idnits 2.17.1 draft-ietf-behave-v6v4-xlate-23.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 18, 2010) is 4931 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Obsolete normative reference: RFC 1883 (Obsoleted by RFC 2460) ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 2765 (Obsoleted by RFC 6145) -- Obsolete informational reference (is this intentional?): RFC 879 (Obsoleted by RFC 7805, RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 2766 (Obsoleted by RFC 4966) Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 behave X. Li 3 Internet-Draft C. Bao 4 Obsoletes: 2765 (if approved) CERNET Center/Tsinghua University 5 Intended status: Standards Track F. Baker 6 Expires: March 22, 2011 Cisco Systems 7 September 18, 2010 9 IP/ICMP Translation Algorithm 10 draft-ietf-behave-v6v4-xlate-23 12 Abstract 14 This document describes the Stateless IP/ICMP Translation Algorithm 15 (SIIT), which translates between IPv4 and IPv6 packet headers 16 (including ICMP headers). This document obsoletes RFC2765. 18 Status of this Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on March 22, 2011. 35 Copyright Notice 37 Copyright (c) 2010 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 This document may contain material from IETF Documents or IETF 51 Contributions published or made publicly available before November 52 10, 2008. The person(s) controlling the copyright in some of this 53 material may not have granted the IETF Trust the right to allow 54 modifications of such material outside the IETF Standards Process. 55 Without obtaining an adequate license from the person(s) controlling 56 the copyright in such materials, this document may not be modified 57 outside the IETF Standards Process, and derivative works of it may 58 not be created outside the IETF Standards Process, except to format 59 it for publication as an RFC or to translate it into languages other 60 than English. 62 Table of Contents 64 1. Introduction and Motivation . . . . . . . . . . . . . . . . . 3 65 1.1. IPv4-IPv6 Translation Model . . . . . . . . . . . . . . . 3 66 1.2. Applicability and Limitations . . . . . . . . . . . . . . 3 67 1.3. Stateless vs. Stateful Mode . . . . . . . . . . . . . . . 4 68 1.4. Path MTU Discovery and Fragmentation . . . . . . . . . . . 5 69 2. Changes from RFC2765 . . . . . . . . . . . . . . . . . . . . . 5 70 3. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 6 71 4. Translating from IPv4 to IPv6 . . . . . . . . . . . . . . . . 6 72 4.1. Translating IPv4 Headers into IPv6 Headers . . . . . . . . 8 73 4.2. Translating ICMPv4 Headers into ICMPv6 Headers . . . . . . 10 74 4.3. Translating ICMPv4 Error Messages into ICMPv6 . . . . . . 14 75 4.4. Generation of ICMPv4 Error Message . . . . . . . . . . . . 14 76 4.5. Transport-layer Header Translation . . . . . . . . . . . . 15 77 4.6. Knowing When to Translate . . . . . . . . . . . . . . . . 15 78 5. Translating from IPv6 to IPv4 . . . . . . . . . . . . . . . . 16 79 5.1. Translating IPv6 Headers into IPv4 Headers . . . . . . . . 17 80 5.1.1. IPv6 Fragment Processing . . . . . . . . . . . . . . . 19 81 5.2. Translating ICMPv6 Headers into ICMPv4 Headers . . . . . . 20 82 5.3. Translating ICMPv6 Error Messages into ICMPv4 . . . . . . 23 83 5.4. Generation of ICMPv6 Error Message . . . . . . . . . . . . 24 84 5.5. Transport-layer Header Translation . . . . . . . . . . . . 24 85 5.6. Knowing When to Translate . . . . . . . . . . . . . . . . 24 86 6. Special Considerations for ICMPv6 Packet Too Big . . . . . . . 24 87 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 88 8. Security Considerations . . . . . . . . . . . . . . . . . . . 26 89 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 26 90 10. Appendix: Stateless translation workflow example . . . . . . . 27 91 10.1. H6 establishes communication with H4 . . . . . . . . . . . 28 92 10.2. H4 establishes communication with H6 . . . . . . . . . . . 29 93 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30 94 11.1. Normative References . . . . . . . . . . . . . . . . . . . 30 95 11.2. Informative References . . . . . . . . . . . . . . . . . . 31 96 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 32 98 1. Introduction and Motivation 100 This document is a product of the 2008-2010 effort to define a 101 replacement for NAT-PT [RFC2766]. It is directly derivative from 102 Erik Nordmark's "Stateless IP/ICMP Translation Algorithm (SIIT)" 103 [RFC2765], which provides stateless translation between IPv4 104 [RFC0791] and IPv6 [RFC2460], and between ICMPv4 [RFC0792] and ICMPv6 105 [RFC4443]. This document obsoletes RFC2765 [RFC2765]. The changes 106 from RFC2765 [RFC2765] are listed in Section 2. 108 Readers of this document are expected to have read and understood the 109 framework described in [I-D.ietf-behave-v6v4-framework]. 110 Implementations of this IPv4/IPv6 translation specification MUST also 111 support the address translation algorithms in 112 [I-D.ietf-behave-address-format]. Implementations MAY also support 113 stateful translation [I-D.ietf-behave-v6v4-xlate-stateful]. 115 1.1. IPv4-IPv6 Translation Model 117 The translation model consists of two or more network domains 118 connected by one or more IP/ICMP translators (XLATs) as shown in 119 Figure 1. 121 --------- --------- 122 // \\ // \\ 123 / +----+ \ 124 | |XLAT| | XLAT: IP/ICMP 125 | IPv4 +----+ IPv6 | Translator 126 | Domain | | Domain | 127 | | | | 128 \ | | / 129 \\ // \\ // 130 -------- --------- 132 Figure 1: IPv4-IPv6 Translation Model 134 The scenarios of the translation model are discussed in 135 [I-D.ietf-behave-v6v4-framework]. 137 1.2. Applicability and Limitations 139 This document specifies the translation algorithms between IPv4 140 packets and IPv6 packets. 142 As with [RFC2765], the translating function specified in this 143 document does not translate any IPv4 options and it does not 144 translate IPv6 extension headers except fragmentation header. 146 The issues and algorithms in the translation of datagrams containing 147 TCP segments are described in [RFC5382]. 149 Fragmented IPv4 UDP packets that do not contain a UDP checksum (i.e., 150 the UDP checksum field is zero) are not of significant use in the 151 Internet and in general will not be translated by the IP/ICMP 152 translator. However, when the translator is configured to forward 153 the packet without a UDP checksum, the fragmented IPv4 UDP packets 154 will be translated. 156 Fragmented ICMP/ICMPv6 packets will not be translated by the IP/ICMP 157 translator. 159 The IP/ICMP header translation specified in this document is 160 consistent with requirements of multicast IP/ICMP headers. However 161 IPv4 multicast addresses [RFC5771] cannot be mapped to IPv6 multicast 162 addresses [RFC3307] based on the unicast mapping rule 163 [I-D.ietf-behave-address-format]. 165 1.3. Stateless vs. Stateful Mode 167 An IP/ICMP translator has two possible modes of operation: stateless 168 and stateful [I-D.ietf-behave-v6v4-framework]. In both cases, we 169 assume that a system (a node or an application) that has an IPv4 170 address but not an IPv6 address is communicating with a system that 171 has an IPv6 address but no IPv4 address, or that the two systems do 172 not have contiguous routing connectivity and hence are forced to have 173 their communications translated. 175 In the stateless mode, a specific IPv6 address range will represent 176 IPv4 systems (IPv4-converted addresses), and the IPv6 systems have 177 addresses (IPv4-translatable addresses) that can be algorithmically 178 mapped to a subset of the service provider's IPv4 addresses. Note 179 that IPv4-translatable addresses is a subset of IPv4-converted 180 addresses. In general, there is no need to concern oneself with 181 translation tables, as the IPv4 and IPv6 counterparts are 182 algorithmically related. 184 In the stateful mode, a specific IPv6 address range will represent 185 IPv4 systems (IPv4-converted addresses), but the IPv6 systems may use 186 any IPv6 addresses [RFC4291] except in that range. In this case, a 187 translation table is required to bind the IPv6 systems' addresses to 188 the IPv4 addresses maintained in the translator. 