draft-ietf-v6ops-ivi-icmp-address-01.txt   draft-ietf-v6ops-ivi-icmp-address-02.txt 
Network Working Group X. Li Network Working Group X. Li
Internet-Draft C. Bao Internet-Draft C. Bao
Intended status: BCP CERNET Center/Tsinghua Intended status: BCP CERNET Center/Tsinghua
Expires: August 28, 2012 University Expires: January 4, 2013 University
D. Wing D. Wing
R. Vaithianathan R. Vaithianathan
Cisco Cisco
G. Huston G. Huston
APNIC APNIC
February 25, 2012 July 3, 2012
Stateless Source Address Mapping for ICMPv6 Packets Stateless Source Address Mapping for ICMPv6 Packets
draft-ietf-v6ops-ivi-icmp-address-01 draft-ietf-v6ops-ivi-icmp-address-02
Abstract Abstract
A stateless IPv4/IPv6 translator may receive ICMPv6 packets A stateless IPv4/IPv6 translator may receive ICMPv6 packets
containing non IPv4-translatable addresses as the source that should containing non IPv4-translatable addresses as the source that should
be passed across the translator as an ICMP packet directed to the the be passed across the translator as an ICMP packet directed to the
IPv4-translatable destination. This document discusses the IPv4-translatable destination. This document presents
considerations and presents a stateless address mapping algorithm for recommendations for source address translation in ICMPv6 headers for
source address translation in ICMPv6 headers for such cases. such cases.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 28, 2012. This Internet-Draft will expire on January 4, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 2, line 17
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3 2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3
3. Problem Statement and Considerations . . . . . . . . . . . . . 3 3. Problem Statement and Considerations . . . . . . . . . . . . . 3
4. Routing Considerations . . . . . . . . . . . . . . . . . . . . 4 4. ICMP Extension . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Stateless Address Mapping Algorithm . . . . . . . . . . . . . . 4 5. Stateless Address Mapping Algorithm . . . . . . . . . . . . . . 4
6. ICMP Extension . . . . . . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
7.1. Filtering Recommendations . . . . . . . . . . . . . . . . . 5 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 4
7.2. Rate-limiting Recommendations . . . . . . . . . . . . . . . 5 9. Normative References . . . . . . . . . . . . . . . . . . . . . 5
7.3. RFC5837 Recommendations . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
10.1. Normative References . . . . . . . . . . . . . . . . . . . 6
10.2. Informative References . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction 1. Introduction
The IP/ICMP translation document of IPv4/IPv6 translation [RFC6145] The IP/ICMP translation document of IPv4/IPv6 translation [RFC6145]
states that "the IPv6 addresses in the ICMPv6 header may not be IPv4- states that "the IPv6 addresses in the ICMPv6 header may not be IPv4-
translatable addresses and there will be no corresponding IPv4 translatable addresses and there will be no corresponding IPv4
addresses represented of this IPv6 address. In this case, the addresses represented of this IPv6 address. In this case, the
translator can do stateful translation. A mechanism by which the translator can do stateful translation. A mechanism by which the
translator can instead do stateless translation is left for future translator can instead do stateless translation is left for future
work." This document defines such a stateless translation mechanism. work." This document presents recommendations for this case.
2. Notational Conventions 2. Notational Conventions
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
document, are to be interpreted as described in [RFC2119]. document, are to be interpreted as described in [RFC2119].
3. Problem Statement and Considerations 3. Problem Statement and Considerations
When a stateless IPv4/IPv6 translator receives an ICMPv6 message (for When a stateless IPv4/IPv6 translator receives an ICMPv6 message (for
skipping to change at page 3, line 44 skipping to change at page 3, line 44
It is also a consideration that the IPv4/IPv6 translation is intended It is also a consideration that the IPv4/IPv6 translation is intended
for use in contexts where IPv4 addresses may not be readily for use in contexts where IPv4 addresses may not be readily
available, so it is not considered to be appropriate to use IPv4- available, so it is not considered to be appropriate to use IPv4-
translatable IPv6 addresses for all internal points in the IPv6 translatable IPv6 addresses for all internal points in the IPv6
network that may originate ICMPv6 messages. network that may originate ICMPv6 messages.
