idnits 2.17.1 draft-ietf-ngtrans-siit-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 24, 1999) is 9070 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'IPv4' is defined on line 982, but no explicit reference was found in the text == Unused Reference: 'DISCOVERY' is defined on line 990, but no explicit reference was found in the text == Unused Reference: 'IPv6-SA' is defined on line 994, but no explicit reference was found in the text == Unused Reference: 'IPv6-AUTH' is defined on line 997, but no explicit reference was found in the text == Unused Reference: 'IPv6-ESP' is defined on line 1000, but no explicit reference was found in the text == Unused Reference: 'ICMPv4' is defined on line 1003, but no explicit reference was found in the text == Unused Reference: 'ICMPv6' is defined on line 1006, but no explicit reference was found in the text == Unused Reference: 'IGMP' is defined on line 1010, but no explicit reference was found in the text == Unused Reference: 'PMTUv6' is defined on line 1016, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2460 (ref. 'IPv6') (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 2373 (ref. 'ADDR-ARCH') (Obsoleted by RFC 3513) ** Obsolete normative reference: RFC 1933 (ref. 'TRANS-MECH') (Obsoleted by RFC 2893) ** Obsolete normative reference: RFC 2461 (ref. 'DISCOVERY') (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 2401 (ref. 'IPv6-SA') (Obsoleted by RFC 4301) ** Obsolete normative reference: RFC 2402 (ref. 'IPv6-AUTH') (Obsoleted by RFC 4302, RFC 4305) ** Obsolete normative reference: RFC 2406 (ref. 'IPv6-ESP') (Obsoleted by RFC 4303, RFC 4305) ** Obsolete normative reference: RFC 2463 (ref. 'ICMPv6') (Obsoleted by RFC 4443) ** Obsolete normative reference: RFC 1981 (ref. 'PMTUv6') (Obsoleted by RFC 8201) -- Possible downref: Non-RFC (?) normative reference: ref. 'MLD' -- Possible downref: Non-RFC (?) normative reference: ref. 'MILLER' Summary: 13 errors (**), 0 flaws (~~), 12 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 INTERNET-DRAFT Erik Nordmark, Sun Microsystems 2 June 24, 1999 4 Stateless IP/ICMP Translator (SIIT) 6 8 Status of this Memo 10 This document is an Internet-Draft and is in full conformance with 11 all provisions of Section 10 of RFC2026. 13 Internet-Drafts are working documents of the Internet Engineering 14 Task Force (IETF), its areas, and its working groups. Note that 15 other groups may also distribute working documents as Internet- 16 Drafts. 18 Internet-Drafts are draft documents valid for a maximum of six months 19 and may be updated, replaced, or obsoleted by other documents at any 20 time. It is inappropriate to use Internet-Drafts as reference 21 material or to cite them other than as "work in progress." 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 This Internet Draft expires December 24, 1999. 31 Abstract 33 This document specifies a transition mechanism in addition to the 34 mechanisms already specified in RFC 1933. The new mechanism can be 35 used as part of a solution that allows IPv6 hosts which do not have a 36 permanently assigned IPv4 address to communicate with IPv4-only 37 hosts. The document neither specifies address assignment nor routing 38 to and from the IPv6 hosts when they communicate with the IPv4-only 39 hosts. 41 Acknowledgements 43 Some text has been extracted from an old Internet Draft titled "IPAE: 44 The SIPP Interoperability and Transition Mechanism" authored by R. 45 Gilligan, E. Nordmark, and B. Hinden. George Tsirtsis provides the 46 figures for Section 1. 48 Contents 50 Status of this Memo.......................................... 1 52 1. INTRODUCTION AND MOTIVATION.............................. 3 53 1.1. Applicability and Limitations....................... 5 54 1.2. Impact Outside the Network Layer.................... 6 56 2. TERMINOLOGY.............................................. 7 57 2.1. Addresses........................................... 8 58 2.2. Requirements........................................ 8 60 3. OVERVIEW................................................. 9 61 3.1. Assumptions......................................... 9 63 4. TRANSLATING FROM IPv4 TO IPv6............................ 9 64 4.1. Translating IPv4 Headers............................ 11 65 4.2. Translating UDP over IPv4........................... 13 66 4.3. Translating ICMPv4.................................. 13 67 4.4. Translating ICMPv4 Error Messages................... 15 68 4.5. Knowing when to Translate........................... 16 70 5. TRANSLATING FROM IPv6 TO IPv4............................ 16 71 5.1. Translating IPv6 Headers............................ 18 72 5.2. Translating ICMPv6.................................. 20 73 5.3. Translating ICMPv6 Error Messages................... 21 74 5.4. Knowing when to Translate........................... 22 76 6. SECURITY CONSIDERATIONS.................................. 22 78 7. CHANGE LOG............................................... 22 80 REFERENCES................................................... 23 82 AUTHOR'S ADDRESS............................................. 24 84 1. INTRODUCTION AND MOTIVATION 86 The transition mechanisms specified in [TRANS-MECH] handle the case 87 of dual IPv4/IPv6 hosts interoperating with both dual hosts and 88 IPv4-only hosts which is needed early in the transition to IPv6. The 89 dual hosts are assigned both an IPv4 and one or more IPv6 addresses. 90 As the pool of globally unique IPv4 addresses becomes smaller and 91 smaller as the Internet grows there will be a desire to take 92 advantage of the large IPv6 address and not require that every new 93 Internet node have a permanently assigned IPv4 address. 