190 The address translation mechanisms for the stateless and the stateful 191 translations are defined in [I-D.ietf-behave-address-format]. 193 1.4. Path MTU Discovery and Fragmentation 195 Due to the different sizes of the IPv4 and IPv6 header, which are 20+ 196 octets and 40 octets respectively, handling the maximum packet size 197 is critical for the operation of the IPv4/IPv6 translator. There are 198 three mechanisms to handle this issue: path MTU discovery (PMTUD), 199 fragmentation, and transport-layer negotiation such as the TCP MSS 200 option [RFC0879]. Note that the translator MUST behave as a router, 201 i.e. the translator MUST send a "Packet Too Big" error message or 202 fragment the packet when the packet size exceeds the MTU of the next 203 hop interface. 205 "Don't Fragment", ICMP "Packet Too Big", and packet fragmentation are 206 discussed in Section 4 and Section 5 of this document. The 207 reassembling of fragmented packets in the stateful translator is 208 discussed in [I-D.ietf-behave-v6v4-xlate-stateful], since it requires 209 state maintenance in the translator. 211 2. Changes from RFC2765 213 The changes from RFC2765 are the following: 215 1. Redescribing the network model to map to present and projected 216 usage. The scenarios, applicability and limitations originally 217 presented in RFC2765 [RFC2765] are moved to framework document 218 [I-D.ietf-behave-v6v4-framework]. 220 2. Moving the address format to the address format document 221 [I-D.ietf-behave-address-format], to coordinate with other 222 documents on the topic. 224 3. Describing the header translation for the stateless and stateful 225 operations. The details of the session database and mapping 226 table handling of the stateful translation is in stateful 227 translation document [I-D.ietf-behave-v6v4-xlate-stateful]. 229 4. Having refined the header translation, fragmentation handling, 230 ICMP translation and ICMP error translation in IPv4 to IPv6 231 direction, as well as in IPv6 to IPv4 direction. 233 5. Adding more discussion on transport-layer header translation. 235 6. Adding Section 5.1.1 for "IPv6 Fragment Processing". 237 7. Adding Section 6 for "Special Considerations for ICMPv6 Packet 238 Too Big". 240 8. Having updated Section 8 for "Security Considerations". 242 9. Adding Section 10 "Stateless translation workflow example". 244 3. Conventions 246 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 247 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 248 document are to be interpreted as described in [RFC2119]. 250 4. Translating from IPv4 to IPv6 252 When an IP/ICMP translator receives an IPv4 datagram addressed to a 253 destination towards the IPv6 domain, it translates the IPv4 header of 254 that packet into an IPv6 header. The original IPv4 header on the 255 packet is removed and replaced by an IPv6 header and the transport 256 checksum updated as needed, if that transport is supported by the 257 translator. The data portion of the packet is left unchanged. The 258 IP/ICMP translator then forwards the packet based on the IPv6 259 destination address. 261 +-------------+ +-------------+ 262 | IPv4 | | IPv6 | 263 | Header | | Header | 264 +-------------+ +-------------+ 265 | Transport | | Fragment | 266 | Layer | ===> | Header | 267 | Header | | (if needed) | 268 +-------------+ +-------------+ 269 | | | Transport | 270 ~ Data ~ | Layer | 271 | | | Header | 272 +-------------+ +-------------+ 273 | | 274 ~ Data ~ 275 | | 276 +-------------+ 278 Figure 2: IPv4-to-IPv6 Translation 280 Path MTU discovery is mandatory in IPv6 but it is optional in IPv4. 281 IPv6 routers never fragment a packet - only the sender can do 282 fragmentation. 284 When an IPv4 node performs path MTU discovery (by setting the Don't 285 Fragment (DF) bit in the header), path MTU discovery can operate end- 286 to-end, i.e., across the translator. In this case either IPv4 or 287 IPv6 routers (including the translator) might send back ICMP "Packet 288 Too Big" messages to the sender. When the IPv6 routers send these 289 ICMPv6 errors they will pass through a translator that will translate 290 the ICMPv6 error to a form that the IPv4 sender can understand. As a 291 result, an IPv6 fragment header is only included if the IPv4 packet 292 is already fragmented. 294 However, when the IPv4 sender does not set the Don't Fragment (DF) 295 bit, the translator MUST ensure that the packet does not exceed the 296 path MTU on the IPv6 side. This is done by fragmenting the IPv4 297 packet (with fragmentation headers) so that it fits in 1280-byte IPv6 298 packets, since that is the minimum IPv6 MTU. The IPv6 fragmentation 299 header has been shown to cause operational difficulties in practice 300 due to limited firewall fragmentation support, etc.. In an 301 environment where the network owned/operated by the same entity that 302 owns/operates the translator, the translator MAY provide a 303 configuration function for the network administrator to adjust the 304 threshold of the minimum IPv6 MTU to a value that reflects the real 305 value of the minimum IPv6 MTU in the network (greater than 1280- 306 byte). This will help reduce the chance of including the 307 fragmentation header in the packets. 309 When the IPv4 sender does not set the DF bit the translator SHOULD 310 always include an IPv6 fragment header to indicate that the sender 311 allows fragmentation. The translator MAY provide a configuration 312 function that allows the translator not to include the fragmentation 313 header for the non-fragmented IPv6 packets. 315 The rules in Section 4.1 ensure that when packets are fragmented, 316 either by the sender or by IPv4 routers, the low-order 16 bits of the 317 fragment identification are carried end-to-end, ensuring that packets 318 are correctly reassembled. In addition, the rules in Section 4.1 use 319 the presence of an IPv6 fragment header to indicate that the sender 320 might not be using path MTU discovery (i.e., the packet should not 321 have the DF flag set should it later be translated back to IPv4). 323 Other than the special rules for handling fragments and path MTU 324 discovery, the actual translation of the packet header consists of a 325 simple translation as defined below. Note that ICMPv4 packets 326 require special handling in order to translate the content of ICMPv4 327 error messages and also to add the ICMPv6 pseudo-header checksum. 329 The translator SHOULD make sure that the packets belonging to the 330 same flow leave the translator in the same order in which they 331 arrived. 333 4.1. Translating IPv4 Headers into IPv6 Headers 335 If the DF flag is not set and the IPv4 packet will result in an IPv6 336 packet larger than 1280 bytes, the packet SHOULD be fragmented so the 337 resulting IPv6 packet (with Fragment header added to each fragment) 338 will be less than or equal to 1280 bytes. For example, if the packet 339 is fragmented prior to the translation, the IPv4 packets should be 340 fragmented so that their length, excluding the IPv4 header, is at 341 most 1232 bytes (1280 minus 40 for the IPv6 header and 8 for the 342 Fragment header). The translator MAY provide a configuration 343 function for the network administrator to adjust the threshold of the 344 minimum IPv6 MTU to a value greater than 1280-byte if the real value 345 of the minimum IPv6 MTU in the network is known to the administrator. 346 The resulting fragments are then translated independently using the 347 logic described below. 349 If the DF bit is set and the MTU of the next-hop interface is less 350 than the total length value of the IPv4 packet plus 20, the 351 translator MUST send an ICMPv4 "Fragmentation Needed" error message 352 to the IPv4 source address. 354 If the DF bit is set and the packet is not a fragment (i.e., the MF 355 flag is not set and the Fragment Offset is equal to zero) then the 356 translator SHOULD NOT add a Fragment header to the resulting packet. 357 The IPv6 header fields are set as follows: 359 Version: 6 361 Traffic Class: By default, copied from IP Type Of Service (TOS) 362 octet. According to [RFC2474] the semantics of the bits are 363 identical in IPv4 and IPv6. However, in some IPv4 environments 364 these fields might be used with the old semantics of "Type Of 365 Service and Precedence". An implementation of a translator SHOULD 366 support an administratively-configurable option to ignore the IPv4 367 TOS and always set the IPv6 traffic class (TC) to zero. In 368 addition, if the translator is at an administrative boundary, the 369 filtering and update considerations of [RFC2475] may be 370 applicable. 