idnits 2.17.1 draft-ietf-softwire-map-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 6 instances of too long lines in the document, the longest one being 7 characters in excess of 72. == There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 29, 2013) is 3984 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'I-D.ietf-softwire-stateless-4v6-motivation' is defined on line 939, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-tsvwg-iana-ports' is defined on line 946, but no explicit reference was found in the text == Unused Reference: 'RFC6052' is defined on line 1014, but no explicit reference was found in the text == Outdated reference: A later version (-12) exists of draft-ietf-softwire-map-dhcp-01 -- Obsolete informational reference (is this intentional?): RFC 1933 (Obsoleted by RFC 2893) -- Obsolete informational reference (is this intentional?): RFC 3633 (Obsoleted by RFC 8415) Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group O. Troan, Ed. 3 Internet-Draft W. Dec 4 Intended status: Standards Track Cisco Systems 5 Expires: November 30, 2013 X. Li 6 C. Bao 7 CERNET Center/Tsinghua University 8 S. Matsushima 9 SoftBank Telecom 10 T. Murakami 11 IP Infusion 12 T. Taylor, Ed. 13 Huawei Technologies 14 May 29, 2013 16 Mapping of Address and Port with Encapsulation (MAP) 17 draft-ietf-softwire-map-07 19 Abstract 21 This document describes a mechanism for transporting IPv4 packets 22 across an IPv6 network using IP encapsulation, and a generic 23 mechanism for mapping between IPv6 addresses and IPv4 addresses and 24 transport layer ports. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on November 30, 2013. 43 Copyright Notice 45 Copyright (c) 2013 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 61 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 62 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 63 4. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 5 64 5. Mapping Algorithm . . . . . . . . . . . . . . . . . . . . . . 7 65 5.1. Port mapping algorithm . . . . . . . . . . . . . . . . . . 8 66 5.2. Basic mapping rule (BMR) . . . . . . . . . . . . . . . . . 9 67 5.3. Forwarding mapping rule (FMR) . . . . . . . . . . . . . . 12 68 5.4. Destinations outside the MAP domain . . . . . . . . . . . 12 69 6. The IPv6 Interface Identifier . . . . . . . . . . . . . . . . 13 70 7. MAP Configuration . . . . . . . . . . . . . . . . . . . . . . 13 71 7.1. MAP CE . . . . . . . . . . . . . . . . . . . . . . . . . . 14 72 7.2. MAP BR . . . . . . . . . . . . . . . . . . . . . . . . . . 14 73 7.3. Backwards compatibility . . . . . . . . . . . . . . . . . 15 74 8. Forwarding Considerations . . . . . . . . . . . . . . . . . . 15 75 8.1. Receiving Rules . . . . . . . . . . . . . . . . . . . . . 15 76 8.2. ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 77 8.3. Fragmentation and Path MTU Discovery . . . . . . . . . . . 16 78 8.3.1. Fragmentation in the MAP domain . . . . . . . . . . . 16 79 8.3.2. Receiving IPv4 Fragments on the MAP domain borders . . 17 80 8.3.3. Sending IPv4 fragments to the outside . . . . . . . . 17 81 9. NAT44 Considerations . . . . . . . . . . . . . . . . . . . . . 18 82 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 83 11. Security Considerations . . . . . . . . . . . . . . . . . . . 18 84 12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 19 85 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19 86 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 87 14.1. Normative References . . . . . . . . . . . . . . . . . . 20 88 14.2. Informative References . . . . . . . . . . . . . . . . . 20 89 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 22 90 Appendix B. A More Detailed Description of the Derivation of the 91 Port Mapping Algorithm . . . . . . . . . . . . . . . 26 92 B.1. Bit Representation of the Algorithm . . . . . . . . . . . 28 93 B.2. GMA examples . . . . . . . . . . . . . . . . . . . . . . . 28 94 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 96 1. Introduction 97 Mapping of IPv4 addresses in IPv6 addresses has been described in 98 numerous mechanisms dating back to 1996 [RFC1933]. The Automatic 99 tunneling mechanism described in RFC1933, assigned a globally unique 100 IPv6 address to a host by combining the host's IPv4 address with a 101 well-known IPv6 prefix. Given an IPv6 packet with a destination 102 address with an embedded IPv4 address, a node could automatically 103 tunnel this packet by extracting the IPv4 tunnel end-point address 104 from the IPv6 destination address. 106 There are numerous variations of this idea, described in 6over4 107 [RFC2529], 6to4 [RFC3056], ISATAP [RFC5214], and 6rd [RFC5969]. 109 The commonalities of all these IPv6 over IPv4 mechanisms are: 111 o Automatically provisions an IPv6 address for a host or an IPv6 112 prefix for a site 114 o Algorithmic or implicit address resolution of tunnel end point 115 addresses. Given an IPv6 destination address, an IPv4 tunnel 116 endpoint address can be calculated. 118 o Embedding of an IPv4 address or part thereof into an IPv6 address. 120 In phases of IPv4 to IPv6 migration, IPv6 only networks will be 121 common, while there will still be a need for residual IPv4 122 deployment. This document describes a generic mapping of IPv4 to 123 IPv6, and a mechanism for encapsulating IPv4 over IPv6. 125 Just as the IPv6 over IPv4 mechanisms referred to above, the residual 126 IPv4 over IPv6 mechanism must be capable of: 128 o Provisioning an IPv4 prefix, an IPv4 address or a shared IPv4 129 address. 131 o Algorithmically map between an IPv4 prefix, IPv4 address or a 132 shared IPv4 address and an IPv6 address. 134 The mapping scheme described here supports encapsulation of IPv4 135 packets in IPv6 in both mesh and hub and spoke topologies, including 136 address mappings with full independence between IPv6 and IPv4 137 addresses. 139 This document describes delivery of IPv4 unicast service across an 140 IPv6 infrastructure. IPv4 multicast is not considered further in 141 this document. 143 The A+P (Address and Port) architecture of sharing an IPv4 address by 144 distributing the port space is described in [RFC6346]. Specifically 145 section 4 of [RFC6346] covers stateless mapping. The corresponding 146 stateful solution DS-lite is described in [RFC6333]. The motivation 147 for the work is described in [I-D.ietf-softwire-stateless- 148 4v6-motivation]. 150 A companion document defines a DHCPv6 option for provisioning of MAP 151 [I-D.ietf-softwire-map-dhcp]. Other means of provisioning is 152 possible. Deployment considerations are described in [I-D.mdt- 153 softwire-map-deployment]. 155 MAP relies on IPv6 and is designed to deliver production-quality 156 dual-stack service while allowing IPv4 to be phased out within the SP 157 network. The phasing out of IPv4 within the SP network is 158 independent of whether the end user disables IPv4 service or not. 159 Further, "Greenfield"; IPv6-only networks may use MAP in order to 160 deliver IPv4 to sites via the IPv6 network. 