Network Working Group R. Hinden
Request for Comments: 4193 Nokia
Category: Standards Track B. Haberman
JHU-APL
October 2005
Network Working Group R. Hinden
Request for Comments: 4193 Nokia
Category: Standards Track B. Haberman
JHU-APL
October 2005
Unique Local IPv6 Unicast Addresses
唯一本地IPv6单播地址
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
Abstract
摘要
This document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually inside of a site. These addresses are not expected to be routable on the global Internet.
本文档定义了一种IPv6单播地址格式,该格式是全局唯一的,用于本地通信,通常在站点内部。这些地址预计无法在全球互联网上路由。
Table of Contents
目录
1. Introduction ....................................................2
2. Acknowledgements ................................................3
3. Local IPv6 Unicast Addresses ....................................3
3.1. Format .....................................................3
3.1.1. Background ..........................................4
3.2. Global ID ..................................................4
3.2.1. Locally Assigned Global IDs .........................5
3.2.2. Sample Code for Pseudo-Random Global ID Algorithm ...5
3.2.3. Analysis of the Uniqueness of Global IDs ............6
3.3. Scope Definition ...........................................6
4. Operational Guidelines ..........................................7
4.1. Routing ....................................................7
4.2. Renumbering and Site Merging ...............................7
4.3. Site Border Router and Firewall Packet Filtering ...........8
4.4. DNS Issues .................................................8
4.5. Application and Higher Level Protocol Issues ...............9
4.6. Use of Local IPv6 Addresses for Local Communication ........9
4.7. Use of Local IPv6 Addresses with VPNs .....................10
1. Introduction ....................................................2
2. Acknowledgements ................................................3
3. Local IPv6 Unicast Addresses ....................................3
3.1. Format .....................................................3
3.1.1. Background ..........................................4
3.2. Global ID ..................................................4
3.2.1. Locally Assigned Global IDs .........................5
3.2.2. Sample Code for Pseudo-Random Global ID Algorithm ...5
3.2.3. Analysis of the Uniqueness of Global IDs ............6
3.3. Scope Definition ...........................................6
4. Operational Guidelines ..........................................7
4.1. Routing ....................................................7
4.2. Renumbering and Site Merging ...............................7
4.3. Site Border Router and Firewall Packet Filtering ...........8
4.4. DNS Issues .................................................8
4.5. Application and Higher Level Protocol Issues ...............9
4.6. Use of Local IPv6 Addresses for Local Communication ........9
4.7. Use of Local IPv6 Addresses with VPNs .....................10
5. Global Routing Considerations ..................................11
5.1. From the Standpoint of the Internet .......................11
5.2. From the Standpoint of a Site .............................11
6. Advantages and Disadvantages ...................................12
6.1. Advantages ................................................12
6.2. Disadvantages .............................................13
7. Security Considerations ........................................13
8. IANA Considerations ............................................13
9. References .....................................................13
9.1. Normative References ......................................13
9.2. Informative References ....................................14
5. Global Routing Considerations ..................................11
5.1. From the Standpoint of the Internet .......................11
5.2. From the Standpoint of a Site .............................11
6. Advantages and Disadvantages ...................................12
6.1. Advantages ................................................12
6.2. Disadvantages .............................................13
7. Security Considerations ........................................13
8. IANA Considerations ............................................13
9. References .....................................................13
9.1. Normative References ......................................13
9.2. Informative References ....................................14
This document defines an IPv6 unicast address format that is globally unique and is intended for local communications [IPV6]. These addresses are called Unique Local IPv6 Unicast Addresses and are abbreviated in this document as Local IPv6 addresses. They are not expected to be routable on the global Internet. They are routable inside of a more limited area such as a site. They may also be routed between a limited set of sites.
本文档定义了一种IPv6单播地址格式,该格式是全局唯一的,用于本地通信[IPv6]。这些地址称为唯一本地IPv6单播地址,在本文档中缩写为本地IPv6地址。预计它们无法在全球互联网上路由。它们可以在更有限的区域内(如站点)布线。它们也可以在有限的一组站点之间路由。
Local IPv6 unicast addresses have the following characteristics:
本地IPv6单播地址具有以下特征:
- Globally unique prefix (with high probability of uniqueness).
- 全局唯一前缀(具有很高的唯一性概率)。
- Well-known prefix to allow for easy filtering at site boundaries.
- 众所周知的前缀,便于在站点边界进行过滤。
- Allow sites to be combined or privately interconnected without creating any address conflicts or requiring renumbering of interfaces that use these prefixes.
- 允许在不产生任何地址冲突或不需要对使用这些前缀的接口重新编号的情况下合并或私下互连站点。
- Internet Service Provider independent and can be used for communications inside of a site without having any permanent or intermittent Internet connectivity.
- 独立于互联网服务提供商,可用于站点内部的通信,而无需任何永久或间歇的互联网连接。
- If accidentally leaked outside of a site via routing or DNS, there is no conflict with any other addresses.
- 如果通过路由或DNS意外泄漏到站点外部,则不会与任何其他地址发生冲突。
- In practice, applications may treat these addresses like global scoped addresses.
- 实际上,应用程序可能会将这些地址视为全局作用域地址。
This document defines the format of Local IPv6 addresses, how to allocate them, and usage considerations including routing, site border routers, DNS, application support, VPN usage, and guidelines for how to use for local communication inside a site.
