-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-ietf-6man-ra-pref64-09.xml
361 lines (309 loc) · 21.8 KB
/
draft-ietf-6man-ra-pref64-09.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC1918 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1918.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC4033 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4033.xml">
<!ENTITY RFC4861 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4861.xml">
<!ENTITY RFC6052 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6052.xml">
<!ENTITY RFC6104 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6104.xml">
<!ENTITY RFC6105 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6105.xml">
<!ENTITY RFC6146 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6146.xml">
<!ENTITY RFC6147 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6147.xml">
<!ENTITY RFC6877 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6877.xml">
<!ENTITY RFC7050 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7050.xml">
<!ENTITY RFC7225 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7225.xml">
<!ENTITY RFC7556 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7556.xml">
<!ENTITY RFC7858 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7858.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC8305 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8305.xml">
<!ENTITY RFC8484 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8484.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc ipr="trust200902"
obsoletes=""
category="std"
docName="draft-ietf-6man-ra-pref64-09">
<!-- category values: std, bcp, info, exp, and historic -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the
full title is longer than 39 characters -->
<title>Discovering PREF64 in Router Advertisements</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<author fullname="Lorenzo Colitti" initials="L." surname="Colitti">
<organization>Google</organization>
<address>
<postal>
<street>Shibuya 3-21-3</street>
<city>Shibuya</city>
<region>Tokyo</region>
<code>150-0002</code>
<country>JP</country>
</postal>
<phone></phone>
<email>[email protected]</email>
</address>
</author>
<author fullname="Jen Linkova" initials="J." surname="Linkova">
<organization>Google</organization>
<address>
<postal>
<street>1 Darling Island Rd</street>
<city>Pyrmont</city>
<region>NSW</region>
<code>2009</code>
<country>AU</country>
</postal>
<phone></phone>
<email>[email protected]</email>
</address>
</author>
<date/>
<!-- If the month and year are both specified and are the current ones, xml2rfc will fill
in the current day for you. If only the current year is specified, xml2rfc will fill
in the current day and month for you. If the year is not the current one, it is
necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the
purpose of calculating the expiry date). With drafts it is normally sufficient to
specify just the year. -->
<!-- Meta-data Declarations -->
<area>Internet</area>
<workgroup>IPv6 Maintenance</workgroup>
<!-- WG name at the upperleft corner of the doc,
IETF is fine for individual submissions.
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>template</keyword>
<!-- Keywords will be incorporated into HTML output
files in a meta tag but they have no effect on text or nroff
output. If you submit your draft to the RFC Editor, the
keywords will be used for the search engine. -->
<abstract>
<t>This document specifies a Neighbor Discovery option to be used in Router Advertisements to communicate NAT64 prefixes to hosts.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>NAT64 <xref target="RFC6146"/> with DNS64 <xref target="RFC6147"/> is a widely-deployed mechanism to provide IPv4 access on IPv6-only networks. In various scenarios, the host must be aware of the NAT64 prefix in use by the network. This document specifies a Neighbor Discovery <xref target="RFC4861"/> option to be used in Router Advertisements to communicate NAT64 prefixes to hosts.</t>
<section title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.</t>
</section>
<section title="Terminology">
<t>
PREF64 (or NAT64 prefix): an IPv6 prefix used for IPv6 address synthesis <xref target="RFC6146"/>;
</t>
<t>
NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers <xref target="RFC6146"/>;
</t>
<t>
RA: Router Advertisement, a message used by IPv6 routers to advertise their presence together
with various link and Internet parameters <xref target="RFC4861"/>;
</t>
<t>
DNS64: a mechanism for synthesizing AAAA records from A records <xref target="RFC6147"/>;
</t>
</section>
</section>
<section title="Use cases for communicating the NAT64 prefix to hosts">
<t>
On networks employing NAT64, it is useful for hosts to know the NAT64 prefix for several reasons, including the following:
