| < draft-ietf-behave-address-format-03.txt | draft-ietf-behave-address-format-04.txt > | |||
|---|---|---|---|---|
| Network Working Group C. Huitema | Network Working Group C. Huitema | |||
| Internet-Draft Microsoft Corporation | Internet-Draft Microsoft Corporation | |||
| Obsoletes: 2765 (if approved) C. Bao | Obsoletes: 2765 (if approved) C. Bao | |||
| Intended status: Standards Track CERNET Center/Tsinghua University | Intended status: Standards Track CERNET Center/Tsinghua University | |||
| Expires: June 20, 2010 M. Bagnulo | Expires: July 19, 2010 M. Bagnulo | |||
| UC3M | UC3M | |||
| M. Boucadair | M. Boucadair | |||
| France Telecom | France Telecom | |||
| X. Li | X. Li | |||
| CERNET Center/Tsinghua University | CERNET Center/Tsinghua University | |||
| December 17, 2009 | January 15, 2010 | |||
| IPv6 Addressing of IPv4/IPv6 Translators | IPv6 Addressing of IPv4/IPv6 Translators | |||
| draft-ietf-behave-address-format-03.txt | draft-ietf-behave-address-format-04.txt | |||
| Abstract | Abstract | |||
| This document discusses the algorithmic translation of an IPv6 | This document discusses the algorithmic translation of an IPv6 | |||
| address to a corresponding IPv4 address, and vice versa, using only | address to a corresponding IPv4 address, and vice versa, using only | |||
| statically configured information. It defines a Well-Known Prefix | statically configured information. It defines a well-known prefix | |||
| for use in algorithmic translations, while allowing organizations to | for use in algorithmic translations, while allowing organizations to | |||
| also use Network Specific Prefixes when appropriate. Algorithmic | also use network-specific prefixes when appropriate. Algorithmic | |||
| translation is used in IPv4/IPv6 translators, as well as other types | translation is used in IPv4/IPv6 translators, as well as other types | |||
| of proxies and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios. | of proxies and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 49 ¶ | skipping to change at page 1, line 49 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on June 20, 2010. | This Internet-Draft will expire on July 19, 2010. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the BSD License. | described in the BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Applicability Scope . . . . . . . . . . . . . . . . . . . 3 | 1.1. Applicability Scope . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. IPv4-Embedded IPv6 Address Format . . . . . . . . . . . . . . 4 | 2. IPv4-Embedded IPv6 Address Format . . . . . . . . . . . . . . 4 | |||
| 2.1. Address Translation Algorithms . . . . . . . . . . . . . . 6 | 2.1. Address Translation Algorithms . . . . . . . . . . . . . . 6 | |||
| 2.2. Text Representation . . . . . . . . . . . . . . . . . . . 6 | 2.2. Text Representation . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. Deployment Guidelines and Choices . . . . . . . . . . . . . . 7 | 3. Deployment Guidelines and Choices . . . . . . . . . . . . . . 7 | |||
| 3.1. Restrictions to the use of the Well-Known Prefix . . . . . 7 | 3.1. Restrictions on the use of the Well-Known Prefix . . . . . 7 | |||
| 3.2. Impact on Inter-Domain Routing . . . . . . . . . . . . . . 8 | 3.2. Impact on Inter-Domain Routing . . . . . . . . . . . . . . 8 | |||
| 3.3. Choice of Prefix for Stateless Translation Deployments . . 8 | 3.3. Choice of Prefix for Stateless Translation Deployments . . 8 | |||
| 3.4. Choice of Prefix for Stateful Translation Deployments . . 10 | 3.4. Choice of Prefix for Stateful Translation Deployments . . 10 | |||
| 3.5. Choice of Suffix . . . . . . . . . . . . . . . . . . . . . 10 | 3.5. Choice of Suffix . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.6. Choice of the Well-Known Prefix . . . . . . . . . . . . . 11 | 3.6. Choice of the Well-Known Prefix . . . . . . . . . . . . . 12 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 4.1. Protection Against Spoofing . . . . . . . . . . . . . . . 12 | 4.1. Protection Against Spoofing . . . . . . . . . . . . . . . 13 | |||
| 4.2. Secure Configuration . . . . . . . . . . . . . . . . . . . 13 | 4.2. Secure Configuration . . . . . . . . . . . . . . . . . . . 13 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 15 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 15 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 16 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 1. Introduction | 1. Introduction | |||
| This document is part of a series of IPv4/IPv6 translation documents. | This document is part of a series of IPv4/IPv6 translation documents. | |||
| A framework for IPv4/IPv6 translation is discussed in | A framework for IPv4/IPv6 translation is discussed in | |||
| [I-D.ietf-behave-v6v4-framework], including a taxonomy of scenarios | [I-D.ietf-behave-v6v4-framework], including a taxonomy of scenarios | |||
| that will be used in this document. Other documents specify the | that will be used in this document. Other documents specify the | |||
| behavior of various types of translators and gateways, including | behavior of various types of translators and gateways, including | |||
| mechanisms for translating between IP headers and other types of | mechanisms for translating between IP headers and other types of | |||
| messages that include IP addresses. This document specifies how an | messages that include IP addresses. This document specifies how an | |||
| skipping to change at page 3, line 27 ¶ | skipping to change at page 3, line 27 ¶ | |||
| it is the responsibility of the specification of such devices to | it is the responsibility of the specification of such devices to | |||
| reference this document for algorithmic mapping of the addresses | reference this document for algorithmic mapping of the addresses | |||
| themselves. | themselves. | |||
| This document reserves a "Well-Known Prefix" for use in an | This document reserves a "Well-Known Prefix" for use in an | |||
| algorithmic mapping. The value of this IPv6 prefix is: | algorithmic mapping. The value of this IPv6 prefix is: | |||
| 64:FF9B::/96 | 64:FF9B::/96 | |||
| Section 2 describes the format of "IPv4-Embedded IPv6 addresses", | Section 2 describes the format of "IPv4-Embedded IPv6 addresses", | |||
| i.e. - IPv6 addresses in which 32 bits contain an IPv4 address. This | i.e., IPv6 addresses in which 32 bits contain an IPv4 address. This | |||
| format is common to both "IPv4-Converted" and "IPv4-Translatable" | format is common to both "IPv4-Converted" and "IPv4-Translatable" | |||
| IPv6 addresses. This section also defines the algorithms for | IPv6 addresses. This section also defines the algorithms for | |||
| translating addresses, and the text representation of IPv4-Embedded | translating addresses, and the text representation of IPv4-Embedded | |||
| addresses. | IPv6 addresses. | |||
| Section 3 discusses the choice of prefixes, the conditions of use of | Section 3 discusses the choice of prefixes, the conditions of use of | |||