本文档定义了本地IPv6地址的格式、如何分配这些地址以及使用注意事项,包括路由、站点边界路由器、DNS、应用程序支持、VPN使用以及如何在站点内用于本地通信的指南。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
The underlying idea of creating Local IPv6 addresses described in this document has been proposed a number of times by a variety of people. The authors of this document do not claim exclusive credit. Credit goes to Brian Carpenter, Christian Huitema, Aidan Williams, Andrew White, Charlie Perkins, and many others. The authors would also like to thank Brian Carpenter, Charlie Perkins, Harald Alvestrand, Keith Moore, Margaret Wasserman, Shannon Behrens, Alan Beard, Hans Kruse, Geoff Huston, Pekka Savola, Christian Huitema, Tim Chown, Steve Bellovin, Alex Zinin, Tony Hain, Bill Fenner, Sam Hartman, and Elwyn Davies for their comments and suggestions on this document.
本文档中描述的创建本地IPv6地址的基本思想已被许多人多次提出。本文件的作者不主张独占信用。这要归功于布赖恩·卡彭特、克里斯蒂安·惠特马、艾丹·威廉姆斯、安德鲁·怀特、查理·帕金斯和其他许多人。作者还要感谢Brian Carpenter、Charlie Perkins、Harald Alvestrand、Keith Moore、Margaret Wasserman、Shannon Behrens、Alan Beard、Hans Kruse、Geoff Huston、Pekka Savola、Christian Huitema、Tim Chown、Steve Bellovin、Alex Zinin、Tony Hain、Bill Fenner、Sam Hartman、,以及Elwyn Davies对本文件的评论和建议。
The Local IPv6 addresses are created using a pseudo-randomly allocated global ID. They have the following format:
本地IPv6地址是使用伪随机分配的全局ID创建的。它们具有以下格式:
| 7 bits |1| 40 bits | 16 bits | 64 bits |
+--------+-+------------+-----------+----------------------------+
| Prefix |L| Global ID | Subnet ID | Interface ID |
+--------+-+------------+-----------+----------------------------+
| 7 bits |1| 40 bits | 16 bits | 64 bits |
+--------+-+------------+-----------+----------------------------+
| Prefix |L| Global ID | Subnet ID | Interface ID |
+--------+-+------------+-----------+----------------------------+
Where:
哪里:
Prefix FC00::/7 prefix to identify Local IPv6 unicast addresses.
前缀FC00::/7用于标识本地IPv6单播地址的前缀。
L Set to 1 if the prefix is locally assigned. Set to 0 may be defined in the future. See Section 3.2 for additional information.
如果前缀是本地分配的,则L设置为1。将来可能会定义设置为0。更多信息请参见第3.2节。
Global ID 40-bit global identifier used to create a globally unique prefix. See Section 3.2 for additional information.
全局ID 40位全局标识符,用于创建全局唯一前缀。更多信息请参见第3.2节。
Subnet ID 16-bit Subnet ID is an identifier of a subnet within the site.
子网ID 16位子网ID是站点内子网的标识符。
Interface ID 64-bit Interface ID as defined in [ADDARCH].
接口ID[ADDARCH]中定义的64位接口ID。
There were a range of choices available when choosing the size of the prefix and Global ID field length. There is a direct tradeoff between having a Global ID field large enough to support foreseeable future growth and not using too much of the IPv6 address space needlessly. A reasonable way of evaluating a specific field length is to compare it to a projected 2050 world population of 9.3 billion [POPUL] and the number of resulting /48 prefixes per person. A range of prefix choices is shown in the following table:
在选择前缀大小和全局ID字段长度时,有一系列选项可用。在拥有足够大的全局ID字段以支持可预见的未来增长和不必要地使用太多IPv6地址空间之间存在着直接的权衡。评估特定字段长度的合理方法是将其与2050年预计的93亿[POPUL]世界人口以及由此产生的每人/48个前缀的数量进行比较。下表显示了一系列前缀选择:
Prefix Global ID Number of Prefixes % of IPv6 Length /48 Prefixes per Person Address Space
前缀全局ID前缀数IPv6长度的百分比/48每人地址空间前缀数
/11 37 137,438,953,472 15 0.049%
/10 38 274,877,906,944 30 0.098%
/9 39 549,755,813,888 59 0.195%
/8 40 1,099,511,627,776 118 0.391%
/7 41 2,199,023,255,552 236 0.781%
/6 42 4,398,046,511,104 473 1.563%
/11 37 137,438,953,472 15 0.049%
/10 38 274,877,906,944 30 0.098%
/9 39 549,755,813,888 59 0.195%
/8 40 1,099,511,627,776 118 0.391%
/7 41 2,199,023,255,552 236 0.781%
/6 42 4,398,046,511,104 473 1.563%
A very high utilization ratio of these allocations can be assumed because the Global ID field does not require internal structure, and there is no reason to be able to aggregate the prefixes.
可以假设这些分配的利用率非常高,因为全局ID字段不需要内部结构,并且没有理由能够聚合前缀。
The authors believe that a /7 prefix resulting in a 41-bit Global ID space (including the L bit) is a good choice. It provides for a large number of assignments (i.e., 2.2 trillion) and at the same time uses less than .8% of the total IPv6 address space. It is unlikely that this space will be exhausted. If more than this were to be needed, then additional IPv6 address space could be allocated for this purpose.
