Behave WG T. Savolainen Internet-Draft Nokia Intended status: Standards Track J. Korhonen Expires: June 21, 2012 Nokia Siemens Networks December 19, 2011 Discovery of a Network-Specific NAT64 Prefix using a Well-Known Name draft-ietf-behave-nat64-discovery-heuristic-04.txt Abstract This document describes a method for detecting presence of DNS64 and for learning IPv6 prefix used for protocol translation on an access network without explicit support from the access network. The method depends on existence of a well-known IPv4-only domain name "ipv4only.arpa". The information learned enables applications and hosts to perform local IPv6 address synthesis and on dual-stack accesses avoid traversal through NAT64. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on June 21, 2012. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Savolainen & Korhonen Expires June 21, 2012 [Page 1] Internet-Draft NSP Discovery using WKN December 2011 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements and Terminology . . . . . . . . . . . . . . . . . 3 2.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 3. Host behavior . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Learning NAT64 prefix securely by using DNSSEC . . . . . . 5 3.2. Connectivity test . . . . . . . . . . . . . . . . . . . . 7 4. Operational considerations for hosting the IPv4-only well-known name . . . . . . . . . . . . . . . . . . . . . . . 7 5. DNS(64) entity considerations . . . . . . . . . . . . . . . . 7 6. Exit strategy . . . . . . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 8.1. About the IPv4 address for the well-known name . . . . . . 9 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 10. Normative References . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 Savolainen & Korhonen Expires June 21, 2012 [Page 2] Internet-Draft NSP Discovery using WKN December 2011 1. Introduction As part of the transition to IPv6 NAT64 [RFC6146] and DNS64 [RFC6147] technologies will be utilized by some access networks to provide IPv4 connectivity for IPv6-only hosts. The DNS64 utilizes IPv6 address synthesis to create local IPv6 presentations of peers having only IPv4 addresses, hence allowing DNS-using IPv6-only hosts to communicate with IPv4-only peers. However, DNS64 cannot serve applications not using DNS, such as those receiving IPv4 address literals as referrals. Such applications could nevertheless be able to work through NAT64, provided they are able to create locally valid IPv6 presentations of peers' IPv4 addresses. Additionally, DNS64 is not able to do IPv6 address synthesis for hosts running validating DNSSEC enabled resolvers, but instead the synthesis must be done by the hosts themselves. In order to perform IPv6 synthesis hosts have to learn the IPv6 prefix(es) used on the access network for protocol translation. This document describes a best effort method for applications and hosts to learn the information required to perform local IPv6 address synthesis. An example application is a browser encountering IPv4 address literals in an IPv6-only access network. Another example is a host running validating security aware DNS resolver in an IPv6-only access network. The knowledge of IPv6 address synthesis taking place may also be useful if DNS64 and NAT64 are present in dual-stack enabled access networks. In such cases hosts may choose to prefer IPv4 in order to avoid traversal through protocol translators. It is important to notice that use of this approach will not result in as robust and good behaving system as an all-IPv6 system would be. Hence it is highly RECOMMENDED to upgrade to IPv6 and utilize the described method only as a short-term solution. 2. Requirements and Terminology 2.1. Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Savolainen & Korhonen Expires June 21, 2012 [Page 3] Internet-Draft NSP Discovery using WKN December 2011 2.2. Terminology Well-Known IPv4-only Name (WKN): a fully qualified domain name, "ipv4only.arpa", well-known to have only A record. Well-Known IPv4 Address: an IPv4 address that is well-known and mapped to the well-known name. 3. Host behavior A host requiring information about presence of NAT64 and the IPv6 prefix used for protocol translation SHALL send a DNS query for AAAA records of a well-known IPv4-only fully qualified domain name: "ipv4only.arpa". The host MAY also need to perform DNS query for the A record of the well-known name in order to learn what is the IPv4 address of the well-known name. The host may perform this check in both IPv6-only and dual-stack access networks. When sending AAAA query for the well-known name a host MUST set "Checking Disabled (CD)" bit to zero, as otherwise the DNS64 will not perform IPv6 address synthesis hence does not reveal the IPv6 prefix(es) used for protocol translation. A DNS reply with one or more non-empty AAAA records indicates that the access network is utilizing IPv6 address synthesis. A host MUST look through all of the received AAAA records to collect all available prefixes. The prefixes may include Well-Known Prefix 64: ff9b::/96 [RFC6052] or one or more Network-Specific Prefixes. In the case of NSPs the host SHALL search for the IPv4 address of the well- known name inside of the received IPv6 addresses to determine the used address format. An IPv4 address of the well-known name should be found inside synthetic IPv6 address at some of the locations described in [RFC6052]. If the searched IPv4 address is not found on any of the standard locations the network must be using different formatting. Developers may over time learn on IPv6 translated address formats that are extensions or alternatives to the standard formats. Developers MAY at that point add additional