draft-ietf-v6ops-siit-dc-2xlat-02.txt   rfc7756.txt 
IPv6 Operations T. Anderson Internet Engineering Task Force (IETF) T. Anderson
Internet-Draft Redpill Linpro Request for Comments: 7756 Redpill Linpro
Intended status: Informational S. Steffann Category: Informational S. Steffann
Expires: April 14, 2016 S.J.M. Steffann Consultancy ISSN: 2070-1721 S.J.M. Steffann Consultancy
October 12, 2015 February 2016
SIIT-DC: Dual Translation Mode Stateless IP/ICMP Translation for IPv6 Internet Data Center
draft-ietf-v6ops-siit-dc-2xlat-02 Environments (SIIT-DC): Dual Translation Mode
Abstract Abstract
This document describes an extension of the Stateless IP/ICMP This document describes an extension of the Stateless IP/ICMP
Translation for IPv6 Internet Data Centre Environments architecture Translation for IPv6 Internet Data Center Environments (SIIT-DC)
(SIIT-DC), which allows applications, protocols, or nodes that are architecture, which allows applications, protocols, or nodes that are
incompatible with IPv6, and/or Network Address Translation to operate incompatible with IPv6 and/or Network Address Translation to operate
correctly in an SIIT-DC environment. This is accomplished by correctly with SIIT-DC. This is accomplished by introducing a new
introducing a new component called an SIIT-DC Edge Relay, which component called an SIIT-DC Edge Relay, which reverses the
reverses the translations made by an SIIT-DC Border Relay. The translations made by an SIIT-DC Border Relay. The application and/or
application and/or node is thus provided with seemingly native IPv4 node is thus provided with seemingly native IPv4 connectivity that
connectivity that provides end-to-end address transparency. provides end-to-end address transparency.
The reader is expected to be familiar with the SIIT-DC architecture The reader is expected to be familiar with the SIIT-DC architecture
described in I-D.ietf-v6ops-siit-dc. described in RFC 7755.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
This Internet-Draft will expire on April 14, 2016. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7756.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Edge Relay Description . . . . . . . . . . . . . . . . . . . 4 3. Edge Relay Description . . . . . . . . . . . . . . . . . . . 5
3.1. Node-Based Edge Relay . . . . . . . . . . . . . . . . . . 5 3.1. Node-Based Edge Relay . . . . . . . . . . . . . . . . . . 6
3.2. Network-Based Edge Relay . . . . . . . . . . . . . . . . 7 3.2. Network-Based Edge Relay . . . . . . . . . . . . . . . . 7
3.2.1. Edge Router "On A Stick" . . . . . . . . . . . . . . 8 3.2.1. Edge Relay "on a Stick" . . . . . . . . . . . . . . . 8
3.2.2. Edge Router that Bridges IPv6 Packets . . . . . . . . 9 3.2.2. Edge Relay That Bridges IPv6 Packets . . . . . . . . 9
4. Deployment Considerations . . . . . . . . . . . . . . . . . . 9 4. Deployment Considerations . . . . . . . . . . . . . . . . . . 9
4.1. IPv6 Path MTU . . . . . . . . . . . . . . . . . . . . . . 9 4.1. IPv6 Path MTU . . . . . . . . . . . . . . . . . . . . . . 9
4.2. IPv4 MTU . . . . . . . . . . . . . . . . . . . . . . . . 10 4.2. IPv4 MTU . . . . . . . . . . . . . . . . . . . . . . . . 10
4.3. IPv4 Identification Header . . . . . . . . . . . . . . . 10 4.3. IPv4 Identification Header . . . . . . . . . . . . . . . 10
5. Intra-IDC IPv4 Communication . . . . . . . . . . . . . . . . 10 5. Intra-IDC IPv4 Communication . . . . . . . . . . . . . . . . 10
5.1. Hairpinning by the SIIT-DC Border Relay . . . . . . . . . 10 5.1. Hairpinning by the SIIT-DC Border Relay . . . . . . . . . 11
5.2. Additional EAMs Configured in Edge Relay . . . . . . . . 11 5.2. Additional EAMs Configured in Edge Relay . . . . . . . . 12
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7.1. Normative References . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 7.2. Informative References . . . . . . . . . . . . . . . . . 14
9.1. Normative References . . . . . . . . . . . . . . . . . . 14 Appendix A. Examples: Network-Based IPv4 Connectivity . . . . . 16
9.2. Informative References . . . . . . . . . . . . . . . . . 14
Appendix A. Examples: Network-Based IPv4 Connectivity . . . . . 15
A.1. Subnet with IPv4 Service Addresses . . . . . . . . . . . 16 A.1. Subnet with IPv4 Service Addresses . . . . . . . . . . . 16
A.2. Subnet with Unrouted IPv4 Addresses . . . . . . . . . . . 16 A.2. Subnet with Unrouted IPv4 Addresses . . . . . . . . . . . 16
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
SIIT-DC [I-D.ietf-v6ops-siit-dc] describes an architecture where SIIT-DC [RFC7755] describes an architecture where IPv4-only users can
IPv4-only users can access IPv6-only services through a stateless access IPv6-only services through a stateless translator called an
translator called an SIIT-DC Border Relay (BR). This approach has SIIT-DC Border Relay (BR). This approach has certain limitations,
certain limitations, however. In particular, the following cases however. In particular, the following cases will work poorly or not
will work poorly or not at all: at all:
o Application protocols that do not support NAT (i.e., the lack of o Application protocols that do not support NAT (i.e., the lack of
end-to-end transparency of IP addresses). end-to-end transparency of IP addresses).
o Nodes that cannot connect to IPv6 networks at all, or that can o Nodes that cannot connect to IPv6 networks at all or that can only
only connect such networks if they also provide IPv4 connectivity connect such networks if they also provide IPv4 connectivity
(i.e., dual-stacked networks). (i.e., dual-stacked networks).
o Application software which makes use of legacy IPv4-only APIs, or o Application software that makes use of legacy IPv4-only APIs or
otherwise makes assumptions that IPv4 connectivity is available. otherwise makes assumptions that IPv4 connectivity is available.
By extending the SIIT-DC architecture with a new component called an By extending the SIIT-DC architecture with a new component called an
Edge Relay (ER), all of the above can be made to work correctly in an Edge Relay (ER), all of the above can be made to work correctly in an
otherwise IPv6-only network environment using SIIT-DC. otherwise IPv6-only network environment using SIIT-DC.
The purpose of the ER is to reverse the IPv4-to-IPv6 packet The purpose of the ER is to reverse the IPv4-to-IPv6 packet
translations previously done by the BR for traffic arriving from IPv4 translations previously done by the BR for traffic arriving from IPv4
clients and forward this as "native" IPv4 to the node or application. clients and forward this as "native" IPv4 to the node or application.