| the Well-Known Prefix and the Network Specific Prefixes, and the use | the Well-Known Prefix and Network-Specific Prefixes, and the use of | |||
| of embedded addresses with stateless and stateful translation. | IPv4-Embedded IPv6 addresses with stateless and stateful translation. | |||
| Section 4 discusses security concerns. | Section 4 discusses security concerns. | |||
| In some scenarios, a dual-stack host will unnecessarily send its | ||||
| traffic through an IPv6/IPv4 translator. This can be caused by | ||||
| host's default address selection algorithm [RFC3484], referrals, or | ||||
| other reasons. Optimizing these scenarios for dual-stack hosts is | ||||
| for future study. | ||||
| 1.1. Applicability Scope | 1.1. Applicability Scope | |||
| This document is part of a series defining address translation | This document is part of a series defining address translation | |||
| services. We understand that the address format could also be used | services. We understand that the address format could also be used | |||
| by other interconnection methods between IPv6 and IPv4, e.g. methods | by other interconnection methods between IPv6 and IPv4, e.g., methods | |||
| based on encapsulation. If encapsulation methods are developed by | based on encapsulation. If encapsulation methods are developed by | |||
| the IETF, we expect that their descriptions will document their | the IETF, we expect that their descriptions will document their | |||
| specific use of IPv4-Embedded IPv6 Addresses. | specific use of IPv4-Embedded IPv6 addresses. | |||
| 1.2. Conventions | 1.2. Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 1.3. Notations | 1.3. Terminology | |||
| This document makes use of the following terms: | This document makes use of the following terms: | |||
| IPv4/IPv6 translator: an entity that translates IPv4 packets to IPv6 | IPv4/IPv6 translator: an entity that translates IPv4 packets to IPv6 | |||
| packets, and vice versa. It may do "stateless" translation, | packets, and vice versa. It may do "stateless" translation, | |||
| meaning that there is no per-flow state required, or "stateful" | meaning that there is no per-flow state required, or "stateful" | |||
| translation where per-flow state is created when the first packet | translation where per-flow state is created when the first packet | |||
| in a flow is received. | in a flow is received. | |||
| Address translator: any entity that has to derive an IPv4 address | Address translator: any entity that has to derive an IPv4 address | |||
| from an IPv6 address or vice versa. This applies not only to | from an IPv6 address or vice versa. This applies not only to | |||
| devices that do IPv4/IPv6 packet translation, but also to other | devices that do IPv4/IPv6 packet translation, but also to other | |||
| entities that manipulate addresses, such as name resolution | entities that manipulate addresses, such as name resolution | |||
| proxies (e.g. DNS64 [I-D.ietf-behave-dns64]) and possibly other | proxies (e.g. DNS64 [I-D.ietf-behave-dns64]) and possibly other | |||
| types of Application Layer Gateways (ALGs). | types of Application Layer Gateways (ALGs). | |||
| Well-Known Prefix: the IPv6 prefix defined in this document for use | Well-Known Prefix: the IPv6 prefix defined in this document for use | |||
| in an algorithmic mapping. | in an algorithmic mapping. | |||
| Network Specific Prefix: an IPv6 prefix assigned by an organization | Network-Specific Prefix: an IPv6 prefix assigned by an organization | |||
| for use in algorithmic mapping. Options for the Network Specific | for use in algorithmic mapping. Options for the Network Specific | |||
| Prefix are discussed in Section 3.3 and Section 3.4. | Prefix are discussed in Section 3.3 and Section 3.4. | |||
| IPv4-Embedded IPv6 addresses: IPv6 addresses in which 32 bits | IPv4-Embedded IPv6 addresses: IPv6 addresses in which 32 bits | |||
| contain an IPv4 address. Their format is described in Section 2. | contain an IPv4 address. Their format is described in Section 2. | |||
| IPv4-Converted IPv6 addresses: IPv6 addresses used to represent IPv4 | IPv4-Converted IPv6 addresses: IPv6 addresses used to represent IPv4 | |||
| hosts in an IPv6 network. They are a variant of IPv4-Embedded | nodes in an IPv6 network. They are a variant of IPv4-Embedded | |||
| addresses, and follow the format described in Section 2. | IPv6 addresses, and follow the format described in Section 2. | |||
| IPv4-Translatable IPv6 addresses: IPv6 addresses assigned to IPv6 | IPv4-Translatable IPv6 addresses: IPv6 addresses assigned to IPv6 | |||
| hosts for use with stateless translation. They are a variant of | nodes for use with stateless translation. They are a variant of | |||
| IPv4-Embedded addresses, and follow the format described in | IPv4-Embedded IPv6 addresses, and follow the format described in | |||
| Section 2. | Section 2. | |||
| 2. IPv4-Embedded IPv6 Address Format | 2. IPv4-Embedded IPv6 Address Format | |||
| IPv4-Converted IPv6 addresses and IPv4-Translatable IPv6 addresses | IPv4-Converted IPv6 addresses and IPv4-Translatable IPv6 addresses | |||
| follow the same format, described here as the IPv4-Embedded IPv6 | follow the same format, described here as the IPv4-Embedded IPv6 | |||
| Address Format. IPv4-Embedded IPv6 Addresses are composed of a | address Format. IPv4-Embedded IPv6 addresses are composed of a | |||
| variable length prefix, the embedded IPv4 address, and a variable | variable length prefix, the embedded IPv4 address, and a variable | |||
| length suffix, as presented in the following diagram, in which PL | length suffix, as presented in the following diagram, in which PL | |||
| designates the prefix length: | designates the prefix length: | |||
| +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
| |PL| 0-------------32--40--48--56--64--72--80--88--96--104-112-120-| | |PL| 0-------------32--40--48--56--64--72--80--88--96--104-112-120-| | |||
| +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
| |32| prefix |v4(32) | u | suffix | | |32| prefix |v4(32) | u | suffix | | |||
| +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
| |40| prefix |v4(24) | u |(8)| suffix | | |40| prefix |v4(24) | u |(8)| suffix | | |||
| +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
| |48| prefix |v4(16) | u | (16) | suffix | | |48| prefix |v4(16) | u | (16) | suffix | | |||
| +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
| |56| prefix |(8)| u | v4(24) | suffix | | |56| prefix |(8)| u | v4(24) | suffix | | |||
| +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
| |64| prefix | u | v4(32) | suffix | | |64| prefix | u | v4(32) | suffix | | |||
| +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
| |96| prefix | v4(32) | | |96| prefix | v4(32) | | |||
| +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ | |||
| Figure 1 | Figure 1 | |||
| In these addresses, the prefix shall be either the "Well-Known | In these addresses, the prefix shall be either the "Well-Known | |||
| Prefix", or a "Network Specific Prefix" unique to the organization | Prefix", or a "Network-Specific Prefix" unique to the organization | |||
