This behavior might be overridden by policy, in particular if the registration is trusted, e.g., based on the validation of the ROVR field (see [RFC8928]). * The Binding MUST be removed if an NS(DAD) message is received over the backbone for the Registered Address with no EARO or with an EARO that has a different ROVR that indicates a tentative registration by a different Registering Node. In that case, an NA is sent back to the Registering Node with a status code of 1 ("Duplicate Address"). This behavior might be overridden by policy, in particular if the registration is trusted, e.g., based on the validation of the ROVR field (see [RFC8928]). * The Binding MUST be removed if an NA or an NS(DAD) message is received over the backbone for the Registered Address and contains an EARO that indicates a fresher registration [RFC8505] for the same Registering Node (same ROVR). In that case, an NA MUST be sent back to the Registering Node with a status code of 3 ("Moved"). * The Binding MUST be kept unchanged if an NA or an NS(DAD) message is received over the backbone for the Registered Address and contains an EARO that indicates an older registration [RFC8505] for the same Registering Node (same ROVR). The message is answered with an NA that carries an EARO with a status code of 3 ("Moved") and the Override flag not set. This behavior might be overridden by policy, in particular if the registration is not trusted. * Other NS(DAD) and NA messages from the backbone are ignored. * NS(Lookup) and NS(NUD) messages SHOULD be optimistically answered with an NA message containing an EARO with a status code of 0 ("Success") and the Override flag not set (see Section 3.6). If optimistic DAD is disabled, then they SHOULD be queued to be answered when the Binding goes to Reachable state. When the TENTATIVE_DURATION (Section 12) timer elapses, the Binding is placed in Reachable state for the Registration Lifetime, and the 6BBR returns an NA(EARO) to the Registering Node with a status code of 0 ("Success"). The 6BBR also attempts to take over any existing Binding from other 6BBRs and to update existing NCEs in backbone nodes. This is done by sending an NA message with an EARO and the Override flag not set over the backbone (see Sections 7 and 8). 9.2. Operations on a Binding in Reachable State The Reachable state covers an active registration after a successful DAD process. If the Registration Lifetime is of a long duration, an implementation might be configured to reassess the availability of the Registering Node at a lower period, using a NUD procedure as specified in [RFC7048]. If the NUD procedure fails, the Binding SHOULD be placed in Stale state immediately. For a Binding in Reachable state: * The Binding MUST be removed if an NA or an NS(DAD) message is received over the backbone for the Registered Address and contains an EARO that indicates a fresher registration [RFC8505] for the same Registered Node (i.e., same ROVR but fresher TID). A status code of 4 ("Removed") is returned in an asynchronous NA(EARO) to the Registering Node. Based on configuration, an implementation may delay this operation by a timer with a short setting, e.g., a few seconds to a minute, in order to allow for a parallel registration to reach this node, in which case the NA might be ignored. * NS(DAD) and NA messages containing an EARO that indicates a registration for the same Registered Node that is not as fresh as this Binding MUST be answered with an NA message containing an EARO with a status code of 3 ("Moved"). * An NS(DAD) with no EARO or with an EARO that indicates a duplicate registration (i.e., different ROVR) MUST be answered with an NA message containing an EARO with a status code of 1 ("Duplicate Address") and the Override flag not set, unless the received message is an NA that carries an EARO with a status code of 1 ("Duplicate Address"), in which case the node refrains from answering. * Other NS(DAD) and NA messages from the backbone are ignored. * NS(Lookup) and NS(NUD) messages SHOULD be answered with an NA message containing an EARO with a status code of 0 ("Success") and the Override flag not set. The 6BBR MAY check whether the Registering Node is still available using a NUD procedure over the LLN prior to answering; this behavior depends on the use case and is subject to configuration. When the Registration Lifetime timer elapses, the Binding is placed in Stale state for a duration of STALE_DURATION (Section 12). 