372 Flow Label: 0 (all zero bits) 374 Payload Length: Total length value from IPv4 header, minus the size 375 of the IPv4 header and IPv4 options, if present. 377 Next Header: For ICMPv4 (1) changed to ICMPv6 (58), otherwise 378 protocol field MUST be copied from IPv4 header. 380 Hop Limit: The hop limit is derived from the TTL value in the IPv4 381 header. Since the translator is a router, as part of forwarding 382 the packet it needs to decrement either the IPv4 TTL (before the 383 translation) or the IPv6 Hop Limit (after the translation). As 384 part of decrementing the TTL or Hop Limit the translator (as any 385 router) MUST check for zero and send the ICMPv4 "TTL Exceeded" or 386 ICMPv6 "Hop Limit Exceeded" error. 388 Source Address: The IPv4-converted address derived from the IPv4 389 source address per [I-D.ietf-behave-address-format] Section 2.1. 391 If the translator gets an illegal source address (e.g. 0.0.0.0, 392 127.0.0.1, etc.), the translator SHOULD silently drop the packet 393 (as discussed in Section 5.3.7 of [RFC1812]). 395 Destination Address: In the stateless mode, which is to say that if 396 the IPv4 destination address is within a range of configured IPv4 397 stateless translation prefix, the IPv6 destination address is the 398 IPv4-translatable address derived from the IPv4 destination 399 address per [I-D.ietf-behave-address-format] Section 2.1. A 400 workflow example of stateless translation is shown in Section 10 401 of this document. 403 In the stateful mode, which is to say that if the IPv4 destination 404 address is not within the range of any configured IPv4 stateless 405 translation prefix, the IPv6 destination address and corresponding 406 transport-layer destination port are derived from the Binding 407 Information Bases (BIBs) reflecting current session state in the 408 translator as described in [I-D.ietf-behave-v6v4-xlate-stateful]. 410 If any IPv4 options are present in the IPv4 packet, the IPv4 options 411 MUST be ignored and the packet translated normally; there is no 412 attempt to translate the options. However, if an unexpired source 413 route option is present then the packet MUST instead be discarded, 414 and an ICMPv4 "Destination Unreachable/Source Route Failed" (Type 415 3/Code 5) error message SHOULD be returned to the sender. 417 If there is a need to add a Fragment header (the DF bit is not set or 418 the packet is a fragment) the header fields are set as above with the 419 following exceptions: 421 IPv6 fields: 423 Payload Length: Total length value from IPv4 header, plus 8 for 424 the fragment header, minus the size of the IPv4 header and IPv4 425 options, if present. 427 Next Header: Fragment header (44). 429 Fragment header fields: 431 Next Header: For ICMPv4 (1) changed to ICMPv6 (58), otherwise 432 protocol field MUST be copied from IPv4 header. 434 Fragment Offset: Fragment Offset copied from the IPv4 header. 436 M flag: More Fragments bit copied from the IPv4 header. 438 Identification: The low-order 16 bits copied from the 439 Identification field in the IPv4 header. The high-order 16 440 bits set to zero. 442 4.2. Translating ICMPv4 Headers into ICMPv6 Headers 444 All ICMPv4 messages that are to be translated require that the ICMPv6 445 checksum field be calculated as part of the translation since ICMPv6, 446 unlike ICMPv4, has a pseudo-header checksum just like UDP and TCP. 448 In addition, all ICMPv4 packets MUST have the Type value translated 449 and, for ICMPv4 error messages, the included IP header also MUST be 450 translated. 452 The actions needed to translate various ICMPv4 messages are as 453 follows: 455 ICMPv4 query messages: 457 Echo and Echo Reply (Type 8 and Type 0): Adjust the Type values 458 to 128 and 129, respectively, and adjust the ICMP checksum both 459 to take the type change into account and to include the ICMPv6 460 pseudo-header. 462 Information Request/Reply (Type 15 and Type 16): Obsoleted in 463 ICMPv6. Silently drop. 465 Timestamp and Timestamp Reply (Type 13 and Type 14): Obsoleted in 466 ICMPv6. Silently drop. 468 Address Mask Request/Reply (Type 17 and Type 18): Obsoleted in 469 ICMPv6. Silently drop. 471 ICMP Router Advertisement (Type 9): Single hop message. Silently 472 drop. 474 ICMP Router Solicitation (Type 10): Single hop message. Silently 475 drop. 477 Unknown ICMPv4 types: Silently drop. 479 IGMP messages: While the MLD messages [RFC2710][RFC3590][RFC3810] 480 are the logical IPv6 counterparts for the IPv4 IGMP messages 481 all the "normal" IGMP messages are single-hop messages and 482 SHOULD be silently dropped by the translator. Other IGMP 483 messages might be used by multicast routing protocols and, 484 since it would be a configuration error to try to have router 485 adjacencies across IP/ICMP translators those packets SHOULD 486 also be silently dropped. 488 ICMPv4 error messages: 490 Destination Unreachable (Type 3): Translate the Code field as 491 described below, set the Type field to 1, and adjust the 492 ICMP checksum both to take the type/code change into account 493 and to include the ICMPv6 pseudo-header. 495 Translate the Code field as follows: 497 Code 0, 1 (Net, host unreachable): Set Code value to 0 (no 498 route to destination). 500 Code 2 (Protocol unreachable): Translate to an ICMPv6 501 Parameter Problem (Type 4, Code value 1) and make the 502 Pointer point to the IPv6 Next Header field. 504 Code 3 (Port unreachable): Set Code value to 4 (port 505 unreachable). 507 Code 4 (Fragmentation needed and DF set): Translate to an 508 ICMPv6 Packet Too Big message (Type 2) with Code value 509 set to 0. The MTU field MUST be adjusted for the 510 difference between the IPv4 and IPv6 header sizes, i.e. 511 minimum(advertised MTU+20, MTU_of_IPv6_nexthop, 512 (MTU_of_IPv4_nexthop)+20). Note that if the IPv4 router 513 set the MTU field to zero, i.e., the router does not 514 implement [RFC1191], then the translator MUST use the 515 plateau values specified in [RFC1191] to determine a 516 likely path MTU and include that path MTU in the ICMPv6 517 packet. (Use the greatest plateau value that is less 518 than the returned Total Length field.) 520 See also the requirements in Section 6. 522 Code 5 (Source route failed): Set Code value to 0 (No route 523 to destination). Note that this error is unlikely since 524 source routes are not translated. 526 Code 6, 7, 8: Set Code value to 0 (No route to 527 destination). 529 Code 9, 10 (Communication with destination host 530 administratively prohibited): Set Code value to 1 531 (Communication with destination administratively 532 prohibited) 534 Code 11, 12: Set Code value to 0 (no route to destination). 536 Code 13 (Communication Administratively Prohibited): Set 537 Code value to 1 (Communication with destination 538 administratively prohibited). 540 Code 14 (Host Precedence Violation): Silently drop. 542 Code 15 (Precedence cutoff in effect): Set Code value to 1 543 (Communication with destination administratively 544 prohibited). 546 Other Code values: Silently drop. 548 Redirect (Type 5): Single hop message. Silently drop. 550 Alternative Host Address (Type 6): Silently drop. 552 Source Quench (Type 4): Obsoleted in ICMPv6. Silently drop. 554 Time Exceeded (Type 11): Set the Type field to 3, and adjust 555 the ICMP checksum both to take the type change into account 556 and to include the ICMPv6 pseudo-header. The Code field is 557 unchanged. 559 Parameter Problem (Type 12): Set the Type field to 4, and 560 adjust the ICMP checksum both to take the type/code change 561 into account and to include the ICMPv6 pseudo-header. 563 Translate the Code field as follows: 565 Code 0 (Pointer indicates the error): Set the Code value to 566 0 (Erroneous header field encountered) and update the 567 pointer as defined in Figure 3 (If the Original IPv4 568 Pointer Value is not listed or the Translated IPv6 569 Pointer Value is listed as "n/a", silently drop the 570 packet). 