Network Working Group S. Deering
Request for Comments: 4007 Cisco Systems
Category: Standards Track B. Haberman
Johns Hopkins Univ
T. Jinmei
Toshiba
E. Nordmark
Sun Microsystems
B. Zill
Microsoft
March 2005
IPv6 Scoped Address Architecture
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document specifies the architectural characteristics, expected
behavior, textual representation, and usage of IPv6 addresses of
different scopes. According to a decision in the IPv6 working group,
this document intentionally avoids the syntax and usage of unicast
site-local addresses.
Deering, et al. Standards Track [Page 1]
RFC 4007 IPv6 Scoped Address Architecture March 2005
Internet Protocol version 6 includes support for addresses of
different "scope"; that is, both global and non-global (e.g., link-
local) addresses. Although non-global addressing has been introduced
operationally in the IPv4 Internet, both in the use of private
address space ("net 10", etc.) and with administratively scoped
multicast addresses, the design of IPv6 formally incorporates the
notion of address scope into its base architecture. This document
specifies the architectural characteristics, expected behavior,
textual representation, and usage of IPv6 addresses of different
scopes.
Though the current address architecture specification [1] defines
unicast site-local addresses, the IPv6 working group decided to
deprecate the syntax and the usage [5] and is now investigating other
forms of local IPv6 addressing. The usage of any new forms of
Deering, et al. Standards Track [Page 2]
RFC 4007 IPv6 Scoped Address Architecture March 2005
local addresses will be documented elsewhere in the future. Thus,
this document intentionally focuses on link-local and multicast
scopes only.
2. Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [2].
3. Basic Terminology
The terms link, interface, node, host, and router are defined in [3].
The definitions of unicast address scopes (link-local and global) and
multicast address scopes (interface-local, link-local, etc.) are
contained in [1].
4. Address Scope
Every IPv6 address other than the unspecified address has a specific
scope; that is, a topological span within which the address may be
used as a unique identifier for an interface or set of interfaces.
The scope of an address is encoded as part of the address, as
specified in [1].
For unicast addresses, this document discusses two defined scopes:
o Link-local scope, for uniquely identifying interfaces within
(i.e., attached to) a single link only.
o Global scope, for uniquely identifying interfaces anywhere in the
Internet.
The IPv6 unicast loopback address, ::1, is treated as having link-
local scope within an imaginary link to which a virtual "loopback
interface" is attached.
The unspecified address, ::, is a special case. It does not have any
scope because it must never be assigned to any node according to [1].
Note, however, that an implementation might use an implementation
dependent semantics for the unspecified address and may want to allow
the unspecified address to have specific scopes. For example,
implementations often use the unspecified address to represent "any"
address in APIs. In this case, implementations may regard the
unspecified address with a given particular scope as representing the
notion of "any address in the scope". This document does not
prohibit such a usage, as long as it is limited within the
implementation.
Deering, et al. Standards Track [Page 3]
RFC 4007 IPv6 Scoped Address Architecture March 2005
[1] defines IPv6 addresses with embedded IPv4 addresses as being part
of global addresses. Thus, those addresses have global scope, with
regard to the IPv6 scoped address architecture. However, an
implementation may use those addresses as if they had other scopes
for convenience. For instance, [6] assigns link-local scope to IPv4
auto-configured link-local addresses (the addresses from the prefix
169.254.0.0/16 [7]) and converts those addresses into IPv4-mapped
IPv6 addresses in order to perform destination address selection
among IPv4 and IPv6 addresses. This would implicitly mean that the
IPv4-mapped IPv6 addresses equivalent to the IPv4 auto-configuration
link-local addresses have link-local scope. This document does not
preclude such a usage, as long as it is limited within the
implementation.
Anycast addresses [1] are allocated from the unicast address space
and have the same scope properties as unicast addresses. All
statements in this document regarding unicast apply equally to
anycast.
For multicast addresses, there are fourteen possible scopes, ranging
from interface-local to global (including link-local). The
interface-local scope spans a single interface only; a multicast
address of interface-local scope is useful only for loopback delivery
of multicasts within a single node; for example, as a form of inter-
process communication within a computer. Unlike the unicast loopback
address, interface-local multicast addresses may be assigned to any
interface.
There is a size relationship among scopes:
o For unicast scopes, link-local is a smaller scope than global.
o For multicast scopes, scopes with lesser values in the "scop"
subfield of the multicast address (Section 2.7 of [1]) are smaller
than scopes with greater values, with interface-local being the
smallest and global being the largest.
