idnits 2.17.1 draft-ietf-v6ops-6to4-to-historic-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. -- The draft header indicates that this document obsoletes RFC3056, but the abstract doesn't seem to directly say this. It does mention RFC3056 though, so this could be OK. -- The draft header indicates that this document obsoletes RFC3068, but the abstract doesn't seem to directly say this. It does mention RFC3068 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 24, 2011) is 4690 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 3068 (Obsoleted by RFC 7526) ** Obsolete normative reference: RFC 5156 (Obsoleted by RFC 6890) ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) ** Obsolete normative reference: RFC 5735 (Obsoleted by RFC 6890) == Outdated reference: A later version (-05) exists of draft-ietf-6man-rfc3484-revise-03 Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 v6ops WG O. Troan 3 Internet-Draft Cisco 4 Obsoletes: 3056, 3068 June 24, 2011 5 (if approved) 6 Intended status: Informational 7 Expires: December 26, 2011 9 Request to move Connection of IPv6 Domains via IPv4 Clouds (6to4) to 10 Historic status 11 draft-ietf-v6ops-6to4-to-historic-05.txt 13 Abstract 15 Experience with the "Connection of IPv6 Domains via IPv4 Clouds 16 (6to4)" IPv6 transitioning mechanism has shown that the mechanism is 17 unsuitable for widespread deployment and use in the Internet. This 18 document requests that RFC3056 and the companion document "An Anycast 19 Prefix for 6to4 Relay Routers" RFC3068 are made obsolete and moved to 20 historic status. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on December 26, 2011. 39 Copyright Notice 41 Copyright (c) 2011 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 1. Introduction 56 There would appear to be no evidence of any substantial deployment of 57 the variant of 6to4 described in [RFC3056]. Its extension specified 58 in "An Anycast Prefix for 6to4 Relay Routers" [RFC3068] has been 59 shown to have severe practical problems when used in the Internet. 60 This document requests that RFC3056 and RFC3068 be moved to Historic 61 status as defined in section 4.2.4 [RFC2026]. 63 6to4 was designed to help transition the Internet from IPv4 to IPv6. 64 It has been a good mechanism for experimenting with IPv6, but because 65 of the high failure rates seen with 6to4 [HUSTON], end users may end 66 up disabling IPv6 on hosts, and content providers are reluctant to 67 make content available over IPv6. 69 [I-D.ietf-v6ops-6to4-advisory] analyses the known operational issues 70 and describes a set of suggestions to improve 6to4 reliability, given 71 the widespread presence of hosts and customer premises equipment that 72 support it. 74 The IETF sees no evolutionary future for the mechanism and it is not 75 recommended to include this mechanism in new implementations. 77 IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) [RFC5969] 78 utilizes the same encapsulation and base mechanism as 6to4, and could 79 be viewed as a superset of 6to4 (6to4 could be achieved by setting 80 the 6rd prefix to 2002::/16). However, the deployment model is such 81 that 6rd can avoid the problems described here. In this sense, 6rd 82 can be viewed as superseding 6to4 as described in section 4.2.4 of 83 [RFC2026] 85 2. Conventions 87 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 88 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 89 document are to be interpreted as described in RFC 2119 [RFC2119]. 91 3. 6to4 operational problems 93 6to4 is a mechanism designed to allow isolated IPv6 islands to reach 94 each other using IPv6 over IPv4 automatic tunneling. To reach the 95 native IPv6 Internet the mechanism uses relay routers both in the 96 forward and reverse direction. The mechanism is supported in many 97 IPv6 implementations. With the increased deployment of IPv6, the 98 mechanism has been shown to have a number of fundamental 99 shortcomings. 