You are here: Home > Publications > RIPE Document Store > Requirements For IPv6 in ICT Equipment

Changes to Requirements For IPv6 in ICT Equipment

Legend (+) Added (-) Deleted
Changed Tag Added Tag Deleted
ripe-501: Formulating requirements for ripe-772: Requirements For IPv6 support can be done in several ways. In this document we look at three different options. ICT Equipment

Contents Table of contents:

delete: <ul> delete: <li> delete: <a href="#1"> insert: <p>

insert: <a href="#_Toc90287581"> 1 Introduction delete: </li> delete: <li> delete: <a href="#1"> Option 1 insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287582"> 1.1 General information on how to use this document delete: <ul> delete: <li> delete: <a href="#standards"> Requirements for support of insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287583"> 1.2 How to specify requirements insert: </a> insert: </p>

insert: <p>

insert: <a href="#_Toc90287584"> 2 Proposed generic text for the tender initiator insert: </a> insert: </p>

insert: <p>

insert: <a href="#_Toc90287585"> 3 Categories of devices in scope for this document insert: </a> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287586"> 3.1 Definitions and descriptions of different categories of devices insert: </a> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287587"> 3.2 Things that are out of scope of this document insert: </a> insert: </p>

insert: <p>

insert: <a href="#_Toc90287588"> 4 Lists of required RFC standards for different categories of hardware delete: </li> delete: <li> delete: <a href="#hardware"> Hardware delete: </a> delete: </li> delete: <li> delete: <a href="#host"> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287589"> 4.1 Requirements for "host" equipment delete: </li> delete: <li> delete: <a href="#layer2con"> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287590"> 4.2 Requirements for consumer grade "layer 2 "layer-2 switch" equipment delete: </li> delete: <li> delete: <a href="#layer2ent"> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287591"> 4.3 Requirements for enterprise/ISP grade "layer 2 "layer-2 switch" equipment delete: </li> delete: <li> delete: <a href="#layer3"> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287592"> 4.4 Requirements for "router or layer 3 layer-3 switch" equipment delete: </li> delete: <li> delete: <a href="#net-sec"> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287593"> 4.5 Requirements for "network security" security equipment” insert: </a> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287594"> 4.6 Requirements for CPE equipment delete: </li> delete: <li> delete: <a href="#software"> insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287595"> 4.7 Requirements for Load balancers insert: </a> insert: </p>

insert: <p>

insert: <a href="#_Toc90287596"> 5 Requirements for IPv6 support in software delete: </li> delete: <li> delete: <a href="#skills"> insert: </p>

insert: <p>

insert: <a href="#_Toc90287597"> 6 IPsec: Mandatory vs Optional insert: </a> insert: </p>

insert: <p>

insert: <a href="#_Toc90287598"> 7 Skill requirements of the systems integrator delete: </li> delete: <li> delete: <a href="#declaration"> DECLARATION insert: </p>

insert: <p style="padding-left: 30px;">

insert: <a href="#_Toc90287599"> 7.1 Declaration of IPv6 competence delete: </li> delete: </ul> delete: </li> delete: <li> delete: <a href="#2"> Option 2 insert: </p>

insert: <p>

insert: <a href="#_Toc90287600"> 8 Acknowledgments delete: <ul> delete: <li> delete: <a href="#2text"> Proposed text for the tender initiator insert: </p>

insert: <p>

  insert: </p>

insert: <h2>

insert: <a name="_Toc90287581"> delete: </li> delete: </ul> delete: </li> delete: <li> delete: <a href="#3"> Option 3 delete: </a> delete: <ul> delete: <li> delete: <a href="#3text"> Proposed text for the tender initiator delete: </a> delete: </li> delete: </ul> delete: </li> delete: <li> delete: <a href="#ack"> Acknowledgements delete: </a> delete: </li> delete: </ul> delete: <hr noshade="noshade" size="1" /> delete: <h2> delete: <a id="1" name="1"> delete: </a> 1 Introduction

To ensure the smooth and cost-efficient uptake of IPv6 across their networks, it is important that governments and large commercial, public sector or research and education enterprises specify requirements for IPv6 functionality and compatibility when seeking drafting tenders for information and computer technology Information and Communication Technology (ICT) equipment and support. insert: </p>

insert: <p>

This document is intended to provide a Best Common Current Practice (BCP) to support organisations in such tender processes, but does not specify any standards or policy itself. It is an update to ripe-554, which is the second version of the “Requirements for IPv6 in ICT Equipment” guidance. insert: </p>

insert: <p>

It offers guidance on what specifications to ask for and it is intended to be used as a insert: <strong> template insert: </strong> that can be used by governments or governments, universities, large enterprises or any other organisation when developing tender documents. specifying IPv6 support in their tenders or equipment requirements. It can also serve as an aid to those people or organisations interested in tendering for government or enterprise contracts.

Formulating requirements for IPv6 support can Be aware that the standards listed here have their origin in various bodies, principally the IETF, which operate independently of the RIPE community, and that any of these standards might be done in several ways. In changed or become replaced with a newer version. While this document we look at three different options: delete: </p> delete: <ol> delete: <li> 1.Option 1 is has been approved by the RIPE membership, principally via the IPv6 WG, as of the date of publication, its contents will age as new RFCs or related documents are issued. insert: </p>

insert: <p>

You may also need to adjust the recommendations to your specific local needs; again, this document is purely a template, and the suggested Mandatory and Optional elements may need to be tuned for your specific use case(s). insert: </p>

insert: <p>

Some parts of this section are loosely based loosely on the delete: <a href="http://www.antd.nist.gov/usgv6/"> NIST/USGv6 profile developed by the US government government: insert: </p>

insert: <p>

insert: <a href="https://www.nist.gov/programs-projects/usgv6-program"> https://www.nist.gov/programs-projects/usgv6-program . delete: <br /> insert: </p>

insert: <p>

for which there is a newer version at: insert: </p>

insert: <p>

insert: <a href="https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.500-267Ar1.pdf"> https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.500-267Ar1.pdf insert: </a> insert: </p>

insert: <p>

The go6 expert council and the Slovenian IPv6 working group authors have modified the content of these documents to make them more universally applicable. The new draft This option includes a list of RFC specification standards standards, which must be supported, divided into four seven categories of devices. delete: <br /> delete: <br /> delete: </li> delete: <li> 1.Option 2 is based Note that this document removes the ‘mobile device’ category, instead including such devices as hosts. insert: </p>

insert: <p>

This document also follows the IPv6 Node requirements document, RFC8504 (which updated RFC6434). This RFC contains general IETF guidance and consensus on compliance what parts of IPv6 need to be implemented by different devices, and its contents are generally reflected in this document. insert: </p>

insert: <h3>

insert: <a name="_Toc90287582"> insert: </a> 1.1 General information on how to use this document insert: </h3>

insert: <p>

This document does not dictate specific technologies to be used, rather it assumes a network design/solution has been produced, and that design, and the components it uses, needs to be mapped to the procurement document.  insert: </p>

insert: <p>

An IPv6 Ready Logo certificate can be required for hosts, routers, and CPE Routers. While the Logo certification was devised around 20 years ago, it is kept current with the “IPv6 Ready” program, as specified IPv6 standard updates and is a globally accepted program for vendors to promote their equipment and to assert that their equipment fulfills basic IPv6 requirements. The IPv6 Ready Logo latest updates require that devices be tested in IPv6-only environments and have IPv6 enabled by the IPv6 Forum. default. The tender initiator shall also provide the list of required mandatory and optional RFCs in order not to exclude vendors that did not yet put their equipment under IPv6 Ready Logo testing certifications. This program is divided into two phases: Phase 1 includes testing and certification of the basic "core" protocols, while Phase 2 includes testing and certification of advanced IPv6 functionality. delete: <br /> delete: <br /> delete: </li> delete: <li> 1.Option 3 is a combination of the first two approaches. delete: </li> delete: </ol> delete: <h2> Option 1 delete: </h2> delete: <p> Requirements are divided in equipment and integrator support (output from go6 IPv6 WG). delete: </p> delete: <p> The following is the draft text that we propose be included in way public tenders for ICT equipment, specifying can’t be accused of preferring any type or vendor of equipment. insert: </p>

insert: <p>

For more information about the IPv6 Ready Logo program see: insert: <a href="http://www.ipv6ready.org/"> http://www.ipv6ready.org/ insert: </a> insert: </p>

insert: <p>

When we specify the list of required RFCs, we must list all mandatory requirements, except the entries that start with, “If [functionality] is requested…” These entries are mandatory only if the tender initiator requires certain functionality. Similarly, if features listed as Optional are required for the tender initiator’s specific use case(s), then those requirements for IPv6 capability and support: delete: </p> delete: <blockquote> delete: <p> delete: <i> should be made Mandatory. Please note that the tender initiator should decide what functionality is required, not the equipment vendor; this document is simply a template.  insert: </p>

insert: <h3>

insert: <a name="_Toc90287583"> insert: </a> 1.2 How to specify requirements insert: </h3>

insert: <p>

As stated above, the IPv6 Ready Logo program does not cover all equipment that correctly supports IPv6; so declaring such equipment ineligible may not be desirable. This document recommends that the tender initiator specify that eligible equipment be either certified under the IPv6 Ready program or be compliant with the appropriate RFCs listed in the section below. insert: </p>