572 Code 1 (Missing a required option): Silently drop 574 Code 2 (Bad length): Set the Code value to 0 (Erroneous 575 header field encountered) and update the pointer as 576 defined in Figure 3 (If the Original IPv4 Pointer Value 577 is not listed or the Translated IPv6 Pointer Value is 578 listed as "n/a", silently drop the packet). 580 Other Code values: Silently drop 582 Unknown ICMPv4 types: Silently drop. 584 | Original IPv4 Pointer Value | Translated IPv6 Pointer Value | 585 +--------------------------------+--------------------------------+ 586 | 0 | Version/IHL | 0 | Version/Traffic Class | 587 | 1 | Type Of Service | 1 | Traffic Class/Flow Label | 588 | 2,3 | Total Length | 4 | Payload Length | 589 | 4,5 | Identification | n/a | | 590 | 6 | Flags/Fragment Offset | n/a | | 591 | 7 | Fragment Offset | n/a | | 592 | 8 | Time to Live | 7 | Hop Limit | 593 | 9 | Protocol | 6 | Next Header | 594 |10,11| Header Checksum | n/a | | 595 |12-15| Source Address | 8 | Source Address | 596 |16-19| Destination Address | 24 | Destination Address | 597 +--------------------------------+--------------------------------+ 599 Figure 3: Pointer value for translating from IPv4 to IPv6 601 ICMP Error Payload: If the received ICMPv4 packet contains an 602 ICMPv4 Extension [RFC4884], the translation of the ICMPv4 603 packet will cause the ICMPv6 packet to change length. When 604 this occurs, the ICMPv6 Extension length attribute MUST be 605 adjusted accordingly (e.g., longer due to the translation 606 from IPv4 to IPv6). If the ICMPv4 Extension exceeds the 607 maximum size of an ICMPv6 message on the outgoing interface, 608 the ICMPv4 extension SHOULD be simply truncated. For 609 extensions not defined in [RFC4884], the translator passes 610 the extensions as opaque bit strings and those containing 611 IPv4 address literals will not have those addresses 612 translated to IPv6 address literals; this may cause problems 613 with processing of those ICMP extensions. 615 4.3. Translating ICMPv4 Error Messages into ICMPv6 617 There are some differences between the ICMPv4 and the ICMPv6 error 618 message formats as detailed above. The ICMP error messages 619 containing the packet in error MUST be translated just like a normal 620 IP packet. If the translation of this "packet in error" changes the 621 length of the datagram, the Total Length field in the outer IPv6 622 header MUST be updated. 624 +-------------+ +-------------+ 625 | IPv4 | | IPv6 | 626 | Header | | Header | 627 +-------------+ +-------------+ 628 | ICMPv4 | | ICMPv6 | 629 | Header | | Header | 630 +-------------+ +-------------+ 631 | IPv4 | ===> | IPv6 | 632 | Header | | Header | 633 +-------------+ +-------------+ 634 | Partial | | Partial | 635 | Transport | | Transport | 636 | Layer | | Layer | 637 | Header | | Header | 638 +-------------+ +-------------+ 640 Figure 4: IPv4-to-IPv6 ICMP Error Translation 642 The translation of the inner IP header can be done by invoking the 643 function that translated the outer IP headers. This process MUST 644 stop at the first embedded header and drop the packet if it contains 645 more. 647 4.4. Generation of ICMPv4 Error Message 649 If the IPv4 packet is discarded, then the translator SHOULD be able 650 to send back an ICMPv4 error message to the original sender of the 651 packet, unless the discarded packet is itself an ICMPv4 message. The 652 ICMPv4 message, if sent, has a Type value of 3 (Destination 653 Unreachable) and a Code value of 13 (Communication Administratively 654 Prohibited), unless otherwise specified in this document or in 655 [I-D.ietf-behave-v6v4-xlate-stateful]. The translator SHOULD allow 656 an administrator to configure whether the ICMPv4 error messages are 657 sent, rate-limited, or not sent. 659 4.5. Transport-layer Header Translation 661 If the address translation algorithm is not checksum neutral (Section 662 4.1 of [I-D.ietf-behave-address-format]), the recalculation and 663 updating of the transport-layer headers which contain pseudo headers 664 needs to be performed. Translators MUST do this for TCP and ICMP 665 packets and for UDP packets that contain a UDP checksum (i.e. the UDP 666 checksum field is not zero). 668 For UDP packets that do not contain a UDP checksum (i.e. the UDP 669 checksum field is zero), the translator SHOULD provide a 670 configuration function to allow: 672 1. Dropping the packet and generating a system management event 673 specifying at least the IP addresses and port numbers of the 674 packet. 676 2. Calculating an IPv6 checksum and forward the packet (which has 677 performance implications). 679 A stateless translator cannot compute the UDP checksum of 680 fragmented packets, so when a stateless translator receives the 681 first fragment of a fragmented UDP IPv4 packet and the checksum 682 field is zero, the translator SHOULD drop the packet and generate 683 a system management event specifying at least the IP addresses 684 and port numbers in the packet. 686 For stateful translator, the handling of fragmented UDP IPv4 687 packets with a zero checksum is discussed in 688 [I-D.ietf-behave-v6v4-xlate-stateful]), Section 3.1. 690 Other transport protocols (e.g., DCCP) are OPTIONAL to support. In 691 order to ease debugging and troubleshooting, translators MUST forward 692 all transport protocols as described in the "Next Header" step of 693 Section 4.1. 695 4.6. Knowing When to Translate 697 If the IP/ICMP translator also provides normal forwarding function, 698 and the destination IPv4 address is reachable by a more specific 699 route without translation, the translator MUST forward it without 700 translating it. Otherwise, when an IP/ICMP translator receives an 701 IPv4 datagram addressed to an IPv4 destination representing a host in 702 the IPv6 domain, the packet MUST be translated to IPv6. 704 5. Translating from IPv6 to IPv4 706 When an IP/ICMP translator receives an IPv6 datagram addressed to a 707 destination towards the IPv4 domain, it translates the IPv6 header of 708 the received IPv6 packet into an IPv4 header. The original IPv6 709 header on the packet is removed and replaced by an IPv4 header. 710 Since the ICMPv6 [RFC4443], TCP [RFC0793], UDP [RFC0768] and DCCP 711 [RFC4340] headers contain checksums that cover the IP header, if the 712 address mapping algorithm is not checksum-neutral, the checksum MUST 713 be evaluated before translation and the ICMP and transport-layer 714 headers MUST be updated. The data portion of the packet is left 715 unchanged. The IP/ICMP translator then forwards the packet based on 716 the IPv4 destination address. 718 +-------------+ +-------------+ 719 | IPv6 | | IPv4 | 720 | Header | | Header | 721 +-------------+ +-------------+ 722 | Fragment | | Transport | 723 | Header | ===> | Layer | 724 |(if present) | | Header | 725 +-------------+ +-------------+ 726 | Transport | | | 727 | Layer | ~ Data ~ 728 | Header | | | 729 +-------------+ +-------------+ 730 | | 731 ~ Data ~ 732 | | 733 +-------------+ 735 Figure 5: IPv6-to-IPv4 Translation 737 There are some differences between IPv6 and IPv4 in the area of 738 fragmentation and the minimum link MTU that affect the translation. 739 An IPv6 link has to have an MTU of 1280 bytes or greater. The 740 corresponding limit for IPv4 is 68 bytes. Path MTU Discovery across 741 a translator relies on ICMP Packet Too Big messages being received 742 and processed by IPv6 hosts, including an ICMP Packet Too Big that 743 indicates the MTU is less than the IPv6 minimum MTU. This 744 requirement is described in Section 5 of [RFC2460] (for IPv6's 1280 745 octet minimum MTU) and Section 5 of [RFC1883] (for IPv6's previous 746 576 octet minimum MTU). 748 In an environment where an ICMPv4 Packet Too Big message is 749 translated to an ICMPv6 Packet Too Big messages, and the ICMPv6 750 Packet Too Big message is successfully delivered to and correctly 751 processed by the IPv6 hosts (e.g., a network owned/operated by the 752 same entity that owns/operates the translator), the translator can 753 rely on IPv6 hosts sending subsequent packets to the same IPv6 754 destination with IPv6 fragment headers. In such an environment, when 755 the translator receives an IPv6 packet with a fragmentation header, 756 the translator SHOULD generate the IPv4 packet with a cleared Don't 757 Fragment bit, and with its identification value from the IPv6 758 fragment header, for all of the IPv6 fragments (MF=0 or MF=1). 