作者认为,产生41位全局ID空间(包括L位)的a/7前缀是一个不错的选择。它提供了大量的分配(即2.2万亿),同时使用的IPv6地址空间不到总地址空间的0.8%。这个空间不太可能耗尽。如果需要更多,则可以为此分配额外的IPv6地址空间。
The allocation of Global IDs is pseudo-random [RANDOM]. They MUST NOT be assigned sequentially or with well-known numbers. This is to ensure that there is not any relationship between allocations and to help clarify that these prefixes are not intended to be routed globally. Specifically, these prefixes are not designed to aggregate.
全局ID的分配是伪随机的。不得按顺序分配或使用已知编号分配。这是为了确保分配之间没有任何关系,并有助于澄清这些前缀不打算全局路由。具体来说,这些前缀不是为聚合而设计的。
This document defines a specific local method to allocate Global IDs, indicated by setting the L bit to 1. Another method, indicated by clearing the L bit, may be defined later. Apart from the allocation method, all Local IPv6 addresses behave and are treated identically.
本文档定义了分配全局ID的特定本地方法,通过将L位设置为1表示。通过清除L位指示的另一种方法可在稍后定义。除了分配方法外,所有本地IPv6地址的行为和处理方式都是相同的。
The local assignments are self-generated and do not need any central coordination or assignment, but have an extremely high probability of being unique.
本地分配是自生成的,不需要任何中心协调或分配,但具有极高的唯一性概率。
Locally assigned Global IDs MUST be generated with a pseudo-random algorithm consistent with [RANDOM]. Section 3.2.2 describes a suggested algorithm. It is important that all sites generating Global IDs use a functionally similar algorithm to ensure there is a high probability of uniqueness.
必须使用与[random]一致的伪随机算法生成本地分配的全局ID。第3.2.2节描述了建议的算法。重要的是,所有生成全局ID的站点都使用功能相似的算法,以确保具有较高的唯一性概率。
The use of a pseudo-random algorithm to generate Global IDs in the locally assigned prefix gives an assurance that any network numbered using such a prefix is highly unlikely to have that address space clash with any other network that has another locally assigned prefix allocated to it. This is a particularly useful property when considering a number of scenarios including networks that merge, overlapping VPN address space, or hosts mobile between such networks.
使用伪随机算法在本地分配的前缀中生成全局id可确保使用该前缀编号的任何网络极不可能与分配了另一个本地分配前缀的任何其他网络发生地址空间冲突。当考虑许多场景时,这是一个特别有用的属性,包括合并的网络、重叠的VPN地址空间或此类网络之间的移动主机。
The algorithm described below is intended to be used for locally assigned Global IDs. In each case the resulting global ID will be used in the appropriate prefix as defined in Section 3.2.
下面描述的算法旨在用于本地分配的全局ID。在每种情况下,将在第3.2节中定义的适当前缀中使用生成的全局ID。
1) Obtain the current time of day in 64-bit NTP format [NTP].
1) 以64位NTP格式[NTP]获取当前时间。
2) Obtain an EUI-64 identifier from the system running this algorithm. If an EUI-64 does not exist, one can be created from a 48-bit MAC address as specified in [ADDARCH]. If an EUI-64 cannot be obtained or created, a suitably unique identifier, local to the node, should be used (e.g., system serial number).
2) 从运行此算法的系统获取EUI-64标识符。如果EUI-64不存在,可以根据[ADDARCH]中指定的48位MAC地址创建一个EUI-64。如果无法获得或创建EUI-64,则应使用节点本地的适当唯一标识符(例如,系统序列号)。
3) Concatenate the time of day with the system-specific identifier in order to create a key.
3) 将一天中的时间与系统特定的标识符连接起来以创建密钥。
4) Compute an SHA-1 digest on the key as specified in [FIPS, SHA1]; the resulting value is 160 bits.
4) 按照[FIPS,SHA1]中的规定计算密钥上的SHA-1摘要;结果值为160位。
5) Use the least significant 40 bits as the Global ID.
5) 使用最低有效位40作为全局ID。
6) Concatenate FC00::/7, the L bit set to 1, and the 40-bit Global ID to create a Local IPv6 address prefix.
6) 连接FC00::/7、L位设置为1和40位全局ID以创建本地IPv6地址前缀。
This algorithm will result in a Global ID that is reasonably unique and can be used to create a locally assigned Local IPv6 address prefix.
此算法将生成一个合理唯一的全局ID,可用于创建本地分配的本地IPv6地址前缀。
The selection of a pseudo random Global ID is similar to the selection of an SSRC identifier in RTP/RTCP defined in Section 8.1 of [RTP]. This analysis is adapted from that document.
伪随机全局ID的选择类似于[RTP]第8.1节中定义的RTP/RTCP中SSRC标识符的选择。这一分析是根据该文件改编的。
Since Global IDs are chosen randomly (and independently), it is possible that separate networks have chosen the same Global ID. For any given network, with one or more random Global IDs, that has inter-connections to other such networks, having a total of N such IDs, the probability that two or more of these IDs will collide can be approximated using the formula:
由于全局ID是随机(独立)选择的,因此可能是不同的网络选择了相同的全局ID。对于具有一个或多个随机全局ID的任何给定网络,具有与其他此类网络的互连,总共有N个此类ID,两个或多个ID碰撞的概率可使用以下公式近似计算:
P = 1 - exp(-N**2 / 2**(L+1))
P = 1 - exp(-N**2 / 2**(L+1))
where P is the probability of collision, N is the number of interconnected Global IDs, and L is the length of the Global ID.