In the reverse direction, IPv4 packets transmitted by the node or In the reverse direction, IPv4 packets transmitted by the node or
skipping to change at page 3, line 31 skipping to change at page 3, line 42
before they are forwarded to the BR, which in turn will reverse the before they are forwarded to the BR, which in turn will reverse the
translations and forward them to the IPv4 client. The node or translations and forward them to the IPv4 client. The node or
application is thus provided with "virtual" IPv4 Internet application is thus provided with "virtual" IPv4 Internet
connectivity that retains end-to-end transparency for the IPv4 connectivity that retains end-to-end transparency for the IPv4
addresses. addresses.
2. Terminology 2. Terminology
This document makes use of the following terms: This document makes use of the following terms:
SIIT-DC Border Relay (BR) SIIT-DC Border Relay (BR):
A device or a logical function that performs stateless protocol A device or a logical function that performs stateless protocol
translation between IPv4 and IPv6. It MUST do so in accordance translation between IPv4 and IPv6. It MUST do so in accordance
with [RFC6145] and [I-D.ietf-v6ops-siit-eam]. with [RFC6145] and [RFC7757].
SIIT-DC Edge Relay (ER) SIIT-DC Edge Relay (ER):
A device or logical function that provides "native" IPv4 A device or logical function that provides "native" IPv4
connectivity to IPv4-only devices or application software. It is connectivity to IPv4-only devices or application software. It is
very similar in function to a BR, but is typically located close very similar in function to a BR but is typically located close to
to the IPv4-only component(s) it is supporting rather than on the the IPv4-only component(s) it is supporting rather than on the
IDC's outer network border. An ER may be either Node-Based outer network border of the Internet Data Center (IDC). An ER may
(Section 3.1) or Network-Based (Section 3.2). be either node based (Section 3.1) or network based (Section 3.2).
IPv4 Service Address IPv4 Service Address:
An IPv4 address representing a node or service located in an IPv6 An IPv4 address representing a node or service located in an IPv6
network. It is coupled with an IPv6 Service Address using an EAM. network. It is coupled with an IPv6 Service Address using an
Packets sent to this address is translated to IPv6 by the BR, and Explicit Address Mapping (EAM). Packets sent to this address are
possibly back to IPv4 by an ER, before reaching the node or translated to IPv6 by the BR, and possibly back to IPv4 by an ER,
service. before reaching the node or service.
IPv6 Service Address IPv6 Service Address:
An IPv6 address assigned to an application, node, or service; An IPv6 address assigned to an application, node, or service
either directly or indirectly (through an ER). It is coupled with either directly or indirectly (through an ER). It is coupled with
an IPv4 Service Address using an EAM. IPv4-only clients an IPv4 Service Address using an EAM. IPv4-only clients
communicates with the IPv6 Service Address through SIIT-DC. communicate with the IPv6 Service Address through SIIT-DC.
Explicit Address Mapping (EAM) Explicit Address Mapping (EAM):
A bi-directional coupling between an IPv4 Service Address and an A bidirectional coupling between an IPv4 Service Address and an
IPv6 Service Address configured in a BR or ER. When translating IPv6 Service Address configured in a BR or ER. When translating
between IPv4 and IPv6, the BR/ER changes the address fields in the between IPv4 and IPv6, the BR/ER changes the address fields in the
translated packet's IP header according to any matching EAM. The translated packet's IP header according to any matching EAM. The
EAM algorithm is specified in [I-D.ietf-v6ops-siit-eam]. EAM algorithm is specified in [RFC7757].
Translation Prefix Translation Prefix:
An IPv6 prefix into which the entire IPv4 address space is mapped, An IPv6 prefix into which the entire IPv4 address space is mapped,
according to the algorithm in [RFC6052]. The Translation Prefix according to the algorithm in [RFC6052]. The translation prefix
is routed to the BR's IPv6 interface. When translating between is routed to the BR's IPv6 interface. When translating between
IPv4 and IPv6, an BR/ER will insert/remove the Translation Prefix IPv4 and IPv6, a BR/ER will insert/remove the translation prefix
into/from the address fields in the translated packet's IP header, into/from the address fields in the translated packet's IP header,
unless an EAM exists for the IP address that is being translated. unless an EAM exists for the IP address that is being translated.
IPv4-converted IPv6 addresses IPv4-Converted IPv6 Addresses:
As defined in Section 1.3 of [RFC6052]. As defined in Section 1.3 of [RFC6052].
IDC IDC:
Short for "Internet Data Centre"; a data centre whose main purpose Short for "Internet Data Center"; a data center whose main purpose
is to deliver services to the public Internet, the use case SIIT- is to deliver services to the public Internet. SIIT-DC is
DC is primarily targeted at. IDCs are typically operated by primarily targeted at being deployed in an IDC. An IDC is
Internet Content Providers or Managed Services Providers. typically operated by an Internet Content Provider or a Managed
Services Provider.
SIIT SIIT:
The Stateless IP/ICMP Translation algorithm, as specified in The Stateless IP/ICMP Translation Algorithm, as specified in
[RFC6145]. [RFC6145].
XLAT XLAT:
Short for "Translation". Used in figures to indicate where a BR/ Short for "Translation". Used in figures to indicate where a BR/
ER uses SIIT [RFC6145] to translate IPv4 packets to IPv6 and vice ER uses SIIT [RFC6145] to translate IPv4 packets to IPv6 and vice
versa. versa.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Edge Relay Description 3. Edge Relay Description
An Edge Relay (ER) is at its core an implementation of the Stateless
IP/ICMP Translation algorithm [RFC6145] that supports Explicit An ER is at its core an implementation of the Stateless IP/ICMP
Address Mappings [I-D.ietf-v6ops-siit-eam]. It provides virtual IPv4 Translation Algorithm [RFC6145] that supports Explicit Address
connectivity for nodes or applications which require this to operate Mappings [RFC7757]. It provides virtual IPv4 connectivity for nodes
correctly in an SIIT-DC environment. or applications that require this to operate correctly with SIIT-DC.
Packets from the IPv4 Internet destined for an IPv4 Service Address Packets from the IPv4 Internet destined for an IPv4 Service Address
is first translated to IPv6 by a BR. The resulting IPv6 packets are are first translated to IPv6 by a BR. The resulting IPv6 packets are
subsequently forwarded to the ER that owns the IPv6 Service Address subsequently forwarded to the ER that owns the IPv6 Service Address
the translated packets are addressed to. The ER then translates them the translated packets are addressed to. The ER then translates them
back to IPv4 before forwarding them to the IPv4 application or node. back to IPv4 before forwarding them to the IPv4 application or node.
In the other direction, the exact same translations happen, only in In the other direction, the exact same translations happen, only in
reverse. This process provides end-to-end transparency of IPv4 reverse. This process provides end-to-end transparency of IPv4
addresses. addresses.
An ER may handle an arbitrary number of IPv4/IPv6 Service Addresses. An ER may handle an arbitrary number of IPv4/IPv6 Service Addresses.
All the EAMs configured in the BR that involve the IPv4/IPv6 Service All the EAMs configured in the BR that involve the IPv4/IPv6 Service
Addresses handled by an ER MUST also be present in the ER's Addresses handled by an ER MUST also be present in the ER's
configuration. configuration.