insert: <h4>

Important note for tender initiator: insert: </h4>

insert: <p>

The IPv6 Ready Logo certification covers basic IPv6 requirements and some advanced features, but not all of them. If you require any advanced feature that is not covered by the IPv6 Ready Logo certification, please request a list of RFCs that covers those specific needs in addition to IPv6 Logo Certification. In the lists below RFCs that are covered in the IPv6 Ready Logo certification are marked with *. insert: </p>

insert: <h2>

insert: <a name="_Toc90287584"> insert: </a> 2 Proposed generic text for the tender initiator insert: </h2>

insert: <p>

In every tender, the following text shall be included: insert: </p>

insert: <p>

insert: <em> All ICT hardware and software that is a subject of this tender must support both the the IPv6 protocol, and MUST operate in an IPv6-only environment. For example, where SNMP is used, it must be able to operate over IPv6 transport. insert: </em> insert: </p>

insert: <p>

insert: <em> If IPv4 and IPv6 protocols. Similar is supported, similar performance and capabilities must be provided for both protocols. There should not be more than ...% difference protocols in input, output and/or throughput data-flow performance, transmission and processing of packets between the two protocols. delete: </i> delete: </p> delete: <p> delete: <i> (Notes for tender initiators: For high-end devices we recommend to state a maximum difference of 15%. For enterprise grade devices we recommend a maximum of 30%. For consumer grade devices we recommend a maximum of 40%.) delete: </i> delete: </p> delete: <p> delete: <i> Any software that communicates via the IP protocol must support both protocol versions (IPv4 and IPv6). packets. The difference must not be noticeable to users. delete: </i> delete: </p> delete: </blockquote> insert: </em> insert: </p>

insert: <p>

insert: <em> IPv6 support can be verified and certified by the IPv6 Ready Logo certificate. insert: </em> insert: </p>

insert: <p>

insert: <em> Equipment that has not been put through the IPv6 Ready testing procedures must comply appropriately with the Mandatory and Optional RFCs listed below: insert: </em> insert: </p>

insert: <p>

insert: <em> [insert appropriate list of selected mandatory and optional RFCs from below lists] insert: </em> insert: </p>

insert: <h2>

insert: <a name="_Toc90287585"> insert: </a> 3 Categories of devices in scope for this document insert: </h2>

insert: <p>

Requirements are divided in hardware equipment and integrator support. insert: <em>   insert: </em> insert: </p>

insert: <p>

All requirements placed on IPv4 traffic capabilities like latency, bandwidth and throughput, or for monitoring and accounting, should also be required for IPv6 traffic. insert: </p>

Requirements for insert: <a name="_Toc90287586"> insert: </a> 3.1 Definitions and descriptions of different categories of devices insert: </h3>

insert: <p>

The following definitions will be used for classifying the varying hardware equipment. While some hardware may have overlapping functionality (i.e. a layer-2 switch can act as a layer-3 router or a router may have some firewall capabilities), it is expected that for any overlapping functionality, the requirements for each specific device be combined. insert: </p>

insert: <p>

Note that the mobile device category included in ripe-554 has been removed. Such devices now fall under the host category, such that they are considered only from their connectivity to the local infrastructure (via WiFi), and thus the 3GPP-related requirements are out of scope of this document. insert: </p>

insert: <p>

insert: <strong> insert: <em> Host: insert: </em> insert: </strong> A host is a network participant that sends and receives packets but does not forward them on behalf of others. This includes mobile devices attaching to local network infrastructure. insert: </p>

insert: <p>

Host devices in an enterprise may be multihomed, mobile devices being one example, and devices with a network and management interface being another. The IETF has worked for many years on approaches to multihoming for IPv6. Specific [RFC4191] requirements are included in this document. insert: </p>

insert: <p>

insert: <strong> insert: <em> Switch, or ‘Layer-2 Switch’: insert: </em> insert: </strong> A switch or ‘layer-2 switch’ is a device that is primarily used for forwarding Ethernet frames, based on their attributes. Exchanging Ethernet information with other Ethernet switches is usually part of its function. This category is further split below into consumer grade (typically for home use) and enterprise/ISP grade. insert: </p>

insert: <p>

WiFi access points are technically not pure layer-2 devices, but they should (possibly in cooperation with a wireless controller) perform the same functionality as a layer-2 switch as far as IPv6 features are concerned. Thus the text from this section may also be used for WiFi access points. insert: </p>

insert: <p>

insert: <strong> insert: <em> Router or ‘Layer-3 Switch’: insert: </em> insert: </strong> A router or ‘layer-3 switch’ is a device that is primarily used for forwarding IP packets based on their attributes. Exchanging routing information with other routers is usually part of its function. insert: </p>

insert: <p>

insert: <strong> insert: <em> Network Security Equipment: insert: </em> insert: </strong> Network security equipment is devices whose primary function is to permit, deny and/or monitor traffic between interfaces in order to detect or prevent potential malicious activity. These interfaces can also include VPNs (SSL or IPsec). Network Security Equipment is often also a layer-2 switch or a router/layer-3 switch. insert: </p>

insert: <p>

insert: <strong> insert: <em> Customer Premise Equipment (CPE): insert: </em> insert: </strong> A CPE device is a small office or residential router that is used to connect home users and/or small offices in a myriad of configurations. Although a CPE is usually a router, the requirements are different from an Enterprise/ISP router/layer-3 switch. CPEs often need to support of IPv6 transition mechanisms; this document will focus primarily on transition methods for IPv6-only networks. insert: </p>

insert: <p>

insert: <strong> insert: <em> Load Balancer insert: </em> insert: </strong> is a networking device that distributes workload across multiple computers, servers or other resources, to achieve optimal or planned resource utilisation, maximise throughput, minimise response time, and avoid overload. insert: </p>

insert: <p>

The following references are of relevance to this BCP document. At the time of publication, the editions indicated were valid. All references are subject to revision; users of this BCP document are therefore encouraged to investigate the possibility of applying the most recent edition of the references listed below. insert: </p>

insert: <h3>

insert: <a name="_Toc90287587"> insert: </a> 3.2 Things that are out of scope of this document insert: </h3>

insert: <p>

In the interests of reaching consensus to publish an update to ripe-554 as efficiently as possible, the authors minimised the addition of new types of devices.  These may be added in a future update, or as a separate update. insert: </p>

insert: <p>

As stated above, mobile devices are considered in this document only in regards to their connectivity to the enterprise infrastructure (typically by WiFi) and in this respect are considered to be hosts. insert: </p>

insert: <p>

Note that VMs and containers are out of scope for this document; these functions may be provided on systems procured as hosts via this guidance, but are not “ICT equipment” in themselves. insert: </p>

insert: <p>

While [RFC8504] includes a section on YANG for network management, further YANG requirements are not included in this document. insert: </p>

insert: <p>

Certain new routing functions that have emerged recently have also not been added at this point, one example being SRv6 [RFC8986]. insert: </p>

insert: <h2>

insert: <a name="_Toc90287588"> insert: </a> 4 Lists of required RFC standards delete: </h3> delete: <p> for different categories of hardware insert: </h2>

insert: <h5>
ICT hardware equipment can be roughly is divided in this document into four seven functional groups: delete: </p> insert: </h5>
  • Host: client (including mobile device) or server
  • Layer 2 Consumer grade layer-2 switch insert: </li>
  • insert: <li>
  • Enterprise/ISP grade layer-2 switch
  • Router or layer 3 layer-3 switch
  • Equipment to ensure network Network security equipment (firewalls, IDS, IPS, ...) IPS,...) insert: </li>
  • insert: <li>
  • CPE equipment insert: </li>
  • insert: <li>
  • Load Balancer

We have divided the following requirements into two categories, “mandatory” and “optional”. types, Mandatory and Optional. Equipment must meet the mandatory Mandatory standards requirements list. Support for the optional Optional requirements may earn the tender applicant additional points, if so specified by the tender initiator.

delete: <blockquote> delete: <p> Please note that all RFC references are correct at the time of writing, but may be superseded by developments in the IETF. For all updates, please see: delete: <br /> delete: <a href="http://www.rfc-editor.org/"> http://www.rfc-editor.org/ delete: </a> delete: </p> delete: </blockquote> delete: <h3> delete: <a id="hardware" name="hardware"> delete: </a> Hardware delete: </h3>

Any hardware that does not comply to with insert: <strong> all of the mandatory insert: </strong> of the Mandatory standards is should be marked as inappropriate. inappropriate by the tender evaluator. insert: </p>

insert: <p>

The standards that are part of the IPv6 Ready Logo test procedures, typically performed by accredited labs, are marked with an asterisk *.

