idnits 2.17.1 draft-ietf-pcp-nat64-prefix64-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC3849-compliant IPv6 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 31, 2013) is 3920 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-08) exists of draft-ietf-mmusic-latching-03 == Outdated reference: A later version (-13) exists of draft-ietf-pcp-port-set-02 == Outdated reference: A later version (-19) exists of draft-ietf-rtcweb-overview-06 -- Obsolete informational reference (is this intentional?): RFC 4566 (Obsoleted by RFC 8866) Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 PCP Working Group M. Boucadair 3 Internet-Draft France Telecom 4 Intended status: Standards Track July 31, 2013 5 Expires: February 01, 2014 7 Learning NAT64 PREFIX64s using PCP 8 draft-ietf-pcp-nat64-prefix64-04 10 Abstract 12 This document defines a new PCP extension to learn the IPv6 13 prefix(es) used by a PCP-controlled NAT64 device to build 14 IPv4-converted IPv6 addresses. This extension is needed for 15 successful communications when IPv4 addresses are used in referrals. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on February 01, 2014. 34 Copyright Notice 36 Copyright (c) 2013 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 52 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 53 3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 54 3.1. Issues . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 3.2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 3 56 3.2.1. AAAA Synthesis by the DNS Stub-resolver . . . . . . . 3 57 3.2.2. Application Referrals . . . . . . . . . . . . . . . . 4 58 4. PREFIX64 Option . . . . . . . . . . . . . . . . . . . . . . . 5 59 4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 5 60 4.2. Behavior . . . . . . . . . . . . . . . . . . . . . . . . 7 61 5. Flow Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 62 5.1. TCP Session Initiated from an IPv6-only Host . . . . . . 9 63 5.2. SIP Flow Example . . . . . . . . . . . . . . . . . . . . 9 64 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 65 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 66 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 67 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 68 9.1. Normative References . . . . . . . . . . . . . . . . . . 13 69 9.2. Informative References . . . . . . . . . . . . . . . . . 13 70 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 72 1. Introduction 74 This document defines a new PCP extension [RFC6887] to inform PCP 75 clients about the Pref64::/n and suffix [RFC6052] used by a PCP- 76 controlled NAT64 device [RFC6146]. It does so by defining a new 77 PREFIX64 option. 79 This extension is a deterministic solution to help establish 80 communications between IPv6-only hosts and remote IPv4-only hosts. 81 Unlike [I-D.ietf-behave-nat64-discovery-heuristic], this extension 82 solves all the issues identified in 83 [I-D.ietf-behave-nat64-learn-analysis]. 85 Some illustration examples are provided in Section 5. Detailed 86 experiment results are available at 87 [I-D.boucadair-pcp-nat64-experiments]. 89 The use of this PCP extension for NAT64 load balancing purposes 90 ([I-D.zhang-behave-nat64-load-balancing]) is out of scope. 92 2. Requirements Language 94 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 95 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 96 document are to be interpreted as described in [RFC2119]. 98 3. Problem Statement 100 3.1. Issues 102 This document proposes a deterministic solution to solve the 103 following issues: 105 o Learn the Pref64::/n used by an upstream NAT64 function. This is 106 needed to help: 108 * distinguish between IPv4-converted IPv6 addresses [RFC6052] and 109 native IPv6 addresses. 110 * implement IPv6 address synthesis for applications not relying 111 on DNS (where DNS64 [RFC6147] would provide the synthesis). 112 o Avoid stale Pref64::/n. 113 o Discover multiple Pref64::/n when multiple prefixes exist in a 114 network. 115 o Support destination-dependent Pref64::/n. 116 o Use DNSSEC ([RFC4033], [RFC4034], [RFC4035]) in the presence of 117 NAT64. 118 o Discover the suffix used by an NAT64 function when non-null 119 suffixes are in use (e.g., checksum neutral suffix). 