However, two scopes of different size may cover the exact same region
of topology. For example, a (multicast) site may consist of a single
link, in which both link-local and site-local scope effectively cover
the same topological span.
5. Scope Zones
A scope zone, or simply a zone, is a connected region of topology of
a given scope. For example, the set of links connected by routers
within a particular (multicast) site, and the interfaces attached to
those links, comprise a single zone of multicast site-local scope.
Deering, et al. Standards Track [Page 4]
RFC 4007 IPv6 Scoped Address Architecture March 2005
Note that a zone is a particular instance of a topological region
(e.g., Alice's site or Bob's site), whereas a scope is the size of a
topological region (e.g., a site or a link).
The zone to which a particular non-global address pertains is not
encoded in the address itself but determined by context, such as the
interface from which it is sent or received. Thus, addresses of a
given (non-global) scope may be re-used in different zones of that
scope. For example, two different physical links may each contain a
node with the link-local address fe80::1.
Zones of the different scopes are instantiated as follows:
o Each interface on a node comprises a single zone of interface-
local scope (for multicast only).
o Each link and the interfaces attached to that link comprise a
single zone of link-local scope (for both unicast and multicast).
o There is a single zone of global scope (for both unicast and
multicast) comprising all the links and interfaces in the
Internet.
o The boundaries of zones of a scope other than interface-local,
link-local, and global must be defined and configured by network
administrators.
Zone boundaries are relatively static features, not changing in
response to short-term changes in topology. Thus, the requirement
that the topology within a zone be "connected" is intended to include
links and interfaces that may only be occasionally connected. For
example, a residential node or network that obtains Internet access
by dial-up to an employer's (multicast) site may be treated as part
of the employer's (multicast) site-local zone even when the dial-up
link is disconnected. Similarly, a failure of a router, interface,
or link that causes a zone to become partitioned does not split that
zone into multiple zones. Rather, the different partitions are still
considered to belong to the same zone.
Zones have the following additional properties:
o Zone boundaries cut through nodes, not links. (Note that the
global zone has no boundary, and the boundary of an interface-
local zone encloses just a single interface.)
o Zones of the same scope cannot overlap; i.e., they can have no
links or interfaces in common.
Deering, et al. Standards Track [Page 5]
RFC 4007 IPv6 Scoped Address Architecture March 2005
o A zone of a given scope (less than global) falls completely within
zones of larger scope. That is, a smaller scope zone cannot
include more topology than would any larger scope zone with which
it shares any links or interfaces.
o Each zone is required to be "convex" from a routing perspective;
i.e., packets sent from one interface to any other in the same
zone are never routed outside the zone. Note, however, that if a
zone contains a tunneled link (e.g., an IPv6-over-IPv6 tunnel link
[8]), a lower layer network of the tunnel can be located outside
the zone without breaking the convexity property.
Each interface belongs to exactly one zone of each possible scope.
Note that this means that an interface belongs to a scope zone
regardless of what kind of unicast address the interface has or of
which multicast groups the node joins on the interface.
6. Zone Indices
Because the same non-global address may be in use in more than one
zone of the same scope (e.g., the use of link-local address fe80::1
in two separate physical links) and a node may have interfaces
attached to different zones of the same scope (e.g., a router
normally has multiple interfaces attached to different links), a node
requires an internal means to identify to which zone a non-global
address belongs. This is accomplished by assigning, within the node,
a distinct "zone index" to each zone of the same scope to which that
node is attached, and by allowing all internal uses of an address to
be qualified by a zone index.
Deering, et al. Standards Track [Page 6]
RFC 4007 IPv6 Scoped Address Architecture March 2005
The assignment of zone indices is illustrated in the example in the
figure below:
A loopback interface to the imaginary loopback link (a phantom
link that goes nowhere).
Two interfaces to the same Ethernet link.
An interface to a point-to-point link.
A tunnel interface (e.g., the abstract endpoint of an IPv6-over-
IPv6 tunnel [8], presumably established over either the Ethernet
or the point-to-point link).
It is thus attached to five interface-local zones, identified by the
interface indices 1 through 5.
Because the two Ethernet interfaces are attached to the same link,
the node is only attached to four link-local zones, identified by
link indices 1 through 4. Also note that even if the tunnel
interface is established over the Ethernet, the tunnel link gets its
own link index, which is different from the index of the Ethernet
link zone.