162 2. Conventions 164 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 165 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 166 document are to be interpreted as described in RFC 2119 [RFC2119]. 168 3. Terminology 170 MAP domain: One or more MAP CEs and BRs connected to the 171 same virtual link. A service provider may 172 deploy a single MAP domain, or may utilize 173 multiple MAP domains. 175 MAP Rule A set of parameters describing the mapping 176 between an IPv4 prefix, IPv4 address or 177 shared IPv4 address and an IPv6 prefix or 178 address. Each domain uses a different 179 mapping rule set. 181 MAP node A device that implements MAP. 183 MAP Border Relay (BR): A MAP enabled router managed by the service 184 provider at the edge of a MAP domain. A 185 Border Relay router has at least an 186 IPv6-enabled interface and an IPv4 interface 187 connected to the native IPv4 network. A MAP 188 BR may also be referred to simply as a "BR" 189 within the context of MAP. 191 MAP Customer Edge (CE): A device functioning as a Customer Edge 192 router in a MAP deployment. A typical MAP CE 193 adopting MAP rules will serve a residential 194 site with one WAN side interface, and one or 195 more LAN side interfaces. A MAP CE may also 196 be referred to simply as a "CE" within the 197 context of MAP. 199 Port-set: The separate part of the transport layer port 200 space; denoted as a port-set. 202 Port-set ID (PSID): Algorithmically identifies a set of ports 203 exclusively assigned to a CE. 205 Shared IPv4 address: An IPv4 address that is shared among multiple 206 CEs. Only ports that belong to the assigned 207 port-set can be used for communication. Also 208 known as a Port-Restricted IPv4 address. 210 End-user IPv6 prefix: The IPv6 prefix assigned to an End-user CE by 211 other means than MAP itself. E.g. 212 Provisioned using DHCPv6 PD [RFC3633], 213 assigned via SLAAC [RFC4862], or configured 214 manually. It is unique for each CE. 216 MAP IPv6 address: The IPv6 address used to reach the MAP 217 function of a CE from other CEs and from BRs. 219 Rule IPv6 prefix: An IPv6 prefix assigned by a Service Provider 220 for a mapping rule. 222 Rule IPv4 prefix: An IPv4 prefix assigned by a Service Provider 223 for a mapping rule. 225 Embedded Address (EA) bits: The IPv4 EA-bits in the IPv6 address 226 identify an IPv4 prefix/address (or part 227 thereof) or a shared IPv4 address (or part 228 thereof) and a port-set identifier. 230 4. Architecture 232 In accordance with the requirements stated above, the MAP mechanism 233 can operate with shared IPv4 addresses, full IPv4 addresses or IPv4 234 prefixes. Operation with shared IPv4 addresses is described here, 235 and the differences for full IPv4 addresses and prefixes are 236 described below. 238 The MAP mechanism uses existing standard building blocks. The 239 existing NAPT on the CE is used with additional support for 240 restricting transport protocol ports, ICMP identifiers and fragment 241 identifiers to the configured port set. For packets outbound from 242 the private IPv4 network, the CE NAPT MUST translate transport 243 identifiers (e.g. TCP and UDP port numbers) so that they fall within 244 the CE's assigned port-range. 246 The NAPT MUST in turn be connected to a MAP aware forwarding 247 function, that does encapsulation/ decapsulation of IPv4 packets in 248 IPv6. MAP supports the encapsulation mode specified in [RFC2473]. 249 In addition MAP specifies an algorithm to do "address resolution" 250 from an IPv4 address and port to an IPv6 address. This algorithmic 251 mapping is specified in Section 5. 253 The MAP architecture described here, restricts the use of the shared 254 IPv4 address to only be used as the global address (outside) of the 255 NAPT [RFC2663] running on the CE. A shared IPv4 address MUST NOT be 256 used to identify an interface. While it is theoretically possible to 257 make host stacks and applications port-aware, that is considered too 258 drastic a change to the IP model [RFC6250]. 260 For full IPv4 addresses and IPv4 prefixes, the architecture just 261 described applies with two differences. First, a full IPv4 address 262 or IPv4 prefix can be used as it is today, e.g., for identifying an 263 interface or as a DHCP pool, respectively. Secondly, the NAPT is not 264 required to restrict the ports used on outgoing packets. 266 This architecture is illustrated in Figure 1. 268 User N 269 Private IPv4 270 | Network 271 | 272 O--+---------------O 273 | | MAP CE | 274 | +-----+--------+ | 275 | NAPT44| MAP | | 276 | +-----+ | | |\ ,-------. .------. 277 | +--------+ | \ ,-' `-. ,-' `-. 278 O------------------O / \ O---------O / Public \ 279 / IPv6 only \ | MAP | / IPv4 \ 280 ( Network --+ Border +- Network ) 281 \ (MAP Domain) / | Relay | \ / 282 O------------------O \ / O---------O \ / 283 | MAP CE | /". ,-' `-. ,-' 284 | +-----+--------+ | / `----+--' ------' 285 | NAPT44| MAP | |/ 286 | +-----+ | | 287 | | +--------+ | 288 O---.--------------O 289 | 290 User M 291 Private IPv4 292 Network 293 Figure 1: Network Topology 295 The MAP BR is responsible for connecting external IPv4 networks to 296 the IPv4 nodes in one or more MAP domains. 298 5. Mapping Algorithm 300 A MAP node is provisioned with one or more mapping rules. 302 Mapping rules are used differently depending on their function. 303 Every MAP node must be provisioned with a Basic mapping rule. This 304 is used by the node to configure its IPv4 address, IPv4 prefix or 305 shared IPv4 address. This same basic rule can also be used for 306 forwarding, where an IPv4 destination address and optionally a 307 destination port is mapped into an IPv6 address. Additional mapping 308 rules are specified to allow for multiple different IPv4 sub-nets to 309 exist within the domain and optimize forwarding between them. 311 Traffic outside of the domain (i.e. When the destination IPv4 312 address does not match (using longest matching prefix) any Rule IPv4 313 prefix in the Rules database) is forwarded to the BR. 315 There are two types of mapping rules: 317 1. Basic Mapping Rule (BMR) - mandatory. A CE can be provisioned 318 with multiple End-user IPv6 prefixes. There can only be one 319 Basic Mapping Rule per End-user IPv6 prefix. However all CE's 320 having End-user IPv6 prefixes within (aggregated by) the same 321 Rule IPv6 prefix may share the same Basic Mapping Rule. In 322 combination with the End-user IPv6 prefix, the Basic Mapping Rule 323 is used to derive the IPv4 prefix, address, or shared address and 324 the PSID assigned to the CE. 326 2. Forwarding Mapping Rule (FMR) - optional, used for forwarding. 327 The Basic Mapping Rule is also a Forwarding Mapping Rule. Each 328 Forwarding Mapping Rule will result in an entry in the Rules 329 table for the Rule IPv4 prefix. Given a destination IPv4 address 330 and port within the MAP domain, a MAP node can use the matching 331 FMR to derive the End-user IPv6 address of the interface through 332 which that IPv4 destination address and port combination can be 333 reached. 