120 o Support destination-based Pref64::/n (Section 5.1 of 121 [I-D.ietf-behave-nat64-discovery-heuristic]). 122 o Associate a Pref64::/n with a given NAT64 when distinct prefixes 123 are configured for each NAT64 enabled in a network. 125 A more elaborated discussion can be found at 126 [I-D.ietf-behave-nat64-learn-analysis]. 128 3.2. Use Cases 130 This section provides some use cases to illustrate the problem space. 131 More details can be found at Section 4 of 132 [I-D.ietf-behave-nat64-learn-analysis]. 134 3.2.1. AAAA Synthesis by the DNS Stub-resolver 136 The extension defined in this document can be used for hosts with 137 DNS64 capability [RFC6147] added to the host's stub-resolver. 139 The stub resolver on the host will try to obtain (native) AAAA 140 records and if they are not found, the DNS64 function on the host 141 will query for A records and then synthesizes AAAA records. Using 142 the PREFIX64 PCP extension, the host's stub-resolver can learn the 143 prefix used for IPv6/IPv4 translation and synthesize AAAA records 144 accordingly. 146 Learning the Pref64::/n used to construct IPv4-converted IPv6 147 addresses allows the use of DNSSEC. 149 3.2.2. Application Referrals 151 As discussed in [I-D.carpenter-behave-referral-object], a frequently 152 occurring situation is that one entity A connected to a network needs 153 to inform another entity B how to reach either A itself or some 154 third-party entity C. This is known as address referral. 156 In the particular context of NAT64 [RFC6146], applications relying on 157 address referral will fail because an IPv6-only client won't be able 158 to make use of an IPv4 address received in a referral. A non- 159 exhaustive list of such applications is provided below: 161 o In SIP environments [RFC3261], the SDP part ([RFC4566]) of 162 exchanged SIP messages includes information required for 163 establishing RTP sessions (namely, IP address and port number). 164 When a NAT64 is involved in the path, an IPv6-only SIP User Agent 165 (UA) that receives an SDP offer/answer containing an IPv4 address, 166 cannot send media streams to the remote endpoint. 167 o An IPv6-only WebRTC (Web Real-Time Communication, 168 [I-D.ietf-rtcweb-overview]) agent cannot make use of an IPv4 169 address received in referrals to establish a successful session 170 with a remote IPv4-only WebRTC agent. 171 o BitTorrent is a distributed file sharing infrastructure that is 172 based on P2P techniques for exchanging files between connected 173 users. To download a given file, a BitTorrent client needs to 174 obtain the corresponding torrent file. Then, it connects to a 175 tracker to retrieve a list of leechers (clients that are currently 176 downloading the file but do not yet possess all portions of the 177 file) and seeders (clients that possess all portions of the file 178 and are uploading them to other requesting clients). The client 179 connects to those machines and downloads the available portions of 180 the requested file. In the presence of an address sharing 181 function (see Appendix A of [RFC6269]), some encountered issues 182 are solved if PCP is enabled (see [I-D.boucadair-pcp-bittorrent]). 183 Nevertheless, an IPv6-only client cannot connect to a remote 184 IPv4-only machine even if the base PCP protocol is used. 186 Learning the Pref64::/n solves the issues listed above. 188 4. PREFIX64 Option 190 4.1. Format 192 The format of the PREFIX64 option is depicted in Figure 1. This 193 option follows the guidelines specified in Section 7.3 of [RFC6887]. 195 0 1 2 3 196 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 197 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 198 | Option Code | Reserved | Option Length | 199 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 200 | Pref64 Length | | 201 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 202 : Pref64 (Variable) : 203 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 204 | | 205 : Suffix (Variable) : 206 | | 207 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 208 | (optional) | 209 : IPv4 Prefix List (Variable) : 210 | | 211 | | 212 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 214 Figure 1: Prefix64 PCP Option 216 The description of the fields is as follows: 218 o Option Code: To be assigned by IANA. 219 o Option Length: Indicates in octets the length of the enclosed 220 data. 221 o Pref64 Length: Indicates in octets the length of the Pref64::/n. 222 Allowed values are 4, 5, 6, 7, 8, or 12 [RFC6052]. 