Deering, et al. Standards Track [Page 7]
RFC 4007 IPv6 Scoped Address Architecture March 2005
Each zone index of a particular scope should contain enough
information to indicate the scope, so that all indices of all scopes
are unique within the node and zone indices themselves can be used
for a dedicated purpose. Usage of the index to identify an entry in
the Management Information Base (MIB) is an example of the dedicated
purpose. The actual representation to encode the scope is
implementation dependent and is out of scope of this document.
Within this document, indices are simply represented in a format such
as "link index 2" for readability.
The zone indices are strictly local to the node. For example, the
node on the other end of the point-to-point link may well use
entirely different interface and link index values for that link.
An implementation should also support the concept of a "default" zone
for each scope. And, when supported, the index value zero at each
scope SHOULD be reserved to mean "use the default zone". Unlike
other zone indices, the default index does not contain any scope, and
the scope is determined by the address that the default index
accompanies. An implementation may additionally define a separate
default zone for each scope. Those default indices can also be used
as the zone qualifier for an address for which the node is attached
to only one zone; e.g., when using global addresses.
At present, there is no way for a node to automatically determine
which of its interfaces belong to the same zones; e.g., the same link
or the same multicast scope zone larger than interface. In the
future, protocols may be developed to determine that information. In
the absence of such protocols, an implementation must provide a means
for manual assignment and/or reassignment of zone indices.
Furthermore, to avoid performing manual configuration in most cases,
an implementation should, by default, initially assign zone indices
only as follows:
o A unique interface index for each interface.
o A unique link index for each interface.
Then manual configuration would only be necessary for the less common
cases of nodes with multiple interfaces to a single link or of those
with interfaces to zones of different (multicast-only) scopes.
Thus, the default zone index assignments for the example node from
Figure 1 would be as illustrated in Figure 2, below. Manual
configuration would then be required to, for example, assign the same
link index to the two Ethernet interfaces, as shown in Figure 1.
Deering, et al. Standards Track [Page 8]
RFC 4007 IPv6 Scoped Address Architecture March 2005
As well as initially assigning zone indices, as specified above, an
implementation should automatically select a default zone for each
scope for which there is more than one choice, to be used whenever an
address is specified without a zone index (or with a zone index of
zero). For instance, in the example shown in Figure 2, the
implementation might automatically select intf2 and link2 as the
default zones for each of those two scopes. (One possible selection
algorithm is to choose the first zone that includes an interface
other than the loopback interface as the default for each scope.) A
means must also be provided to assign the default zone for a scope
manually, overriding any automatic assignment.
The unicast loopback address, ::1, may not be assigned to any
interface other than the loopback interface. Therefore, it is
recommended that, whenever ::1 is specified without a zone index or
with the default zone index, it be interpreted as belonging to the
loopback link-local zone, regardless of which link-local zone has
been selected as the default. If this is done, then for nodes with
only a single non-loopback interface (e.g., a single Ethernet
interface), the common case, link-local addresses need not be
qualified with a zone index. The unqualified address ::1 would
always refer to the link-local zone containing the loopback
interface. All other unqualified link-local addresses would refer to
the link-local zone containing the non-loopback interface (as long as
the default link-local zone was set to be the zone containing the
non-loopback interface).
Deering, et al. Standards Track [Page 9]
RFC 4007 IPv6 Scoped Address Architecture March 2005
Because of the requirement that a zone of a given scope fall
completely within zones of larger scope (see Section 5, above), two
interfaces assigned to different zones of scope S must also be
assigned to different zones of all scopes smaller than S. Thus, the
manual assignment of distinct zone indices for one scope may require
the automatic assignment of distinct zone indices for smaller scopes.
For example, suppose that distinct multicast site-local indices 1 and
2 are manually assigned in Figure 1 and that site 1 contains links 1,
2, and 3, but site 2 only contains link 4. This configuration would
cause the automatic creation of corresponding admin-local (i.e.,
multicast "scop" value 4) indices 1 and 2, because admin-local scope
is smaller than site-local scope.
With the above considerations, the complete set of zone indices for
our example node from Figure 1, with the additional configurations
here, is shown in Figure 3, below.