An ER may be implemented in two distinct ways; as a software-based An ER may be implemented in two distinct ways: as a software-based
service residing inside an otherwise IPv6-only node, or as a network- service residing inside an otherwise IPv6-only node or as a network-
based service that provides an isolated IPv4 network segment to which based service that provides an isolated IPv4 network segment to which
nodes that require IPv4 can connect. In both cases native IPv6 nodes that require IPv4 can connect. In both cases, native IPv6
connectivity may be provided simultaneously with the virtual IPv4 connectivity may be provided simultaneously with the virtual IPv4
connectivity. Thus, dual-stack connectivity is facilitated in case connectivity. Thus, dual-stack connectivity is facilitated in case
the node or application support it. the node or application supports it.
The choice between a node- or network-based ER is made on a per- The choice between a node- or network-based ER is made on a per-
service or per-node basis. An arbitrary number of each type of ER service or per-node basis. An arbitrary number of each type of ER
may co-exist in an SIIT-DC architecture. may co-exist in an SIIT-DC architecture.
This section describes the different approaches and discusses which This section describes the different approaches and discusses which
approach fits best for the various use cases. approach fits best for the various use cases.
3.1. Node-Based Edge Relay 3.1. Node-Based Edge Relay
A Node-based Edge Relay
[IPv4 Internet] [IPv6 Internet] [IPv4 Internet] [IPv6 Internet]
| | | |
+-----|-----+ | +-----|-----+ |
| (BR/XLAT) | | | (BR/XLAT) | |
+-----|-----+ | +-----|-----+ |
| | +-----<IPv6-only node/server>----------+ | | +-----<IPv6-only node/server>----------+
[IPv6-only IDC network] | +----------------+| [IPv6-only IDC network] | +----------------+|
| | /--(ER/XLAT)--AF_INET Dual-stack || | | /--(ER/XLAT)--AF_INET Dual-stack ||
\-------------------------+ | Application || \-------------------------+ | application ||
| \------------AF_INET6 Software || | \------------AF_INET6 software ||
| +----------------+| | +----------------+|
+--------------------------------------+ +--------------------------------------+
Figure 1 Figure 1: A Node-Based Edge Relay
A node-based ER is typically implemented as a logical software A node-based ER is typically implemented as a logical software
function that runs inside the operating system of an IPv6 node. It function that runs inside the operating system of an IPv6 node. It
provides applications running on the same node with IPv4 provides applications running on the same node with IPv4
connectivity. Its IPv4 Service Address SHOULD be considered a connectivity. Its IPv4 Service Address SHOULD be considered a
regular local address that allows application running on the same regular local address that allows applications running on the same
node to use it with IPv4-only API calls, e.g., to create AF_INET node to use it with IPv4-only API calls, e.g., to create AF_INET
sockets that listen for and accept incoming connections to its IPv4 sockets that listen for and accept incoming connections to its IPv4
Service Address. An ER may accomplish this by creating a virtual Service Address. An ER may accomplish this by creating a virtual
network adapter to which it assigns the IPv4 Service Address and network adapter to which it assigns the IPv4 Service Address and
points a default IPv4 route. This approach is similar to the "Bump- points a default IPv4 route. This approach is similar to the
in-the-Stack" approach discussed in [RFC6535], however it does not "Bump-in-the-Stack" approach discussed in [RFC6535]; however, it does
include an Extension Name Resolver. not include an Extension Name Resolver.
As shown in Figure 1, if the application supports dual-stack As shown in Figure 1, if the application supports dual-stack
operation, IPv6 clients will be able to communicate with it directly operation, IPv6 clients will be able to communicate with it directly
using native IPv6. Neither the BR nor the ER will intercept this using native IPv6. Neither the BR nor the ER will intercept this
communication. Support for IPv6 in the application is however not a communication. Support for IPv6 in the application is, however, not
requirement; the application may opt not to establish any IPv6 a requirement; the application may opt not to establish any IPv6
sockets. Foregoing IPv6 in this manner will simply preclude sockets. Foregoing IPv6 in this manner will simply preclude
connectivity to the service from IPv6-only clients; connectivity to connectivity to the service from IPv6-only clients; connectivity to
the service from IPv4 clients (through the BR) will continue work in the service from IPv4 clients (through the BR) will continue work in
the same way. the same way.
The ER requires a dedicated IPv6 Service Address for each IPv4 The ER requires a dedicated IPv6 Service Address for each IPv4
Service Address it has configured. The IPv6 network MUST forward Service Address it has configured. The IPv6 network MUST forward
traffic to these IPv6 Service Addresses to the node, whose operating traffic to these IPv6 Service Addresses to the node, whose operating
system MUST in turn forward them to the ER. This document does not system MUST in turn forward them to the ER. This document does not
attempt to fully explore the multitude of ways this could be attempt to fully explore the multitude of ways this could be
accomplished, however considering that the IPv6 protocol is designed accomplished; however, considering that the IPv6 protocol is designed
for having multiple addresses assigned to a single node, one for having multiple addresses assigned to a single node, one
particularly straight-forward way would be to assign the ER's IPv6 particularly straight-forward way would be to assign the ER's IPv6
Service Addresses as secondary IPv6 addresses on the node itself so Service Addresses as secondary IPv6 addresses on the node itself so
that it the upstream router learns of their location using the IPv6 that the upstream router learns of their location using the IPv6
Neighbor Discovery Protocol [RFC4861]. Neighbor Discovery Protocol [RFC4861].
3.2. Network-Based Edge Relay 3.2. Network-Based Edge Relay
A Basic Network-based Edge Relay
[IPv4 Internet] [IPv6 Internet] [IPv4 Internet] [IPv6 Internet]
| | | |
+-----|-----+ | +-----|-----+ |
| (BR/XLAT) | | | (BR/XLAT) | |
+-----|-----+ | +-----|-----+ |
| | | |
[IPv6-only IDC network] +--<IPv4-only node/server>--+ [IPv6-only IDC network] +--<IPv4-only node/server>--+
| | +----------------+| | | +----------------+|
+-----|-----+ [v4-only] | | IPv4-only || +-----|-----+ [v4-only] | | IPv4-only ||
| (ER/XLAT)-----[network]--------AF_INET Application || | (ER/XLAT)-----[network]--------AF_INET application ||
+-----------+ [segment] | | Software || +-----------+ [segment] | | software ||
| +----------------+| | +----------------+|
+---------------------------+ +---------------------------+
Figure 2 Figure 2: A Basic Network-Based Edge Relay
A network-based ER performs the exact same as a node-based ER does, A network-based ER functions the exact same way as a node-based ER
only that instead of assigning the IPv4 Service Addresses to an does, only that instead of assigning the IPv4 Service Addresses to an
internal-only virtual network adapter, traffic destined for them are internal-only virtual network adapter, traffic destined for them are
forwarded onto a network segment to which nodes that require IPv4 forwarded onto a network segment to which nodes that require IPv4
connectivity connect to. The ER also functions as the default IPv4 connectivity connect to. The ER also functions as the default IPv4
router for the nodes on this network segment. router for the nodes on this network segment.