223 o Prefix64: This field identifies the IPv6 unicast prefix to be used 224 for constructing an IPv4-converted IPv6 address from an IPv4 225 address as specified in Section 2.2 of [RFC6052]. This prefix can 226 be the Well-Known Prefix (i.e., 64:ff9b::/96) or a Network- 227 Specific Prefix. The address synthesis MUST follow the guidelines 228 documented in [RFC6052]. 229 o Suffix: The length of this field is (12 - Pref64 Length) octets. 230 This field identifies the suffix to be used for constructing an 231 IPv4-converted IPv6 address from an IPv4 address as specified in 232 Section 2.2 of [RFC6052]. No suffix is included if a /96 Prefix64 233 is conveyed in the option. 235 o IPv4 Prefix List: This is an optional field. The format of the 236 IPv4 Prefix List field is shown in Figure 2. This field may be 237 included by a PCP server to solve the destination-dependent 238 Pref64::/n discovery problem discussed in Section 5.1 of 239 [I-D.ietf-behave-nat64-discovery-heuristic]. 241 * IPv4 Prefix Count: indicates the number of IPv4 prefixes 242 included in the option. "IPv4 Prefix Count" field MUST be set 243 to 0 in a request and MUST be set to the number of included 244 IPv4 subnets in a response. 245 * An IPv4 prefix is represented as "IPv4 Address/IPv4 Prefix 246 Length" [RFC4632]. For example, to encode 192.0.2.0/24, "IPv4 247 Prefix Length" field is set to 24 and "IPv4 Address" field is 248 set to 192.0.2.0. If a Pref64::/n is configured for all IPv4 249 addresses, a wildcard IPv4 prefix (i.e., 0.0.0.0/0) may be 250 returned in the response together with the configured Pref64::/ 251 n. If no IPv4 Prefix List is returned in a PREFIX64 option, the 252 PCP client assumes the prefix is valid for any destination IPv4 253 address. Valid IPv4 prefixes are listed in Section 3.1 of 254 [RFC4632]. 256 0 1 2 3 257 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 259 | IPv4 Prefix Count | IPv4 Prefix Length | 260 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 261 | IPv4 Address (32 bits) | 262 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 263 .... 264 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 265 | IPv4 Prefix Length | IPv4 Address (32 bits)... | 266 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 267 | ... IPv4 Address (continued) | 268 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 270 Figure 2: Format of IPv4 Prefix List field 272 Option Name: PREFIX64 273 Number: 274 Purpose: Learn the prefix used by the NAT64 to build 275 IPv4-converted IPv6 addresses. This is used by a host 276 is for local address synthesis (e.g., when an IPv4 address 277 is present in referrals). 278 Valid for Opcodes: MAP, ANNOUNCE 279 Length: Variable 280 May appear in: request, response. 282 Maximum occurrences: 1 for a request. As many as fit within 283 the maximum PCP message size for a response. 285 4.2. Behavior 287 The PCP client includes a PREFIX64 option in a MAP or ANNOUNCE 288 request to learn the IPv6 prefix and suffix used by an upstream PCP- 289 controlled NAT64 device. When enclosed in a PCP request, the 290 Prefix64 MUST be set to ::/96. The PREFIX64 option can be inserted 291 in a MAP request used to learn the external IP address as detailed in 292 Section 11.6 of [RFC6887]. 294 The PCP server controlling a NAT64 SHOULD be configured to return to 295 requesting PCP clients the value of the Pref64::/n and suffix used to 296 build IPv4-converted IPv6 addresses. When enabled, the PREFIX64 297 option conveys the value of Pref64::/n and configured suffix. If no 298 suffix is explicitly configured to the PCP server, the null suffix is 299 used as the default value (see Section 2.2 of [RFC6052]). 301 If the PCP server is configured to honor the PREFIX64 option but no 302 Pref64::/n is explicitly configured, the PCP server MUST NOT include 303 any PREFIX64 option in its PCP messages. 