idnits 2.17.1 draft-ietf-softwire-map-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 24, 2014) is 3745 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC6052' is defined on line 1013, but no explicit reference was found in the text == Outdated reference: A later version (-06) exists of draft-ietf-softwire-map-deployment-03 == Outdated reference: A later version (-12) exists of draft-ietf-softwire-map-dhcp-06 -- Obsolete informational reference (is this intentional?): RFC 1933 (Obsoleted by RFC 2893) -- Obsolete informational reference (is this intentional?): RFC 3633 (Obsoleted by RFC 8415) Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group O. Troan, Ed. 3 Internet-Draft W. Dec 4 Intended status: Standards Track Cisco Systems 5 Expires: July 28, 2014 X. Li 6 C. Bao 7 CERNET Center/Tsinghua University 8 S. Matsushima 9 SoftBank Telecom 10 T. Murakami 11 IP Infusion 12 T. Taylor, Ed. 13 Huawei Technologies 14 January 24, 2014 16 Mapping of Address and Port with Encapsulation (MAP) 17 draft-ietf-softwire-map-10 19 Abstract 21 This document describes a mechanism for transporting IPv4 packets 22 across an IPv6 network using IP encapsulation, and a generic 23 mechanism for mapping between IPv6 addresses and IPv4 addresses and 24 transport layer ports. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on July 28, 2014. 43 Copyright Notice 45 Copyright (c) 2014 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 62 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 63 4. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 5 64 5. Mapping Algorithm . . . . . . . . . . . . . . . . . . . . . . 7 65 5.1. Port mapping algorithm . . . . . . . . . . . . . . . . . 8 66 5.2. Basic mapping rule (BMR) . . . . . . . . . . . . . . . . 9 67 5.3. Forwarding mapping rule (FMR) . . . . . . . . . . . . . . 12 68 5.4. Destinations outside the MAP domain . . . . . . . . . . . 13 69 6. The IPv6 Interface Identifier . . . . . . . . . . . . . . . . 13 70 7. MAP Configuration . . . . . . . . . . . . . . . . . . . . . . 14 71 7.1. MAP CE . . . . . . . . . . . . . . . . . . . . . . . . . 14 72 7.2. MAP BR . . . . . . . . . . . . . . . . . . . . . . . . . 15 73 8. Forwarding Considerations . . . . . . . . . . . . . . . . . . 15 74 8.1. Receiving Rules . . . . . . . . . . . . . . . . . . . . . 16 75 8.2. ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . 16 76 8.3. Fragmentation and Path MTU Discovery . . . . . . . . . . 17 77 8.3.1. Fragmentation in the MAP domain . . . . . . . . . . . 17 78 8.3.2. Receiving IPv4 Fragments on the MAP domain borders . 17 79 8.3.3. Sending IPv4 fragments to the outside . . . . . . . . 18 80 9. NAT44 Considerations . . . . . . . . . . . . . . . . . . . . 18 81 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 82 11. Security Considerations . . . . . . . . . . . . . . . . . . . 18 83 12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 84 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 85 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 86 14.1. Normative References . . . . . . . . . . . . . . . . . . 20 87 14.2. Informative References . . . . . . . . . . . . . . . . . 20 88 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 23 89 Appendix B. A More Detailed Description of the Derivation of the 90 Port Mapping Algorithm . . . . . . . . . . . . . . . 27 91 B.1. Bit Representation of the Algorithm . . . . . . . . . . . 29 92 B.2. GMA examples . . . . . . . . . . . . . . . . . . . . . . 30 93 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 95 1. Introduction 97 Mapping of IPv4 addresses in IPv6 addresses has been described in 98 numerous mechanisms dating back to 1996 [RFC1933]. The Automatic 99 tunneling mechanism described in RFC1933 assigned a globally unique 100 IPv6 address to a host by combining the host's IPv4 address with a 101 well-known IPv6 prefix. Given an IPv6 packet with a destination 102 address with an embedded IPv4 address, a node could automatically 103 tunnel this packet by extracting the IPv4 tunnel end-point address 104 from the IPv6 destination address. 106 There are numerous variations of this idea, described in 6over4 107 [RFC2529], 6to4 [RFC3056], ISATAP [RFC5214], and 6rd [RFC5969]. 109 The commonalities of all these IPv6 over IPv4 mechanisms are: 111 o Automatically provisions an IPv6 address for a host or an IPv6 112 prefix for a site 114 o Algorithmic or implicit address resolution of tunnel end point 115 addresses. Given an IPv6 destination address, an IPv4 tunnel 116 endpoint address can be calculated. 118 o Embedding of an IPv4 address or part thereof into an IPv6 address. 120 In later phases of IPv4 to IPv6 migration, it is expected that 121 IPv6-only networks will be common, while there will still be a need 122 for residual IPv4 deployment. This document describes a generic 123 mapping of IPv4 to IPv6, and a mechanism for encapsulating IPv4 over 124 IPv6. 126 Just as the IPv6 over IPv4 mechanisms referred to above, the residual 127 IPv4 over IPv6 mechanism must be capable of: 129 o Provisioning an IPv4 prefix, an IPv4 address or a shared IPv4 130 address. 132 o Algorithmically map between an IPv4 prefix, an IPv4 address or a 133 shared IPv4 address and an IPv6 address. 135 The mapping scheme described here supports encapsulation of IPv4 136 packets in IPv6 in both mesh and hub and spoke topologies, including 137 address mappings with full independence between IPv6 and IPv4 138 addresses. 140 This document describes delivery of IPv4 unicast service across an 141 IPv6 infrastructure. IPv4 multicast is not considered further in 142 this document. 144 The A+P (Address and Port) architecture of sharing an IPv4 address by 145 distributing the port space is described in [RFC6346]. Specifically 146 section 4 of [RFC6346] covers stateless mapping. The corresponding 147 stateful solution DS-lite is described in [RFC6333]. The motivation 148 for this work is described in 149 [I-D.ietf-softwire-stateless-4v6-motivation]. 151 A companion document defines a DHCPv6 option for provisioning of MAP 152 [I-D.ietf-softwire-map-dhcp]. Other means of provisioning are 153 possible. Deployment considerations are described in 154 [I-D.ietf-softwire-map-deployment]. 156 MAP relies on IPv6 and is designed to deliver dual-stack service 157 while allowing IPv4 to be phased out within the service 158 provider's(SP) network. The phasing out of IPv4 within the SP 159 network is independent of whether the end user disables IPv4 service 160 or not. Further, "greenfield"; IPv6-only networks may use MAP in 161 order to deliver IPv4 to sites via the IPv6 network. 163 2. Conventions 165 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 166 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 167 document are to be interpreted as described in RFC 2119 [RFC2119]. 