Basic Requirements for IPv6 Customer Edge Routers

This document defines basic IPv6 features for a residential or small- office router, referred to as an "IPv6 CE router", in order to establish an industry baseline for features to be implemented on such a router. These routers typically also support IPv4, at least in the LAN side. This document specifies how an IPv6 CE router automatically provisions its WAN interface, acquires address space for provisioning of its LAN interfaces, and fetches other configuration information from the service provider network. Automatic provisioning of more complex topology than a single router with multiple LAN interfaces may be handled by means of HNCP (). In some cases, manual provisioning may be acceptable, when intended for a small number of customers. This document doesn't cover the specific details of each possible access technology. For example, if the IPv6 CE is supporting built-in or external 3GPP/LTE interfaces, is a relevant reference. See for a discussion of options available for deploying IPv6 in wireline service provider access networks. This document also covers the IP transition technologies required in a world where IPv4 addresses are no longer available, so the service providers need to provision IPv6-only WAN access, while at the same time ensuring that IPv4-only or IPv6-only devices or applications in the customer LANs can still reach IPv4-only devices or applications in Internet, which still don't have IPv6 support.

Take careful note: Unlike other IETF documents, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are not used as described in RFC 2119. This document uses these keywords not strictly for the purpose of interoperability, but rather for the purpose of establishing industry-common baseline functionality. As such, the document points to several other specifications (preferable in RFC or stable form) to provide additional guidance to implementers regarding any protocol implementation required to produce a successful IPv6 CE router that interoperates successfully with a particular subset of currently deploying and planned common IPv6 access networks.

one or more links attached to the IPv6 CE router that connect IPv6 hosts. a node intended for home or small-office use that forwards IPv6 packets not explicitly addressed to itself. The IPv6 CE router connects the end-user network to a service provider network. In other documents, the IPv6 CE is named as CPE (Customer Premises Equipment or Customer Provided Equipment). In the context of this document, both terminologies are synonymous. any device implementing an IPv6 stack receiving IPv6 connectivity through the IPv6 CE router. an IPv6 CE router's attachment to a link in the end-user network. Examples are Ethernet (simple or bridged), 802.11 wireless, or other LAN technologies. An IPv6 CE router may have one or more network-layer LAN interfaces. an entity that provides access to the Internet. In this document, a service provider specifically offers Internet access using IPv6, and it may also offer IPv4 Internet access. The service provider can provide such access over a variety of different transport methods such as FTTH, DSL, cable, wireless, 3GPP/LTE, and others. an IPv6 CE router's attachment to a link used to provide connectivity to the service provider network; example link technologies include Ethernet (simple or bridged), PPP links, Frame Relay, or ATM networks, as well as Internet-layer (or higher-layer) "tunnels", such as tunnels over IPv4 or IPv6 itself.

The IPv6 CE router described in this document is expected to be used typically, in any of the following scenarios: Residential/household users. Common usage is any kind of Internet access (web, email, streaming, online gaming, etc.). Residential with Small Office/Home Office (SOHO). Same usage as for the first scenario. Small Office/Home Office (SOHO). Same usage as for the first scenario. Small and Medium Enterprise (SME). Same usage as for the first scenario. Residential/household with advanced requirements. Same basic usage as for the first scenario, however there may be requirements for exporting services to the WAN (IP cameras, web, DNS, email, VPN, etc.). Small and Medium Enterprise (SME) with advanced requirements. Same basic usage as for the first scenario, however there may be requirements for exporting services to the WAN (IP cameras, web, DNS, email, VPN, etc.). The above list is not intended to be comprehensive of all the possible usage scenarios, just the main ones. In fact, combinations of the above usages are also possible, for example a residential with SOHO and advanced requirements. The mechanisms for exporting IPv6 services are commonly "naturally" available in any IPv6 router, as when using GUA, unless they are blocked by firewall rules, which may require some manual configuration by means of a GUI and/or CLI. However, in the case of IPv4, because the usage of private addresses and NAT, it typically requires some degree of manual configuration such as setting up a DMZ, virtual servers, or port/protocol forwarding. In general, CE routers already provide GUI and/or CLI to manually configure them, or the possibility to setup the CE in bridge mode, so another CE behind it, takes care of that. It is out of the scope of this document the definition of any requirements for that. The main difference for an IPv6 CE router to support one or several of the above indicated scenarios, is related to the packet processing capabilities, performance, even other details such as the number of WAN/LAN interfaces, their maximum speed, memory for keeping tables or tracking connections, etc. So, it is out of the scope of this document to classify them. For example, an SME may have just 10 employees (micro-SME), which commonly will be considered same as a SOHO, but a small SME can have up to 50 employees, or 250 for a medium one. Depending on the IPv6 CE router capabilities or even how it is being configured (for instance, using SLAAC or DHCPv6), it may support even a higher number of employees if the traffic in the LANs is low, or switched by another device(s), or the WAN bandwidth requirements are low, etc. The actual bandwidth capabilities of access with technologies such as FTTH, cable and even 3GPP/LTE, allows the support of such usages, and indeed, is a very common situation that access networks and the IPv6 CE provided by the service provider are the same for SMEs and residential users. There is also no difference in terms of who actually provides the IPv6 CE router. In most of the cases is the service provider, and in fact is responsible, typically, of provisioning/managing at least the WAN side. However, commonly the user has access to configure the LAN interfaces, firewall, DMZ, and many other aspects. In fact, in many cases, the user must supply, or at least can replace the IPv6 CE router, which makes even more relevant that all the IPv6 CE routers, support the same requirements defined in this document. The IPv6 CE router described in this document is not intended for usage in other scenarios such as bigger Enterprises, Data Centers, Content Providers, etc. So, even if the documented requirements meet their needs, may have additional requirements, which are out of the scope of this document.