95 There are several different scenarios where there might be IPv6-only 96 hosts that need to communicate with IPv4-only hosts. These IPv6 97 hosts might be IPv4-capable, i.e. include an IPv4 implementation but 98 not be assigned an IPv4 address, or they might not even include an 99 IPv4 implementation. 101 - A completely new network with new devices that all support IPv6. 102 In this case it might be beneficial to not have to configure the 103 routers within the new network to route IPv4 since none of the 104 hosts in the new network are configured with IPv4 addresses. But 105 these new IPv6 devices might occasionally need to communicate with 106 some IPv4 nodes out on the Internet. 108 - An existing network where a large number of IPv6 devices are 109 added. The IPv6 devices might have both an IPv4 and an IPv6 110 protocol stack but there is not enough global IPv4 address space 111 to give each one of them a permanent IPv4 address. In this case 112 it is more likely that the routers in the network already route 113 IPv4 and are upgraded to dual routers. 115 However, there are other potential solutions in this area: 116 - If there is no IPv4 routing inside the network i.e., the cloud 117 that contains the new devices, some possible solutions are to 118 either use the translators specified in this document at the 119 boundary of the cloud, or to use Application Layer Gateways (ALG) 120 on dual nodes at the cloud's boundary. The ALG solution is less 121 flexible in that it is application protocol specific and it is 122 also less robust since a the ALG box is likely to be a single 123 point of failure for a connection using that box. 125 - Otherwise, if there IPv4 routing is supported inside the cloud and 126 the implementations support both IPv6 and IPv4 it might suffice to 127 have a mechanism for allocating temporary IPv4 and use IPv4 end to 128 end when communicating with IPv4-only nodes. However, it would 129 seem that such a solution would require the pool of temporary IPv4 130 addresses to be partitioned across all the subnets in the cloud 131 which would either require a larger pool of IPv4 addresses or 132 result in cases where communication would fail due to no available 133 IPv4 address for the node's subnet. 135 This document specifies a mechanism that is one of the components 136 needed to make IPv6-only nodes interoperate with IPv4-only nodes. 137 Other components, no specified in this document, are a mechanism for 138 the IPv6-only node to somehow acquire a temporary IPv4 address, and a 139 mechanism for providing routing (perhaps using tunneling) to and from 140 the temporary IPv4 address assigned to the node. 142 The temporary IPv4 address will be used as an IPv4-translated IPv6 143 address and the packets will travel through a stateless IP/ICMP 144 translator that will translate the packet headers between IPv4 and 145 IPv6 and translate the addresses in those headers between IPv4 146 addresses on one side and IPv4-translated or IPv4-mapped IPv6 147 addresses on the other side. 149 This specification does not cover how an IPv6 node can acquire a 150 temporary IPv4 address and how such a temporary address be registered 151 in the DNS. The DHCP protocol, perhaps with some extensions, could 152 probably be used to acquire temporary addresses with short leases but 153 that is outside the scope of this document. Also, the mechanism for 154 routing this IPv4-translated IPv6 address in the site is not 155 specified in this document. 157 The figures below show how the Stateless IP/ICMP Translator (SIIT) 158 can be used initially for small networks (e.g., a single subnet) and 159 later for a site which has IPv6-only hosts in a dual IPv4/IPv6 160 network. This use assumes a mechanism for the IPv6 nodes to acquire 161 an temporary address from the pool of IPv4 addresses. Note that SIIT 162 is not likely to be useful later during transition when most of the 163 Internet is IPv6 and there are only small islands of IPv4 nodes, 164 since such use would either require the IPv6 nodes to acquire 165 temporary IPv4 addresses from a "distant" SIIT box operated by a 166 different administration, or require that the IPv6 routing contain 167 routes for IPv6-mapped addresses. (The latter is known to be a very 168 bad idea.) 170 ___________ 171 / \ 172 [IPv6 Host]---[SIIT]---------< IPv4 network>--[IPv4 Host] 173 | \___________/ 174 (pool of IPv4 addresses) 176 Figure 1. Using SIIT for a single IPv6-only subnet. 178 ___________ ___________ 179 / \ / \ 180 [IPv6 Host]--< Dual network>--[SIIT]--< IPv4 network>--[IPv4 Host] 181 \___________/ | \___________/ 182 (pool of IPv4 addresses) 184 Figure 2. Using SIIT for an IPv6-only or dual cloud (e.g. a site) 185 which contains some IPv6-only hosts as well as IPv4 hosts. 187 1.1. Applicability and Limitations 189 The IPv6 protocol [IPv6] has been designed so that the transport 190 pseudo-header checksums are not affected by such a translation thus 191 the translator does not need to modify normal TCP and UDP headers. 192 The only exception being unfragmented IPv4 UDP packets which need to 193 have a UDP checksum computed since a pseudo-header checksum is 194 required for UDP in IPv6. Also, ICMPv6 include a pseudo-header 195 checksum but it is not present in ICMPv4 thus the checksum in ICMP 196 messages need to be modified by the translator. In addition, ICMP 197 error messages contain an IP header as part of the payload thus the 198 translator need to rewrite those parts of the packets to make the 199 receiver be able to understand the included IP header. However, all 200 of the translators operations, including path MTU discovery, are 201 stateless in the sense that the translator operates independently on 202 each packet and does not retain any state from one packet to another. 