9.3. Operations on a Binding in Stale State The Stale state enables tracking of the backbone peers that have a NCE pointing to this 6BBR in case the Registered Address shows up later. If the Registered Address is claimed by another 6LN on the backbone, with an NS(DAD) or an NA, the 6BBR does not defend the address. For a Binding in Stale state: * The Binding MUST be removed if an NA or an NS(DAD) message is received over the backbone for the Registered Address with no EARO or with an EARO that indicates either a fresher registration for the same Registered Node or a duplicate registration. A status code of 4 ("Removed") MAY be returned in an asynchronous NA(EARO) to the Registering Node. * NS(DAD) and NA messages containing an EARO that indicates a registration for the same Registered Node that is not as fresh as this MUST be answered with an NA message containing an EARO with a status code of 3 ("Moved"). * If the 6BBR receives an NS(Lookup) or an NS(NUD) message for the Registered Address, the 6BBR MUST attempt a NUD procedure as specified in [RFC7048] to the Registering Node, targeting the Registered Address, prior to answering. If the NUD procedure succeeds, the operation in Reachable state applies. If the NUD fails, the 6BBR refrains from answering. * Other NS(DAD) and NA messages from the backbone are ignored. When the STALE_DURATION (Section 12) timer elapses, the Binding MUST be removed. 10. Registering Node Considerations A Registering Node MUST implement [RFC8505] in order to interact with a 6BBR (which acts as a Routing Registrar). Following [RFC8505], the Registering Node signals that it requires IPv6 ND proxy services from a 6BBR by registering the corresponding IPv6 address using an NS(EARO) message with the R flag set. The Registering Node may be the 6LN owning the IPv6 address or a 6LBR that performs the registration on its behalf in a route-over mesh. A 6LN MUST register all of its IPv6 addresses to its 6LR, which is the 6BBR when they are connected at Layer 2. Failure to register an address may result in the address being unreachable by other parties. This would happen, for instance, if the 6BBR propagates the NS(Lookup) from the backbone only to the LLN nodes that do not register their addresses. The Registering Node MUST refrain from using multicast NS(Lookup) when the destination is not known as on-link, e.g., if the prefix is advertised in a PIO with the L flag not set. In that case, the Registering Node sends its packets directly to its 6LR. The Registering Node SHOULD also follow BCP 202 [RFC7772] in order to limit the use of multicast RAs. It SHOULD also implement "Simple Procedures for Detecting Network Attachment in IPv6" [RFC6059] (DNA procedures) to detect movements and support "Packet-Loss Resiliency for Router Solicitations" [RFC7559] in order to improve reliability for the unicast RS messages. 11. Security Considerations The procedures in this document modify the mechanisms used for IPv6 ND and DAD and should not affect other aspects of IPv6 or higher- level-protocol operation. As such, the main classes of attacks that are in play are those that work to block Neighbor Discovery or to forcibly claim an address that another node is attempting to use. In the absence of cryptographic protection at higher layers, the latter class of attacks can have significant consequences, with the attacker being able to read all the "stolen" traffic that was directed to the target of the attack. This specification applies to LLNs and a backbone in which the individual links are