| deploying the address translators. | deploying the address translators. (The Well-Known prefic is 96 bits | |||
| long, and can only be used in the last form of the table.) | ||||
| Various deployments justify different prefix lengths. The tradeoff | Various deployments justify different prefix lengths with Network- | |||
| between different prefix lengths are discussed in Section 3.3 and | Specific prefixes. The tradeoff between different prefix lengths are | |||
| Section 3.4. | discussed in Section 3.3 and Section 3.4. | |||
| Bits 64 to 71 of the address are reserved for compatibility with the | Bits 64 to 71 of the address are reserved for compatibility with the | |||
| host identifier format defined in the IPv6 addressing architecture | host identifier format defined in the IPv6 addressing architecture | |||
| [RFC4291]. These bits MUST be set to zero. When using a /96 prefix, | [RFC4291]. These bits MUST be set to zero. When using a /96 | |||
| the administrators MUST ensure that the bits 64 to 71 are set to | Network-Specific Prefix, the administrators MUST ensure that the bits | |||
| zero. A simple way to achieve that is to construct the /96 Network | 64 to 71 are set to zero. A simple way to achieve that is to | |||
| Specific Prefix by picking a /64 prefix, and then adding four octets | construct the /96 Network-Specific Prefix by picking a /64 prefix, | |||
| set to zero. | and then adding four octets set to zero. | |||
| The IPv4 address is encoded following the prefix, most significant | The IPv4 address is encoded following the prefix, most significant | |||
| bits first. Depending of the prefix length, the 4 octets of the | bits first. Depending of the prefix length, the 4 octets of the | |||
| address may be separated by the reserved octet "u", whose 8 bits MUST | address may be separated by the reserved octet "u", whose 8 bits MUST | |||
| be set to zero. In particular: | be set to zero. In particular: | |||
| o When the prefix is 32 bits long, the IPv4 address is encoded in | o When the prefix is 32 bits long, the IPv4 address is encoded in | |||
| positions 32 to 63. | positions 32 to 63. | |||
| o When the prefix is 40 bits long, 24 bits of the IPv4 address are | o When the prefix is 40 bits long, 24 bits of the IPv4 address are | |||
| encoded in positions 40 to 63, with the remaining 8 bits in | encoded in positions 40 to 63, with the remaining 8 bits in | |||
| position 72 to 79. | position 72 to 79. | |||
| skipping to change at page 6, line 16 ¶ | skipping to change at page 6, line 16 ¶ | |||
| encoded in positions 56 to 63, with the remaining 24 bits in | encoded in positions 56 to 63, with the remaining 24 bits in | |||
| position 72 to 95. | position 72 to 95. | |||
| o When the prefix is 64 bits long, the IPv4 address is encoded in | o When the prefix is 64 bits long, the IPv4 address is encoded in | |||
| positions 72 to 103. | positions 72 to 103. | |||
| o When the prefix is 96 bits long, the IPv4 address is encoded in | o When the prefix is 96 bits long, the IPv4 address is encoded in | |||
| positions 96 to 127. | positions 96 to 127. | |||
| There are no remaining bits, and thus no suffix, if the prefix is 96 | There are no remaining bits, and thus no suffix, if the prefix is 96 | |||
| bits long. In the other cases, the remaining bits of the address | bits long. In the other cases, the remaining bits of the address | |||
| constitute the suffix. These bits are reserved for future | constitute the suffix. These bits are reserved for future | |||
| extensions, and SHOULD be set to a zero. | extensions, and SHOULD be set to zero. | |||
| 2.1. Address Translation Algorithms | 2.1. Address Translation Algorithms | |||
| IPv4-Embedded IPv6 addresses are composed according to the following | IPv4-Embedded IPv6 addresses are composed according to the following | |||
| algorithm: | algorithm: | |||
| o Concatenate the prefix, the 32 bits of the IPv4 address and the | o Concatenate the prefix, the 32 bits of the IPv4 address and the | |||
| null suffix if needed to obtain a 128 bit address. | null suffix if needed to obtain a 128 bit address. | |||
| o if the prefix length is less than 96 bits, remove the last octet | o If the prefix length is less than 96 bits, remove the last octet | |||
| insert the null octet "U" at the appropriate position, as | and insert the null octet "u" at the appropriate position, as | |||
| documented in Figure 1. | documented in Figure 1. | |||
| The IPv4 addresses are extracted from the IPv4-Embedded IPv6 | The IPv4 addresses are extracted from the IPv4-Embedded IPv6 | |||
| addresses according to the following algorithm: | addresses according to the following algorithm: | |||
| o if the prefix is 96 bit long, extract the last 32 bits of the IPv6 | o If the prefix is 96 bit long, extract the last 32 bits of the IPv6 | |||
| address; | address; | |||
| o for the other prefix lengths, extract the U octet to obtain a 120 | o for the other prefix lengths, extract the "u" octet to obtain a | |||
| bit sequence, then extract the 32 bits following the prefix. | 120 bit sequence, then extract the 32 bits following the prefix. | |||
| 2.2. Text Representation | 2.2. Text Representation | |||
| IPv4-Embedded IPv6 addresses will be represented in text in | IPv4-Embedded IPv6 addresses will be represented in text in | |||
| conformity with section 2.2 of [RFC4291]. IPv4-Embedded IPv6 | conformity with section 2.2 of [RFC4291]. IPv4-Embedded IPv6 | |||
| addresses constructed using the Well Known Prefix or a /96 Network | addresses constructed using the Well-Known Prefix or a /96 Network- | |||
| Specific Prefix may be represented using the alternative form | Specific Prefix may be represented using the alternative form | |||
| presented in section 2.2 of [RFC4291], with the embedded IPv4 address | presented in section 2.2 of [RFC4291], with the embedded IPv4 address | |||
| represented in dotted decimal notation. Examples of such | represented in dotted decimal notation. Examples of such | |||
| representations are presented in Table 1 and Table 2. | representations are presented in Table 1 and Table 2. | |||
| +-----------------------+------------+------------------------------+ | +-----------------------+------------+------------------------------+ | |||
| | Network Specific | IPv4 | IPv4-Embedded IPv6 address | | | Network-Specific | IPv4 | IPv4-Embedded IPv6 address | | |||
| | Prefix | address | | | | Prefix | address | | | |||
| +-----------------------+------------+------------------------------+ | +-----------------------+------------+------------------------------+ | |||
| | 2001:DB8::/32 | 192.0.2.33 | 2001:DB8:C000:221:: | | | 2001:DB8::/32 | 192.0.2.33 | 2001:DB8:C000:221:: | | |||
| | 2001:DB8:100::/40 | 192.0.2.33 | 2001:DB8:1C0:2:21:: | | | 2001:DB8:100::/40 | 192.0.2.33 | 2001:DB8:1C0:2:21:: | | |||
| | 2001:DB8:122::/48 | 192.0.2.33 | 2001:DB8:122:C000:2:2100:: | | | 2001:DB8:122::/48 | 192.0.2.33 | 2001:DB8:122:C000:2:2100:: | | |||