305 The PCP server controlling a NAT64 MAY be configured to include a 306 PREFIX64 option in all MAP responses even if the PREFIX64 option is 307 not listed in the associated request. The PCP server controlling a 308 NAT64 MAY be configured to include a PREFIX64 option in its ANNOUNCE 309 messages. 311 The PCP server MAY be configured with a list of destination IPv4 312 prefixes associated with each Pref64::/n. This list is then included 313 by the PCP server in a PREFIX64 option sent to PCP clients. 315 If the PCP client receives a PREFIX64 option that includes an invalid 316 IPv4 prefix, the PCP client ignores that IPv4 prefix. Any other 317 valid IPv4 prefix, IPv6 prefix and suffix are not ignored by the PCP 318 client. 320 When multiple prefixes are configured in a network, the PCP server 321 MAY be configured to return multiple PREFIX64 options in the same 322 message to the PCP client. The client then does the following: 324 o If no destination IPv4 prefix list is configured, the PCP server 325 includes in the first PREFIX64 option, which appears in the PCP 326 message it sends to the PCP client, the prefix and suffix to 327 perform local IPv6 address synthesis [RFC6052]. Additional 328 PREFIX64 options convey any other Pref64::/n values configured. 330 Returning these prefixes allows an end host to identify them as 331 translated addresses, and instead prefer IPv4 or an alternative 332 network interface in order to avoid any NAT64 deployed in the 333 network. The PCP server is required to disambiguate prefixes used 334 for IPv6 address synthesis and other prefixes used to avoid any 335 NAT64 deployed in the network. The PCP server can be configured 336 with a customized IPv6 prefix list (i.e., specific to a PCP client 337 or a group of PCP clients) or system-wide IPv6 prefix list (i.e., 338 the same list is returned for any PCP client). 339 o If IPv4 prefix lists are configured, the PCP server includes in 340 the first PREFIX64 options the Pref64::/n and suffix that are 341 associated with an IPv4 prefix list. Additional PREFIX64 options 342 convey any other Pref64::/n values configured. 344 Upon receipt of the message from the PCP server, the PCP client 345 replaces any old prefix(es)/suffix(es) received from the same PCP 346 server with the new one(s) included in the PREFIX64 option(s). If no 347 PREFIX64 option includes a destination IPv4 prefix list, the host 348 embedding the PCP client uses the prefix/suffix included in the first 349 PREFIX64 option for local address synthesis. Other prefixes learned 350 can be used by the host to avoid any NAT64 deployed in the network. 351 If one or multiple received PREFIX64 options contain a destination 352 IPv4 prefix list, the PCP client MUST associate the included IPv4 353 prefixes with the Pref64::/n and the suffix indicated in the same 354 PREFIX64 option. In such case, the host embedding the PCP client 355 MUST enforce a destination-based prefix Pref64::/n selection for 356 local address synthesis purposes. How the content of the PREFIX64 357 option(s) is passed to the OS is implementation-specific. 359 The PCP client MUST be prepared to receive multiple prefix(es) (e.g., 360 if several PCP servers are deployed and each of them is configured 361 with a distinct Pref64::/n). The PCP client MUST associate each 362 received Pref64::/n and suffix with the PCP server from which the 363 Pref64::/n and suffix information was retrieved. If the PCP client 364 fails to contact a given PCP server, the PCP client SHOULD clear the 365 prefix(es) and suffix(es) it learned from that PCP server. 367 If a distinct Pref64::/n or suffix is configured to the PCP- 368 controlled NAT64 device, the PCP server SHOULD issue an unsolicited 369 PCP ANNOUNCE message to inform the PCP client about the new Pref64::/ 370 n and/or suffix. Upon receipt of this message, the PCP client 371 replaces the old prefix/suffix received from the same PCP server with 372 the new Pref64::/n and suffix included in the PREFIX64 option. 374 5. Flow Examples 376 This section provides a non-normative description of use cases 377 relying on the PREFIX64 option. 