203 This allows redundant translator boxes without any coordination and a 204 given TCP connection can have the two directions of packets go 205 through different translator boxes. 207 The translating function as specified in this document does not 208 translate any IPv4 options and it does not translate IPv6 routing 209 headers, hop-by-hop extension headers, or destination options 210 headers. It could be possible to define a translation between source 211 routing in IPv4 and IPv6. However such a translation would not be 212 semantically correct since the IPv4 source routing option performs a 213 "record route" function as the nodes listed in the source route are 214 traversed and the IPv6 routing header does not include the record 215 route aspect. Also, the usefulness of source routing when going 216 through a header translator might be limited since all the IPv6-only 217 routers would need to have an IPv4-translated IPv6 address since the 218 IPv4-only node will send a source route option containing only IPv4 219 addresses. 221 At first sight it might appear that the IPsec functionality [IPv6-SA, 222 IPv6-ESP, IPv6-AH] can not be carried across the translator. 223 However, since the translator does not modify any headers above the 224 logical IP layer (IP headers, IPv6 fragment headers, and ICMP 225 messages) packets encrypted using ESP in Transport-mode can be 226 carried through the translator. [Note that this assumes that the key 227 management can operate between the IPv6-only and the IPv4-only node.] 228 The use of AH headers is more complex since the AH computation covers 229 most of the fields in the IP header. Should it be possible for the 230 IPv6 node to predict the value of all the IPv4 header fields on the 231 other side of the translator then the IPv6 node could calculate the 232 authentication data using an IPv4 header instead of the IPv6 header 233 even though it is sending and receiving IPv6 packets. [Currently 234 this is not possible since the IP fragment identification field is 235 not carried end-to-end through the translator in all cases. This 236 could be resolved by changing AH to not include the fragment 237 identification field in the AH computation for either IPv4 or IPv6.] 238 For ESP Tunnel-mode the IPv6 node would have to be able to parse and 239 generate "inner" IPv4 headers since the inner IP will be encrypted 240 together with the transport protocol. 242 IPv4 multicast addresses can not be mapped to IPv6 multicast 243 addresses. For instance, ::ffff:224.1.2.3 is an IPv4 mapped IPv6 244 address with a class D address, however it is not an IPv6 multicast 245 address. While the IP/ICMP translation aspect of this draft works 246 for multicast packets this address mapping limitation makes it hard 247 to the techniques in this draft for multicast traffic. 249 1.2. Impact Outside the Network Layer 251 The potential existence of stateless IP/ICMP translators is already 252 taken care of from a protocol perspective in [IPv6]. However, an 253 IPv6 node that wants to be able to use translators need some 254 additional logic in the network layer. 256 The network layer in an IPv6-only node when presented with either an 257 IPv4 destination address or an IPv4-mapped IPv6 destination address 258 by the application is likely to drop the packet and return some error 259 message to the application. In order to take advantage of 260 translators such a node should instead send an IPv6 packet where the 261 destination address is the IPv4-mapped address and the source address 262 is the nodes temporarily assigned IPv4-translated address. If the 263 node does not have a temporarily assigned IPv4-translated address it 264 should acquire one using mechanisms that are not discussed in this 265 document. 267 Note that the above also applies to a dual IPv4/IPv6 implementation 268 node which is not configured with any IPv4 address. 270 There are no extra changes needed to applications to operate through 271 a translator beyond what applications already need to do to operate 272 on a dual node. The applications that have been modified to work on 273 a dual node already have the mechanisms to determine whether they are 274 communicating with an IPv4 or an IPv6 peer. Thus if the applications 275 need to modify their behavior depending on the type of the peer, such 276 as ftp determining whether to fallback to using the PORT/PASV command 277 when EPRT/EPSV fails (as specified in [FTPEXT]), they already need to 278 do that when running on dual nodes and the presense of translators 279 does not add anything. For example, when using the socket API [RFC 280 2133] the applications know that the peer is IPv6 if they get an 281 AF_INET6 address from the name service and the address is not an 282 IPv4-mapped address (i.e., IN6_IS_ADDR_V4MAPPED returns false). If 283 this is not the case, i.e., the address is AF_INET or an IPv4-mapped 284 IPv6 address, the peer is IPv4. 