335 Both mapping rules share the same parameters: 337 o Rule IPv6 prefix (including prefix length) 339 o Rule IPv4 prefix (including prefix length) 341 o Rule EA-bits length (in bits) 343 A MAP node finds its Basic Mapping Rule by doing a longest match 344 between the End-user IPv6 prefix and the Rule IPv6 prefix in the 345 Mapping Rules table. The rule is then used for IPv4 prefix, address 346 or shared address assignment. 348 A MAP IPv6 address is formed from the BMR Rule IPv6 prefix. This 349 address MUST be assigned to an interface of the MAP node and is used 350 to terminate all MAP traffic being sent or received to the node. 352 Port-aware IPv4 entries in the Rules table are installed for all the 353 Forwarding Mapping Rules and an default route to the MAP BR (see 354 section Section 5.4. 356 Forwarding rules are used to allow direct communication between MAP 357 CEs, known as mesh mode. In hub and spoke mode, there are no 358 forwarding rules, all traffic MUST be forwarded directly to the BR. 360 5.1. Port mapping algorithm 362 The port mapping algorithm is used in domains whose rules allow IPv4 363 address sharing. 365 The simplest way to represent a port range is using a notation 366 similar to CIDR [RFC4632]. For example the first 256 ports are 367 represented as port prefix 0.0/8. The last 256 ports as 255.0/8. In 368 hexadecimal, 0x0000/8 (PSID = 0) and 0xFF00/8 (PSID = 0xFF). Using 369 this technique, but wishing to avoid allocating the system ports [I-D 370 .ietf-tsvwg-iana-ports] to the user, one would have to exclude the 371 use of one or more PSIDs (e.g., PSIDs 0 to 3 in the example just 372 given). 374 As will be seen shortly, the PSID forms a portion of the End-user 375 IPv6 prefix. To minimise dependencies between the End-user IPv6 376 prefix and the assigned port set, it is desirable to minimize the 377 restrictions on the possible PSID values. This is achieved by using 378 an infix representation of the port value. Using such a 379 representation, the well-known ports are excluded by restrictions on 380 the value of the first bit field (A) rather than the PSID. 382 The infix algorithm allocates ports to a given CE as a series of 383 contiguous ranges spaced at regular intervals throughout the complete 384 range of possible port set values. 386 0 1 387 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 388 +-----------+-----------+-------+ 389 Ports in | A | PSID | M | 390 the CE port set | > 0 | | | 391 +-----------+-----------+-------+ 392 | a bits | k bits |m bits | 394 Figure 2: Structure of a port-restricted port field 396 a-bits The number of offset bits. The default Offset bits (a) are 6, 397 this excludes the system ports (0-1023). 399 A Selects the range of the port number. For a > 0, A MUST be larger 400 than 0. This ensures that the algorithm excludes the system 401 ports. For this value of a, the system ports, but no others, are 402 excluded by requiring that A be greater than 0. For smaller 403 values of a, A still has to be greater than 0, but this excludes 404 ports above 1023. For larger values of a, the minimum value of A 405 has to be higher to exclude all the system ports. The interval 406 between successive contiguous ranges assigned to the same user is 407 2^a. 409 PSID The Port Set Identifier. Different Port-Set Identifiers (PSID) 410 guarantee non-overlapping port-sets. 412 k-bits The length in bits of the PSID field. The sharing ratio is 413 2^k. The number of ports assigned to the user is 2^(16-k) - 2^m 414 (excluded ports) 416 M Selects the specific port within the particular range specified by 417 the concatenation of A and the PSID. 419 m bits The size contiguous ports. The number of contiguous ports is 420 given by 2^m. 422 5.2. Basic mapping rule (BMR) 424 The Basic Mapping Rule is mandatory, used by the CE to provision 425 itself with an IPv4 prefix, IPv4 address or shared IPv4 address. 426 Recall from Section 5 that the BMR consists of the following 427 parameters: 429 o Rule IPv6 prefix (including prefix length) 431 o Rule IPv4 prefix (including prefix length) 433 o Rule EA-bits length (in bits) 435 Figure 3 shows the structure of the complete MAP IPv6 address as 436 specified in this document. 438 | n bits | o bits | s bits | 128-n-o-s bits | 439 +--------------------+-----------+---------+-----------------------+ 440 | Rule IPv6 prefix | EA bits |subnet ID| interface ID | 441 +--------------------+-----------+---------+-----------------------+ 442 |<--- End-user IPv6 prefix --->| 444 Figure 3: MAP IPv6 Address Format 446 The Rule IPv6 prefix is the part of the End-user IPv6 prefix that is 447 common among all CEs using the same Basic Mapping Rule within the MAP 448 domain. The EA bits encode the CE specific IPv4 address and port 449 information. The EA bits, which are unique for a given Rule IPv6 450 prefix, can contain a full or part of an IPv4 address and, in the 451 shared IPv4 address case, a Port-Set Identifier (PSID). An EA-bit 452 length of 0 signifies that all relevant MAP IPv4 addressing 453 information is passed directly in the BMR, and not derived from the 454 End-user IPv6 prefix. 456 The MAP IPv6 address is created by concatenating the End-user IPv6 457 prefix with the MAP subnet identifier (if the End-user IPv6 prefix is 458 shorter than 64 bits) and the interface identifier as specified in 459 Section 6. 461 The MAP subnet identifier is defined to be the first subnet (all bits 462 set to zero). 464 Define: 466 r = length of the IPv4 prefix given by the BMR; 468 o = length of the EA bit field as given by the BMR; 470 p = length of the IPv4 suffix contained in the EA bit field. 472 The length r MAY be zero, in which case the complete IPv4 address or 473 prefix is encoded in the EA bits. If only a part of the IPv4 address 474 /prefix is encoded in the EA bits, the Rule IPv4 prefix is 475 provisioned to the CE by other means (e.g. a DHCPv6 option). To 476 create a complete IPv4 address (or prefix), the IPv4 address suffix 477 (p) from the EA bits, is concatenated with the Rule IPv4 prefix (r 478 bits). 480 The offset of the EA bits field in the IPv6 address is equal to the 481 BMR Rule IPv6 prefix length. The length of the EA bits field (o) is 482 given by the BMR Rule EA-bits length, and can be between 0 and 48. A 483 length of 48 means that the complete IPv4 address and port is 484 embedded in the End-user IPv6 prefix (a single port is assigned). A 485 length of 0 means that no part of the IPv4 address or port is 486 embedded in the address. The sum of the Rule IPv6 Prefix length and 487 the Rule EA-bits length MUST be less or equal than the End-user IPv6 488 prefix length. 490 If o + r < 32 (length of the IPv4 address in bits), then an IPv4 491 prefix is assigned. This case is shown in Figure 4. 