steps to the described discovery procedures. The additional steps are outside the scope of the present document. The host should ensure a 32-bit IPv4 address value is present only once in an IPv6 address. In case another instance of the value is found inside the IPv6, the host shall repeat the search with another IPv4 address, if possible. Savolainen & Korhonen Expires June 21, 2012 [Page 4] Internet-Draft NSP Discovery using WKN December 2011 In the case only one IPv6 prefix was present in the DNS response: a host shall use that IPv6 prefix for both local synthesis and for detecting synthesis done by the DNS64 entity on the network. In the case multiple IPv6 prefixes were present in the DNS response: a host SHOULD use all received prefixes when determining whether other received IPv6 addresses are synthetic. However, for selecting prefix for the local IPv6 address synthesis host MUST use the following prioritization order, of which purpose is to avoid use of prefixes containing suffixes reserved for the future [RFC6052]: 1. Use NSP having /96 prefix 2. Use WKP prefix 3. Use longest available NSP prefix In the case of NXDOMAIN response or an empty AAAA reply: the DNS64 is not available on the access network, network filtered the well-known query on purpose, or something went wrong in the DNS resolution. All unsuccessful cases result in unavailability of a host to perform local IPv6 address synthesis. The host MAY periodically resend AAAA query to check if DNS64 has become available or possibly temporary problem cleared. The host MAY perform A query for the well-known name to learn whether the NAT64 prefix discovery framework is available at all (see section 6 about Exit Strategy). The host MAY also continue monitoring DNS replies with IPv6 addresses constructed from WKP, in which case the host MAY use the WKP as if it were learned during the query for well-known name. To save Internet's resources, if possible, a host should perform NAT64 discovery only when needed (e.g. when local synthesis is required, cached reply timeouts, new network interface is started, and so forth. Furthermore, the host SHOULD cache the replies it receives and honor TTLs. 3.1. Learning NAT64 prefix securely by using DNSSEC If a node is using untrusted channel between itself and DNS64, or DNS64 entity itself is untrusted, it is possible for an attacker to influence node's NAT64 prefix detection procedures. This may result in denial-of-service, redirection, man-in-the-middle, or other attacks. To protect against these attacks the node may use DNSSEC, or communicate with trusted DNS64 over trusted channel. Significantly, explicit access network support is needed for the DNSSEC approach to work. To support DNSSEC capable nodes to perform NAT64 prefix learning Savolainen & Korhonen Expires June 21, 2012 [Page 5] Internet-Draft NSP Discovery using WKN December 2011 securely, NAT64 using access network MUST do the following. In the case of multiple IPv6 prefixes being used in a network, e.g. for load-balancing purposes, it is for network administrators to decide whether a single NAT64's fully qualified domain name maps to multiple prefixes, or whether there will be dedicated FQDN per IPv6 prefix. 1. Have one or more fully qualified domain names for the NAT64 translators (NAT64 FQDN). 2. Have each NAT64 FQDN to have one or more DNS AAAA records with each IPv6 address consisting of NAT64 prefix and 0's for the elements after the actual NAT64 prefix. 3. Sign the NAT64 FQDNs' AAAA records with DNSSEC. 4. Have access network's authoritative nameservers to respond to DNS queries for the NAT64 FQDNs only when the queries have been originated from the network domain the NAT64 is serving. If the NAT64's AAAA records are made resolvable throughout the Internet, a possible misuse vector of the NAT64 prefixes and NAT64 FQDNs in other networks is enabled: an attacker in other access network may lure a host on that network to think it is configuring NAT64 prefix in secure manner, while in reality it is not as the node would be configuring NAT64 prefix in a network where the NAT64 prefix should not be used. A DNSSEC capable node MUST use the following procedure to confirm the learned NAT64 prefix is legitimate: 1. Node MUST heuristically find out a NAT64 prefix candidate by making AAAA query for the "ipv4only.arpa". 2. Node MUST send DNS PTR query for the IPv6 address of the translator (for "ipv6.arpa"), using the prefix from the step 1 and 0 for the elements after the prefix length. This will return the NAT64 FQDN. 3. Node MUST send DNS AAAA query for the NAT64 FQDN. 4. Node MUST verify the DNS AAAA response matches the address obtained in step 1. It is possible that the NAT64 FQDN maps to multiple AAAA records, in which case the node has to check if any of the responses matches to the address obtained in step 1. The node MUST ignore other responses and not to use those for local IPv6 address synthesis. 5. Node MUST perform DNSSEC validation of the DNS AAAA response. Savolainen & Korhonen Expires June 21, 2012 [Page 6] Internet-Draft NSP Discovery using WKN December 2011 After the node has used DNSSEC to validate the IPv6 address received as response to the NAT64 FQDN query the node can consider NAT64 prefix securely learned. 