379 5.1. TCP Session Initiated from an IPv6-only Host 381 The usage shown in Figure 3 depicts a typical usage of the PREFIX64 382 option when a DNS64 capability is embedded in the host. 384 In the example shown in Figure 3, once the IPv6-only client discovers 385 the IPv4 address of the remote IPv4-only server, it retrieves the 386 Pref64::/n (i.e., 2001:db8:122:300::/56) to be used to build an 387 IPv4-converted IPv6 address for that server. This retrieval is 388 achieved using the PREFIX64 option (Steps (a) and (b)). The client 389 then 2001:db8:122:300::/56 to construct an IPv6 address and then 390 initiates a TCP connection (Steps (1) to (4)). 392 +---------+ +-----+ +---------+ 393 |IPv6-only| |NAT64| |IPv4-only| 394 | Client | | | | Server | 395 +---------+ +-----+ +---------+ 396 | | | 397 | (a) PCP MAP Request | | 398 | PREFIX64 | | 399 |======================>| | 400 | (b) PCP MAP Response | | 401 | PREFIX64 = | | 402 | 2001:db8:122:300::/56 | | 403 |<======================| | 404 | (1) TCP SYN | (2) TCP SYN | 405 |======================>|====================>| 406 | (4) TCP SYN/ACK | (3) TCP SYN/ACK | 407 |<======================|<====================| 408 | (5) TCP ACK | (6) TCP ACK | 409 |======================>|====================>| 410 | | | 412 Figure 3: Example of a TCP session initiated from an IPv6-only host 414 5.2. SIP Flow Example 416 Figure 4 shows an example of the use of the option defined in 417 Section 4 in a SIP context. In order for RTP/RTCP flows to be 418 exchanged between an IPv6-only SIP UA and an IPv4-only UA without 419 requiring any ALG (Application Level Gateway) at the NAT64 nor any 420 particular function at the IPv4-only SIP Proxy Server (e.g., Hosted 421 NAT traversal [I-D.ietf-mmusic-latching]), the PORT_SET option 422 [I-D.ietf-pcp-port-set] is used in addition to the PREFIX64 option. 424 In steps (a) and (b), the IPv6-only SIP UA retrieves a pair of ports 425 to be used for RTP/RTCP sessions, the external IPv4 address and the 426 Pref64::/n to build IPv4-embedded IPv6 addresses. This is achieved 427 by issuing a MAP request that includes a PREFIX64 option and a 428 PORT_SET option. A pair of ports (i.e., port_X/port_X+1) and an 429 external IPv4 address are then returned by the PCP server to the 430 requesting PCP client together with a Pref64::/n (i.e., 431 2001:db8:122::/48). 433 The returned external IPv4 address and external port numbers are used 434 by the IPv6-only SIP UA to build its SDP offer which contains 435 exclusively IPv4 addresses (especially in the "c=" line, the port 436 indicated for media port is the external port assigned by the PCP 437 server). The INVITE request including the SDP offer is then 438 forwarded by the NAT64 to the Proxy Server which will relay it to the 439 called party (i.e., the IPv4-only SIP UA) (Steps (1) to (3)). 441 The remote IPv4-only SIP UA accepts the offer and sends back its SDP 442 answer in a "200 OK" message which is relayed by the SIP Proxy Server 443 and NAT64 until being delivered to the IPv6-only SIP UA (Steps (4) to 444 (6)). 446 The Pref64::/n (2001:db8:122::/48) is used by the IPv6-only SIP UA to 447 construct a corresponding IPv6 address of the IPv4 address enclosed 448 in the SDP answer made by the IPv4-only SIP UA (Step 6). 450 The IPv6-only SIP UA and IPv4-only SIP UA are then able to exchange 451 RTP/RTCP flows without requiring any ALG at the NAT64 nor any special 452 function at the IPv4-only SIP Proxy Server. 454 +---------+ +-----+ +------------+ +---------+ 455 |IPv6-only| |NAT64| | IPv4 SIP | |IPv4-only| 456 | SIP UA | | | |Proxy Server| | SIP UA | 457 +---------+ +-----+ +------------+ +---------+ 458 | (a) PCP MAP Request | | | 459 | PORT_SET | | | 460 | PREFIX64 | | | 461 |======================>| | | 462 | (b) PCP MAP Response | | | 463 | PORT_SET | | | 464 | PREFIX64: | | | 465 | 2001:db8:122::/48 | | | 466 |<======================| | | 467 | (1) SIP INVITE | (2) SIP INVITE | (3) SIP INVITE | 468 |======================>|===============>|================>| 469 | (6) SIP 200 OK | (5) SIP 200 OK | (4) SIP 200 OK | 470 |<======================|<===============|<================| 471 | (7) SIP ACK | (8) SIP ACK | (9) SIP ACK | 472 |======================>|===============>|================>| 473 | | | | 474 |src port: dst port:|src port: dst port:| 