| | 2001:DB8:122:300::/56 | 192.0.2.33 | 2001:DB8:122:3C0:0:221:: | | | 2001:DB8:122:300::/56 | 192.0.2.33 | 2001:DB8:122:3C0:0:221:: | | |||
| | 2001:DB8:122:344::/64 | 192.0.2.33 | 2001:DB8:122:344:C0:2:2100:: | | | 2001:DB8:122:344::/64 | 192.0.2.33 | 2001:DB8:122:344:C0:2:2100:: | | |||
| | 2001:DB8:122:344::/96 | 192.0.2.33 | 2001:DB8:122:344::192.0.2.33 | | | 2001:DB8:122:344::/96 | 192.0.2.33 | 2001:DB8:122:344::192.0.2.33 | | |||
| +-----------------------+------------+------------------------------+ | +-----------------------+------------+------------------------------+ | |||
| Table 1: Text representation of IPv4-Embedded IPv6 addresses using | Table 1: Text representation of IPv4-Embedded IPv6 addresses using | |||
| Network Specific Prefixes | Network-Specific Prefixes | |||
| +-------------------+--------------+----------------------------+ | +-------------------+--------------+----------------------------+ | |||
| | Well Known Prefix | IPv4 address | IPv4-Embedded IPv6 address | | | Well Known Prefix | IPv4 address | IPv4-Embedded IPv6 address | | |||
| +-------------------+--------------+----------------------------+ | +-------------------+--------------+----------------------------+ | |||
| | 64:FF9B::/96 | 192.0.2.33 | 64:FF9B::192.0.2.33 | | | 64:FF9B::/96 | 192.0.2.33 | 64:FF9B::192.0.2.33 | | |||
| +-------------------+--------------+----------------------------+ | +-------------------+--------------+----------------------------+ | |||
| Table 2: Text representation of IPv4-Embedded IPv6 addresses using | Table 2: Text representation of IPv4-Embedded IPv6 addresses using | |||
| the Well Known Prefixes | the Well-Known Prefix | |||
| The Network Specific Prefixes examples in Table 1 are derived from | The Network-Specific Prefix examples in Table 1 are derived from the | |||
| the IPv6 Prefix reserved for doocumentation in [RFC3849]. The IPv4 | IPv6 prefix reserved for documentation in [RFC3849]. The IPv4 | |||
| address 192.0.2.33 is part of the subnet 192.0.2.0/24 reserved for | address 192.0.2.33 is part of the subnet 192.0.2.0/24 reserved for | |||
| documentation in [RFC3330]. | documentation in [RFC3330]. | |||
| 3. Deployment Guidelines and Choices | 3. Deployment Guidelines and Choices | |||
| 3.1. Restrictions to the use of the Well-Known Prefix | 3.1. Restrictions on the use of the Well-Known Prefix | |||
| The Well-Known Prefix MAY be used by organizations deploying | The Well-Known Prefix MAY be used by organizations deploying | |||
| translation services, as explained in Section 3.4. | translation services, as explained in Section 3.4. | |||
| The Well-Known Prefix SHOULD NOT be used to construct IPv4- | The Well-Known Prefix SHOULD NOT be used to construct IPv4- | |||
| Translatable addresses. The host served by IPv4-Translatable IPv6 | Translatable addresses. The nodes served by IPv4-Translatable IPv6 | |||
| addresses should be able to receive IPv6 traffic bound to their IPv4- | addresses should be able to receive global IPv6 traffic bound to | |||
| Translatable IPv6 address without incurring intermediate protocol | their IPv4-Translatable IPv6 address without incurring intermediate | |||
| translation. This is only possible if the specific prefix used to | protocol translation. This is only possible if the specific prefix | |||
| build the IPv4-Translatable IPv6 addresses is advertized in inter- | used to build the IPv4-Translatable IPv6 addresses is advertized in | |||
| domain routing, and this kind of specific prefix advertisement is not | inter-domain routing, but the advertisement of more specific prefixes | |||
| supported with the Well-Known Prefix as explained in Section 3.2. | derived from the Well-Known Prefix is not supported, as explained in | |||
| Network Specific Prefixes SHOULD be used in these scenarios, as | Section 3.2. Network-Specific Prefixes SHOULD be used in these | |||
| explained in Section 3.3. | scenarios, as explained in Section 3.3. | |||
| The Well-Known Prefix MUST NOT be used to represent non global IPv4 | The Well-Known Prefix MUST NOT be used to represent non global IPv4 | |||
| addresses, such as those defined in [RFC1918]. Doing so would | addresses, such as those defined in [RFC1918]. | |||
| introduce ambiguous IPv6 addresses. | ||||
| 3.2. Impact on Inter-Domain Routing | 3.2. Impact on Inter-Domain Routing | |||
| The Well-Known Prefix MAY appear in inter-domain routing tables, if | The Well-Known Prefix MAY appear in inter-domain routing tables, if | |||
| service providers decide to provide IPv6-IPv4 interconnection | service providers decide to provide IPv6-IPv4 interconnection | |||
| services to peers. Advertisement of the Well-Known Prefix SHOULD be | services to peers. Advertisement of the Well-Known Prefix SHOULD be | |||
| controlled either by upstream and/or downstream service providers | controlled either by upstream and/or downstream service providers | |||
| owing to inter-domain routing policies, e.g., through configuration | owing to inter-domain routing policies, e.g., through configuration | |||
| of BGP [RFC4271]. Organizations that advertize the Well-Known Prefix | of BGP [RFC4271]. Organizations that advertize the Well-Known Prefix | |||
| in inter-domain routing MUST be able to provide IPv4/IPv6 address | in inter-domain routing MUST be able to provide IPv4/IPv6 translation | |||
| translation service. | service. | |||
| When the IPv4/IPv6 translation relies on the Well-Known Prefix, | When the IPv4/IPv6 translation relies on the Well-Known Prefix, | |||
| embedded IPv6 prefixes longer than the Well-Known Prefix MUST NOT be | embedded IPv6 prefixes longer than the Well-Known Prefix MUST NOT be | |||
| advertised in BGP (especially e-BGP) [RFC4271] because this leads to | advertised in BGP (especially e-BGP) [RFC4271] because this leads to | |||
| importing IPv4 routing table into IPv6 one and therefore induces | importing the IPv4 routing table into the IPv6 one and therefore | |||
| scalability issues to the global IPv6 routing table. Adjacent BGP | induces scalability issues to the global IPv6 routing table. | |||
| speakers MUST ignore advertisements of embedded IPv6 prefixes longer | Administrators of BGP nodes SHOULD configure filters that discard | |||
| than the Well-Known Prefix. BGP speakers SHOULD be able to be | advertisements of embedded IPv6 prefixes longer than the Well-Known | |||
| configured with the default Well-Known Prefix. | Prefix. | |||
| When the IPv4/IPv6 translation service relies on Network Specific | When the IPv4/IPv6 translation service relies on Network-Specific | |||
| Prefixes and stateless translation is used, the IPv4-Translatable | Prefixes, the IPv4-Translatable IPv6 prefixes used in stateless | |||
| IPv6 prefixes MUST be advertised with proper aggregation to the IPv6 | translation MUST be advertised with proper aggregation to the IPv6 | |||
| Internet. Similarly, if translators are configured with multiple | Internet. Similarly, if translators are configured with multiple | |||