493 IPv4 prefix: 495 | r bits | p bits | 496 +-------------+---------------------+ 497 | Rule IPv4 | IPv4 Address suffix | 498 +-------------+---------------------+ 499 | < 32 bits | 501 Figure 4: IPv4 prefix 503 If o + r is equal to 32, then a full IPv4 address is to be assigned. 504 The address is created by concatenating the Rule IPv4 prefix and the 505 EA-bits. This case is shown in Figure 5. 507 Complete IPv4 address: 509 | r bits | p bits | 510 +-------------+---------------------+ 511 | Rule IPv4 | IPv4 Address suffix | 512 +-------------+---------------------+ 513 | 32 bits | 515 Figure 5: Complete IPv4 address 517 If o + r is > 32, then a shared IPv4 address is to be assigned. The 518 number of IPv4 address suffix bits (p) in the EA bits is given by 32 519 - r bits. The PSID bits are used to create a port-set. The length 520 of the PSID bit field within EA bits is: q = o - p. 522 Shared IPv4 address: 524 | r bits | p bits | | q bits | 525 +-------------+---------------------+ +------------+ 526 | Rule IPv4 | IPv4 Address suffix | |Port-Set ID | 527 +-------------+---------------------+ +------------+ 528 | 32 bits | 529 Figure 6: Shared IPv4 address 531 The length of r MAY be 32, with no part of the IPv4 address embedded 532 in the EA bits. This results in a mapping with no dependence between 533 the IPv4 address and the IPv6 address. In addition the length of o 534 MAY be zero (no EA bits embedded in the End-User IPv6 prefix), 535 meaning that also the PSID is provisioned using e.g. the DHCP 536 option. 538 See Appendix A for an example of the Basic Mapping Rule. 540 5.3. Forwarding mapping rule (FMR) 542 The Forwarding Mapping Rule is optional, and used in mesh mode to 543 enable direct CE to CE connectivity. 545 On adding an FMR rule, an IPv4 route is installed in the Rules table 546 for the Rule IPv4 prefix. 548 On forwarding an IPv4 packet, a best matching prefix look up is done 549 in the Rules table and the correct FMR is chosen. 551 | 32 bits | | 16 bits | 552 +--------------------------+ +-------------------+ 553 | IPv4 destination address | | IPv4 dest port | 554 +--------------------------+ +-------------------+ 555 : : ___/ : 556 | p bits | / q bits : 557 +----------+ +------------+ 558 |IPv4 sufx| |Port-Set ID | 559 +----------+ +------------+ 560 \ / ____/ ________/ 561 \ : __/ _____/ 562 \ : / / 563 | n bits | o bits | s bits | 128-n-o-s bits | 564 +--------------------+-----------+---------+------------+----------+ 565 | Rule IPv6 prefix | EA bits |subnet ID| interface ID | 566 +--------------------+-----------+---------+-----------------------+ 567 |<--- End-user IPv6 prefix --->| 569 Figure 7: Deriving of MAP IPv6 address 571 See Appendix A for an example of the Forwarding Mapping Rule. 573 5.4. Destinations outside the MAP domain 574 IPv4 traffic between MAP nodes that are all within one MAP domain is 575 encapsulated in IPv6, with the senders MAP IPv6 address as the IPv6 576 source address and the receiving MAP node's MAP IPv6 address as the 577 IPv6 destination address. To reach IPv4 destinations outside of the 578 MAP domain, traffic is also encapsulated in IPv6, but the destination 579 IPv6 address is set to the configured IPv6 address of the MAP BR. 581 On the CE, the path to the BR can be represented as a point to point 582 IPv4 over IPv6 tunnel [RFC2473] with the source address of the tunnel 583 being the CE's MAP IPv6 address and the BR IPv6 address as the remote 584 tunnel address. When MAP is enabled, a typical CE router will 585 install a default route to the BR. 587 The BR forwards traffic received from the outside to CE's using the 588 normal MAP forwarding rules. 590 6. The IPv6 Interface Identifier 592 The Interface identifier format of a MAP node is described below. 594 | 128-n-o-s bits | 595 | 16 bits| 32 bits | 16 bits| 596 +--------+----------------+--------+ 597 | 0 | IPv4 address | PSID | 598 +--------+----+-----------+--------+ 600 Figure 8 602 In the case of an IPv4 prefix, the IPv4 address field is right-padded 603 with zeroes up to 32 bits. The PSID field is left-padded to create a 604 16 bit field. For an IPv4 prefix or a complete IPv4 address, the 605 PSID field is zero. 607 If the End-user IPv6 prefix length is larger than 64, the most 608 significant parts of the interface identifier is overwritten by the 609 prefix. 611 7. MAP Configuration 613 For a given MAP domain, the BR and CE MUST be configured with the 614 following MAP elements. The configured values for these elements are 615 identical for all CEs and BRs within a given MAP domain. 617 o The Basic Mapping Rule and optionally the Forwarding Mapping 618 Rules, including the Rule IPv6 prefix, Rule IPv4 prefix, and 619 Length of EA bits 621 o Hub and spoke mode or Mesh mode. (If all traffic should be sent 622 to the BR, or if direct CE to CE traffic should be supported). 624 In addition the MAP CE MUST be configured with the IPv6 address(es) 625 of the MAP BR (Section 5.4). 627 7.1. MAP CE 629 The MAP elements are set to values that are the same across all CEs 630 within a MAP domain. The values may be configured in a variety of 631 manners, including provisioning methods such as the Broadband Forum's 632 "TR-69" Residential Gateway management interface, an XML-based object 633 retrieved after IPv6 connectivity is established, or manual 634 configuration by an administrator. This document focuses on how to 635 configure the necessary parameters via IPv6 DHCP. A CE that allows 636 IPv6 configuration by DHCP SHOULD implement this option. Other 637 configuration and management methods may use the format described by 638 this option for consistency and convenience of implementation on CEs 639 that support multiple configuration methods. 641 The only remaining provisioning information the CE requires in order 642 to calculate the MAP IPv4 address and enable IPv4 connectivity is the 643 IPv6 prefix for the CE. The End-user IPv6 prefix is configured as 644 part of obtaining IPv6 Internet access. 646 The MAP provisioning parameters, and hence the IPv4 service itself, 647 is tied to the End-user IPv6 prefix lease; thus, the MAP service is 648 also tied to this in terms of authorization, accounting, etc. The 649 MAP IPv4 address, prefix or shared IPv4 address and port set has the 650 same lifetime as its associated End-user IPv6 prefix. 652 A single MAP CE MAY be connected to more than one MAP domain, just as 653 any router may have more than one IPv4-enabled service provider 654 facing interface and more than one set of associated addresses 655 assigned by DHCP. Each domain a given CE operates within would 656 require its own set of MAP configuration elements and would generate 657 its own IPv4 address. 659 The MAP DHCP option is specified in [I-D.ietf-softwire-map-dhcp]. 661 7.2. MAP BR 663 The MAP BR MUST be configured with the same MAP elements as the MAP 664 CEs operating within the same domain. 