protected against rogue access on the LLN by authenticating a node that attaches to the network and encrypting the transmissions at the link layer and on the backbone side, using the physical security and access control measures that are typically applied there; thus, packets may neither be forged nor overheard. In particular, the LLN link layer is required to provide secure unicast to/from the Backbone Router and secure broadcast from the routers in a way that prevents tampering with or replaying the ND messages. For the IPv6 ND operation over the backbone, and unless the classical ND is disabled (e.g., by configuration), the classical ND messages are interpreted as emitted by the address owner and have precedence over the 6BBR that is only a proxy. As a result, the security threats that are detailed in Section 11.1 of [RFC4861] fully apply to this specification as well. In short: * Any node that can send a packet on the backbone can take over any address, including addresses of LLN nodes, by claiming it with an NA message and the Override bit set. This means that the real owner will stop receiving its packets. * Any node that can send a packet on the backbone can forge traffic and pretend it is issued from an address that it does not own, even if it did not claim the address using ND. * Any node that can send a packet on the backbone can present itself as a preferred router to intercept all traffic outgoing on the subnet. It may even expose a prefix on the subnet as "not-on- link" and intercept all the traffic within the subnet. * If the rogue can receive a packet from the backbone, it can also snoop all the intercepted traffic, by stealing an address or the role of a router. This means that any rogue access to the backbone must be prevented at all times, and nodes that are attached to the backbone must be fully trusted / never compromised. Using address registration as the sole ND mechanism on a link and coupling it with [RFC8928] guarantees the ownership of a Registered Address within that link. * The protection is based on a proof of ownership encoded in the ROVR field, and it protects against address theft and impersonation by a 6LN, because the 6LR can challenge the Registered Node for a proof of ownership. * The protection extends to the full LLN in the case of an LLN link, but it does not extend over the backbone since the 6BBR cannot provide the proof of ownership when it defends the address. A possible attack over the backbone can be done by sending an NS with an EARO and expecting the NA(EARO) back to contain the TID and ROVR fields of the existing state. With that information, the attacker can easily increase the TID and take over the Binding. If the classical ND is disabled on the backbone and the use of [RFC8928] and a 6LBR are mandated, the network will benefit from the following new advantages: Zero-trust security for ND flows within the whole subnet: the increased security that [RFC8928] provides on the LLN will also apply to the backbone; it becomes impossible for an attached node to claim an address that belongs to another node using ND, and the network can filter packets that are not originated by the owner of the source address (Source Address Validation Improvement (SAVI)), as long as the routers are known and trusted. Remote ND DoS attack avoidance: the complete list of addresses in the network will be known to the 6LBR and available to the default router; with that information, the router does not need to send a multicast NS(Lookup) in case of a Neighbor Cache miss for an incoming packet, which is a source of remote DoS attack against the network. Less IPv6 ND-related multicast on the backbone: DAD and NS(Lookup) become unicast queries to the 6LBR. Better DAD operation on wireless: DAD has been found to fail to detect duplications on large Wi-Fi infrastructures due to the unreliable broadcast operation on wireless; using a 6LBR enables a unicast lookup. Less Layer 2 churn on the backbone: Using the Routing Proxy approach, the