<list style="symbols">
<t>Enabling DNS64 functions on end hosts. In particular:
<list style="symbols">
<t>Local DNSSEC validation (DNS64 in stub-resolver mode). As discussed in <xref target="RFC6147"/> section 2, the stub resolver in the host "will try to obtain (real) AAAA RRs, and in case they are not available, the DNS64 function will synthesize AAAA RRs for internal usage." Therefore to perform the DNS64 function the stub resolver needs to know the NAT64 prefix. This is required in order to use DNSSEC on a NAT64 network.</t>
<t>Trusted DNS server. AAAA synthesis is required for the host to be able to use a DNS server not provided by the network (e.g., a DNS-over-TLS <xref target="RFC7858"/> or DNS-over-HTTPS <xref target="RFC8484"/> server with which the host has an existing trust relationship).</t>
<t>Networks with no DNS64 server. Hosts that support AAAA synthesis and that are aware of the NAT64 prefix in use do not need the network to perform the DNS64 function at all.</t>
</list></t>
<t> Enabling NAT64 address translation functions on end hosts. For example:
<list style="symbols">
<t>IPv4 address literals on an IPv6-only host. As described in <xref target="RFC8305"/> section 7.1, IPv6-only hosts connecting to IPv4 address literals can translate the IPv4 literal to an IPv6 literal.</t>
<t>464XLAT <xref target="RFC6877"/>. 464XLAT requires the host be aware of the NAT64 prefix.</t>
</list>
</t>
</list>
</t>
</section>
<section title="Why include the NAT64 prefix in Router Advertisements">
<t>Fate sharing: NAT64 requires routing to be configured. IPv6 routing configuration requires receiving an IPv6 Router Advertisement <xref target="RFC4861"/>. Therefore using Router Advertisements to provide hosts with NAT64 prefix ensures that NAT64 reachability information shares fate with the rest of network configuration on the host.</t>
<t>Atomic configuration: including the NAT64 prefix in the Router Advertisement minimizes the number of packets required to configure a host. Only one packet (a Router Advertisement) is required to complete the network configuration. This speeds up the process of connecting to a network that supports NAT64/DNS64, and simplifies host implementation by removing the possibility that the host can have an incomplete layer 3 configuration (e.g., IPv6 addresses and prefixes, but no NAT64 prefix).</t>
<t>Updatability: it is possible to change the NAT64 prefix at any time, because when it changes, it is possible to notify hosts by sending a new Router Advertisement.</t>
<t>Deployability: all IPv6 hosts and networks are required to support Neighbor Discovery <xref target="RFC4861"/> so just a minor extension to the existing implementation is required. Other options such as <xref target="RFC7225"/> require implementing other protocols (e.g. PCP <xref target="RFC7225"/>) which could be considered an obstacle for deployment.</t>
</section>
<section anchor="Format" title="Option format">
<figure align="center" anchor="fig_Option"
title="NAT64 Prefix Option Format">
<artwork align="center"><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Scaled Lifetime | PLC |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| Highest 96 bits of the Prefix |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t>Fields:</t>
<texttable style="none">
<ttcol></ttcol>
<ttcol></ttcol>
<c>Type</c> <c>8-bit identifier of the PREF64 option type as assigned by IANA: TBD</c>
<c>Length</c> <c> 8-bit unsigned integer. The length of the option
(including the Type and Length fields) is in units of 8 octets. The sender MUST set the length to 2. The receiver MUST ignore the PREF64 option if the length field value is not 2.</c>
<c></c><c></c>
<c>Scaled Lifetime</c> <c>13-bit unsigned integer. The maximum time in units of 8 seconds over which this NAT64 prefix MAY be used. See <xref target="lifetime"/> for the Scaled Lifetime field processing rules.
</c>
<c></c><c></c>
<c>PLC (Prefix Length Code)</c><c>3-bit unsigned integer. This field encodes the NAT64 Prefix Length defined in <xref target="RFC6052"/>. The PLC field values 0, 1, 2, 3, 4 and 5 indicate the NAT64 prefix length of 96, 64, 56, 48, 40 and 32 bits respectively. The receiver MUST ignore the PREF64 option if the prefix length code field is not set to one of those values. </c>
<c></c><c></c>
<c>Highest 96 bits of the prefix</c> <c>96-bit unsigned integer. Contains bits 0 - 95 of the NAT64 prefix.</c>
</texttable>
<section anchor="lifetime" title="Scaled Lifetime Processing">
<t>
It would be highly undesirable for the NAT64 prefix to have a lifetime shorter than the Router Lifetime, which is defined in the Section 4.2 of <xref target="RFC4861"/> as 16-bit unsigned integer.