其中P是碰撞概率,N是互连全局ID的数量,L是全局ID的长度。
The following table shows the probability of a collision for a range of connections using a 40-bit Global ID field.
下表显示了使用40位全局ID字段的一系列连接发生冲突的概率。
Connections Probability of Collision
碰撞概率
2 1.81*10^-12
10 4.54*10^-11
100 4.54*10^-09
1000 4.54*10^-07
10000 4.54*10^-05
2 1.81*10^-12
10 4.54*10^-11
100 4.54*10^-09
1000 4.54*10^-07
10000 4.54*10^-05
Based on this analysis, the uniqueness of locally generated Global IDs is adequate for sites planning a small to moderate amount of inter-site communication using locally generated Global IDs.
基于此分析,本地生成的全局ID的唯一性对于使用本地生成的全局ID规划少量到中度站点间通信的站点来说是足够的。
By default, the scope of these addresses is global. That is, they are not limited by ambiguity like the site-local addresses defined in [ADDARCH]. Rather, these prefixes are globally unique, and as such, their applicability is greater than site-local addresses. Their limitation is in the routability of the prefixes, which is limited to a site and any explicit routing agreements with other sites to propagate them (also see Section 4.1). Also, unlike site-locals, a site may have more than one of these prefixes and use them at the same time.
默认情况下,这些地址的范围是全局的。也就是说,它们不受[ADDARCH]中定义的站点本地地址的模糊性的限制。相反,这些前缀是全局唯一的,因此,它们的适用性大于站点本地地址。它们的局限性在于前缀的可路由性,这仅限于一个站点以及与其他站点的任何显式路由协议来传播前缀(另请参见第4.1节)。此外,与站点本地人不同,站点可能有多个前缀,并同时使用它们。
The guidelines in this section do not require any change to the normal routing and forwarding functionality in an IPv6 host or router. These are configuration and operational usage guidelines.
本节中的指南不要求对IPv6主机或路由器中的正常路由和转发功能进行任何更改。这些是配置和操作使用指南。
Local IPv6 addresses are designed to be routed inside of a site in the same manner as other types of unicast addresses. They can be carried in any IPv6 routing protocol without any change.
本地IPv6地址设计为在站点内部以与其他类型的单播地址相同的方式路由。它们可以在任何IPv6路由协议中携带,无需任何更改。
It is expected that they would share the same Subnet IDs with provider-based global unicast addresses, if they were being used concurrently [GLOBAL].
如果同时使用[global],则它们将与基于提供商的全局单播地址共享相同的子网ID。
The default behavior of exterior routing protocol sessions between administrative routing regions must be to ignore receipt of and not advertise prefixes in the FC00::/7 block. A network operator may specifically configure prefixes longer than FC00::/7 for inter-site communication.
管理路由区域之间的外部路由协议会话的默认行为必须是忽略接收FC00::/7块中的前缀,而不是播发前缀。网络运营商可以专门为站点间通信配置长于FC00::/7的前缀。
If BGP is being used at the site border with an ISP, the default BGP configuration must filter out any Local IPv6 address prefixes, both incoming and outgoing. It must be set both to keep any Local IPv6 address prefixes from being advertised outside of the site as well as to keep these prefixes from being learned from another site. The exception to this is if there are specific /48 or longer routes created for one or more Local IPv6 prefixes.
如果在与ISP的站点边界使用BGP,则默认BGP配置必须过滤掉任何本地IPv6地址前缀,包括传入和传出的地址前缀。必须将其设置为防止任何本地IPv6地址前缀在站点外部播发,以及防止这些前缀从其他站点学习。例外情况是,如果为一个或多个本地IPv6前缀创建了特定/48或更长的路由。
For link-state IGPs, it is suggested that a site utilizing IPv6 local address prefixes be contained within one IGP domain or area. By containing an IPv6 local address prefix to a single link-state area or domain, the distribution of prefixes can be controlled.
对于链路状态IGP,建议将使用IPv6本地地址前缀的站点包含在一个IGP域或区域内。通过将IPv6本地地址前缀包含到单个链路状态区域或域,可以控制前缀的分布。
The use of Local IPv6 addresses in a site results in making communication that uses these addresses independent of renumbering a site's provider-based global addresses.
在站点中使用本地IPv6地址会导致使用这些地址的通信独立于对站点的基于提供商的全局地址重新编号。
When merging multiple sites, the addresses created with these prefixes are unlikely to need to be renumbered because all of the addresses have a high probability of being unique. Routes for each specific prefix would have to be configured to allow routing to work correctly between the formerly separate sites.
合并多个站点时,使用这些前缀创建的地址不太可能需要重新编号,因为所有地址都很可能是唯一的。每个特定前缀的路由必须配置为允许路由在以前独立的站点之间正确工作。
While no serious harm will be done if packets with these addresses are sent outside of a site via a default route, it is recommended that routers be configured by default to keep any packets with Local IPv6 addresses from leaking outside of the site and to keep any site prefixes from being advertised outside of their site.