An end-user network will likely support both IPv4 and IPv6. It is not expected that an end user will change their existing network topology with the introduction of IPv6. There are some differences in how IPv6 works and is provisioned; these differences have implications for the network architecture. A typical IPv4 end-user network consists of a "plug and play" router with NAT functionality and a single link behind it, connected to the service provider network. A typical IPv4 NAT deployment by default blocks all incoming connections. Opening of ports is typically allowed using a Universal Plug and Play Internet Gateway Device (UPnP IGD) or some other firewall control protocol. Another consequence of using private address space in the end-user network is that it provides stable addressing; that is, it never changes even when you change service providers, and the addresses are always there even when the WAN interface is down or the customer edge router has not yet been provisioned. Many existing routers support dynamic routing (which learns routes from other routers), and advanced end-users can build arbitrary, complex networks using manual configuration of address prefixes combined with a dynamic routing protocol.

The end-user network architecture for IPv6 should provide equivalent or better capabilities and functionality than the current IPv4 architecture. The end-user network is a stub network, in the sense that is not providing transit to other external networks. However HNCP () allows support for automatic provisioning of downstream routers. Figure 1 illustrates the model topology for the end-user network.

This architecture describes the: Basic capabilities of an IPv6 CE router Provisioning of the WAN interface connecting to the service provider Provisioning of the LAN interfaces For IPv6 multicast traffic, the IPv6 CE router may act as a Multicast Listener Discovery (MLD) proxy and may support a dynamic multicast routing protocol. The IPv6 CE router may be manually configured in an arbitrary topology with a dynamic routing protocol or using HNCP (). Automatic provisioning and configuration is described for a single IPv6 CE router only.

Link-local IPv6 addresses are used by hosts communicating on a single link. Unique Local IPv6 Unicast Addresses (ULAs) are used by hosts communicating within the end-user network across multiple links, but without requiring the application to use a globally routable address. The IPv6 CE router defaults to acting as the demarcation point between two networks by providing a ULA boundary, a multicast zone boundary, and ingress and egress traffic filters. At the time of this writing, several host implementations do not handle the case where they have an IPv6 address configured and no IPv6 connectivity, either because the address itself has a limited topological reachability (e.g., ULA) or because the IPv6 CE router is not connected to the IPv6 network on its WAN interface. To support host implementations that do not handle multihoming in a multi-prefix environment , the IPv6 CE router should not, as detailed in the requirements below, advertise itself as a default router on the LAN interface(s) when it does not have IPv6 connectivity on the WAN interface or when it is not provisioned with IPv6 addresses. For local IPv6 communication, the mechanisms specified in are used. ULA addressing is useful where the IPv6 CE router has multiple LAN interfaces with hosts that need to communicate with each other. If the IPv6 CE router has only a single LAN interface (IPv6 link), then link-local addressing can be used instead. Coexistence with IPv4 requires any IPv6 CE router(s) on the LAN to conform to these recommendations, especially requirements ULA-5 and L-4 below.