Each node on the IPv4 network segment MUST acquire and assign an IPv4 Each node on the IPv4 network segment MUST acquire and assign an IPv4
Service Address to a local network interface. While this document Service Address to a local network interface. While this document
does not attempt to explore all the various methods by which this does not attempt to explore all the various methods by which this
could be accomplished, some examples are provided in Appendix A. could be accomplished, some examples are provided in Appendix A.
The basic ER illustrated in Figure 2 establishes an IPv4-only network The basic ER illustrated in Figure 2 establishes an IPv4-only network
segment between itself and the IPv4-only nodes it serves. This is segment between itself and the IPv4-only nodes it serves. This is
fine if the nodes it provides IPv4 access have no support for IPv6 fine if the nodes it provides IPv4 access to have no support for IPv6
whatsoever; however if they are dual-stack capable, it is would not whatsoever; however, if they are dual-stack capable, it would not be
be ideal to take away their IPv6 connectivity in this manner. While ideal to take away their IPv6 connectivity in this manner. While it
it is RECOMMENDED to use a node-based ER in this case, appropriate is RECOMMENDED to use a node-based ER in this case, appropriate
implementations of a node-based ER might not be available for every implementations of a node-based ER might not be available for every
node. If the application protocol in question does not work node. If the application protocol in question does not work
correctly in a NAT environment, standard SIIT-DC cannot be used correctly in a NAT environment, standard SIIT-DC cannot be used
either, which leaves a network-based ER is the only remaining either, which leaves a network-based ER as the only remaining
solution. The following subsections contains examples on how the ER solution. The following subsections contain examples on how the ER
could be implemented in a way that provides IPv6 connectivity for could be implemented in a way that provides IPv6 connectivity for
dual-stack capable nodes. dual-stack capable nodes.
3.2.1. Edge Router "On A Stick" 3.2.1. Edge Relay "on a Stick"
A Network-based Edge Relay "On A Stick"
[IPv4 Internet] [IPv6 Internet] [IPv4 Internet] [IPv6 Internet]
| | | |
+-----|-----+ | +-----|-----+ |
| (BR/XLAT) | | | (BR/XLAT) | |
+-----|-----+ | +-----|-----+ |
| | | |
[IPv6-only IDC network] [IPv6-only IDC network]
| |
| +-------------+ | +-------------+
| | _IPv6_ | | | _IPv6_ |
| | / \ | | | / \ |
+==== (ER/XLAT) | +==== (ER/XLAT) |
| | \_ _/ | | | \_ _/ |
| | IPv4 | +--<Dual stack node/server>--+ | | IPv4 | +--<Dual-stack node/server>--+
| +-------------+ | +----------------+| | +-------------+ | +----------------+|
| | /---AF_INET Dual-stack || | | /---AF_INET Dual-stack ||
[Dual-stack network segment]----< | Application || [Dual-stack network segment]----< | application ||
| \--AF_INET6 Software || | \--AF_INET6 software ||
| +----------------+| | +----------------+|
+----------------------------+ +----------------------------+
Figure 3 Figure 3: A Network-Based Edge Relay "on a Stick"
The ER "On A Stick" approach illustrated in Figure 3 ensures that the The ER "on a stick" approach illustrated in Figure 3 ensures that the
dual-stack capable node retains native IPv6 connectivity by dual-stack capable node retains native IPv6 connectivity by
connecting the ER's IPv4 and IPv6 interfaces to the same network connecting the ER's IPv4 and IPv6 interfaces to the same network
segment, alternatively by using a single dual-stacked interface. segment, alternatively by using a single dual-stacked interface.
Native IPv6 traffic between the IDC network and the node bypasses the Native IPv6 traffic between the IDC network and the node bypasses the
ER entirely, while IPv4 traffic from the node will be routed directly ER entirely, while IPv4 traffic from the node will be routed directly
to the ER (because it acts as its default IPv4 router), where it is to the ER (because it acts as its default IPv4 router), where it is
translated to IPv6 before being transmitted to the upstream default translated to IPv6 before being transmitted to the upstream default
IPv6 router. The ER could attract inbound traffic to the IPv6 IPv6 router. The ER could attract inbound traffic to the IPv6
Service Addresses by responding to the upstream router's IPv6 Service Addresses by responding to the upstream router's IPv6
Neighbor Discovery [RFC4861] messages for them. Neighbor Discovery [RFC4861] messages for them.
3.2.2. Edge Router that Bridges IPv6 Packets 3.2.2. Edge Relay That Bridges IPv6 Packets
A Network-based Edge Relay containing an IPv6 Bridge
[IPv4 Internet] [IPv6 Internet] [IPv4 Internet] [IPv6 Internet]
| | | |
+-----|-----+ | +-----|-----+ |
| (BR/XLAT) | | | (BR/XLAT) | |
+-----|-----+ | +-----|-----+ |
| | | |
[IPv6-only IDC network] [IPv6-only IDC network]
| |
+-----------|--------------+ +-----------|--------------+
| ____/ \_IPv6_ | | ____/ \_IPv6_ |
| / \ | | / \ |
| (IPv6 Bridge) (ER/XLAT) | | (IPv6 Bridge) (ER/XLAT) |
| \____ _ _/ | | \____ _ _/ |
| \ / IPv4 | +--<Dual stack node/server>--+ | \ / IPv4 | +--<Dual-stack node/server>--+
+-----------|--------------+ | +----------------+| +-----------|--------------+ | +----------------+|
| | /---AF_INET Dual-stack || | | /---AF_INET Dual-stack ||
[Dual-stack network segment]----< | Application || [Dual-stack network segment]----< | application ||
| \--AF_INET6 Software || | \--AF_INET6 software ||
| +----------------+| | +----------------+|
+----------------------------+ +----------------------------+
Figure 4 Figure 4: A Network-Based Edge Relay Containing an IPv6 Bridge
The ER illustrated in Figure 4 will transparently bridge IPv6 frames The ER illustrated in Figure 4 will transparently bridge IPv6 frames
between its upstream and downstream interfaces. IPv6 packets between its upstream and downstream interfaces. IPv6 packets sent
addressed the ER's own IPv6 Service Addresses from the upstream IDC from the upstream IDC network to an IPv6 Service Address are
network are intercepted (e.g., by responding to IPv6 Neighbor intercepted by the ER (e.g., by responding to IPv6 Neighbor Discovery
Discovery [RFC4861] messages for them) and routed through the [RFC4861] messages for them) and routed through the translation
translation function before being forwarded out its downstream function before being forwarded out the ER's downstream interface as
interface as IPv4 packets. The downstream network segment thus IPv4 packets. The downstream network segment thus becomes dual
becomes dual-stacked. stacked.