169 3. Terminology 171 MAP domain: One or more MAP CEs and BRs connected to the 172 same virtual link. A service provider may 173 deploy a single MAP domain, or may utilize 174 multiple MAP domains. 176 MAP rule A set of parameters describing the mapping 177 between an IPv4 prefix, IPv4 address or 178 shared IPv4 address and an IPv6 prefix or 179 address. Each domain uses a different 180 mapping rule set. 182 MAP node A device that implements MAP. 184 MAP Border Relay (BR): A MAP enabled router managed by the service 185 provider at the edge of a MAP domain. A 186 Border Relay router has at least an 187 IPv6-enabled interface and an IPv4 interface 188 connected to the native IPv4 network. A MAP 189 BR may also be referred to simply as a "BR" 190 within the context of MAP. 192 MAP Customer Edge (CE): A device functioning as a Customer Edge 193 router in a MAP deployment. A typical MAP CE 194 adopting MAP rules will serve a residential 195 site with one WAN side interface, and one or 196 more LAN side interfaces. A MAP CE may also 197 be referred to simply as a "CE" within the 198 context of MAP. 200 Port-set: The separate part of the transport layer port 201 space; denoted as a port-set. 203 Port-set ID (PSID): Algorithmically identifies a set of ports 204 exclusively assigned to a CE. 206 Shared IPv4 address: An IPv4 address that is shared among multiple 207 CEs. Only ports that belong to the assigned 208 port-set can be used for communication. Also 209 known as a Port-Restricted IPv4 address. 211 End-user IPv6 prefix: The IPv6 prefix assigned to an End-user CE by 212 other means than MAP itself. E.g. 213 Provisioned using DHCPv6 PD [RFC3633], 214 assigned via SLAAC [RFC4862], or configured 215 manually. It is unique for each CE. 217 MAP IPv6 address: The IPv6 address used to reach the MAP 218 function of a CE from other CEs and from BRs. 220 Rule IPv6 prefix: An IPv6 prefix assigned by a Service Provider 221 for a mapping rule. 223 Rule IPv4 prefix: An IPv4 prefix assigned by a Service Provider 224 for a mapping rule. 226 Embedded Address (EA) bits: The IPv4 EA-bits in the IPv6 address 227 identify an IPv4 prefix/address (or part 228 thereof) or a shared IPv4 address (or part 229 thereof) and a port-set identifier. 231 4. Architecture 233 In accordance with the requirements stated above, the MAP mechanism 234 can operate with shared IPv4 addresses, full IPv4 addresses or IPv4 235 prefixes. Operation with shared IPv4 addresses is described here, 236 and the differences for full IPv4 addresses and prefixes are 237 described below. 239 The MAP mechanism uses existing standard building blocks. The 240 existing NAPT on the CE is used with additional support for 241 restricting transport protocol ports, ICMP identifiers and fragment 242 identifiers to the configured port-set. For packets outbound from 243 the private IPv4 network, the CE NAPT MUST translate transport 244 identifiers (e.g. TCP and UDP port numbers) so that they fall within 245 the CE's assigned port-range. 247 The NAPT MUST in turn be connected to a MAP-aware forwarding 248 function, that does encapsulation/ decapsulation of IPv4 packets in 249 IPv6. MAP supports the encapsulation mode specified in [RFC2473]. 250 In addition MAP specifies an algorithm to do "address resolution" 251 from an IPv4 address and port to an IPv6 address. This algorithmic 252 mapping is specified in Section 5. 254 The MAP architecture described here restricts the use of the shared 255 IPv4 address to only be used as the global address (outside) of the 256 NAPT [RFC2663] running on the CE. A shared IPv4 address MUST NOT be 257 used to identify an interface. While it is theoretically possible to 258 make host stacks and applications port-aware, it would be a drastic 259 change to the IP model [RFC6250]. 261 For full IPv4 addresses and IPv4 prefixes, the architecture just 262 described applies with two differences. First, a full IPv4 address 263 or IPv4 prefix can be used as it is today, e.g., for identifying an 264 interface or as a DHCP pool, respectively. Secondly, the NAPT is not 265 required to restrict the ports used on outgoing packets. 267 This architecture is illustrated in Figure 1. 269 User N 270 Private IPv4 271 | Network 272 | 273 O--+---------------O 274 | | MAP CE | 275 | +-----+--------+ | 276 | NAPT44| MAP | | 277 | +-----+ | |\ ,-------. .------. 278 | +--------+ | \ ,-' `-. ,-' `-. 279 O------------------O / \ O---------O / Public \ 280 / IPv6 only \ | MAP | / IPv4 \ 281 ( Network --+ Border +- Network ) 282 \ (MAP Domain) / | Relay | \ / 283 O------------------O \ / O---------O \ / 284 | MAP CE | /". ,-' `-. ,-' 285 | +-----+--------+ | / `----+--' ------' 286 | NAPT44| MAP | |/ 287 | +-----+ | | 288 | | +--------+ | 289 O---+--------------O 290 | 291 User M 292 Private IPv4 293 Network 295 Figure 1: Network Topology 297 The MAP BR connects one or more MAP domains to external IPv4 298 networks. 300 5. Mapping Algorithm 302 A MAP node is provisioned with one or more mapping rules. 304 Mapping rules are used differently depending on their function. 305 Every MAP node must be provisioned with a Basic mapping rule. This 306 is used by the node to configure its IPv4 address, IPv4 prefix or 307 shared IPv4 address. This same basic rule can also be used for 308 forwarding, where an IPv4 destination address and optionally a 309 destination port are mapped into an IPv6 address. Additional mapping 310 rules are specified to allow for multiple different IPv4 sub-nets to 311 exist within the domain and optimize forwarding between them. 313 Traffic outside of the domain (i.e. when the destination IPv4 address 314 does not match (using longest matching prefix) any Rule IPv4 prefix 315 in the Rules database) is forwarded to the BR. 317 There are two types of mapping rules: 319 1. Basic Mapping Rule (BMR) - mandatory. A CE can be provisioned 320 with multiple End-user IPv6 prefixes. There can only be one 321 Basic Mapping Rule per End-user IPv6 prefix. However all CE's 322 having End-user IPv6 prefixes within (aggregated by) the same 323 Rule IPv6 prefix may share the same Basic Mapping Rule. In 324 combination with the End-user IPv6 prefix, the Basic Mapping Rule 325 is used to derive the IPv4 prefix, address, or shared address and 326 the PSID assigned to the CE. 328 2. Forwarding Mapping Rule (FMR) - optional, used for forwarding. 329 The Basic Mapping Rule may also be a Forwarding Mapping Rule. 330 Each Forwarding Mapping Rule will result in an entry in the Rules 331 table for the Rule IPv4 prefix. Given a destination IPv4 address 332 and port within the MAP domain, a MAP node can use the matching 333 FMR to derive the End-user IPv6 address of the interface through 334 which that IPv4 destination address and port combination can be 335 reached. In hub and spoke mode there are no FMRs. 337 Both mapping rules share the same parameters: 339 o Rule IPv6 prefix (including prefix length) 341 o Rule IPv4 prefix (including prefix length) 343 o Rule EA-bits length (in bits) 345 A MAP node finds its BMR by doing a longest match between the End- 346 user IPv6 prefix and the Rule IPv6 prefix in the Mapping Rules table. 