idnits 2.17.1 draft-chen-v6ops-nat64-cpe-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 179: '...ach NAT64 device MUST have at least on...' RFC 2119 keyword, line 182: '...4-CGN-R2:A NAT64 MUST have one or more...' RFC 2119 keyword, line 186: '... MUST silently discard all incoming ...' RFC 2119 keyword, line 189: '...CGN-R4:The NAT64 MUST only process inc...' RFC 2119 keyword, line 191: '... the NAT64 MUST only process incomin...' (11 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (Oct 2011) is 4576 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'RFC6147' is defined on line 300, but no explicit reference was found in the text == Unused Reference: 'RFC6204' is defined on line 305, but no explicit reference was found in the text ** Obsolete normative reference: RFC 6145 (Obsoleted by RFC 7915) ** Obsolete normative reference: RFC 6204 (Obsoleted by RFC 7084) Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force G. Chen 3 Internet-Draft China Mobile 4 Intended status: Informational Oct 2011 5 Expires: April 3, 2012 7 NAT64 Operational Considerations 8 draft-chen-v6ops-nat64-cpe-03 10 Abstract 12 The document has summarized NAT64 usages on different modes, in which 13 NAT64 may serve for a large-scale network or would give enterprise or 14 residential service opportunities to be accessed by IPv6 remote 15 subscribers. The document has described different operations for 16 each usage and proposed operational considerations for each 17 particular NAT64-mode. 19 Status of this Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on April 3, 2012. 36 Copyright Notice 38 Copyright (c) 2011 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 This document may contain material from IETF Documents or IETF 52 Contributions published or made publicly available before November 53 10, 2008. The person(s) controlling the copyright in some of this 54 material may not have granted the IETF Trust the right to allow 55 modifications of such material outside the IETF Standards Process. 56 Without obtaining an adequate license from the person(s) controlling 57 the copyright in such materials, this document may not be modified 58 outside the IETF Standards Process, and derivative works of it may 59 not be created outside the IETF Standards Process, except to format 60 it for publication as an RFC or to translate it into languages other 61 than English. 63 Table of Contents 65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 2. NAT64-CGN Deployment . . . . . . . . . . . . . . . . . . . . . 3 67 2.1. Deployment in IDC . . . . . . . . . . . . . . . . . . . . . 3 68 2.2. Connecting with IPv4 Internet . . . . . . . . . . . . . . . 4 69 2.3. NAT64-CGN Mode Requirements . . . . . . . . . . . . . . . . 5 70 3. NAT64-CE Mode . . . . . . . . . . . . . . . . . . . . . . . . . 6 71 3.1. NAT64 at Enterprise Network Edge . . . . . . . . . . . . . 6 72 3.2. NAT64 at Residential Network Edge . . . . . . . . . . . . . 7 73 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 74 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 75 6. Normative References . . . . . . . . . . . . . . . . . . . . . 8 76 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8 78 1. Introduction 80 With fast developments of global Internet, the demands for IP address 81 are rapidly increasing at present.This year, IANA announced that the 82 global free pool of IPv4 depleted on 3 February. IPv6 is the only 83 real option on the table. Operators have to accelerate the process 84 of deploying IPv6 networks in order to address IP address 85 strains.IPv6 deployment normally involves a step-wise approach where 86 parts of the network should properly updated gradually. As IPv6 87 deployment progresses it may be simpler for operators and ICP/ISP to 88 employ NAT64[RFC6146] functionalities at edge of IPv4 and IPv6 89 networks, since a significant part of network will still stay in IPv4 90 for long time. Especially, NAT64 could facilitate large ICP/ISP IPv6 91 transition process by eliminating upgrations of tremendous legacy 92 IPv4 servers. Therefore, it's quite popular to deploy NAT64 at the 93 front of IDC to shift the entire service to be IPv6-enable. 95 Depending on different usage, NAT64 could be deployed on different 96 places. The document has summarized NAT64 usages on different modes. 