4. Deployment Considerations 4. Deployment Considerations
4.1. IPv6 Path MTU 4.1. IPv6 Path MTU
The IPv6 Path MTU between the ER and the BR will typically be larger The IPv6 Path MTU between the ER and the BR will typically be larger
than the default value defined in Section 4 of [RFC6145] (1280 than the default value defined in Section 4 of [RFC6145] (1280
bytes), as it will typically contained within a single administrative bytes), as it will typically be contained within a single
domain. Therefore, it is RECOMMENDED that the IPv6 Path MTU administrative domain. Therefore, it is RECOMMENDED that the IPv6
configured in the ER is raised accordingly. It is RECOMMENDED that Path MTU configured in the ER be raised accordingly. It is
the ER and the BR use identical configured IPv6 Path MTU values. RECOMMENDED that the ER and the BR use identical configured IPv6 Path
MTU values.
4.2. IPv4 MTU 4.2. IPv4 MTU
In order to avoid IPv6 fragmentation, an ER SHOULD ensure that the In order to avoid IPv6 fragmentation, an ER SHOULD ensure that the
IPv4 MTU used by applications or nodes is equal to the configured IPv4 MTU used by applications or nodes is equal to the configured
IPv6 Path MTU - 20, so that an maximum-sized IPv4 packet can fit in IPv6 Path MTU - 20 so that a maximum-sized IPv4 packet can fit in an
an unfragmented IPv6 packet. This ensures that the application may unfragmented IPv6 packet. This ensures that the application may do
do its part in avoiding IP-level fragmentation from occurring, e.g., its part in avoiding IP-level fragmentation from occurring, e.g., by
by segmenting/fragmenting outbound packets at the application layer, segmenting/fragmenting outbound packets at the application layer, and
and advertising the maximum size its peer may use for inbound packets advertising the maximum size its peer may use for inbound packets
(e.g., through the use of the TCP MSS option). (e.g., through the use of the TCP Maximum Segment Size (MSS) option).
A node-based ER could accomplish this by configuring this MTU value A node-based ER could accomplish this by configuring this MTU value
on the virtual network adapter, while a network-based ER could do so on the virtual network adapter, while a network-based ER could do so
by advertising the MTU to its downstream nodes using the DHCPv4 by advertising the MTU to its downstream nodes using the DHCPv4
Interface MTU Option [RFC2132]. Interface MTU option [RFC2132].
4.3. IPv4 Identification Header 4.3. IPv4 Identification Header
If the generation of IPv6 Atomic Fragments is disabled, the value of If the generation of IPv6 Atomic Fragments is disabled, the value of
the IPv4 Identification header will be lost during the translation. the IPv4 Identification header will be lost during the translation.
Conversely, enabling the generation of IPv6 Atomic Fragments will Conversely, enabling the generation of IPv6 Atomic Fragments will
ensure that the IPv4 Identification Header will carried end-to-end. ensure that the IPv4 Identification header will be carried end to
Note that for this to work bi-directionally, IPv6 Atomic Fragment end. Note that for this to work bidirectionally, IPv6 Atomic
generation MUST be enabled on both the BR and the ER. Fragment generation MUST be enabled on both the BR and the ER.
Apart from certain diagnostic tools, there are few (if any) Apart from certain diagnostic tools, there are few (if any)
application protocols that make use of the IPv4 Identification application protocols that make use of the IPv4 Identification
header. Therefore, the loss of the IPv4 Identification value will header. Therefore, the loss of the IPv4 Identification value will
therefore generally not cause any problems. generally not cause any problems.
IPv6 Atomic Fragments and their impact on the IPv4 Identification IPv6 Atomic Fragments and their impact on the IPv4 Identification
header is further discussed in Section 4.9.2 of header is further discussed in Section 4.9.2 of [RFC7755].
[I-D.ietf-v6ops-siit-dc].
5. Intra-IDC IPv4 Communication 5. Intra-IDC IPv4 Communication
Although SIIT-DC is primarily intended to facilitate communication Although SIIT-DC is primarily intended to facilitate communication
between IPv4-only nodes on the Internet and services located in an between IPv4-only nodes on the Internet and services located in an
IPv6-only IDC network, an IPv4-only node or application located IPv6-only IDC network, an IPv4-only node or application located
behind an ER might need to communicate with other nodes or services behind an ER might need to communicate with other nodes or services
in the IDC. The IPv4-only node or application will need to so in the IDC. The IPv4-only node or application will need to go
through the ER, as it will typically be incapable to contact IPv6 through the ER, as it will typically be incapable of contacting IPv6
destinations directly. The following subsections discusses various destinations directly. The following subsections discuss various
methods on how to facilitate such communication. methods on how to facilitate such communication.
5.1. Hairpinning by the SIIT-DC Border Relay 5.1. Hairpinning by the SIIT-DC Border Relay
If the BR supports hairpinning as described in Section 4.2 of If the BR supports hairpinning as described in Section 4.2 of
[I-D.ietf-v6ops-siit-eam], the easiest solution is to make the target [RFC7757], the easiest solution is to make the target service
service available through SIIT-DC in the normal way, that is, by available through SIIT-DC in the normal way; that is, by provisioning
provisioning an EAM to the BR that assigns an IPv4 Service Address an EAM to the BR that assigns an IPv4 Service Address with the target
with the target service's IPv6 Service Address. service's IPv6 Service Address.
This allows the IPv4-only node or application to transmit packets This allows the IPv4-only node or application to transmit packets
destined for the target service's IPv4 Service Address, which the ER destined for the target service's IPv4 Service Address, which the ER
will then translate to a corresponding IPv4-converted IPv6 address by will then translate to a corresponding IPv4-converted IPv6 address by
inserting the Translation Prefix [RFC6052]. When this IPv6 packet inserting the translation prefix [RFC6052]. When this IPv6 packet
reaches the BR, it will be hairpinned and transmitted back to the reaches the BR, it will be hairpinned and transmitted back to the
target service's IPv6 Service Address (where it could possibly pass target service's IPv6 Service Address (where it could possibly pass
through another ER before reaching the target service). Return through another ER before reaching the target service). Return
traffic from the target service will be hairpinned in the same traffic from the target service will be hairpinned in the same
fashion. fashion.
