INTERNET-DRAFT Jim Bound NGTRANS Working Group Nokia Networks Laurent Toutain Expires July 2001 Francis Dupont ENST Bretagne Alain Durand Sun Microsystems Dual Stack Transition Mechanism (DSTM) Extensions Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). Distribution of this memo is unlimited. Abstract The Dual Stack Transition Method (DSTM) is an IPv6 transition mechanism that provides for the assignment of IPv4 Global Addresses using DHCPv6, and a Dynamic Tunneling Interface (DTI) so IPv6 nodes within a predominant IPv6 network can communicate with IPv4 ONLY nodes. This document is an extension to DSTM to provide the ability Bound,Toutain,Dupont,Durand Expires July 2001 [Page 1] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 for an IPv4 ONLY node to initiate communications with an IPv6/IPv4 node, which has only an IPv6 address. Bound,Toutain,Dupont,Durand Expires July 2001 [Page 2] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 Table of Contents: 1. Introduction.................................................4 2. Terminology..................................................4 2.1 IPv6 DSTM Terminology.......................................4 2.2 Specification Language......................................5 3. DSTMEXT1 AIIH Server Architecture View......................7 4. DSTM Deployment Example......................................8 4.1 IPv4 node to an IPv6 node...................................9 5. AIIH Server Design Model....................................10 5.1 AIIH DHCPv6/DNS Server.....................................10 5.1.1 AIIH DNS Query and DHCPv6 Processing.....................11 5.1.2. Cleaning up the AIIH IPv4 Assigned Address..............11 5.2 Links with other DNS.......................................12 6. Applicability Statement.....................................13 7. Security Considerations.....................................13 Acknowledgments................................................13 References.....................................................13 Authors' Address...............................................15 Bound,Toutain,Dupont,Durand Expires July 2001 [Page 3] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 1. Introduction The Dual Stack Transition Method (DSTM) is an IPv6 transition mechanism that provides for the assignment of IPv4 Global Addresses using DHCPv6, and a Dynamic Tunneling Interface (DTI) so IPv6 nodes within a predominant IPv6 network can communicate with IPv4 ONLY nodes. This document is an extension to DSTM to provide the ability for an IPv4 ONLY node to initiate communications with an IPv6/IPv4 node, which has only an IPv6 address. All of the mechanisms in DSTM [20] are applicable to this DSTM Extension-1 (DSTMEXT1). Added are the mechanisms for an IPv4 ONLY node to communicate with an IPv6/IPv4 node, because the IPv6/IPv4 node is assigned a temporary IPv4 Global Address to communicate with the IPv4 ONLY node. DSTMEXT1 is composed of a DHCPv6 [4] server coupled with a DNS [1,2] server (called AIIH server, for Assignment of IPv4 Global Addresses to IPv6 Hosts). This server will allocate temporary IPv4 addresses to IPv6 hosts using DHCPv6. This server will also be used to maintain the mapping between the allocated IPv4 address and the permanent IPv6 address of the host. Every IPv6 host will have an IPv4 interface called DTI (Dynamic Tunneling Interface) designed to encapsulate IPv4 packets into IPv6 packets and resolve the address space mechanics, between IPv4 and IPv6. 2. Terminology 2.1 IPv6 DSTM Terminology DSTM Domain The network areas on an Intranet where a DHCPv6 Server has access to IPv6 nodes participating in DSTM for that network, and IPv4 routing access is not necessary within a DSTM domain. DSTM Border Router A border router within a DSTM domain and access to an external IPv4-ONLY domain. DSTM Host A Host that supports a dual IP layer IPv4 and IPv6 stack, DTI, and a DHCPv6 Client process. IPv6 Protocol Terms: See [3] Bound,Toutain,Dupont,Durand Expires July 2001 [Page 4] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 IPv6 Transition Terms: See [14] DHCPv6 Terms: See [4] DTI: Dynamic Tunneling Interface. An interface encapsulating IPv4 packets into IPv6 packets. IPv4 Global Address: An IPv4 address that is globally routable on the Internet. Tunnel End Point (TEP) Destination of the IPv6 packet containing an IPv4 packet. In most cases this will be a dual stack border router. AIIH Server A virtual or co-located server, in an implementation defined manner, that supports both DHCPv6 and DNS Server functions. 