347 The rule is then used for IPv4 prefix, address or shared address 348 assignment. 350 A MAP IPv6 address is formed from the BMR Rule IPv6 prefix. This 351 address MUST be assigned to an interface of the MAP node and is used 352 to terminate all MAP traffic being sent or received to the node. 354 Port-restricted IPv4 routes are installed in the Rules table for all 355 the Forwarding Mapping Rules, and a default route is installed to the 356 MAP BR (see Section 5.4. 358 Forwarding rules are used to allow direct communication between MAP 359 CEs, known as mesh mode. In hub and spoke mode, there are no 360 forwarding rules, all traffic MUST be forwarded directly to the BR. 362 5.1. Port mapping algorithm 364 The port mapping algorithm is used in domains whose rules allow IPv4 365 address sharing. 367 The simplest way to represent a port range is using a notation 368 similar to CIDR [RFC4632]. For example the first 256 ports are 369 represented as port prefix 0.0/8. The last 256 ports as 255.0/8. In 370 hexadecimal, 0x0000/8 (PSID = 0) and 0xFF00/8 (PSID = 0xFF). Using 371 this technique, but wishing to avoid allocating the system ports 372 [I-D.ietf-tsvwg-iana-ports] to the user, one would have to exclude 373 the use of one or more PSIDs (e.g., PSIDs 0 to 3 in the example just 374 given). 376 When the PSID is embedded in the End-user IPv6 prefix, then to 377 minimise dependencies between the End-user IPv6 prefix and the 378 assigned port-set, it is desirable to minimize the restrictions of 379 possible PSID values. This is achieved by using an infix 380 representation of the port value. Using such a representation, the 381 well-known ports are excluded by restrictions on the value of the 382 high-order bitfield (A) rather than the PSID. 384 The infix algorithm allocates ports to a given CE as a series of 385 contiguous ranges spaced at regular intervals throughout the complete 386 range of possible port-set values. 388 0 1 389 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 390 +-----------+-----------+-------+ 391 Ports in | A | PSID | M | 392 the CE port-set | > 0 | | | 393 +-----------+-----------+-------+ 394 | a bits | k bits |m bits | 396 Figure 2: Structure of a port-restricted port field 398 a bits: The number of offset bits. 6 by default as this excludes the 399 system ports (0-1023). 401 A: Selects the range of the port number. For a > 0, A MUST be larger 402 than 0. This ensures that the algorithm excludes the system 403 ports. For the default value of a (6), the system ports, are 404 excluded by requiring that A be greater than 0. Smaller values of 405 a excludes a larger initial range. E.g. a = 4, will exclude ports 406 0 - 4095. The interval between successive contiguous ranges 407 assigned to the same user is 2^a. 409 PSID: The Port-Set Identifier (PSID). Different PSIDs guarantee 410 non-overlapping port-sets. 412 k bits: The length in bits of the PSID field. The sharing ratio is 413 2^k. The number of ports assigned to the user is 2^(16-k) - 2^m 414 (excluded ports) 416 M: Selects the specific port within a particular range specified by 417 the concatenation of A and the PSID. 419 m bits: The number of contiguous ports is given by 2^m. 421 5.2. Basic mapping rule (BMR) 423 The Basic Mapping Rule is mandatory, used by the CE to provision 424 itself with an IPv4 prefix, IPv4 address or shared IPv4 address. 425 Recall from Section 5 that the BMR consists of the following 426 parameters: 428 o Rule IPv6 prefix (including prefix length) 429 o Rule IPv4 prefix (including prefix length) 431 o Rule EA-bits length (in bits) 433 Figure 3 shows the structure of the complete MAP IPv6 address as 434 specified in this document. 436 | n bits | o bits | s bits | 128-n-o-s bits | 437 +--------------------+-----------+---------+-----------------------+ 438 | Rule IPv6 prefix | EA bits |subnet ID| interface ID | 439 +--------------------+-----------+---------+-----------------------+ 440 |<--- End-user IPv6 prefix --->| 442 Figure 3: MAP IPv6 Address Format 444 The Rule IPv6 prefix is the part of the End-user IPv6 prefix that is 445 common among all CEs using the same Basic Mapping Rule within the MAP 446 domain. The EA bits encode the CE specific IPv4 address and port 447 information. The EA bits, which are unique for a given Rule IPv6 448 prefix, can contain a full or part of an IPv4 address and, in the 449 shared IPv4 address case, a Port-Set Identifier (PSID). An EA-bit 450 length of 0 signifies that all relevant MAP IPv4 addressing 451 information is passed directly in the BMR, and not derived from the 452 End-user IPv6 prefix. 454 The MAP IPv6 address is created by concatenating the End-user IPv6 455 prefix with the MAP subnet identifier (if the End-user IPv6 prefix is 456 shorter than 64 bits) and the interface identifier as specified in 457 Section 6. 459 The MAP subnet identifier is defined to be the first subnet (s bits 460 set to zero). 462 Define: 464 r = length of the IPv4 prefix given by the BMR; 466 o = length of the EA bit field as given by the BMR; 468 p = length of the IPv4 suffix contained in the EA bit field. 470 The length r MAY be zero, in which case the complete IPv4 address or 471 prefix is encoded in the EA bits. If only a part of the IPv4 address 472 /prefix is encoded in the EA bits, the Rule IPv4 prefix is 473 provisioned to the CE by other means (e.g. a DHCPv6 option). To 474 create a complete IPv4 address (or prefix), the IPv4 address suffix 475 (p) from the EA bits, is concatenated with the Rule IPv4 prefix (r 476 bits). 478 The offset of the EA bits field in the IPv6 address is equal to the 479 BMR Rule IPv6 prefix length. The length of the EA bits field (o) is 480 given by the BMR Rule EA-bits length, and can be between 0 and 48. A 481 length of 48 means that the complete IPv4 address and port is 482 embedded in the End-user IPv6 prefix (a single port is assigned). A 483 length of 0 means that no part of the IPv4 address or port is 484 embedded in the address. The sum of the Rule IPv6 Prefix length and 485 the Rule EA-bits length MUST be less or equal than the End-user IPv6 486 prefix length. 488 If o + r < 32 (length of the IPv4 address in bits), then an IPv4 489 prefix is assigned. This case is shown in Figure 4. 491 IPv4 prefix: 493 | r bits | o bits = p bits | 494 +-------------+---------------------+ 495 | Rule IPv4 | IPv4 Address suffix | 496 +-------------+---------------------+ 497 | < 32 bits | 499 Figure 4: IPv4 prefix 501 If o + r is equal to 32, then a full IPv4 address is to be assigned. 