Although the above examples show the zones being assigned index
values sequentially for each scope, starting at one, the zone index
values are arbitrary. An implementation may label a zone with any
value it chooses, as long as the index value of each zone of all
scopes is unique within the node. Zero SHOULD be reserved to
represent the default zone. Implementations choosing to follow the
recommended basic API [10] will want to restrict their index values
Deering, et al. Standards Track [Page 10]
RFC 4007 IPv6 Scoped Address Architecture March 2005
to those that can be represented by the sin6_scope_id field of the
sockaddr_in6 structure.
7. Sending Packets
When an upper-layer protocol sends a packet to a non-global
destination address, it must have a means of identifying the intended
zone to the IPv6 layer for cases in which the node is attached to
more than one zone of the destination address's scope.
Although identification of an outgoing interface is sufficient to
identify an intended zone (because each interface is attached to no
more than one zone of each scope), in many cases that is more
specific than desired. For example, when sending to a link-local
unicast address from a node that has more than one interface to the
intended link (an unusual configuration), the upper layer protocol
may not care which of those interfaces is used for the transmission.
Rather, it would prefer to leave that choice to the routing function
in the IP layer. Thus, the upper-layer requires the ability to
specify a zone index, when sending to a non-global, non-loopback
destination address.
8. Receiving Packets
When an upper-layer protocol receives a packet containing a non-
global source or destination address, the zone to which that address
pertains can be determined from the arrival interface, because the
arrival interface can be attached to only one zone of the same scope
as that of the address under consideration. However, it is
recommended that the IP layer convey to the upper layer the correct
zone indices for the arriving source and destination addresses, in
addition to the arrival interface identifier.
9. Forwarding
When a router receives a packet addressed to a node other than
itself, it must take the zone of the destination and source addresses
into account as follows:
o The zone of the destination address is determined by the scope of
the address and arrival interface of the packet. The next-hop
interface is chosen by looking up the destination address in a
(conceptual) routing table specific to that zone (see Section 10).
That routing table is restricted to refer to interfaces belonging
to that zone.
Deering, et al. Standards Track [Page 11]
RFC 4007 IPv6 Scoped Address Architecture March 2005
o After the next-hop interface is chosen, the zone of the source
address is considered. As with the destination address, the zone
of the source address is determined by the scope of the address
and arrival interface of the packet. If transmitting the packet
on the chosen next-hop interface would cause the packet to leave
the zone of the source address, i.e., cross a zone boundary of the
scope of the source address, then the packet is discarded.
Additionally, if the packet's destination address is a unicast
address, an ICMP Destination Unreachable message [4] with Code 2
("beyond scope of source address") is sent to the source of the
original packet. Note that Code 2 is currently left as unassigned
in [4], but the IANA will re-assign the value for the new purpose,
and [4] will be revised with this change.
Note that even if unicast site-local addresses are deprecated, the
above procedure still applies to link-local addresses. Thus, if a
router receives a packet with a link-local destination address that
is not one of the router's own link-local addresses on the arrival
link, the router is expected to try to forward the packet to the
destination on that link (subject to successful determination of the
destination's link-layer address via the Neighbor Discovery protocol
[9]). The forwarded packet may be transmitted back through the
arrival interface, or through any other interface attached to the
same link.
A node that receives a packet addressed to itself and containing a
Routing Header with more than zero Segments Left (Section 4.4 of [3])
first checks the scope of the next address in the Routing Header. If
the scope of the next address is smaller than the scope of the
original destination address, the node MUST discard the packet.
Otherwise, it swaps the original destination address with the next
address in the Routing Header. Then the above forwarding rules apply
as follows:
o The zone of the new destination address is determined by the scope
of the next address and the arrival interface of the packet. The
next-hop interface is chosen as per the first bullet of the rules
above.
o After the next-hop interface is chosen, the zone of the source
address is considered as per the second bullet of the rules above.
This check about the scope of the next address ensures that when a
packet arrives at its final destination, if that destination is
link-local, then the receiving node can know that the packet
Deering, et al. Standards Track [Page 12]
RFC 4007 IPv6 Scoped Address Architecture March 2005
originated on-link. This will help the receiving node send a
"response" packet with the final destination of the received packet
as the source address without breaking its source zone.
Note that it is possible, though generally inadvisable, to use a
Routing Header to convey a non-global address across its associated
zone boundary in the previously used next address field. For
example, consider a case in which a link-border node (e.g., a router)
receives a packet with the destination being a link-local address,
and the source address a global address. If the packet contains a
Routing Header where the next address is a global address, the next-
hop interface to the global address may belong to a different link
than that of the original destination. This is allowed because the
scope of the next address is not smaller than the scope of the
original destination.
