<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc strict='yes'?>
<?rfc iprnotified='no'?>
<rfc category="info" docName="draft-templin-v6ops-pdhost-15.txt"
     ipr="trust200902" updates="">
  <front>
    <title abbrev="IPv6 Prefix Delegation for Hosts">IPv6 Prefix Delegation
    for Hosts</title>

    <author fullname="Fred L. Templin" initials="F. L." role="editor"
            surname="Templin">
      <organization>Boeing Research &amp; Technology</organization>

      <address>
        <postal>
          <street>P.O. Box 3707</street>

          <city>Seattle</city>

          <region>WA</region>

          <code>98124</code>

          <country>USA</country>
        </postal>

        <email>fltemplin@acm.org</email>
      </address>
    </author>

    <date day="16" month="October" year="2017"/>

    <keyword>I-D</keyword>

    <keyword>Internet-Draft</keyword>

    <abstract>
      <t>IPv6 prefixes are typically delegated to requesting routers which
      then use them to number their downstream-attached links and networks.
      This document considers the case when the requesting router is a node
      that acts as a host on behalf of its local applications and as a router
      on behalf of any downstream networks.</t>
    </abstract>
  </front>

  <middle>
    <section anchor="intro" title="Introduction">
      <t>IPv6 Prefix Delegation (PD) entails 1) the communication of a prefix
      from a delegating router to a requesting router, 2) a representation of
      the prefix in the delegating router's routing table, and 3) a control
      messaging service between the delegating and requesting routers to
      maintain prefix lifetimes. Following delegation, the prefix is available
      for the requesting router's exclusive use and is not shared with any
      other nodes. This document considers the case when the requesting router
      is a node that acts as a host on behalf of its local applications and as
      a router on behalf of any downstream networks. The following paragraphs
      present possibilities for node behavior upon receipt of a delegated
      prefix.</t>

      <t>For nodes that connect downstream-attached networks (e.g., a
      cellphone that connects a "tethered" Internet of Things (IoT) network),
      a Delegating Router 'D' delegates a prefix 'P' to a Requesting node 'R'
      as shown in <xref target="pdmodel"/>:</t>

      <t><figure anchor="pdmodel" title="Classic Routing Model">
          <artwork><![CDATA[                     +---------------------+
                     |Delegating Router 'D'|
                     |   (Delegate 'P')    |
                     +----------+----------+
                                |
                                | Upstream link
                                |
                     +----------+----------+
                     |  Upstream Interface |
                     +---------------------+
                     |                     |
                     | Requesting node 'R' |
                     |    (Receive 'P')    |
                     |                     |
                     +--+-+--+-+--+-----+--+
                     |A1| |A2| |A3| ... |Aj| 
                     +--+-+--+-+--+-----+--+
                     | Downstream Interface|
                     +----------+----------+
                                |
                                | Downstream link
                                |
    X----+-------------+--------+----+---------------+---X
         |             |             |               |
    +---++-+--+   +---++-+--+   +---++-+--+     +---++-+--+
    |   |Ak|  |   |   |Al|  |   |   |Am|  |     |   |A*|  |
    |   +--+  |   |   +--+  |   |   +--+  |     |   +--+  |
    | Host H1 |   | Host H2 |   | Host H3 | ... | Host Hn |
    +---------+   +---------+   +---------+     +---------+

       <-------------- Downstream Network ------------->
]]></artwork>
        </figure>In this figure, when Delegating Router 'D' delegates prefix
      'P', it inserts 'P' into its routing table with Requesting node 'R' as
      the next hop. Meanwhile, 'R' receives 'P' via an upstream interface and
      sub-delegates 'P' to its downstream external (physical) and/or internal
      (virtual) networks. 'R' assigns addresses 'A(*)' taken from 'P' to
      downstream interfaces, and Hosts 'H(i)' on downstream networks assign
      addresses 'A(*)' taken from 'P' to their interface attachments to the
      downstream link. 'R' then acts as a router between hosts 'H(i)' on
      downstream networks and correspondents reachable via other interfaces.
      'R' can also act as a host on behalf of its local applications.</t>

      <t>This document also considers the case when 'R' does not have any
      downstream interfaces, and can use 'P' solely for its own internal
      addressing purposes. In that case, 'R' assigns 'P' to a virtual
      interface (e.g., a loopback) that fills the role of a downstream
      interface.</t>

      <t>'R' can then function under the weak end system (aka "weak host")
      model <xref target="RFC1122"/><xref target="RFC8028"/> by assigning
      addresses taken from 'P' to a virtual interface as shown in <xref
      target="weak"/>:</t>

      <t><figure anchor="weak" title="Weak End System Model">
          <artwork><![CDATA[                     +---------------------+
                     |Delegating Router 'D'|
                     |   (Delegate 'P')    |
                     +----------+----------+
                                |
                                | Upstream link
                                |
                     +----------+----------+
                     |  Upstream Interface |
                     +---------------------+
                     |                     |
                     | Requesting node 'R' |
                     |    (Receive 'P')    |
                     |                     |
                     +--+-+--+-+--+-----+--+
                     |A1| |A2| |A3| ... |An| 
                     +--+-+--+-+--+-----+--+
                     |  Virtual Interface  |
                     +---------------------+
]]></artwork>
        </figure></t>

      <t>'R' could instead function under the strong end system (aka "strong
      host") model <xref target="RFC1122"/><xref target="RFC8028"/> by
      assigning IPv6 addresses taken from 'P' to an upstream interface as
      shown in <xref target="multiaddr"/>:</t>

      <t><figure anchor="multiaddr" title="Strong End System Model">
          <artwork><![CDATA[                     +---------------------+
                     |Delegating Router 'D'|
                     |   (Delegate 'P')    |
                     +----------+----------+
                                |
                                | Upstream link
                                |
                     +----------+----------+
                     |  Upstream Interface |
                     +--+-+--+-+--+-----+--+
                     |A1| |A2| |A3| ... |An|
                     +--+-+--+-+--+-----+--+
                     |                     |
                     | Requesting node 'R' |
                     |    (Receive 'P')    |
                     |                     |
                     +---------------------+
                     |   Virtual Interface |
                     +---------------------+
]]></artwork>
        </figure>The major benefit for a node managing a delegated prefix in
      either the weak or strong end system models is multi-addressing. With
      IPv6 PD-based multi-addressing, the node can configure an unlimited
      supply of addresses to make them available for local applications
      without requiring coordination with other nodes on upstream
      interfaces.</t>

      <t>The following sections present considerations for nodes that employ
      IPv6 PD mechanisms.</t>
    </section>

    <section anchor="terminology" title="Terminology">
      <t>The terminology of the normative references applies, and the terms
      "node", "host" and "router" are the same as defined in <xref
      target="RFC8200"/>.</t>

      <t>The following terms are defined for the purposes of this
      document:</t>

      <t><list style="hanging">
          <t hangText="shared prefix"><vspace/>an IPv6 prefix that may be
          advertised to more than one node on the link, e.g., in a Router
          Advertisement (RA) message Prefix Information Option (PIO) <xref
          target="RFC4861"/>. The router that advertises the prefix must
          consider the prefix as on-link so that the IPv6 Neighbor Discovery
          (ND) address resolution function will identify the correct neighbor
          for each packet.</t>

          <t hangText="individual prefix"><vspace/>an IPv6 prefix that is
          advertised to exactly one node on the link, where the node may be
          unaware that the prefix is individual and may not participate in
          prefix maintenance procedures. The router that advertises the prefix
          can consider the prefix as on-link or not on-link. In the former
          case, the router performs address resolution and forwards only
          those packets that match one of the node's configured addresses,
          so that the node will not receive unwanted packets. In the
          latter case, the router can simply forward all packets matching the
          prefix to the node. An example individual prefix service is
          documented in <xref
          target="I-D.ietf-v6ops-unique-ipv6-prefix-per-host"/>.</t>

          <t hangText="delegated prefix"><vspace/>an IPv6 prefix that is
          explicitly delegated to a node for its own exclusive use, where the
          node is an active participant in prefix delegation and maintenance
          procedures. The router that delegates the prefix simply forwards all
          packets matching the prefix to the node. An example IPv6 PD service
          is the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) <xref
          target="RFC3315"/><xref target="RFC3633"/>. An alternative service
          based solely on IPv6 ND messaging has also been proposed <xref
          target="I-D.pioxfolks-6man-pio-exclusive-bit"/>.</t>
        </list></t>
    </section>

    <section anchor="minencaps" title="Multi-Addressing Considerations">
      <t>IPv6 allows nodes to assign multiple addresses to a single interface.
      <xref target="RFC7934"/> discusses options for multi-addressing as well
      as use cases where multi-addressing may be desirable. Address
      configuration options for multi-addressing include StateLess Address
      AutoConfiguration (SLAAC) <xref target="RFC4862"/>, DHCPv6 address
      configuration <xref target="RFC3315"/>, manual configuration, etc.</t>

      <t>Nodes configure addresses from a shared or individual prefix and
      assign them to the upstream interface over which the prefix was
      received. When the node assigns the addresses, it is required to use
      Multicast Listener Discovery (MLD) <xref target="RFC3810"/> to join the
      appropriate solicited-node multicast group(s) and to use the Duplicate
      Address Detection (DAD) algorithm <xref target="RFC4862"/> to ensure
      that no other node configures a duplicate address.</t>

      <t>In contrast, a node that configures addresses from a delegated prefix
      can assign them without invoking MLD/DAD on an upstream interface, since
      the prefix has been delegated to the node for its own exclusive use and
      is not shared with any other nodes.</t>
    </section>

    <section anchor="whentoinsert"
             title="Multi-Addressing Alternatives for Delegated Prefixes">
      <t>When a node receives a delegated prefix, it has many alternatives for
      provisioning the prefix to its local interfaces and/or downstream
      networks. <xref target="RFC7278"/> discusses alternatives for
      provisioning a prefix obtained by a User Equipment (UE) device under the
      3rd Generation Partnership Program (3GPP) service model. This document
      considers the more general case when the node receives a delegated
      prefix explicitly provided for its own exclusive use.</t>

      <t>When the node receives the prefix, it can distribute the prefix to
      downstream networks and configure one or more addresses for itself on
      downstream interfaces. The node then acts as a router on behalf of its
      downstream networks and configures a default route via a neighbor on an
      upstream interface.</t>

      <t>The node could instead (or in addition) use portions of the delegated
      prefix for its own multi-addressing purposes. In a first alternative,
      the node can assign as many addresses as it wants from the prefix to
      virtual interfaces. In that case, applications running on the node can
      use the addresses according to the weak end system model.</t>

      <t>In a second alternative, the node can assign as many addresses as it
      wants from the prefix to the upstream interface over which the prefix
      was received. In that case, applications running on the node can use the
      addresses according to the strong end system model.</t>

      <t>In both of the latter cases, the node assigns the prefix itself
      to a virtual interface so that unused addresses from the prefix are
      correctly identified as unreachable. The node then acts as a host on
      behalf of its local applications even though neighbors on the upstream
      link see it as a router.</t>
    </section>

    <section anchor="dad" title="MLD/DAD Implications">
      <t>When a node configures addresses for itself from a shared or
      individual prefix, it performs MLD/DAD by sending multicast messages
      over upstream interfaces to test whether there is another node on the
      link that configures a duplicate address. When there are many such
      addresses and/or many such nodes, this could result in substantial
      multicast traffic that affects all nodes on the link.</t>

      <t>When a node configures addresses for itself from a delegated prefix,
      it can configure as many addresses as it wants but does not perform
      MLD/DAD for any of the addresses over upstream interfaces. This means
      that the node can configure arbitrarily many addresses without causing
      any multicast messaging over the upstream interface that could disturb
      other nodes.</t>
    </section>

    <section anchor="dyno" title="Dynamic Routing Protocol Implications">
      <t>Nodes that receive delegated prefixes can be configured to either
      participate or not participate in a dynamic routing protocol over the
      upstream interface, according to the deployment model. When there are
      many nodes on the upstream link, dynamic routing protocol participation
      might be impractical due to scaling limitations, which may be
      exacerbated by factors such as node mobility.</t>

      <t>Unless it participates in a dynamic routing protocol, the node
      initially has only a default route pointing to a neighbor via an
      upstream interface. This means that packets sent by the node over an
      upstream interface will initially go through a default router even if
      there is a better first-hop node on the link.</t>
    </section>

    <section anchor="ipv6nd" title="IPv6 Neighbor Discovery Implications">
      <t>When a node receives a shared or individual prefix with "L=1" and has
      a packet to send to an IPv6 destination within the prefix, it is
      required to use the IPv6 ND address resolution function over the
      upstream interface to resolve the link-layer address of a neighbor that
      configures the address. When a node receives a shared or individual
      prefix with "L=0" and has a packet to send to an IPv6 destination within
      the prefix, if the address is not one of the node's own addresses it
      sends the packet to a default router since "L=0" makes no statement
      about on-link or off-link properties of the prefix <xref
      target="RFC4861"/>.</t>

      <t>When a node receives a delegated prefix, it acts as a simple host to
      send Router Solicitation (RS) messages over upstream interfaces (i.e.,
      the same as described in Section 4.2 of <xref target="RFC7084"/>) but
      also sets the "Router" flag to TRUE in its Neighbor Advertisement
      messages. The node considers the upstream interfaces as non-advertising
      interfaces <xref target="RFC4861"/>, i.e., it does not send RA messages
      over the upstream interfaces. The node further does not perform the IPv6
      ND address resolution function over upstream interfaces, since the
      delegated prefix is explicitly not to be associated with an upstream
      interface.</t>

      <t>In all cases, the current first-hop router may send a Redirect
      message that updates the node's neighbor cache so that future packets
      can use a better first-hop node on the link. The Redirect can apply
      either to a singleton destination address, or to an entire destination
      prefix as described in <xref
      target="I-D.templin-6man-rio-redirect"/>.</t>
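
      <t>The next-hop rules of this section can be exercised with the
      following Python model, an added example that is not part of this
      draft or of any implementation. The class and function names, the
      fe80:: router addresses and the 2001:db8:: prefixes are constructed
      for illustration, and validating a prefix Redirect against the first
      hop for the prefix's network address is an assumption of this
      example.</t>

      <t><figure>
          <artwork><![CDATA[
```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Prefix:
    net: ipaddress.IPv6Network
    kind: str              # "shared", "individual" or "delegated"
    on_link: bool = False  # PIO "L" flag; unused for delegated prefixes


class Sender:
    """Hypothetical next-hop logic for a node's upstream interface."""

    def __init__(self, prefixes, own_addresses, default_router):
        self.prefixes = prefixes
        self.own = {ipaddress.IPv6Address(a) for a in own_addresses}
        self.default_router = ipaddress.IPv6Address(default_router)
        self.redirects = {}   # IPv6Network -> better first hop

    def next_hop(self, dst):
        """Return (decision, next_hop) for a locally originated packet."""
        dst = ipaddress.IPv6Address(dst)
        if dst in self.own:
            return ("local", None)
        if any(p.kind == "delegated" and dst in p.net for p in self.prefixes):
            # A delegated prefix is not associated with the upstream
            # interface: no address resolution there, and unused
            # addresses are unreachable.
            return ("unreachable", None)
        matches = [n for n in self.redirects if dst in n]
        if matches:   # longest-prefix match over accepted Redirects
            best = max(matches, key=lambda n: n.prefixlen)
            return ("redirected", self.redirects[best])
        if any(p.on_link and dst in p.net for p in self.prefixes):
            return ("resolve-on-link", dst)   # L=1: ND address resolution
        return ("default-router", self.default_router)   # L=0 or no match

    def accept_redirect(self, source, dest_net, better_hop):
        """Apply a Redirect only if it comes from the current first hop.

        Only the first-hop rule of RFC 4861 is checked here; other
        Redirect validation steps are outside this example.
        """
        dest_net = ipaddress.IPv6Network(dest_net)
        decision, current = self.next_hop(dest_net.network_address)
        if decision not in ("default-router", "redirected"):
            return False   # local, delegated or on-link: nothing to redirect
        if ipaddress.IPv6Address(source) != current:
            return False   # not sent by the first hop in use: ignore
        self.redirects[dest_net] = ipaddress.IPv6Address(better_hop)
        return True


def demo_sender():
    """Constructed sample state (documentation prefixes only)."""
    return Sender(
        prefixes=[
            Prefix(ipaddress.IPv6Network("2001:db8:a::/64"), "shared", True),
            Prefix(ipaddress.IPv6Network("2001:db8:b::/64"), "individual"),
            Prefix(ipaddress.IPv6Network("2001:db8:1::/48"), "delegated"),
        ],
        own_addresses=["2001:db8:a::10", "2001:db8:1::1"],
        default_router="fe80::1",
    )
```
]]></artwork>
        </figure></t>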
    </section>

    <section anchor="icmpv6" title="ICMPv6 Implications">
      <t>The Internet Control Message Protocol for IPv6 (ICMPv6) includes a
      set of control message types <xref target="RFC4443"/> including
      Destination Unreachable (DU).</t>

      <t>According to <xref target="RFC4443"/>, routers should return DU
      messages (subject to rate limiting) with code 0 ("No route to
      destination") when a packet arrives for which there is no matching entry
      in the routing table, and with code 3 ("Address unreachable") when the
      IPv6 destination address cannot be resolved.</t>

      <t>According to <xref target="RFC4443"/>, hosts should return DU
      messages (subject to rate limiting) with code 3 to internal applications
      when the IPv6 destination address cannot be resolved, and with code 4
      ("Port unreachable") if the IPv6 destination address is one of its own
      addresses but the transport protocol has no listener.</t>

      <t>Nodes that obtain and manage delegated prefixes per this document
      observe the same procedures as described for both routers and hosts
      above.</t>
    </section>

    <section anchor="iana" title="IANA Considerations">
      <t>This document introduces no IANA considerations.</t>
    </section>

    <section anchor="secure" title="Security Considerations">
      <t>Security considerations for IPv6 Neighbor Discovery <xref
      target="RFC4861"/> and any applicable PD mechanisms apply to this
      document. Nodes that receive delegated prefixes do not perform DAD
      procedures on their upstream interfaces, meaning that they cannot
      contribute to multicast messaging congestion on the upstream link. Also,
      routers that delegate prefixes keep only a single neighbor cache entry
      for each prefix delegation recipient, meaning that the router's neighbor
      cache cannot be subject to resource exhaustion attacks.</t>

      <t>For shared and individual prefixes, if the router that advertises the
      prefix considers the prefix as on-link, the IPv6 ND address resolution
      function will prevent unwanted IPv6 packets from reaching the node. For
      delegated prefixes and individual prefixes that are not considered
      on-link, the router delivers all packets that match the prefix to the
      unicast link-layer address of the node (i.e., as determined by
      resolution of the node's link-local address) even if they do not match
      one of the node's configured addresses. In the latter case, the node may
      receive unwanted IPv6 packets via an upstream interface that do not
      match either a configured IPv6 address or a transport listener. The node
      then drops the packets and observes the "Destination Unreachable -
      Address/Port unreachable" procedures discussed in <xref
      target="icmpv6"/>.</t>

      <t>The node may also receive IPv6 packets via an upstream interface that
      do not match any of the node's delegated prefixes. In that case, the
      node drops the packets and observes the "Destination Unreachable - No
      route to destination" procedures discussed in <xref target="icmpv6"/>.
      Dropping the packets is necessary to avoid a reflection attack that
      would cause the node to forward packets received from an upstream
      interface via the same or a different upstream interface.</t>

      <t>In all cases, the node must decide whether or not to send DUs
      according to the specific operational scenario. In trusted networks, the
      node should send DU messages to provide useful information to potential
      correspondents. In untrusted networks, the node can refrain from sending
      DU messages to avoid providing sensitive information to potential
      attackers.</t>
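
      <t>The receive-side handling described in this section and in <xref
      target="icmpv6"/> is shown below as a Python model, an added example
      that is not part of this draft or of any implementation. The Node and
      DuLimiter names, the token-bucket parameters and the 2001:db8:: sample
      values are assumptions made for illustration.</t>

      <t><figure>
          <artwork><![CDATA[
```python
import ipaddress
from dataclasses import dataclass, field

# ICMPv6 Destination Unreachable codes named in this document (RFC 4443).
DU_NO_ROUTE, DU_ADDR_UNREACHABLE, DU_PORT_UNREACHABLE = 0, 3, 4


class DuLimiter:
    """Token bucket for originated DU messages ("subject to rate limiting")."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


@dataclass
class Node:
    """Hypothetical model of requesting node 'R'."""
    delegated: list   # delegated prefixes 'P' (IPv6Network)
    addresses: set    # addresses R configured from 'P' (IPv6Address)
    listeners: set    # (address, protocol, port) tuples with a listener
    downstream: list = field(default_factory=list)  # parts of 'P' routed downstream
    trusted: bool = True   # untrusted network: drop without sending a DU
    limiter: DuLimiter = field(
        default_factory=lambda: DuLimiter(rate=1.0, burst=2))

    def classify_upstream(self, dst, proto, port, now=0.0):
        """Return (action, du_code) for a packet from an upstream interface."""
        dst = ipaddress.IPv6Address(dst)
        if not any(dst in p for p in self.delegated):
            # Outside every delegated prefix: never forward it back out an
            # upstream interface (reflection); drop with "No route".
            return self._drop(DU_NO_ROUTE, now)
        if dst in self.addresses:
            if (dst, proto, port) in self.listeners:
                return ("deliver", None)
            return self._drop(DU_PORT_UNREACHABLE, now)
        if any(dst in p for p in self.downstream):
            return ("forward-downstream", None)
        # Unused address inside 'P': the prefix sits on a virtual interface,
        # so the address is identified as unreachable.
        return self._drop(DU_ADDR_UNREACHABLE, now)

    def _drop(self, code, now):
        if not self.trusted or not self.limiter.allow(now):
            return ("drop", None)   # packet is dropped, no DU is originated
        return ("drop", code)


def demo_node(trusted=True):
    """Constructed sample state using the 2001:db8::/32 documentation range."""
    a1 = ipaddress.IPv6Address("2001:db8:1::1")
    return Node(
        delegated=[ipaddress.IPv6Network("2001:db8:1::/48")],
        addresses={a1, ipaddress.IPv6Address("2001:db8:1::2")},
        listeners={(a1, "udp", 53)},
        downstream=[ipaddress.IPv6Network("2001:db8:1:100::/64")],
        trusted=trusted,
    )
```
]]></artwork>
        </figure></t>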
    </section>

    <section anchor="ack" title="Acknowledgements">
      <t>This work was motivated by discussions on the v6ops list. Mark Smith
      pointed out the need to consider MLD as well as DAD for the assignment
      of addresses to interfaces. Ricardo Pelaez-Negro, Edwin Cordeiro, Fred
      Baker, Naveen Lakshman, Ole Troan, Bob Hinden, Brian Carpenter, Joel
      Halpern, Albert Manfredi and Dusan Mudric provided useful comments that
      have greatly improved the document.</t>

      <t>This work is aligned with the NASA Safe Autonomous Systems Operation
      (SASO) program under NASA contract number NNA16BD84C.</t>

      <t>This work is aligned with the FAA as per the SE2025 contract number
      DTFAWA-15-D-00030.</t>

      <t>This work is aligned with the Boeing Information Technology (BIT)
      MobileNet program and the Boeing Research &amp; Technology (BR&amp;T)
      enterprise autonomy program.</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.0791"?>

      <?rfc include="reference.RFC.8200"?>

      <?rfc include="reference.RFC.4861"?>

      <?rfc include="reference.RFC.4443"?>

      <?rfc include="reference.RFC.3810"?>

      <?rfc include="reference.RFC.4862"?>

      <?rfc include="reference.RFC.3315"?>

      <?rfc include="reference.RFC.3633"?>
    </references>

    <references title="Informative References">
      <?rfc include="reference.I-D.templin-6man-rio-redirect"?>

      <?rfc include="reference.I-D.pioxfolks-6man-pio-exclusive-bit"?>

      <?rfc include="reference.I-D.ietf-v6ops-unique-ipv6-prefix-per-host"?>

      <?rfc include="reference.RFC.7934"?>

      <?rfc include="reference.RFC.7278"?>

      <?rfc include="reference.RFC.7084"?>

      <?rfc include="reference.RFC.8028"?>

      <?rfc include="reference.RFC.1122"?>
    </references>
  </back>
</rfc>