97 Considering the existing deployment approaches, the memo has proposed 98 different operational consideration for each particular NAT64-mode. 100 2. NAT64-CGN Deployment 102 2.1. Deployment in IDC 104 NAT has widely used in data center environments whenever IDC have to 105 make your IPv4-only content available to IPv6 clients. 107 Figure 1 illustrates the usage where an IPv6-only host would like to 108 initiate communications with IDC in IPv4 domain through NAT64. The 109 NAT64 would accept IPv6 incoming session and distribute them to 110 multiple IPv4 servers. 112 +----------------------+ +------------------------------+ 113 | IPv6-only network | | IPv4 IDC | 114 | | | | 115 | | | | 116 | | | +----------+ | 117 | +----+ +---------+ | | | 118 | | H1 |-----------| NAT64 |-------------| Servers | | 119 | +----+ +---------+ | | | 120 | v6 only / | | \ +----------+ | 121 | Host / | | \ IPv4-only | 122 | +------+ | | +-----+ | 123 | |DNS64 | | | | DNS | | 124 | +------+ | | +-----+ | 125 +----------------------+ +------------------------------+ 127 Figure 1: NAT64-CGN Mode Usage 129 NAT64 device in IDC may also take responsibilities of load balancer, 130 which can accept incoming TCP/UDP sessions on a single virtual IPv6 131 interface or multiple IPv6 interfaces. Afterwards, it distributes 132 them according to a specific algorithm it uses to multiple IPv4 133 servers. Ideally you could have a mix of IPv4 and IPv6 servers 134 sitting behind the virtual IPv6 address. 136 Therein, NAT64 has to pick a new source IPv4 address and associated 137 port number from local IPv4 address pool. DNS64 is a logical 138 function that synthesizes DNS resource records(e.g., AAAA records 139 containing IPv6 addresses) from DNS resource records actually 140 contained in the DNS (e.g., A records containing IPv4 addresses). 142 2.2. Connecting with IPv4 Internet 144 NAT64 may also be used to connecting IPv6 users with IPv4 Internet. 145 In this cases, NAT64 could colocated with BNG or Core Router to map 146 legacy IPv4 servers into a NAT64 prefix and performs 6-to-4 address. 148 Therein, NAT64 would perform protocol translation mechanism and 149 address translation mechanism. Protocol translation from an IPv4 150 packet header to an IPv6 packet header and vice versa is performed 151 according to the IP/ICMP Translation Algorithm [RFC6145]. Address 152 translation maps IPv6 transport addresses to IPv4 transport addresses 153 and vice versa. 155 Following illustrates normal process for this usage. 157 o Step1: IPv6-only host performs an AAAA DNS query to DNS64 for the 158 IPv6 address of the Pv4-only sever. 160 o Step2: DNS64 could not find the IPv6 address of the IPv4-only 161 sever. So it tries to get the IPv4 address of the Pv4-only sever 162 by sending A DNS query to DNS4. 164 o Step3: DNS4 return the A record to the DNS64. 166 o Step4: DNS64 map the IPv4 address to IPv6 address and send a 167 synthetic AAAA record which is translated from A record to IPv6- 168 only host. 170 o Step5: IPv6-only host send the IPv6 packet to the NAT64. NAT64 171 translates the IPv6 packet to IPv4 packet and send it to IPv4-only 172 server. 174 2.3. NAT64-CGN Mode Requirements 176 According to above description for NAT64-CGN, the NAT64-CGN 177 requirements are listed as following. 179 NAT64-CGN-R1: Each NAT64 device MUST have at least one unicast IPv6 180 prefix assigned to it, denoted Pref64::/n. 182 NAT64-CGN-R2:A NAT64 MUST have one or more unicast IPv4 addresses 183 assigned to it. 185 NAT64-CGN-R3:Irrespective of the transport protocol used, the NAT64 186 MUST silently discard all incoming IPv6 packets containing a source 187 address that contains the Pref64::/n. 189 NAT64-CGN-R4:The NAT64 MUST only process incoming IPv6 packets that 190 contain a destination address that contains Pref64::/n. Likewise, 191 the NAT64 MUST only process incoming IPv4 packets that contain a 192 destination address that belongs to the IPv4 pool assigned to the 193 NAT64. 195 NAT64-CGN-R5:NAT64 MUST support the algorithm for generating IPv6 196 representations of IPv4 addresses defined in RFC6052 as Address 197 Translation Algorithms. 