3.2. Connectivity test After a host has obtained a candidate prefix and format for the IPv6 address synthesis, the host may locally synthesize an IPv6 address, by using a publicly routable IPv4 address, and test connectivity with the resulting IPv6 address. The connectivity test may be conducted e.g. with ICMPv6 or with a transport layer protocol. This connectivity test ensures local address synthesis results in functional and protocol translatable IPv6 addresses. The host MUST NOT perform connectivity test against the IPv4 address of the well-known name, but instead use some other destination such as host vendor's servers. In many scenarios separate connectivity test is not really required as an application may just try to connect to the IPv4-only destination with synthetic IPv6 address and see if a connection is successfully established or not. 4. Operational considerations for hosting the IPv4-only well-known name The authoritative name server for the well-known name shall have DNS record TTL set to a long value in order to improve effectiveness of DNS caching and robustness of the discovery procedure in general. The exact value depends on availability time for the used public IPv4 address, but should not be longer than one year. The domain serving the well-known name must be signed with DNSSEC. See also Security Considerations section. It is expected that volumes for well-known name related queries are roughly SOMETHING, TBD. The infrastructure required to serve well- known name is SOMETHING, TBD. 5. DNS(64) entity considerations DNS(64) servers MUST NOT interfere or perform special procedures for the queries related to the well-known name until the time has arrived for the exit strategy to be deployed. Savolainen & Korhonen Expires June 21, 2012 [Page 7] Internet-Draft NSP Discovery using WKN December 2011 6. Exit strategy A day will come when this tool is no longer needed. At that point best suited techniques for implementing exit strategy will be documented. In the global scope the exit strategy may include sending NXDOMAIN replies by the authoritative name server of the well-known name with a very long TTL. A client implementation receiving NXDOMAIN response for the A query of the well-known name means SHOULD consider this tool as temporarily disabled. 7. Security Considerations The security considerations follow closely those of RFC6147 [RFC6147]. If an attacker manages to change the NAT64 prefix host discovers, the traffic generated by the host will be delivered to altered destination. This can result in either a denial-of-service (DoS) attack (if the resulting IPv6 addresses are not assigned to any device), a flooding attack (if the resulting IPv6 addresses are assigned to devices that do not wish to receive the traffic), or an eavesdropping attack (in case the altered NSP is routed through the attacker). The zone serving the well-known name has to be protected with DNSSEC, as otherwise it will be too attractive target for attackers who wish to alter hosts' NSP prefix discovery procedures. A host SHOULD implement validating DNSSEC resolver for validating the A response of the well-known name query. A host without validating DNSSEC resolver SHOULD request validation to be performed by the used recursive DNS server. For the secure NAT64 prefix discovery the access network SHOULD sign the NAT64 translator's fully qualified domain name, and make that DNS resolvable only from the network domain NAT64 is serving. Otherwise the NAT64 prefix may be used for attacks in other access networks. A host SHOULD use the algorithm described in Section 3.1 in order to securely learn the NAT64 prefix. 8. IANA Considerations According to procedures described in RFC3172 this document requests IANA and IAB to reserve a second level domain from the .ARPA zone for the well-known domain name. The well-known domain name could be, for example, "ipv4only.arpa". Savolainen & Korhonen Expires June 21, 2012 [Page 8] Internet-Draft NSP Discovery using WKN December 2011 The well-known name also needs to map to one but preferably to two different public IPv4 addresses. 8.1. About the IPv4 address for the well-known name The IPv4 address for the well-known name, if possible, should be chosen so that it is unlikely to appear more than once within an IPv6 address and also as easy as possible to find from within the synthetic IPv6 address. An address not listed in the Section 3 of [RFC5735] is required as otherwise DNS64 entity may not perform AAAA record synthesis. The address does not have to be routable or allocated to any node, as no communications are initiated to the IPv4 address. Allocating two IPv4 addresses would improve the heuristics in cases where the primary IPv4 address' bit pattern appears more than once in the synthetic IPv6 address (NSP prefix contains the same bit pattern as the IPv4 address). If no well-known IPv4 address is statically allocated for this method, the heuristic requires sending additional A query to learn the IPv4 address that is sought inside the received IPv6 address. Without knowing IPv4 address it is impossible to determine address format used by DNS64. 9. Acknowledgements Authors would like to thank Andrew Sullivan, Washam Fan, Cameron Byrne, Zhenqiang Li, Dave Thaler, Peter Koch, and Christian Huitema for significant improvement ideas and comments. Special acknowledgements go to Dan Wing for the NAT64 prefix secure discovery algorithm. 10. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", BCP 153, RFC 5735, January 2010. [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, October 2010. Savolainen & Korhonen Expires June 21, 2012 [Page 9] Internet-Draft NSP Discovery using WKN December 2011 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, April 2011. [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van Beijnum, "DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers", RFC 6147, April 2011. Authors' Addresses Teemu Savolainen Nokia Hermiankatu 12 D FI-33720 Tampere Finland Email: teemu.savolainen@nokia.com Jouni Korhonen Nokia Siemens Networks Linnoitustie 6 FI-02600 Espoo Finland Email: jouni.nospam@gmail.com Savolainen & Korhonen Expires June 21, 2012 [Page 10]