The IPv6 CE router is responsible for implementing IPv6 routing; that is, the IPv6 CE router must look up the IPv6 destination address in its routing table to decide to which interface it should send the packet. In this role, the IPv6 CE router is responsible for ensuring that traffic using its ULA addressing does not go out the WAN interface and does not originate from the WAN interface. An IPv6 CE router is an IPv6 node according to the IPv6 Node Requirements specification. The IPv6 CE router MUST implement ICMPv6 according to . In particular, point-to-point links MUST be handled as described in Section 3.1 of . The IPv6 CE router MUST NOT forward any IPv6 traffic between its LAN interface(s) and its WAN interface until the router has successfully completed the IPv6 address and the delegated prefix acquisition process. By default, an IPv6 CE router that has no default router(s) on its WAN interface MUST NOT advertise itself as an IPv6 default router on its LAN interfaces. That is, the "Router Lifetime" field is set to zero in all Router Advertisement messages it originates . By default, if the IPv6 CE router is an advertising router and loses its IPv6 default router(s) and/or detects loss of connectivity on the WAN interface, it MUST explicitly invalidate itself as an IPv6 default router on each of its advertising interfaces by immediately transmitting one or more Router Advertisement messages with the "Router Lifetime" field set to zero . The IPv6 CE router MUST comply with .

The IPv6 CE router will need to support connectivity to one or more access network architectures. This document describes an IPv6 CE router that is not specific to any particular architecture or service provider and that supports all commonly used architectures. IPv6 Neighbor Discovery and DHCPv6 protocols operate over any type of IPv6-supported link layer, and there is no need for a link-layer-specific configuration protocol for IPv6 network-layer configuration options as in, e.g., PPP IP Control Protocol (IPCP) for IPv4. This section makes the assumption that the same mechanism will work for any link layer, be it Ethernet, the Data Over Cable Service Interface Specification (DOCSIS), PPP, or others. WAN-side requirements: When the router is attached to the WAN interface link, it MUST act as an IPv6 host for the purposes of stateless or stateful interface address assignment. The IPv6 CE router MUST generate a link-local address and finish Duplicate Address Detection according to prior to sending any Router Solicitations on the interface. The source address used in the subsequent Router Solicitation MUST be the link-local address on the WAN interface. Absent other routing information, the IPv6 CE router MUST use Router Discovery as specified in to discover a default router(s) and install a default route(s) in its routing table with the discovered router's address as the next hop. The router MUST act as a requesting router for the purposes of DHCPv6 prefix delegation (). The IPv6 CE router MUST use a persistent DHCP Unique Identifier (DUID) for DHCPv6 messages. The DUID MUST NOT change between network-interface resets or IPv6 CE router reboots. The WAN interface of the IPv6 CE router SHOULD support a Port Control Protocol (PCP) client as specified in for use by applications on the IPv6 CE router. The PCP client SHOULD follow the procedure specified in Section 8.1 of to discover its PCP server. This document takes no position on whether such functionality is enabled by default or mechanisms by which users would configure the functionality. Handling PCP requests from PCP clients in the LAN side of the IPv6 CE router is out of scope. Link-layer requirements: If the WAN interface supports Ethernet encapsulation, then the IPv6 CE router MUST support IPv6 over Ethernet . If the WAN interface supports PPP encapsulation, the IPv6 CE router MUST support IPv6 over PPP . If the WAN interface supports PPP encapsulation, in a dual-stack environment with IPCP and IPV6CP running over one PPP logical channel, the Network Control Protocols (NCPs) MUST be treated as independent of each other and start and terminate independently. Address assignment requirements: The IPv6 CE router MUST support Stateless Address Autoconfiguration (SLAAC) . The IPv6 CE router MUST follow the recommendations in Section 4 of , and in particular the handling of the L flag in the Router Advertisement Prefix Information option. The IPv6 CE router MUST support DHCPv6 client behavior. The IPv6 CE router MUST be able to support the following DHCPv6 options: Identity Association for Non-temporary Address (IA_NA), Reconfigure Accept , and DNS_SERVERS . The IPv6 CE router SHOULD be able to support the DNS Search List (DNSSL) option as specified in . The IPv6 CE router SHOULD implement the Network Time Protocol (NTP) as specified in to provide a time reference common to the service provider for other protocols, such as DHCPv6, to use. If the IPv6 CE router implements NTP, it requests the NTP Server DHCPv6 option and uses the received list of servers as primary time reference, unless explicitly configured otherwise. LAN side support of NTP is out of scope for this document. If the IPv6 CE router receives a Router Advertisement message (described in ) with the M flag set to 1, the IPv6 CE router MUST do DHCPv6 address assignment (request an IA_NA option). If the IPv6 CE router does not acquire a global IPv6 address(es) from either SLAAC or DHCPv6, then it MUST create a global IPv6 address(es) from its delegated prefix(es) and configure those on one of its internal virtual network interfaces, unless configured to require a global IPv6 address on the WAN interface. The IPv6 CE router MUST support the SOL_MAX_RT option and request the SOL_MAX_RT option in an Option Request Option (ORO). As a router, the IPv6 CE router MUST follow the weak host (Weak End System) model . When originating packets from an interface, it will use a source address from another one of its interfaces if the outgoing interface does not have an address of suitable scope. The IPv6 CE router SHOULD implement the Information Refresh Time option and associated client behavior as specified in . Prefix delegation requirements: The IPv6 CE router MUST support DHCPv6 prefix delegation requesting router behavior as specified in (Identity Association for Prefix Delegation (IA_PD) option). The IPv6 CE router MAY indicate as a hint to the delegating router the size of the prefix it requires. If so, it MUST ask for a prefix large enough to assign one /64 for each of its interfaces, rounded up to the nearest nibble, and SHOULD be configurable to ask for more. The IPv6 CE router MUST be prepared to accept a delegated prefix size different from what is given in the hint. If the delegated prefix is too small to address all of its interfaces, the IPv6 CE router SHOULD log a system management error. covers the recommendations for service providers for prefix allocation sizes. By default, the IPv6 CE router MUST initiate DHCPv6 prefix delegation when either the M or O flags are set to 1 in a received Router Advertisement (RA) message. Behavior of the IPv6 CE router to use DHCPv6 prefix delegation when the IPv6 CE router has not received any RA or received an RA with the M and the O bits set to zero is out of scope for this document. Any packet received by the IPv6 CE router with a destination address in the prefix(es) delegated to the IPv6 CE router but not in the set of prefixes assigned by the IPv6 CE router to the LAN must be dropped. In other words, the next hop for the prefix(es) delegated to the IPv6 CE router should be the null destination. This is necessary to prevent forwarding loops when some addresses covered by the aggregate are not reachable . The IPv6 CE router SHOULD send an ICMPv6 Destination Unreachable message in accordance with Section 3.1 of back to the source of the packet, if the packet is to be dropped due to this rule. If the IPv6 CE router requests both an IA_NA and an IA_PD option in DHCPv6, it MUST accept an IA_PD option in DHCPv6 Advertise/Reply messages, even if the message does not contain any addresses, unless configured to only obtain its WAN IPv6 address via DHCPv6; see . By default, an IPv6 CE router MUST NOT initiate any dynamic routing protocol on its WAN interface. The IPv6 CE router SHOULD support the Prefix Exclude option.