10. Routing
Note that as unicast site-local addresses are deprecated, and link-
local addresses do not need routing, the discussion in this section
only applies to multicast scoped routing.
When a routing protocol determines that it is operating on a zone
boundary, it MUST protect inter-zone integrity and maintain intra-
zone connectivity.
To maintain connectivity, the routing protocol must be able to create
forwarding information for the global groups and for all the scoped
groups for each of its attached zones. The most straightforward way
of doing this is to create (conceptual) forwarding tables for each
specific zone.
To protect inter-zone integrity, routers must be selective in the
group information shared with neighboring routers. Routers routinely
exchange routing information with neighboring routers. When a router
is transmitting this routing information, it must not include any
information about zones other than the zones assigned to the
interface used to transmit the information.
Deering, et al. Standards Track [Page 13]
RFC 4007 IPv6 Scoped Address Architecture March 2005
As an example, the router in Figure 4 must exchange routing
information on five interfaces. The information exchanged is as
follows (for simplicity, multicast scopes smaller or larger than the
organization scope except global are not considered here):
o Interface 1
* All global groups
* All organization groups learned from Interfaces 1, 2, and 3
o Interface 2
* All global groups
* All organization groups learned from Interfaces 1, 2, and 3
o Interface 3
* All global groups
* All organization groups learned from Interfaces 1, 2, and 3
o Interface 4
* All global groups
* All organization groups learned from Interface 4
o Interface 5
* All global groups
* All organization groups learned from Interface 5
Deering, et al. Standards Track [Page 14]
RFC 4007 IPv6 Scoped Address Architecture March 2005
By imposing route exchange rules, zone integrity is maintained by
keeping all zone-specific routing information contained within the
zone.
11. Textual Representation
As already mentioned, to specify an IPv6 non-global address without
ambiguity, an intended scope zone should be specified as well. As a
common notation to specify the scope zone, an implementation SHOULD
support the following format:
<address>%<zone_id>
where
<address> is a literal IPv6 address,
<zone_id> is a string identifying the zone of the address, and
`%' is a delimiter character to distinguish between <address> and
<zone_id>.
The following subsections describe detailed definitions, concrete
examples, and additional notes of the format.
11.1. Non-Global Addresses
The format applies to all kinds of unicast and multicast addresses of
non-global scope except the unspecified address, which does not have
a scope. The format is meaningless and should not be used for global
addresses. The loopback address belongs to the trivial link; i.e.,
the link attached to the loopback interface. Thus the format should
not be used for the loopback address, either. This document does not
specify the usage of the format when the <address> is the unspecified
address, as the address does not have a scope. This document,
however, does not prohibit an implementation from using the format
for those special addresses for implementation dependent purposes.
11.2. The <zone_id> Part
In the textual representation, the <zone_id> part should be able to
identify a particular zone of the address's scope. Although a zone
index is expected to contain enough information to determine the
scope and to be unique among all scopes as described in Section 6,
the <zone_id> part of this format does not have to contain the scope.
This is because the <address> part should specify the appropriate
scope. This also means that the <zone_id> part does not have to be
unique among all scopes.
Deering, et al. Standards Track [Page 15]
RFC 4007 IPv6 Scoped Address Architecture March 2005
With this loosened property, an implementation can use a convenient
representation as <zone_id>. For example, to represent link index 2,
the implementation can simply use "2" as <zone_id>, which would be
more readable than other representations that contain the "link"
scope.
When an implementation interprets the format, it should construct the
"full" zone index, which contains the scope, from the <zone_id> part
and the scope specified by the <address> part. (Remember that a zone
index itself should contain the scope, as specified in Section 6.)
An implementation SHOULD support at least numerical indices that are
non-negative decimal integers as <zone_id>. The default zone index,
which should typically be 0 (see Section 6), is included in the
integers. When <zone_id> is the default, the delimiter characters
"%" and <zone_id> can be omitted. Similarly, if a textual
representation of an IPv6 address is given without a zone index, it
should be interpreted as <address>%<default ID>, where <default ID>
is the default zone index of the scope that <address> has.
An implementation MAY support other kinds of non-null strings as
<zone_id>. However, the strings must not conflict with the delimiter
character. The precise format and semantics of additional strings is
implementation dependent.