666 For increased reliability and load balancing, the BR IPv6 address MAY 667 be an anycast address shared across a given MAP domain. As MAP is 668 stateless, any BR may be used at any time. If the BR IPv6 address is 669 anycast the relay MUST use this anycast IPv6 address as the source 670 address in packets relayed to CEs. 672 Since MAP uses provider address space, no specific routes need to be 673 advertised externally for MAP to operate, neither in IPv6 nor IPv4 674 BGP. However, if anycast is used for the MAP IPv6 relays, the 675 anycast addresses must be advertised in the service provider's IGP. 677 7.3. Backwards compatibility 679 A MAP-E CE provisioned with only the IPv6 address of the BR, and with 680 no IPv4 address and port range configured by other means, MUST 681 disable its NAT44 functionality. This characteristic makes a MAP CE 682 compatible with DS-Lite [RFC6333] AFTRs, whose addresses are 683 configured as the MAP BR. 685 8. Forwarding Considerations 687 Figure 1 depicts the overall MAP architecture with IPv4 users (N and 688 M) networks connected to a routed IPv6 network. 690 MAP supports Encapsulation mode as specified in [RFC2473]. 692 For a shared IPv4 address, a MAP CE forwarding IPv4 packets from the 693 LAN performs NAT44 functions first and creates appropriate NAT44 694 bindings. The resulting IPv4 packets MUST contain the source IPv4 695 address and source transport identifiers defined by MAP. The IPv4 696 packet is forwarded using the CE's MAP forwarding function. The IPv6 697 source and destination addresses MUST then be derived as per Section 698 5 of this draft. 700 8.1. Receiving Rules 702 A MAP CE receiving an IPv6 packet to its MAP IPv6 address sends this 703 packet to the CE's MAP function where it is decapsulated. All other 704 IPv6 traffic is forwarded as per the CE's IPv6 routing rules. The 705 resulting IPv4 packet is then forwarded to the CE's NAT44 function 706 where the destination port number MUST be checked against the 707 stateful port mapping session table and the destination port number 708 MUST be mapped to its original value. 710 A MAP BR receiving IPv6 packets selects a best matching MAP domain 711 rule based on a longest address match of the packets' source address 712 against the BR's configured MAP BMR prefix(es), as well as a match of 713 the packet destination address against the configured BR IPv6 address 714 or FMR prefix(es). The selected MAP rule allows the BR to determine 715 the EA-bits from the source IPv6 address. The BR MUST perform a 716 validation of the consistency of the source IPv6 address and source 717 port number for the packet using BMR. If the packets source port 718 number is found to be outside the range allowed for this CE and the 719 BMR, the BR MUST drop the packet and respond with an ICMPv6 720 "Destination Unreachable, Source address failed ingress/egress 721 policy" (Type 1, Code 5). 723 In order to prevent spoofing of IPv4 addresses, the MAP node MUST 724 validate the embedded IPv4 source address of the encapsulated IPv6 725 packet with the IPv4 source address it is encapsulated by according 726 to the parameters of the matching mapping rule. If the two source 727 addresses do not match, the packet MUST be dropped and a counter 728 incremented to indicate that a potential spoofing attack may be 729 underway. Additionally, a CE MUST allow forwarding of packets 730 sourced by the configured BR IPv6 address. 732 By default, the CE router MUST drop packets received on the MAP 733 virtual interface (i.e., after decapsulation of IPv6) for IPv4 734 destinations not for its own IPv4 shared address, full IPv4 address 735 or IPv4 prefix. 737 8.2. ICMP 739 ICMP message should be supported in MAP domain. Hence, the NAT44 in 740 MAP CE must implement the behavior for ICMP message conforming to the 741 best current practice documented in [RFC5508]. 743 If a MAP CE receives an ICMP message having ICMP identifier field in 744 ICMP header, NAT44 in the MAP CE must rewrite this field to a 745 specific value assigned from the port-set. BR and other CEs must 746 handle this field similar to the port number in the TCP/UDP header 747 upon receiving the ICMP message with ICMP identifier field. 749 If a MAP node receives an ICMP error message without the ICMP 750 identifier field for errors that is detected inside a IPv6 tunnel, a 751 node should relay the ICMP error message to the original source. 752 This behavior should be implemented conforming to the section 8 of 753 [RFC2473]. 755 8.3. Fragmentation and Path MTU Discovery 757 Due to the different sizes of the IPv4 and IPv6 header, handling the 758 maximum packet size is relevant for the operation of any system 759 connecting the two address families. There are three mechanisms to 760 handle this issue: Path MTU discovery (PMTUD), fragmentation, and 761 transport-layer negotiation such as the TCP Maximum Segment Size 762 (MSS) option [RFC0897]. MAP uses all three mechanisms to deal with 763 different cases. 765 8.3.1. Fragmentation in the MAP domain 767 Encapsulating an IPv4 packet to carry it across the MAP domain will 768 increase its size (40 bytes). It is strongly recommended that the 769 MTU in the MAP domain is well managed and that the IPv6 MTU on the CE 770 WAN side interface is set so that no fragmentation occurs within the 771 boundary of the MAP domain. 773 Fragmentation on MAP domain entry is described in section 7.2 of 774 [RFC2473] 776 The use of an anycast source address could lead to any ICMP error 777 message generated on the path being sent to a different BR. 778 Therefore, using dynamic tunnel MTU Section 6.7 of [RFC2473] is 779 subject to IPv6 Path MTU black-holes. A MAP BR SHOULD NOT by default 780 use Path MTU discovery across the MAP domain. 782 Multiple BRs using the same anycast source address could send 783 fragmented packets to the same CE at the same time. If the 784 fragmented packets from different BRs happen to use the same fragment 785 ID, incorrect reassembly might occur. See [RFC4459] for an analysis 786 of the problem. Section 3.4 suggests solving the problem by 787 fragmenting the inner packet. 789 8.3.2. Receiving IPv4 Fragments on the MAP domain borders 791 Forwarding of an IPv4 packet received from the outside of the MAP 792 domain requires the IPv4 destination address and the transport 793 protocol destination port. The transport protocol information is 794 only available in the first fragment received. As described in 795 section 5.3.3 of [RFC6346] a MAP node receiving an IPv4 fragmented 796 packet from outside has to reassemble the packet before sending the 797 packet onto the MAP link. If the first packet received contains the 798 transport protocol information, it is possible to optimize this 799 behavior by using a cache and forwarding the fragments unchanged. A 800 description of this algorithm is outside the scope of this document. 