502 The address is created by concatenating the Rule IPv4 prefix and the 503 EA-bits. This case is shown in Figure 5. 505 Complete IPv4 address: 507 | r bits | o bits = p bits | 508 +-------------+---------------------+ 509 | Rule IPv4 | IPv4 Address suffix | 510 +-------------+---------------------+ 511 | 32 bits | 513 Figure 5: Complete IPv4 address 515 If o + r is > 32, then a shared IPv4 address is to be assigned. The 516 number of IPv4 address suffix bits (p) in the EA bits is given by 32 517 - r bits. The PSID bits are used to create a port set. The length 518 of the PSID bit field within EA bits is: q = o - p. 520 Shared IPv4 address: 522 | r bits | p bits | | q bits | 523 +-------------+---------------------+ +------------+ 524 | Rule IPv4 | IPv4 Address suffix | |Port-Set ID | 525 +-------------+---------------------+ +------------+ 526 | 32 bits | 528 Figure 6: Shared IPv4 address 530 The length of r MAY be 32, with no part of the IPv4 address embedded 531 in the EA bits. This results in a mapping with no dependence between 532 the IPv4 address and the IPv6 address. In addition the length of o 533 MAY be zero (no EA bits embedded in the End-User IPv6 prefix), 534 meaning that also the PSID is provisioned using e.g. the DHCP option. 536 See Appendix A for an example of the Basic Mapping Rule. 538 5.3. Forwarding mapping rule (FMR) 540 The Forwarding Mapping Rule is optional, and used in mesh mode to 541 enable direct CE to CE connectivity. 543 On adding an FMR rule, an IPv4 route is installed in the Rules table 544 for the Rule IPv4 prefix. 546 | 32 bits | | 16 bits | 547 +--------------------------+ +-------------------+ 548 | IPv4 destination address | | IPv4 dest port | 549 +--------------------------+ +-------------------+ 550 : : ___/ : 551 | p bits | / q bits : 552 +----------+ +------------+ 553 |IPv4 sufx| |Port-Set ID | 554 +----------+ +------------+ 555 \ / ____/ ________/ 556 \ : __/ _____/ 557 \ : / / 558 | n bits | o bits | s bits | 128-n-o-s bits | 559 +--------------------+-----------+---------+------------+----------+ 560 | Rule IPv6 prefix | EA bits |subnet ID| interface ID | 561 +--------------------+-----------+---------+-----------------------+ 562 |<--- End-user IPv6 prefix --->| 564 Figure 7: Deriving of MAP IPv6 address 566 See Appendix A for an example of the Forwarding Mapping Rule. 568 5.4. Destinations outside the MAP domain 570 IPv4 traffic between MAP nodes that are all within one MAP domain is 571 encapsulated in IPv6, with the sender's MAP IPv6 address as the IPv6 572 source address and the receiving MAP node's MAP IPv6 address as the 573 IPv6 destination address. To reach IPv4 destinations outside of the 574 MAP domain, traffic is also encapsulated in IPv6, but the destination 575 IPv6 address is set to the configured IPv6 address of the MAP BR. 577 On the CE, the path to the BR can be represented as a point to point 578 IPv4 over IPv6 tunnel [RFC2473] with the source address of the tunnel 579 being the CE's MAP IPv6 address and the BR IPv6 address as the remote 580 tunnel address. When MAP is enabled, a typical CE router will 581 install a default IPv4 route to the BR. 583 The BR forwards traffic received from the outside to CE's using the 584 normal MAP forwarding rules. 586 6. The IPv6 Interface Identifier 588 The Interface identifier format of a MAP node is described below. 590 | 128-n-o-s bits | 591 | 16 bits| 32 bits | 16 bits| 592 +--------+----------------+--------+ 593 | 0 | IPv4 address | PSID | 594 +--------+----+-----------+--------+ 596 Figure 8 598 In the case of an IPv4 prefix, the IPv4 address field is right-padded 599 with zeroes up to 32 bits. The PSID field is left-padded to create a 600 16 bit field. For an IPv4 prefix or a complete IPv4 address, the 601 PSID field is zero. 603 If the End-user IPv6 prefix length is larger than 64, the most 604 significant parts of the interface identifier is overwritten by the 605 prefix. 607 7. MAP Configuration 609 For a given MAP domain, the BR and CE MUST be configured with the 610 following MAP elements. The configured values for these elements are 611 identical for all CEs and BRs within a given MAP domain. 613 o The Basic Mapping Rule and optionally the Forwarding Mapping 614 Rules, including the Rule IPv6 prefix, Rule IPv4 prefix, and 615 Length of EA bits 617 o Hub and spoke mode or Mesh mode. (If all traffic should be sent 618 to the BR, or if direct CE to CE traffic should be supported). 620 In addition the MAP CE MUST be configured with the IPv6 address(es) 621 of the MAP BR (Section 5.4). 623 7.1. MAP CE 625 The MAP elements are set to values that are the same across all CEs 626 within a MAP domain. The values may be configured in a variety of 627 manners, including provisioning methods such as the Broadband Forum's 628 "TR-69" Residential Gateway management interface, an XML-based object 629 retrieved after IPv6 connectivity is established, or manual 630 configuration by an administrator. IPv6 DHCP options for MAP 631 configuration is defined in [I-D.ietf-softwire-map-dhcp]. Other 632 configuration and management methods may use the format described by 633 this option for consistency and convenience of implementation on CEs 634 that support multiple configuration methods. 636 The only remaining provisioning information the CE requires in order 637 to calculate the MAP IPv4 address and enable IPv4 connectivity is the 638 IPv6 prefix for the CE. The End-user IPv6 prefix is configured as 639 part of obtaining IPv6 Internet access. 641 The MAP provisioning parameters, and hence the IPv4 service itself, 642 are tied to the associated End-user IPv6 prefix lifetime; thus, the 643 MAP service is also tied to this in terms of authorization, 644 accounting, etc. 646 A single MAP CE MAY be connected to more than one MAP domain, just as 647 any router may have more than one IPv4-enabled service provider 648 facing interface and more than one set of associated addresses 649 assigned by DHCP. Each domain a given CE operates within would 650 require its own set of MAP configuration elements and would generate 651 its own IPv4 address. Each MAP domain requires a distinct End-user 652 IPv6 prefix. 654 The MAP DHCP option is specified in [I-D.ietf-softwire-map-dhcp]. 656 7.2. MAP BR 658 The MAP BR MUST be configured with the same MAP elements as the MAP 659 CEs operating within the same domain. 661 For increased reliability and load balancing, the BR IPv6 address MAY 662 be an anycast address shared across a given MAP domain. As MAP is 663 stateless, any BR may be used at any time. If the BR IPv6 address is 664 anycast the relay MUST use this anycast IPv6 address as the source 665 address in packets relayed to CEs. 667 Since MAP uses provider address space, no specific routes need to be 668 advertised externally for MAP to operate, neither in IPv6 nor IPv4 669 BGP. However, if anycast is used for the MAP IPv6 relays, the 670 anycast addresses must be advertised in the service provider's IGP. 672 8. Forwarding Considerations 674 Figure 1 depicts the overall MAP architecture with IPv4 users (N and 675 M) networks connected to a routed IPv6 network. 