如果通过默认路由将具有这些地址的数据包发送到站点外部,则不会造成严重危害,但建议在默认情况下配置路由器,以防止任何具有本地IPv6地址的数据包泄漏到站点外部,并防止任何站点前缀在其站点外部发布。
Site border routers and firewalls should be configured to not forward any packets with Local IPv6 source or destination addresses outside of the site, unless they have been explicitly configured with routing information about specific /48 or longer Local IPv6 prefixes. This will ensure that packets with Local IPv6 destination addresses will not be forwarded outside of the site via a default route. The default behavior of these devices should be to install a "reject" route for these prefixes. Site border routers should respond with the appropriate ICMPv6 Destination Unreachable message to inform the source that the packet was not forwarded. [ICMPV6]. This feedback is important to avoid transport protocol timeouts.
站点边界路由器和防火墙应配置为不在站点外部转发具有本地IPv6源地址或目标地址的任何数据包,除非它们已明确配置了有关特定/48或更长本地IPv6前缀的路由信息。这将确保具有本地IPv6目标地址的数据包不会通过默认路由转发到站点外部。这些设备的默认行为应该是为这些前缀安装“拒绝”路由。站点边界路由器应响应相应的ICMPv6目的地不可到达消息,以通知源数据包未转发。[ICMPV6]。此反馈对于避免传输协议超时非常重要。
Routers that maintain peering arrangements between Autonomous Systems throughout the Internet should obey the recommendations for site border routers, unless configured otherwise.
除非另有配置,否则在整个互联网的自治系统之间保持对等安排的路由器应遵守站点边界路由器的建议。
At the present time, AAAA and PTR records for locally assigned local IPv6 addresses are not recommended to be installed in the global DNS.
目前,不建议在全局DNS中安装本地分配的本地IPv6地址的AAAA和PTR记录。
For background on this recommendation, one of the concerns about adding AAAA and PTR records to the global DNS for locally assigned Local IPv6 addresses stems from the lack of complete assurance that the prefixes are unique. There is a small possibility that the same locally assigned IPv6 Local addresses will be used by two different organizations both claiming to be authoritative with different contents. In this scenario, it is likely there will be a connection attempt to the closest host with the corresponding locally assigned IPv6 Local address. This may result in connection timeouts, connection failures indicated by ICMP Destination Unreachable messages, or successful connections to the wrong host. Due to this concern, adding AAAA records for these addresses to the global DNS is thought to be unwise.
关于本建议的背景信息,关于将AAAA和PTR记录添加到本地分配的本地IPv6地址的全局DNS中的问题之一源于缺乏前缀唯一性的完全保证。两个声称具有不同内容的权威机构将使用相同的本地分配IPv6本地地址的可能性很小。在这种情况下,可能会尝试使用相应的本地分配的IPv6本地地址连接到最近的主机。这可能会导致连接超时、ICMP目标无法访问消息指示的连接失败,或成功连接到错误的主机。出于这种考虑,将这些地址的AAAA记录添加到全局DNS被认为是不明智的。
Reverse (address-to-name) queries for locally assigned IPv6 Local addresses MUST NOT be sent to name servers for the global DNS, due to the load that such queries would create for the authoritative name servers for the ip6.arpa zone. This form of query load is not specific to locally assigned Local IPv6 addresses; any current form
对于本地分配的IPv6本地地址的反向(地址到名称)查询不得发送到全局DNS的名称服务器,因为此类查询将为ip6.arpa区域的权威名称服务器创建负载。这种形式的查询负载并不特定于本地分配的本地IPv6地址;任何当前形式
of local addressing creates additional load of this kind, due to reverse queries leaking out of the site. However, since allowing such queries to escape from the site serves no useful purpose, there is no good reason to make the existing load problems worse.
由于反向查询从站点中泄漏,本地寻址的错误会造成此类额外负载。但是,由于允许此类查询从站点转义没有任何用处,因此没有充分的理由使现有的负载问题变得更糟。
The recommended way to avoid sending such queries to nameservers for the global DNS is for recursive name server implementations to act as if they were authoritative for an empty d.f.ip6.arpa zone and return RCODE 3 for any such query. Implementations that choose this strategy should allow it to be overridden, but returning an RCODE 3 response for such queries should be the default, both because this will reduce the query load problem and also because, if the site administrator has not set up the reverse tree corresponding to the locally assigned IPv6 Local addresses in use, returning RCODE 3 is in fact the correct answer.
避免将此类查询发送到全局DNS的名称服务器的建议方法是,递归名称服务器实现将其作为空d.f.ip6.arpa区域的权威,并为任何此类查询返回RCODE 3。选择此策略的实现应允许覆盖此策略,但为此类查询返回RCODE 3响应应为默认值,因为这将减少查询负载问题,还因为如果站点管理员未设置与正在使用的本地分配的IPv6本地地址对应的反向树,返回RCODE 3实际上是正确的答案。
Application and other higher level protocols can treat Local IPv6 addresses in the same manner as other types of global unicast addresses. No special handling is required. This type of address may not be reachable, but that is no different from other types of IPv6 global unicast address. Applications need to be able to handle multiple addresses that may or may not be reachable at any point in time. In most cases, this complexity should be hidden in APIs.
应用程序和其他更高级别的协议可以以与其他类型的全局单播地址相同的方式处理本地IPv6地址。无需特殊处理。这种类型的地址可能无法访问,但与其他类型的IPv6全局单播地址没有区别。应用程序需要能够处理多个地址,这些地址可能在任何时间点都可以访问,也可能无法访问。在大多数情况下,这种复杂性应该隐藏在API中。
From a host's perspective, the difference between Local IPv6 and other types of global unicast addresses shows up as different reachability and could be handled by default in that way. In some cases, it is better for nodes and applications to treat them differently from global unicast addresses. A starting point might be to give them preference over global unicast, but fall back to global unicast if a particular destination is found to be unreachable. Much of this behavior can be controlled by how they are allocated to nodes and put into the DNS. However, it is useful if a host can have both types of addresses and use them appropriately.