link-layer address of the LLN devices and their mobility are not visible in the backbone; only the link-Layer addresses of the 6BBR and backbone nodes are visible at Layer 2 on the backbone. This is mandatory for LLNs that cannot be bridged on the backbone and useful in any case to scale down, stabilize the forwarding tables at Layer 2, and avoid the gratuitous frames that are typically broadcasted to fix the transparent bridging tables when a wireless node roams from an AP to the next. This specification introduces a 6BBR that is a router on the path of the LLN traffic and a 6LBR that is used for the lookup. They could be interesting targets for an attacker. A compromised 6BBR can accept a registration but block the traffic or refrain from proxying. A compromised 6LBR may unduly accept the transfer of ownership of an address or block a newcomer by faking that its address is a duplicate. But those attacks are possible in a classical network from a compromised default router and a DHCP server, respectively, and can be prevented using the same methods. A possible attack over the LLN can still be done by compromising a 6LR. A compromised 6LR may modify the ROVR of EDAR messages in flight and transfer the ownership of the Registered Address to itself or a tier. It may also claim that a ROVR was validated when it really wasn't and reattribute an address to itself or to an attached 6LN. This means that 6LRs, as well as 6LBRs and 6BBRS, must still be fully trusted / never compromised. This specification mandates checking on the 6LBR on the backbone before doing the classical DAD, in case the address already exists. This may delay the DAD operation and should be protected by a short timer, in the order of 100 ms or less, which will only represent a small extra delay versus the 1 s wait of the DAD operation. 12. Protocol Constants This specification uses the following constants: TENTATIVE_DURATION: 800 milliseconds In LLNs with long-lived addresses such as Low-Power WAN (LPWANs), STALE_DURATION SHOULD be configured with a relatively long value to cover an interval when the address may be reused and before it is safe to expect that the address was definitively released. A good default value is 24 hours. In LLNs where addresses are renewed rapidly, e.g., for privacy reasons, STALE_DURATION SHOULD be configured with a relatively shorter value -- 5 minutes by default. 13. IANA Considerations This document has no IANA actions. 14. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2006, <https://www.rfc-editor.org/info/rfc4291>. [RFC4429] Moore, N., "Optimistic Duplicate Address Detection (DAD) for IPv6", RFC 4429, DOI 10.17487/RFC4429, April 2006, <https://www.rfc-editor.org/info/rfc4429>. [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, DOI 10.17487/RFC4861, September 2007, <https://www.rfc-editor.org/info/rfc4861>. [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, DOI 10.17487/RFC4862, September 2007, <https://www.rfc-editor.org/info/rfc4862>. [RFC6059] Krishnan, S. and G. Daley, "Simple Procedures for Detecting Network Attachment in IPv6", RFC 6059, DOI 10.17487/RFC6059, November 2010, <https://www.rfc-editor.org/info/rfc6059>. [RFC6775] Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C. Bormann, "Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)", RFC 6775, DOI 10.17487/RFC6775, November 2012, <https://www.rfc-editor.org/info/rfc6775>. [RFC7048] Nordmark, E. and I. Gashinsky, "Neighbor Unreachability Detection Is Too Impatient", RFC 7048, DOI 10.17487/RFC7048, January 2014, <https://www.rfc-editor.org/info/rfc7048>. [RFC7559] Krishnan, S., Anipko, D., and D. Thaler, "Packet-Loss Resiliency for Router Solicitations", RFC 7559, DOI 10.17487/RFC7559, May 2015, <https://www.rfc-editor.org/info/rfc7559>. [RFC7772] Yourtchenko, A. and L. Colitti, "Reducing Energy Consumption of Router Advertisements", BCP 202, RFC 7772, DOI 10.17487/RFC7772, February 2016, <https://www.rfc-editor.org/info/rfc7772>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017, <https://www.rfc-editor.org/info/rfc8200>. [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., "Path MTU Discovery for IP version 6", STD 87, RFC 8201, DOI 10.17487/RFC8201, July 2017, <https://www.rfc-editor.org/info/rfc8201>. [RFC8505] Thubert, P., Ed., Nordmark, E., Chakrabarti, S., and C. Perkins, "Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery", RFC 8505, DOI 10.17487/RFC8505, November 2018, <https://www.rfc-editor.org/info/rfc8505>. 