Hairpinned IPv4-IPv4 packet flow
+-[Pkt#1: IPv4]-+ +--[Pkt#2: IPv6]-------------+ +-[Pkt#1: IPv4]-+ +--[Pkt#2: IPv6]-------------+
| SRC 192.0.2.1 | (XLAT#1) | SRC 2001:db8:a:: | | SRC 192.0.2.1 | (XLAT#1) | SRC 2001:db8:a:: |
| DST 192.0.2.2 |--(@ ER A)-->| DST 2001:db8:46::192.0.2.2 |---\ | DST 192.0.2.2 |--(@ ER A)-->| DST 2001:db8:46::192.0.2.2 |---\
+---------------+ +----------------------------+ | +---------------+ +----------------------------+ |
(XLAT#2) (XLAT#2)
+-[Pkt#4: IPv4]-+ +--[Pkt#3: IPv6]-------------+ ( @ BR ) +-[Pkt#4: IPv4]-+ +--[Pkt#3: IPv6]-------------+ ( @ BR )
| SRC 192.0.2.1 | (XLAT#3) | SRC 2001:db8:46::192.0.2.1 | | | SRC 192.0.2.1 | (XLAT#3) | SRC 2001:db8:46::192.0.2.1 | |
| DST 192.0.2.2 |<--(@ ER B)--| DST 2001:db8:b:: |<--/ | DST 192.0.2.2 |<--(@ ER B)--| DST 2001:db8:b:: |<--/
+---------------+ +----------------------------+ +---------------+ +----------------------------+
Figure 5 Figure 5: Hairpinned IPv4-IPv4 Packet Flow
Figure 5 illustrates the flow of a hairpinned packet sent from the Figure 5 illustrates the flow of a hairpinned packet sent from the
IPv4-only node/app behind ER A towards an IPv6-only node/app behind IPv4-only node/app behind ER A towards an IPv6-only node/app behind
ER B. ER A is configured with the EAM {192.0.2.1,2001:db8:a::}, ER B ER B. ER A is configured with the EAM {192.0.2.1,2001:db8:a::} and
with {192.0.2.2,2001:db8:b::}. The BR is configured with both EAMs, ER B with {192.0.2.2,2001:db8:b::}. The BR is configured with both
and supports hairpinning. Note that if the target service had not EAMs and supports hairpinning. Note that if the target service had
been located behind an ER, the third and final translation (XLAT#3) not been located behind an ER, the third and final translation
would not have happened, i.e., the target service/node would have (XLAT#3) would not have happened, i.e., the target service/node would
received and responded to packet #3 directly. have received and responded to packet #3 directly.
If the IPv4-only nodes/services do not need connectivity with the If the IPv4-only nodes/services do not need connectivity with the
public IPv4 Internet, private IPv4 addresses [RFC1918] could be used public IPv4 Internet, private IPv4 addresses [RFC1918] could be used
as their IPv4 Service Addresses in order to conserve the IDC as their IPv4 Service Addresses in order to conserve the IDC
operator's pool of public IPv4 addresses. operator's pool of public IPv4 addresses.
5.2. Additional EAMs Configured in Edge Relay 5.2. Additional EAMs Configured in Edge Relay
If the BR does not support hairpinning, or if the hairpinning If the BR does not support hairpinning, or if the hairpinning
solution is not desired for some other reason, intra-IDC IPv4 traffic solution is not desired for some other reason, intra-IDC IPv4 traffic
skipping to change at page 12, line 15 skipping to change at page 12, line 20
service the IPv4-only node or application needs to communicate with. service the IPv4-only node or application needs to communicate with.
This makes the IPv6 traffic between the ER and the target service's This makes the IPv6 traffic between the ER and the target service's
IPv6 Service Address follow the direct path through the IPv6 network. IPv6 Service Address follow the direct path through the IPv6 network.
The traffic does not pass the BR, which means that this solution The traffic does not pass the BR, which means that this solution
might yield better latency than the hairpinning approach. might yield better latency than the hairpinning approach.
The additional EAM configured in the ER consists of the target's IPv6 The additional EAM configured in the ER consists of the target's IPv6
Service Address and an IPv4 Service Address. The IPv4-only node or Service Address and an IPv4 Service Address. The IPv4-only node or
application will contact the target's assigned IPv4 Service Address application will contact the target's assigned IPv4 Service Address
using its own IPv4 Service Address as the source. The ER will then using its own IPv4 Service Address as the source. The ER will then
proceed to translate this to an IPv6 packet with the local proceed to translate the original IPv4 packet to an IPv6 packet. The
application/node's own IPv6 Service Address as source and the target source address of the resulting IPv6 packet will be the IPv6 Service
service's IPv6 Service Address as the destination, and forward this Address of the local node or application, while the destination
to the IPv6 network. Replies from the target service will undergo address will be the IPv6 Service Address of the target. Any replies
these translations in reverse. from the target will undergo identical translation, only in reverse.
If the target service is also located behind another ER, that other
ER MUST also be provisioned with an additional EAM that contains the
origin IPv4-only application/node's IPv4 and IPv6 Service Addresses.
Otherwise, the target service's ER will be unable to translate the
source address of the incoming packets.
Non-hairpinned IPv4-IPv4 packet flow If the target service is located behind another ER, that other ER
MUST also be provisioned with an additional EAM that contains the
IPv4 and IPv6 Service Addresses of the origin IPv4-only node or
application. Otherwise, the target service's ER will be unable to
translate the source address of the incoming packets.
+-[Pkt#1: IPv4]-+ +--[Pkt#2: IPv6]---+ +-[Pkt#1: IPv4]-+ +--[Pkt#2: IPv6]---+
| SRC 192.0.2.1 | (XLAT#1) | SRC 2001:db8:a:: | | SRC 192.0.2.1 | (XLAT#1) | SRC 2001:db8:a:: |
| DST 192.0.2.2 |--(@ ER A)-->| DST 2001:db8:b:: | | DST 192.0.2.2 |--(@ ER A)-->| DST 2001:db8:b:: |
+---------------+ +------------------+ +---------------+ +------------------+
| |
+-[Pkt#3: IPv4]-+ | +-[Pkt#3: IPv4]-+ |
| SRC 192.0.2.1 | (XLAT#2) | | SRC 192.0.2.1 | (XLAT#2) |
| DST 192.0.2.2 |<-------(@ ER B)------/ | DST 192.0.2.2 |<-------(@ ER B)------/
+---------------+ +---------------+
Figure 6 Figure 6: Non-hairpinned IPv4-IPv4 Packet Flow
Figure 6 illustrates the flow of a packet carrying intra-IDC IPv4 Figure 6 illustrates the flow of a packet carrying intra-IDC IPv4
traffic between two IPv4-only nodes/applications that are both traffic between two IPv4-only nodes/applications that are both
located behind ERs. Both ER A and ER B are configured with two EAMs: located behind ERs. Both ER A and ER B are configured with two EAMs:
{192.0.2.1,2001:db8:a::} and {192.0.2.2,2001:db8:b::}. The packet {192.0.2.1,2001:db8:a::} and {192.0.2.2,2001:db8:b::}. The packet
will follow the regular routing path through the IPv6 IDC network; will follow the regular routing path through the IPv6 IDC network;
the BR is not involved and the packet will not be hairpinned. the BR is not involved, and the packet will not be hairpinned.
The above approach is not mutually exclusive with the hairpinning The above approach is not mutually exclusive with the hairpinning
approach described in Section 5.1: If both EAMs above are also approach described in Section 5.1: If both EAMs above are also
configured on the BR, both 192.0.2.1 and 192.0.2.2 would be reachable configured on the BR, both 192.0.2.1 and 192.0.2.2 would be reachable
from other IPv4-only services/nodes using the hairpinning approach. from other IPv4-only services/nodes using the hairpinning approach.
They would also be reachable from the IPv4 Internet. They would also be reachable from the IPv4 Internet.
Note that if the target service in this example was not located Note that if the target service in this example was not located
behind an ER, but instead was a native IPv6 service listening on behind an ER, but instead was a native IPv6 service listening on
2001:db8:b::, the second translation step in Figure 6 would not 2001:db8:b::, the second translation step in Figure 6 would not
skipping to change at page 13, line 25 skipping to change at page 13, line 25
directly. directly.