802 8.3.3. Sending IPv4 fragments to the outside 804 If two IPv4 host behind two different MAP CE's with the same IPv4 805 address sends fragments to an IPv4 destination host outside the 806 domain. Those hosts may use the same IPv4 fragmentation identifier, 807 resulting in incorrect reassembly of the fragments at the destination 808 host. Given that the IPv4 fragmentation identifier is a 16 bit 809 field, it could be used similarly to port ranges. A MAP CE SHOULD 810 rewrite the IPv4 fragmentation identifier to be within its allocated 811 port set. 813 9. NAT44 Considerations 815 The NAT44 implemented in the MAP CE SHOULD conform with the behavior 816 and best current practice documented in [RFC4787], [RFC5508], and 817 [RFC5382]. In MAP address sharing mode (determined by the MAP domain 818 /rule configuration parameters) the operation of the NAT44 MUST be 819 restricted to the available port numbers derived via the basic 820 mapping rule. 822 10. IANA Considerations 824 This specification does not require any IANA actions. 826 11. Security Considerations 828 Spoofing attacks: With consistency checks between IPv4 and IPv6 829 sources that are performed on IPv4/IPv6 packets received by MAP 830 nodes, MAP does not introduce any new opportunity for spoofing 831 attacks that would not already exist in IPv6. 833 Denial-of-service attacks: In MAP domains where IPv4 addresses are 834 shared, the fact that IPv4 datagram reassembly may be necessary 835 introduces an opportunity for DOS attacks. This is inherent to 836 address sharing, and is common with other address sharing 837 approaches such as DS-Lite and NAT64/DNS64. The best protection 838 against such attacks is to accelerate IPv6 deployment, so that, 839 where MAP is supported, it is less and less used. 841 Routing-loop attacks: This attack may exist in some automatic 842 tunneling scenarios are documented in [RFC6324]. They cannot 843 exist with MAP because each BRs checks that the IPv6 source 844 address of a received IPv6 packet is a CE address based on 845 Forwarding Mapping Rule. 847 Attacks facilitated by restricted port set: From hosts that 848 are not subject to ingress filtering of [RFC2827], some attacks 849 are possible by an attacker injecting spoofed packets during 850 ongoing transport connections ([RFC4953], [RFC5961], [RFC6056]. 851 The attacks depend on guessing which ports are currently used by 852 target hosts, and using an unrestricted port set is preferable, 853 i.e. Using native IPv6 connections that are not subject to MAP 854 port range restrictions. To minimize this type of attacks when 855 using a restricted port set, the MAP CE's NAT44 filtering behavior 856 SHOULD be "Address-Dependent Filtering". Furthermore, the MAP CEs 857 SHOULD use a DNS transport proxy function to handle DNS traffic, 858 and source such traffic from IPv6 interfaces not assigned to MAP. 859 Practicalities of these methods are discussed in Section 5.9 of 860 [I-D.dec-stateless-4v6]. 862 [RFC6269] outlines general issues with IPv4 address sharing. 864 12. Contributors 866 This document is the result of the IETF Softwire MAP design team 867 effort and numerous previous individual contributions in this area: 869 Chongfeng Xie (China Telecom) 870 Room 708, No.118, Xizhimennei Street Beijing 100035 CN 871 Phone: +86-10-58552116 872 Email: xiechf@ctbri.com.cn 874 Qiong Sun (China Telecom) 875 Room 708, No.118, Xizhimennei Street Beijing 100035 CN 876 Phone: +86-10-58552936 877 Email: sunqiong@ctbri.com.cn 879 Gang Chen (China Mobile) 880 53A,Xibianmennei Ave. Beijing 100053 P.R.China 881 Email: chengang@chinamobile.com 883 Yu Zhai 884 CERNET Center/Tsinghua University 885 Room 225, Main Building, Tsinghua University 886 Beijing 100084 887 CN 888 Email: jacky.zhai@gmail.com 890 Wentao Shang (CERNET Center/Tsinghua University) 891 Room 225, Main Building, Tsinghua University Beijing 100084 892 CN 893 Email: wentaoshang@gmail.com 895 Guoliang Han (CERNET Center/Tsinghua University) 896 Room 225, Main Building, Tsinghua University Beijing 100084 897 CN 898 Email: bupthgl@gmail.com 900 Rajiv Asati (Cisco Systems) 901 7025-6 Kit Creek Road Research Triangle Park NC 27709 USA 902 Email: rajiva@cisco.com 904 13. Acknowledgements 906 This document is based on the ideas of many, including Masakazu 907 Asama, Mohamed Boucadair, Gang Chen, Maoke Chen, Wojciech Dec, 908 Xiaohong Deng, Jouni Korhonen, Tomasz Mrugalski, Jacni Qin, Chunfa 909 Sun, Qiong Sun, and Leaf Yeh. The authors want in particular to 910 recognize Remi Despres, who has tirelessly worked on generalized 911 mechanisms for stateless address mapping. 913 The authors would like to thank Guillaume Gottard, Dan Wing, Jan 914 Zorz, Necj Scoberne, Tina Tsou, Kristian Poscic, and especially Tom 915 Taylor for the thorough review and comments of this document. 917 14. References 919 14.1. Normative References 921 [I-D.ietf-softwire-map-dhcp] 922 Mrugalski, T., Troan, O., Bao, C., Dec, W., and L. Yeh, 923 "DHCPv6 Options for Mapping of Address and Port", draft- 924 ietf-softwire-map-dhcp-01 (work in progress), August 2012. 926 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 927 Requirement Levels", BCP 14, RFC 2119, March 1997. 929 [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in 930 IPv6 Specification", RFC 2473, December 1998. 932 14.2. Informative References 934 [I-D.dec-stateless-4v6] 935 Dec, W., Asati, R., and H. Deng, "Stateless 4Via6 Address 936 Sharing", draft-dec-stateless-4v6-04 (work in progress), 937 October 2011. 939 [I-D.ietf-softwire-stateless-4v6-motivation] 940 Boucadair, M., Matsushima, S., Lee, Y., Bonness, O., 941 Borges, I., and G. Chen, "Motivations for Carrier-side 942 Stateless IPv4 over IPv6 Migration Solutions", draft-ietf- 943 softwire-stateless-4v6-motivation-05 (work in progress), 944 November 2012. 946 [I-D.ietf-tsvwg-iana-ports] 947 Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S. 948 Cheshire, "Internet Assigned Numbers Authority (IANA) 949 Procedures for the Management of the Service Name and 950 Transport Protocol Port Number Registry", draft-ietf- 951 tsvwg-iana-ports-10 (work in progress), February 2011. 953 [RFC0897] Postel, J., "Domain name system implementation schedule", 954 RFC 897, February 1984. 956 [RFC1933] Gilligan, R. and E. Nordmark, "Transition Mechanisms for 957 IPv6 Hosts and Routers", RFC 1933, April 1996. 959 [RFC2529] Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4 960 Domains without Explicit Tunnels", RFC 2529, March 1999. 962 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 963 Translator (NAT) Terminology and Considerations", RFC 964 2663, August 1999. 966 [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: 967 Defeating Denial of Service Attacks which employ IP Source 968 Address Spoofing", BCP 38, RFC 2827, May 2000. 970 [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains 971 via IPv4 Clouds", RFC 3056, February 2001. 