15. Informative References [6TiSCH] Thubert, P., "An Architecture for IPv6 over the TSCH mode of IEEE 802.15.4", Work in Progress, Internet-Draft, draft-ietf-6tisch-architecture-29, 27 August 2020, <https://tools.ietf.org/html/draft-ietf-6tisch- architecture-29>. [DAD-APPROACHES] Nordmark, E., "Possible approaches to make DAD more robust and/or efficient", Work in Progress, Internet-Draft, draft-nordmark-6man-dad-approaches-02, 19 October 2015, <https://tools.ietf.org/html/draft-nordmark-6man-dad- approaches-02>. [DAD-ISSUES] Yourtchenko, A. and E. Nordmark, "A survey of issues related to IPv6 Duplicate Address Detection", Work in Progress, Internet-Draft, draft-yourtchenko-6man-dad- issues-01, 3 March 2015, <https://tools.ietf.org/html/ draft-yourtchenko-6man-dad-issues-01>. [IEEEstd80211] IEEE, "IEEE Standard for Information technology-- Telecommunications and information exchange between systems Local and metropolitan area networks--Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", IEEE 802.11-2012, DOI 10.1109/ieeestd.2016.7786995, December 2016, <https://ieeexplore.ieee.org/document/7786995>. [IEEEstd802151] IEEE, "IEEE Standard for Information technology--Local and metropolitan area networks--Specific requirements--Part 15.1a: Wireless Medium Access Control (MAC) and Physical Layer (PHY) specifications for Wireless Personal Area Networks (WPAN)", IEEE 802.15.1-2005, DOI 10.1109/ieeestd.2005.96290, June 2005, <https://ieeexplore.ieee.org/document/1490827>. [IEEEstd802154] IEEE, "IEEE Standard for Local and metropolitan area networks--Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs)", IEEE 802.15.4-2011, DOI 10.1109/ieeestd.2011.6012487, September 2011, <https://ieeexplore.ieee.org/document/6012487>. [IEEEstd8021Q] IEEE, "IEEE Standard for Local and Metropolitan Area Networks--Bridges and Bridged Networks", IEEE 802.1Q-2018, DOI 10.1109/IEEESTD.2018.8403927, July 2018, <https://ieeexplore.ieee.org/document/8403927>. [MCAST-PROBLEMS] Perkins, C. E., McBride, M., Stanley, D., Kumari, W., and J. C. Zuniga, "Multicast Considerations over IEEE 802 Wireless Media", Work in Progress, Internet-Draft, draft- ietf-mboned-ieee802-mcast-problems-12, 26 October 2020, <https://tools.ietf.org/html/draft-ietf-mboned-ieee802- mcast-problems-12>. [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January 2006, <https://www.rfc-editor.org/info/rfc4271>. [RFC4389] Thaler, D., Talwar, M., and C. Patel, "Neighbor Discovery Proxies (ND Proxy)", RFC 4389, DOI 10.17487/RFC4389, April 2006, <https://www.rfc-editor.org/info/rfc4389>. [RFC4903] Thaler, D., "Multi-Link Subnet Issues", RFC 4903, DOI 10.17487/RFC4903, June 2007, <https://www.rfc-editor.org/info/rfc4903>. [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF for IPv6", RFC 5340, DOI 10.17487/RFC5340, July 2008, <https://www.rfc-editor.org/info/rfc5340>. [RFC5415] Calhoun, P., Ed., Montemurro, M., Ed., and D. Stanley, Ed., "Control And Provisioning of Wireless Access Points (CAPWAP) Protocol Specification", RFC 5415, DOI 10.17487/RFC5415, March 2009, <https://www.rfc-editor.org/info/rfc5415>. [RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July 2011, <https://www.rfc-editor.org/info/rfc6275>. [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks", RFC 6550, DOI 10.17487/RFC6550, March 2012, <https://www.rfc-editor.org/info/rfc6550>. [RFC6606] Kim, E., Kaspar, D., Gomez, C., and C. Bormann, "Problem Statement and Requirements for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Routing", RFC 6606, DOI 