475 |port_A port_B|port_X port_B| 476 |<======IPv6 RTP=======>|<============IPv4 RTP============>| 477 |<===== IPv6 RTCP======>|<============IPv4 RTCP===========>| 478 |src port: dst port:|src port: dst port:| 479 |port_A+1 port_B+1|port_X+1 port_B+1| 480 | | | 482 Figure 4: Example of IPv6 to IPv4 SIP initiated Session 484 When the session is initiated from the IPv4-only SIP UA (see Figure 485 5), the IPv6-only SIP UA retrieves a pair of ports to be used for the 486 RTP /RTCP session, the external IPv4 address and the Pref64::/n to 487 build IPv4-converted IPv6 addresses (Steps (a) and (b)). These two 488 steps could instead be delayed until the INVITE message is received 489 (Step 3). 491 The retrieved IPv4 address and port numbers are used to build the SDP 492 answer in Step (4) while the Pref64::/n is used to construct a IPv6 493 address corresponding to the IPv4 address enclosed in the SDP offer 494 made by the IPv4-only SIP UA (Step 3). RTP/RTCP flows are then 495 exchanged between the IPv6-only SIP UA and the IPv4-only UA without 496 requiring any ALG at the NAT64 nor any special function at the 497 IPv4-only SIP Proxy Server. 499 +---------+ +-----+ +------------+ +---------+ 500 |IPv6-only| |NAT64| | IPv4 SIP | |IPv4-only| 501 | SIP UA | | | |Proxy Server| | SIP UA | 502 +---------+ +-----+ +------------+ +---------+ 503 | (a) PCP MAP Request | | | 504 | PORT_SET | | | 505 | PREFIX64 | | | 506 |======================>| | | 507 | (b) PCP MAP Response | | | 508 | PORT_SET | | | 509 | PREFIX64: | | | 510 | 2001:db8:122::/48 | | | 511 |<======================| | | 512 | (3) SIP INVITE | (2) SIP INVITE | (1) SIP INVITE | 513 |<======================|<===============|<================| 514 | (4) SIP 200 OK | (5) SIP 200 OK | (6) SIP 200 OK | 515 |======================>|===============>|================>| 516 | (9) SIP ACK | (8) SIP ACK | (7) SIP ACK | 517 |<======================|<===============|<================| 518 | | | | 519 |src port: dst port:|src port: dst port:| 520 |port_a port_b|port_Y port_b| 521 |<======IPv6 RTP=======>|<============IPv4 RTP============>| 522 |<===== IPv6 RTCP======>|<============IPv4 RTCP===========>| 523 |src port: dst port:|src port: dst port:| 524 |port_a+1 port_b+1|port_Y+1 port_b+1| 525 | | | 527 Figure 5: Example of IPv4 to IPv6 SIP initiated Session 529 6. IANA Considerations 531 The following PCP Option Code is to be allocated in the optional-to- 532 process range (the registry is maintained in http://www.iana.org/ 533 assignments/pcp-parameters/pcp-parameters.xml#option-rules): 535 PREFIX64 537 7. Security Considerations 539 PCP-related security considerations are discussed in [RFC6887]. 541 As discussed in [RFC6147], if an attacker can manage to change the 542 Pref64::/n used by the DNS64 function, the traffic generated by the 543 host that receives the synthetic reply will be delivered to the 544 altered Pref64. This can result in either a denial-of-service (DoS) 545 attack, a flooding attack, or an eavesdropping attack. This attack 546 could be achieved either by altering PCP messages issued by a 547 legitimate PCP server or by using a fake PCP server. 549 Means to defend against attackers who can modify packets between the 550 PCP server and the PCP client, or who can inject spoofed packets that 551 appear to come from a legitimate PCP server SHOULD be enabled. For 552 example, access control lists (ACLs) can be installed on the PCP 553 client, PCP server, and the network between them, so those ACLs allow 554 only communications from a trusted PCP server to the PCP client. 556 PCP server discovery is out of scope of this document. It is the 557 responsibility of PCP server discovery document(s) to elaborate on 558 the security considerations to discover a legitimate PCP server. 560 Learning a Pref64::/n via PCP allows using DNSSEC in the presence of 561 NAT64. As such, NAT64 with DNSSEC and PCP is better than no DNSSEC 562 at all, but it is less safe than DNSSEC without DNS64/NAT64 and PCP. 563 The best mitigation action against Pref64::/n discovery attacks is 564 thus to add IPv6 support in all endpoints and hence reduce the need 565 to perform IPv6 address synthesis. 