| Network Specific Prefixes, these prefixes MUST be advertised to the | Network-Specific Prefixes,these prefixes MUST be advertised to the | |||
| IPv6 Internet with proper aggregation. | IPv6 Internet with proper aggregation. | |||
| 3.3. Choice of Prefix for Stateless Translation Deployments | 3.3. Choice of Prefix for Stateless Translation Deployments | |||
| Organization may deploy translation services using stateless | Organizations may deploy translation services using stateless | |||
| translation. In these deployments, internal IPv6 hosts are addressed | translation. In these deployments, internal IPv6 nodes are addressed | |||
| using "IPv4-Translatable" IPv6 addresses, which enable them to be | using IPv4-Translatable IPv6 addresses, which enable them to be | |||
| accessed by IPv4 hosts. The addresses of these external hosts are | accessed by IPv4 nodes. The addresses of these external nodes are | |||
| then represented in "IPv4-Converted" IPv6 addresses. | then represented in IPv4-Converted IPv6 addresses. | |||
| Organizations deploying stateless IPv4/IPv6 translation SHOULD assign | Organizations deploying stateless IPv4/IPv6 translation SHOULD assign | |||
| a Network Specific Prefix to their IPv4/IPv6 translation service. | a Network-Specific Prefix to their IPv4/IPv6 translation service. | |||
| "IPv4-Translatable" and "IPv4-Converted" addresses MUST be | IPv4-Translatable and IPv4-Converted IPv6 addresses MUST be | |||
| constructed as specified in Section 2. IPv4-Translatable IPv6 | constructed as specified in Section 2. IPv4-Translatable IPv6 | |||
| addresses MUST use the selected Network Specific Prefix. Both types | addresses MUST use the selected Network-Specific Prefix. Both types | |||
| of addresses SHOULD use the same prefix. | of addresses SHOULD use the same prefix. | |||
| Using the same prefix ensures that internal IPv6 hosts will use the | Using the same prefix ensures that IPv6 nodes internal to the | |||
| most efficient paths to reach the hosts served by "IPv4-Translatable" | organization will use the most efficient paths to reach the nodes | |||
| addresses. Specifically, if an internal host learns the IPv4 address | served by IPv4-Translatable IPv6 addresses. Specifically, if a node | |||
| of a target internal host without knowing that this target is in fact | learns the IPv4 address of a target internal node without knowing | |||
| located behind the same translator, translation rules will ensure | that this target is in fact located behind the same translator that | |||
| that the IPv6 address constructed with the network specific prefix is | the node also uses, translation rules will ensure that the IPv6 | |||
| the same as the IPv4-Translatable address assigned to the target. | address constructed with the Network-Specific prefix is the same as | |||
| Standard routing preference will then ensure that the IPv6 packets | the IPv4-Translatable IPv6 address assigned to the target. Standard | |||
| are delivered directly, without requiring "hair-pinning" at the | routing preference will then ensure that the IPv6 packets are | |||
| delivered directly, without requiring "hair-pinning" at the | ||||
| translator. | translator. | |||
| The intra-domain routing protocol must be able to deliver packets to | The intra-domain routing protocol must be able to deliver packets to | |||
| the hosts served by IPv4-Translatable IPv6 addresses. This may | the nodes served by IPv4-Translatable IPv6 addresses. This may | |||
| require routing on some or all of the embedded IPv4 address bits. | require routing on some or all of the embedded IPv4 address bits. | |||
| Security considerations detailed in Section 4 require that routers | Security considerations detailed in Section 4 require that routers | |||
| check the validity of the IPv4-Translatable IPv6 source addresses, | check the validity of the IPv4-Translatable IPv6 source addresses, | |||
| using some form of reverse path check. | using some form of reverse path check. | |||
| The management of stateless address translation can be illustrated | ||||
| with a small example. We will consider an IPv6 network with the | ||||
| prefix 2001:DB8:122::/48. The network administrator has selected the | ||||
| Network-Specific prefix 2001:DB8:122:344::/64 for managing stateless | ||||
| IPv4/IPv6 translation. The network is visible in IPv4 as the subnet | ||||
| 192.0.2.0/24. In this network, the host A is assigned the IPv4- | ||||
| Translatable IPv6 address 2001:DB8:122:344:C0:2:2100::, which | ||||
| corresponds to the IPv4 address 192.0.2.33. Host A's address is | ||||
| configured either manually or through DHCPv6. | ||||
| In this example, host A is not directly connected to the translator, | ||||
| but instead to a link managed by a router R. The router R is | ||||
| configured to forward to A the packets bound to 2001:DB8:122:344:C0: | ||||
| 2:2100::. To receive these packets, R will advertise reachability of | ||||
| the prefix 2001:DB8:122:344:C0:2:2100::/104 in the intra-domain | ||||
| routing protocol -- or perhaps a shorter prefix if many hosts on link | ||||
| have IPv4-Translatable IPv6 addresses derived from the same IPv4 | ||||
| subnet. If a packet bound to 192.0.2.33 reaches the translator, the | ||||
| destination address will be translated to 2001:DB8:122:344:C0:2: | ||||
| 2100::, and the packet will be routed towards R and then to A. | ||||
| Let's suppose now that a host B of the same domain learns the IPv4 | ||||
| address of A, maybe through an application-specific referral. If B | ||||
| has translation-aware software, B can compose a destination address | ||||
| by combining the Network-Specific Prefix 2001:DB8:122:344::/64 and | ||||
| the IPv4 address 192.0.2.33, resulting in the address 2001:DB8:122: | ||||
| 344:C0:2:2100::. The packet sent by B will be forwarded towards R, | ||||
| and then to A, avoiding protocol translation. | ||||
| Forwarding, and reverse path checks, should be performed on the | Forwarding, and reverse path checks, should be performed on the | |||
| combination of the "prefix" and the IPv4 address. In theory, routers | combination of the prefix and the IPv4 address. In theory, routers | |||
| should be able to route on prefixes of any length. However, routing | should be able to route on prefixes of any length. However, routing | |||
| on prefixes larger than 64 bits may be slower. But routing | on prefixes larger than 64 bits may be slower on some routers. But | |||
| efficiency is not the only consideration in the choice of a prefix | routing efficiency is not the only consideration in the choice of a | |||
| length. Organizations also need to consider the availability of | prefix length. Organizations also need to consider the availability | |||
| prefixes, and the potential impact of all-zeroes identifiers. | of prefixes, and the potential impact of all-zeroes identifiers. | |||
| If a /32 prefix is used, all the routing bits are contained in the | If a /32 prefix is used, all the routing bits are contained in the | |||