The IPv6 CE router distributes configuration information obtained during WAN interface provisioning to IPv6 hosts and assists IPv6 hosts in obtaining IPv6 addresses. It also supports connectivity of these devices in the absence of any working WAN interface. An IPv6 CE router is expected to support an IPv6 end-user network and IPv6 hosts that exhibit the following characteristics: Link-local addresses may be insufficient for allowing IPv6 applications to communicate with each other in the end-user network. The IPv6 CE router will need to enable this communication by providing globally scoped unicast addresses or ULAs , whether or not WAN connectivity exists. IPv6 hosts should be capable of using SLAAC and may be capable of using DHCPv6 for acquiring their addresses. IPv6 hosts may use DHCPv6 for other configuration information, such as the DNS_SERVERS option for acquiring DNS information. Unless otherwise specified, the following requirements apply to the IPv6 CE router's LAN interfaces only. ULA requirements: The IPv6 CE router SHOULD be capable of generating a ULA prefix . An IPv6 CE router with a ULA prefix MUST maintain this prefix consistently across reboots. The value of the ULA prefix SHOULD be configurable. By default, the IPv6 CE router MUST act as a site border router according to Section 4.3 of and filter packets with local IPv6 source or destination addresses accordingly. An IPv6 CE router MUST NOT advertise itself as a default router with a Router Lifetime greater than zero whenever all of its configured and delegated prefixes are ULA prefixes. LAN requirements: The IPv6 CE router MUST support router behavior according to Neighbor Discovery for IPv6 . The IPv6 CE router MUST assign a separate /64 from its delegated prefix(es) (and ULA prefix if configured to provide ULA addressing) for each of its LAN interfaces. An IPv6 CE router MUST advertise itself as a router for the delegated prefix(es) (and ULA prefix if configured to provide ULA addressing) using the "Route Information Option" specified in Section 2.3 of . This advertisement is independent of having or not having IPv6 connectivity on the WAN interface. An IPv6 CE router MUST NOT advertise itself as a default router with a Router Lifetime greater than zero if it has no prefixes configured or delegated to it. The IPv6 CE router MUST make each LAN interface an advertising interface according to . In Router Advertisement messages (), the Prefix Information option's A and L flags MUST be set to 1 by default. The A and L flags' () settings SHOULD be user configurable. The IPv6 CE router MUST support a DHCPv6 server capable of IPv6 address assignment according to OR a stateless DHCPv6 server according to on its LAN interfaces. Unless the IPv6 CE router is configured to support the DHCPv6 IA_NA option, it SHOULD set the M flag to zero and the O flag to 1 in its Router Advertisement messages . The IPv6 CE router MUST support providing DNS information in the DHCPv6 DNS_SERVERS and DOMAIN_LIST options . The IPv6 CE router MUST support providing DNS information in the Router Advertisement Recursive DNS Server (RDNSS) and DNS Search List options. Both options are specified in . The IPv6 CE router SHOULD implement a DNS proxy as described in . The IPv6 CE router SHOULD make available a subset of DHCPv6 options (as listed in Section 5.3 of ) received from the DHCPv6 client on its WAN interface to its LAN-side DHCPv6 server. If the delegated prefix changes, i.e., the current prefix is replaced with a new prefix without any overlapping time period, then the IPv6 CE router MUST immediately advertise the old prefix with a Preferred Lifetime of zero and a Valid Lifetime of either a) zero or b) the lower of the current Valid Lifetime and two hours (which must be decremented in real time) in a Router Advertisement message as described in Section 5.5.3, (e) of . The IPv6 CE router MUST send an ICMPv6 Destination Unreachable message, code 5 (Source address failed ingress/egress policy) for packets forwarded to it that use an address from a prefix that has been invalidated. The IPv6 CE router SHOULD provide HNCP (Home Networking Control Protocol) services, as specified in .