101 6to4 depends on relays both in the forward and reverse direction to 102 enable connectivity with the native IPv6 Internet. A 6to4 node will 103 send IPv4 encapsulated IPv6 traffic to a 6to4 relay, that is 104 connected both to the 6to4 cloud and to native IPv6. In the reverse 105 direction a 2002::/16 route is injected into the native IPv6 routing 106 domain to attract traffic from native IPv6 nodes to a 6to4 relay 107 router. It is expected that traffic will use different relays in the 108 forward and reverse direction. RFC3068 adds an extension that allows 109 the use of a well known IPv4 anycast address to reach the nearest 110 6to4 relay in the forward direction. 112 One model of 6to4 deployment as described in section 5.2, RFC3056, 113 suggests that a 6to4 router should have a set of managed connections 114 (via BGP connections) to a set of 6to4 relay routers. While this 115 makes the forward path more controlled, it does not guarantee a 116 functional reverse path. In any case this model has the same 117 operational burden as manually configured tunnels and has seen no 118 deployment in the public Internet. 120 List of some of the known issues with 6to4: 122 o Use of relays. 6to4 depends on an unknown third- party to operate 123 the relays between the 6to4 cloud and the native IPv6 Internet. 124 o The placement of the relay can lead to increased latency, and in 125 the case the relay is overloaded, packet loss. 126 o There is generally no customer relationship between the end-user 127 and the relay operator, or even a way for the end-user to know who 128 the relay operator is, so no support is possible. 129 o A 6to4 relay for the reverse path and an anycast 6to4 relay used 130 for the forward path, are openly accessible, limited only by the 131 scope of routing. 6to4 relays can be used to anonymize traffic and 132 inject attacks into IPv6 that are very difficult to trace. 133 o 6to4 may silently discard traffic in the case where protocol (41) 134 is blocked in intermediate firewalls. Even if a firewall sent an 135 ICMP message unreachable back, an IPv4 ICMP message rarely 136 contains enough of the original IPv6 packet so that it can be 137 relayed back to the IPv6 sender. That makes this problem hard to 138 detect and react upon by the sender of the packet. 139 o As 6to4 tunnels across the Internet, the IPv4 addresses used must 140 be globally reachable. RFC3056 states that a private address 141 [RFC1918] MUST NOT be used. 6to4 will not work in networks that 142 employ other addresses with limited topological span. 144 4. Deprecation 146 This document formally deprecates the 6to4 transition mechanism and 147 the IPv6 6to4 prefix defined in [RFC3056], i.e., 2002::/16. The 148 prefix MUST NOT be reassigned for other use except by a future IETF 149 standards action. 151 Disabling 6to4 in the IPv6 Internet will take some time. The initial 152 approach is to make 6to4 a service of "last resort" in host 153 implementations, ensure that the 6to4 service is disabled by default 154 in 6to4 routers, and deploy native IPv6 services. In order to limit 155 the impact of end-users, it is recommended that operators retain 156 their existing 6to4 relay routers and follow the recommendations 157 found in [I-D.ietf-v6ops-6to4-advisory]. When traffic levels 158 diminish, these routers can be decommissioned. 160 IPv6 nodes SHOULD treat 6to4 as a service of "last resort" as 161 recommended in [I-D.ietf-6man-rfc3484-revise] 163 Implementations capable of acting as 6to4 routers SHOULD NOT enable 164 6to4 without explicit user configuration. In particular, enabling 165 IPv6 forwarding on a device, SHOULD NOT automatically enable 6to4. 167 Existing implementations and deployments MAY continue to use 6to4. 169 The references to 6to4 should be removed as soon as practical from 170 the revision of the Special-Use IPv6 Addresses [RFC5156]. 172 The references to the 6to4 relay anycast addresses (192.88.99.0/24) 173 should be removed as soon as practical from the revision of the 174 Special Use IPv4 addresses [RFC5735]. 