2.2 Specification Language In this document, several words are used to signify the requirements of the specification, in accordance with RFC 2119 [8]. These words are often capitalized. MUST This word, or the adjective "required", means that the definition is an absolute requirement of the specification. MUST NOT This phrase means that the definition is an absolute prohibition of the specification. SHOULD This word, or the adjective "recommended", means that there may exist valid reasons in particular circumstances to ignore this item, but the full implications must be understood and carefully weighed before choosing a different course. Unexpected results may result otherwise. MAY This word, or the adjective "optional", means that this item is one of an allowed set of alternatives. An implementation which does not include this option MUST be prepared to interoperate with another implementation which does include the option. silently discard The implementation discards the packet without further processing, and without indicating an error Bound,Toutain,Dupont,Durand Expires July 2001 [Page 5] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 to the sender. The implementation SHOULD provide the capability of logging the error, including the contents of the discarded packet, and SHOULD record the event in a statistics counter. Bound,Toutain,Dupont,Durand Expires July 2001 [Page 6] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 3. DSTMEXT1 AIIH Server Architecture View ----------------------------------------------- | IPv4 Internet or Intranet DSTM Domain Intranet | IPv4 Applications | Domain _____________________ | | | | | AIIH Server | | | (DHCPv6 and DNS) | | |_____________________| | / / | | | | __________________ | | _|_______ | | | | | | | IPv6/IPv4 Node | | | | DSTM | |------------------| | --------->| Border | | DSTM Daemon | | | Router | | DHCPv6 client |<------- | IPv6 | |------------------| | & | | DTI/Route |<-------------------->| IPv4 | ------------------- --------- | ---------------------------------------------- Bound,Toutain,Dupont,Durand Expires July 2001 [Page 7] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 4. DSTM Deployment Example In the example below, the following notation will be used: X will designate an IPv6 node with a dual stack X6 will be the IPv6 address of this node X4 the IPv4 address of this node Y will designate a DSTM border router at the boundary between an IPv6 DSTM domain and an IPv4-only domain Z will designate an IPv4-only node Z4 The IPv4-only nodes address ==> means an IPv6 packet --> means an IPv4 packet ++> means a tunneled IPv4 packet is encapsulated in an IPv6 packet ..> means a DNS query or response. The path taken by this packet does not matter in the examples "a" means the DNS name of a node Bound,Toutain,Dupont,Durand Expires July 2001 [Page 8] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 4.1 IPv4 node to an IPv6 node This example covers any scenario where an IPv4-only host wants to establish a session with an IPv6 host, which does not have an IPv4 address. No modification can be made to the IPv4 host or to the application, especially the IPv4-application cannot be recompiled. X4 AIIH Y4 Z4 X6 Y6 | <. . . . . . . . . | - ask for the IPv4 address of X | | | - this request arrives to the AIIH Server | | | | | | - if node X does not have already a | | | temporary IPv4 address assigned then the | | | AIIH allocates an IPv4 address and |<===== | | registers it in the DNS. | . . . . . . . . . >| - AIIH returns the IPv4 address to node Z4 | | | | |<-----------| - Z4 sends an IPv4 packet which arrives at Y4 | <=====| | - Y4 asks the AIIH server for the IPv6 address | | | corresponding to X4. | =====>| | - AIIH server responds |<++++++++++ | | - The packet is tunneled to node X6 | | | Bound,Toutain,Dupont,Durand Expires July 2001 [Page 9] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 5. AIIH Server Design Model The design model provides a mechanism to assign an IPv6 host an IPv4 address. An AIIH Server will assign an IPv6 host a globally routable IPv4 address using the DHCPv6 Reconfigure-Init Message, when it is requested to do so by the DNS server function. 5.1 AIIH DHCPv6/DNS Server The AIIH Server supports a cooperating DHCPv6 and DNS Server and other implementation defined software functions. The AIIH server configuration files and database is not defined in this specification. There can be one or many AIIH Servers on an Intranet and how they maintain consistency and Tunnel End Point configurations for IPv6 links is implementation defined. The AIIH Server is an implementation where DNS, DHCPv6, and communications between those two applications exists. These applications MAY be co-located on the same host, but that is not a requirement of this specification. How DNS and DHCPv6 communicate is implementation defined . The AIIH Server SHOULD support the following operations: 1. Act as the Authoritative DNS Name Server for a set of IPv6 hosts that can be queried for IPv4 Global Addresses. 