199 NAT64-CGN-R6:For incoming packets carrying TCP or UDP fragments with 200 a non-zero checksum, NAT64 MAY elect to queue the fragments as they 201 arrive and translate all fragments at the same time. 203 NAT64-CGN-R7: For incoming IPv4 packets carrying UDP packets with a 204 zero checksum, if the NAT64 has enough resources, the NAT64 MUST 205 reassemble the packets and MUST calculate the checksum. If the NAT64 206 does not have enough resources, then it MUST silently discard the 207 packets. 209 NAT64-CGN-R8: The NAT64 MAY require that the UDP, TCP, or ICMP header 210 be completely contained within the fragment that contains fragment 211 offset equal to zero. 213 NAT64-CGN-R9:The NAT64 MUST limit the amount of resources devoted to 214 the storage of fragmented packets in order to protect from DoS 215 attacks. 217 NAT64-CGN-R10:The NAT64 MUST make fragmentation process when MTU of 218 incoming IPv4 traffic exceed maximum MTU on IPv6 side. 220 NAT64-CGN-R11:The NAT64 MAY let hosts and applications know IPv6 221 prefix used by the NAT64 and DNS64 so as to hosts have knowledge 222 whether synthetic IPv6 address is targeted. 224 NAT64-CGN-R12:The NAT64 MAY decouple with DNS64 in order to establish 225 communication with IPv4-only servers. 227 NAT64-CGN-R13:The NAT64 MAY take load-balancing functionalities 228 incorporating with DNS64. 230 3. NAT64-CE Mode 232 NAT64-CE mode represents usages where there NAT64 is closed to 233 customer edges, like enterprise network edge or residential network 234 edge. 236 3.1. NAT64 at Enterprise Network Edge 238 Some enterprise would like to offers their employees with IPv6 239 access. However, the service may still stay in IPv4 domain. NAT64 240 useges in enterprise network could help shift all enterprise service 241 to be IPv6 enable. 243 Figure 2 illustrates a network usage where an IPv6-only client 244 attached to a dual-stack network, but the destination server is 245 running on a private site where there is NAT64-CE numbered with 246 public IPv6 addresses and private IPv4 addresses. 248 +----------------------+ +------------------------------+ 249 | Dual Stack Internet | | IPv4 Private site (Net 10) | 250 | | | | 251 | | | | 252 | | | +----------+ | 253 | +----+ +---------+ | | | 254 | | H1 |-----------|NAT64-CE |-------------| Server | | 255 | +----+ +---------+ | | | 256 | v6 only / | | +----------+ | 257 | Host / | | IPv4-only | 258 | +-----+ | | etc. 10.1.1.1 | 259 | | DNS | | | | 260 | +-----+ | | | 261 +----------------------+ +------------------------------+ 263 Figure 2: NAT64-CPE Mode Usage 265 3.2. NAT64 at Residential Network Edge 267 Residential servers are usually going beyond the operator's 268 management. They may not able to IPv6-enable due to limitations of 269 application supporting. In this case, ISP is still assigning private 270 IPv4 address to servers. However, The nature of private IPv4 would 271 block the end-to-end bi-directional communications. On the other 272 hand, IPv6 will bring end-to-end benefits to operators. NAT64-CPE 273 mode could let IPv6 users to access such IPv6-disable services in 274 residential areas. 276 This scenario may appears in ISP network for several cases. As the 277 instances, visitors go through distant network to take care of family 278 affairs, like monitoring house security via residential camera, 279 manipulating household appliances remotely prior to comeback home. 281 4. Security Considerations 283 Essentially, there are strong demands to have thorough security 284 mechanism to prevent privacy invasion in NAT64-CPE scenario. The 285 detailed considerations need to be further identified. 287 5. IANA Considerations 289 This memo includes no request to IANA. 291 6. Normative References 293 [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation 294 Algorithm", RFC 6145, April 2011. 296 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 297 NAT64: Network Address and Protocol Translation from IPv6 298 Clients to IPv4 Servers", RFC 6146, April 2011. 300 [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van 301 Beijnum, "DNS64: DNS Extensions for Network Address 302 Translation from IPv6 Clients to IPv4 Servers", RFC 6147, 303 April 2011. 305 [RFC6204] Singh, H., Beebee, W., Donley, C., Stark, B., and O. 306 Troan, "Basic Requirements for IPv6 Customer Edge 307 Routers", RFC 6204, April 2011. 309 Author's Address 311 Gang Chen 312 China Mobile 313 53A,Xibianmennei Ave., 314 Xuanwu District, 315 Beijing 100053 316 China 318 Email: chengang@chinamobile.com