It is also an objective that it is possible for the IPv4 recipient of It is also an objective that it is possible for the IPv4 recipient of
the ICMP message be able to distinguish between different IPv6 ICMPv6 the ICMP message be able to distinguish between different IPv6 ICMPv6
originations (for example, to support a traceroute diagnostic utility originations (for example, to support a traceroute diagnostic utility
that provides some limited network level visibility across the IPv4/ that provides some limited network level visibility across the IPv4/
IPv6 translator). This implies that a IPv4/IPv6 translator needs to IPv6 translator). This implies that an IPv4/IPv6 translator needs to
have a pool of IPv4 addresses to be used for mapping the source have a pool of IPv4 addresses for mapping the source address of
address of ICMPv6 packets generated from different originations. ICMPv6 packets generated from different originations, or to include
the IPv6 source address information for mapping the source address by
These addresses are for use in the source address of ICMP packets, others means.
and therefore are not intended to be used as a destination address
for any packet. It is therefore possible to use a common address
pool for the IPv4/IPv6 translation protocol, and, considering an
objective of constraining the use of these IPv4 addresses in this
application, it is feasible to use a common address pool for mapping
the source addresses of non-translatable ICMPv6 packets as a part of
the protocol specification.
These considerations leads to the recommendation of drawing an IPv4
/24 prefix from the IANA Special Purpose Address Registry as a "Well-
Known Prefix" for use by IPv4/IPv6 translators for the purpose of
mapping otherwise untranslatable IPv6 source addresses of ICMPv6
messages to IPv4 ICMP messages.
The ICMP extension defined by [RFC5837] provides a mechanism to These considerations leads to the recommendation of using the a
process the ICMPv4 messages that contain IP Address Sub-Objects that single (or small pool) of public IPv4 address as the source address
specify IPv6 addresses. However, an enhanced traceroute application of translated ICMP and using ICMP extension [RFC5837] to include IPv6
must be used, which has not yet been widely available. In this address as Interface IP Address Sub-Object.
document, a combined approach is proposed, i.e. non IPv4-translatable
address is mapped to IANA-assigned /24, and the resulting ICMP is
extended according to [RFC5837]. Therefore, ordinary ICMP processing
tools (traceroute) can be utilized in normal cases and when DDoS
happens, enhanced ICMP process tools can be utilized to identify the
real source.
4. Routing Considerations 4. ICMP Extension
Addresses from the assigned address prefix are intended to be used as No matter a single public IPv4 address (in the IPv4 interface or a
source addresses and not as destination addresses in the context of loopback address of the translator) or a pool of public IPv4
the public network. As packets passing through the public network addresses are used, the translator SHOULD implement ICMP extension
need to pass through conventional packet filters, including uRPF defined by [RFC5837]. The resulting ICMP extension SHOULD include
filters [RFC3704], this implies that the assigned address may be used the Interface IP Address Sub-Object that specify the source IPv6
in routing advertisements. Such routing advertisements are non- addresses in the original ICMPv6. When an enhanced traceroute
exclusive and should be accepted from any originating AS in an application is used, it can get the real IPv6 source addresses which
anycast fashion. generate the ICMPv6 messages. Therefore, it is able to traceback to
their origins and take filtering/rate-limiting actions if necessary.
5. Stateless Address Mapping Algorithm 5. Stateless Address Mapping Algorithm
When an IPv4 /24 prefix is allocated to represent the source address If a pool of public IPv4 addresses is configured in the translator,
of ICMP, the translator MUST copy the "Hop Count" in the IPv6 header it is RECOMMENDED to randomly pick up the IPv4 public address in the
of the ICMPv6 to the Last Octet. When routers emit ICMPv6 packets pool. This can somehow avoid the appearance of a routing loop to
with the same hop count, as the ICMPv6 packet is routed through the tools such as traceroute. An enhanced traceroute application is
network its hop count is decreased. However, if the routers emit still RECOMMENDED in order to obtain the real IPv6 source addresses
ICMPv6 packets with different hop counts, it may give the appearance which generate the ICMPv6 messages.
of a routing loop to tools such as traceroute. That minor side-
effect in that particular case cannot be avoided while still being
stateless.
6. ICMP Extension
When translator is configured to use the IANA-assigned /24 to map non
IPv4-translatable address, the translator MUST implement ICMP
extension defined by [RFC5837]. The resulting ICMP extension MUST
include the IP address Sub-Objects that specify the source IPv6
addresses in the original ICMPv6. Therefore, an enhanced traceroute
application can get the real IPv6 source addresses which generate the
ICMPv6 messages, be able to traceback to their origins and take
filtering/rate-limiting actions if necessary.
7. Security Considerations
The use of an address for source addresses in ICMP packets is
considered "safe" in so far as ICMP packets are not intended to
generate responses directed to the source address.