286 One way of viewing the translator, which might help clarify why 287 applications do not need to know that a translator is used, is to 288 look at the information that is passed from the transport layer to 289 the network layer. If the transport passes down an IPv4 address 290 (whether or not is in the IPv4-mapped encoding) this means that at 291 some point there will be IPv4 packets generated. In a dual node the 292 generation of the IPv4 packets takes place in the sending node. In 293 an IPv6-only node conceptually the only difference is that the IPv4 294 packet is generated by the translator - all the information that the 295 transport layer passed to the network layer will be conveyed to the 296 translator in some form. That form just "happens" to be in the form 297 of an IPv6 header. 299 2. TERMINOLOGY 301 This documents uses the terminology defined in [IPv6] and [TRANS- 302 MECH] with these clarifications: 304 IPv4 capable node: 306 A node which has an IPv4 protocol stack. In order 307 for the stack to be usable the node must be assigned 308 one or more IPv4 addresses. 310 IPv4 enabled node: A node which has an IPv4 protocol stack 311 and is assigned one or more IPv4 addresses. Both 312 IPv4-only and IPv6/IPv4 nodes are IPv4 enabled. 314 IPv6 capable node: 316 A node which has an IPv6 protocol stack. In order 317 for the stack to be usable the node must be assigned 318 one or more IPv6 addresses. 320 IPv6 enabled node: A node which has an IPv6 protocol stack 321 and is assigned one or more IPv6 addresses. Both 322 IPv6-only and IPv6/IPv4 nodes are IPv6 enabled. 324 2.1. Addresses 326 In addition to the forms of addresses defined in [ADDR-ARCH] this 327 document also introduces the new form of IPv4-translated address. 328 This is needed to avoid using IPv4-compatible addresses outside the 329 intended use of automatic tunneling. Thus the address forms are: 331 IPv4-mapped: 332 An address of the form 0::ffff:a.b.c.d which refers 333 to a node that is not IPv6-capable. In addition to 334 its use in the API this protocol uses IPv4-mapped 335 addresses in IPv6 packets to refer to an IPv4 node. 336 IPv4-compatible: 337 An address of the form 0::0:a.b.c.d which refers to 338 an IPv6/IPv4 node that supports automatic tunneling. 339 Such addresses are not used in this protocol. 340 IPv4-translated: 341 An address of the form 0::ffff:0:a.b.c.d which refers 342 to an IPv6-enabled node. Note that the prefix 343 0::ffff:0:0:0/96 is chosen to checksum to zero to 344 avoid any changes to the transport protocol's pseudo 345 header checksum. 347 2.2. Requirements 349 The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, 350 SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this 351 document, are to be interpreted as described in [KEYWORDS]. 353 3. OVERVIEW 355 The protocol translators are assumed to fit around some piece of 356 topology that includes some IPv6-only nodes and that may also include 357 IPv4 nodes as well as dual nodes. There has to be a translator on 358 each path used by routing the "translatable" packets in and out of 359 this cloud to ensure that the packets always get translated. This 360 does not require a translator at every physical connection between 361 the cloud and the rest of the Internet since the routing can be used 362 to deliver the packets to the translator. 364 3.1. Assumptions 366 The IPv6 nodes using the translator must have an IPv4-translated IPv6 367 address while it is communicating with IPv4-only nodes. 369 Fragmented IPv4 UDP packets that do not contain a UDP checksum (i.e. 370 the UDP checksum field is zero)d are not of significant use over 371 wide-areas in the Internet and will not be translated by the 372 translator. An informal trace [MILLER] in the backbone showed that 373 out of 34,984,468 IP packets there were 769 fragmented UDP packets 374 with a zero checksum. However, all of them are due to malicious or 375 broken behavior; a port scan and first fragments of IP packets that 376 are not a multiple of 8 bytes. 378 4. TRANSLATING FROM IPv4 TO IPv6 380 When an IPv4-to-IPv6 translator receives an IPv4 datagram addressed 381 to a destination that lies outside of the attached IPv4 island, it 382 translates the IPv4 header of that packet into an IPv6 header. It 383 then forwards the packet based on the IPv6 destination address. The 384 original IPv4 header on the packet is removed and replaced by a IPv6 385 header. Except for ICMP packets the transport layer header and data 386 portion of the packet are left unchanged. 388 +-------------+ +-------------+ 389 | IPv4 | | IPv6 | 390 | Header | | Header | 391 +-------------+ +-------------+ 392 | Transport | | Fragment | 393 | Layer | ===> | Header | 394 | Header | |(not always) | 395 +-------------+ +-------------+ 396 | | | Transport | 397 ~ Data ~ | Layer | 398 | | | Header | 399 +-------------+ +-------------+ 400 | | 401 ~ Data ~ 402 | | 403 +-------------+ 405 IPv4-to-IPv6 Translation 407 One of the differences between IPv4 and IPv6 is that in IPv6 path MTU 408 discovery is mandatory but it is optional in IPv4. This implies that 409 IPv6 routers will never fragment a packet - only the sender can do 410 fragmentation. 412 When the IPv4 node performs path MTU discovery (by setting the DF bit 413 in the header) the path MTU discovery can operate end-to-end i.e. 414 across the translator. In this case either IPv4 or IPv6 routers 415 might send back ICMP "packet too big" messages to the sender. When 416 these ICMP errors are sent by the IPv6 routers they will pass through 417 a translator which will translate the ICMP error to a form that the 418 IPv4 sender can understand. In this case an IPv6 fragment header is 419 only included if the IPv4 packet is already fragmented. 