677 MAP uses Encapsulation mode as specified in [RFC2473]. 679 For a shared IPv4 address, a MAP CE forwarding IPv4 packets from the 680 LAN performs NAT44 functions first and creates appropriate NAT44 681 bindings. The resulting IPv4 packets MUST contain the source IPv4 682 address and source transport identifiers specified by the MAP 683 provisioning parameters. The IPv4 packet is forwarded using the CE's 684 MAP forwarding function. The IPv6 source and destination addresses 685 MUST then be derived as per Section 5 of this draft. 687 8.1. Receiving Rules 689 A MAP CE receiving an IPv6 packet to its MAP IPv6 address sends this 690 packet to the CE's MAP function where it is decapsulated. The 691 resulting IPv4 packet is then forwarded to the CE's NAT44 function 692 where it is handled according to the NAT's translation table. 694 A MAP BR receiving IPv6 packets selects a best matching MAP domain 695 rule (Rule IPv6 prefix) based on a longest address match of the 696 packet's IPv6 source address, as well as a match of the packet 697 destination address against the configured BR IPv6 address(es). The 698 selected MAP rule allows the BR to determine the EA-bits from the 699 source IPv6 address. 701 To prevent spoofing of IPv4 addresses, any MAP node (CE and BR) MUST 702 perform the following validation upon reception of a packet. First, 703 the embedded IPv4 address or prefix, as well as PSID (if any), are 704 extracted from the source IPv6 address using the matching MAP rule. 705 These represent the range of what is acceptable as source IPv4 706 address and port. Secondly, the node extracts the source IPv4 707 address and port from the IPv4 packet embedded inside the IPv6 708 packet. If they are found to be outside the acceptable range, the 709 packet MUST be silently discard and a counter incremented to indicate 710 that a potential spoofing attack may be underway. The source 711 validation checks just described are not done for packets whose 712 source IPv6 address is that of the BR (BR IPv6 address). 714 By default, the CE router MUST drop packets received on the MAP 715 virtual interface (i.e., after decapsulation of IPv6) for IPv4 716 destinations not for its own IPv4 shared address, full IPv4 address 717 or IPv4 prefix. 719 8.2. ICMP 721 ICMP message should be supported in MAP domain. Hence, the NAT44 in 722 MAP CE MUST implement the behavior for ICMP message conforming to the 723 best current practice documented in [RFC5508]. 725 If a MAP CE receives an ICMP message having ICMP identifier field in 726 ICMP header, NAT44 in the MAP CE MUST rewrite this field to a 727 specific value assigned from the port set. BR and other CEs must 728 handle this field similar to the port number in the TCP/UDP header 729 upon receiving the ICMP message with ICMP identifier field. 731 If a MAP node receives an ICMP error message without the ICMP 732 identifier field for errors that is detected inside a IPv6 tunnel, a 733 node should relay the ICMP error message to the original source. 734 This behavior SHOULD be implemented conforming to the section 8 of 735 [RFC2473]. 737 8.3. Fragmentation and Path MTU Discovery 739 Due to the different sizes of the IPv4 and IPv6 header, handling the 740 maximum packet size is relevant for the operation of any system 741 connecting the two address families. There are three mechanisms to 742 handle this issue: Path MTU discovery (PMTUD), fragmentation, and 743 transport-layer negotiation such as the TCP Maximum Segment Size 744 (MSS) option [RFC0897]. MAP uses all three mechanisms to deal with 745 different cases. 747 8.3.1. Fragmentation in the MAP domain 749 Encapsulating an IPv4 packet to carry it across the MAP domain will 750 increase its size (typically by 40 bytes). It is strongly 751 recommended that the MTU in the MAP domain be well managed and that 752 the IPv6 MTU on the CE WAN side interface be set so that no 753 fragmentation occurs within the boundary of the MAP domain. 755 Fragmentation on MAP domain entry is described in section 7.2 of 756 [RFC2473]. 758 The use of an anycast source address could lead to an ICMP error 759 message generated on the path being sent to a different BR. 760 Therefore, using dynamic tunnel MTU Section 6.7 of [RFC2473] is 761 subject to IPv6 Path MTU black-holes. A MAP BR using an anycast 762 source address SHOULD NOT by default use Path MTU discovery across 763 the MAP domain. 765 Multiple BRs using the same anycast source address could send 766 fragmented packets to the same CE at the same time. If the 767 fragmented packets from different BRs happen to use the same fragment 768 ID, incorrect reassembly might occur. See [RFC4459] for an analysis 769 of the problem. Section 3.4 suggests solving the problem by 770 fragmenting the inner packet. 772 8.3.2. Receiving IPv4 Fragments on the MAP domain borders 774 Forwarding of an IPv4 packet received from the outside of the MAP 775 domain requires the IPv4 destination address and the transport 776 protocol destination port. The transport protocol information is 777 only available in the first fragment received. As described in 778 section 5.3.3 of [RFC6346] a MAP node receiving an IPv4 fragmented 779 packet from outside has to reassemble the packet before sending the 780 packet onto the MAP link. If the first packet received contains the 781 transport protocol information, it is possible to optimize this 782 behavior by using a cache and forwarding the fragments unchanged. 783 Implementers of MAP should be aware that there are a number of well- 784 known attacks against IP fragmentation; see [RFC1858] and [RFC3128]. 785 Implementers should also be aware of additional issues with 786 reassembling packets at high rates, as described in [RFC4963]. 788 8.3.3. Sending IPv4 fragments to the outside 790 If two IPv4 host behind two different MAP CE's with the same IPv4 791 address sends fragments to an IPv4 destination host outside the 792 domain, those hosts may use the same IPv4 fragmentation identifier, 793 resulting in incorrect reassembly of the fragments at the destination 794 host. Given that the IPv4 fragmentation identifier is a 16 bit 795 field, it can be used similarly to port ranges. A MAP CE SHOULD 796 rewrite the IPv4 fragmentation identifier to be within its allocated 797 port-set. 799 9. NAT44 Considerations 801 The NAT44 implemented in the MAP CE SHOULD conform with the behavior 802 and best current practice documented in [RFC4787], [RFC5508], and 803 [RFC5382]. In MAP address sharing mode (determined by the MAP domain 804 /rule configuration parameters) the operation of the NAT44 MUST be 805 restricted to the available port numbers derived via the basic 806 mapping rule. 808 10. IANA Considerations 810 This specification does not require any IANA actions. 