Even if the main target of this document is the support of IPv6-only WAN access, for some time, there will be a need to support IPv4-only devices and applications in the customers LANs, in one side of the picture. In the other side, some Service Providers willing to deploy IPv6, may not be able to do so in the first stage, neither as IPv6-only or dual-stack in the WAN. Consequently, transition technologies to resolve both issues should be taken in consideration.

464XLAT is a technique to provide IPv4 access service to IPv6-only edge networks without encapsulation. The IPv6 CE router SHOULD support CLAT functionality. If 464XLAT is supported, it MUST be implemented according to . The following CE Requirements also apply: 464XLAT requirements: The IPv6 CE router MUST perform IPv4 Network Address Translation (NAT) on IPv4 traffic translated using the CLAT, unless a dedicated /64 prefix has been acquired using DHCPv6-PD . The IPv6 CE router MUST implement in order to discover the PLAT-side translation IPv4 and IPv6 prefix(es)/suffix(es). In environments with PCP support, the IPv6 CE SHOULD follow to learn the PLAT-side translation IPv4 and IPv6 prefix(es)/suffix(es) used by an upstream PCP-controlled NAT64 device.

Dual-Stack Lite enables both continued support for IPv4 services and incentives for the deployment of IPv6. It also de&nbhy;couples IPv6 deployment in the service provider network from the rest of the Internet, making incremental deployment easier. Dual-Stack Lite enables a broadband service provider to share IPv4 addresses among customers by combining two well-known technologies: IP in IP (IPv4-in-IPv6) and Network Address Translation (NAT). It is expected that DS-Lite traffic is forwarded over the IPv6 CE router's native IPv6 WAN interface, and not encapsulated in another tunnel. The IPv6 CE router SHOULD implement DS-Lite functionality. If DS&nbhy;Lite is supported, it MUST be implemented according to . This document takes no position on simultaneous operation of Dual-Stack Lite and native IPv4. The following IPv6 CE router requirements also apply: DS-Lite requirements: The IPv6 CE router MUST support configuration of DS-Lite via the DS-Lite DHCPv6 option . The IPv6 CE router MAY use other mechanisms to configure DS-Lite parameters. Such mechanisms are outside the scope of this document. The IPv6 CE router MUST support the DHCPv6 S46 priority option described in . The IPv6 CE router MUST NOT perform IPv4 Network Address Translation (NAT) on IPv4 traffic encapsulated using DS-Lite. If the IPv6 CE router is configured with an IPv4 address on its WAN interface, then the IPv6 CE router SHOULD disable the DS-Lite Basic Bridging BroadBand (B4) element.