delete: <a id="host" name="host"> insert: <a name="_Toc90287589"> 4.1 Requirements for "host" equipment

delete: <p> delete: <b> insert: <h5>
Mandatory support: delete: </b> delete: </p> insert: </h5>
  • IPv6 Basic specification [RFC2460] [RFC8200/STD 86] *
  • IPv6 Addressing Architecture basic [RFC4291] *
  • Default Address Selection [RFC3484] for IPv6 [RFC6724] insert: </li>
  • insert: <li>
  • Unique Local IPv6 Unicast Addresses (ULA) [RFC4193]
  • ICMPv6 [RFC4443] delete: </li> delete: <li> [RFC4443/STD89] * insert: </li>
  • insert: <li>
  • If support for DHCPv6 is required, the device must support insert: <ul>
      insert: <li>
    • Stateful DHCPv6 client [RFC3315] [RFC8415] * insert: </li>
    • insert: <li>
    • Stateless DHCPv6 client [RFC8415] * insert: </li>
    • insert: <li>
    • DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6) [RFC3646]* insert: </li>
    • insert: <li>
    • A Method for Generating Semantically Opaque Interface Identifiers (IIDs) with the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) [RFC7943] insert: </li>
    • insert: </ul>
  • SLAAC [RFC4862] *
  • Path MTU Discovery [RFC1981] delete: </li> delete: <li> Neighbour [RFC8201/STD87] * insert: </li>
  • insert: <li>
  • Neighbor Discovery [RFC4861] delete: </li> delete: <li> Basic Transition Mechanisms for IPv6 Hosts and Routers [RFC4213] delete: </li> delete: <li> IPsec-v2 [RFC2401, RFC2406, RFC2402] delete: </li> delete: <li> IKE version 2 (IKEv2) [RFC4306, RFC4718] delete: </li> delete: <li> If support for mobile IPv6 is required, the device needs to comply to “MIPv6” [RFC3775, RFC5555] and “Mobile IPv6 Operation With IKEv2 and the Revised IPsec Architecture” [RFC4877] [RFC6980] *
  • DNS protocol extensions for incorporating IPv6 DNS resource records [RFC3596] [RFC3596/STD88]
  • DNS message extension mechanism [RFC2671] [RFC6891/STD75]
  • DNS message size requirements [RFC3226]
  • delete: </ul> delete: <p> delete: <b> Optional support: delete: </b> delete: </p> delete: <ul> delete: <li> Revised ICMPv6 [RFC5095] delete: </li> delete: <li> Extended ICMP for multi-part messages [RFC4884] delete: </li> delete: <li> SEND [RFC3971] delete: </li> delete: <li> SLAAC Privacy Extensions [RFC4941] delete: </li> delete: <li> insert: <li>
  • Transmission of IPv6 Packets over Ethernet Networks [RFC2464] insert: </li>
  • insert: <li>
  • Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery [RFC6980] insert: </li>
  • insert: <li>
  • Updates to the IPv6 Multicast Addressing Architecture [RFC7371] insert: </li>
  • insert: <li>
  • A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless DHCPv6 [RFC3736] delete: </li> delete: <li> DS (Traffic class) [RFC2474, RFC3140] delete: </li> delete: <li> Unique Local IPv6 Unicast Addresses (ULA) [RFC4193] delete: </li> delete: <li> Cryptographically Generated Addresses [RFC3972] delete: </li> delete: <li> IPsec-v3 [RFC4301, RFC4303, RFC4302] delete: </li> delete: <li> SNMP protocol [RFC3411] delete: </li> delete: <li> SNMP capabilities [RFC3412, RFC3413, RFC3414] Address Autoconfiguration (SLAAC) [RFC7217], insert: </li>
  • insert: <li>
  • IPv6 Router Advertisement Options for DNS Configuration [RFC8106]
  • Multicast Listener Discovery version 2 [RFC3810] delete: </li> delete: <li> Packetization * insert: </li>
  • insert: <li>
  • Default Router Preferences and More-Specific Routes: Type A and B host roles [RFC4191] insert: </li>
  • insert: <li>
  • If support for tunneling and dual stack is required, the device must support Basic Transition Mechanisms for IPv6 Hosts and Routers [RFC4213] insert: </li>
  • insert: <li>
  • IPv6 Flow Label Specification [RFC6437] insert: </li>
  • insert: </ul>
insert: <h5>
Optional support: insert: </h5>
insert: <ul>
    insert: <li>
  • Extended ICMP for multi-part messages [RFC4884] insert: </li>
  • insert: <li>
  • Temporary Address Extensions for Stateless Address Autoconfiguration in IPv6 [RFC8981] insert: </li>
  • insert: <li>
  • DS (Traffic class) [RFC2474, RFC3140] insert: </li>
  • insert: <li>
  • IPsec/IKEv2 [RFC4301, RFC4303, RFC4302, RFC7296/STD79, RFC7619, RFC8221, RFC8247] * insert: </li>
  • insert: <li>
  • SNMP protocol [RFC3411] insert: </li>
  • insert: <li>
  • SNMP capabilities [RFC3412, RFC3413, RFC3414] insert: </li>
  • insert: <li>
  • SNMP MIBs for IP [RFC4293] Forwarding [RFC4292] and DiffServ [RFC3289] insert: </li>
  • insert: <li>
  • Packetisation Layer Path MTU Discovery [RFC4821] [RFC8899] insert: </li>
  • insert: <li>
  • IPv6 Host-to-Router Load Sharing [RFC4311] insert: </li>
  • insert: <li>
  • Default Router Preferences and More-Specific Routes: Type C host role [RFC4191] insert: </li>
  • insert: <li>
  • IPv6 Router Advertisement Flags Option [RFC5175] insert: </li>
  • insert: <li>
  • The Addition of Explicit Congestion Notification (ECN) to IP [RFC3168] insert: </li>
  • insert: <li>
  • First-Hop Router Selection by Hosts in a Multi-Prefix Network [RFC8028]. insert: </li>
  • insert: <li>
  • Distributing Address Selection Policy Using DHCPv6 [RFC7078] insert: </li>
  • insert: <li>
  • For improved IPv6 address privacy, support should be considered for “Security and Privacy Considerations for IPv6 Address Generation Mechanisms” [RFC7721] and “Recommendation on Stable IPv6 Interface Identifiers” [RFC8064] insert: </li>
  • insert: <li>
  • “MIPv6” [RFC6275, RFC5555] and “Mobile IPv6 Operation With IKEv2 and the Revised IPsec Architecture” [RFC4877] insert: </li>
  • insert: <li>
  • Discovering PREF64 in Router Advertisements [RFC8781]

delete: <a id="layer2con" name="layer2con"> insert: <a name="_Toc90287590"> 4.2 Requirements for consumer grade "layer 2 "layer-2 switch" equipment

delete: <p> delete: <b> Mandatory support: delete: </b> delete: </p> insert: <h5>
Optional support (management): insert: </h5>
  • MLDv2 snooping [RFC4541]
  • delete: </ul> delete: <p> Optional support (management) delete: </p> delete: <ul>
  • IPv6 Basic specification [RFC2460] [RFC8200/STD86] *
  • IPv6 Addressing Architecture basic [RFC4291] *
  • Default Address Selection [RFC3484] for IPv6 [RFC6724]
  • ICMPv6 [RFC4443] [RFC4443/STD89] *
  • SLAAC [RFC4862] * insert: </li>
  • insert: <li>
  • Neighbor Discovery [RFC4861] [RFC6980] *
  • SNMP protocol [RFC3411]
  • SNMP capabilities [RFC3412, RFC3413, RFC3414]
  • insert: <li>
  • SNMP MIBs for IP [RFC4293] Forwarding [RFC4292] and DiffServ [RFC3289] insert: </li>
  • insert: <li>
  • Transmission of IPv6 Packets over Ethernet Networks [RFC2464] insert: </li>

delete: <a id="layer" name="layer2ent"> insert: <a name="_Toc90287591"> 4.3 Requirements for enterprise/ISP grade "layer 2 "layer-2 switch" equipment