812 11. Security Considerations 814 Spoofing attacks: With consistency checks between IPv4 and IPv6 815 sources that are performed on IPv4/IPv6 packets received by MAP 816 nodes, MAP does not introduce any new opportunity for spoofing 817 attacks that would not already exist in IPv6. 819 Denial-of-service attacks: In MAP domains where IPv4 addresses are 820 shared, the fact that IPv4 datagram reassembly may be necessary 821 introduces an opportunity for DOS attacks. This is inherent to 822 address sharing, and is common with other address sharing 823 approaches such as DS-Lite and NAT64/DNS64. The best protection 824 against such attacks is to accelerate IPv6 deployment, so that, 825 where MAP is supported, it is less and less used. 827 Routing-loop attacks: This attack may exist in some automatic 828 tunneling scenarios are documented in [RFC6324]. They cannot 829 exist with MAP because each BRs checks that the IPv6 source 830 address of a received IPv6 packet is a CE address based on 831 Forwarding Mapping Rule. 833 Attacks facilitated by restricted port set: From hosts 834 that are not subject to ingress filtering of [RFC2827], some 835 attacks are possible by an attacker injecting spoofed packets 836 during ongoing transport connections ([RFC4953], [RFC5961], 837 [RFC6056]. The attacks depend on guessing which ports are 838 currently used by target hosts, and using an unrestricted port-set 839 is preferable, i.e. Using native IPv6 connections that are not 840 subject to MAP port range restrictions. To minimize this type of 841 attacks when using a restricted port-set, the MAP CE's NAT44 842 filtering behavior SHOULD be "Address-Dependent Filtering". 843 Furthermore, the MAP CEs SHOULD use a DNS transport proxy function 844 to handle DNS traffic, and source such traffic from IPv6 845 interfaces not assigned to MAP. 847 [RFC6269] outlines general issues with IPv4 address sharing. 849 12. Contributors 851 This document is the result of the IETF Softwire MAP design team 852 effort and numerous previous individual contributions in this area: 854 Chongfeng Xie (China Telecom) 855 Room 708, No.118, Xizhimennei Street Beijing 100035 CN 856 Phone: +86-10-58552116 857 Email: xiechf@ctbri.com.cn 859 Qiong Sun (China Telecom) 860 Room 708, No.118, Xizhimennei Street Beijing 100035 CN 861 Phone: +86-10-58552936 862 Email: sunqiong@ctbri.com.cn 864 Gang Chen (China Mobile) 865 53A,Xibianmennei Ave. Beijing 100053 P.R.China 866 Email: chengang@chinamobile.com 868 Yu Zhai 869 CERNET Center/Tsinghua University 870 Room 225, Main Building, Tsinghua University 871 Beijing 100084 872 CN 873 Email: jacky.zhai@gmail.com 875 Wentao Shang (CERNET Center/Tsinghua University) 876 Room 225, Main Building, Tsinghua University Beijing 100084 877 CN 878 Email: wentaoshang@gmail.com 880 Guoliang Han (CERNET Center/Tsinghua University) 881 Room 225, Main Building, Tsinghua University Beijing 100084 882 CN 883 Email: bupthgl@gmail.com 885 Rajiv Asati (Cisco Systems) 886 7025-6 Kit Creek Road Research Triangle Park NC 27709 USA 887 Email: rajiva@cisco.com 889 13. Acknowledgements 891 This document is based on the ideas of many, including Masakazu 892 Asama, Mohamed Boucadair, Gang Chen, Maoke Chen, Wojciech Dec, 893 Xiaohong Deng, Jouni Korhonen, Tomasz Mrugalski, Jacni Qin, Chunfa 894 Sun, Qiong Sun, and Leaf Yeh. The authors want in particular to 895 recognize Remi Despres, who has tirelessly worked on generalized 896 mechanisms for stateless address mapping. 898 The authors would like to thank Lichun Bao, Guillaume Gottard, Dan 899 Wing, Jan Zorz, Necj Scoberne, Tina Tsou, Kristian Poscic, and 900 especially Tom Taylor and Simon Perreault for the thorough review and 901 comments of this document. 903 14. References 905 14.1. Normative References 907 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 908 Requirement Levels", BCP 14, RFC 2119, March 1997. 910 [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in 911 IPv6 Specification", RFC 2473, December 1998. 913 14.2. Informative References 915 [I-D.ietf-softwire-map-deployment] 916 Qiong, Q., Chen, M., Chen, G., Tsou, T., and S. Perreault, 917 "Mapping of Address and Port (MAP) - Deployment 918 Considerations", draft-ietf-softwire-map-deployment-03 919 (work in progress), October 2013. 921 [I-D.ietf-softwire-map-dhcp] 922 Mrugalski, T., Troan, O., Dec, W., Bao, C., 923 leaf.yeh.sdo@gmail.com, l., and X. Deng, "DHCPv6 Options 924 for configuration of Softwire Address and Port Mapped 925 Clients", draft-ietf-softwire-map-dhcp-06 (work in 926 progress), November 2013. 928 [I-D.ietf-softwire-stateless-4v6-motivation] 929 Boucadair, M., Matsushima, S., Lee, Y., Bonness, O., 930 Borges, I., and G. Chen, "Motivations for Carrier-side 931 Stateless IPv4 over IPv6 Migration Solutions", draft-ietf- 932 softwire-stateless-4v6-motivation-05 (work in progress), 933 November 2012. 935 [I-D.ietf-tsvwg-iana-ports] 936 Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S. 937 Cheshire, "Internet Assigned Numbers Authority (IANA) 938 Procedures for the Management of the Service Name and 939 Transport Protocol Port Number Registry", draft-ietf- 940 tsvwg-iana-ports-10 (work in progress), February 2011. 942 [RFC0897] Postel, J., "Domain name system implementation schedule", 943 RFC 897, February 1984. 945 [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security 946 Considerations for IP Fragment Filtering", RFC 1858, 947 October 1995. 949 [RFC1933] Gilligan, R. and E. Nordmark, "Transition Mechanisms for 950 IPv6 Hosts and Routers", RFC 1933, April 1996. 952 [RFC2529] Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4 953 Domains without Explicit Tunnels", RFC 2529, March 1999. 955 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 956 Translator (NAT) Terminology and Considerations", RFC 957 2663, August 1999. 959 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 960 Defeating Denial of Service Attacks which employ IP Source 961 Address Spoofing", BCP 38, RFC 2827, May 2000. 963 [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains 964 via IPv4 Clouds", RFC 3056, February 2001. 966 [RFC3128] Miller, I., "Protection Against a Variant of the Tiny 967 Fragment Attack (RFC 1858)", RFC 3128, June 2001. 969 [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic 970 Host Configuration Protocol (DHCP) version 6", RFC 3633, 971 December 2003. 973 [RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the- 974 Network Tunneling", RFC 4459, April 2006. 976 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 977 (CIDR): The Internet Address Assignment and Aggregation 978 Plan", BCP 122, RFC 4632, August 2006. 