973 [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic 974 Host Configuration Protocol (DHCP) version 6", RFC 3633, 975 December 2003. 977 [RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the- 978 Network Tunneling", RFC 4459, April 2006. 980 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 981 (CIDR): The Internet Address Assignment and Aggregation 982 Plan", BCP 122, RFC 4632, August 2006. 984 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 985 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 986 RFC 4787, January 2007. 988 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless 989 Address Autoconfiguration", RFC 4862, September 2007. 991 [RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", RFC 992 4953, July 2007. 994 [RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site 995 Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214, 996 March 2008. 998 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 999 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 1000 RFC 5382, October 2008. 1002 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 1003 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 1004 April 2009. 1006 [RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's 1007 Robustness to Blind In-Window Attacks", RFC 5961, August 1008 2010. 1010 [RFC5969] Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4 1011 Infrastructures (6rd) -- Protocol Specification", RFC 1012 5969, August 2010. 1014 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 1015 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, 1016 October 2010. 1018 [RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport- 1019 Protocol Port Randomization", BCP 156, RFC 6056, January 1020 2011. 1022 [RFC6250] Thaler, D., "Evolution of the IP Model", RFC 6250, May 1023 2011. 1025 [RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P., and P. 1026 Roberts, "Issues with IP Address Sharing", RFC 6269, June 1027 2011. 1029 [RFC6324] Nakibly, G. and F. Templin, "Routing Loop Attack Using 1030 IPv6 Automatic Tunnels: Problem Statement and Proposed 1031 Mitigations", RFC 6324, August 2011. 1033 [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- 1034 Stack Lite Broadband Deployments Following IPv4 1035 Exhaustion", RFC 6333, August 2011. 1037 [RFC6346] Bush, R., "The Address plus Port (A+P) Approach to the 1038 IPv4 Address Shortage", RFC 6346, August 2011. 1040 Appendix A. Examples 1042 Example 1 - Basic Mapping Rule 1043 Given the MAP domain information and an IPv6 address of 1044 an endpoint: 1046 End-user IPv6 prefix: 2001:db8:0012:3400::/56 1047 Basic Mapping Rule: {2001:db8:0000::/40 (Rule IPv6 prefix), 1048 192.0.2.0/24 (Rule IPv4 prefix), 1049 16 (Rule EA-bits length)} 1050 PSID length: (16 - (32 - 24) = 8. (Sharing ratio of 256) 1051 PSID offset: 6 (default) 1053 A MAP node (CE or BR) can via the BMR, or equivalent FMR, 1054 determine the IPv4 address and port-set as shown below: 1056 EA bits offset: 40 1057 IPv4 suffix bits (p) Length of IPv4 address (32) - 1058 IPv4 prefix length (24) = 8 1059 IPv4 address: 192.0.2.18 (0xc0000212) 1060 PSID start: 40 + p = 40 + 8 = 48 1061 PSID length: o - p = (56 - 40) - 8 = 8 1062 PSID: 0x34 1064 Available ports (63 ranges) : 1232-1235, 2256-2259, ...... , 1065 63696-63699, 64720-64723 1067 The BMR information allows a MAP CE to determine (complete) 1068 its IPv6 address within the indicated IPv6 prefix. 1070 IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034 1072 Example 2 - BR: 1074 Another example can be made of a MAP BR, 1075 configured with the following FMR when receiving a packet 1076 with the following characteristics: 1078 IPv4 source address: 1.2.3.4 (0x01020304) 1079 IPv4 source port: 80 1080 IPv4 destination address: 192.0.2.18 (0xc0000212) 1081 IPv4 destination port: 1232 1083 Configured Forwarding Mapping Rule: {2001:db8::/40 (Rule IPv6 prefix), 1084 192.0.2.0/24 (Rule IPv4 prefix), 1085 16 (Rule EA-bits length)} 1087 IPv6 address of MAP BR: 2001:db8:ffff::1 1089 The above information allows the BR to derive as follows 1090 the mapped destination IPv6 address for the corresponding 1091 MAP CE, and also the mapped source IPv6 address for 1092 the IPv4 source address. 1094 IPv4 suffix bits (p): 32 - 24 = 8 (18 (0x12)) 1095 PSID length: 8 1096 PSID: 0x34 (1232) 1098 The resulting IPv6 packet will have the following key fields: 1100 IPv6 source address: 2001:db8:ffff::1 1101 IPv6 destination address: 2001:db8:0012:3400:0000:c000:0212:0034 1103 Example 3 - FMR: 1105 An IPv4 host behind the MAP CE (addressed as per the previous 1106 examples) corresponding with IPv4 host 1.2.3.4 will have its 1107 packets encapsulated by IPv6 using the IPv6 address of the BR 1108 configured on the MAP CE as follows: 1110 IPv6 address of BR used by MAP CE: 2001:db8:ffff::1 1111 IPv4 source address: 192.0.2.18 1112 IPv4 destination address: 1.2.3.4 1113 IPv4 source port: 1232 1114 IPv4 destination port: 80 1115 IPv6 source address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034 1116 IPv6 destination address: 2001:db8:ffff::1 1118 Example 4 - Rule with no embedded address bits and no address sharing 1119 End-User IPv6 prefix: 2001:db8:0012:3400::/56 1120 Basic Mapping Rule: {2001:db8:0012:3400::/56 (Rule IPv6 prefix), 1121 192.0.2.1/32 (Rule IPv4 prefix), 1122 0 (Rule EA-bits length)} 1123 PSID length: 0 (Sharing ratio is 1) 1124 PSID offset: n/a 1126 A MAP node (CE or BR) can via the BMR or equivalent FMR, determine 1127 the IPv4 address and port-set as shown below: 1129 EA bits offset: 0 1130 IPv4 suffix bits (p): Length of IPv4 address (32) - 1131 IPv4 prefix length (32) = 0 1132 IPv4 address: 192.0.2.1 (0xc0000201) 1133 PSID start: 0 1134 PSID length: 0 1135 PSID: null 1137 The BMR information allows a MAP CE also to determine (complete) 1138 its full IPv6 address by combining the IPv6 prefix with the MAP 1139 interface identifier (that embeds the IPv4 address). 1141 IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0201:0000 1143 Example 5 - Rule with no embedded address bits and address sharing 1144 (sharing ratio 256) 1145 End-User IPv6 prefix: 2001:db8:0012:3400::/56 1146 Basic Mapping Rule: {2001:db8:0012:3400::/56 (Rule IPv6 prefix), 1147 192.0.2.1/32 (Rule IPv4 prefix), 1148 0 (Rule EA-bits length)} 1149 PSID length: 8. (Provisioned with DHCP. Sharing ratio of 256) 1150 PSID offset: 6 (Default) 1151 PSID : 0x20 (Provisioned with DHCP.) 1153 A MAP node can via the BMR determine the IPv4 address and port-set 1154 as shown below: 1156 EA bits offset: 0 1157 IPv4 suffix bits (p): Length of IPv4 address (32) - 1158 IPv4 prefix length (32) = 0 1159 IPv4 address: 192.0.2.1 (0xc0000201) 1160 PSID offset: 6 1161 PSID length: 8 1162 PSID: 0x20 1164 Available ports (63 ranges) : 1536-1551, 2560-2575, ...... , 1165 64000-64015, 65024-65039 1167 The BMR information allows a MAP CE also to determine (complete) 1168 its full IPv6 address by combining the IPv6 prefix with the MAP 1169 interface identifier (that embeds the IPv4 address and PSID). 