< draft-wing-nat-pt-replacement-comparison-01.txt   draft-wing-nat-pt-replacement-comparison-02.txt >
Behave and Softwires WGs D. Wing Behave and Softwires WGs D. Wing
Internet-Draft D. Ward Internet-Draft D. Ward
Intended status: Informational Cisco Intended status: Informational Cisco
Expires: March 30, 2009 A. Durand Expires: April 2, 2009 A. Durand
Comcast Comcast
September 26, 2008 September 29, 2008
A Comparison of Proposals to Replace NAT-PT A Comparison of Proposals to Replace NAT-PT
draft-wing-nat-pt-replacement-comparison-01 draft-wing-nat-pt-replacement-comparison-02
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 30, 2009. This Internet-Draft will expire on April 2, 2009.
Abstract Abstract
As we approach IPv4 address depletion, the IETF must provide for IPv4 As we approach IPv4 address depletion, the IETF must provide for IPv4
and IPv6 coexistence: a way for ISPs and enterprises to reduce and IPv6 coexistence: a way for ISPs and enterprises to reduce
public IPv4 address consumption and a way for hosts to migrate to public IPv4 address consumption and a way for hosts to migrate to
IPv6 connectivity -- while providing reasonable access for those IPv6 IPv6 connectivity -- while providing reasonable access for those IPv6
hosts to access the IPv4 Internet. hosts to access the IPv4 Internet.
This draft compares eight proposals for IPv6 and IPv4 coexistence. This draft compares eight proposals for IPv6 and IPv4 coexistence.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Overview of Proposals . . . . . . . . . . . . . . . . . . . . 5 3. Overview of Proposals . . . . . . . . . . . . . . . . . . . . 5
3.1. IPv4 hosts in Customer Premise . . . . . . . . . . . . . . 6 3.1. IPv4 hosts in Customer Premise . . . . . . . . . . . . . . 6
3.1.1. Address Plus Port (A+P) . . . . . . . . . . . . . . . 6 3.1.1. Address Plus Port (A+P) . . . . . . . . . . . . . . . 6
3.1.2. APB-Revised (APBR) . . . . . . . . . . . . . . . . . . 7 3.1.2. Stateless Address Mapping (SAM) (previously
APB-Revised) . . . . . . . . . . . . . . . . . . . . . 7
3.1.3. Dual-Stack Lite (DS-Lite) . . . . . . . . . . . . . . 9 3.1.3. Dual-Stack Lite (DS-Lite) . . . . . . . . . . . . . . 9
3.1.4. NAT444 . . . . . . . . . . . . . . . . . . . . . . . . 10 3.1.4. NAT444 . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2. IPv6 hosts in Customer Premise . . . . . . . . . . . . . . 11 3.2. IPv6 hosts in Customer Premise . . . . . . . . . . . . . . 11
3.2.1. IVI . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.2.1. IVI . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2.2. NAT6 . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2.2. NAT6 . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.2.3. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2.3. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . 13
3.2.4. NAT-PT . . . . . . . . . . . . . . . . . . . . . . . . 13 3.2.4. NAT-PT . . . . . . . . . . . . . . . . . . . . . . . . 13
3.2.5. sNAT-PT . . . . . . . . . . . . . . . . . . . . . . . 14 3.2.5. sNAT-PT . . . . . . . . . . . . . . . . . . . . . . . 14
4. Changes Required in Network Elements . . . . . . . . . . . . . 14 4. Changes Required in Network Elements . . . . . . . . . . . . . 15
4.1. IPv4 and IPv6 Hosts Accessing the IPv4 Internet . . . . . 15 4.1. IPv4 and IPv6 Hosts Accessing the IPv4 Internet . . . . . 15
4.2. IPv4 Hosts Accessing the IPv4 Internet . . . . . . . . . . 17 4.2. IPv4 Hosts Accessing the IPv4 Internet . . . . . . . . . . 18
4.3. IPv4 Internet Accessing IPv6 hosts . . . . . . . . . . . . 18 4.3. IPv4 Internet Accessing IPv6 hosts . . . . . . . . . . . . 19
5. Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . 18 5. Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . 19
5.1. Static Incoming Ports . . . . . . . . . . . . . . . . . . 19 5.1. Static Incoming Ports . . . . . . . . . . . . . . . . . . 20
5.2. Dynamic Incoming Ports . . . . . . . . . . . . . . . . . . 20 5.2. Dynamic Incoming Ports . . . . . . . . . . . . . . . . . . 21
6. Transport Protocol Support . . . . . . . . . . . . . . . . . . 21 6. Transport Protocol Support . . . . . . . . . . . . . . . . . . 21
7. Analysis with V6OPS's NAT64 Problem Statement . . . . . . . . 21 7. Analysis with V6OPS's NAT64 Problem Statement . . . . . . . . 22
8. Comparison of Proposals with NAT-PT Problems . . . . . . . . . 21 8. Comparison of Proposals with NAT-PT Problems . . . . . . . . . 22
8.1. Issues Unrelated to an DNS-ALG . . . . . . . . . . . . . . 21 8.1. Issues Unrelated to an DNS-ALG . . . . . . . . . . . . . . 22
8.1.1. Issues with Protocols Embedding IP Addresses . . . . . 21 8.1.1. Issues with Protocols Embedding IP Addresses . . . . . 22
8.1.2. NAPT-PT Redirection Issues . . . . . . . . . . . . . . 21 8.1.2. NAPT-PT Redirection Issues . . . . . . . . . . . . . . 22
8.1.3. NAT-PT Binding State Decay . . . . . . . . . . . . . . 22 8.1.3. NAT-PT Binding State Decay . . . . . . . . . . . . . . 22
8.1.4. Loss of Information through Incompatible Semantics . . 22 8.1.4. Loss of Information through Incompatible Semantics . . 22
8.1.5. NAT-PT and Fragmentation . . . . . . . . . . . . . . . 22 8.1.5. NAT-PT and Fragmentation . . . . . . . . . . . . . . . 22
8.1.6. NAT-PT Interaction with SCTP and Multihoming . . . . . 22 8.1.6. NAT-PT Interaction with SCTP and Multihoming . . . . . 22
8.1.7. NAT-PT as a Proxy Correspondent Node for MIPv6 . . . . 22 8.1.7. NAT-PT as a Proxy Correspondent Node for MIPv6 . . . . 23
8.1.8. NAT-PT and Multicast . . . . . . . . . . . . . . . . . 22 8.1.8. NAT-PT and Multicast . . . . . . . . . . . . . . . . . 23
8.2. Issues Exacerbated by the Use of DNS-ALG . . . . . . . . . 23 8.2. Issues Exacerbated by the Use of DNS-ALG . . . . . . . . . 23
8.2.1. Network Topology Constraints Implied by NAT-PT . . . . 23 8.2.1. Network Topology Constraints Implied by NAT-PT . . . . 23
8.2.2. Scalability and Single Point of Failure Concerns . . . 23 8.2.2. Scalability and Single Point of Failure Concerns . . . 23
8.2.3. Issues with Lack of Address Persistence . . . . . . . 23 8.2.3. Issues with Lack of Address Persistence . . . . . . . 23
8.2.4. DoS Attacks on Memory and Address/Port Pool . . . . . 23 8.2.4. DoS Attacks on Memory and Address/Port Pool . . . . . 24
8.3. Issues Directly Related to Use of DNS-ALG . . . . . . . . 23 8.3. Issues Directly Related to Use of DNS-ALG . . . . . . . . 24
8.3.1. Address Selection Issues when Communicating with 8.3.1. Address Selection Issues when Communicating with
Dual-Stack End-Hosts . . . . . . . . . . . . . . . . . 23 Dual-Stack End-Hosts . . . . . . . . . . . . . . . . . 24
8.3.2. Non-Global Validity of Translated RR Records . . . . . 23 8.3.2. Non-Global Validity of Translated RR Records . . . . . 24
8.3.3. Inappropriate Translation of Responses to A Queries . 24 8.3.3. Inappropriate Translation of Responses to A Queries . 24
8.3.4. DNS-ALG and Multi-Addressed Nodes . . . . . . . . . . 24 8.3.4. DNS-ALG and Multi-Addressed Nodes . . . . . . . . . . 24
8.3.5. Limitations on Deployment of DNS Security 8.3.5. Limitations on Deployment of DNS Security
Capabilities . . . . . . . . . . . . . . . . . . . . . 24 Capabilities . . . . . . . . . . . . . . . . . . . . . 24
8.4. Impact on IPv6 Application Development . . . . . . . . . . 25
8.4. Impact on IPv6 Application Development . . . . . . . . . . 24 9. Security Considerations . . . . . . . . . . . . . . . . . . . 25
9. Security Considerations . . . . . . . . . . . . . . . . . . . 24 9.1. Address Sharing . . . . . . . . . . . . . . . . . . . . . 25
9.1. Address Sharing . . . . . . . . . . . . . . . . . . . . . 24 9.2. IPsec Compatibility . . . . . . . . . . . . . . . . . . . 26
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 26
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
12.1. Normative References . . . . . . . . . . . . . . . . . . . 26 12.1. Normative References . . . . . . . . . . . . . . . . . . . 27
12.2. Informative References . . . . . . . . . . . . . . . . . . 27 12.2. Informative References . . . . . . . . . . . . . . . . . . 28
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . . 28 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . . 30
A.1. Changes from 00 to 01 . . . . . . . . . . . . . . . . . . 28 A.1. Changes from 01 to 02 . . . . . . . . . . . . . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 A.2. Changes from 00 to 01 . . . . . . . . . . . . . . . . . . 30
Intellectual Property and Copyright Statements . . . . . . . . . . 30 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30
Intellectual Property and Copyright Statements . . . . . . . . . . 32
1. Terminology 1. Terminology
The following terms are used throughout this document. The following terms are used throughout this document.
Address Family Translation (AFT): The function of translating from Address Family Translation (AFT): The function of translating from
one IP address family (IPv4 or IPv6) to another (IPv6 or IPv4). one IP address family (IPv4 or IPv6) to another (IPv6 or IPv4).
Carrier Grade NAT (CGN): A NAT device used by many subscribers Carrier Grade NAT (CGN): A NAT device used by many subscribers
(homes or end sites), where 'many' would be on the order of (homes or end sites), where 'many' would be on the order of
skipping to change at page 5, line 44 skipping to change at page 5, line 44
Individual proposals are discussed on the mailing list indicated in Individual proposals are discussed on the mailing list indicated in
this document. this document.
3. Overview of Proposals 3. Overview of Proposals
This document classifies the proposals into two categories. The This document classifies the proposals into two categories. The
first category provides IPv4 and IPv6 access to the subscriber, and first category provides IPv4 and IPv6 access to the subscriber, and
the second category provides only IPv6 access to the subscriber. In the second category provides only IPv6 access to the subscriber. In
both categories, IPv4 addresses are conserved by using a NAT device. both categories, IPv4 addresses are conserved by using a NAT device.
This NAT device is placed in the carrier's network ("Carrier Grade This NAT device is placed in the carrier's network ("Carrier Grade
NAT") or (in the case of APB-Revised) in the CPE router. In all NAT") or (in the case of A+P and SAM) in the CPE router. In all
proposals (except NAT444) a host can obtain native IPv6 connectivity proposals (except NAT444) a host can obtain native IPv6 connectivity
with native IPv6 hosts without regard to the co-existence proposal. with native IPv6 hosts without regard to the co-existence proposal.
The descriptions below provide a very brief overview of each The descriptions below provide a very brief overview of each
proposal, in alphabetical order. proposal, in alphabetical order.
3.1. IPv4 hosts in Customer Premise 3.1. IPv4 hosts in Customer Premise
For Internet access, the following proposals allow for IPv4 hosts in For Internet access, the following proposals allow for IPv4 hosts in
the customer premise. the customer premise.
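Review bot: The rewritten sentence in Section 3, "This NAT device is placed in the carrier's network ("Carrier Grade NAT") or (in the case of A+P and SAM) in the CPE router", does not cover the SAM-host and SAM-HC variants, where Section 3.1.2 states that "no NAT device is needed between the host and the public IPv4 network" and IPv4 addresses are conserved by assigning the subscriber a port range rather than by a NAT. Suggest qualifying it, e.g. "or, in the case of A+P and SAM, in the CPE router or avoided entirely by assigning each subscriber a port range", so the overview does not contradict the SAM-host description that follows.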
skipping to change at page 7, line 18 skipping to change at page 7, line 18
Dual-stack host--+ | Dual-stack host--+ |
|NAT| +--------+ +-------------+ |NAT| +--------+ +-------------+
IPv4 host----+ +===IPv6 tunnel===+ tunnel +--+IPv4 Internet| IPv4 host----+ +===IPv6 tunnel===+ tunnel +--+IPv4 Internet|
+---+ |concent.| +-------------+ +---+ |concent.| +-------------+
+--------+ +--------+
|<private IPv4>NAT<----------------------------public v4-----> |<private IPv4>NAT<----------------------------public v4----->
Figure 2: Address Plus Port, v6-only ISP (A+P-v6) Figure 2: Address Plus Port, v6-only ISP (A+P-v6)
3.1.2. APB-Revised (APBR) 3.1.2. Stateless Address Mapping (SAM) (previously APB-Revised)
APB-Revised (APBR) (no document yet available) shares each IPv4 Stateless Address Mapping (SAM) [I-D.despres-sam] shares each IPv4
address amongst several subscribers through a tunnel aggregation address amongst several subscribers through a tunnel aggregation
device. APBP was introduced in [I-D.despres-v6ops-apbp] and APB- device. The static mapping avoids the need for the service provider
Revised further evolves the concept so that mappings, between IPv6 equipment to NAT.
addresses and IPv4-address/port-ranges are static. The static
mapping avoids the need for the service provider equipment to NAT.
APBR can be implemented with subscriber site tunnel endpoints either SAM can be implemented with subscriber site tunnel endpoints either
in a router (CPE router or other router) or in the APBR host. In in a router (CPE router or other router) or in a SAM host. In both
both implementations, each subscriber site is assigned a subset of implementations, each subscriber site is assigned a shared IPv4
public IPv4 address range available to the CGN, typically limited to address (shared with other subscribers) and a port range. Figure 3
a single address and a restricted port range. Figure 3 shows the shows the SAM architecture in the case where the tunnel is
APBR architecture in the case where the tunnel is established between established between the CPE router (upgraded to support SAM) and the
the CPE router (upgraded to support APBR) and the APB-R-capable SAM-capable tunnel concentrator. Any IPv4 traffic from hosts behind
softwire tunnel concentrator. Any IPv4 traffic from hosts behind the the CPE router is NAT'd (using classic NAT44) and forwarded through
CPE router is NAT'd (using classic NAT44) and forwarded through the the tunnel to the SAM tunnel concentrator. The customer premise NATs
tunnel to the tunnel endpoint. The customer premise NATs using the using the external port range it is 'borrowing' from the SAM
external port range it is 'borrowing' from the APBR endpoint. This concentrator. This is abbreviated SAM-CPE in this document.
is abbreviated APBR-CPE in this document.
This proposal is discussed in [Softwires]. This proposal is discussed in [Softwires].
APBR allows for two implementations for IPv4 access. Figure 3 shows
APBR using a CGN (abbreviated APBR-CGN in this document).
+---+ +-------------+ +---+ +-------------+
IPv6 host-----+ | +----------------+IPv6 Internet| IPv6 host-----+ | +----------------+IPv6 Internet|
| +--IPv6------+ +-------------+ | +--IPv6------+ +-------------+
Dual-stack host--+ | +--------+ Dual-stack host--+ | +--------+
|NAT| | APB-R | +-------------+ |NAT| | SAM | +-------------+
IPv4 host----+ +===IPv6 tunnel===+softwire+--+IPv4 Internet| IPv4 host----+ +===IPv6 tunnel===+ tunnel +--+IPv4 Internet|
+---+ | tunnel | +-------------+ +---+ |concent.| +-------------+
|concent.|
+--------+ +--------+
|<private IPv4>NAT<----------------------------public v4------> |<private IPv4>NAT<----------------------------public v4------>
Figure 3: APBPR-CPE, tunnel between CPE and CGN Figure 3: SAM-CPE, tunnel between CPE and tunnel concentrator
In the figure above, the IPv6 tunnel is an IPv4-over-IPv6 tunnel. In the figure above, the IPv6 tunnel is an IPv4-over-IPv6 tunnel.
Figure 4 shows another APBR architecture where the tunnel is Figure 4 shows another SAM architecture where the tunnel is
established directly between the host (upgraded to support APBR) and established directly between the host (upgraded to support SAM) and
the APBR tunnel endpoint. Any IPv4 traffic from the APBR host is the SAM tunnel endpoint. Any IPv4 traffic from the SAM host is
routed through the tunnel to the APB-R-capable softwire tunnel routed through the tunnel to the SAM-capable tunnel concentrator.
concentrator. Tunnelling is sufficient; no NAT device is needed Tunnelling is sufficient; no NAT device is needed between the host
between the host and the public IPv4 network. This is abbreviated and the public IPv4 network. This is abbreviated SAM-host in this
APBR-host in this document. In Figure 4, the customer premise NAT document. In Figure 4, the customer premise NAT does not NAT traffic
does not NAT traffic to/from the APB-R host; however, it does NAT to/from the SAM host; however, it does NAT traffic to/from the IPv4-
traffic to/from the IPv4-only host. only host to support a non-SAM-capable IPv4 host.
+---+ +-------------+ +---+ +-------------+
IPv6 host-----+ | +----------------+IPv6 Internet| IPv6 host-----+ | +----------------+IPv6 Internet|
| +--IPv6------+ +-------------+ | +--IPv6------+ +-------------+
APB-R host--+ | +--------+ SAM host--+ | +--------+
|CPE| | APB-R | +-------------+ |CPE| | SAM | +-------------+
IPv4 host----+ +===IPv6 tunnel===+softwire+--+IPv4 Internet| IPv4 host----+ +===IPv6 tunnel===+ tunnel +--+IPv4 Internet|
+---+ | tunnel | +-------------+ +---+ |concent.| +-------------+
|concent.|
+--------+ +--------+
|<private IPv4>NAT<----------------------------public v4------> |<private IPv4>NAT<----------------------------public v4------>
Figure 4: APBR-host - tunnel between CPE and APBR tunnel endpoint Figure 4: SAM-host - tunnel between host and tunnel concentrator
Figure 5 shows the APBR architecture with two tunnels. One tunnel is Figure 5 shows the SAM architecture with two tunnels. One tunnel is
established between the CPE router and the APBR endpoint, and a established between the CPE router and the SAM endpoint, and a second
second tunnel between the subscriber host and the CPE router. In tunnel between the subscriber host and the CPE router. In this
this architecture, the CPE router is upgraded to establish a tunnel architecture, the CPE router is upgraded to establish a tunnel to the
to the APB-R-capable softwire tunnel concentrator (external side) and SAM-capable tunnel concentrator (external side) and to accept a
to accept a tunnel from the host (internal side); the APBR host IP tunnel from the host (internal side); the SAM-capable host IP stack
stack is upgraded to establish a tunnel to the CPE router. Any is upgraded to establish a tunnel to the CPE router. Any traffic
traffic from the APBR host is routed by the host's APBR stack and from the SAM-capable host is routed by the host's SAM stack and
forwarded through the tunnel to the CPE router. Tunnelling is forwarded through the tunnel to the CPE router. Tunnelling is
sufficient; no NAT device is needed between the host and the core sufficient; no NAT device is needed between the host and the core
IPv4 network. This is abbreviated APBR-HC (Host and CPE router) in IPv4 network. This is abbreviated SAM-HC (Host and CPE router) in
this document. this document.
+---+ +-------------+ +---+ +-------------+
IPv6 host-----+ | +----------------+IPv6 Internet| IPv6 host-----+ | +----------------+IPv6 Internet|
| +--IPv6------+ +-------------+ | +--IPv6------+ +-------------+
DS host==v4/v4==+ | +--------+ SAM host=v4/v4==+ | +--------+
|NAT| | APB-R | +-------------+ |NAT| | SAM | +-------------+
IPv4 host----+ +===IPv6 tunnel===+softwire+--+IPv4 Internet| IPv4 host----+ +===IPv6 tunnel===+ tunnel +--+IPv4 Internet|
+---+ | tunnel | +-------------+ +---+ |concent.| +-------------+
|concent.|
+--------+ +--------+
|<------- public v4 (partially in 2 consecutive tunnels ------> |<------- public v4 (partially in 2 consecutive tunnels ------>
|<-private v4-->|<--service provider IPv6--->|<----public v4--> |<-private v4-->|<--service provider IPv6--->|<----public v4-->
Figure 5: APBR-HC - tunnels between CPE and APBR-tunnel endpoint and Figure 5: SAM-HC - host and CPE tunnels
between host and CPE
3.1.3. Dual-Stack Lite (DS-Lite) 3.1.3. Dual-Stack Lite (DS-Lite)
Dual-Stack Lite (DS-Lite) provides a global IPv4 address that is Dual-Stack Lite (DS-Lite) [I-D.durand-softwire-dual-stack-lite]
shared amongst several subscribers through a CGN. Each subscriber provides a global IPv4 address that is shared amongst several
network is connected to the CGN through a tunnel, using IPv6 as the subscribers through a CGN. Each subscriber network is connected to
tunnel transport. All IPv4 traffic is sent inside of that tunnel. the CGN through a tunnel, using IPv6 as the tunnel transport. All
The tunnel endpoint implements Dual-Stack [RFC4213]. DS-lite is IPv4 traffic is sent inside of that tunnel. The tunnel endpoint
currently described in two Internet Drafts, implements Dual-Stack [RFC4213]. This draft is discussed in
[I-D.durand-dual-stack-lite] and [I-D.droms-softwires-snat], and is [Softwires].
discussed in [Softwires].
DS-Lite can be implemented with the tunnel endpoints either in a DS-Lite can be implemented with the tunnel endpoints either in a
router (CPE router or aggregation router) or in a host. In both router (CPE router or aggregation router) or in a host. In both
cases, a single subscriber IPv4 address or IPv4 prefix may overlap, cases, a single subscriber IPv4 address or IPv4 prefix may overlap,
or even be identical for all subscribers. Addresses from overlapping or even be identical for all subscribers. Addresses from overlapping
address spaces are disambiguated by the tunnels between the address spaces are disambiguated by the tunnels between the
subscriber networks and the CGN. subscriber networks and the CGN.
Figure 6 shows the DS-Lite architecture in the case where the tunnel Figure 6 shows the DS-Lite architecture in the case where the tunnel
is terminated in a router, which could be the CPE router or an is terminated in a router, which could be the CPE router or an
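Review bot: The -02 text in Section 3.1.2 says SAM "can be implemented with subscriber site tunnel endpoints either in a router (CPE router or other router) or in a SAM host", yet Figure 5 describes a third arrangement, SAM-HC, with tunnels in both; suggest "in a router, in a SAM host, or in both (SAM-HC, Figure 5)" so the enumeration matches the three figures. Dropping the -01 paragraph "APBR allows for two implementations for IPv4 access. Figure 3 shows APBR using a CGN (abbreviated APBR-CGN in this document)" is right, since Figure 3 was already labelled APBR-CPE and contains no CGN; the caption typo "APBPR-CPE" is fixed at the same time. Two wording points: the Figure 4 paragraph now ends "it does NAT traffic to/from the IPv4-only host to support a non-SAM-capable IPv4 host", which says the same thing twice, so "it does NAT traffic to/from the non-SAM-capable IPv4 host" suffices; and in Section 3.1.3 "This draft is discussed in [Softwires]" reads as if it meant the comparison document itself, so use "This proposal is discussed in [Softwires]" as every other subsection does. Since the body no longer cites [I-D.despres-v6ops-apbp], [I-D.durand-dual-stack-lite] or [I-D.droms-softwires-snat], check that the reference list in Section 12 drops them as well.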
skipping to change at page 11, line 5 skipping to change at page 10, line 52
The choice of encapsulation for the IPv6 tunnel is outside the scope The choice of encapsulation for the IPv6 tunnel is outside the scope
of this document. of this document.
3.1.4. NAT444 3.1.4. NAT444
NAT444 (no written proposal) would NAT twice: first using a NAT NAT444 (no written proposal) would NAT twice: first using a NAT
device in the customer premise (as typically deployed today) and device in the customer premise (as typically deployed today) and
another NAT device in the ISP's network (a CGN). This proposal is another NAT device in the ISP's network (a CGN). This proposal is
discussed in [Behave]. discussed in [Behave].
This proposal does not provide native IPv6 access to the subscriber, The subscriber could access the IPv6 Internet using Teredo [RFC4380].
but doesn't preclude it if the host or its CPE router wanted to use a
tunneling solution (e.g., Teredo [RFC4380])
+---+ +---+ +-------------+ The Teredo service could be provided by the ISP (shown as "Teredo
IPv4 host----+NAT+------IPv4---------+CGN+--+IPv4 Internet| relay-1") or on the Internet (shown as "Teredo relay-2").
+-------------+
+----------|IPv6 Internet|
| +-+-----------|
Teredo relay-1 |
| Teredo relay-2
| |
+---+ | +---+ +-+-----------+
IPv4 host----+NAT+------IPv4-----+---+CGN+--+IPv4 Internet|
+---+ +---+ +-------------+ +---+ +---+ +-------------+
|<private v4->NAT<-----private v4---->NAT<----public v4---> |<private v4->NAT<-----private v4---->NAT<----public v4--->
Figure 8: NAT444 Figure 8: NAT444
3.2. IPv6 hosts in Customer Premise 3.2. IPv6 hosts in Customer Premise
For access to the IPv4 Internet, the following proposals require IPv6 For access to the IPv4 Internet, the following proposals require IPv6
hosts in the customer premise, and do not support IPv4 hosts. These hosts in the customer premise, and do not support IPv4 hosts. These
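Review bot: Section 3.1.4 in -02 replaces "This proposal does not provide native IPv6 access to the subscriber, but doesn't preclude it if the host or its CPE router wanted to use a tunneling solution (e.g., Teredo [RFC4380])" with only "The subscriber could access the IPv6 Internet using Teredo [RFC4380]", which drops the statement that Section 3 still relies on ("In all proposals (except NAT444) a host can obtain native IPv6 connectivity"). Suggest keeping one sentence, e.g. "NAT444 itself provides no IPv6 access; the subscriber could reach the IPv6 Internet using Teredo [RFC4380]", so the two sections stay consistent. The expanded Figure 8 is a useful addition: it shows Teredo relay-1 on the ISP's IPv4 segment between the subscriber NAT and the CGN and Teredo relay-2 on the IPv4 Internet, which the new prose ("provided by the ISP" versus "on the Internet") now describes correctly.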
skipping to change at page 11, line 36 skipping to change at page 11, line 41
IVI ([I-D.xli-behave-ivi], [I-D.baker-behave-ivi]) uses an address IVI ([I-D.xli-behave-ivi], [I-D.baker-behave-ivi]) uses an address
and service architecture designed to facilitate transition from an and service architecture designed to facilitate transition from an
IPv4 Internet to an IPv6 Internet. This service contains three IPv4 Internet to an IPv6 Internet. This service contains three
parts: A DNS Application Layer Gateway, a stateful Network Address parts: A DNS Application Layer Gateway, a stateful Network Address
Translator that enables IPv6 clients to initiate connections to IPv4 Translator that enables IPv6 clients to initiate connections to IPv4
servers and peers, and a stateless Network Address Translator that servers and peers, and a stateless Network Address Translator that
enables IPv4 and IPv6 systems to interoperate freely. enables IPv4 and IPv6 systems to interoperate freely.
For an IPv6 host needing access to IPv4 hosts, IVI is similar to both For an IPv6 host needing access to IPv4 hosts, IVI is similar to both
SIIT [RFC2765] and NAT-PT [RFC2766] but with a different address SIIT [RFC2765] and NAT-PT [RFC2766] but with a different address
format. Rather than using the DNS-ALG described in [RFC2766], the format. IVI's DNS rewriting function (A to AAAA) returns an IPv6
DNS rewriting function (A to AAAA) is fixed and points to a specific address that routes to a specific translation gateway that advertises
IVI gateway, which removes the relationship between the NAT function that IPv6 prefix in the service provider's network. The DNS server
and DNS function. The DNS server may be in the IVI gateway or in a may be in the IVI gateway or in a separate system related to it.
separate system related to it.
IVI also allows IPv4 hosts to access a IPv6 host, using a stateless IVI also allows IPv4 hosts to access a IPv6 host, using a stateless
NAT. This is accomplished by providing the IPv6 host an IVI address, NAT. This is accomplished by providing the IPv6 host an IVI address,
which is simply an IPv6 address from a pool of IPv6 addresses. This which is simply an IPv6 address from a pool of IPv6 addresses. This
pool of IPv6 addresses has a fixed IPv4-to-IPv6 mapping algorithm pool of IPv6 addresses has a fixed IPv4-to-IPv6 mapping algorithm
applied to translate between the two address families and the applied to translate between the two address families and the
translation is implemented by an IVI gateway. The IPv6 address would translation is implemented by an IVI gateway. The IPv6 address would
be advertised in DNS with an A record, pointing to the IVI gateway. be advertised in DNS with an A record, pointing to the IVI gateway.
This allows IPv6-only hosts to have a presence on the IPv4 Internet. This allows IPv6-only hosts to have a presence on the IPv4 Internet.
In this scheme, subsets of the IPv4 addresses are embedded in prefix- In this scheme, subsets of the IPv4 addresses are embedded in prefix-
specific IPv6 addresses and these IPv6 addresses can therefore specific IPv6 addresses and these IPv6 addresses can therefore
communicate with the global IPv6 networks directly and can communicate with the global IPv6 networks directly and can
communicate with the global IPv4 networks via stateless (or almost communicate with the global IPv4 networks via stateless (or almost
stateless) gateways. DNS rewriting is not used, or necessary, for stateless) gateways. DNS rewriting is not used, or necessary, for
this fixed mapping of IPv4 addresses to IPv6 address. this fixed mapping of IPv4 addresses to IPv6 address.
This proposal is discussed in [Behave]. This proposal is discussed in [Behave].
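Review bot: The rewritten paragraph in Section 3.2.1 ("IVI's DNS rewriting function (A to AAAA) returns an IPv6 address that routes to a specific translation gateway ...") sits two paragraphs before the unchanged sentence "DNS rewriting is not used, or necessary, for this fixed mapping of IPv4 addresses to IPv6 address", and a reader can take the two as contradictory. Suggest making the direction explicit in the latter, e.g. "DNS rewriting is not used, or necessary, for IPv4 hosts reaching IVI-addressed IPv6 hosts, since that IPv4-to-IPv6 mapping is fixed", and correcting "IPv6 address" to "IPv6 addresses" there. Also, unchanged in both versions, "IVI also allows IPv4 hosts to access a IPv6 host" should read "an IPv6 host".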
skipping to change at page 13, line 21 skipping to change at page 13, line 30
| +-----+ | +-----+
+------+ | +----+NAT64+----+ +------+ | +----+NAT64+----+
IPv6 host-+ | | / +-----+ \ +-------------+ IPv6 host-+ | | / +-----+ \ +-------------+
| CPE +--IPv6-< >-+IPv4 Internet| | CPE +--IPv6-< >-+IPv4 Internet|
IPv6 host-+router| \ +-------------+ / +-------------+ IPv6 host-+router| \ +-------------+ / +-------------+
+------+ ++DNS rewriting|+ +------+ ++DNS rewriting|+
+-------------+ +-------------+
Figure 11: NAT64 Figure 11: NAT64
Note: the following network architecture is not described in NAT64
[I-D.bagnulo-behave-nat64], but is included here for completeness.
It is also possible to utilize NAT64 to access private IPv4 address It is also possible to utilize NAT64 to access private IPv4 address
(Figure 12). This is useful if there are a lot of IPv4 servers and (Figure 12). To perform this function, NAT64 allows using a locally-
it is too difficult or expensive to put each of them on a global IPv4 assigned IPv6 prefix out of the address block of the site running the
address, and it is not possible to upgrade them to IPv6. NAT64 device, and allows using a well-known prefix assigned to this
purpose.
IPv4 host IPv4 host
+-----+ / +-----+ /
IPv6------------+NAT64+-------<-IPv4 host IPv6------------+NAT64+-------<-IPv4 host
Internet +-----+ \ Internet +-----+ \
IPv4 host IPv4 host
NAT<--private IPv4----> NAT<--private IPv4---->
Figure 12: NAT64 to Private IPv4 Addresses Figure 12: NAT64 to Private IPv4 Addresses
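Review bot: The -02 text for Figure 12 ("NAT64 allows using a locally-assigned IPv6 prefix out of the address block of the site running the NAT64 device, and allows using a well-known prefix assigned to this purpose") lists both prefix options but never says which one the private-IPv4 case needs, and it drops the -01 motivation ("useful if there are a lot of IPv4 servers and it is too difficult or expensive to put each of them on a global IPv4 address, and it is not possible to upgrade them to IPv6"). Suggest keeping one sentence of motivation and stating explicitly which prefix type Figure 12 relies on, since a reader cannot tell from the paragraph whether the well-known prefix is meant to carry private IPv4 addresses at all. Removing the -01 note that this architecture "is not described in NAT64 [I-D.bagnulo-behave-nat64]" is only correct if the cited draft now describes it; otherwise keep the note.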
skipping to change at page 14, line 29 skipping to change at page 14, line 32
NAT-PT [RFC2766] and [RFC4966] can be discussed in [Behave]. NAT-PT [RFC2766] and [RFC4966] can be discussed in [Behave].
3.2.5. sNAT-PT 3.2.5. sNAT-PT
For an IPv6 host needing access to IPv4 hosts, sNAT-PT For an IPv6 host needing access to IPv4 hosts, sNAT-PT
[I-D.miyata-v6ops-snatpt] provides DNS rewriting and NAT [I-D.miyata-v6ops-snatpt] provides DNS rewriting and NAT
functionality. The DNS rewriting component is described in functionality. The DNS rewriting component is described in
[I-D.endo-v6ops-dnsproxy]. [I-D.endo-v6ops-dnsproxy].
sNAT-PT also provides access from the IPv4 Internet to IPv6 hosts
with a 1:1 mapping.
This proposal is discussed in [Behave]. This proposal is discussed in [Behave].
                                         +-------------+
                           +-------------+IPv6 Internet|
                           |             +-------------+
                           |      +-------+
          +------+         |   +--+sNAT-PT+---+
IPv6 host-+      |         | /    +-------+    \    +-------------+
          | CPE  +-IPv6----<                    >---+IPv4 Internet|
IPv6 host-+router|          \  +-------------+ /    +-------------+
          +------+           +-+DNS rewriting+-+
                               +-------------+

                            Figure 14: sNAT-PT
sNAT-PT also provides access from the IPv4 Internet to IPv6 hosts.
This can be done with a 1-for-1 mapping or with a 1-for-N mapping
using IPv4 ports. These do not require a DNS rewriting function.

                                        IPv4 host
                      +-------+        /
   IPv6---------------+sNAT-PT+-------<-IPv4 host
   Internet           +-------+        \
                                        IPv4 host
                           NAT<------------IPv4---->

                      Figure 15: sNAT-PT
4. Changes Required in Network Elements

This section describes changes to network elements for various
scenarios. In all cases, the content provider's DNS and content
provider's network do not need to change (except due to the problem
of port limitations as described in Section 2).

4.1. IPv4 and IPv6 Hosts Accessing the IPv4 Internet

For the case of an IPv4 host, IPv6 host, or dual-stack host that needs
to connect to IPv4 hosts on the Internet, the following table
summarizes the changes required to subscribers' hosts (when CPE
routers are present and when CPE routers are not present) and to some
network elements:
   +----------+-------------+--------------+------------+--------------+
   | Proposal | Subscriber  | Subscriber   | CPE router | ISP Access   |
   |          | Hosts w/CPE | Hosts w/o    |            | Edge Network |
   |          | router      | CPE router   |            |              |
   +----------+-------------+--------------+------------+--------------+
   | A+P-v4   | no change   | no change    | A+P        | route using  |
   |          |             | (A+P NAT     | support    | destination  |
   |          |             | would be     |            | port         |
   |          |             | performed by |            |              |
   |          |             | SP)          |            |              |
   +----------+-------------+--------------+------------+--------------+
   | A+P-v6   | no change   | no change    | A+P        | tunnel       |
   |          |             | (A+P NAT     | support    | concentrator |
   |          |             | would be     |            |              |
   |          |             | performed by |            |              |
   |          |             | SP)          |            |              |
   +----------+-------------+--------------+------------+--------------+
   | SAM-CPE  | no change   | (not         | SAM CPE    | tunnel       |
   |          |             | applicable)  |            | concentrator |
   +----------+-------------+--------------+------------+--------------+
   | SAM-host | SAM-host    | SAM-host     | no change  | tunnel       |
   |          |             |              |            | concentrator |
   +----------+-------------+--------------+------------+--------------+
   | SAM-HC   | SAM support | (not         | SAM CPE    | tunnel       |
   |          |             | applicable)  | internal & | concentrator |
   |          |             |              | external   |              |
   +----------+-------------+--------------+------------+--------------+
   | NAT444   | no change   | no change    | no change  | NAT v4v4     |
   +----------+-------------+--------------+------------+--------------+
   | DS-Lite  | no change   | (not         | DS-Lite    | NAT v4v4     |
   | router   |             | supported;   | CPE        | w/tunnel     |
   |          |             | use DS-Lite  |            |              |
   |          |             | host)        |            |              |
   +----------+-------------+--------------+------------+--------------+
   | DS-Lite  | (not        | DS-Lite v6   | no change  | NAT v4v4     |
   | host     | supported;  |              |            | w/tunnel     |
   |          | use DS-Lite |              |            |              |
   |          | router)     |              |            |              |
   +----------+-------------+--------------+------------+--------------+
   | IVI      | move to v6  | move to v6   | move to v6 | IVI + DNS    |
   |          |             |              |            | rewriting    |
   +----------+-------------+--------------+------------+--------------+
   | NAT6     | move to v6  | move to v6   | move to v6 | NAT6         |
   +----------+-------------+--------------+------------+--------------+
   | NAT64    | move to v6  | move to v6   | move to v6 | NAT64 + DNS  |
   |          |             |              |            | rewriting    |
   +----------+-------------+--------------+------------+--------------+
   | NAT-PT   | move to v6  | move to v6   | move to v6 | NAT-PT +     |
   |          |             |              |            | DNS-ALG      |
   +----------+-------------+--------------+------------+--------------+
   | sNAT-PT  | move to v6  | move to v6   | move to v6 | sNAT-PT +    |
   |          |             |              |            | DNS          |
   |          |             |              |            | rewriting    |
   +----------+-------------+--------------+------------+--------------+

            Table 1: Changes Required to Network Elements
For IPv6 hosts that access the IPv4 Internet, the following table
describes the high-level technologies used by each proposal.
   +----------+------------------+------------+------------------------+
   | Proposal | ISP's Internal   | DNS Impact | Carrier Grade NAT      |
   |          | Network          |            |                        |
   +----------+------------------+------------+------------------------+
   | A+P-v4   | IPv4 destination | no change  | (no CGN, if            |
   |          | port routing     |            | subscriber's NAT       |
   |          |                  |            | support A+P NAT)       |
   +----------+------------------+------------+------------------------+
   | A+P-v6   | IPv4/IPv6 tunnel | no change  | (no CGN, if            |
   |          |                  |            | subscriber's NAT       |
   |          |                  |            | support A+P NAT)       |
   +----------+------------------+------------+------------------------+
   | SAM      | IPv4/IPv6 tunnel | no change  | (no CGN)               |
   +----------+------------------+------------+------------------------+
   | DS-Lite  | IPv4/IPv6 tunnel | no change  | IPv4/IPv4              |
   | router   |                  |            |                        |
   +----------+------------------+------------+------------------------+
   | DS-Lite  | IPv4/IPv6 tunnel | no change  | IPv4/IPv4              |
   | host     |                  |            |                        |
   +----------+------------------+------------+------------------------+
   | NAT444   | (v6 not          | (v6 not    | (v6 not supported)     |
   |          | supported)       | supported) |                        |
   +----------+------------------+------------+------------------------+
   | IVI      | v4 NATted,       | DNS        | IPv6/IPv4              |
   |          | native v6        | rewriting  |                        |
   |          | address          |            |                        |
   +----------+------------------+------------+------------------------+
   | NAT64    | v4 NATted,       | DNS        | IPv6/IPv4              |
   |          | native v6        | rewriting  |                        |
   |          | address          |            |                        |
   +----------+------------------+------------+------------------------+
   | NAT-PT   | v4 NATted,       | DNS-ALG    | IPv6/IPv4              |
   |          | native v6        |            |                        |
   |          | address          |            |                        |
   +----------+------------------+------------+------------------------+
   | sNAT-PT  | v4 NATted,       | DNS        | IPv6/IPv4              |
   |          | native v6        | rewriting  |                        |
   |          | address          |            |                        |
   +----------+------------------+------------+------------------------+

            Table 2: IPv6 to IPv4 - technologies involved
4.2. IPv4 Hosts Accessing the IPv4 Internet

The following table compares the five mechanisms that support end
hosts running IPv4 to access the IPv4 Internet: SAM, Dual-Stack
Lite, NAT444.
   +----------+-------------------+-----------------+------------------+
   | Proposal | CPE router        | ISP's Internal  | Service Provider |
   |          |                   | Network         | Equipment        |
   +----------+-------------------+-----------------+------------------+
   | A+P-v4   | IPv6 support +    | IPv4 and IPv6   | destination port |
   |          | A+P NAT44         |                 | routing          |
   +----------+-------------------+-----------------+------------------+
   | A+P-v6   | IPv6 support +    | IPv6            | IPv6 tunnel      |
   |          | IPv4/IPv6 tunnel  |                 | termination      |
   |          | + A+P NAT44       |                 |                  |
   +----------+-------------------+-----------------+------------------+
   | SAM-CPE  | IPv6 support +    | IPv6            | IPv6 tunnel      |
   |          | IPv4/IPv6 tunnel  |                 | termination      |
   |          | + NAT44           |                 |                  |
   +----------+-------------------+-----------------+------------------+
   | DS-Lite  | IPv6 support +    | IPv6            | IPv6 tunnel      |
   | router   | IPv4/IPv6 tunnel  |                 | termination,     |
   |          |                   |                 | NAT44 (CGN)      |
   +----------+-------------------+-----------------+------------------+
   | DS-Lite  | IPv6 support (if  | IPv6 (if using  | IPv6 tunnel      |
   | host     | using DS-Lite     | DS-Lite IPv6    | termination,     |
   |          | IPv6 tunneling)   | tunneling)      | NAT44            |
   +----------+-------------------+-----------------+------------------+
   | NAT444   | no change         | multi-realm     | NAT44 (CGN)      |
   |          |                   | IPv4            |                  |
   +----------+-------------------+-----------------+------------------+

            Table 3: IPv4 Hosts Accessing the IPv4 Internet
skipping to change at page 20, line 38
   o  BitTorrent

   o  games (of particular note is that XBox uses UPnP IGD)

The solutions proposed for static ports are:

   A+P:  The subscriber's customer premises NAT can forward ports
      within the allocated port range. This port could be advertised
      by the subscriber using DNS SRV resource records or other means.

   SAM-host and SAM-HC:  assign a port in the available port range;
      advertise it with the IPv4 address using a DNS SRV resource
      record.

   Dual-Stack Lite:  none

   NAT444:  none

   IVI:  assign IPv6 IVI address to IPv6 hosts that require incoming
      IPv4 connections
skipping to change at page 21, line 26
   o  non-passive FTP client

   o  games (of particular note is that XBox uses UPnP IGD)

The solutions proposed for dynamic ports are:

   A+P:  An ALG can be incorporated into the subscriber's A+P-aware
      NAT, as done today with subscribers' NAT44 devices.

   SAM-host and SAM-HC:  assign a port in the available port range.

   Dual-Stack Lite:  none

   NAT444:  none (although it is reasonable to expect that ALGs, as
      they exist in today's IPv4 NATs, might be utilized)

   IVI:  assign IPv6 IVI address to IPv6 hosts that require incoming
      IPv4 connections

   NAT6:  none

   NAT64:  applications could be modified to support STUN (for TCP
      and UDP) to learn their public IPv4 address and TCP/UDP port.

   sNAT-PT:  assign IPv4 address to IPv6 hosts that require incoming
      IPv4 connections.
6. Transport Protocol Support
skipping to change at page 23, line 5
[[NAT64, NAT6, DS-Lite, and IVI all mention fragmentation. Need to
analyze how they differ.]]

8.1.6. NAT-PT Interaction with SCTP and Multihoming

IVI supports multi-homing if there is a 1:1 mapping between IPv4 and
IPv6 addresses. However, 1:1 mapping is not sustainable as we
approach IPv4 exhaustion.

SAM (both SAM-host and SAM-HC) supports SCTP.

sNAT-PT explicitly indicates SCTP is out-of-scope.

The other proposals are silent on this issue. All proposals seem to
be considering only TCP, UDP, and ICMP.
8.1.7. NAT-PT as a Proxy Correspondent Node for MIPv6

All proposals are silent on this issue.

8.1.8. NAT-PT and Multicast

IVI can support Source-Specific Multicast [RFC4607] (see Section 7 of
[I-D.xli-behave-ivi]).

Dual-Stack Lite does not support multicast.

NAT6 does not specify how it can work with multicast.

In sNAT-PT, multicasting in either direction requires manual mapping.

The other proposals are silent on this issue.

Note: it may be possible for IGMP messages to be propagated and
proxied [RFC4605] across their respective NAT device [RFC5135].
More study on this is needed.
8.2. Issues Exacerbated by the Use of DNS-ALG

8.2.1. Network Topology Constraints Implied by NAT-PT
skipping to change at page 25, line 36
subscriber access bandwidth (sharing between a subscriber's own
hosts). Subscribers are given an IP address(es) for their exclusive
use. With all of the NAT44 and NAT64 mechanisms proposed, an IPv4
address is shared amongst several subscribers.

This address sharing raises some security considerations, including
DoS potential (a subscriber might accidentally or purposefully use
all available ports, denying ports to other subscribers
[I-D.nishitani-cgn]) and spoofing (a subscriber might send a packet
with the correct IP address, but the port belongs to a different
subscriber). Address sharing causes false negatives and false
positives for existing IP address anti-spoofing mechanisms (DHCP
snooping, ARP security, ingress filtering [RFC2827]).
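The following Python is an added example (not text or code from the draft or from the A+P proposal) that models the two problems just described, port exhaustion and use of another subscriber's port, against the A+P edge router of Table 1 ("route using destination port") and the per-subscriber port range that Section 5 relies on. It assumes one shared public address, 192.0.2.1 (documentation space), split into contiguous port ranges, with each subscriber identified by the access link its packets arrive on. The port-aware ingress check is this example's extension of ingress filtering [RFC2827] to a shared address; the draft does not specify such a check.

```python
"""Added example, not text or code from the draft: a toy A+P edge router
and the two address-sharing problems of Section 9.1 (port exhaustion
and use of another subscriber's port).

Assumptions not stated in the draft: one shared public IPv4 address,
192.0.2.1 (documentation space), split into contiguous port ranges; a
subscriber is identified by the access link its packets arrive on. The
port-aware ingress check extends ingress filtering [RFC2827] to a
shared address and is this example's own, not the draft's.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SHARED_ADDRESS = "192.0.2.1"  # constructed shared public IPv4 address


@dataclass(frozen=True)
class PortRange:
    first: int
    last: int

    def __contains__(self, port: int) -> bool:
        return self.first <= port <= self.last

    def size(self) -> int:
        return self.last - self.first + 1


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class APEdgeRouter:
    """ISP access edge: "route using destination port" (Table 1, A+P-v4)."""

    def __init__(self, allocations: Dict[str, PortRange]) -> None:
        ordered = sorted(allocations.values(), key=lambda r: r.first)
        for a, b in zip(ordered, ordered[1:]):
            if a.last >= b.first:
                raise ValueError("port ranges must not overlap")
        self.allocations = allocations

    def route_inbound(self, pkt: Packet) -> Optional[str]:
        """Inbound from the Internet: the link owning the destination port."""
        if pkt.dst_ip != SHARED_ADDRESS:
            return None
        for link, rng in self.allocations.items():
            if pkt.dst_port in rng:
                return link
        return None  # nobody owns this port: drop rather than guess

    def ingress_check(self, link: str, pkt: Packet) -> Tuple[bool, str]:
        """Outbound from a subscriber link: source IP and port must be the link's."""
        rng = self.allocations.get(link)
        if rng is None:
            return False, "unknown access link"
        if pkt.src_ip != SHARED_ADDRESS:
            return False, "source address is not the shared address"
        if pkt.src_port not in rng:
            return False, "source port belongs to another subscriber's range"
        return True, "ok"


class SubscriberNAT:
    """The subscriber's A+P-aware NAT44: it may only hand out its own ports."""

    def __init__(self, rng: PortRange) -> None:
        self.rng = rng
        self.in_use: Set[int] = set()

    def allocate(self) -> Optional[int]:
        for port in range(self.rng.first, self.rng.last + 1):
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        return None  # this range is exhausted; neighbours are unaffected

    def free_ports(self) -> int:
        return self.rng.size() - len(self.in_use)


EXAMPLE_ALLOCATIONS = {  # constructed: two subscribers, 1024 ports each
    "link-A": PortRange(1024, 2047),
    "link-B": PortRange(2048, 3071),
}


def exhaustion_demo(greedy_link: str, flows: int) -> Dict[str, int]:
    """Ports left for every subscriber after one of them opens `flows` flows."""
    nats = {link: SubscriberNAT(r) for link, r in EXAMPLE_ALLOCATIONS.items()}
    for _ in range(flows):
        nats[greedy_link].allocate()
    return {link: nat.free_ports() for link, nat in nats.items()}


def demo() -> Dict[str, object]:
    edge = APEdgeRouter(EXAMPLE_ALLOCATIONS)
    reply = Packet("198.51.100.9", 443, SHARED_ADDRESS, 1500)     # toward link-A
    honest = Packet(SHARED_ADDRESS, 2100, "198.51.100.9", 80)    # link-B's own port
    spoofed = Packet(SHARED_ADDRESS, 1500, "198.51.100.9", 80)   # link-B using link-A's port
    return {
        "inbound_owner": edge.route_inbound(reply),
        "honest_accepted": edge.ingress_check("link-B", honest)[0],
        "spoof_accepted": edge.ingress_check("link-B", spoofed)[0],
        "ports_left": exhaustion_demo("link-A", 5000),
    }


if __name__ == "__main__":
    print(demo())
```

Because each subscriber owns a disjoint range, a subscriber that opens thousands of flows runs its own range dry without taking any port from its neighbour, and a packet whose source port is outside the range of the link it arrived on can be dropped at the edge. A plain address-only ingress filter would pass that packet, which is the false negative the paragraph above describes.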
For lack of a better identifier, many applications and systems use an
IPv4 address as an end-host identifier and take action based on that
identity. In the past, IP addresses sometimes provided additional
privileges (e.g., the ability to log in without a password using
Berkeley "r services"). This persists today with some systems (e.g.,
DHCP snooping, ARP security, and email Sender Policy Framework
(SPF)). Conversely, undesired behavior of a certain IP address can
cause servers to refuse to provide service. For example, excessive
connection attempts or excessive downloading can cause an HTTP server
to delay (or refuse) providing service to that IP address. As
another example, IP address blacklisting (e.g., DNSBL) might cause
e-mail from that IP address to be considered more likely to be spam.
Even with consumer NAT44, these systems work reasonably well because
excessive connection attempts or spam originating from any host
belonging to a subscriber is punished, without harming other
subscribers of that ISP. (Of course, some such systems apply their
rate limiting to entire subnets in order to purposefully punish other
subscribers of that ISP.) However, when an ISP aggregates many
subscribers behind the same public IPv4 address (such as used by all
systems described in this paper), all of those subscribers will
appear as one identity to the rest of the Internet. This will cause
problems with existing systems that equate an IPv4 address with an
identity, and take action based on such identities.
9.2. IPsec Compatibility
It is well known that IPsec AH [RFC4302] does not work with NAT
[RFC3715]. However, IPsec ESP [RFC4303] can work with NATs because
it does not include source or destination addresses in its keyed
message integrity check. It is possible to carry IPsec ESP over UDP
[RFC3948], which survives well over NATs at the expense of a UDP
header (8 bytes).
To avoid the UDP overhead and to allow for IPsec ESP endpoints that
do not support IPsec over UDP, many deployed IPv4 NAT devices provide
an "IPsec Passthru" feature, which uses the destination IP address
and the IPsec ESP Security Parameters Index (SPI) field to perform
its NAT function. However, "IPsec passthru" has some drawbacks (not
described here).
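As an added example (not text or code from the draft), the following Python makes the AH/ESP difference stated above concrete with a reduced packet model: the integrity check value (ICV) is an HMAC-SHA256 over the fields each protocol protects, which for AH includes the IP header with mutable fields (here only the TTL) zeroed, and for ESP only the ESP header and payload. Real header layouts, padding, encryption and the full mutable-field rules of RFC 4302 and RFC 4303 are left out; the key and addresses are constructed.

```python
"""Added example, not from the draft: why a NAT breaks IPsec AH but not ESP.

Simplified model, assumed for illustration: the ICV is an HMAC-SHA256
over the fields each protocol protects. For AH that is the IP header
with mutable fields (here only the TTL) zeroed, plus the AH header and
payload [RFC4302]; for ESP it is the ESP header and payload only
[RFC4303]. Real header layouts, padding and encryption are omitted.
Addresses are from documentation space.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace
from typing import Dict

KEY = b"constructed-integrity-key"  # constructed; a real SA key is negotiated


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int


@dataclass(frozen=True)
class IPsecPacket:
    proto: str          # "AH" or "ESP"
    ip: IPHeader
    spi: int
    seq: int
    payload: bytes
    icv: bytes = b""


def _ip_header_bytes(hdr: IPHeader, zero_mutable: bool) -> bytes:
    """IP header as covered by AH: TTL (mutable) is zeroed, addresses are not."""
    ttl = 0 if zero_mutable else hdr.ttl
    return struct.pack("!B4s4s", ttl,
                       ipaddress.IPv4Address(hdr.src).packed,
                       ipaddress.IPv4Address(hdr.dst).packed)


def compute_icv(pkt: IPsecPacket) -> bytes:
    """The bytes under the ICV differ: AH covers the IP header, ESP does not."""
    covered = struct.pack("!II", pkt.spi, pkt.seq) + pkt.payload
    if pkt.proto == "AH":
        covered = _ip_header_bytes(pkt.ip, zero_mutable=True) + covered
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def seal(pkt: IPsecPacket) -> IPsecPacket:
    """Sender side: attach the ICV."""
    return replace(pkt, icv=compute_icv(pkt))


def verify(pkt: IPsecPacket) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(pkt.icv, compute_icv(pkt))


def router_hop(pkt: IPsecPacket) -> IPsecPacket:
    """A plain router only decrements the TTL, a mutable field."""
    return replace(pkt, ip=replace(pkt.ip, ttl=pkt.ip.ttl - 1))


def nat_hop(pkt: IPsecPacket, public_src: str) -> IPsecPacket:
    """A NAT also rewrites the source address; the ICV is not touched."""
    hopped = router_hop(pkt)
    return replace(hopped, ip=replace(hopped.ip, src=public_src))


def demo() -> Dict[str, bool]:
    inside = IPHeader(src="10.0.0.5", dst="198.51.100.20", ttl=64)  # constructed
    ah = seal(IPsecPacket("AH", inside, spi=0x1001, seq=1, payload=b"plaintext"))
    esp = seal(IPsecPacket("ESP", inside, spi=0x2002, seq=1,
                           payload=b"\x9f\x12ciphertext"))
    return {
        "ah_after_router": verify(router_hop(ah)),
        "ah_after_nat": verify(nat_hop(ah, "192.0.2.1")),
        "esp_after_router": verify(router_hop(esp)),
        "esp_after_nat": verify(nat_hop(esp, "192.0.2.1")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV valid' if ok else 'ICV FAILS'}")
```

The AH packet still verifies after a router hop (the TTL is excluded from the ICV) but fails after the NAT rewrites the source address, while the ESP packet verifies in both cases. This is also why a NAT with "IPsec Passthru" can key its translation state on the destination address and the SPI: both are visible in the clear and neither is protected by the ESP ICV.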
10. Acknowledgements

Thanks to the authors of the contributions compared in this document,
Cullen Jennings (NAT6); Marcelo Bagnulo, Philip Matthews, Iljitsch
van Beijnum (NAT64); Xing Li, Maoke Chen, Congxiao Bao, Hong Zhang,
Jianping Wu, Fred Baker (IVI); Alain Durand, Ralph Droms, Brian
Haberman (DS-Lite); Tomohiro Nishitani, Shin Miyakawa (CGN); Remi
Despres (SAM); Hiroshi Miyata, Masahito Endo (sNAT-PT); Olaf Maennel,
Randy Bush, Luca Cittadini, Steven M. Bellovin (A+P).

Thanks to Fred Baker, Randy Bush, Wojciech Dec, Thomas Narten, Dave
Thaler and Eric Vyncke for their review and suggested improvements to
the document.
11. IANA Considerations

This document has no IANA actions.

12. References

12.1. Normative References

   [A+P]      Maennel, O., Bush, R., Cittadini, L., and S. Bellovin, "A
skipping to change at page 27, line 24
              Bagnulo, M., Matthews, P., and I. Beijnum, "NAT64/DNS64:
              Network Address and Protocol Translation from IPv6 Clients
              to IPv4 Servers", draft-bagnulo-behave-nat64-01 (work in
              progress), September 2008.

   [I-D.baker-behave-ivi]
              Li, X., Bao, C., Baker, F., and K. Yin, "IVI Update to
              SIIT and NAT-PT", draft-baker-behave-ivi-01 (work in
              progress), September 2008.

   [I-D.durand-softwire-dual-stack-lite]
              Durand, A., Droms, R., Haberman, B., and J. Woodyatt,
              "Dual-stack lite broadband deployments post IPv4
              exhaustion", draft-durand-softwire-dual-stack-lite-00
              (work in progress), September 2008.

   [I-D.endo-v6ops-dnsproxy]
              Endo, M. and H. Miyata, "Translator Friendly DNS Proxy",
              draft-endo-v6ops-dnsproxy-00 (work in progress),
              August 2008.

   [I-D.ietf-v6ops-nat64-pb-statement-req]
              Bagnulo, M., Baker, F., and I. Beijnum, "IPv4/IPv6
              Coexistence and Transition: Requirements for solutions",
              draft-ietf-v6ops-nat64-pb-statement-req-00 (work in
              progress), May 2008.

   [I-D.jennings-behave-nat6]
              Jennings, C., "NAT for IPv6-Only Hosts",
              draft-jennings-behave-nat6-00 (work in progress),
              July 2008.

   [I-D.miyata-v6ops-snatpt]
              Miyata, H. and M. Endo, "sNAT-PT: Simplified Network
              Address Translation - Protocol Translation",
              draft-miyata-v6ops-snatpt-02 (work in progress),
              September 2008.

   [I-D.nishitani-cgn]
              Nishitani, T. and S. Miyakawa, "Carrier Grade Network
              Address Translator (NAT) Behavioral Requirements for
              Unicast UDP, TCP and ICMP", draft-nishitani-cgn-00 (work
              in progress), July 2008.

   [I-D.xli-behave-ivi]
              Li, X., Chen, M., Bao, C., Zhang, H., and J. Wu, "Prefix-
skipping to change at page 28, line 28
12.2. Informative References 12.2. Informative References
[Behave] IETF, "BEHAVE working group mailing list", [Behave] IETF, "BEHAVE working group mailing list",
<https://www.ietf.org/mailman/listinfo/behave>. <https://www.ietf.org/mailman/listinfo/behave>.
[I-D.cheshire-nat-pmp] [I-D.cheshire-nat-pmp]
Cheshire, S., "NAT Port Mapping Protocol (NAT-PMP)", Cheshire, S., "NAT Port Mapping Protocol (NAT-PMP)",
draft-cheshire-nat-pmp-03 (work in progress), April 2008. draft-cheshire-nat-pmp-03 (work in progress), April 2008.
[I-D.despres-v6ops-apbp] [I-D.despres-sam]
Despres, R., "A Scalable IPv4-IPv6 Transition Architecture Despres, R., "Stateless Address Mapping with A+P Extended
Need for an address-port-borrowing-protocol (APBP)", IPv4 addressing (SAM)", draft-despres-sam-00 (work in
draft-despres-v6ops-apbp-01 (work in progress), July 2008. progress), September 2008.
[I-D.droms-softwires-snat]
Droms, R. and B. Haberman, "Softwires Network Address
Translation (SNAT)", draft-droms-softwires-snat-01 (work
in progress), July 2008.
[I-D.ietf-mmusic-ice] [I-D.ietf-mmusic-ice]
Rosenberg, J., "Interactive Connectivity Establishment Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT) (ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", Traversal for Offer/Answer Protocols",
draft-ietf-mmusic-ice-19 (work in progress), October 2007. draft-ietf-mmusic-ice-19 (work in progress), October 2007.
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, August 1999. RFC 2671, August 1999.
[RFC2765] Nordmark, E., "Stateless IP/ICMP Translation Algorithm [RFC2765] Nordmark, E., "Stateless IP/ICMP Translation Algorithm
(SIIT)", RFC 2765, February 2000. (SIIT)", RFC 2765, February 2000.
[RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address
Translation - Protocol Translation (NAT-PT)", RFC 2766, Translation - Protocol Translation (NAT-PT)", RFC 2766,
February 2000. February 2000.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC3715] Aboba, B. and W. Dixon, "IPsec-Network Address Translation
(NAT) Compatibility Requirements", RFC 3715, March 2004.
[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M.
Stenberg, "UDP Encapsulation of IPsec ESP Packets",
RFC 3948, January 2005.
[RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
for IPv6 Hosts and Routers", RFC 4213, October 2005. for IPv6 Hosts and Routers", RFC 4213, October 2005.
[RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
December 2005.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005.
[RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
Network Address Translations (NATs)", RFC 4380,
February 2006.
[RFC4605] Fenner, B., He, H., Haberman, B., and H. Sandick,
"Internet Group Management Protocol (IGMP) / Multicast
Listener Discovery (MLD)-Based Multicast Forwarding
("IGMP/MLD Proxying")", RFC 4605, August 2006.
[RFC4607] Holbrook, H. and B. Cain, "Source-Specific Multicast for
UPnP Forum, "Universal Plug and Play Internet Gateway
Device", 2000,
<http://www.upnp.org/standardizeddcps/igd.asp>.
[v4v6interm-interest]
IETF, "v4v6interm-interest mailing list",
<https://www.ietf.org/mailman/listinfo/v4v6interm-interest>.
Appendix A. Changes
A.1. Changes from 01 to 02
o Updated DS-Lite reference; no changes to text
o Updated from APB-Revised to SAM; changed text
o Updated sNAT-PT reference; added description of IPv4-to-IPv6 1:N
port mapping
o Mentioned policing difficulties for shared addresses (DHCP
snooping, ARP security, ingress filtering)
o Discuss IPsec compatibility
o Added explanation of how NAT444 can support IPv6 using Teredo
A.2. Changes from 00 to 01
o Added A+P
o Refined security considerations for sharing addresses
o "CPE" -> "CPE router"
o Removed NAPT definition (we use NAT to mean NAPT, as is done
colloquially)