2. Communications between the AIIH DNS server and the AIIH DHCPv6 Server. 3. An AIIH DHCPv6 Server that can maintain a pool of IPv4 Global Addresses in an implementation defined manner. 4. An AIIH DHCPv6 Server that can maintain Tunnel End Points for IPv6 Links in an implementation defined manner. 5. An AIIH DHCPv6 Server to process DNS AIIH IPv6 host DNS queries, and Reconfiguring IPv6 hosts to assign IPv4 Global Addresses to their interfaces. 6. Dynamically Updating DNS with an IPv4 Global Address for an IPv6 host that supports IPv4/IPv6. An AIIH Server MUST support a dual IPv4/IPv6 network layer and implementation of IPv4/IPv6. An IPv4 address is assigned to an IPv4/IPv6 host, when a DNS A query is made for a node that only has an IPv6 address (see section 5.2). fails to respond to a DNS A RR query. Bound,Toutain,Dupont,Durand Expires July 2001 [Page 10] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 5.1.1 AIIH DNS Query and DHCPv6 Processing Once the AIIH DNS finds the IPv6 host being queried the AIIH DNS requests from its corresponding AIIH DHCPv6 Server to assign an IPv4 Global Address to the IPv6 host being queried. The AIIH DHCPv6 Server will look within its pool of IPv4 Global Addresses for an address and if a Tunnel End Point address is required for the IPv6 host to reach the router to route packets onto the Internet. If an address is available the DHCPv6 Server will send a DHCPv6 Reconfigure-Init Message to the IPv6 node to temporarily assign the node an IPv4 Global Address [20]. Once the AIIH DHCPv6 server is certain that the IPv6 host has assigned the address to an interface, the AIIH DHCPv6 Server responds back to the corresponding AIIH DNS Server with the IPv4 Global Address assigned to the IPv6 host being queried, or that an address could not be assigned to this IPv6 host. It is important to wait for an acknowledgment from the client to be sure that the host is up before validating an IPv4 address has been assigned. Nevertheless, this could introduce a delay incompatible with the timer used during a DNS query. The dialog could be modified. Just after the DNS temporary IPv4 address assignment, the AIIH DNS returns this address but with a small TTL. The real TTL will be used if the acknowledgment is received, otherwise the IPv4 address is deprecated for a some period of time. The AIIH DNS Server will now respond to the IPv4 DNS Query as the Authoritative DNS Name Server with an address or host not found. The AIIH DHCPv6 Server MAY send a dynamic update to DNS [6] to add an A type record to the Primary DNS Server, where the query came from to the AIIH DNS Server. The Time-To-Live (TTL) field in the update MUST NOT be set to be greater than the valid lifetime for the IPv4-Compatible address in the DHCPv6 Extension provided to the DHCPv6 Client. It is highly recommended to not update the DNS with an A record for the IPv6 host, unless that IPv6 host provides a permanent IPv4 Application service needed by IPv4 hosts. 5.1.2. Cleaning up the AIIH IPv4 Assigned Address Once the IPv4 address expires, the DHCPv6 Server will permit the IPv4 address to be reused. But before the address can be reused the DHCPv6 Server MUST delete the IPv4 address from the Primary DNS Server, through the Dynamic Updates to DNS mechanism, if an A record was added to the relative Primary DNS Server. Bound,Toutain,Dupont,Durand Expires July 2001 [Page 11] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 If an AIIH client wants to keep the temporary IPv4 address after its expiration time, it MUST send a DHCPv6 Request Message before the address expires. 