1171 IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034 1173 Note that the IPv4 address and PSID is not derived from the IPv6 1174 prefix assigned to the CE, but provisioned separately using 1175 e.g. DHCP. 1177 Appendix B. A More Detailed Description of the Derivation of the Port 1178 Mapping Algorithm 1180 This Appendix describes how the port mapping algorithm described in 1181 Section 5.1 was derived. The algorithm is used in domains whose 1182 rules allow IPv4 address sharing. 1184 The basic requirement for a port mapping algorithm is that the port 1185 sets it assigns to different MAP CEs MUST be non-overlapping. A 1186 number of other requirements guided the choice of the algorithm: 1188 o In keeping with the general MAP algorithm the port set MUST be 1189 derivable from a port set identifier (PSID) that can be embedded 1190 in the End-user IPv6 prefix. 1192 o The mapping MUST be reversible, such that, given the port number, 1193 the PSID of the port set to which it belongs can be quickly 1194 derived. 1196 o The algorithm MUST allow a broad range of address sharing ratios. 1198 o It SHOULD be possible to exclude subsets of the complete port 1199 numbering space from assignment. Most operators would exclude the 1200 system ports (0-1023). A conservative operator might exclude all 1201 but the transient ports (49152-65535). 1203 o The effect of port exclusion on the possible values of the End- 1204 user IPv6 prefix (i.e., due to restrictions on the PSID value) 1205 SHOULD be minimized. 1207 o For administrative simplicity, the algorithm SHOULD allocate the 1208 the same or almost the same number of ports to each CE sharing a 1209 given IPv4 address. 1211 The two extreme cases that an algorithm satisfying those conditions 1212 might support are: (1) the port numbers are not contiguous for each 1213 PSID, but uniformly distributed across the allowed port range; (2) 1214 the port numbers are contiguous in a single range for each PSID. The 1215 port mapping algorithm proposed here is called the Generalized 1216 Modulus Algorithm (GMA) and supports both these cases. 1218 For a given IPv4 address sharing ratio (R) and the maximum number of 1219 contiguous ports (M) in a port set, the GMA is defined as: 1221 a. The port numbers (P) corresponding to a given PSID are generated 1222 by: 1224 (1) ... P = (R * M) * i + M * PSID + j 1226 where i and j are indices and the ranges of i, j, and the PSID are 1227 discussed in a moment. 1229 b. For any given port number P, the PSID is calculated as: 1231 (2) ... PSID = trunc((P modulo (R * M)) / M) 1233 where trunc() is the operation of rounding down to the nearest 1234 integer. 1236 Formula (1) can be interpreted as follows. First, the available port 1237 space is divided into blocks of size R * M. Each block is divided 1238 into R individual ranges of length M. The index i in formula (1) 1239 selects a block, PSID selects a range within that block, and the 1240 index j selects a specific port value within the range. On the basis 1241 of this interpretation: 1243 o i ranges from ceil(N / (R * M)) to trunc(65536/(R * M)) - 1, where 1244 ceil is the operation of rounding up to the nearest integer and N 1245 is the number of ports (e.g., 1024) excluded from the lower end of 1246 the range. That is, any block containing excluded values is 1247 discarded at the lower end, and if the final block has fewer than 1248 R * M values it is discarded. This ensures that the same number 1249 of ports is assigned to every PSID. 1251 o PSID ranges from 0 to R - 1; 1253 o j ranges from 0 to M - 1. 1255 B.1. Bit Representation of the Algorithm 1257 If R and M are powers of 2 (R = 2^k, M = 2^m), formula (1) translates 1258 to a computationally convenient structure for any port number 1259 represented as a 16-bit binary number. This structure is shown in 1260 Figure 9. 1262 0 8 15 1263 +---------------+----------+------+-------------------+ 1264 | P | 1265 ----------------+-----------------+-------------------+ 1266 | i | PSID | j | 1267 +---------------+----------+------+-------------------+ 1268 |<----a bits--->|<-----k bits---->|<------m bits----->| 1270 Figure 9: Bit Representation of a Port Number 1272 As shown in the figure, the index value i of formula (1) is given by 1273 the first a = 16 - k - m bits of the port number. The PSID value is 1274 given by the next k bits, and the index value j is given by the last 1275 m bits. 1277 For any port number, the PSID can be obtained by a bit mask 1278 operation. 1280 Note that when M and R are powers of 2, 65536 divides evenly by R * 1281 M. Hence the final block is complete and the upper bound on i is 1282 exactly 65536/(R * M) - 1. The lower bound on i is still the minimum 1283 required to ensure that the required set of ports is excluded. No 1284 port numbers are wasted through discarding of blocks at the lower end 1285 if block size R * M is a factor of N, the number of ports to be 1286 excluded. 1288 As a final note, the number of blocks into which the range 0-65535 is 1289 being divided in the above representation is given by 2^a. Hence the 1290 case where a = 0 can be interpreted as one where the complete range 1291 has been divided into a single block, and individual port sets are 1292 contained in contiguous ranges in that block. We cannot throw away 1293 the whole block in that case, so port exclusion has to be achieved by 1294 putting a lower bound equal to ceil(N / M) on the allowed set of PSID 1295 values instead. 1297 B.2. GMA examples 1299 For example, for R = 256, PSID = 0, offset: a = 6 and PSID length: k 1300 = 8 bits 1301 Available ports (63 ranges) : 1024-1027, 2048-2051, ...... , 1302 63488-63491, 64512-64515 1304 For example, for R = 64, PSID = 0, a = 0 (PSID offset = 0 and PSID 1305 length = 6 bits), no port exclusion: 1307 Available ports (1 range) : 0-1023 1309 Authors' Addresses 1311 Ole Troan (editor) 1312 Cisco Systems 1313 Philip Pedersens vei 1 1314 Lysaker 1366 1315 Norway 1317 Email: ot@cisco.com 1319 Wojciech Dec 1320 Cisco Systems 1321 Haarlerbergpark Haarlerbergweg 13-19 1322 Amsterdam, NOORD-HOLLAND 1101 CH 1323 Netherlands 1325 Email: wdec@cisco.com 1327 Xing Li 1328 CERNET Center/Tsinghua University 1329 Room 225, Main Building, Tsinghua University 1330 Beijing 100084 1331 CN 1333 Email: xing@cernet.edu.cn 1335 Congxiao Bao 1336 CERNET Center/Tsinghua University 1337 Room 225, Main Building, Tsinghua University 1338 Beijing 100084 1339 CN 1341 Email: congxiao@cernet.edu.cn 1342 Satoru Matsushima 1343 SoftBank Telecom 1344 1-9-1 Higashi-Shinbashi, Munato-ku 1345 Tokyo 1346 Japan 1348 Email: satoru.matsushima@g.softbank.co.jp 1350 Tetsuya Murakami 1351 IP Infusion 1352 1188 East Arques Avenue 1353 Sunnyvale 1354 USA 1356 Email: tetsuya@ipinfusion.com 1358 Tom Taylor (editor) 1359 Huawei Technologies 1360 Ottawa 1361 Canada 1363 Email: tom.taylor.stds@gmail.com