| top 64 bits of the IPv6 address, leading to excellent routing | top 64 bits of the IPv6 address, leading to excellent routing | |||
| properties. These prefixes may however be hard to obtain, and | properties. These prefixes may however be hard to obtain, and | |||
| allocation of a /32 to a small set of IPv4-Translatable addresses may | allocation of a /32 to a small set of IPv4-Translatable IPv6 | |||
| be seen as wasteful. In addition, the /32 prefix and a zero suffix | addresses may be seen as wasteful. In addition, the /32 prefix and a | |||
| leads to an all-zeroes interface identifier, an issue that we discuss | zero suffix leads to an all-zeroes interface identifier, an issue | |||
| in Section 3.5. | that we discuss in Section 3.5. | |||
| Intermediate prefix lengths such as /40, /48 or /56 appear as | Intermediate prefix lengths such as /40, /48 or /56 appear as | |||
| compromises. Only some of the IPv4 bits are part of the /64 | compromises. Only some of the IPv4 bits are part of the /64 | |||
| prefixes. Reverse path checks, in particular, may have a limited | prefixes. Reverse path checks, in particular, may have a limited | |||
| efficiency. Reverse checks limited to the most significant bits of | efficiency. Reverse path checks limited to the most significant bits | |||
| the IPv4 address will reduce the possibility of spoofing external | of the IPv4 address will reduce the possibility of spoofing external | |||
| IPv4 address, but would allow IPv6 hosts to spoof internal IPv4- | IPv4 address, but would allow IPv6 nodes to spoof internal IPv4- | |||
| Translatable addresses. | Translatable addresses. | |||
| We propose here a compromise, based on using no more than 1/256th of | We propose here a compromise, based on using no more than 1/256th of | |||
| an organization's allocation of IPv6 addresses for the IPv4/IPv6 | an organization's allocation of IPv6 addresses for the IPv4/IPv6 | |||
| translation service. For example, if the organization is an ISP, | translation service. For example, if the organization is an Internet | |||
| with an allocated IPv6 prefix /32 or shorter, the ISP could dedicate | Service Provider with an allocated IPv6 prefix /32 or shorter, the | |||
| a /40 prefix to the translation service. An end site with a /48 | ISP could dedicate a /40 prefix to the translation service. An end | |||
| allocation could dedicate a /56 prefix to the translation service, or | site with a /48 allocation could dedicate a /56 prefix to the | |||
| possibly a /96 prefix if all IPv4-Translatable IPv6 Addresses are | translation service, or possibly a /96 prefix if all IPv4- | |||
| located on the same link. | Translatable IPv6 addresses are located on the same link. | |||
| The recommended prefix length is also a function of the deployment | The recommended prefix length is also a function of the deployment | |||
| scenario. The stateless translation can be used for Scenario 1, | scenario. The stateless translation can be used for Scenario 1, | |||
| Scenario 2, Scenario 5 and Scenario 6 defined in | Scenario 2, Scenario 5, and Scenario 6 defined in | |||
| [I-D.ietf-behave-v6v4-framework]. For different scenarios, the | [I-D.ietf-behave-v6v4-framework]. For different scenarios, the | |||
| prefix length recommendations are: | prefix length recommendations are: | |||
| o For scenario 1 (an IPv6 network to the IPv4 Internet) and scenario | o For scenario 1 (an IPv6 network to the IPv4 Internet) and scenario | |||
| 2 (the IPv4 Internet to an IPv6 network), we recommend using a /40 | 2 (the IPv4 Internet to an IPv6 network), we recommend using a /40 | |||
| prefix for an ISP holding a /32 allocation, and a /56 prefix for a | prefix for an ISP holding a /32 allocation, and a /56 prefix for a | |||
| site holding a /48 allocation. | site holding a /48 allocation. | |||
| o For scenario 5 (an IPv6 network to an IPv4 network) and scenario 6 | o For scenario 5 (an IPv6 network to an IPv4 network) and scenario 6 | |||
| (an IPv4 network to an IPv6 network), we recommend using a /64 or | (an IPv4 network to an IPv6 network), we recommend using a /64 or | |||
| a /96 prefix. | a /96 prefix. | |||
| 3.4. Choice of Prefix for Stateful Translation Deployments | 3.4. Choice of Prefix for Stateful Translation Deployments | |||
| Organizations may deploy translation services based on stateful | Organizations may deploy translation services based on stateful | |||
| translation technology. An organization may decide to use either a | translation technology. An organization may decide to use either a | |||
| Network Specific Prefix or the Well-Known Prefix for its stateful | Network-Specific Prefix or the Well-Known Prefix for its stateful | |||
| IPv4/IPv6 translation service. | IPv4/IPv6 translation service. | |||
| When these services are used, IPv6 hosts are addressed through | When these services are used, IPv6 nodes are addressed through | |||
| standard IPv6 addresses, while IPv4 hosts are represented by IPv4- | standard IPv6 addresses, while IPv4 nodes are represented by IPv4- | |||
| Converted addresses, as specified in Section 2. | Converted IPv6 addresses, as specified in Section 2. | |||
| The stateful nature of the translation creates a potential stability | The stateful nature of the translation creates a potential stability | |||
| issue when the organization deploys multiple translators. If several | issue when the organization deploys multiple translators. If several | |||
| translators use the same prefix, there is a risk that packets | translators use the same prefix, there is a risk that packets | |||
| belonging to the same connection may be routed to different | belonging to the same connection may be routed to different | |||
| translators as the internal routing state changes. This issue can be | translators as the internal routing state changes. This issue can be | |||
| mitigated either by assigning different prefixes to different | avoided either by assigning different prefixes to different | |||
| translators, or by ensuring that all translators using same prefix | translators, or by ensuring that all translators using same prefix | |||
| coordinate their state. | coordinate their state. | |||
| Stateful translation can be used in scenarios defined in | Stateful translation can be used in scenarios defined in | |||
| [I-D.ietf-behave-v6v4-framework]. The Well Known Prefix SHOULD be | [I-D.ietf-behave-v6v4-framework]. The Well Known Prefix SHOULD be | |||
| used in most scenarios, with two exceptions: | used in these scenarios, with two exceptions: | |||
| o In all scenarios, the translation MAY use a Network Specific | o In all scenarios, the translation MAY use a Network-Specific | |||
| Prefix, if deemed appropriate for management reasons. | Prefix, if deemed appropriate for management reasons. | |||
| o The Well-Known Prefix MUST NOT be used for scenario 3 (the IPv6 | o The Well-Known Prefix MUST NOT be used for scenario 3 (the IPv6 | |||
| Internet to an IPv4 network), as this would lead to using the | Internet to an IPv4 network), as this would lead to using the | |||