760 In an environment where an ICMPv4 Packet Too Big message are filtered 761 (by a network firewall or by the host itself) or not correctly 762 processed by the IPv6 hosts, the IPv6 host will never generate an 763 IPv6 packet with the IPv6 fragment header. In such an environment, 764 the translator SHOULD set the IPv4 Don't Fragment bit. While setting 765 the Don't Fragment bit may create PMTUD black holes [RFC2923] if 766 there are IPv4 links smaller than 1260 octets, this is considered 767 safer than causing IPv4 reassembly errors [RFC4963]. 769 Other than the special rules for handling fragments and path MTU 770 discovery, the actual translation of the packet header consists of a 771 simple translation as defined below. Note that ICMPv6 packets 772 require special handling in order to translate the contents of ICMPv6 773 error messages and also to remove the ICMPv6 pseudo-header checksum. 775 The translator SHOULD make sure that the packets belonging to the 776 same flow leave the translator in the same order in which they 777 arrived. 779 5.1. Translating IPv6 Headers into IPv4 Headers 781 If there is no IPv6 Fragment header, the IPv4 header fields are set 782 as follows: 784 Version: 4 786 Internet Header Length: 5 (no IPv4 options) 788 Type of Service (TOS) Octet: By default, copied from the IPv6 789 Traffic Class (all 8 bits). According to [RFC2474] the semantics 790 of the bits are identical in IPv4 and IPv6. However, in some IPv4 791 environments, these bits might be used with the old semantics of 792 "Type Of Service and Precedence". An implementation of a 793 translator SHOULD provide the ability to ignore the IPv6 traffic 794 class and always set the IPv4 TOS Octet to a specified value. In 795 addition, if the translator is at an administrative boundary, the 796 filtering and update considerations of [RFC2475] may be 797 applicable. 799 Total Length: Payload length value from IPv6 header, plus the size 800 of the IPv4 header. 802 Identification: All zero. In order to avoid black holes caused by 803 ICMPv4 filtering or non [RFC2460] compatible IPv6 hosts (a 804 workaround discussed in Section 6), the translator MAY provide a 805 function such as if the packet size is equal to or smaller than 806 1280 bytes and greater than 88 bytes, generate the identification 807 value. The translator SHOULD provide a method for operators to 808 enable or disable this function. 810 Flags: The More Fragments flag is set to zero. The Don't Fragments 811 flag is set to one. In order to avoid black holes caused by 812 ICMPv4 filtering or non [RFC2460] compatible IPv6 hosts (a 813 workaround discussed in Section 6), the translator MAY provide a 814 function such as if the packet size is equal to or smaller than 815 1280 bytes and greater than 88 bytes, the Don't Fragments (DF) 816 flag is set to zero, otherwise the Don't Fragments (DF) flag is 817 set to one. The translator SHOULD provide a method for operators 818 to enable or disable this function. 820 Fragment Offset: All zeros. 822 Time to Live: Time to Live is derived from Hop Limit value in IPv6 823 header. Since the translator is a router, as part of forwarding 824 the packet it needs to decrement either the IPv6 Hop Limit (before 825 the translation) or the IPv4 TTL (after the translation). As part 826 of decrementing the TTL or Hop Limit the translator (as any 827 router) MUST check for zero and send the ICMPv4 "TTL Exceeded" or 828 ICMPv6 "Hop Limit Exceeded" error. 830 Protocol: The IPv6-Frag (44) header is handled as discussed in 831 Section 5.1.1. ICMPv6 (58) is changed to ICMPv4 (1), and the 832 payload is translated as discussed in Section 5.2. The IPv6 833 headers HOPOPT (0), IPv6-Route (43), and IPv6-Opts (60) are 834 skipped over during processing as they have no meaning in IPv4. 835 For the first 'next header' that does not match one of the cases 836 above, its next header value (which contains the transport 837 protocol number) is copied to the protocol field in the IPv4 838 header. This means that all transport protocols are translated. 840 Note: Some translated protocols will fail at the receiver for 841 various reasons: some are known to fail when translated (e.g., 842 IPsec AH (51)), and others will fail checksum validation if the 843 address translation is not checksum neutral 844 [I-D.ietf-behave-address-format] and the translator does not 845 update the transport protocol's checksum (because the 846 translator doesn't support recalculating the checksum for that 847 transport protocol, see Section 5.5). 849 Header Checksum: Computed once the IPv4 header has been created. 851 Source Address: In the stateless mode, which is to say that if the 852 IPv6 source address is within the range of a configured IPv6 853 translation prefix, the IPv4 source address is derived from the 854 IPv6 source address per [I-D.ietf-behave-address-format] Section 855 2.1. Note that the original IPv6 source address is an IPv4- 856 translatable address. A workflow example of stateless translation 857 is shown in Appendix of this document. If the translator only 858 supports stateless mode and if the IPv6 source address is not 859 within the range of configured IPv6 prefix(es), the translator 860 SHOULD drop the packet and respond with an ICMPv6 Type=1, Code=5 861 (Destination Unreachable, Source address failed ingress/egress 862 policy). 864 In the stateful mode, which is to say that if the IPv6 source 865 address is not within the range of any configured IPv6 stateless 866 translation prefix, the IPv4 source address and transport-layer 867 source port corresponding to the IPv4-related IPv6 source address 868 and source port are derived from the Binding Information Bases 869 (BIBs) as described in [I-D.ietf-behave-v6v4-xlate-stateful]. 871 In stateless and stateful modes, if the translator gets an illegal 872 source address (e.g. ::1, etc.), the translator SHOULD silently 873 drop the packet. 875 Destination Address: The IPv4 destination address is derived from 876 the IPv6 destination address of the datagram being translated per 877 [I-D.ietf-behave-address-format] Section 2.1. Note that the 878 original IPv6 destination address is an IPv4-converted address. 880 If a Routing header with a non-zero Segments Left field is present 881 then the packet MUST NOT be translated, and an ICMPv6 "parameter 882 problem/erroneous header field encountered" (Type 4/Code 0) error 883 message, with the Pointer field indicating the first byte of the 884 Segments Left field, SHOULD be returned to the sender. 886 5.1.1. IPv6 Fragment Processing 888 If the IPv6 packet contains a Fragment header, the header fields are 889 set as above with the following exceptions: 891 Total Length: Payload length value from IPv6 header, minus 8 for the 892 Fragment header, plus the size of the IPv4 header. 894 Identification: Copied from the low-order 16-bits in the 895 Identification field in the Fragment header. 897 Flags: The IPv4 More Fragments (MF) flag is copied from the M flag 898 in the IPv6 Fragment header. The IPv4 Don't Fragments (DF) flag 899 is cleared (set to zero) allowing this packet to be further 900 fragmented by IPv4 routers. 902 Fragment Offset: Copied from the Fragment Offset field of the IPv6 903 Fragment header. 905 Protocol: For ICMPv6 (58) changed to ICMPv4 (1), otherwise skip 906 extension headers, Next Header field copied from the last IPv6 907 header. 909 If a translated packet with DF set to 1 will be larger than the MTU 910 of the next-hop interface, then the translator MUST drop the packet 911 and send the ICMPv6 "Packet Too Big" (Type 2/Code 0) error message to 912 the IPv6 host with an adjusted MTU in the ICMPv6 message. 