delete: <p> delete: <b> insert: <h5>
Mandatory support: delete: </b> delete: </p> support (forwarding plane): insert: </h5>
    insert: <li>
  • Transmission of IPv6 Packets over Ethernet Networks [RFC2464] insert: </li>
  • MLDv2 snooping [RFC4541]
  • DHCPv6 snooping [RFC3315] delete: <br /> DHCPv6 messages must be blocked between subscribers and the network so that false DHCPv6 servers cannot distribute addresses. delete: </li> delete: <li> Router Advertisement (RA) filtering [RFC4862, RFC5006] delete: <br /> RA filtering must be used in the network to block unauthorised RA messages. Guard [RFC6105] and [RFC7113] insert: </li>
  • insert: <li>
  • DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers [RFC 7610]
  • Dynamic "IPv6 neighbour Neighbor solicitation/advertisement" inspection [RFC4862] delete: <br /> There must be an IPv6 neighbour solicitation/advertisement inspection, as in IPv4 "Dynamic ARP Inspection". The table with MAC-address and link-local and other assigned IPv6-addresses must be dynamically created by SLAAC or DHCPv6 messages. delete: </li> delete: <li> Neighbour [RFC4861] insert: </li>
  • insert: <li>
  • Neighbor Unreachability Detection [NUD, RFC4861] filtering delete: <br /> There must be a NUD filtering function to ensure that false NUD messages cannot be sent.
  • Duplicate Address Detection [DAD, RFC4429] snooping and filtering delete: <br /> Only authorised addresses may be allowed insert: </li>
  • insert: <li>
  • If support for DHCPv6 is required, the device must support insert: <ul>
      insert: <li>
    • Lightweight DHCPv6 Relay Agent [RFC6221] insert: </li>
    • insert: <li>
    • DHCPv6 Relay Agent Remote-ID Option [RFC4649] insert: </li>
    • insert: <li>
    • DHCPv6 Relay Agent Subscriber-ID Option [RFC4580] insert: </li>
    • insert: <li>
    • DHCPv6 Client Link-Layer Address Option [RFC6939] insert: </li>
    • insert: </ul>
    insert: </li>
  • insert: </ul>
insert: <h5>
Mandatory support (management; the device must function as source IPv6 addresses in DAD messages from each port. delete: </li> delete: </ul> delete: <p> delete: <b> Optional support (management) delete: </b> delete: </p> an IPv6 host for management): insert: </h5>
  • IPv6 Basic specification [RFC2460] [RFC8200/STD86] *
  • IPv6 Addressing Architecture basic [RFC4291] *
  • Default Address Selection [RFC3484] for IPv6 [RFC6724]
  • ICMPv6 [RFC4443] [RFC4443/STD89] *
  • SLAAC [RFC4862] delete: </li> * insert: </li>
  • insert: <li>
  • If support for SNMP is required: insert: <ul>
    • SNMP protocol [RFC3411]
    • SNMP capabilities [RFC3412, RFC3413, RFC3414]
    • SNMP MIBs for IP [RFC4293] Forwarding [RFC4292] and DiffServ [RFC3289] insert: </li>
    • insert: </ul>
    insert: </li>
  • insert: <li>
  • IPv6 Routing Header [RFC2460, [RFC8200, Next Header value 43] snooping delete: </li> delete: <li> IPv6 Routing Header messages must not be allowed between subscriber ports and subscriber and uplink to prevent routing loops [See also RFC5095, Deprecation of Type 0 Routing Headers in IPv6] delete: </li> delete: <li> UPnP filtering delete: </li> delete: <li> UPnP messages must always be blocked between customer ports. There may be a possibility to filter different Ether types to allow only 0x86dd between subscriber ports. And most probably you must also permit 0×800 and 0×806 for IPv4. * insert: </li>
  • insert: </ul>
insert: <h5>
Optional support: insert: </h5>
insert: <ul>
    insert: <li>
  • Source Address Validation Improvement (SAVI) Solution for DHCP [RFC7513]

delete: <a id="layer2" name="layer3"> insert: <a name="_Toc90287592"> 4.4 Requirements for "router or layer 3 layer-3 switch" equipment

delete: <p> delete: <b> insert: <h5>
Mandatory support: delete: </b> delete: </p> insert: </h5>
  • IPv6 Basic specification [RFC2460] [RFC8200/STD86] * insert: </li>
  • insert: <li>
  • Transmission of IPv6 Packets over Ethernet Networks [RFC2464]
  • IPv6 Addressing Architecture basic [RFC4291] *
  • Default Address Selection [RFC3484] for IPv6 [RFC6724] insert: </li>
  • insert: <li>
  • Unique Local IPv6 Unicast Addresses (ULA) [RFC4193] insert: </li>
  • insert: <li>
  • If support for DHCPv6 is required, the device must support insert: <ul>
      insert: <li>
    • DHCPv6 client/server/relay [RFC8415] * insert: </li>
    • insert: <li>
    • DHCPv6 Relay Agent Remote-ID Option [RFC4649] insert: </li>
    • insert: <li>
    • DHCPv6 Relay Agent Subscriber-ID Option [RFC4580] insert: </li>
    • insert: <li>
    • DHCPv6 Client Link-Layer Address Option [RFC6939] insert: </li>
    • insert: </ul>
  • ICMPv6 [RFC4443] [RFC4443/STD89] *
  • SLAAC [RFC4862] * insert: </li>
  • insert: <li>
  • IPv6 Router Advertisement Options for DNS Configuration [RFC8106] *
  • MLDv2 snooping [RFC4541]
  • Router-Alert option [RFC2711] Multicast Listener Discovery version 2 [RFC3810] * insert: </li>
  • insert: <li>
  • Updates to the IPv6 Multicast Addressing Architecture [RFC7371]
  • Path MTU Discovery [RFC1981] delete: </li> delete: <li> Neighbour [RFC8201/STD87] * insert: </li>
  • insert: <li>
  • Neighbor Discovery [RFC4861] delete: </li> delete: <li> Classless Inter-domain routing [RFC4632] [RFC6980]* insert: </li>
  • insert: <li>
  • 127-bit IPv6 Prefixes on Inter-Router Links [RFC6164] insert: </li>
  • insert: <li>
  • IPv6 Prefix Length Recommendations for Forwarding [RFC 7608]*
  • If support for SNMP is required: insert: <ul>
      insert: <li>
    • SNMP protocol [RFC3411] insert: </li>
    • insert: <li>
    • SNMP capabilities [RFC3412, RFC3413, RFC3414] insert: </li>
    • insert: <li>
    • SNMP MIBs for IP [RFC4293] Forwarding [RFC4292] and DiffServ [RFC3289] insert: </li>
    • insert: </ul>
    insert: </li>
  • insert: <li>
  • If a dynamic internal guidance interior gateway protocol (IGP) is requested, then RIPng [RFC2080], OSPF-v3 OSPFv3 [RFC5340] [RFC5613] or IS-IS [RFC5308] must be supported. The contracting authority shall specify the required protocol. insert: </li>
  • insert: <li>
  • If OSPFv3 is requested, the equipment must comply with "Authentication/Confidentiality for OSPFv3" [RFC4552] or “Supporting Authentication Trailer for OSPFv3” [RFC7166]. insert: </li>
  • insert: <li>
  • If OSPFv3 and SNMP are requested, the device must support "Management Information Base for OSPFv3" [RFC5643] insert: </li>
  • insert: <li>
  • If BGP4 protocol is requested, the equipment must comply with [RFC4271], [RFC1772], [RFC4760], [RFC1997], [RFC3392], [RFC2545], [RFC5492], [RFC6268], [RFC6608], [RFC6793], [RFC7606], [RFC7607], [RFC7705] and [RFC8212] insert: </li>
  • insert: <li>
  • If VRRP protocol is requested the equipment must comply with [RFC5798] insert: </li>
  • insert: <li>
  • If PIM-SM protocol is requested the equipment must comply with [RFC 7761/STD83] and [RFC5059] insert: </li>
  • insert: <li>
  • Support for QoS [RFC2474, RFC3140] insert: </li>
  • insert: <li>
  • If support for tunneling and dual stack is required, the device must support Basic Transition Mechanisms for IPv6 Hosts and Routers [RFC4213] insert: </li>
  • insert: <li>
  • If support for tunneling and dual stack is required, the device must support Generic Packet Tunneling and IPv6 [RFC2473] insert: </li>
  • insert: <li>
  • If 6PE is requested, the equipment must support "Connecting IPv6 Islands over IPv4 MPLS Using IPv6 Provider Edge Routers (6PE)” [RFC4798] insert: </li>
  • insert: <li>
  • If mobile IPv6 is requested, the equipment must support MIPv6 [RFC3775, RFC5555] and "Mobile IPv6 Operation With IKEv2 and the Revised IPsec Architecture” [RFC4877] insert: </li>
  • insert: <li>
  • If MPLS functionality (for example, BGP-free core, MPLS TE, MPLS FRR) is requested, the PE-routers and route reflectors must support "Connecting IPv6 Islands over IPv4 MPLS Using IPv6 Provider Edge Routers (6PE)" [RFC4798] insert: </li>
  • insert: <li>
  • If MPLS Traffic Engineering is used in combination with IS-IS routing protocol, the equipment must support "M-ISIS: Multi-Topology (MT) Routing in Intermediate System to Intermediate Systems (IS-ISs)" [RFC5120]. insert: </li>
  • insert: <li>
  • If layer-3 VPN functionality is requested, the PE-routers and route reflectors must support "BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN" [RFC4659]. insert: </li>
  • insert: <li>
  • IPv6 Flow Label Specification [RFC6437] insert: </li>
  • insert: </ul>
insert: <h5>
Optional support: insert: </h5>
insert: <ul>
    insert: <li>
  • Extended ICMP for multi-part messages [RFC4884] insert: </li>
  • insert: <li>
  • SLAAC Privacy Extensions [RFC4941] insert: </li>
  • insert: <li>
  • Stateless DHCPv6 [RFC8415] * insert: </li>
  • insert: <li>
  • DHCPv6 Prefix Delegation [RFC8415] * insert: </li>
  • insert: <li>
  • DHCPv6 Bulk Leasequery [RFC5460] insert: </li>
  • insert: <li>
  • DHCPv6 Active Leasequery [RFC7653] insert: </li>
  • insert: <li>
  • (QOS) Assured Forwarding [RFC2597] insert: </li>
  • insert: <li>
  • (QOS) Expedited Forwarding [RFC3246] insert: </li>
  • insert: <li>
  • (QOS) Active Queue Management support [RFC7567] insert: </li>
  • insert: <li>
  • Generic Routing Encapsulation [RFC2784] insert: </li>
  • insert: <li>
  • IPsec/IKEv2 (Control Plane) [RFC4301, RFC4303, RFC7268, RFC8221, RFC 8247] * insert: </li>
  • insert: <li>
  • IPsec/IKEv2 VPN (Data Plane) [RFC4301, RFC4303], RFC7269, RFC8221] * insert: </li>
  • insert: <li>
  • Using IPsec to Secure IPv6-in-IPv4 tunnels [RFC4891] insert: </li>
  • insert: <li>
  • DNS protocol extensions for incorporating IPv6 DNS resource records [RFC3596/STD88] insert: </li>
  • insert: <li>
  • DNS message extension mechanism [RFC6891/STD75] insert: </li>
  • insert: <li>
  • DNS message size Requirements [RFC3226] insert: </li>
  • insert: <li>
  • Packetisation Layer Path MTU Discovery [RFC4821] insert: </li>
  • insert: <li>
  • IPv6 Host-to-Router Load Sharing [RFC4311] insert: </li>
  • insert: <li>
  • Default Router Preferences and More-Specific Routes [RFC4191] insert: </li>
  • insert: <li>
  • Discovering PREF64 in Router Advertisements [RFC8781] insert: </li>
  • insert: </ul>
insert: <h3>

insert: <a name="_Toc90287593"> insert: </a> 4.5 Requirements for "network security equipment” insert: </h3>

insert: <h5>
Equipment in this section is divided into three subgroups: insert: </h5>
insert: <ul>
    insert: <li>
  • Firewall (FW) insert: </li>
  • insert: <li>
  • Intrusion prevention device (IPS) insert: </li>
  • insert: <li>
  • Application firewall (APFW) insert: </li>
  • insert: </ul>
insert: <p>