Lw4o6 specifies an extension to DS-Lite, which moves the NAPT function from the DS-Lite tunnel concentrator to the tunnel client located in the IPv6 CE router, removing the requirement for a CGN function in the tunnel concentrator and reducing the amount of centralized state. The IPv6 CE router SHOULD implement lw4o6 functionality. If DS-Lite is implemented, lw4o6 MUST be supported as well. If lw4o6 is supported, it MUST be implemented according to . This document takes no position on simultaneous operation of lw4o6 and native IPv4. The following IPv6 CE router Requirements also apply: Lw4o6 requirements: The IPv6 CE router MUST support configuration of lw4o6 via the lw4o6 DHCPv6 options . The IPv6 CE router MAY use other mechanisms to configure lw4o6 parameters. Such mechanisms are outside the scope of this document. The IPv6 CE router MUST support the DHCPv6 S46 priority option described in . The IPv6 CE router MUST support the DHCPv4-over-DHCPv6 (DHCP 4o6) transport described in . The IPv6 CE router MAY support Dynamic Allocation of Shared IPv4 Addresses as described in .

MAP-E is a mechanism for transporting IPv4 packets across an IPv6 network using IP encapsulation, including a generic mechanism for mapping between IPv6 addresses and IPv4 addresses as well as transport-layer ports. The IPv6 CE router SHOULD support MAP-E functionality. If MAP-E is supported, it MUST be implemented according to . The following CE Requirements also apply: MAP-E requirements: The IPv6 CE router MUST support configuration of MAP-E via the MAP-E DHCPv6 options . The IPv6 CE router MAY use other mechanisms to configure MAP-E parameters. Such mechanisms are outside the scope of this document. The IPv6 CE router MUST support the DHCPv6 S46 priority option described in .

MAP-T is a mechanism similar to MAP-E, differing from it in that MAP-T uses IPv4-IPv6 translation, rather than encapsulation, as the form of IPv6 domain transport. The IPv6 CE router SHOULD support MAP-T functionality. If MAP-T is supported, it MUST be implemented according to . The following IPv6 CE Requirements also apply: MAP-T requirements: The CE router MUST support configuration of MAP-T via the MAP-E DHCPv6 options . The IPv6 CE router MAY use other mechanisms to configure MAP-E parameters. Such mechanisms are outside the scope of this document. The IPv6 CE router MUST support the DHCPv6 S46 priority option described in .

6in4 specifies a tunneling mechanism to allow end-users to manually configure IPv6 support via a service provider's IPv4 network infrastructure. The IPv6 CE router MAY support 6in4 functionality. 6in4 used for a manually configured tunnel requires a subset of the 6rd parameters (delegated prefix and remote IPv4 end-point). The on-wire and forwarding plane is identical for both mechanisms, however 6in4 doesn't support mesh traffic and requires manually provisioning. Thus, if the device supports either 6rd or 6in4, it's commonly a minor UI addition to support both. If 6in4 is supported, it MUST be implemented according to . The following CE Requirements also apply: 6in4 requirements: The IPv6 CE router SHOULD support 6in4 automated configuration by means of the 6rd DHCPv4 Option 212. If the IPv6 CE router has obtained an IPv4 network address through some other means such as PPP, it SHOULD use the DHCPINFORM request message to request the 6rd DHCPv4 Option. The IPv6 CE router MAY use other mechanisms to configure 6in4 parameters. Such mechanisms are outside the scope of this document. If the IPv6 CE router is capable of automated configuration of IPv4 through IPCP (i.e., over a PPP connection), it MUST support user-entered configuration of 6in4. If the IPv6 CE router supports configuration mechanisms other than the 6rd DHCPv4 Option 212 (user-entered, TR-069 , etc.), the IPv6 CE router MUST support 6in4 in "hub and spoke" mode. 6in4 in "hub and spoke" requires all IPv6 traffic to go to the 6rd Border Relay, which in this case is the tunnel-end-point. In effect, this requirement removes the "direct connect to 6rd" route defined in Section 7.1.1 of . The IPv6 CE router MUST allow 6in4 and native IPv6 WAN interfaces to be active alone as well as simultaneously in order to support coexistence of the two technologies during an incremental transition period such as a transition from 6in4 to native IPv6. Each packet sent on a 6in4 or native WAN interface MUST be directed such that its source IP address is derived from the delegated prefix associated with the particular interface from which the packet is being sent (Section 4.3 of ). The IPv6 CE router MUST allow different as well as identical delegated prefixes to be configured via each (6in4 or native) WAN interface. In the event that forwarding rules produce a tie between 6in4 and native IPv6, by default, the IPv6 CE router MUST prefer native IPv6.