10.17487/RFC6606, May 2012, <https://www.rfc-editor.org/info/rfc6606>. [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January 2013, <https://www.rfc-editor.org/info/rfc6830>. [RFC7432] Sajassi, A., Ed., Aggarwal, R., Bitar, N., Isaac, A., Uttaro, J., Drake, J., and W. Henderickx, "BGP MPLS-Based Ethernet VPN", RFC 7432, DOI 10.17487/RFC7432, February 2015, <https://www.rfc-editor.org/info/rfc7432>. [RFC8273] Brzozowski, J. and G. Van de Velde, "Unique IPv6 Prefix per Host", RFC 8273, DOI 10.17487/RFC8273, December 2017, <https://www.rfc-editor.org/info/rfc8273>. [RFC8928] Thubert, P., Ed., Sarikaya, B., Sethi, M., and R. Struik, "Address-Protected Neighbor Discovery for Low-Power and Lossy Networks", RFC 8928, DOI 10.17487/RFC8928, November 2020, <https://www.rfc-editor.org/info/rfc8928>. [RIFT] Przygienda, T., Sharma, A., Thubert, P., Rijsman, B., and D. Afanasiev, "RIFT: Routing in Fat Trees", Work in Progress, Internet-Draft, draft-ietf-rift-rift-12, 26 May 2020, <https://tools.ietf.org/html/draft-ietf-rift-rift-12>. [RPL-LEAVES] Thubert, P. and M. C. Richardson, "Routing for RPL Leaves", Work in Progress, Internet-Draft, draft-ietf- roll-unaware-leaves-23, 10 November 2020, <https://tools.ietf.org/html/draft-ietf-roll-unaware- leaves-23>. [RS-REFRESH] Nordmark, E., Yourtchenko, A., and S. Krishnan, "IPv6 Neighbor Discovery Optional RS/RA Refresh", Work in Progress, Internet-Draft, draft-ietf-6man-rs-refresh-02, 31 October 2016, <https://tools.ietf.org/html/draft-ietf- 6man-rs-refresh-02>. [SAVI-WLAN] Bi, J., Wu, J., Wang, Y., and T. Lin, "A SAVI Solution for WLAN", Work in Progress, Internet-Draft, draft-bi-savi- wlan-20, 14 November 2020, <https://tools.ietf.org/html/draft-bi-savi-wlan-20>. [UNICAST-LOOKUP] Thubert, P. and E. Levy-Abegnoli, "IPv6 Neighbor Discovery Unicast Lookup", Work in Progress, Internet-Draft, draft- thubert-6lo-unicast-lookup-00, 25 January 2019, <https://tools.ietf.org/html/draft-thubert-6lo-unicast- lookup-00>. Appendix A. Possible Future Extensions With the current specification, the 6LBR is not leveraged to avoid multicast NS(Lookup) on the backbone. This could be done by adding a lookup procedure in the EDAR/EDAC exchange. By default, the specification does not have a fine-grained trust model: all nodes that can authenticate to the LLN link layer or attach to the backbone are equally trusted. It would be desirable to provide a stronger authorization model, e.g., whereby nodes that associate their address with a proof of ownership [RFC8928] should be trusted more than nodes that do not. Such a trust model and related signaling could be added in the future to override the default operation and favor trusted nodes. As an alternate to the ND Proxy operation, the registration may be redistributed as a host route in a routing protocol that would operate over the backbone; this is already happening in IoT networks [RPL-LEAVES] and Data Center Routing [RIFT] and could be extended to other protocols, e.g., BGP [RFC4271] and OSPFv3 [RFC5340]. The registration may also be advertised in an overlay protocol such as Mobile IPv6 (MIPv6) [RFC6275], the Locator/ID Separation Protocol (LISP) [RFC6830], or Ethernet VPN (EVPN) [RFC7432]. Appendix B. Applicability and Requirements Served This document specifies ND proxy functions that can be used to federate an IPv6 Backbone Link and multiple IPv6 LLNs into a single MLSN. The ND proxy functions enable IPv6 ND services for DAD and address lookup that do not require broadcasts over the LLNs. The term LLN is used to cover multiple types of WLANs and WPANs, including (Low-Power) Wi-Fi, BLUETOOTH(R) Low Energy, IEEE Std 802.11ah and IEEE Std 802.15.4 wireless meshes, and the types of networks listed in "Requirements Related to Various Low-Power Link Types" (see Appendix B.3 of [RFC8505]). Each LLN in the subnet is attached to a 6BBR. The Backbone Routers interconnect the LLNs and advertise the addresses of the 6LNs over the Backbone Link using ND proxy operations. This specification