As with the hairpinning approach, if the IPv4-only nodes/services do As with the hairpinning approach, if the IPv4-only nodes/services do
not need connectivity to/from the public IPv4 Internet, private IPv4 not need connectivity to/from the public IPv4 Internet, private IPv4
addresses [RFC1918] could be used as their IPv4 Service Addresses. addresses [RFC1918] could be used as their IPv4 Service Addresses.
Alternatively, in the case where the target service is on native Alternatively, in the case where the target service is on native
IPv6, the target's assigned IPv4 Service Address has only local IPv6, the target's assigned IPv4 Service Address has only local
significance behind the ER. It could therefore be assigned from the significance behind the ER. It could therefore be assigned from the
IPv4 Service Continuity Prefix [RFC7335]. IPv4 Service Continuity Prefix [RFC7335].
6. Acknowledgements 6. Security Considerations
The author would like to especially thank the authors of 464XLAT
[RFC6877]: Masataka Mawatari, Masanobu Kawashima, and Cameron Byrne.
The architecture described by this document is merely an adaptation
of their work to a data centre environment, and could not have
happened without them.
The author would like also to thank the following individuals for
their contributions, suggestions, corrections, and criticisms: Fred
Baker, Tobias Brox, Olafur Gudmundsson, Christer Holmberg, Ray
Hunter, Shucheng LIU (Will), Andrew Yourtchenko.
7. IANA Considerations
This draft makes no request of the IANA.
8. Security Considerations
This section discusses security considerations specific to the use of This section discusses security considerations specific to the use of
an ER. See the Security Considerations section in an ER. See the Security Considerations section in [RFC7755] for
[I-D.ietf-v6ops-siit-dc] for security considerations applicable to security considerations applicable to the SIIT-DC architecture in
the SIIT-DC architecture in general. general.
If the ER receives an IPv4 packet from the application/node from a If the ER receives an IPv4 packet from the application/node from a
source address it does not have an EAM for, both the source and source address it does not have an EAM for, both the source and
destination addresses will be rewritten according to [RFC6052]. destination addresses will be rewritten according to [RFC6052].
After undergoing the reverse translation in the BR, the resulting After undergoing the reverse translation in the BR, the resulting
IPv4 packet routed to the IPv4 network will have a spoofed IPv4 IPv4 packet routed to the IPv4 network will have a spoofed IPv4
source address. The ER SHOULD therefore ensure that ingress source address. The ER SHOULD therefore ensure that ingress
filtering [RFC2827] is used on the ER's IPv4 interface, so that such filtering [RFC2827] is used on the ER's IPv4 interface so that such
packets are immediately discarded. packets are immediately discarded.
If the ER receives an IPv6 packet with both the source and If the ER receives an IPv6 packet with both the source and
destination address equal to one of its local IPv6 Service Addresses, destination address equal to one of its local IPv6 Service Addresses,
the resulting packet would appear to the IPv4-only application/node the resulting packet would appear to the IPv4-only application/node
as locally generated, as both the source address and the destination as locally generated, as both the source address and the destination
address will be the same address. This could trick the application address will be the same address. This could trick the application
into believing the packet came from a trusted source (itself). To into believing the packet came from a trusted source (itself). To
prevent this, the ER SHOULD discard any received IPv6 packets that prevent this, the ER SHOULD discard any received IPv6 packets that
have a source address that is either 1) equal to any of its local have a source address that is either 1) equal to any of its local
IPv6 Service Addresses, or 2) after translation from IPv6 to IPv4, IPv6 Service Addresses or 2) after translation from IPv6 to IPv4,
equal to any of its local IPv4 Service Addresses. equal to any of its local IPv4 Service Addresses.
9. References 7. References
9.1. Normative References
[I-D.ietf-v6ops-siit-dc]
Anderson, T., "SIIT-DC: Stateless IP/ICMP Translation for
IPv6 Data Centre Environments", draft-ietf-v6ops-siit-
dc-02 (work in progress), August 2015.
[I-D.ietf-v6ops-siit-eam] 7.1. Normative References
Anderson, T. and A. Leiva, "Explicit Address Mappings for
Stateless IP/ICMP Translation", draft-ietf-v6ops-siit-
eam-01 (work in progress), June 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
9.2. Informative References [RFC7755] Anderson, T., "SIIT-DC: Stateless IP/ICMP Translation for
IPv6 Data Center Environments", RFC 7755,
DOI 10.17487/RFC7755, February 2016,
<http://www.rfc-editor.org/info/rfc7755>.
[RFC0826] Plummer, D., "Ethernet Address Resolution Protocol: Or [RFC7757] Anderson, T. and A. Leiva, "Explicit Address Mappings for
Stateless IP/ICMP Translation", RFC 7757,
DOI 10.17487/RFC7757, February 2016,
<http://www.rfc-editor.org/info/rfc7757>.
7.2. Informative References
[RFC826] Plummer, D., "Ethernet Address Resolution Protocol: Or
Converting Network Protocol Addresses to 48.bit Ethernet Converting Network Protocol Addresses to 48.bit Ethernet
Address for Transmission on Ethernet Hardware", STD 37, Address for Transmission on Ethernet Hardware", STD 37,
RFC 826, DOI 10.17487/RFC0826, November 1982, RFC 826, DOI 10.17487/RFC0826, November 1982,
<http://www.rfc-editor.org/info/rfc826>. <http://www.rfc-editor.org/info/rfc826>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<http://www.rfc-editor.org/info/rfc1918>. <http://www.rfc-editor.org/info/rfc1918>.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC [RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
2131, DOI 10.17487/RFC2131, March 1997, RFC 2131, DOI 10.17487/RFC2131, March 1997,
<http://www.rfc-editor.org/info/rfc2131>. <http://www.rfc-editor.org/info/rfc2131>.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997, Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
<http://www.rfc-editor.org/info/rfc2132>. <http://www.rfc-editor.org/info/rfc2132>.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <http://www.rfc-editor.org/info/rfc2827>. May 2000, <http://www.rfc-editor.org/info/rfc2827>.
skipping to change at page 15, line 33 skipping to change at page 15, line 20
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
DOI 10.17487/RFC6052, October 2010, DOI 10.17487/RFC6052, October 2010,
<http://www.rfc-editor.org/info/rfc6052>. <http://www.rfc-editor.org/info/rfc6052>.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011, Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
<http://www.rfc-editor.org/info/rfc6145>. <http://www.rfc-editor.org/info/rfc6145>.
[RFC6535] Huang, B., Deng, H., and T. Savolainen, "Dual-Stack Hosts [RFC6535] Huang, B., Deng, H., and T. Savolainen, "Dual-Stack Hosts
Using "Bump-in-the-Host" (BIH)", RFC 6535, DOI 10.17487/ Using "Bump-in-the-Host" (BIH)", RFC 6535,
RFC6535, February 2012, DOI 10.17487/RFC6535, February 2012,
<http://www.rfc-editor.org/info/rfc6535>. <http://www.rfc-editor.org/info/rfc6535>.