914 5.2. Translating ICMPv6 Headers into ICMPv4 Headers 916 If a non-checksum neutral translation address is being used, ICMPv6 917 messages MUST have their ICMPv4 checksum field be updated as part of 918 the translation since ICMPv6 (unlike ICMPv4) includes a pseudo-header 919 in the checksum just like UDP and TCP. 921 In addition all ICMP packets MUST have the Type value translated and, 922 for ICMP error messages, the included IP header also MUST be 923 translated. Note that the IPv6 addresses in the IPv6 header may not 924 be IPv4-translatable addresses and there will be no corresponding 925 IPv4 addresses representing this IPv6 address. In this case, the 926 translator can do stateful translation. A mechanism by which the 927 translator can instead do stateless translation of this address is 928 left for future work. 930 The actions needed to translate various ICMPv6 messages are: 932 ICMPv6 informational messages: 934 Echo Request and Echo Reply (Type 128 and 129): Adjust the Type 935 values to 8 and 0, respectively, and adjust the ICMP checksum 936 both to take the type change into account and to exclude the 937 ICMPv6 pseudo-header. 939 MLD Multicast Listener Query/Report/Done (Type 130, 131, 132): 940 Single hop message. Silently drop. 942 Neighbor Discover messages (Type 133 through 137): Single hop 943 message. Silently drop. 945 Unknown informational messages: Silently drop. 947 ICMPv6 error messages: 949 Destination Unreachable (Type 1) Set the Type field to 3, and 950 adjust the ICMP checksum both to take the type/code change into 951 account and to exclude the ICMPv6 pseudo-header. 953 Translate the Code field as follows: 955 Code 0 (no route to destination): Set Code value to 1 (Host 956 unreachable). 958 Code 1 (Communication with destination administratively 959 prohibited): Set Code value to 10 (Communication with 960 destination host administratively prohibited). 962 Code 2 (Beyond scope of source address): Set Code value to 1 963 (Host unreachable). Note that this error is very unlikely 964 since an IPv4-translatable source address is typically 965 considered to have global scope. 967 Code 3 (Address unreachable): Set Code value to 1 (Host 968 unreachable). 970 Code 4 (Port unreachable): Set Code value to 3 (Port 971 unreachable). 973 Other Code values: Silently drop. 975 Packet Too Big (Type 2): Translate to an ICMPv4 Destination 976 Unreachable (Type 3) with Code value equal to 4, and adjust the 977 ICMPv4 checksum both to take the type change into account and 978 to exclude the ICMPv6 pseudo-header. The MTU field MUST be 979 adjusted for the difference between the IPv4 and IPv6 header 980 sizes taking into account whether or not the packet in error 981 includes a Fragment header, i.e. minimum(advertised MTU-20, 982 MTU_of_IPv4_nexthop, (MTU_of_IPv6_nexthop)-20). 984 See also the requirements in Section 6. 986 Time Exceeded (Type 3): Set the Type value to 11, and adjust the 987 ICMPv4 checksum both to take the type change into account and 988 to exclude the ICMPv6 pseudo-header. The Code field is 989 unchanged. 991 Parameter Problem (Type 4): Translate the Type and Code field as 992 follows, and adjust the ICMPv4 checksum both to take the type/ 993 code change into account and to exclude the ICMPv6 pseudo- 994 header. 996 Translate the Code field as follows: 998 Code 0 (Erroneous header field encountered): Set Type 12, Code 999 0 and update the pointer as defined in Figure 6 (If the 1000 Original IPv6 Pointer Value is not listed or the Translated 1001 IPv4 Pointer Value is listed as "n/a", silently drop the 1002 packet). 1004 Code 1 (Unrecognized Next Header type encountered): Translate 1005 this to an ICMPv4 protocol unreachable (Type 3, Code 2). 1007 Code 2 (Unrecognized IPv6 option encountered): Silently drop. 1009 Unknown error messages: Silently drop. 1011 | Original IPv6 Pointer Value | Translated IPv4 Pointer Value | 1012 +--------------------------------+--------------------------------+ 1013 | 0 | Version/Traffic Class | 0 | Version/IHL, Type Of Ser | 1014 | 1 | Traffic Class/Flow Label | 1 | Type Of Service | 1015 | 2,3 | Flow Label | n/a | | 1016 | 4,5 | Payload Length | 2 | Total Length | 1017 | 6 | Next Header | 9 | Protocol | 1018 | 7 | Hop Limit | 8 | Time to Live | 1019 | 8-23| Source Address | 12 | Source Address | 1020 |24-39| Destination Address | 16 | Destination Address | 1021 +--------------------------------+--------------------------------+ 1023 Figure 6: Pointer Value for translating from IPv6 to IPv4 1025 ICMP Error Payload: If the received ICMPv6 packet contains an 1026 ICMPv6 Extension [RFC4884], the translation of the ICMPv6 1027 packet will cause the ICMPv4 packet to change length. When 1028 this occurs, the ICMPv6 Extension length attribute MUST be 1029 adjusted accordingly (e.g., shorter due to the translation from 1030 IPv6 to IPv4). For extensions not defined in [RFC4884], the 1031 translator passes the extensions as opaque bit strings and 1032 those containing IPv6 address literals will not have those 1033 addresses translated to IPv4 address literals; this may cause 1034 problems with processing of those ICMP extensions. 1036 5.3. Translating ICMPv6 Error Messages into ICMPv4 1038 There are some differences between the ICMPv4 and the ICMPv6 error 1039 message formats as detailed above. The ICMP error messages 1040 containing the packet in error MUST be translated just like a normal 1041 IP packet. The translation of this "packet in error" is likely to 1042 change the length of the datagram thus the Total Length field in the 1043 outer IPv4 header MUST be updated. 1045 +-------------+ +-------------+ 1046 | IPv6 | | IPv4 | 1047 | Header | | Header | 1048 +-------------+ +-------------+ 1049 | ICMPv6 | | ICMPv4 | 1050 | Header | | Header | 1051 +-------------+ +-------------+ 1052 | IPv6 | ===> | IPv4 | 1053 | Header | | Header | 1054 +-------------+ +-------------+ 1055 | Partial | | Partial | 1056 | Transport | | Transport | 1057 | Layer | | Layer | 1058 | Header | | Header | 1059 +-------------+ +-------------+ 1061 Figure 7: IPv6-to-IPv4 ICMP Error Translation 1063 The translation of the inner IP header can be done by invoking the 1064 function that translated the outer IP headers. This process MUST 1065 stop at first embedded header and drop the packet if it contains 1066 more. Note that the IPv6 addresses in the IPv6 header may not be 1067 IPv4-translatable addresses and there will be no corresponding IPv4 1068 addresses. In this case, the translator can do stateful translation. 1069 A mechanism by which the translator can instead do stateless 1070 translation is left for future work. 1072 5.4. Generation of ICMPv6 Error Message 1074 If the IPv6 packet is discarded, then the translator SHOULD send back 1075 an ICMPv6 error message to the original sender of the packet, unless 1076 the discarded packet is itself an ICMPv6 message. 1078 If the ICMPv6 error message is being sent because the IPv6 source 1079 address is not an IPv4-translatable address and the translator is 1080 stateless, the ICMPv6 message, if sent, MUST have a Type value of 1 1081 and Code value of 5 (Source address failed ingress/egress policy). 1082 In other cases, the ICMPv6 message MUST have a Type value of 1 1083 (Destination Unreachable) and a Code value of 1 (Communication with 1084 destination administratively prohibited), unless otherwise specified 1085 in this document or [I-D.ietf-behave-v6v4-xlate-stateful]. The 1086 translator SHOULD allow an administrator to configure whether the 1087 ICMPv6 error messages are sent, rate-limited, or not sent. 1089 5.5. Transport-layer Header Translation 1091 If the address translation algorithm is not checksum neutral (Section 1092 4.1 of [I-D.ietf-behave-address-format]), the recalculation and 1093 updating of the transport-layer headers which contain pseudo headers 1094 need to be performed. Translators MUST do this for TCP, UDP and 1095 ICMP. 1097 Other transport protocols (e.g., DCCP) are OPTIONAL to support. In 1098 order to ease debugging and troubleshooting, translators MUST forward 1099 all transport protocols as described in the "Protocol" step of 1100 Section 5.1. 1102 5.6. Knowing When to Translate 1104 If the IP/ICMP translator also provides a normal forwarding function, 1105 and the destination address is reachable by a more specific route 1106 without translation, the router MUST forward it without translating 1107 it. When an IP/ICMP translator receives an IPv6 datagram addressed 1108 to an IPv6 address representing a host in the IPv4 domain, the IPv6 1109 packet MUST be translated to IPv4. 