Host behavior to short prefix length

RFC 4861 describes a conceptual model of a host for Neighbor Discovery. Conceptual data structures in the conceptual model includes the Prefix List. The Prefix List is, "A list of the prefixes that define a set of addresses that are on-link. Prefix List entries are created from information received in Router Advertisements." The Prefix Information Option (PIO) in the IPv6 Neighbor Discovery Router Advertisement defines an 8-bit prefix length field. When a host is configured to accept RAs, it will add prefixes included in the PIO, into the Prefix List. When prefixes are added into the Prefix List of a host, the prefix added will be assumed on-link. The PIO in the Router Advertisement has an 8-bit prefix length field. The value ranges from 0 to 128. IPv6 Address Architecture requires the length of interface ID to be 64 bits long. RFC 4291 states, "For all unicast addresses, except those that start with the binary value 000, Interface IDs are required to be 64 bits long" Therefore, on-link prefixes with bits shorter than 64 bits violate RFC 4291. The SLAAC specification refers RFC 4291 about the interface identifier length. And current host implementations do not accept prefix length other than 64, in the SLAAC process.

When an RA with short prefix length field with autonomous address-configuration flag value 1 is received, some host implementations (Windows, macOS, Linux) will not add an IPv6 address to the network interface. Even though a new IPv6 address is not added, the host assumes the prefix as on-link. When autonomous address-configuration flag value is 0, the host will not run the SLAAC process, but assume that the prefix is on-link. Current implementations accept up to /4 as prefix length. Because current IANA allocation of GUA is limited to 2000::/3, it would be very easy to mislead the whole IPv6 Internet as on-link. Which can lead to a DoS attack, MITM attack, etc.

RFC 3756 Section 4.2.5. describes mitigation for DoS attacks using rogue RAs. "As an example, one possible approach to limiting the damage of this attack is to require advertised on-link prefixes be /64s (otherwise it's easy to advertise something short like 0/0 and this attack is very easy)." RFC 4291 limits the interface identifier length to 64 bits. When IID is 64 bits, the subnet prefix length will be 64 bits. Therefore, the prefix length other than 64 bits is rogue, and the host should not accept the prefix information.

If approved, this draft adds the following sentence and updates Section 6. of RFC 4861. A host SHOULD NOT accept a prefix length shorter than 64.

The purpose of this document is to mitigate adverse effects caused by a rogue RA. Limitation of the prefix length as described in Section 4.

Many thanks to Tatsuya Hayashi, Yuji Suga and Katsushi Kobayashi for many comments.