One possible candidate for these strings would be interface names, as
interfaces uniquely disambiguate any scopes. In particular,
interface names can be used as "default identifiers" for interfaces
and links, because by default there is a one-to-one mapping between
interfaces and each of those scopes as described in Section 6.
An implementation could also use interface names as <zone_id> for
scopes larger than links, but there might be some confusion in this
use. For example, when more than one interface belongs to the same
(multicast) site, a user would be confused about which interface
should be used. Also, a mapping function from an address to a name
would encounter the same kind of problem when it prints an address
with an interface name as a zone index. This document does not
specify how these cases should be treated and leaves it
implementation dependent.
It cannot be assumed that indices are common across all nodes in a
zone (see Section 6). Hence, the format MUST be used only within a
node and MUST NOT be sent on the wire unless every node that
interprets the format agrees on the semantics.
Deering, et al. Standards Track [Page 16]
RFC 4007 IPv6 Scoped Address Architecture March 2005
11.3. Examples
The following addresses
fe80::1234 (on the 1st link of the node)
ff02::5678 (on the 5th link of the node)
ff08::9abc (on the 10th organization of the node)
would be represented as follows:
fe80::1234%1
ff02::5678%5
ff08::9abc%10
(Here we assume a natural translation from a zone index to the
<zone_id> part, where the Nth zone of any scope is translated into
"N".)
If we use interface names as <zone_id>, those addresses could also be
represented as follows:
where the interface "ne0" belongs to the 1st link, "pvc1.3" belongs
to the 5th link, and "interface10" belongs to the 10th organization.
11.4. Usage Examples
Applications that are supposed to be used in end hosts such as
telnet, ftp, and ssh may not explicitly support the notion of address
scope, especially of link-local addresses. However, an expert user
(e.g., a network administrator) sometimes has to give even link-local
addresses to such applications.
Here is a concrete example. Consider a multi-linked router called
"R1" that has at least two point-to-point interfaces (links). Each
of the interfaces is connected to another router, "R2" and "R3",
respectively. Also assume that the point-to-point interfaces have
link-local addresses only.
Now suppose that the routing system on R2 hangs up and has to be
reinvoked. In this situation, we may not be able to use a global
address of R2, because this is routing trouble and we cannot expect
to have enough routes for global reachability to R2.
Deering, et al. Standards Track [Page 17]
RFC 4007 IPv6 Scoped Address Architecture March 2005
Hence, we have to login R1 first and then try to login R2 by using
link-local addresses. In this case, we have to give the link-local
address of R2 to, for example, telnet. Here we assume the address is
fe80::2.
Note that we cannot just type
% telnet fe80::2
here, since R1 has more than one link and hence the telnet command
cannot detect which link it should try to use for connecting.
Instead, we should type the link-local address with the link index as
follows:
% telnet fe80::2%3
where "3" after the delimiter character `%' corresponds to the link
index of the point-to-point link.
11.5. Related API
An extension to the recommended basic API defines how the format for
non-global addresses should be treated in library functions that
translate a nodename to an address, or vice versa [11].
11.6. Omitting Zone Indices
The format defined in this document does not intend to invalidate the
original format for non-global addresses; that is, the format without
the zone index portion. As described in Section 6, in some common
cases with the notion of the default zone index, there can be no
ambiguity about scope zones. In such an environment, the
implementation can omit the "%<zone_id>" part. As a result, it can
act as though it did not support the extended format at all.
11.7. Combinations of Delimiter Characters
There are other kinds of delimiter characters defined for IPv6
addresses. In this subsection, we describe how they should be
combined with the format for non-global addresses.
The IPv6 addressing architecture [1] also defines the syntax of IPv6
prefixes. If the address portion of a prefix is non-global and its
scope zone should be disambiguated, the address portion SHOULD be in
the format. For example, a link-local prefix fe80::/64 on the second
link can be represented as follows:
fe80::%2/64
Deering, et al. Standards Track [Page 18]
RFC 4007 IPv6 Scoped Address Architecture March 2005
In this combination, it is important to place the zone index portion
before the prefix length when we consider parsing the format by a
name-to-address library function [11]. That is, we can first
separate the address with the zone index from the prefix length, and
just pass the former to the library function.
The preferred format for literal IPv6 addresses in URLs is also
defined [12]. When a user types the preferred format for an IPv6
non-global address whose zone should be explicitly specified, the
user could use the format for the non-global address combined with
the preferred format.