176 Incidental references to 6to4 should be removed from other IETF 177 documents if and when they are updated. These documents include 178 RFC3162, RFC3178, RFC3790, RFC4191, RFC4213, RFC4389, RFC4779, 179 RFC4852, RFC4891, RFC4903, RFC5157, RFC5245, RFC5375, RFC5971, and 180 RFC6071. 182 5. IANA Considerations 184 IANA is requested to mark the 2002::/16 prefix as "deprecated", 185 pointing to this document. Reassignment of the prefix for any usage 186 requires justification via an IETF Standards Action [RFC5226]. 188 The delegation of the 2.0.0.2.ip6.arpa domain [RFC5158] should be 189 left in place. Redelegation of the domain for any usage requires 190 justification via an IETF Standards Action [RFC5226]. 192 IANA is requested to mark the 192.88.99.0/24 prefix [RFC3068] as 193 "deprecated", pointing to this document. Redelegation of the domain 194 for any usage requires justification via an IETF Standards Action 195 [RFC5226]. 197 6. Security Considerations 199 There are no new security considerations pertaining to this document. 200 General security issues with tunnels are listed in 201 [I-D.ietf-v6ops-tunnel-security-concerns] and more specifically to 202 6to4 in [RFC3964] and [I-D.ietf-v6ops-tunnel-loops]. 204 7. Acknowledgements 206 The authors would like to acknowledge Tore Anderson, Dmitry Anipko, 207 Jack Bates, Cameron Byrne, Ben Campbell, Gert Doering, Ray Hunter, 208 Joel Jaeggli, Kurt Erik Lindqvist, Jason Livingood, Keith Moore, Tom 209 Petch, Daniel Roesen and Mark Townsley, James Woodyatt, for their 210 contributions and discussions on this topic. 212 Special thanks go to Fred Baker, Geoff Huston, Brian Carpenter, and 213 Wes George for their significant contributions. 215 Many thanks to Gunter Van de Velde for documenting the harm caused by 216 non-managed tunnels and to stimulate the creation of this document. 218 8. References 220 8.1. Normative References 222 [RFC2026] Bradner, S., "The Internet Standards Process -- Revision 223 3", BCP 9, RFC 2026, October 1996. 225 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 226 Requirement Levels", BCP 14, RFC 2119, March 1997. 228 [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains 229 via IPv4 Clouds", RFC 3056, February 2001. 231 [RFC3068] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers", 232 RFC 3068, June 2001. 234 [RFC5156] Blanchet, M., "Special-Use IPv6 Addresses", RFC 5156, 235 April 2008. 237 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 238 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 239 May 2008. 241 [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", 242 BCP 153, RFC 5735, January 2010. 244 8.2. Informative References 246 [HUSTON] Huston, "Flailing IPv6", December 2010, 247 . 249 [I-D.ietf-6man-rfc3484-revise] 250 Matsumoto, A., Kato, J., and T. Fujisaki, "Update to RFC 251 3484 Default Address Selection for IPv6", 252 draft-ietf-6man-rfc3484-revise-03 (work in progress), 253 June 2011. 255 [I-D.ietf-v6ops-6to4-advisory] 256 Carpenter, B., "Advisory Guidelines for 6to4 Deployment", 257 draft-ietf-v6ops-6to4-advisory-02 (work in progress), 258 June 2011. 260 [I-D.ietf-v6ops-tunnel-loops] 261 Nakibly, G. and F. Templin, "Routing Loop Attack using 262 IPv6 Automatic Tunnels: Problem Statement and Proposed 263 Mitigations", draft-ietf-v6ops-tunnel-loops-07 (work in 264 progress), May 2011. 266 [I-D.ietf-v6ops-tunnel-security-concerns] 267 Krishnan, S., Thaler, D., and J. Hoagland, "Security 268 Concerns With IP Tunneling", 269 draft-ietf-v6ops-tunnel-security-concerns-04 (work in 270 progress), October 2010. 272 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 273 E. Lear, "Address Allocation for Private Internets", 274 BCP 5, RFC 1918, February 1996. 276 [RFC3964] Savola, P. and C. Patel, "Security Considerations for 277 6to4", RFC 3964, December 2004. 279 [RFC5158] Huston, G., "6to4 Reverse DNS Delegation Specification", 280 RFC 5158, March 2008. 282 [RFC5969] Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4 283 Infrastructures (6rd) -- Protocol Specification", 284 RFC 5969, August 2010. 286 Author's Address 288 Ole Troan 289 Cisco 290 Oslo, 291 Norway 293 Email: ot@cisco.com