[RFC6724] Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown, [RFC6724] Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown,
"Default Address Selection for Internet Protocol Version 6 "Default Address Selection for Internet Protocol Version 6
(IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012, (IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012,
<http://www.rfc-editor.org/info/rfc6724>. <http://www.rfc-editor.org/info/rfc6724>.
[RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
Combination of Stateful and Stateless Translation", RFC Combination of Stateful and Stateless Translation",
6877, DOI 10.17487/RFC6877, April 2013, RFC 6877, DOI 10.17487/RFC6877, April 2013,
<http://www.rfc-editor.org/info/rfc6877>. <http://www.rfc-editor.org/info/rfc6877>.
[RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, DOI [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
10.17487/RFC7335, August 2014, DOI 10.17487/RFC7335, August 2014,
<http://www.rfc-editor.org/info/rfc7335>. <http://www.rfc-editor.org/info/rfc7335>.
Appendix A. Examples: Network-Based IPv4 Connectivity Appendix A. Examples: Network-Based IPv4 Connectivity
A.1. Subnet with IPv4 Service Addresses A.1. Subnet with IPv4 Service Addresses
One relatively straight-forward way to provide IPv4 connectivity One relatively straight-forward way to provide IPv4 connectivity
between the ER and the IPv4 node(s) it serves is to ensure the IPv4 between a network-based ER and the IPv4 node(s) it serves is to
Service Address(es) can be enclosed within a larger IPv4 prefix. The ensure the IPv4 Service Address(es) can be enclosed within a larger
ER may then claim one address in this prefix for itself, and use it IPv4 prefix. The ER may then claim one address in this prefix for
to provide an IPv4 default router address. The ER may then proceed itself and use it to provide an IPv4 default router address and
to assign the IPv4 Service Address(es) to its downstream node(s) assign the IPv4 Service Address(es) to its downstream node(s) using
using DHCPv4 [RFC2131]. For example, if the IPv4 Service Addresses DHCPv4 [RFC2131]. For example, if the IPv4 Service Addresses are
are 192.0.2.26 and 192.0.2.27, the ER would configure the address 192.0.2.26 and 192.0.2.27, the ER would configure the address
192.0.2.25/29 on its IPv4-facing interface and would add the two IPv4 192.0.2.25/29 on its IPv4-facing interface and would add the two IPv4
Service Addresses to its DHCPv4 pool. Service Addresses to its DHCPv4 pool.
One disadvantage of this method is that IPv4 communication between One disadvantage of this method is that IPv4 communication between
the IPv4 node(s) behind the ER and other services made available the IPv4 node(s) behind the ER and other services made available
through SIIT-DC becomes impossible, if those other services are through SIIT-DC becomes impossible, if those other services are
assigned IPv4 Service Addresses that also are covered by the same assigned IPv4 Service Addresses that also are covered by the same
IPv4 prefix (e.g., 192.0.2.28). This happens because the IPv4 nodes IPv4 prefix (e.g., 192.0.2.28). This happens because the IPv4 nodes
will mistakenly believe they have an on-link route to the entire will mistakenly believe they have an on-link route to the entire
prefix, and attempt to resolve the addresses using ARP [RFC0826], prefix and attempt to resolve the addresses using ARP [RFC826],
instead of sending them to the ER for translation to IPv6. This instead of sending them to the ER for translation to IPv6. This
problem could however be overcome by avoiding assigning IPv4 Service problem could, however, be overcome by avoiding assigning IPv4
Addresses which overlaps with an IPv4 prefix handled by an ER (at the Service Addresses that overlap with an IPv4 prefix handled by an ER
expense of wasting some potential IPv4 Service Addresses), or by (at the expense of wasting some potential IPv4 Service Addresses) or
ensuring that the overlapping IPv6 Service Addresses are only by ensuring that the overlapping IPv4 Service Addresses are only
assigned to services which do not need to communicate with the IPv4 assigned to services that do not need to communicate with the IPv4
node(s) behind the ER. A third way to avoid this problem is node(s) behind the ER. A third way to avoid this problem is
discussed in Appendix A.2. discussed in Appendix A.2.
A.2. Subnet with Unrouted IPv4 Addresses A.2. Subnet with Unrouted IPv4 Addresses
In order to avoid the problem discussed in Appendix A.1, a private In order to avoid the problem discussed in Appendix A.1, a private
unrouted IPv4 network that does not encompass the IPv4 Service unrouted IPv4 network that does not encompass the IPv4 Service
Address(es) could be used to provide connectivity between the ER and Address(es) could be used to provide connectivity between the ER and
the IPv4-only node(s) it serves. An IPv4-only node must then assign the IPv4-only node(s) it serves. An IPv4-only node must then assign
its IPv4 Service Address as secondary local address, while the ER its IPv4 Service Address as a secondary local address, while the ER
routes each of the IPv4 Service Addresses to its assigned node using routes each of the IPv4 Service Addresses to its assigned node using
that node's private on-link IPv4 address as the next-hop. This that node's private on-link IPv4 address as the next hop. This
approach would ensure there are no overlaps with IPv4 Service approach would ensure there are no overlaps with IPv4 Service
addresses elsewhere in the infrastructure, but on the other hand it Addresses elsewhere in the infrastructure, but on the other hand, it
would preclude the use of DHCPv4 [RFC2131] for assigning the IPv4 would preclude the use of DHCPv4 [RFC2131] for assigning the IPv4
Service Addresses. Service Addresses.
This approach creates a need to ensure that the IPv4 application is This approach creates a need to ensure that the IPv4 application is
selecting the IPv4 Service Address (as opposed to its private on-link selecting the IPv4 Service Address (as opposed to its private on-link
IPv4 address) as its source address when initiating outbound IPv4 address) as its source address when initiating outbound
connections. This could be accomplished by altering the Default connections. This could be accomplished by altering the Default
Address Selection Policy Table [RFC6724] on the IPv4 node. Address Selection Policy Table [RFC6724] on the IPv4 node.
Acknowledgements
The authors would like to especially thank the authors of 464XLAT
[RFC6877]: Masataka Mawatari, Masanobu Kawashima, and Cameron Byrne.
The architecture described by this document is merely an adaptation
of their work to a data center environment and could not have
happened without them.
The authors would like also to thank the following individuals for
their contributions, suggestions, corrections, and criticisms: Fred
Baker, Tobias Brox, Olafur Gudmundsson, Christer Holmberg, Ray
Hunter, Shucheng LIU (Will), and Andrew Yourtchenko.
Authors' Addresses Authors' Addresses
Tore Anderson Tore Anderson
Redpill Linpro Redpill Linpro
Vitaminveien 1A Vitaminveien 1A
0485 Oslo 0485 Oslo
Norway Norway
Phone: +47 959 31 212 Phone: +47 959 31 212
Email: tore@redpill-linpro.com Email: tore@redpill-linpro.com
 End of changes. 101 change blocks. 
251 lines changed or deleted 236 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/