421 However, when the IPv4 sender does not perform path MTU discovery the 422 translator has to ensure that the packet does not exceed the path MTU 423 on the IPv6 side. This is done by fragmenting the IPv4 packet so 424 that it fits in 1280 byte IPv6 packet since IPv6 guarantees that 1280 425 byte packets never need to be fragment. Also, when the IPv4 sender 426 does not perform path MTU discovery the translator MUST always 427 include an IPv6 fragment header to indicate that the sender allows 428 fragmentation. That is needed should the packet pass through an 429 IPv6-to-IPv4 translator. 431 The above rules ensure that when packets are fragmented either by the 432 sender or by IPv4 routers that the low-order 16 bits of the fragment 433 identification is carried end-end to ensure that packets are 434 correctly reassembled. In addition, the rules use the presence of an 435 IPv6 fragment header to indicate that the sender might not be using 436 path MTU discovery i.e. the packet should not have the DF flag set 437 should it later be translated back to IPv4. 439 Other than the special rules for handling fragments and path MTU 440 discovery the actual translation of the packet header consists of a 441 simple mapping as defined below. Note that ICMP packets require 442 special handling in order to translate the content of ICMP error 443 message and also to add the ICMP pseudo-header checksum. 445 4.1. Translating IPv4 Headers 447 If the DF flag is not set and the IPv4 packet will result in an IPv6 448 packet larger than 1280 bytes the IPv4 packet MUST be fragmented 449 prior to translating it. Since IPv4 packets with DF not set will 450 always result in a fragment header being added to the packet the IPv4 451 packets must be fragmented so that their length, excluding the IPv4 452 header, is at most 1232 bytes (1280 minus 40 for the IPv6 header and 453 8 for the Fragment header). The resulting fragments are then 454 translated independently using the logic described below. 456 If the DF bit is set and the packet is not a fragment (i.e., the MF 457 flag is not set and the Fragment Offset is zero) then there is no 458 need to add a fragment header to the packet. The IPv6 header fields 459 are set as follows: 461 Version: 462 6 464 Traffic Class: 465 Copied from IP Type Of Service and Precedence field 466 (all 8 bits are copied). According to [DIFFSERV] the 467 semantics of the bits are identical in IPv4 and IPv6. 468 However, in some IPv4 environments these fileds might 469 be used with the old semantics of "Type Of Service 470 and Precedence". An implementation of a translator 471 SHOULD provide a the ability to ignore the IPv4 "TOS" 472 and always set the IPv6 traffic class to zero. 474 Flow Label: 475 0 (all zero bits) 477 Payload Length: 478 Total length value from IPv4 header, minus the size 479 of the IPv4 header and IPv4 options, if present. 481 Next Header: 482 Protocol field copied from IPv4 header 484 Hop Limit: 485 TTL value copied from IPv4 header. Since the 486 translator is a router, as part of forwarding the 487 packet it needs to decrement either the IPv4 TTL 488 (before the translation) or the IPv6 Hop Limit (after 489 the translation). As part of decrementing the TTL or 490 Hop Limit the translator (as any router) needs to 491 check for zero and send the ICMPv4 or ICMPv6 "ttl 492 exceeded" error. 494 Source Address: 495 The low-order 32 bits is the IPv4 source address. 496 The high-order 96 bits is the IPv4-mapped prefix 497 (::ffff:0:0/96) 499 Destination Address: 500 The low-order 32 bits is the IPv4 destination 501 address. The high-order 96 bits is the IPv4- 502 translated prefix (0::ffff:0:0:0/96) 504 If IPv4 options are present in the IPv4 packet, they are ignored 505 i.e., there is no attempt to translate them. 507 If there is need to add a fragment header (the DF bit is not set or 508 the packet is a fragment) the header fields are set as above with the 509 following exceptions: 511 IPv6 fields: 513 Payload Length: 514 Total length value from IPv4 header, plus 8 for the 515 fragment header, minus the size of the IPv4 header 516 and IPv4 options, if present. 518 Next Header: 519 Fragment Header (44). 521 Fragment header fields: 523 Next Header: 524 Protocol field copied from IPv4 header. 526 Fragment Offset: 527 Fragment Offset copied from the IPv4 header. 529 M flag: 530 More Fragments bit copied from the IPv4 header. 532 Identification: 533 The low-order 16 bits copied from the Identification 534 field in the IPv4 header. The high-order 16 bits set 535 to zero. 537 4.2. Translating UDP over IPv4 539 If a UDP packet has a zero UDP checksum then a valid checksum must be 540 calculated in order to translate the packet. A stateless translator 541 can not do this for fragmented packets but [MILLER] indicates that 542 fragmented UDP packets with a zero checksum appear to only be used 543 for malicious purposes. Thus this is not believed to be a noticeable 544 limitation. 546 When a translator receives the first fragment of a fragmented UDP 547 IPv4 packet and the checksum field is zero the translator SHOULD drop 548 the packet and generate a system management event specifying at least 549 the IP addresses and port numbers in the packet. When it receives 550 fragments other than the first it SHOULD silently drop the packet, 551 since there is no port information to log. 553 When a translator receives an unfragmented UDP IPv4 packet and the 554 checksum field is zero the translator MUST compute the missing UDP 555 checksum as part of translating the packet. Also, the translator 556 SHOULD maintain a counter of how many UDP checksums are generated in 557 this manner. 559 4.3. Translating ICMPv4 561 All ICMP messages that are to be translated require that the ICMP 562 checksum field be updated as part of the translation since ICMPv6, 563 unlike ICMPv4, has a pseudo-header checksum just like UDP and TCP. 565 In addition all ICMP packets needs to have the Type value translated 566 and for ICMP error messages the included IP header also needs 567 translation. 