For every mandatory standard the applicable subgroups are specified in parentheses at the end of the line. insert: </p>

insert: <h5>
Mandatory support: insert: </h5>
insert: <ul>
    insert: <li>
  • IPv6 Basic specification [RFC8200/STD86] (FW, IPS, APFW) * insert: </li>
  • insert: <li>
  • IPv6 Addressing Architecture [RFC4291] (FW, IPS, APFW) insert: </li>
  • insert: <li>
  • Default Address Selection for IPv6 [RFC6724] (FW, IPS, APFW) insert: </li>
  • insert: <li>
  • ICMPv6 [RFC4443/STD89] (FW, IPS, APFW) * insert: </li>
  • insert: <li>
  • Transmission of IPv6 Packets over Ethernet Networks [RFC2464] insert: </li>
  • insert: <li>
  • SLAAC [RFC4862] (FW, IPS) * insert: </li>
  • insert: <li>
  • If support for SNMP is required: insert: <ul>
      insert: <li>
    • SNMP protocol [RFC3411] insert: </li>
    • insert: <li>
    • SNMP capabilities [RFC3412, RFC3413, RFC3414] insert: </li>
    • insert: <li>
    • SNMP MIBs for IP [RFC4293] Forwarding [RFC4292] and DiffServ [RFC3289] insert: </li>
    • insert: </ul>
    insert: </li>
  • insert: <li>
  • IPv6 Router Advertisement Options for DNS Configuration [RFC8106] (FW) insert: </li>
  • insert: <li>
  • Inspecting IPv6-in-IPv4 protocol-41 traffic, which is specified in: Basic Transition Mechanisms for IPv6 Hosts and Routers [RFC4213] (IPS) insert: </li>
  • insert: <li>
  • Path MTU Discovery [RFC8201/STD87] (FW, IPS, APFW) * insert: </li>
  • insert: <li>
  • Neighbor Discovery [RFC4861] (FW, IPS, APFW) * insert: </li>
  • insert: <li>
  • If the request is for the BGP4 protocol, the equipment must comply with RFC4271, RFC1772, RFC4760 and RFC2545 (FW, IPS, APFW) insert: </li>
  • insert: <li>
  • If the request is for a dynamic internal gateway protocol (IGP), then the required RIPng [RFC2080], OSPFv3 [RFC5340] or IS-IS [RFC5308] must be supported. The contracting authority shall specify the required protocol. (FW, IPS, APFW)
  • If OSPF-v3 OSPFv3 is requested, the equipment must comply with "Authentication/Confidentiality for OSPF-v3" OSPFv3" [RFC4552] or “Supporting Authentication Trailer for OSPFv3” [RFC7166] (FW, IPS, APFW)
  • If BGP4 protocol is OSPFv3 and SNMP are requested, the equipment device must comply with RFC4271, RFC1772, RFC4760, RFC1997, RFC3392 and RFC2545 support "Management Information Base for OSPFv3" [RFC5643]
  • Support for QoS [RFC2474, RFC3140] delete: </li> delete: <li> (FW, APFW) insert: </li>
  • insert: <li>
  • If tunneling is required, the device must support Basic Transition Mechanisms for IPv6 Hosts and Routers [RFC4213] delete: </li> delete: <li> Using IPsec to Secure IPv6-in-IPv4 tunnels [RFC4891] delete: </li> delete: <li> Generic Packet Tunneling and IPv6 [RFC2473] delete: </li> delete: <li> If 6PE is requested, the equipment must comply with "Connecting IPv6 Islands over IPv4 MPLS Using IPv6 Provider Edge Routers (6PE)” [RFC4798] delete: </li> delete: <li> Multicast Listener Discovery version 2 [RFC3810] delete: </li> delete: <li> If mobile IPv6 is requested, the equipment must comply with MIPv6 [RFC3775, RFC5555] and "Mobile IPv6 Operation With IKEv2 and the Revised IPsec Architecture" [RFC4877] delete: </li> delete: <li> If MPLS functionality (for example, BGP-free core, MPLS TE, MPLS FRR) is requested, the PE-routers and route reflectors must support "Connecting IPv6 Islands over IPv4 MPLS Using IPv6 Provider Edge Routers (6PE)" [RFC 4798] delete: </li> delete: <li> If layer-3 VPN functionality is requested, the PE-routers and route reflectors must support "BGP-MPLS IP Virtual Private (FW) insert: </li>
  • insert: </ul>
insert: <p>

A Network (VPN) Extension for IPv6 VPN" [RFC 4659] delete: </li> delete: <li> If MPLS Traffic Engineering is used in combination with IS-IS routing protocol, the equipment must support "M-ISIS: Multi Topology (MT) Routing in Intermediate System to Intermediate Systems (IS-ISs)" [RFC 5120] delete: </li> delete: </ul> delete: <p> delete: <b> Optional support delete: </b> delete: </p> delete: <ul> delete: <li> Revised ICMPv6 [RFC5095] delete: </li> delete: <li> DHCPv6 client / server [RFC3315] delete: </li> delete: <li> Extended ICMP for multi-part messages [RFC4884] delete: </li> delete: <li> SEND [RFC3971] delete: </li> delete: <li> SLAAC Privacy Extensions [RFC4941] delete: </li> delete: <li> Stateless DHCPv6 [RFC3736] delete: </li> delete: <li> DHCPv6 PD [RFC3633] delete: </li> delete: <li> Route Refresh for BGP Capabilities-4 [RFC2918] delete: </li> delete: <li> BGP Extended Communities Attribute [RFC4360] delete: </li> delete: <li> (QOS), Assured Forwarding [RFC2597] delete: </li> delete: <li> (QOS) Expedited Forwarding [RFC3246] delete: </li> delete: <li> Generic Routing Encapsulation [RFC2784] delete: </li> delete: <li> Unique Local IPv6 Unicast Addresses (ULA) [RFC4193] delete: </li> delete: <li> Cryptographically Generated Addresses [RFC3972] delete: </li> delete: <li> ProSafe-v3 [RFC4301, RFC4303, RFC4302] delete: </li> delete: <li> IPSec-v2 [RFC2401, RFC2406, RFC2402] delete: </li> delete: <li> IKE version 2 (IKEv2) [RFC4306, RFC4718] delete: </li> delete: <li> SNMP protocol [RFC3411] delete: </li> delete: <li> SNMP capabilities [RFC3412, RFC3413, RFC3414] delete: </li> delete: <li> Mibsam SNMP for IP [RFC4293] Forwarding [RFC4292], IPsec [RFC4807] and DiffServ [RFC3289] delete: </li> delete: <li> DNS protocol extensions for incorporating IPv6 DNS resource records [RFC3596] delete: </li> delete: <li> DNS message extension mechanism [RFC2671] delete: </li> delete: <li> DNS message size Requirements [RFC3226] delete: </li> delete: <li> 127-bit IPv6 Prefixes Security Device is often placed where a layer-2 switch or a router/layer-3 switch would otherwise be placed. Depending on Inter-Router Links: delete: <br /> delete: <a href="http://tools.ietf.org/html/draft-kohno-ipv6-prefixlen-p2p-01"> http://tools.ietf.org/html/draft-kohno-ipv6-prefixlen-p2p-01 delete: </a> delete: </li> delete: <li> Packetization Layer Path MTU Discovery [RFC4821] delete: </li> delete: <li> When IS-IS routing protocol is requested, the equipment this placement those requirements should support "M-ISIS: Multi Topology (MT) Routing in Intermediate System to Intermediate Systems (IS-ISs)" [RFC 5120] (this support is highly recommended) delete: </li> delete: </ul> delete: <h3> delete: <a id="net-sec" name="net-sec"> delete: </a> Requirements for "network security" equipment delete: </h3> delete: <p> Equipment in this section is divided into three subgroups: delete: </p> delete: <ul> delete: <li> Firewall (FW) delete: </li> delete: <li> Intrusion prevention device (IMS) delete: </li> delete: <li> Application firewall (APFW) delete: </li> delete: </ul> delete: <p> For every mandatory standard the applicable subgroups are specified in parentheses at the end of the line. delete: </p> delete: <p> delete: <b> Mandatory support: delete: </b> delete: </p> delete: <ul> delete: <li> IPv6 Basic specification [RFC2460] (FW, IPS, APFW) delete: </li> delete: <li> IPv6 Addressing Architecture basic [RFC4291] (FW, IPS, APFW) delete: </li> delete: <li> Default Address Selection [RFC3484] (FW, IPS, APFW) delete: </li> delete: <li> ICMPv6 [RFC4443] (FW, IPS, APFW) delete: </li> delete: <li> SLAAC [RFC4862] (FW, IPS) delete: </li> delete: <li> Router-Alert option [RFC2711] (FW, IPS) delete: </li> delete: <li> Path MTU Discovery [RFC1981] (FW, IPS, APWF) delete: </li> delete: <li> Neighbour Discovery [RFC4861] (FW, IPS, APFW) delete: </li> delete: <li> If the request is for the BGP4 protocol, the equipment must comply with RFC4271, RFC1772, RFC4760 and RFC2545 (FW, IPS, APFW) delete: </li> delete: <li> If the request is for a dynamic internal guidance protocol (IGP), then the required RIPng [RFC2080], OSPF-v3 [RFC5340] or IS-IS [RFC5308]. The contracting authority shall specify the required protocol. (FW, IPS, APFW) delete: </li> delete: <li> If the requested OSPF-v3, the device must support "Authentication/Confidentiality for OSPFv3" [RFC4552] (FW, IPS, APFW) delete: </li> delete: <li> Support for QoS [RFC2474, RFC3140] (FW APFW) delete: </li> delete: <li> Basic Transition Mechanisms for IPv6 Hosts and Routers [RFC4213] (FW) delete: </li> delete: <li> Using IPsec to Secure IPv6-in-IPv4 Tunnels [RFC4891] (FW) delete: </li> delete: </ul> be included. insert: </p>