567 8. Acknowledgements 568 Many thanks to S. Perreault , R. Tirumaleswar, T. Tsou, D. Wing, J. 569 Zhao, R. Penno, I. van Beijnum, T. Savolainen, S. Savikumar, and D. 570 Thaler for the comments and suggestions. 572 9. References 574 9.1. Normative References 576 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 577 Requirement Levels", BCP 14, RFC 2119, March 1997. 579 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 580 (CIDR): The Internet Address Assignment and Aggregation 581 Plan", BCP 122, RFC 4632, August 2006. 583 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 584 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, 585 October 2010. 587 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 588 NAT64: Network Address and Protocol Translation from IPv6 589 Clients to IPv4 Servers", RFC 6146, April 2011. 591 [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van 592 Beijnum, "DNS64: DNS Extensions for Network Address 593 Translation from IPv6 Clients to IPv4 Servers", RFC 6147, 594 April 2011. 596 [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. 597 Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 598 2013. 600 9.2. Informative References 602 [I-D.boucadair-pcp-bittorrent] 603 Boucadair, M., Zheng, T., Deng, X., and J. Queiroz, 604 "Behavior of BitTorrent service in PCP-enabled networks 605 with Address Sharing", draft-boucadair-pcp-bittorrent-00 606 (work in progress), May 2012. 608 [I-D.boucadair-pcp-nat64-experiments] 609 Abdesselam, M., Boucadair, M., Hasnaoui, A., and J. 610 Queiroz, "PCP NAT64 Experiments", draft-boucadair-pcp- 611 nat64-experiments-00 (work in progress), September 2012. 613 [I-D.carpenter-behave-referral-object] 614 Carpenter, B., Boucadair, M., Halpern, J., Jiang, S., and 615 K. Moore, "A Generic Referral Object for Internet 616 Entities", draft-carpenter-behave-referral-object-01 (work 617 in progress), October 2009. 619 [I-D.ietf-behave-nat64-discovery-heuristic] 620 Savolainen, T., Korhonen, J., and D. Wing, "Discovery of 621 the IPv6 Prefix Used for IPv6 Address Synthesis", draft- 622 ietf-behave-nat64-discovery-heuristic-17 (work in 623 progress), April 2013. 625 [I-D.ietf-behave-nat64-learn-analysis] 626 Korhonen, J. and T. Savolainen, "Analysis of solution 627 proposals for hosts to learn NAT64 prefix", draft-ietf- 628 behave-nat64-learn-analysis-03 (work in progress), March 629 2012. 631 [I-D.ietf-mmusic-latching] 632 Ivov, E., Kaplan, H., and D. Wing, "Latching: Hosted NAT 633 Traversal (HNT) for Media in Real-Time Communication", 634 draft-ietf-mmusic-latching-03 (work in progress), July 635 2013. 637 [I-D.ietf-pcp-port-set] 638 Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., 639 and S. Perreault, "Port Control Protocol (PCP) Extension 640 for Port Set Allocation", draft-ietf-pcp-port-set-02 (work 641 in progress), July 2013. 643 [I-D.ietf-rtcweb-overview] 644 Alvestrand, H., "Overview: Real Time Protocols for Brower- 645 based Applications", draft-ietf-rtcweb-overview-06 (work 646 in progress), February 2013. 648 [I-D.zhang-behave-nat64-load-balancing] 649 Zhang, D., Xu, X., and M. Boucadair, "Considerations on 650 NAT64 Load-Balancing", draft-zhang-behave-nat64-load- 651 balancing-03 (work in progress), July 2011. 653 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 654 A., Peterson, J., Sparks, R., Handley, M., and E. 655 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 656 June 2002. 658 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 659 Rose, "DNS Security Introduction and Requirements", RFC 660 4033, March 2005. 662 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. 663 Rose, "Resource Records for the DNS Security Extensions", 664 RFC 4034, March 2005. 666 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. 667 Rose, "Protocol Modifications for the DNS Security 668 Extensions", RFC 4035, March 2005. 670 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 671 Description Protocol", RFC 4566, July 2006. 673 [RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P., and P. 674 Roberts, "Issues with IP Address Sharing", RFC 6269, June 675 2011. 677 Author's Address 679 Mohamed Boucadair 680 France Telecom 681 Rennes 35000 682 France 684 Email: mohamed.boucadair@orange.com