从主机的角度来看,本地IPv6和其他类型的全局单播地址之间的差异表现为不同的可达性,默认情况下可以通过这种方式处理。在某些情况下,节点和应用程序最好将其与全局单播地址区别对待。一个出发点可能是让他们优先于全局单播,但如果发现某个特定目的地无法到达,则返回到全局单播。这种行为的大部分可以通过如何将它们分配给节点并放入DNS来控制。但是,如果主机可以同时拥有这两种类型的地址并适当地使用它们,则这是非常有用的。
Note that the address selection mechanisms of [ADDSEL], and in particular the policy override mechanism replacing default address selection, are expected to be used on a site where Local IPv6 addresses are configured.
请注意,[ADDSEL]的地址选择机制,尤其是取代默认地址选择的策略覆盖机制,预计将在配置了本地IPv6地址的站点上使用。
Local IPv6 addresses, like global scope unicast addresses, are only assigned to nodes if their use has been enabled (via IPv6 address autoconfiguration [ADDAUTO], DHCPv6 [DHCP6], or manually). They are
本地IPv6地址(如全局范围单播地址)仅在启用使用(通过IPv6地址自动配置[ADDAUTO]、DHCPv6[DHCP6]或手动)的情况下分配给节点。他们是
not created automatically in the way that IPv6 link-local addresses are and will not appear or be used unless they are purposely configured.
不会以IPv6链路本地地址的方式自动创建,也不会显示或使用IPv6链路本地地址,除非有意配置它们。
In order for hosts to autoconfigure Local IPv6 addresses, routers have to be configured to advertise Local IPv6 /64 prefixes in router advertisements, or a DHCPv6 server must have been configured to assign them. In order for a node to learn the Local IPv6 address of another node, the Local IPv6 address must have been installed in a naming system (e.g., DNS, proprietary naming system, etc.) For these reasons, controlling their usage in a site is straightforward.
为了让主机自动配置本地IPv6地址,必须将路由器配置为在路由器播发中播发本地IPv6/64前缀,或者必须将DHCPv6服务器配置为分配它们。为了让一个节点了解另一个节点的本地IPv6地址,本地IPv6地址必须已安装在命名系统(例如DNS、专有命名系统等)中。由于这些原因,控制它们在站点中的使用非常简单。
To limit the use of Local IPv6 addresses the following guidelines apply:
要限制本地IPv6地址的使用,请遵循以下准则:
- Nodes that are to only be reachable inside of a site: The local DNS should be configured to only include the Local IPv6 addresses of these nodes. Nodes with only Local IPv6 addresses must not be installed in the global DNS.
- 只能在站点内部访问的节点:本地DNS应配置为仅包括这些节点的本地IPv6地址。只有本地IPv6地址的节点不得安装在全局DNS中。
- Nodes that are to be limited to only communicate with other nodes in the site: These nodes should be set to only autoconfigure Local IPv6 addresses via [ADDAUTO] or to only receive Local IPv6 addresses via [DHCP6]. Note: For the case where both global and Local IPv6 prefixes are being advertised on a subnet, this will require a switch in the devices to only autoconfigure Local IPv6 addresses.
- 仅限于与站点中的其他节点通信的节点:这些节点应设置为仅通过[ADDAUTO]自动配置本地IPv6地址,或仅通过[DHCP6]接收本地IPv6地址。注意:对于在子网上同时播发全局和本地IPv6前缀的情况,这将要求设备中的交换机仅自动配置本地IPv6地址。
- Nodes that are to be reachable from inside of the site and from outside of the site: The DNS should be configured to include the global addresses of these nodes. The local DNS may be configured to also include the Local IPv6 addresses of these nodes.
- 可从站点内部和站点外部访问的节点:DNS应配置为包括这些节点的全局地址。本地DNS可被配置为还包括这些节点的本地IPv6地址。
- Nodes that can communicate with other nodes inside of the site and outside of the site: These nodes should autoconfigure global addresses via [ADDAUTO] or receive global address via [DHCP6]. They may also obtain Local IPv6 addresses via the same mechanisms.
- 可与站点内外的其他节点通信的节点:这些节点应通过[ADDAUTO]自动配置全局地址或通过[DHCP6]接收全局地址。他们还可以通过相同的机制获取本地IPv6地址。
Local IPv6 addresses can be used for inter-site Virtual Private Networks (VPN) if appropriate routes are set up. Because the addresses are unique, these VPNs will work reliably and without the need for translation. They have the additional property that they will continue to work if the individual sites are renumbered or merged.
如果设置了适当的路由,本地IPv6地址可用于站点间虚拟专用网络(VPN)。由于地址是唯一的,这些VPN将可靠地工作,无需翻译。他们还有一个额外的属性,即如果对各个站点重新编号或合并,他们将继续工作。
Section 4.1 provides operational guidelines that forbid default routing of local addresses between sites. Concerns were raised to the IPv6 working group and to the IETF as a whole that sites may attempt to use local addresses as globally routed provider-independent addresses. This section describes why using local addresses as globally-routed provider-independent addresses is unadvisable.