980 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 981 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 982 RFC 4787, January 2007. 984 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 985 Address Autoconfiguration", RFC 4862, September 2007. 987 [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", RFC 988 4953, July 2007. 990 [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly 991 Errors at High Data Rates", RFC 4963, July 2007. 993 [RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site 994 Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214, 995 March 2008. 997 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 998 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 999 RFC 5382, October 2008. 1001 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 1002 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 1003 April 2009. 1005 [RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's 1006 Robustness to Blind In-Window Attacks", RFC 5961, August 1007 2010. 1009 [RFC5969] Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4 1010 Infrastructures (6rd) -- Protocol Specification", RFC 1011 5969, August 2010. 1013 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 1014 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, 1015 October 2010. 1017 [RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport- 1018 Protocol Port Randomization", BCP 156, RFC 6056, January 1019 2011. 1021 [RFC6250] Thaler, D., "Evolution of the IP Model", RFC 6250, May 1022 2011. 1024 [RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P., and P. 1025 Roberts, "Issues with IP Address Sharing", RFC 6269, June 1026 2011. 1028 [RFC6324] Nakibly, G. and F. Templin, "Routing Loop Attack Using 1029 IPv6 Automatic Tunnels: Problem Statement and Proposed 1030 Mitigations", RFC 6324, August 2011. 1032 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 1033 Stack Lite Broadband Deployments Following IPv4 1034 Exhaustion", RFC 6333, August 2011. 1036 [RFC6346] Bush, R., "The Address plus Port (A+P) Approach to the 1037 IPv4 Address Shortage", RFC 6346, August 2011. 1039 Appendix A. Examples 1041 Example 1 - Basic Mapping Rule 1042 Given the MAP domain information and an IPv6 address of 1043 an endpoint: 1045 End-user IPv6 prefix: 2001:db8:0012:3400::/56 1046 Basic Mapping Rule: {2001:db8:0000::/40 (Rule IPv6 prefix), 1047 192.0.2.0/24 (Rule IPv4 prefix), 1048 16 (Rule EA-bits length)} 1049 PSID length: (16 - (32 - 24) = 8. (Sharing ratio of 256) 1050 PSID offset: 6 (default) 1052 A MAP node (CE or BR) can via the BMR, or equivalent FMR, 1053 determine the IPv4 address and port-set as shown below: 1055 EA bits offset: 40 1056 IPv4 suffix bits (p) Length of IPv4 address (32) - 1057 IPv4 prefix length (24) = 8 1058 IPv4 address: 192.0.2.18 (0xc0000212) 1059 PSID start: 40 + p = 40 + 8 = 48 1060 PSID length: o - p = (56 - 40) - 8 = 8 1061 PSID: 0x34 1063 Available ports (63 ranges) : 1232-1235, 2256-2259, ...... , 1064 63696-63699, 64720-64723 1066 The BMR information allows a MAP CE to determine (complete) 1067 its IPv6 address within the indicated IPv6 prefix. 1069 IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034 1071 Example 2 - BR: 1073 Another example can be made of a MAP BR, 1074 configured with the following FMR when receiving a packet 1075 with the following characteristics: 1077 IPv4 source address: 1.2.3.4 (0x01020304) 1078 IPv4 source port: 80 1079 IPv4 destination address: 192.0.2.18 (0xc0000212) 1080 IPv4 destination port: 1232 1082 Forwarding Mapping Rule: {2001:db8::/40 (Rule IPv6 prefix), 1083 192.0.2.0/24 (Rule IPv4 prefix), 1084 16 (Rule EA-bits length)} 1086 IPv6 address of MAP BR: 2001:db8:ffff::1 1088 The above information allows the BR to derive as follows 1089 the mapped destination IPv6 address for the corresponding 1090 MAP CE, and also the mapped source IPv6 address for 1091 the IPv4 source address. 1093 IPv4 suffix bits (p): 32 - 24 = 8 (18 (0x12)) 1094 PSID length: 8 1095 PSID: 0x34 (1232) 1097 The resulting IPv6 packet will have the following key fields: 1099 IPv6 source address: 2001:db8:ffff::1 1100 IPv6 destination address: 2001:db8:0012:3400:0000:c000:0212:0034 1102 Example 3 - FMR: 1104 An IPv4 host behind the MAP CE (addressed as per the previous 1105 examples) corresponding with IPv4 host 1.2.3.4 will have its 1106 packets encapsulated by IPv6 using the IPv6 address of the BR 1107 configured on the MAP CE as follows: 1109 IPv6 address of BR: 2001:db8:ffff::1 1110 IPv4 source address: 192.0.2.18 1111 IPv4 destination address: 1.2.3.4 1112 IPv4 source port: 1232 1113 IPv4 destination port: 80 1114 MAP CE IPv6 source address: 2001:db8:0012:3400:0000:c000:0212:0034 1115 IPv6 destination address: 2001:db8:ffff::1 1116 Example 4 - Rule with no embedded address bits and no address sharing 1118 End-User IPv6 prefix: 2001:db8:0012:3400::/56 1119 Basic Mapping Rule: {2001:db8:0012:3400::/56 (Rule IPv6 prefix), 1120 192.0.2.18/32 (Rule IPv4 prefix), 1121 0 (Rule EA-bits length)} 1122 PSID length: 0 (Sharing ratio is 1) 1123 PSID offset: n/a 1125 A MAP node (CE or BR) can via the BMR or equivalent FMR, determine 1126 the IPv4 address and port-set as shown below: 1128 EA bits offset: 0 1129 IPv4 suffix bits (p): Length of IPv4 address (32) - 1130 IPv4 prefix length (32) = 0 1131 IPv4 address: 192.0.2.18 (0xc0000212) 1132 PSID start: 0 1133 PSID length: 0 1134 PSID: null 1136 The BMR information allows a MAP CE also to determine (complete) 1137 its full IPv6 address by combining the IPv6 prefix with the MAP 1138 interface identifier (that embeds the IPv4 address). 1140 IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0201:0000 1142 Example 5 - Rule with no embedded address bits and address sharing 1143 (sharing ratio 256) 1144 End-User IPv6 prefix: 2001:db8:0012:3400::/56 1145 Basic Mapping Rule: {2001:db8:0012:3400::/56 (Rule IPv6 prefix), 1146 192.0.2.18/32 (Rule IPv4 prefix), 1147 0 (Rule EA-bits length)} 1148 PSID length: 8. (From DHCP. Sharing ratio of 256) 1149 PSID offset: 6 (Default) 1150 PSID : 0x34 (Provisioned with DHCP.) 1152 A MAP node can via the BMR determine the IPv4 address and port-set 1153 as shown below: 1155 EA bits offset: 0 1156 IPv4 suffix bits (p): Length of IPv4 address (32) - 1157 IPv4 prefix length (32) = 0 1158 IPv4 address: 192.0.2.18 (0xc0000212) 1159 PSID offset: 6 1160 PSID length: 8 1161 PSID: 0x34 1163 Available ports (63 ranges) : 1232-1235, 2256-2259, ...... , 1164 63696-63699, 64720-64723 1166 The BMR information allows a MAP CE also to determine (complete) 1167 its full IPv6 address by combining the IPv6 prefix with the MAP 1168 interface identifier (that embeds the IPv4 address and PSID). 