If the NAT64 prefix lifetime is not at least equal to the default router lifetime it might lead to scenarios when the NAT64 prefix lifetime expires before the arrival of the next unsolicited RA.
Therefore the Scaled Lifetime encodes the NAT64 prefix lifetime in units of 8 seconds.
The receiver MUST multiply the Scaled Lifetime value by 8 (for example, by logical left shift) to calculate the maximum time in seconds the prefix MAY be used.
The maximum lifetime of the NAT64 prefix is thus 65528 seconds.
To ensure that the NAT64 prefix does not expire before the default router, when using this option it is NOT RECOMMENDED to configure default router lifetimes greater than 65528 seconds.
Lifetime of 0 indicates that the prefix SHOULD NOT be used anymore.
</t>
<t>
The value of the Scaled Lifetime field SHOULD by default be set to the lesser of 3 x MaxRtrAdvInterval (<xref target="RFC4861"/>) divided by 8, or 8191.
</t>
<t>
Router vendors SHOULD allow administrators to specify non-zero lifetime values which are not divisible by 8.
In such cases the router SHOULD round the provided value up to the nearest integer that is divisible by 8 and smaller than 65536, then divide the result by 8 (or perform a logical right-shift by 3), and set the Scaled Lifetime field to the resulting value.
If such a non-zero lifetime value to be divided by 8 (to be subjected to a logical right-shift by 3) is less than 8 then the Scaled Lifetime field SHOULD be set to 1.
This last step ensures that lifetimes under 8 seconds are encoded as a non-zero Scaled Lifetime.
</t>
</section>
</section>
<section title="Usage Guidelines">
<t>This option specifies exactly one NAT64 prefix for all IPv4 destinations. If the network operator desires to route different parts of the IPv4 address space to different NAT64 devices, this can be accomplished by routing more specific sub-prefixes of the NAT64 prefix to those devices.
For example, suppose an operator is using the <xref target="RFC1918"/> address space 10.0.0.0/8 internally.
That operator might want to route 10.0.0.0/8 through NAT64 device A, and the rest of the IPv4 space through NAT64 device B.
If the operator's NAT64 prefix is 2001:db8:a:b::/96, then the operator can route 2001:db8:a:b::a00:0/104 to NAT64 A and 2001:db8:a:b::/96 to NAT64 B.
</t>
<t>This option may appear more than once in a Router Advertisement (e.g. in case of graceful renumbering the network from one NAT64 prefix to another). Host behaviour with regards to synthesizing IPv6 addresses from IPv4 addresses SHOULD follow the recommendations given in Section 3 of <xref target="RFC7050"/>, limited to the NAT64 prefixes that have non-zero lifetime.</t>
<t>In a network (or a provisioning domain) that provides both IPv4 and NAT64, it may be desirable for certain IPv4 addresses not to be translated. An example might be private address ranges that are local to the network/provisioning domain and should not be reached through the NAT64. This type of configuration cannot be conveyed to hosts using this option, or through other NAT64 prefix provisioning mechanisms such as <xref target="RFC7050"/> or <xref target="RFC7225"/>. This problem does not apply in IPv6-only networks, because in such networks, the host does not have an IPv4 address and cannot reach any IPv4 destinations without the NAT64.</t>
<section anchor="mult_src" title="Handling Multiple NAT64 Prefixes">
<t>
In some cases a host may receive multiple NAT64 prefixes from different sources. Possible scenarios include (but are not limited to):
</t>
<t><list style="symbols">
<t> the host is using multiple mechanisms to discover PREF64 prefixes (e.g. by using PCP <xref target="RFC7225"/>) and/or by resolving IPv4-only fully qualified domain name <xref target="RFC7050"/> in addition to receiving the PREF64 RA option);</t>
<t> the PREF64 option presents in a single RA more than once;</t>
<t> the host receives multiple RAs with different PREF64 prefixes on a given interface.</t>
</list>
</t>
<t>When multiple PREF64 were discovered via RA PREF64 Option (the Option presents more than once in a single RA or multiple RAs were received), host behaviour with regards to synthesizing IPv6 addresses from IPv4 addresses SHOULD follow the recommendations given in Section 3 of <xref target="RFC7050"/>, limited to the NAT64 prefixes that have non-zero lifetime.</t>
<t>
When different PREF64 are discovered by using multiple mechanisms, hosts SHOULD select one source of information only. The RECOMMENDED order is:
<list style="symbols">
<t>PCP-discovered prefixes <xref target="RFC7225"/>, if supported;</t>
<t>PREF64 discovered via RA Option;</t>
<t>PREF64 resolving IPv4-only fully qualified domain name <xref target="RFC7050"/> </t>
</list>
</t>
<t>Note that if the network provides PREF64 both via this RA option and <xref target="RFC7225"/>, hosts that receive the PREF64 via RA option may choose to use it immediately before waiting for PCP to complete, and therefore some traffic may not reflect any more detailed configuration provided by PCP.</t>
<t>
The host SHOULD treat the PREF64 as being specific to the network interface it was received on.