6rd specifies an automatic tunneling mechanism tailored to advance deployment of IPv6 to end users via a service provider's IPv4 network infrastructure. Key aspects include automatic IPv6 prefix delegation to sites, stateless operation, simple provisioning, and service that is equivalent to native IPv6 at the sites that are served by the mechanism. It is expected that such traffic is forwarded over the IPv6 CE router's native IPv4 WAN interface and not encapsulated in another tunnel. The IPv6 CE router MAY support 6rd functionality. If 6rd is supported, it MUST be implemented according to . The following CE Requirements also apply: 6rd requirements: The IPv6 CE router MUST support 6rd configuration via the 6rd DHCPv4 Option 212. If the IPv6 CE router has obtained an IPv4 network address through some other means such as PPP, it SHOULD use the DHCPINFORM request message to request the 6rd DHCPv4 Option. The IPv6 CE router MAY use other mechanisms to configure 6rd parameters. Such mechanisms are outside the scope of this document. If the IPv6 CE router is capable of automated configuration of IPv4 through IPCP (i.e., over a PPP connection), it MUST support user-entered configuration of 6rd. If the IPv6 CE router supports configuration mechanisms other than the 6rd DHCPv4 Option 212 (user-entered, TR-069 , etc.), the IPv6 CE router MUST support 6rd in "hub and spoke" mode. 6rd in "hub and spoke" requires all IPv6 traffic to go to the 6rd Border Relay. In effect, this requirement removes the "direct connect to 6rd" route defined in Section 7.1.1 of . The IPv6 CE router MUST allow 6rd and native IPv6 WAN interfaces to be active alone as well as simultaneously in order to support coexistence of the two technologies during an incremental transition period such as a transition from 6rd to native IPv6. Each packet sent on a 6rd or native WAN interface MUST be directed such that its source IP address is derived from the delegated prefix associated with the particular interface from which the packet is being sent (Section 4.3 of ). The IPv6 CE router MUST allow different as well as identical delegated prefixes to be configured via each (6rd or native) WAN interface. In the event that forwarding rules produce a tie between 6rd and native IPv6, by default, the IPv6 CE router MUST prefer native IPv6.

Actual deployments support IPv4 multicast for services such as IPTV. In the transition phase it is expected that multicast services will still be provided using IPv4 to the customer LANs. In order to support the delivery of IPv4 multicast services to IPv4 clients over an IPv6 multicast network, the IPv6 CE router SHOULD support and .

It is considered a best practice to filter obviously malicious traffic (e.g., spoofed packets, "Martian" addresses, etc.). Thus, the IPv6 CE router ought to support basic stateless egress and ingress filters. The IPv6 CE router is also expected to offer mechanisms to filter traffic entering the customer network; however, the method by which vendors implement configurable packet filtering is beyond the scope of this document. Security requirements: The IPv6 CE router SHOULD support . In particular, the IPv6 CE router SHOULD support functionality sufficient for implementing the set of recommendations in , Section 4. This document takes no position on whether such functionality is enabled by default or mechanisms by which users would configure it. The IPv6 CE router SHOULD support ingress filtering in accordance with BCP 38 . Note that this requirement was downgraded from a MUST from RFC 6204 due to the difficulty of implementation in the IPv6 CE router and the feature's redundancy with upstream router ingress filtering. If the IPv6 CE router firewall is configured to filter incoming tunneled data, the firewall SHOULD provide the capability to filter decapsulated packets from a tunnel.