1170 IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034 1172 Note that the IPv4 address and PSID is not derived from the IPv6 1173 prefix assigned to the CE, but provisioned separately using 1174 e.g. DHCP. 1176 Appendix B. A More Detailed Description of the Derivation of the Port 1177 Mapping Algorithm 1179 This Appendix describes how the port mapping algorithm described in 1180 Section 5.1 was derived. The algorithm is used in domains whose 1181 rules allow IPv4 address sharing. 1183 The basic requirement for a port mapping algorithm is that the port- 1184 sets it assigns to different MAP CEs MUST be non-overlapping. A 1185 number of other requirements guided the choice of the algorithm: 1187 o In keeping with the general MAP algorithm the port-set MUST be 1188 derivable from a port-set identifier (PSID) that can be embedded 1189 in the End-user IPv6 prefix. 1191 o The mapping MUST be reversible, such that, given the port number, 1192 the PSID of the port-set to which it belongs can be quickly 1193 derived. 1195 o The algorithm MUST allow a broad range of address sharing ratios. 1197 o It SHOULD be possible to exclude subsets of the complete port 1198 numbering space from assignment. Most operators would exclude the 1199 system ports (0-1023). A conservative operator might exclude all 1200 but the transient ports (49152-65535). 1202 o The effect of port exclusion on the possible values of the End- 1203 user IPv6 prefix (i.e., due to restrictions on the PSID value) 1204 SHOULD be minimized. 1206 o For administrative simplicity, the algorithm SHOULD allocate the 1207 the same or almost the same number of ports to each CE sharing a 1208 given IPv4 address. 1210 The two extreme cases that an algorithm satisfying those conditions 1211 might support are: (1) the port numbers are not contiguous for each 1212 PSID, but uniformly distributed across the allowed port range; (2) 1213 the port numbers are contiguous in a single range for each PSID. The 1214 port mapping algorithm proposed here is called the Generalized 1215 Modulus Algorithm (GMA) and supports both these cases. 1217 For a given IPv4 address sharing ratio (R) and the maximum number of 1218 contiguous ports (M) in a port-set, the GMA is defined as: 1220 a. The port numbers (P) corresponding to a given PSID are generated 1221 by: 1223 (1) ... P = (R * M) * i + M * PSID + j 1225 where i and j are indices and the ranges of i, j, and the PSID 1226 are discussed in a moment. 1228 b. For any given port number P, the PSID is calculated as: 1230 (2) ... PSID = trunc((P modulo (R * M)) / M) 1232 where trunc() is the operation of rounding down to the nearest 1233 integer. 1235 Formula (1) can be interpreted as follows. First, the available port 1236 space is divided into blocks of size R * M. Each block is divided 1237 into R individual ranges of length M. The index i in formula (1) 1238 selects a block, PSID selects a range within that block, and the 1239 index j selects a specific port value within the range. On the basis 1240 of this interpretation: 1242 o i ranges from ceil(N / (R * M)) to trunc(65536/(R * M)) - 1, where 1243 ceil is the operation of rounding up to the nearest integer and N 1244 is the number of ports (e.g., 1024) excluded from the lower end of 1245 the range. That is, any block containing excluded values is 1246 discarded at the lower end, and if the final block has fewer than 1247 R * M values it is discarded. This ensures that the same number 1248 of ports is assigned to every PSID. 1250 o PSID ranges from 0 to R - 1; 1252 o j ranges from 0 to M - 1. 1254 B.1. Bit Representation of the Algorithm 1256 If R and M are powers of 2 (R = 2^k, M = 2^m), formula (1) translates 1257 to a computationally convenient structure for any port number 1258 represented as a 16-bit binary number. This structure is shown in 1259 Figure 9. 1261 0 8 15 1262 +---------------+----------+------+-------------------+ 1263 | P | 1264 ----------------+-----------------+-------------------+ 1265 | i | PSID | j | 1266 +---------------+----------+------+-------------------+ 1267 |<----a bits--->|<-----k bits---->|<------m bits----->| 1269 Figure 9: Bit Representation of a Port Number 1271 As shown in the figure, the index value i of formula (1) is given by 1272 the first a = 16 - k - m bits of the port number. The PSID value is 1273 given by the next k bits, and the index value j is given by the last 1274 m bits. 1276 For any port number, the PSID can be obtained by a bit mask 1277 operation. 1279 Note that when M and R are powers of 2, 65536 divides evenly by R * 1280 M. Hence the final block is complete and the upper bound on i is 1281 exactly 65536/(R * M) - 1. The lower bound on i is still the minimum 1282 required to ensure that the required set of ports is excluded. No 1283 port numbers are wasted through discarding of blocks at the lower end 1284 if block size R * M is a factor of N, the number of ports to be 1285 excluded. 1287 As a final note, the number of blocks into which the range 0-65535 is 1288 being divided in the above representation is given by 2^a. Hence the 1289 case where a = 0 can be interpreted as one where the complete range 1290 has been divided into a single block, and individual port-sets are 1291 contained in contiguous ranges in that block. We cannot throw away 1292 the whole block in that case, so port exclusion has to be achieved by 1293 putting a lower bound equal to ceil(N / M) on the allowed set of PSID 1294 values instead. 1296 B.2. GMA examples 1298 For example, for R = 256, PSID = 0, offset: a = 6 and PSID length: k 1299 = 8 bits 1301 Available ports (63 ranges) : 1024-1027, 2048-2051, ...... , 1302 63488-63491, 64512-64515 1304 Example 1: with offset = 6 (a = 6) 1306 For example, for R = 64, PSID = 0, a = 0 (PSID offset = 0 and PSID 1307 length = 6 bits), no port exclusion: 1309 Available ports (1 range) : 0-1023 1311 Example 2: with offset = 0 (a = 0) and N = 0 1313 Authors' Addresses 1315 Ole Troan (editor) 1316 Cisco Systems 1317 Philip Pedersens vei 1 1318 Lysaker 1366 1319 Norway 1321 Email: ot@cisco.com 1322 Wojciech Dec 1323 Cisco Systems 1324 Haarlerbergpark Haarlerbergweg 13-19 1325 Amsterdam, NOORD-HOLLAND 1101 CH 1326 Netherlands 1328 Email: wdec@cisco.com 1330 Xing Li 1331 CERNET Center/Tsinghua University 1332 Room 225, Main Building, Tsinghua University 1333 Beijing 100084 1334 CN 1336 Email: xing@cernet.edu.cn 1338 Congxiao Bao 1339 CERNET Center/Tsinghua University 1340 Room 225, Main Building, Tsinghua University 1341 Beijing 100084 1342 CN 1344 Email: congxiao@cernet.edu.cn 1346 Satoru Matsushima 1347 SoftBank Telecom 1348 1-9-1 Higashi-Shinbashi, Munato-ku 1349 Tokyo 1350 Japan 1352 Email: satoru.matsushima@g.softbank.co.jp 1354 Tetsuya Murakami 1355 IP Infusion 1356 1188 East Arques Avenue 1357 Sunnyvale 1358 USA 1360 Email: tetsuya@ipinfusion.com 1361 Tom Taylor (editor) 1362 Huawei Technologies 1363 Ottawa 1364 Canada 1366 Email: tom.taylor.stds@gmail.com