5.2 Links with other DNS When the Primary DNS Server for the IPv6 node receives the IPv4 hosts query, it will do a DNS search for that IPv6 host and find that there is an Authoritative DNS Server for that specific DNS A record, which represents an IPv6 host. That DNS Server will be one part of the AIIH Server software. After the AIIH DHCPv6 Server assigns the IPv6 node a temporary IPv4 Global Address, the AIIH DNS Server will respond to the original IPv4 DNS query authoritatively with an IPv4 Global Address for the IPv6 host or return host Not Found. For Example: IPv4 node "v4host.abc.com" queries for "v6host1.xyz.com" Query reaches Primary DNS Server for "v6host1.xyz.com". xyz.com. IN SOA primary.xyz.com. etc etc. . . xyz.com IN NS primary.xyz.com aiih.xyz.com IN NS v6trans.aiih.xyz.com . . primary.xyz.com IN A 202.13.12.6 v6trans.aiih.xyz.com IN A 202.13.12.8 . . . v6host1.xyz.com IN CNAME v6host1.aiih.xyz.com v6host2.xyz.com IN CNAME v6host2.aiih.xyz.com v6host3.xyz.com IN CNAME v6host3.aiih.xyz.com DNS query will end up going to the authoritative server v6trans.aiih.xyz.com looking for v6host1.aiih.xyz.com. This permits the AIIH Server to now process a request for an IPv4 Global Address for an IPv6 host that had no IPv6 DNS AAAA Record [18]. If DTI is present, the reverse DNS must be linked to the pool of addresses managed by the AIIH Server. Bound,Toutain,Dupont,Durand Expires July 2001 [Page 12] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 6. Applicability Statement This mechanism is only applicable to environments where the end-2-end connection is secure. More needs to go in this section. 7. Security Considerations The DSTMEXT1 mechanism can use all the defined security specifications for each functional part of the operation. For DNS the DNS Security Extensions/Update can be used [9, 10], for DHCPv6 the DHCPv6 Authentication Message can be used [4], and for communications between the IPv6 node, once it has an IPv4 address, and the remote IPv4 node, IPsec [7] can be used as DSTMEXT1 does not break secure end-to-end communications at any point in the mechanism. Acknowledgments TBD............ References [1] Mockapetris, P., "Domain Names - Concepts and Facilities", STD 13, RFC 1034, USC/Information Sciences Institute, November 1987. [2] Mockapetris, P., "Domain Names - Implementation and Specifica- tion", STD 13, RFC 1035, USC/Information Sciences Institute, November 1987. [3] S. Deering and R. Hinden. Internet Protocol, Version 6 (IPv6) Architecture", RFC 2460, December 1998. [4] J. Bound, M. Carney, C. Perkins, and R. Droms. Dynamic Host Configuration Protocol for IPv6. draft-ietf-dhc-dhcpv6-16.txt November 2000 (work in progress). [5] P. Vixie, S. Thomson, Y. Rekhter, and J. Bound. Dynamic Updates to the Domain Name System (DNS). RFC 2136, April 1997. [6] William R. Cheswick and Steven Bellovin. Firewalls and Internet Security. Addison-Wesley, Reading, MA 1994 (ISBN: 0-201-63357-4). Bound,Toutain,Dupont,Durand Expires July 2001 [Page 13] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 [7] IPSEC - S. Kent, R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401, November 1998. S. Kent, R. Atkinson. IP Authentication Header. RFC 2402, November 1998. S. Kent, R. Atkinson. IP Encapsulating Security Payload RFC 2406, November 1998. [8] S. Bradner. Key words for use in RFCs to indicate Requirement Levels. RFC 2119, March 1997. [9] D. Eastlake and C. Kaufman. Domain Name System Security Extensions. RFC 2065, January 1997. [10] D. Eastlake. Secure Domain Name System Dynamic Update. RFC 2137, April 1997. [11] R. Callon and D. Haskins. Routing Aspects Of IPv6 Transition RFC 2185, September 1997. [12] A. Conta and S. Deering. Generic Packet Tunneling in IPv6. RFC 2473, December 1998. [13] E. Nordmark. Stateless IP/ICMP Translator (SIIT) RFC 2765, February 2000. [14] R. Gilligan and E. Nordmark. Transition Mechanisms for IPv6 Hosts and Routers. RFC 2893, August 2000. [15] R. Droms. Dynamic Host Configuration Protocol. RFC 2131, March 1997. [16] Rekhter, Moskowitz, Karrenburg, Groot. Address Allocation for Private Networks. RFC 1918. February 1996. [17] M. Crawford, C. Huitema. DNS Extensions to Support IPv6 Address Aggregation and Renumbering. RFC 2874, July 2000. [18] Thomson, Narten. IPv6 Stateless Address Configuration. RFC 2462, December 1998. [19] Hinden, Deering. IP Version 6 Addressing Architecture. RFC 2373, July 1998. [20] Bound, Toutain, Afifi, Dupont, and Durand. Dual Stack Transition Method (DSTM), draft-ietf-ngtrans-dstm-04.txt February 2001. Bound,Toutain,Dupont,Durand Expires July 2001 [Page 14] INTERNET-DRAFT draft-ietf-ngtrans-dstmext1-aiih-00.txt Feruary 2001 Authors' Address Jim Bound Nokia Networks 5 Wayside Road Burlington, MA 01803 Phone: +1 781 492 0613 Email: Jim.Bound@nokia.com Laurent Toutain ENST Bretagne BP 78 35 512 Cesson Phone : +33 2 99 12 70 26 Email : Laurent.Toutain@enst-bretagne.fr Francis Dupont ENST Bretagne BP 78 35 512 Cesson Phone : +33 2 99 12 70 36 Email : Francis.Dupont@enst-bretagne.fr Alain Durand Sun Microsystems 901 San Antonio Road UMPK 17-202 Palo Alto, CA 94303-4900 Tel: +1 650 786 7503 Fax: +1 650 786 5896 Email: Alain.Durand@sun.com Bound,Toutain,Dupont,Durand Expires July 2001 [Page 15]