updates IPv6 ND over the backbone to distinguish address movement from duplication and eliminate Stale state in the backbone routers and backbone nodes once a 6LN has roamed. This way, mobile nodes may roam rapidly from one 6BBR to the next, and requirements are met per "Requirements Related to Mobility" (see Appendix B.1 of [RFC8505]). A 6LN can register its IPv6 addresses and thereby obtain ND proxy services over the backbone, meeting the requirements expressed in "Requirements Related to Proxy Operations" (see Appendix B.4 of [RFC8505]. The negative impact of the IPv6 ND-related broadcasts can be limited to one of the federated links, enabling the number of 6LNs to grow. The Routing Proxy operation avoids the need to expose the link-layer addresses of the 6LNs onto the backbone, keeping the Layer 2 topology simple and stable. This meets the requirements in "Requirements Related to Scalability" (see Appendix B.6 of [RFC8505]), as long as the 6BBRs are dimensioned for the number of registrations that each needs to support. In the case of a Wi-Fi access link, a 6BBR may be collocated with the AP, a Fabric Edge (FE), or a Control and Provisioning of Wireless Access Points (CAPWAP) [RFC5415] Wireless LAN Controller (WLC). In those cases, the wireless client (STA) is the 6LN that makes use of [RFC8505] to register its IPv6 address(es) to the 6BBR acting as the Routing Registrar. The 6LBR can be centralized and either connected to the Backbone Link or reachable over IP. The 6BBR ND proxy operations eliminate the need for wireless nodes to respond synchronously when a lookup is performed for their IPv6 addresses. This provides the function of a Sleep Proxy for ND [DAD-APPROACHES]. For the Time-Slotted Channel Hopping (TSCH) mode of [IEEEstd802154], the 6TiSCH architecture [6TiSCH] describes how a 6LoWPAN ND host could connect to the Internet via a RPL mesh network, but doing so requires extensions to the 6LOWPAN ND protocol to support mobility and reachability in a secure and manageable environment. The extensions detailed in this document also work for the 6TiSCH architecture, serving the requirements listed in "Requirements Related to Routing Protocols" (see Appendix B.2 of [RFC8505]). The registration mechanism may be seen as a more reliable alternate to snooping [SAVI-WLAN]. Note that registration and snooping are not mutually exclusive. Snooping may be used in conjunction with the registration for nodes that do not register their IPv6 addresses. The 6BBR assumes that if a node registers at least one IPv6 address to it, then the node registers all of its addresses to the 6BBR. With this assumption, the 6BBR can possibly cancel all undesirable multicast NS messages that would otherwise have been delivered to that node. Scalability of the MLSN [RFC4903] requires avoidance of multicast/ broadcast operations as much as possible even on the backbone [MCAST-PROBLEMS]. Although hosts can connect to the backbone using IPv6 ND operations, multicast RAs can be saved by using [RS-REFRESH], which also requires the support of [RFC7559]. Acknowledgments Many thanks to Dorothy Stanley, Thomas Watteyne, and Jerome Henry for their various contributions. Also, many thanks to Timothy Winters and Erik Nordmark for their help, review, and support in preparation for the IESG cycle and to Kyle Rose, Elwyn Davies, Barry Leiba, Mirja Kühlewind, Alvaro Retana, Roman Danyliw, and especially Dominique Barthel and Benjamin Kaduk for their useful contributions through the IETF Last Call and IESG process. Authors' Addresses Pascal Thubert (editor) Cisco Systems, Inc. Building D 45 Allee des Ormes - BP1200 06254 MOUGINS - Sophia Antipolis France Phone: +33 497 23 26 34 Email: pthubert@cisco.com Charles E. Perkins Blue Meadow Networking Saratoga, CA 95070 United States of America Email: charliep@computer.org Eric Levy-Abegnoli Cisco Systems, Inc. Building D 45 Allee des Ormes - BP1200 06254 MOUGINS - Sophia Antipolis France Phone: +33 497 23 26 20 Email: elevyabe@cisco.com