Functionality and features that are supported over IPv4 should be comparable with the functionalities functionality supported over IPv6. For example, if an intrusion prevention system is capable of operating over IPv4 in Layer 2 and Layer 3 layer-2 and layer-3 mode, then it should also offer this functionality over IPv6. Or if a firewall is running in a cluster capable of synchronizing synchronising IPv4 sessions between all members of a cluster, then this must also be possible with IPv6 sessions.

delete: <p> delete: <b> insert: <h5>
Optional support delete: </b> delete: </p> support: insert: </h5>
  • Revised ICMPv6 [RFC5095] delete: </li> delete: <li> DHCPv6 client / server [RFC3315] client/server/relay [RFC8415] * insert: </li>
  • insert: <li>
  • Stateless DHCPv6 [RFC8415] * insert: </li>
  • insert: <li>
  • DHCPv6 Prefix Delegation [RFC8415] *
  • Extended ICMP for Multipart Messages [RFC4884] delete: </li> delete: <li> SEND [RFC3971]
  • SLAAC Privacy Extensions [RFC4941] delete: </li> delete: <li> Stateless DHCPv6 [RFC3736] delete: </li> delete: <li> DHCPv6 PD [RFC3633]
  • BGP Communities Attribute [RFC1997]
  • BGP Capabilities Advertisement WITH-4 [RFC3392]
  • (QOS), (QOS) Assured Forwarding [RFC2597]
  • (QOS) Expedited Forwarding [RFC3246]
  • Unique Local IPv6 Unicast Addresses (ULA) [RFC4193]
  • Cryptographically Generated Addresses [RFC3972] delete: </li> delete: <li> IPsec-v3 IPsec/IKEv2 [RFC4301, RFC4303, RFC4302] delete: </li> delete: <li> OSPF-v3 RFC4302, RFC7296/STD79] * insert: </li>
  • insert: <li>
  • Using IPsec to Secure IPv6-in-IPv4 Tunnels [RFC4891] (FW) insert: </li>
  • insert: <li>
  • OSPFv3 [RFC5340]
  • Authentication / Confidentiality for OSPF-v3 Authentication/Confidentiality for OSPFv3 [RFC4552]
  • Generic Packet Tunneling and IPv6 [RFC2473]
  • IPsec-v2 [RFC2401, RFC2406, RFC2402] delete: </li> delete: <li> IKE version 2 (IKEv2) [RFC4306, RFC4718] delete: </li> delete: <li> SNMP protocol [RFC3411] delete: </li> delete: <li> SNMP capabilities [RFC3412, RFC3413, RFC3414] delete: </li> delete: <li> DNS protocol extensions for incorporating IPv6 DNS resource records to support IPv6 [RFC3596]
  • DNS message extension mechanism [RFC2671] [RFC6891]
  • DNS message size requirements [RFC3226]
  • Using IPSec to Secure IPv6-in-IPv4 Tunnels [RFC4891]
  • Multicast Listener Discovery version 2 [RFC3810] *
  • MLDv2 snooping [RFC4541] (when in L2 or passthrough mode) delete: </li> delete: <li> Packetization * insert: </li>
  • insert: <li>
  • Packetisation Layer Path MTU Discovery [RFC4821] and [RFC8899] insert: </li>
  • insert: <li>
  • IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2) [RFC5739] insert: </li>
  • insert: <li>
  • IPv6 Host-to-Router Load Sharing [RFC4311] insert: </li>
  • insert: <li>
  • Default Router Preferences and More-Specific Routes [RFC4191] insert: </li>
  • insert: <li>
  • Transmission and Processing of IPv6 Extension Headers [RFC 7045]

delete: <br /> delete: <a id="net-sec2" name="software"> insert: <a name="_Toc90287594"> 4.6 Requirements for IPv6 CPE equipment insert: </h3>

insert: <h5>
Mandatory support: insert: </h5>
insert: <ul>
    insert: <li>
  • Basic Requirements for IPv6 Customer Edge Routers [RFC7084] * insert: </li>
  • insert: <li>
  • Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service [RFC6092] insert: </li>
  • insert: <li>
  • If support for specific IPv4 transition mechanisms is required, the device must support the relevant requirements, as can be taken from Requirements for IPv6 Customer Edge Routers to Support IPv4-as-a-Service [RFC8585] and Discovering PREF64 in Router Advertisements [RFC8781] insert: </li>
  • insert: <li>
  • If support for SNMP is required: insert: <ul>
      insert: <li>
    • SNMP protocol [RFC3411] insert: </li>
    • insert: <li>
    • SNMP capabilities [RFC3412, RFC3413, RFC3414] insert: </li>
    • insert: <li>
    • SNMP MIBs for IP [RFC4293] Forwarding [RFC4292] and DiffServ [RFC3289] insert: </li>
    • insert: </ul>
    insert: </li>
  • insert: </ul>
insert: <h5>
Optional support: insert: </h5>
insert: <ul>
    insert: <li>
  • IPsec/IKEv2 [RFC4301, RFC4303, RFC4302, RFC7296, RFC7619, RFC8221, RFC8247] * insert: </li>
  • insert: <li>
  • “MIPv6” [RFC6275, RFC5555] and “Mobile IPv6 Operation With IKEv2 and the Revised IPsec Architecture” [RFC4877] insert: </li>
  • insert: <li>
  • Extended ICMP for multi-part messages [RFC4884] insert: </li>
  • insert: <li>
  • SLAAC Privacy Extensions [RFC4941] insert: </li>
  • insert: <li>
  • Transmission of IPv6 Packets over Ethernet Networks [RFC2464] insert: </li>
  • insert: <li>
  • (QOS) DS (Traffic class) [RFC2474, RFC3140] insert: </li>
  • insert: <li>
  • (QOS) Active Queue Management support [RFC7567] insert: </li>
  • insert: <li>
  • Multicast Listener Discovery version 2 [RFC3810] * insert: </li>
  • insert: <li>
  • Packetisation Layer Path MTU Discovery [RFC4821] and [RFC8899] insert: </li>
  • insert: <li>
  • Requirements for IPv6 Customer Edge Routers to Support IPv4-as-a-Service [RFC8585] insert: </li>
  • insert: <li>
  • IPv6 Host-to-Router Load Sharing [RFC4311] insert: </li>
  • insert: <li>
  • Default Router Preferences and More-Specific Routes [RFC4191] insert: </li>
  • insert: </ul>
insert: <h3>

insert: <a name="_Toc90287595"> insert: </a> 4.7 Requirements for Load balancers insert: </h3>

insert: <p>

A load balancer distributes incoming requests and/or connections from clients to multiple servers. Load balancers will have to support several combinations of IPv4 and IPv6 connections: insert: </p>