| Well-Known Prefix with non global IPv4 addresses. That means a | Well-Known Prefix with non-global IPv4 addresses. That means a | |||
| Network Specific Prefix MUST be used in that scenario, for example | Network-Specific Prefix MUST be used in that scenario, for example | |||
| a /96 prefix compatible with the Well Known prefix format. | a /96 prefix compatible with the Well-Known prefix format. | |||
| 3.5. Choice of Suffix | 3.5. Choice of Suffix | |||
| The address format described in Section 2 recommends a zero suffix. | The address format described in Section 2 recommends a zero suffix. | |||
| Before making this recommendation, we considered different options: | Before making this recommendation, we considered different options: | |||
| checksum neutrality; the encoding of a port range; and a value | checksum neutrality; the encoding of a port range; and a value | |||
| different than 0. | different than 0. | |||
| In the case of stateless translation, there would be no need for the | In the case of stateless translation, there would be no need for the | |||
| translator to recompute complement to 1 checksum if both the IPv4- | translator to recompute a one's complement checksum if both the IPv4- | |||
| Translatable addresses and the IPv4-Converted address were | Translatable and the IPv4-Converted IPv6 addresses were constructed | |||
| constructed in a "checksum-neutral" manner, that is if the IPv6 | in a "checksum-neutral" manner, that is if the IPv6 addresses would | |||
| addresses would have the some complement to 1 checksum as the | have the same one's complement checksum as the embedded IPv4 address. | |||
| embedded IPv4 address. In the case of stateful translation, checksum | In the case of stateful translation, checksum neutrality does not | |||
| neutrality does eliminate checksums computation during translation, | eliminate checksum computation during translation, as only one of the | |||
| as only one of the two addresses would be checksum neutral. We | two addresses would be checksum neutral. We considered reserving 16 | |||
| considered reserving 16 bits in the suffix to guarantee checksum | bits in the suffix to guarantee checksum neutrality, but declined | |||
| neutrality, but declined because it would not help with stateful | because it would not help with stateful translation, and because | |||
| translation, because checksum neutrality can also be achieved by an | checksum neutrality can also be achieved by an appropriate choice of | |||
| appropriate choice of the Network Specific Prefix. The Well Known | the Network-Specific Prefix, as was done for example with the Well- | |||
| Prefix was chosen to provide checksum neutrality. | Known Prefix. | |||
| There have been proposals to complement stateless translation with a | There have been proposals to complement stateless translation with a | |||
| port-range feature. Instead of mapping an IPv4 address to exactly | port-range feature. Instead of mapping an IPv4 address to exactly | |||
| one IPv6 prefix, the options would allow several IPv6 hosts to share | one IPv6 prefix, the options would allow several IPv6 nodes to share | |||
| an IPv4 address, with each host managing a different range of ports. | an IPv4 address, with each node managing a different range of ports. | |||
| But these schemes are not yet specified in work group documents. If | If a port range extension is needed, it could be defined later, using | |||
| a port range extension is needed, it could be defined later, using | ||||
| bits currently reserved as null in the suffix. | bits currently reserved as null in the suffix. | |||
| When a /32 prefix is used, an all-zero suffix results in an all-zero | When a /32 prefix is used, an all-zero suffix results in an all-zero | |||
| interface identifier. We understand the conflict with Section 2.6.1 | interface identifier. We understand the conflict with Section 2.6.1 | |||
| of RFC4291, which specifies that all zeroes are used for the subnet- | of RFC4291, which specifies that all zeroes are used for the subnet- | |||
| router anycast address. However, in our specification, there would | router anycast address. However, in our specification, there would | |||
| be only one IPv4-Translatable node in the /64 subnet, and the anycast | be only one node with an IPv4-Translatable IPv6 address in the /64 | |||
| semantic would not create confusion. We thus decided to keep the | subnet, and the anycast semantic would not create confusion. We thus | |||
| null suffix for now. (This issue does not exist for prefixes larger | decided to keep the null suffix for now. This issue does not exist | |||
| than 32 bits, such as the /40, /56, /64 and /96 prefixes that we | for prefixes larger than 32 bits, such as the /40, /56, /64 and /96 | |||
| recommend in Section 3.3.) | prefixes that we recommend in Section 3.3. | |||
| 3.6. Choice of the Well-Known Prefix | 3.6. Choice of the Well-Known Prefix | |||
| Before making our recommendation of the Well-Known Prefix, we were | Before making our recommendation of the Well-Known Prefix, we were | |||
| faced with three choices: | faced with three choices: | |||
| o reuse the IPv4-mapped prefix, ::FFFF:0:0/96, as specified in RFC | o reuse the IPv4-mapped prefix, ::FFFF:0:0/96, as specified in RFC | |||
| 2765 Section 2.1; | 2765 Section 2.1; | |||
| o request IANA to allocate a /32 prefix, | o request IANA to allocate a /32 prefix, | |||
| o or request allocation of a new /96 prefix. | o or request allocation of a new /96 prefix. | |||
| We weighted the pros and cons of these choices before settling on the | We weighted the pros and cons of these choices before settling on the | |||
| recommended /96 Well-Known Prefix. | recommended /96 Well-Known Prefix. | |||
| The main advantage of the existing IPv4-mapped prefix is that it is | The main advantage of the existing IPv4-mapped prefix is that it is | |||
| already defined. Reusing that prefix will require minimal | already defined. Reusing that prefix would require minimal | |||
| standardization efforts. However, being already defined is not just | standardization efforts. However, being already defined is not just | |||
| and advantage, as there may be side effects of current | an advantage, as there may be side effects of current | |||
| implementations. When presented with the IPv4-mapped prefix, current | implementations. When presented with the IPv4-mapped prefix, current | |||
| versions of Windows and MacOS generate IPv4 packets, but will not | versions of Windows and MacOS generate IPv4 packets, but will not | |||
| send IPv6 packets. If we used the IPv4-mapped prefix, these hosts | send IPv6 packets. If we used the IPv4-mapped prefix, these nodes | |||
| would not be able to support translation without modification. This | would not be able to support translation without modification. This | |||
| will defeat the main purpose of the translation techniques. We thus | will defeat the main purpose of the translation techniques. We thus | |||