Provisioning Domain (PvD, <xref target="RFC7556"/>) aware hosts MUST treat the PREF64 as being scoped to the implicit or explicit PvD.
</t>
</section>
<section anchor="cons" title="PREF64 Consistency">
<t>
Section 6.2.7 of <xref target="RFC4861"/> recommends that routers inspect RAs sent by other routers to ensure that all routers onlink advertise consistent information. Routers SHOULD inspect valid PREF64 options received on a given link and verify the consistency. Detected inconsistencies indicate that one or more routers might be misconfigured. Routers SHOULD log such cases to system or network management.
Routers SHOULD check and compare the following information:
<list style="symbols">
<t>set of PREF64 with non-zero lifetime;</t>
<t>set of PREF64 with zero lifetime.</t>
</list>
Provisioning Domain (PvD, <xref target="RFC7556"/>) aware routers MUST only compare information scoped to the same implicit or explicit PvD.
</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>The IANA is requested to assign a new IPv6 Neighbor Discovery Option type for the PREF64 option defined in this document.</t>
<texttable anchor="option_table">
<ttcol align="left">Option Name</ttcol>
<ttcol align="left">Type</ttcol>
<c>PREF64 option</c>
<c>(TBD)</c>
</texttable>
<t>The IANA registry for these options is:
<list><t>
<eref target="https://www.iana.org/assignments/icmpv6-parameters">
https://www.iana.org/assignments/icmpv6-parameters</eref>
</t></list></t>
</section>
<section anchor="Security" title="Security Considerations">
<t>Because Router Advertisements are required in all IPv6 configuration scenarios, on IPv6-only networks, Router Advertisements must already be secured, e.g., by deploying RA guard <xref target="RFC6105"/>. Providing all configuration in Router Advertisements reduces the attack surface to be targeted by malicious attackers to provide hosts with invalid configuration as compared to distributing the configuration through multiple different mechanisms that need to be secured independently.</t>
<t>
If a host is provided with an incorrect NAT64 prefix the IPv6-only host might not be able to communicate with IPv4-only destinations.
Connectivity to destinations reachable over IPv6 would not be impacted just by providing a host with an incorrect prefix (however if attackers are capable of sending rogue RAs they can perform denial-of-service or man-in-the-middle attacks, as described in <xref target="RFC6104"/>).
</t>
<t>The security measures that must already be in place to ensure that Router Advertisements are only received from legitimate sources eliminate the problem of NAT64 prefix validation described in section 3.1 of <xref target="RFC7050"/>.</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>
Thanks to the following people (in alphabetical order) for their review and feedback:
Mikael Abrahamsson, Mark Andrews, Brian E Carpenter, David Farmer, Nick Heatley, Robert Hinden, Martin Hunek, Tatuya Jinmei, Benjamin Kaduk, Erik Kline, Suresh Krishnan, Warren Kumari, David Lamparter, Barry Leiba, Jordi Palet Martinez, Tommy Pauly, Alexandre Petrescu, Michael Richardson, David Schinazi, Ole Troan, Eric Vynke, Bernie Volz.
</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<references title="Normative References">
&RFC2119;
&RFC4861;
&RFC6052;
&RFC7050;
&RFC8174;
</references>
<references title="Informative References">
&RFC1918;
&RFC6104;
&RFC6105;
&RFC6146;
&RFC6147;
&RFC6877;
&RFC7225;
&RFC7556;
&RFC7858;
&RFC8305;
&RFC8484;
</references>
</back>
</rfc>