insert: <ul>
    insert: <li>
  • Load balancing IPv6 clients to IPv6 servers (6-to-6) insert: <strong> insert: <u> must insert: </u> insert: </strong> be supported insert: </li>
  • insert: <li>
  • Load balancing IPv6 clients to IPv4 servers (6-to-4) insert: <strong> insert: <u> must insert: </u> insert: </strong> be supported insert: </li>
  • insert: <li>
  • Load balancing IPv4 clients to IPv4 servers (4-to-4) insert: <strong> insert: <u> should insert: </u> insert: </strong> be supported insert: </li>
  • insert: <li>
  • Load balancing IPv4 clients to IPv6 servers (4-to-6) insert: <strong> insert: <u> should insert: </u> insert: </strong> be supported insert: </li>
  • insert: <li>
  • Load balancing a single external/virtual IPv4 address to a mixed set of IPv4 and IPv6 servers insert: <strong> insert: <u> should insert: </u> insert: </strong> be supported insert: </li>
  • insert: <li>
  • Load balancing a single external/virtual IPv6 address to a mixed set of IPv4 and IPv6 servers insert: <strong> insert: <u> should insert: </u> insert: </strong> be supported insert: </li>
  • insert: </ul>
insert: <h5>
Mandatory support: insert: </h5>
insert: <ul>
    insert: <li>
  • IPv6 Basic specification [RFC8200/STD86] * insert: </li>
  • insert: <li>
  • IPv6 Addressing Architecture [RFC4291] * insert: </li>
  • insert: <li>
  • Default Address Selection [RFC6274] insert: </li>
  • insert: <li>
  • Transmission of IPv6 Packets over Ethernet Networks [RFC2464] insert: </li>
  • insert: <li>
  • Unique Local IPv6 Unicast Addresses (ULA) [RFC4193] insert: </li>
  • insert: <li>
  • ICMPv6 [RFC4443/STD89] * insert: </li>
  • insert: <li>
  • Path MTU Discovery [RFC8201/STD87] * insert: </li>
  • insert: <li>
  • Neighbor Discovery [RFC4861] * insert: </li>
  • insert: <li>
  • IPv6 Router Advertisement Options for DNS Configuration [RFC8106] insert: </li>
  • insert: <li>
  • DNS protocol extensions for incorporating IPv6 DNS resource records [RFC3596/STD88] insert: </li>
  • insert: <li>
  • DNS message extension mechanism [RFC6891] insert: </li>
  • insert: <li>
  • DNS message size requirements [RFC3226] insert: </li>
  • insert: <li>
  • If layer-7 load balancing (application level/reverse proxy, defined as ‘surrogate’ in section 2.2 of RFC3040) is requested, the equipment must support "Forwarded HTTP Extension [RFC7239]" for both IPv4 and IPv6 client addresses insert: </li>
  • insert: <li>
  • If layer-7 load balancing (application level/reverse proxy, defined as ‘surrogate’ in section 2.2 of RFC3040) is requested, the equipment must support "Transport Layer Security (TLS) Protocol Version 1.3 [RFC8446]" insert: </li>
  • insert: <li>
  • If support for IPsec is required, the device must support IPsec/IKEv2 [RFC4301, RFC4303, RFC4302, RFC7296/STD79] * and Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) [RFC5685] insert: </li>
  • insert: <li>
  • If support for BGP4 is required, the equipment must comply with RFC4271, RFC1772, RFC4760 and RFC2545 insert: </li>
  • insert: <li>
  • If support for a dynamic internal gateway protocol (IGP) is required, RIPng [RFC2080], OSPFv3 [RFC5340] or IS-IS [RFC5308] must be supported. The contracting authority shall specify the required protocol. insert: </li>
  • insert: <li>
  • If OSPFv3 is requested, the device must support "Authentication/Confidentiality for OSPFv3" [RFC4552] insert: </li>
  • insert: </ul>
insert: <h5>
Optional support: insert: </h5>
insert: <ul>
    insert: <li>
  • Extended ICMP for multi-part messages [RFC4884] insert: </li>
  • insert: <li>
  • DS (Traffic class) [RFC2474, RFC3140] insert: </li>
  • insert: <li>
  • SNMP protocol [RFC3411] insert: </li>
  • insert: <li>
  • SNMP capabilities [RFC3412, RFC3413, RFC3414] insert: </li>
  • insert: <li>
  • SNMP MIBs for IP [RFC4293] Forwarding [RFC4292] and DiffServ [RFC3289] insert: </li>
  • insert: <li>
  • Multicast Listener Discovery version 2 [RFC3810] * insert: </li>
  • insert: <li>
  • Packetisation Layer Path MTU Discovery [RFC4821] insert: </li>
  • insert: <li>
  • NAT64/DNS64 [RFC6146, RFC6147] insert: </li>
  • insert: <li>
  • IPv6 Host-to-Router Load Sharing [RFC4311] insert: </li>
  • insert: <li>
  • Default Router Preferences and More-Specific Routes [RFC4191] insert: </li>
  • insert: </ul>
insert: <h2>

insert: <a name="_Toc90287596"> insert: </a> 5 Requirements for IPv6 support in software delete: </h3> insert: </h2>

All software must support IPv4 and IPv6 and be able to communicate over both types of IPv6-only and dual-stack networks. If software includes network parameters in its local or remote server settings, it should also must support configuration of IPv6 parameters. delete: </p> delete: <p> Functional differences must not be significantly different between IPv4 and IPv6. The user should not experience any significant noticeable difference when software is communicating over IPv4 or IPv6. delete: </p> delete: <h3> delete: <a id="net-sec3" name="skills"> IPv6, unless this is providing explicit benefit to the user. insert: </p>

insert: <p>

Software developer/vendor must at a minimum do the following things to guarantee this: insert: </p>

insert: <ul>
    insert: <li>
  • It is strongly recommended not to use any address literals in software code, as described in “Default Address Selection for Internet Protocol version 6” [RFC6724] insert: </li>
  • insert: <li>
  • Every place in the software where IP addresses are handled (such as in user interfaces, configuration parsing or where data is processed) all valid IPv6 address notations as specified in "IP Version 6 Addressing Architecture [RFC4291]" must be supported insert: </li>
  • insert: <li>
  • Every place where IPv6 addresses are shown or output the notation as specified in "A Recommendation for IPv6 Address Text Representation [RFC5952]" should be followed insert: </li>
  • insert: <li>
  • Resolving hostnames in DNS must support IPv6 (AAAA) answers insert: </li>
  • insert: <li>
  • Connecting to other systems and receiving connections from other systems must support IPv6 connections using the appropriate system mechanisms (e.g. networking sockets) insert: </li>
  • insert: <li>
  • When setting up a connection the software should follow Default Address Selection for Internet Protocol Version 6 [RFC6724] or Happy Eyeballs Version 2: Better Connectivity Using Concurrency [RFC8305] insert: </li>
  • insert: <li>
  • These requirements should also be checked in any library or tools used by the software insert: </li>
  • insert: </ul>
insert: <p>

This list is not exhaustive and only covers the basic requirements. insert: </p>

insert: <p>

The white paper "IP-version dependency in application software - Preparing source code for IPv6" insert: <a href="#_ftn1" name="_ftnref1"> insert: <sup> [1] insert: </sup> from the Netherlands IPv6 Foundation can be used to get developers started. insert: </p>

insert: <h2>

insert: <a name="_Toc90287597"> insert: </a> 6 IPsec: Mandatory vs Optional insert: </h2>

insert: <p>

In the original IPv6 Node Requirements (RFC4294) IPsec was listed as a 'MUST' implement to be standards compliant. The updated Node Requirements RFC (RFC6434) published in 2011 changed IPsec to a 'SHOULD' implement. Reasons for the change were stated in that RFC. insert: </p>

insert: <p>

The RIPE IPv6 Working Group has extensively discussed whether to make IPsec support mandatory or optional.  When finalising ripe-554, the most vocal constituents showed support for moving IPsec to the optional sections, which is what is also reflected in this updated document. insert: </p>

insert: <p>

While the consensus of the community was to make IPsec optional in most cases, the IETF confirmed in 2019 in the latest version of the IPv6 Node Requirements standard (RFC8504) that IPsec 'SHOULD' be implemented (not ‘MUST’). In the IETF context, a ‘SHOULD’ means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. insert: </p>

insert: <p>

Organisations that use IPsec or expect to use it in the future should include the following in the mandatory section when initiating the tender: insert: </p>

insert: <ul>
    insert: <li>
  • IPsec/IKEv2 [RFC4301, RFC4303, RFC8221, RFC7296 RFC7619 and RFC 8247] * insert: </li>
  • insert: </ul>
insert: <p>

The current set of mandatory-to-implement algorithms for the IPsec Architecture are defined in Cryptographic Algorithm Implementation Requirements for ESP and AH [RFC8221]. IPv6 nodes implementing the IPsec Architecture MUST conform to the requirements in [RFC8221]. insert: </p>

insert: <p>

The current set of mandatory-to-implement algorithms for IKEv2 are defined in Cryptographic Algorithm Implementation Requirements for ESP and AH [RFC8247]. IPv6 nodes implementing IKEv2 MUST conform to the requirements in [RFC8247] and/or any future updates or replacements to [RFC8247]. insert: </p>

insert: <p>

While the Authentication Header specified in RFC4302 was supposed to be the way to provide for integrity and non-repudiation, because it could not traverse NATs, it became common practice for ESP null to be used. As stated in Section 13.1 of RFC8504, which is taken from RFC4301, IPv6 nodes implementing the IPsec Architecture ‘MUST’ implement ESP (RFC4303) and ‘MAY’ implement AH (RFC4302). insert: </p>

insert: <h2>

insert: <a name="_Toc90287598"> insert: </a> 7 Skill requirements of the systems integrator delete: </h3> insert: </h2>

Vendors and reseller resellers that offer system integration services must have at least three employees who have valid certificates of competency from the equipment manufacturers for the equipment that is sold as part of the tender. These certificates Additionally these employees must indicate a have general knowledge of the IPv6 protocol, IPv6 network planning and IPv6 security. security (eg. as indicated by certification for these skills also). If it becomes obvious during the equipment installation and integration that the integrator's integrator’s knowledge, competence and experience is not sufficient to successfully install and configure the equipment to establish normal IPv4 and IPv6 communication with the network, the agreement shall be cancelled canceled and become null and void. void. 