| eliminated the first choice, and decided to not reuse the IPv4-mapped | eliminated the first choice, and decided to not reuse the IPv4-mapped | |||
| prefix, ::FFFF:0:0/96. | prefix, ::FFFF:0:0/96. | |||
| A /32 prefix would have allowed the embedded IPv4 address to fit | A /32 prefix would have allowed the embedded IPv4 address to fit | |||
| within the top 64 bits of the IPv6 address. This would have | within the top 64 bits of the IPv6 address. This would have | |||
| facilitated routing and load balancing when an organization deploys | facilitated routing and load balancing when an organization deploys | |||
| several translators. However, such destination-address based load | several translators. However, such destination-address based load | |||
| balancing may not be desirable. It is not compatible with STUN in | balancing may not be desirable. It is not compatible with STUN in | |||
| skipping to change at page 12, line 36 ¶ | skipping to change at page 13, line 17 ¶ | |||
| According to Section 2.2 of [RFC4291], in the legal textual | According to Section 2.2 of [RFC4291], in the legal textual | |||
| representations of IPv6 addresses, dotted decimal can only appear at | representations of IPv6 addresses, dotted decimal can only appear at | |||
| the end. The /96 prefix is compatible with that requirement. It | the end. The /96 prefix is compatible with that requirement. It | |||
| enables the dotted decimal notation without requiring an update to | enables the dotted decimal notation without requiring an update to | |||
| [RFC4291]. This representation makes the address format easier to | [RFC4291]. This representation makes the address format easier to | |||
| use, and log files easier to read. | use, and log files easier to read. | |||
| The prefix that we recommend has the particularity of being "checksum | The prefix that we recommend has the particularity of being "checksum | |||
| neutral". The sum of the hexadecimal numbers "0064" and "FF9B" is | neutral". The sum of the hexadecimal numbers "0064" and "FF9B" is | |||
| "FFFF", i.e. a value equal to zero in complement to 1 arithmetic. An | "FFFF", i.e. a value equal to zero in one's complement arithmetic. | |||
| IPv4-Embedded IPv6 address constructed with this prefix will have the | An IPv4-Embedded IPv6 address constructed with this prefix will have | |||
| same complement to 1 checksum as the embedded IPv4 address. | the same one's complement checksum as the embedded IPv4 address. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| 4.1. Protection Against Spoofing | 4.1. Protection Against Spoofing | |||
| By and large, address translators can be modeled as special routers, | By and large, IPv4/IPv6 translators can be modeled as special | |||
| are subject to the same risks, and can implement the same | routers, are subject to the same risks, and can implement the same | |||
| mitigations. There is however a particular risk that directly | mitigations. There is however a particular risk that directly | |||
| derives from the practice of embedding IPv4 addresses in IPv6: | derives from the practice of embedding IPv4 addresses in IPv6: | |||
| address spoofing. | address spoofing. | |||
| An attacker could use an IPv4-Embedded address as the source address | An attacker could use an IPv4-Embedded IPv6 address as the source | |||
| of malicious packets. After translation, the packets will appear as | address of malicious packets. After translation, the packets will | |||
| IPv4 packets from the specified source, and the attacker may be hard | appear as IPv4 packets from the specified source, and the attacker | |||
| to track. If left without mitigation, the attack would allow | may be hard to track. If left without mitigation, the attack would | |||
| malicious IPv6 nodes to spoof arbitrary IPv4 addresses. | allow malicious IPv6 nodes to spoof arbitrary IPv4 addresses. | |||
| The mitigation is to implement reverse path checks, and to verify | The mitigation is to implement reverse path checks, and to verify | |||
| throughout the network that packets are coming from an authorized | throughout the network that packets are coming from an authorized | |||
| location. | location. | |||
| 4.2. Secure Configuration | 4.2. Secure Configuration | |||
| The prefixes and formats need to be the configured consistently among | The prefixes and formats need to be the configured consistently among | |||
| multiple devices in the same network (e.g., hosts that need to prefer | multiple devices in the same network (e.g., nodes that need to prefer | |||
| native over translated addresses, DNS gateways, and IPv4/IPv6 | native over translated addresses, DNS gateways, and IPv4/IPv6 | |||
| translators). As such, the means by which they are learned/ | translators). As such, the means by which they are learned/ | |||
| configured MUST be secure. Specifying a default prefix and/or format | configured MUST be secure. Specifying a default prefix and/or format | |||
| in implementations provides one way to configure them securely. Any | in implementations provides one way to configure them securely. Any | |||
| alternative means of configuration is responsible for specifying how | alternative means of configuration is responsible for specifying how | |||
| to do so securely. | to do so securely. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| The Well Known Prefix falls into the range ::/8 reserved by the IETF. | The Well Known Prefix falls into the range ::/8 reserved by the IETF. | |||
| skipping to change at page 15, line 37 ¶ | skipping to change at page 16, line 37 ¶ | |||
| draft-ietf-behave-v6v4-framework-03 (work in progress), | draft-ietf-behave-v6v4-framework-03 (work in progress), | |||
| October 2009. | October 2009. | |||
| [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and | [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and | |||
| E. Lear, "Address Allocation for Private Internets", | E. Lear, "Address Allocation for Private Internets", | |||
| BCP 5, RFC 1918, February 1996. | BCP 5, RFC 1918, February 1996. | |||
| [RFC3330] IANA, "Special-Use IPv4 Addresses", RFC 3330, | [RFC3330] IANA, "Special-Use IPv4 Addresses", RFC 3330, | |||
| September 2002. | September 2002. | |||
| [RFC3484] Draves, R., "Default Address Selection for Internet | ||||
| Protocol version 6 (IPv6)", RFC 3484, February 2003. | ||||
| [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix | [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix | |||
| Reserved for Documentation", RFC 3849, July 2004. | Reserved for Documentation", RFC 3849, July 2004. | |||
| [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway | [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway | |||
| Protocol 4 (BGP-4)", RFC 4271, January 2006. | Protocol 4 (BGP-4)", RFC 4271, January 2006. | |||
| Authors' Addresses | Authors' Addresses | |||
| Christian Huitema | Christian Huitema | |||
| Microsoft Corporation | Microsoft Corporation | |||
| End of changes. 73 change blocks. | ||||
| 169 lines changed or deleted | 206 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||