Thanks to James Woodyatt, Mohamed Boucadair, Masanobu Kawashima, Mikael Abrahamsson, Barbara Stark, Ole Troan and Brian Carpenter for their review and comments. This document is an update of RFC7084, whose original authors were: Hemant Singh, Wes Beebee, Chris Donley and Barbara Stark. The rest of the text on this section and the Contributors section, are the original acknowledgements and Contributors sections of the earlier version of this document. Thanks to the following people (in alphabetical order) for their guidance and feedback: Mikael Abrahamsson, Tore Anderson, Merete Asak, Rajiv Asati, Scott Beuker, Mohamed Boucadair, Rex Bullinger, Brian Carpenter, Tassos Chatzithomaoglou, Lorenzo Colitti, Remi Denis-Courmont, Gert Doering, Alain Durand, Katsunori Fukuoka, Brian Haberman, Tony Hain, Thomas Herbst, Ray Hunter, Joel Jaeggli, Kevin Johns, Erik Kline, Stephen Kramer, Victor Kuarsingh, Francois-Xavier Le Bail, Arifumi Matsumoto, David Miles, Shin Miyakawa, Jean-Francois Mule, Michael Newbery, Carlos Pignataro, John Pomeroy, Antonio Querubin, Daniel Roesen, Hiroki Sato, Teemu Savolainen, Matt Schmitt, David Thaler, Mark Townsley, Sean Turner, Bernie Volz, Dan Wing, Timothy Winters, James Woodyatt, Carl Wuyts, and Cor Zwart. This document is based in part on CableLabs' eRouter specification. The authors wish to acknowledge the additional contributors from the eRouter team: Ben Bekele, Amol Bhagwat, Ralph Brown, Eduardo Cardona, Margo Dolas, Toerless Eckert, Doc Evans, Roger Fish, Michelle Kuska, Diego Mazzola, John McQueen, Harsh Parandekar, Michael Patrick, Saifur Rahman, Lakshmi Raman, Ryan Ross, Ron da Silva, Madhu Sudan, Dan Torbet, and Greg White.

The following people have participated as co-authors or provided substantial contributions to this document: Ralph Droms, Kirk Erichsen, Fred Baker, Jason Weil, Lee Howard, Jean-Francois Tremblay, Yiu Lee, John Jason Brzozowski, and Heather Kirksey. Thanks to Ole Troan for editorship in the original RFC 6204 document.

One of the apparent main issues for vendors to include new functionalities, such as support for new transition mechanisms, is the lack of space in the flash (or equivalent) memory. However, it has been confirmed from existing open source implementations (OpenWRT/LEDE), that adding the support for the new transitions mechanisms, requires around 10-12 Kbytes (because most of the code is shared among several transition mechanisms), which typically means about 0,15% of the existing code size in popular CEs in the market. It is also clear that the new requirements don't have extra cost in terms of RAM memory, neither other hardware requirements such as more powerful CPUs. The other issue seems to be the cost of developing the code for those new functionalities. However at the time of writing this document, it has been confirmed that there are several open source versions of the required code for supporting the new transition mechanisms, so the development cost is negligent, and only integration and testing cost may become a minor issue.

The -bis version of this document has some minor text edits here and there. Significant updates are: New section "Usage Scenarios". Added support of HNCP () in LAN (L-16). Added support of 464XLAT (). Added support of lw4o6 (). Added support of MAP-E () and MAP-T (). As the main scope of this document is the IPv6-only CE (IPv6-only in the WAN link), the support of 6rd () has been changed to MAY. 6in4 () support has been included as well in case 6rd is supported, as it doesn't require additional code. New section "IPv4 Multicast Support". Added support for DNS proxy as general LAN requirement. Split of transition in two sub-sections for the sake of clarity.

Section to be removed for WGLC. Significant updates are: LW4O6-5 changed to port-restricted to conform with . MAPE-3 changed to port-restricted to conform with . MAPT-3 changed to port-restricted to conform with . removed from 464XLAT, DS-LITE, MAP-E and MAP-T requirements. removed from 464XLAT, and included as general LAN requirement. included as MAY for lw4o6. 6in4 text clarifications. Included non-normative reference to to clarify that the details of the connectivity to 3GPP/LTE networks is out of the scope. Split of transition in two sub-sections for the sake of clarity.

Section to be removed for WGLC. Significant updates are: G-6 added in order to comply with . LW4O6-5 removed. MAPE-3 removed. MAPT-3 removed. Included non-normative reference to to clarify that the details of the connectivity to 3GPP/LTE networks is out of the scope. Split of transition in two sub-sections for the sake of clarity.

Section to be removed for WGLC. Significant updates are: LW4O6-5 removed, was a mistake due to copy-paste from DS-LITE. Removed citation to individual I-Ds for DHCPv6 options.

Section to be removed for WGLC. Significant updates are: Clarifications on text regarding downstream routers support.