The definition of proper integration, timing and degree of disruption of the network during the assembly shall be a matter of agreement between the client and systems integrator.

It is also recommended that a systems integrator and its employees have a broad knowledge of IPv6 and generic IPv6 certificates other than those specifically offered by the equipment manufacturers. These certificates can be obtained from independent education providers. Such knowledge may be awarded extra points in the tender process.

All bidders in the tender process must sign the following form, which indicates that the company and its employees have passed technical training for design, construction and integration of ICT equipment in IPv4 and IPv6 networks.

delete: <hr noshade="noshade" size="1" />

delete: <a id="net-sec4" name="declaration"> insert: <a name="_Toc90287599"> DECLARATION 7.1 Declaration of IPv6 competence

Tender initiators should require technical IPv6 competence declaration from the equipment supplier or integrator. IPv6 knowledge and experience is required to assure proper installation and integration of equipment in the IPv6 ICT environment. insert: </p>

insert: <p>

Declaration of technical competence for planning, building and integrating ICT should say that the equipment in IPv4 and IPv6 networks and environments delete: </p> delete: <p> Company: ________________________________________ delete: </p> delete: <p> Address: ________________________________________ delete: </p> delete: <p> declares, supplier or system integrator declares under criminal and material responsibility:

  • That we they have a sufficient number of people employed to perform the offered services;
  • That those employees are professionally trained for their work - design, construction and integration of ICT equipment in both IPv4 and IPv6 networks and environments environments;
  • That the quality of offered services meets the requirements laid out in the tender documents. documents, and that these requirements apply to both IPv4 and IPv6. 

Place ____________________ delete: </p> delete: <p> Date ____________________ delete: <br /> delete: <br /> delete: </p> delete: <p> Stamp and signature of Systems Integrator delete: </p> delete: <p> delete: </p> delete: <hr noshade="noshade" size="1" /> Note that declarations like this can vary depending on local legislation. Therefore translators and tender initiators should get legal advice on the exact wording for these requirements. insert: </p>

delete: <a id="2" name="2"> insert: <a name="_Toc90287600"> Option 2 delete: </h2> delete: <p> The tender initiator can require ICT equipment to be “Phase 1” or “Phase 2” certified under the “IPv6 Ready” program. Tests for both phases of certification can be done in five accredited laboratories around the world: TTA (Korea), BII (China), CHT-TL (Taiwan), IRISA (France) and UNH-IOL (US). These tests determine basic IPv6 protocols compliance (Phase 1, approximately 150 tests) and advanced IPv6 functionality (Phase 2, over 450 tests). delete: </p> delete: <ul> delete: <li> delete: <a href="http://www.ipv6ready.org/"> About the IPv6 Ready Program delete: </a> delete: </li> delete: <li> delete: <a href="http://ipv6ready.org/?page=phase-1-about"> About Phase 1 delete: </a> delete: </li> delete: <li> delete: <a href="http://ipv6ready.org/?page=phase-2-about"> About Phase 2 delete: </a> delete: </li> delete: </ul> delete: <p> Any other requirements for the system integrator remain the same as in the first option. delete: </p> delete: <h3> delete: <a id="2text" name="2text"> delete: </a> Proposed text for the tender initiator: delete: </h3> delete: <blockquote> delete: <p> delete: <i> ICT equipment that supports and communicates over the IPv4 protocol must also support the IPv6 protocol and be able to communicate with other devices over IPv6. Basic IPv6 support must be verified and certified by the IPv6 Ready program with a “Phase 1” logo certificate. A “Phase 2” logo certificate will be awarded additional points (+10%) in the tender evaluation procedure. delete: </i> delete: </p> delete: </blockquote> delete: <h3> Option 3 delete: </h3> delete: <p> The third option is a mix of the two alternatives outlined above. The IPv6 Ready program does not cover all equipment that correctly supports IPv6, so declaring such equipment ineligible may not be desirable. This option suggests that the tender initiator specify that eligible equipment may be either Phase 1 or Phase 2 certified under the IPv6 Ready program, or be compliant with the appropriate RFCs listed in Option 1. delete: </p> delete: <h3> delete: <a id="3text" name="3text"> delete: </a> Proposed text for the tender initiator: delete: </h3> delete: <blockquote> delete: <p> delete: <i> ICT equipment that supports and communicates over the IPv4 protocol must also support the IPv6 protocol and be able to communicate with other devices over IPv6. Basic IPv6 support must be verified and certified by the IPv6 Ready program with a “Phase 1” logo certificate. A “Phase 2” logo certificate will be awarded additional points (+10%) in the tender evaluation procedure. delete: </i> delete: </p> delete: <p> delete: <i> Equipment that has not been put through the IPv6 Ready testing procedures must comply with the RFCs listed below: delete: </i> delete: </p> delete: <p> delete: <i> [appropriate list of selected mandatory and optional RFCs from Option 1] delete: </i> delete: </p> delete: </blockquote> delete: <h2> delete: <a id="ack" name="ack"> delete: </a> 8 Acknowledgments

The very first (Slovenian) version of this document was created in the Go6 Expert council and the Slovenian IPv6 working group back in 2009. insert: </p>

insert: <p>

The original authors would like to thank all involved in the creation and modification of the first version of this document. document (ripe-501, year 2009). First of all all, we would like to thank Janez Sterle, Urban Kunc, Matjaz Straus, Simeon Lisec, Davor Sostaric and Matjaz Lenassi from the go6 expert council for their enthusiastic governance of this document. We recognise the work done in the Slovenian IPv6 working group and thank them for their review and useful input, with special recognition goes to Ivan Pepelnjak, Andrej Kobal and Ragnar Us for their efforts and work done on the document. Thanks also go to the Co-chairs of RIPE IPv6 Working Group, David Kessens, Shane Kerr and Marco Hogewoning, for their support and encouragement. We would also like to thank Patrik Fältström, Torbjörn Eklöv, Fältström, Torbjörn Eklöv, Randy Bush and Bush, Matsuzaki Yoshinobu, Ides Vanneuville, Olaf Maennel, Ole Troan, Trøan, Teemu Savolainen and people from RIPE IPv6 WG (Joao Damas, S.P.Zeidler, Gert Döring Doering and others) for their input, comments and review of the document. Last, but not least we would like to thank the RIPE NCC staff Chris Buckridge from RIPE-NCC for correcting our grammar and wording in this document. And everybody else that contributed to this work.

insert: <p>

The authors of the previous version of the document (ripe-554, year 2012) would like to thank the RIPE IPv6 WG and its chairs for all support and encouragement to develop a followup version of the document. Special thanks goes to Ole Trøan, editor of RFC6204 for his help in the CPE section and also suggesting other changes across the document. Thanks to Marco Hogewoning, Ivan Pepelnjak and S.P. Zeidler for great input in ideas how to make document structure and content better, Timothy Winters and Erica Johnson (both IPv6 Ready Logo committee, UNH) for help with marking RFCs they test and constructive suggestions. Thanks also to Yannis Nikolopoulos and Frits Nolet. Special thanks goes to Jouni Korhonen, Jari Arkko, Eric Vyncke, David Freedman, Tero Kivinen and Michael Richardson for some very useful comments and suggestions that made this document much better. insert: </p>

insert: <p>

The authors of the current version of the document would like to thank members of the RIPE IPv6 Working Group and its chairs, and especially Jens Link, Martin Schröder, Fernando Gont, Enno Rey, Dave Taht, Azalea Fernandez, Yannis Nikolopoulos and Eric Vyncke for their comments. insert: </p>

insert: <p>

Suggestions for improvement of current document and comments can be sent to the RIPE IPv6 WG or RIPE BCOP TF mailing lists. insert: </p>

insert: <p>

insert: <a href="https://www.ripe.net/../../../../../../../../../../../mailman/listinfo/ipv6-wg/"> https://www.ripe.net/mailman/listinfo/ipv6-wg/ insert: <br />
insert: </a>
insert: <a href="https://www.ripe.net/../../../../../../../../../../../mailman/listinfo/bcop"> https://www.ripe.net/mailman/listinfo/bcop insert: </a> insert: </p>

insert: <hr />
insert: <p>

insert: <a href="#_ftnref1" name="_ftn1"> insert: <sup> [1] insert: </sup> insert: </a> insert: <a href="https://www.stipv6.nl/wp-content/uploads/2013/09/ip-aspects-software-stipv6-white-paper-v12.pdf" data-linktype="external" data-val="https://www.stipv6.nl/wp-content/uploads/2013/09/ip-aspects-software-stipv6-white-paper-v12.pdf"> https://www.stipv6.nl/wp-content/uploads/2013/09/ip-aspects-software-stipv6-white-paper-v12.pdf insert: </a> insert: </p>

RIPE Documents Search