However it is possible to use this address as a means of gaining
anonymity when launching a denial of service attacks by using this
address as the source address for other forms of malicious traffic.
Packet firewall filters should be configured to treat addresses in
the IANA-assigned /24 network as martian addresses by discarding all
non-ICMP packets that use the IANA-assigned /24 network as a source
address, and all packets that use the IANA-assigned /24 network as a
destination address.
7.1. Filtering Recommendations
o SHOULD allow ICMP type 3 - Destination Unreachable (inc PTB).
o SHOULD allow ICMP type 11 - Time Exceeded.
o MAY allow ICMP type 12 - Parameter Problem.
o SHOULD NOT allow any of the various ICMP request messages.
7.2. Rate-limiting Recommendations
The rate limiting of traffic from the prefix SHOULD also be enabled
as additional countermeasure against abuse of this prefix. The
methods presented in [RFC4443] [RFC5597] [RFC6192] [RFC6398]
[RFC6450] can be used.
7.3. RFC5837 Recommendations
Advanced filtering and rate-limiting techniques which can process the
ICMP extension defined in [RFC5837] MAY also be used to control the
source of the ICMP.
8. IANA Considerations
IANA is requested to make a permanent assignment of a /24 from the
IPv4 Special Purpose Address Registry [RFC5736]. The assigned
address is to be used in the context of generating an IPv4 source
address for mapped ICMPv6 packets being passed through a stateless
IPv4/IPv6 translator. The assignment is under the category of a
specialized use of a designated address block in an anycast context
associated with an Internet Standards Track protocol.
The IANA IPv4 Special Purpose Address Registry records are:
o Prefix 192.70.192.0/24
o Description: To be used in the context of generating an IPv4
source address for mapped ICMPv6 packets being passed through a
stateless IPv4/IPv6 translator.
o Begin: 2011-06-01
o End: Never
o Purpose: Stateless ICMPv6/ICMP translation 6. Security Considerations
o Contact: See RFC This document does not introduce any new security considerations.
o Scope: Addresses from the assigned address prefix are intended to 7. IANA Considerations
be used as source addresses and not as destination addresses in
the context of the public network.
o RFC: This draft. None.
9. Acknowledgments 8. Acknowledgments
The authors would like to acknowledge the following contributors of The authors would like to acknowledge the following contributors of
this document: Kevin Yin, Chris Metz and Neeraj Gupta. this document: Kevin Yin, Chris Metz and Neeraj Gupta. The authors
would also like to thank Ronald Bonica, Ray Hunter, George Wes, Yu
10. References Guanghui, Sowmini Varadhan, David Farmer, Fred Baker, Leo Vegoda,
Joel Jaeggli, Henrik Levkowetz, Henrik Levkowetz, Randy Bush and
Warren Kumari for their comments and suggestions.
10.1. Normative References 9. Normative References
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996. BCP 5, RFC 1918, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, March 2004. Networks", BCP 84, RFC 3704, March 2004.
[RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
Message Protocol (ICMPv6) for the Internet Protocol Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification", RFC 4443, March 2006. Version 6 (IPv6) Specification", RFC 4443, March 2006.
[RFC5597] Denis-Courmont, R., "Network Address Translation (NAT)
Behavioral Requirements for the Datagram Congestion
Control Protocol", BCP 150, RFC 5597, September 2009.
[RFC5837] Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR. [RFC5837] Atlas, A., Bonica, R., Pignataro, C., Shen, N., and JR.
Rivers, "Extending ICMP for Interface and Next-Hop Rivers, "Extending ICMP for Interface and Next-Hop
Identification", RFC 5837, April 2010. Identification", RFC 5837, April 2010.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, April 2011. Algorithm", RFC 6145, April 2011.
[RFC6398] Le Faucheur, F., "IP Router Alert Considerations and
Usage", BCP 168, RFC 6398, October 2011.
[RFC6450] Venaas, S., "Multicast Ping Protocol", RFC 6450,
December 2011.
10.2. Informative References
[RFC5736] Huston, G., Cotton, M., and L. Vegoda, "IANA IPv4 Special
Purpose Address Registry", RFC 5736, January 2010.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, March 2011.
Authors' Addresses Authors' Addresses
Xing Li Xing Li
CERNET Center/Tsinghua University CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University Room 225, Main Building, Tsinghua University
Beijing 100084 Beijing 100084
CN CN
Phone: +86 10-62785983 Phone: +86 10-62785983
Email: xing@cernet.edu.cn Email: xing@cernet.edu.cn
 End of changes. 22 change blocks. 
167 lines changed or deleted 51 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/