569 The actions needed to translate various ICMPv4 messages are: 571 ICMPv4 query messages: 573 Echo and Echo Reply (Type 8 and Type 0) 574 Adjust the type to 128 and 129, respectively, and adjust the 575 ICMP checksum both take the type change into account and to 576 include the ICMPv6 pseudo-header. 578 Information Request/Reply (Type 15 and Type 16) 579 Obsoleted in ICMPv4. Silently drop. 581 Timestamp and Timestamp Reply (Type 13 and Type 14) 582 Obsoleted in ICMPv6. Silently drop. 584 Address Mask Request/Reply (Type 17 and Type 18) 585 Obsoleted in ICMPv6. Silently drop. 587 ICMP Router Advertisement (Type 9) 588 Single hop message. Silently drop. 590 ICMP Router Solicitation (Type 10) 591 Single hop message. Silently drop. 593 Unknown ICMPv4 types 594 Silently drop. 596 IGMP messages: 598 While the MLD messages [MLD] are the logical IPv6 599 counterparts for the IPv4 IGMP messages all the "normal" IGMP 600 messages are single-hop messages and should be silently 601 dropped by the translator. Other IGMP messages might be used 602 by multicast routing protocols and, since it would be a 603 configuration error to try to have router adjacencies across 604 IPv4/IPv6 translators those packets should also be silently 605 dropped. 607 ICMPv4 error messages: 609 Destination Unreachable (Type 3) 610 For all that are not explicitly listed below set the Type to 611 1. 613 Translate the code field as follows: 614 Code 0, 1: Set Code to 0 (no route to destination). 616 Code 2: Translate to an ICMPv6 Parameter Problem (Type 4, 617 Code 1) and make the Pointer point to the IPv6 Next Header 618 field. 620 Code 3: Set Code to 4 (port unreachable). 622 Code 4: Translate to an ICMPv6 Packet Too Big message 623 (Type 2) with code 0. The MTU field needs to be adjusted 624 for the difference between the IPv4 and IPv6 header sizes. 625 Note that if the IPv4 router did not set the MTU field 626 i.e. the router does not implement [PMTUv4], then the 627 translator must use the plateau values specified in 628 [PMTUv4] to determine a likely path MTU and include that 629 path MTU in the ICMPv6 packet. (Use the greatest plateau 630 value that is less than the returned Total Length field.) 632 Code 5: Set Code to 2 (not a neighbor). 634 Code 6,7: Set Code to 0 (no route to destination). 636 Code 8: Set Code to 0 (no route to destination). 638 Code 9, 10: Set Code to 1 (communication with destination 639 administratively prohibited) 641 Code 11, 12: Set Code to 0 (no route to destination). 643 Redirect (Type 5) 644 Single hop message. Silently drop. 646 Source Quench (Type 4) 647 Obsoleted in ICMPv6. Silently drop. 649 Time Exceeded (Type 11) 650 Set the Type field to 3. The Code field is unchanged. 652 Parameter Problem (Type 12) 653 Set the Type field to 4. The Pointer needs to be updated to 654 point to the corresponding field in the translated include IP 655 header. 657 4.4. Translating ICMPv4 Error Messages 659 There are some differences between the IPv4 and the IPv6 ICMP error 660 message formats as detailed above. In addition, the ICMP error 661 messages contain the IP header for the packet in error which needs to 662 be translated just like a normal IP header. This translated is 663 likely to change the length of the datagram thus the Payload Length 664 field in the outer IPv6 header might need to be updated. 666 +-------------+ +-------------+ 667 | IPv4 | | IPv6 | 668 | Header | | Header | 669 +-------------+ +-------------+ 670 | ICMPv4 | | ICMPv6 | 671 | Header | | Header | 672 +-------------+ +-------------+ 673 | IPv4 | ===> | IPv6 | 674 | Header | | Header | 675 +-------------+ +-------------+ 676 | Partial | | Partial | 677 | Transport | | Transport | 678 | Layer | | Layer | 679 | Header | | Header | 680 +-------------+ +-------------+ 682 IPv4-to-IPv6 ICMP Error Translation 684 The translation of the inner IP header can be done by recursively 685 invoking the function that translated the outer IP headers. 687 4.5. Knowing when to Translate 689 The translator is assumed to know the pool(s) of IPv4 address that 690 are used to represent the internal IPv6-only nodes. Thus if the 691 destination address falls in these configured sets of prefixes the 692 packet needs to be translated to IPv6. 694 5. TRANSLATING FROM IPv6 TO IPv4 696 When an IPv6-to-IPv4 translator receives an IPv6 datagram addressed 697 to an IPv4-mapped IPv6 address, it translates the IPv6 header of that 698 packet into an IPv6 header. It then forwards the packet based on the 699 IPv4 destination address. The original IPv6 header on the packet is 700 removed and replaced by a IPv4 header. Except for ICMP packets the 701 transport layer header and data portion of the packet are left 702 unchanged. 704 +-------------+ +-------------+ 705 | IPv6 | | IPv4 | 706 | Header | | Header | 707 +-------------+ +-------------+ 708 | Fragment | | Transport | 709 | Header | ===> | Layer | 710 |(if present) | | Header | 711 +-------------+ +-------------+ 712 | Transport | | | 713 | Layer | ~ Data ~ 714 | Header | | | 715 +-------------+ +-------------+ 716 | | 717 ~ Data ~ 718 | | 719 +-------------+ 721 IPv6-to-IPv4 Translation 723 There are some differences between IPv6 and IPv4 in the area of 724 fragmentation and the minimum link MTU that effect the translation. 