第4.1节提供了禁止站点之间本地地址默认路由的操作指南。向IPv6工作组和整个IETF提出了一个问题,即站点可能会尝试使用本地地址作为全局路由的独立于提供商的地址。本节介绍为什么不建议使用本地地址作为全局路由的独立于提供程序的地址。
There is a mismatch between the structure of IPv6 local addresses and the normal IPv6 wide area routing model. The /48 prefix of an IPv6 local addresses fits nowhere in the normal hierarchy of IPv6 unicast addresses. Normal IPv6 unicast addresses can be routed hierarchically down to physical subnet (link) level and only have to be flat-routed on the physical subnet. IPv6 local addresses would have to be flat-routed even over the wide area Internet.
IPv6本地地址的结构与正常的IPv6广域路由模型不匹配。IPv6本地地址的/48前缀不适合IPv6单播地址的正常层次结构。普通IPv6单播地址可以分层路由到物理子网(链路)级别,并且只需在物理子网上进行平面路由。即使在广域互联网上,IPv6本地地址也必须采用平面路由。
Thus, packets whose destination address is an IPv6 local address could be routed over the wide area only if the corresponding /48 prefix were carried by the wide area routing protocol in use, such as BGP. This contravenes the operational assumption that long prefixes will be aggregated into many fewer short prefixes, to limit the table size and convergence time of the routing protocol. If a network uses both normal IPv6 addresses [ADDARCH] and IPv6 local addresses, these types of addresses will certainly not aggregate with each other, since they differ from the most significant bit onwards. Neither will IPv6 local addresses aggregate with each other, due to their random bit patterns. This means that there would be a very significant operational penalty for attempting to use IPv6 local address prefixes generically with currently known wide area routing technology.
因此,只有在使用的广域路由协议(如BGP)携带了相应的/48前缀的情况下,目标地址为IPv6本地地址的数据包才能在广域上路由。这违反了长前缀将聚合为更少的短前缀的操作假设,从而限制了路由协议的表大小和收敛时间。如果网络同时使用普通IPv6地址[ADDARCH]和IPv6本地地址,这些类型的地址肯定不会相互聚合,因为它们从最高有效位开始就不同。由于IPv6本地地址的随机位模式,它们也不会相互聚合。这意味着,如果试图在当前已知的广域路由技术中普遍使用IPv6本地地址前缀,将受到非常严重的操作惩罚。
There are a number of design factors in IPv6 local addresses that reduce the likelihood that IPv6 local addresses will be used as arbitrary global unicast addresses. These include:
IPv6本地地址中有许多设计因素,可降低IPv6本地地址用作任意全局单播地址的可能性。这些措施包括:
- The default rules to filter packets and routes make it very difficult to use IPv6 local addresses for arbitrary use across the Internet. For a site to use them as general purpose unicast addresses, it would have to make sure that the default rules were not being used by all other sites and intermediate ISPs used for their current and future communication.
- 过滤数据包和路由的默认规则使得在Internet上任意使用IPv6本地地址变得非常困难。对于将其用作通用单播地址的站点,必须确保所有其他站点和用于当前和未来通信的中间ISP未使用默认规则。
- They are not mathematically guaranteed to be unique and are not registered in public databases. Collisions, while highly unlikely, are possible and a collision can compromise the integrity of the communications. The lack of public registration creates operational problems.
- 它们在数学上不能保证唯一,也不能在公共数据库中注册。碰撞虽然不太可能发生,但也有可能发生,碰撞可能会损害通信的完整性。缺乏公开注册会造成运营问题。
- The addresses are allocated randomly. If a site had multiple prefixes that it wanted to be used globally, the cost of advertising them would be very high because they could not be aggregated.
- 地址是随机分配的。如果一个站点有多个希望在全球范围内使用的前缀,那么广告成本将非常高,因为它们无法聚合。
- They have a long prefix (i.e., /48) so a single local address prefix doesn't provide enough address space to be used exclusively by the largest organizations.
- 它们有一个很长的前缀(即/48),因此单个本地地址前缀不能提供足够的地址空间供最大的组织独占使用。
This approach has the following advantages:
这种方法有以下优点:
- Provides Local IPv6 prefixes that can be used independently of any provider-based IPv6 unicast address allocations. This is useful for sites not always connected to the Internet or sites that wish to have a distinct prefix that can be used to localize traffic inside of the site.
- 提供可独立于任何基于提供商的IPv6单播地址分配使用的本地IPv6前缀。这对于并非始终连接到Internet的站点或希望具有可用于本地化站点内部流量的独特前缀的站点非常有用。
- Applications can treat these addresses in an identical manner as any other type of global IPv6 unicast addresses.
- 应用程序可以以与任何其他类型的全局IPv6单播地址相同的方式处理这些地址。
- Sites can be merged without any renumbering of the Local IPv6 addresses.
- 可以合并站点,而无需对本地IPv6地址进行任何重新编号。
- Sites can change their provider-based IPv6 unicast address without disrupting any communication that uses Local IPv6 addresses.
- 站点可以更改其基于提供商的IPv6单播地址,而不会中断使用本地IPv6地址的任何通信。
- Well-known prefix that allows for easy filtering at site boundary.
- 众所周知的前缀,允许在站点边界轻松过滤。
- Can be used for inter-site VPNs.