1111 6. Special Considerations for ICMPv6 Packet Too Big 1113 Two recent studies analyzed the behavior of IPv6-capable web servers 1114 on the Internet and found that approximately 95% responded as 1115 expected to an IPv6 Packet Too Big that indicated MTU=1280, but only 1116 43% responded as expected to an IPv6 Packet Too Big that indicated an 1117 MTU < 1280. It is believed firewalls violating Section 4.3.1 of 1118 [RFC4890] are at fault. These failures will both cause Path MTU 1119 Discovery (PMTUD) black holes [RFC2923]. Unfortunately the 1120 translator cannot improve the failure rate of the first case (MTU = 1121 1280), but the translator can improve the failure rate of the second 1122 case (MTU < 1280). There are two approaches to resolving the problem 1123 with sending ICMPv6 messages indicating an MTU < 1280. It SHOULD be 1124 possible to configure a translator for either of the two approaches. 1126 The first approach is to constrain the deployment of the IPv6/IPv4 1127 translator by observing that four of the scenarios intended for 1128 stateless IPv6/IPv4 translators do not have IPv6 hosts on the 1129 Internet (Scenarios 1, 2, 5 and 6 described in 1130 [I-D.ietf-behave-v6v4-framework], which refer to "An IPv6 network"). 1131 In these scenarios IPv6 hosts, IPv6 host-based firewalls, and IPv6 1132 network firewalls can be administered in compliance with Section 1133 4.3.1 of [RFC4890] and therefore avoid the problem witnessed with 1134 IPv6 hosts on the Internet. 1136 The second approach is necessary if the translator has IPv6 hosts, 1137 IPv6 host-based firewalls, or IPv6 network firewalls that do not (or 1138 cannot) comply with Section 5 of [RFC2460] -- such as IPv6 hosts on 1139 the Internet. This approach requires the translator to do the 1140 following: 1142 1. in the IPv4 to IPv6 direction: if the MTU value of ICMPv4 Packet 1143 Too Big messages is less than 1280, change it to 1280. This is 1144 intended to cause the IPv6 host and IPv6 firewall to process the 1145 ICMP PTB message and generate subsequent packets to this 1146 destination with an IPv6 fragmentation header. 1148 Note: Based on recent studies, this is effective for 95% of IPv6 1149 hosts on the Internet. 1151 2. in the IPv6 to IPv4 direction: 1153 A. if there is a Fragment header in the IPv6 packet, the last 16 1154 bits of its value MUST be used for the IPv4 identification 1155 value. 1157 B. if there is no Fragment header in the IPv6 packet: 1159 a. if the packet is less than or equal to 1280 bytes: 1161 - the translator SHOULD set DF to 0 and generate an IPv4 1162 identification value. 1164 - To avoid the problems described in [RFC4963], it is 1165 RECOMMENDED the translator maintain 3-tuple state for 1166 generating the IPv4 identification value. 1168 b. if the packet is greater than 1280 bytes, the translator 1169 SHOULD set the IPv4 DF bit to 1. 1171 7. IANA Considerations 1173 This memo adds no new IANA considerations. 1175 Note to RFC Editor: This section will have served its purpose if it 1176 correctly tells IANA that no new assignments or registries are 1177 required, or if those assignments or registries are created during 1178 the RFC publication process. From the author's perspective, it may 1179 therefore be removed upon publication as an RFC at the RFC Editor's 1180 discretion. 1182 8. Security Considerations 1184 The use of stateless IP/ICMP translators does not introduce any new 1185 security issues beyond the security issues that are already present 1186 in the IPv4 and IPv6 protocols and in the routing protocols that are 1187 used to make the packets reach the translator. 1189 There are potential issues that might arise by deriving an IPv4 1190 address from an IPv6 address - particularly addresses like broadcast 1191 or loopback addresses and the non IPv4-translatable IPv6 addresses, 1192 etc. The [I-D.ietf-behave-address-format] addresses these issues. 1194 As with network address translation of IPv4 to IPv4, the IPsec 1195 Authentication Header [RFC4302] cannot be used across an IPv6 to IPv4 1196 translator. 1198 As with network address translation of IPv4 to IPv4, packets with 1199 tunnel mode ESP can be translated since tunnel mode ESP does not 1200 depend on header fields prior to the ESP header. Similarly, 1201 transport mode ESP will fail with IPv6 to IPv4 translation unless 1202 checksum neutral addresses are used. In both cases, the IPsec ESP 1203 endpoints will normally detect the presence of the translator and 1204 encapsulate ESP in UDP packets [RFC3948]. 1206 9. Acknowledgements 1208 This is under development by a large group of people. Those who have 1209 posted to the list during the discussion include Alexey Melnikov, 1210 Andrew Sullivan, Andrew Yourtchenko, Brian Carpenter, Dan Wing, Dave 1211 Thaler, David Harrington, Ed Jankiewicz, Hiroshi Miyata, Iljitsch van 1212 Beijnum, Jari Arkko, Jerry Huang, John Schnizlein, Jouni Korhonen, 1213 Kentaro Ebisawa, Kevin Yin, Magnus Westerlund, Marcelo Bagnulo Braun, 1214 Margaret Wasserman, Masahito Endo, Phil Roberts, Philip Matthews, 1215 Reinaldo Penno, Remi Denis-Courmont, Remi Despres, Sean Turner, 1216 Senthil Sivakumar, Simon Perreault, Stewart Bryant, Tim Polk, Tero 1217 Kivinen and Zen Cao. 1219 10. Appendix: Stateless translation workflow example 1221 A stateless translation workflow example is depicted in the following 1222 figure. The documentation address blocks 2001:db8::/32 [RFC3849], 1223 192.0.2.0/24 and 198.51.100.0/24 [RFC5737] are used in this example. 1225 +--------------+ +--------------+ 1226 | IPv4 network | | IPv6 network | 1227 | | +-------+ | | 1228 | +----+ |-----| XLAT |---- | +----+ | 1229 | | H4 |-----| +-------+ |--| H6 | | 1230 | +----+ | | +----+ | 1231 +--------------+ +--------------+ 1233 Figure 8 1235 A translator (XLAT) connects the IPv6 network to the IPv4 network. 1236 This XLAT uses the Network Specific Prefix (NSP) 2001:db8:100::/40 1237 defined in [I-D.ietf-behave-address-format] to represent IPv4 1238 addresses in the IPv6 address space (IPv4-converted addresses) and to 1239 represent IPv6 addresses (IPv4-translatable addresses) in the IPv4 1240 address space. In this example, 192.0.2.0/24 is the IPv4 block of 1241 the corresponding IPv4-translatable addresses. 1243 Based on the address mapping rule, the IPv6 node H6 has an IPv4- 1244 translatable IPv6 address 2001:db8:1c0:2:21:: (address mapping from 1245 192.0.2.33). The IPv4 node H4 has IPv4 address 198.51.100.2. 1247 The IPv6 routing is configured in such a way that the IPv6 packets 1248 addressed to a destination address in 2001:db8:100::/40 are routed to 1249 the IPv6 interface of the XLAT. 1251 The IPv4 routing is configured in such a way that the IPv4 packets 1252 addressed to a destination address in 192.0.2.0/24 are routed to the 1253 IPv4 interface of the XLAT. 1255 10.1. H6 establishes communication with H4 1257 The steps by which H6 establishes communication with H4 are: 1259 1. H6 performs the destination address mapping, so the IPv4- 1260 converted address 2001:db8:1c6:3364:200:: is formed from 1261 198.51.100.2 based on the address mapping algorithm 1262 [I-D.ietf-behave-address-format]. 1264 2. H6 sends a packet to H4. The packet is sent from a source 1265 address 2001:db8:1c0:2:21:: to a destination address 1266 2001:db8:1c6:3364:200::. 1268 3. The packet is routed to the IPv6 interface of the XLAT (since 1269 IPv6 routing is configured that way). 1271 4. The XLAT receives the packet and performs the following actions: 1273 * The XLAT translates the IPv6 header into an IPv4 header using 1274 the IP/ICMP Translation Algorithm defined in this document. 1276 * The XLAT includes 192.0.2.33 as source address in the packet 1277 and 198.51.100.2 as destination address in the packet. Note 1278 that 192.0.2.33 and 198.51.100.2 are extracted directly from 1279 the source IPv6 address 2001:db8:1c0:2:21:: (IPv4-translatable 1280 address) and destination IPv6 address 2001:db8:1c6:3364:200:: 1281 (IPv4-converted address) of the received IPv6 packet that is 1282 being translated. 1284 5. The XLAT sends the translated packet out its IPv4 interface and 1285 the packet arrives at H4. 