However, the typed URL is often sent on the wire, and it would cause
confusion if an application did not strip the <zone_id> portion
before sending. Note that the applications should not need to care
about which kind of addresses they're using, much less parse or strip
out the <zone_id> portion of the address.
Also, the format for non-global addresses might conflict with the URI
syntax [13], since the syntax defines the delimiter character (`%')
as the escape character. This conflict would require, for example,
that the <zone_id> part for zone 1 with the delimiter be represented
as '%251'. It also means that we could not simply copy a non-escaped
format from other sources as input to the URI parser. Additionally,
if the URI parser does not convert the escaped format before passing
it to a name-to-address library, the conversion will fail. All these
issues would decrease the benefit of the textual representation
described in this section.
Hence, this document does not specify how the format for non-global
addresses should be combined with the preferred format for literal
IPv6 addresses. In any case, it is recommended to use an FQDN
instead of a literal IPv6 address in a URL, whenever an FQDN is
available.
12. Security Considerations
A limited scope address without a zone index has security
implications and cannot be used for some security contexts. For
example, a link-local address cannot be used in a traffic selector of
a security association established by Internet Key Exchange (IKE)
when the IKE messages are carried over global addresses. Also, a
link-local address without a zone index cannot be used in access
control lists.
The routing section of this document specifies a set of guidelines
whereby routers can prevent zone-specific information from leaking
out of each zone. If, for example, multicast site boundary routers
Deering, et al. Standards Track [Page 19]
RFC 4007 IPv6 Scoped Address Architecture March 2005
allow site routing information to be forwarded outside of the site,
the integrity of the site could be compromised.
Since the use of the textual representation of non-global addresses
is restricted to use within a single node, it does not create a
security vulnerability from outside the node. However, a malicious
node might send a packet that contains a textual IPv6 non-global
address with a zone index, intending to deceive the receiving node
about the zone of the non-global address. Thus, an implementation
should be careful when it receives packets that contain textual non-
global addresses as data.
13. Contributors
This document is a combination of several separate efforts. Atsushi
Onoe took a significant role in one of them and deeply contributed to
the content of Section 11 as a co-author of a separate proposal.
14. Acknowledgements
Many members of the IPv6 working group provided useful comments and
feedback on this document. In particular, Margaret Wasserman and Bob
Hinden led the working group to make a consensus on IPv6 local
addressing. Richard Draves proposed an additional rule to process
Routing header containing scoped addresses. Dave Thaler and Francis
Dupont gave valuable suggestions to define semantics of zone indices
in terms of related API. Pekka Savola reviewed a version of the
document very carefully and made detailed comments about serious
problems. Steve Bellovin, Ted Hardie, Bert Wijnen, and Timothy
Gleeson reviewed and helped improve the document during the
preparation for publication.
15. References
15.1. Normative References
[1] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
Addressing Architecture", RFC 3513, April 2003.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[3] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
Specification", RFC 2460, December 1998.
[4] Conta, A. and S. Deering, "Internet Control Message Protocol
(ICMPv6) for the Internet Protocol Version 6 (IPv6)
Specification", RFC 2463, December 1998.
Deering, et al. Standards Track [Page 20]
RFC 4007 IPv6 Scoped Address Architecture March 2005
15.2. Informative References
[5] Huitema, C. and B. Carpenter, "Deprecating Site Local
Addresses", RFC 3879, September 2004.
[6] Draves, R., "Default Address Selection for Internet Protocol
version 6 (IPv6)", RFC 3484, February 2003.
[7] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic Configuration
of Link-Local IPv4 Addresses", Work in Progress.
[8] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6
Specification", RFC 2473, December 1998.
[9] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery
for IP Version 6 (IPv6)", RFC 2461, December 1998.
[10] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W.
Stevens, "Basic Socket Interface Extensions for IPv6", RFC 3493,
February 2003.
[11] Gilligan, R., "Scoped Address Extensions to the IPv6 Basic
Socket API", Work in Progress, July 2002.
[12] Hinden, R., Carpenter, B., and L. Masinter, "Format for Literal
IPv6 Addresses in URL's", RFC 2732, December 1999.
[13] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 3986, January
2005.
Deering, et al. Standards Track [Page 21]
RFC 4007 IPv6 Scoped Address Architecture March 2005
Authors' Addresses
Stephen E. Deering
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Brian Haberman
Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Road
Laurel, MD 20723-6099
USA
RFC 4007 IPv6 Scoped Address Architecture March 2005
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
[email protected].
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