- 可用于站点间VPN。
- If accidently leaked outside of a site via routing or DNS, there is no conflict with any other addresses.
- 如果通过路由或DNS意外泄漏到站点外部,则不会与任何其他地址冲突。
This approach has the following disadvantages:
这种方法有以下缺点:
- Not possible to route Local IPv6 prefixes on the global Internet with current routing technology. Consequentially, it is necessary to have the default behavior of site border routers to filter these addresses.
- 无法使用当前的路由技术在全球Internet上路由本地IPv6前缀。因此,有必要使用站点边界路由器的默认行为来过滤这些地址。
- There is a very low probability of non-unique locally assigned Global IDs being generated by the algorithm in Section 3.2.3. This risk can be ignored for all practical purposes, but it leads to a theoretical risk of clashing address prefixes.
- 第3.2.3节中的算法生成非唯一本地分配全局ID的概率非常低。这种风险在所有实际应用中都可以忽略,但它会导致地址前缀冲突的理论风险。
Local IPv6 addresses do not provide any inherent security to the nodes that use them. They may be used with filters at site boundaries to keep Local IPv6 traffic inside of the site, but this is no more or less secure than filtering any other type of global IPv6 unicast addresses.
本地IPv6地址不会为使用它们的节点提供任何固有的安全性。它们可以与站点边界处的过滤器一起使用,以保持站点内部的本地IPv6流量,但这并不比过滤任何其他类型的全局IPv6单播地址更安全。
Local IPv6 addresses do allow for address-based security mechanisms, including IPsec, across end to end VPN connections.
本地IPv6地址允许跨端到端VPN连接使用基于地址的安全机制,包括IPsec。
The IANA has assigned the FC00::/7 prefix to "Unique Local Unicast".
IANA已将FC00::/7前缀分配给“唯一本地单播”。
[ADDARCH] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6) Addressing Architecture", RFC 3513, April 2003.
[ADDARCH]Hinden,R.和S.Deering,“互联网协议版本6(IPv6)寻址体系结构”,RFC 3513,2003年4月。
[FIPS] "Federal Information Processing Standards Publication", (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995.
[FIPS]“联邦信息处理标准出版物”(FIPS PUB)180-1,安全哈希标准,1995年4月17日。
[GLOBAL] Hinden, R., Deering, S., and E. Nordmark, "IPv6 Global Unicast Address Format", RFC 3587, August 2003.
[GLOBAL]Hinden,R.,Deering,S.和E.Nordmark,“IPv6全球单播地址格式”,RFC 3587,2003年8月。
[ICMPV6] Conta, A. and S. Deering, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 2463, December 1998.
[ICMPV6]Conta,A.和S.Deering,“互联网协议版本6(IPv6)规范的互联网控制消息协议(ICMPV6)”,RFC 2463,1998年12月。
[IPV6] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.
[IPV6]Deering,S.和R.Hinden,“互联网协议,第6版(IPV6)规范”,RFC 2460,1998年12月。
[NTP] Mills, D., "Network Time Protocol (Version 3) Specification, Implementation and Analysis", RFC 1305, March 1992.
[NTP]Mills,D.,“网络时间协议(第3版)规范、实施和分析”,RFC13051992年3月。
[RANDOM] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
[RANDOM]Eastlake,D.,3rd,Schiller,J.和S.Crocker,“安全的随机性要求”,BCP 106,RFC 40862005年6月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[SHA1] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)", RFC 3174, September 2001.
[SHA1]Eastlake 3rd,D.和P.Jones,“美国安全哈希算法1(SHA1)”,RFC 31742001年9月。
[ADDAUTO] Thomson, S. and T. Narten, "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998.
[ADDAUTO]Thomson,S.和T.Narten,“IPv6无状态地址自动配置”,RFC 24621998年12月。
[ADDSEL] Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003.
[ADDSEL]Draves,R.,“互联网协议版本6(IPv6)的默认地址选择”,RFC 3484,2003年2月。
[DHCP6] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.
[DHCP6]Droms,R.,Bound,J.,Volz,B.,Lemon,T.,Perkins,C.,和M.Carney,“IPv6的动态主机配置协议(DHCPv6)”,RFC 3315,2003年7月。
[POPUL] Population Reference Bureau, "World Population Data Sheet of the Population Reference Bureau 2002", August 2002.
人口资料局,“2002年人口资料局世界人口数据表”,2002年8月。
[RTP] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003.
[RTP]Schulzrinne,H.,Casner,S.,Frederick,R.,和V.Jacobson,“RTP:实时应用的传输协议”,STD 64,RFC 35502003年7月。
Authors' Addresses
作者地址
Robert M. Hinden Nokia 313 Fairchild Drive Mountain View, CA 94043 USA
Robert M.Hinden诺基亚313飞兆半导体山景大道,加利福尼亚州94043
Phone: +1 650 625-2004
EMail: bob.hinden@nokia.com
Phone: +1 650 625-2004
EMail: bob.hinden@nokia.com
Brian Haberman Johns Hopkins University Applied Physics Lab 11100 Johns Hopkins Road Laurel, MD 20723 USA
布莱恩·哈伯曼·约翰·霍普金斯大学应用物理实验室,美国马里兰州劳雷尔市约翰·霍普金斯路11100号,20723
Phone: +1 443 778 1319
EMail: brian@innovationslab.net
Phone: +1 443 778 1319
EMail: brian@innovationslab.net
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。