725 An IPv6 link has to have an MTU of 1280 bytes or greater. The 726 corresponding limit for IPv4 is 68 bytes. Thus, unless there were 727 special measures, it would not be possible to do end-to-end path MTU 728 discovery when the path includes an IPv6-to-IPv4 translator since the 729 IPv6 node might receive ICMP "packet too big" messages originated by 730 an IPv4 router that report an MTU less than 1280. However, [IPv6] 731 requires that IPv6 nodes handle such an ICMP "packet too big" message 732 by reducing the path MTU to 1280 and including an IPv6 fragment 733 header with each packet. This allows end-to-end path MTU discovery 734 across the translator as long as the path MTU is 1280 bytes or 735 greater. When the path MTU drops below the 1280 limit the IPv6 736 sender will originate 1280 byte packets that will be fragmented by 737 IPv4 routers along the path after being translated to IPv4. 739 The only drawback with this scheme is that it is not possible to use 740 PMTU to do optimal UDP fragmentation at sender. The presence of an 741 IPv6 Fragment header is interpreted that is it OK to fragment the 742 packet on the IPv4 side thus if the Fragment header is present 743 because UDP wants to send e.g. 8 kbyte packets even though the path 744 MTU is smaller the path MTU discovery will not be end-to-end but only 745 up to and including the translator. 747 Other than the special rules for handling fragments and path MTU 748 discovery the actual translation of the packet header consists of a 749 simple mapping as defined below. Note that ICMP packets require 750 special handling in order to translate the content of ICMP error 751 message and also to add the ICMP pseudo-header checksum. 753 5.1. Translating IPv6 Headers 755 If there is no IPv6 Fragment header the IPv4 header fields are set as 756 follows: 758 Version: 759 4 761 Internet Header Length: 762 5 (no IPv4 options) 764 Type of Service and Precedence: 765 Copied from the IPv6 Traffic Class (all 8 bits). 766 According to [DIFFSERV] the semantics of the bits are 767 identical in IPv4 and IPv6. 769 Total Length: 770 Payload length value from IPv6 header, plus the size 771 of the IPv4 header. 773 Identification: 774 All zero. 776 Flags: 777 The More Fragments flag is set to zero. The Don't 778 Fragments flag is set to one. 780 Fragment Offset: 781 All zero. 783 Time to Live: 784 Hop Limit value copied from IPv6 header. Since the 785 translator is a router, as part of forwarding the 786 packet it needs to decrement either the IPv6 Hop 787 Limit (before the translation) or the IPv4 TTL (after 788 the translation). As part of decrementing the TTL or 789 Hop Limit the translator (as any router) needs to 790 check for zero and send the ICMPv4 or ICMPv6 "ttl 791 exceeded" error. 793 Protocol: 794 Next Header field copied from IPv6 header. 796 Header Checksum: 797 Computed once the IPv4 header has been created. 799 Source Address: 800 If the IPv6 source address is an IPv4-translated or 801 an IPv4-mapped address then the low-order 32 bits of 802 the IPv6 source address is copied to the IPv4 source 803 address. Otherwise, the source address is set to 804 127.0.0.1. The use of 127.0.0.1 is to avoid 805 completely dropping e.g. ICMPv6 error messages sent 806 by IPv6-only routers. 808 Destination Address: 809 IPv6 packets that are translated have an IPv4-mapped 810 destination address. Thus the low-order 32 bits of 811 the IPv6 destination address is copied to the IPv4 812 source address. 814 If any of an IPv6 hop-by-hop options header, destination options 815 header, or routing header are present in the IPv6 packet, they are 816 ignored i.e., there is no attempt to translate them. However, the 817 Total Length field and the Protocol field would have to be adjusted 818 to "skip" these extension headers. 820 If the IPv6 packet contains a Fragment header the header fields are 821 set as above with the following exceptions: 823 Total Length: 824 Payload length value from IPv6 header, minus 8 for 825 the Fragment header, plus the size of the IPv4 826 header. 828 Identification: 829 Copied from the low-order 16-bits in the 830 Identification field in the Fragment header. 832 Flags: 833 The More Fragments flag is copied from the M flag in 834 the Fragment header. The Don't Fragments flag is set 835 to zero allowing this packet to be fragmented by IPv4 836 routers. 838 Fragment Offset: 839 Copied from the Fragment Offset field in the Fragment 840 Header. 842 Protocol: 843 Next Header value copied from Fragment header. 845 5.2. Translating ICMPv6 847 All ICMP messages that are to be translated require that the ICMP 848 checksum field be updated as part of the translation since ICMPv6, 849 unlike ICMPv4, has a pseudo-header checksum just like UDP and TCP. 851 In addition all ICMP packets needs to have the Type value translated 852 and for ICMP error messages the included IP header also needs 853 translation. 855 The actions needed to translate various ICMPv6 messages are: 857 ICMPv6 informational messages: 859 Echo Request and Echo Reply (Type 128 and 129) 860 Adjust the type to 0 and 8, respectively, and adjust the ICMP 861 checksum both take the type change into account and to 862 exclude the ICMPv6 pseudo-header. 864 MLD Multicast Listener Query/Report/Done (Type 130, 131, 132) 865 Single hop message. Silently drop. 867 Neighbor Discover messages (Type 133 through 137) 868 Single hop message. Silently drop. 870 Unknown informational messages 871 Silently drop. 873 ICMPv6 error messages: 875 Destination Unreachable (Type 1) 876 Set the Type field to 3. Translate the code field as 877 follows: 878 Code 0: Set Code to 1 (host unreachable). 880 Code 1: Set Code to 10 (communication with destination 881 host administratively prohibited). 