1287 6. H4 node responds by sending a packet with destination address 1288 192.0.2.33 and source address 198.51.100.2. 1290 7. The packet is routed to the IPv4 interface of the XLAT (since 1291 IPv4 routing is configured that way). The XLAT performs the 1292 following operations: 1294 * The XLAT translates the IPv4 header into an IPv6 header using 1295 the IP/ICMP Translation Algorithm defined in this document. 1297 * The XLAT includes 2001:db8:1c0:2:21:: as destination address 1298 in the packet and 2001:db8:1c6:3364:200:: as source address in 1299 the packet. Note that 2001:db8:1c0:2:21:: and 1300 2001:db8:1c6:3364:200:: 1301 are formed directly from the destination IPv4 1302 address 192.0.2.33 and source IPv4 address 198.51.100.2 of the 1303 received IPv4 packet that is being translated. 1305 8. The translated packet is sent out the IPv6 interface to H6. 1307 The packet exchange between H6 and H4 continues until the session is 1308 finished. 1310 10.2. H4 establishes communication with H6 1312 The steps by which H4 establishes communication with H6 are: 1314 1. H4 performs the destination address mapping, so 192.0.2.33 is 1315 formed from IPv4-translatable address 2001:db8:1c0:2:21:: based 1316 on the address mapping algorithm 1317 [I-D.ietf-behave-address-format]. 1319 2. H4 sends a packet to H6. The packet is sent from a source 1320 address 198.51.100.2 to a destination address 192.0.2.33. 1322 3. The packet is routed to the IPv4 interface of the XLAT (since 1323 IPv4 routing is configured that way). 1325 4. The XLAT receives the packet and performs the following actions: 1327 * The XLAT translates the IPv4 header into an IPv6 header using 1328 the IP/ICMP Translation Algorithm defined in this document. 1330 * The XLAT includes 2001:db8:1c6:3364:200:: as source address in 1331 the packet and 2001:db8:1c0:2:21:: as destination address in 1332 the packet. Note that 2001:db8:1c6:3364:200:: (IPv4-converted 1333 address) and 2001:db8:1c0:2:21:: (IPv4-translatable address) 1334 are obtained directly from the source IPv4 address 1335 198.51.100.2 and destination IPv4 address 192.0.2.33 of the 1336 received IPv4 packet that is being translated. 1338 5. The XLAT sends the translated packet out its IPv6 interface and 1339 the packet arrives at H6. 1341 6. H6 node responds by sending a packet with destination address 1342 2001:db8:1c6:3364:200:: and source address 2001:db8:1c0:2:21::. 1344 7. The packet is routed to the IPv6 interface of the XLAT (since 1345 IPv6 routing is configured that way). The XLAT performs the 1346 following operations: 1348 * The XLAT translates the IPv6 header into an IPv4 header using 1349 the IP/ICMP Translation Algorithm defined in this document. 1351 * The XLAT includes 198.51.100.2 as destination address in the 1352 packet and 192.0.2.33 as source address in the packet. Note 1353 that 198.51.100.2 and 192.0.2.33 are formed directly from the 1354 destination IPv6 address 2001:db8:1c6:3364:200:: and source 1355 IPv6 address 2001:db8:1c0:2:21:: of the received IPv6 packet 1356 that is being translated. 1358 8. The translated packet is sent out the IPv4 interface to H4. 1360 The packet exchange between H4 and H6 continues until the session 1361 finished. 1363 11. References 1365 11.1. Normative References 1367 [I-D.ietf-behave-address-format] 1368 Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 1369 Li, "IPv6 Addressing of IPv4/IPv6 Translators", 1370 draft-ietf-behave-address-format-10 (work in progress), 1371 August 2010. 1373 [I-D.ietf-behave-v6v4-xlate-stateful] 1374 Bagnulo, M., Matthews, P., and I. Beijnum, "Stateful 1375 NAT64: Network Address and Protocol Translation from IPv6 1376 Clients to IPv4 Servers", 1377 draft-ietf-behave-v6v4-xlate-stateful-12 (work in 1378 progress), July 2010. 1380 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 1381 August 1980. 1383 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 1384 September 1981. 1386 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1387 RFC 792, September 1981. 1389 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 1390 RFC 793, September 1981. 1392 [RFC1812] Baker, F., "Requirements for IP Version 4 Routers", 1393 RFC 1812, June 1995. 1395 [RFC1883] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1396 (IPv6) Specification", RFC 1883, December 1995. 1398 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1399 Requirement Levels", BCP 14, RFC 2119, March 1997. 1401 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1402 (IPv6) Specification", RFC 2460, December 1998. 1404 [RFC2765] Nordmark, E., "Stateless IP/ICMP Translation Algorithm 1405 (SIIT)", RFC 2765, February 2000. 1407 [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. 1408 Stenberg, "UDP Encapsulation of IPsec ESP Packets", 1409 RFC 3948, January 2005. 1411 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 1412 Architecture", RFC 4291, February 2006. 1414 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 1415 Congestion Control Protocol (DCCP)", RFC 4340, March 2006. 1417 [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control 1418 Message Protocol (ICMPv6) for the Internet Protocol 1419 Version 6 (IPv6) Specification", RFC 4443, March 2006. 1421 [RFC4884] Bonica, R., Gan, D., Tappan, D., and C. Pignataro, 1422 "Extended ICMP to Support Multi-Part Messages", RFC 4884, 1423 April 2007. 1425 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 1426 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 1427 RFC 5382, October 2008. 1429 [RFC5771] Cotton, M., Vegoda, L., and D. Meyer, "IANA Guidelines for 1430 IPv4 Multicast Address Assignments", BCP 51, RFC 5771, 1431 March 2010. 1433 11.2. Informative References 1435 [I-D.ietf-behave-v6v4-framework] 1436 Baker, F., Li, X., Bao, C., and K. Yin, "Framework for 1437 IPv4/IPv6 Translation", 1438 draft-ietf-behave-v6v4-framework-10 (work in progress), 1439 August 2010. 1441 [RFC0879] Postel, J., "TCP maximum segment size and related topics", 1442 RFC 879, November 1983. 1444 [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, 1445 November 1990. 1447 [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, 1448 "Definition of the Differentiated Services Field (DS 1449 Field) in the IPv4 and IPv6 Headers", RFC 2474, 1450 December 1998. 1452 [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., 1453 and W. Weiss, "An Architecture for Differentiated 1454 Services", RFC 2475, December 1998. 1456 [RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast 1457 Listener Discovery (MLD) for IPv6", RFC 2710, 1458 October 1999. 1460 [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address 1461 Translation - Protocol Translation (NAT-PT)", RFC 2766, 1462 February 2000. 1464 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", 1465 RFC 2923, September 2000. 1467 [RFC3307] Haberman, B., "Allocation Guidelines for IPv6 Multicast 1468 Addresses", RFC 3307, August 2002. 1470 [RFC3590] Haberman, B., "Source Address Selection for the Multicast 1471 Listener Discovery (MLD) Protocol", RFC 3590, 1472 September 2003. 1474 [RFC3810] Vida, R. and L. Costa, "Multicast Listener Discovery 1475 Version 2 (MLDv2) for IPv6", RFC 3810, June 2004. 1477 [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix 1478 Reserved for Documentation", RFC 3849, July 2004. 1480 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, 1481 December 2005. 1483 [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering 1484 ICMPv6 Messages in Firewalls", RFC 4890, May 2007. 1486 [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly 1487 Errors at High Data Rates", RFC 4963, July 2007. 1489 [RFC5737] Arkko, J., Cotton, M., and L. Vegoda, "IPv4 Address Blocks 1490 Reserved for Documentation", RFC 5737, January 2010. 1492 Authors' Addresses 1494 Xing Li 1495 CERNET Center/Tsinghua University 1496 Room 225, Main Building, Tsinghua University 1497 Beijing, 100084 1498 China 1500 Phone: +86 10-62785983 1501 Email: xing@cernet.edu.cn 1503 Congxiao Bao 1504 CERNET Center/Tsinghua University 1505 Room 225, Main Building, Tsinghua University 1506 Beijing, 100084 1507 China 1509 Phone: +86 10-62785983 1510 Email: congxiao@cernet.edu.cn 1512 Fred Baker 1513 Cisco Systems 1514 Santa Barbara, California 93117 1515 USA 1517 Phone: +1-408-526-4257 1518 Email: fred@cisco.com