883 Code 2: Set Code to 5 (source route failed). 885 Code 3: Set Code to 1 (host unreachable). 887 Code 4: Set Code to 3 (port unreachable). 889 Packet Too Big (Type 2) 890 Translate to an ICMPv4 Destination Unreachable with code 4. 892 The MTU field needs to be adjusted for the difference between 893 the IPv4 and IPv6 header sizes taking into account whether or 894 not the packet in error includes a Fragment header. 896 Time Exceeded (Type 3) 897 Set the Type to 11. The Code field is unchanged. 899 Parameter Problem (Type 4) 900 If the Code is 1 translate this to an ICMPv4 protocol 901 unreachable (Type 3, Code 2). Otherwise set the Type to 12 902 and the Code to zero. The Pointer needs to be updated to 903 point to the corresponding field in the translated include IP 904 header. 906 Unknown error messages 907 Silently drop. 909 5.3. Translating ICMPv6 Error Messages 911 There are some differences between the IPv4 and the IPv6 ICMP error 912 message formats as detailed above. In addition, the ICMP error 913 messages contain the IP header for the packet in error which needs to 914 be translated just like a normal IP header. This translated is 915 likely to change the length of the datagram thus the Payload Length 916 field in the outer IPv6 header might need to be updated. 918 +-------------+ +-------------+ 919 | IPv6 | | IPv4 | 920 | Header | | Header | 921 +-------------+ +-------------+ 922 | ICMPv6 | | ICMPv4 | 923 | Header | | Header | 924 +-------------+ +-------------+ 925 | IPv6 | ===> | IPv4 | 926 | Header | | Header | 927 +-------------+ +-------------+ 928 | Partial | | Partial | 929 | Transport | | Transport | 930 | Layer | | Layer | 931 | Header | | Header | 932 +-------------+ +-------------+ 934 IPv6-to-IPv4 ICMP Error Translation 936 The translation of the inner IP header can be done by recursively 937 invoking the function that translated the outer IP headers. 939 5.4. Knowing when to Translate 941 When the translator receives a IPv6 packet with an IPv4-mapped 942 destination address the packet will be translated to IPv4. 944 6. SECURITY CONSIDERATIONS 946 The use of stateless IP/ICMP translators does not introduce any new 947 security issues beyond the security issues that are already present 948 in the IPv4 and IPv6 protocols and in the routing protocols which are 949 used to make the packets reach the translator. 951 As the Authentication Header is currently specified to include the 952 IPv4 Identification field and the translating function not being able 953 to always preserve the Identification field, it is not possible for 954 an IPv6 endpoint to predict the content of a packet at the IPv4 side 955 of the translator. As such it is impossible to translate packets 956 with AH headers. 958 Packets with ESP can be translated since ESP does not depend on 959 header fields prior to the ESP header. Note that ESP transport mode 960 is preferred over ESP tunnel mode since it does not contain an 961 "extra" encrypted IP header which could confuse the peer. 963 7. CHANGE LOG 965 Changes since version -05 of the draft: 967 o Added description on how to handle UDP/IPv4 packets with a zero 968 UDP checksum. 969 o Clarified the scope of the document to be a component of a 970 solution. 971 o Updated ftp text to talk about EPRT/EPSV and RFC 2428. 972 o Editorial fixes. 974 REFERENCES 976 [KEYWORDS] S. Bradner, "Key words for use in RFCs to Indicate 977 Requirement Levels", RFC 2119, March 1997. 979 [IPv6] S. Deering, R. Hinden, Editors, "Internet Protocol, Version 980 6 (IPv6) Specification", RFC 2460, December 1998. 982 [IPv4] J. Postel, "Internet Protocol", RFC 791, September 1981. 984 [ADDR-ARCH] S. Deering, R. Hinden, Editors, "IP Version 6 985 Addressing Architecture", RFC 2373, July 1998. 987 [TRANS-MECH] R. Gilligan, E. Nordmark, "Transition Mechanisms for 988 IPv6 Hosts and Routers", RFC 1933, April 1996. 990 [DISCOVERY] T. Narten, E. Nordmark, and W. Simpson, "Neighbor 991 Discovery for IP Version 6 (IPv6)", RFC 2461, December 992 1998. 994 [IPv6-SA] R. Atkinson. "Security Architecture for the Internet 995 Protocol". RFC 2401, November 1998. 997 [IPv6-AUTH] R. Atkinson. "IP Authentication Header", RFC 2402, 998 November 1998. 1000 [IPv6-ESP] R. Atkinson. "IP Encapsulating Security Payload (ESP)", 1001 RFC 2406, November 1998. 1003 [ICMPv4] J. Postel, "Internet Control Message Protocol", RFC 792, 1004 September 1981. 1006 [ICMPv6] A. Conta, S. Deering, "Internet Control Message Protocol 1007 (ICMPv6) for the Internet Protocol Version 6 (IPv6)", RFC 1008 2463, December 1998. 1010 [IGMP] S. Deering, "Host extensions for IP multicasting", RFC 1112, 1011 August 1989. 1013 [PMTUv4] J. Mogul, S. Deering, "Path MTU Discovery", RFC 1191, 1014 November 1990. 1016 [PMTUv6] J. McCann, S. Deering, J. Mogul, "Path MTU Discovery for 1017 IP version 6", RFC 1981, August 1996. 1019 [DIFFSERV] K. Nichols, S. Blake, F. Baker, and D. L. Black, 1020 "Definition of the Differentiated Services Field (DS Field) 1021 in the IPv4 and IPv6 Headers", RFC 2474, December 1998. 1023 [MLD] S. Deering, W. Fenner, and B. Haberman, "Multicast Listener 1024 Discovery (MLD) for IPv6", Internet Draft, September 1998. 1026 [FTPEXT] M. Allman, S. Ostermann, C. Metz, "FTP Extensions for IPv6 1027 and NATs.", RFC 2428, September 1998. 1029 [MILLER] G. Miller, Email to the ngtrans mailing list on 26 March 1030 1999. 1032 AUTHOR'S ADDRESS 1034 Erik Nordmark 1035 Sun Microsystems, Inc. 1036 901 San Antonio Road 1037 Palo Alto, CA 94303 1038 USA 1040 phone: +1 650 786 5166 1041 fax: +1 650 786 5896 1042 email: nordmark@sun.com