INTERNET DRAFT                                              C. Huitema
<draft-ietf-v6ops-unman-scenarios-00.txt>
<draft-ietf-v6ops-unman-scenarios-01.txt>                    Microsoft
January 10,
June 3, 2003                                                R. Austein
Expires July 10, December 3, 2003                           Bourgeois Dilettant
                                                           S. Satapati
                                                   Cisco Systems, Inc.
                                                        R. van der Pol
                                                            NLnet Labs

          Unmanaged Networks IPv6 Transition Scenarios

Status of this memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   In order to evaluate the suitability of IPv6 transition mechanisms,
   we need to define the scenarios in which these mechanisms have to be
   used. One specific scope is the "unmanaged networks", network", which typically correspond
   corresponds to a home networks or small office networks. network. The scenarios are
   specific to single link subnet, and are defined in terms of IP
   connectivity supported by the home gateway and the ISP. We first
   examine the generic requirements of four classes of applications:
   local, client, peer to peer and server. Then, for each scenario, we
   infer transition requirements by analyzing the needs for smooth
   migration of applications from IPv4 to IPv6.

1	Introduction

   In order to evaluate the suitability of transition mechanisms, we
   need to define the environment or scope in which these mechanisms
   have to be used. One specific scope is the "unmanaged networks",
   which typically correspond to home networks or small office
   networks.

   This document studies the requirement posed by various transition

Huitema et al.                                               [Page  1]
   scenarios, and is organized in four main sections. Section 2 defines
   the topology that we are considering. Section 3 presents the four
   classes of applications that we consider for unmanaged networks:
   local applications, client applications, peer-to-peer applications,
   and server applications. Section 4 studies the requirements of these
   four classes of applications. Section 5 analyses how these
   requirements translate into four configurations which we expect to
   encounter during IPv6 deployment: gateways which do not provide
   IPv6, dual-stack gateways connected to dual-stack ISPs, dual-stack
   gateways connected to IPv4-only ISPs, and IPv6-capable gateways
   connected to IPv6-only ISPs.  While these four configurations are
   certainly not an exhaustive list of possible configurations, we
   believe that they represent the common cases for unmanaged networks.

2	Topology

   The typical unmanaged network is composed of a single subnet,
   connected to the Internet through a single Internet Service Provider
   (ISP)connection.
   (ISP) connection. Several hosts are may be connected to the subnet:

Huitema et al.                                               [Page  1]

      +------+
      | Host +--+
      +------+  |
                |
      +------+  |
      | Host +--+                         +--------------
      +------+  |                         |
                :                   +-----+
                :  +---------+      |     |
                +--+ Gateway +------| ISP | Internet
                :  +---------+      |     |
                :                   +-----+
      +------+  |                         |
      | Host +--+                         +--------------
      +------+  |
                |
      +------+  |
      | Host +--+
      +------+

   Between the subnet and the ISP access link is a gateway, which may
   or may not perform NAT and firewall function. A key point of this
   configuration is that the gateway is typically not "managed". In
   most cases, it is a simple "appliance", which incorporates some
   static policies. There However, there are however many cases in which the gateway
   is procured and configured by the ISP, and there are also some
   common cases in which we find two gateways back to back gateways, back, one managed
   by the ISP and the other added by the owner of the unmanaged
   network.

   The access link between the unmanaged network and the ISP can might be
   either static, i.e. a static, permanent connection, connection or dynamically
   established, i.e. a dynamic connection such

Huitema et al.                                               [Page  2]
   as a dial-up or ISDN connection. line.

   In a degenerate case, an unmanaged network can be constituted might consist of a single
   host, directly connected to an ISP.

   Our definition of unmanaged networks explicitly exclude networks
   composed of multiple subnets. We will readily admit that some home
   networks and some small business networks contain multiple subnets,
   but in the current state of the technology these multiple subnet
   networks are not "unmanaged": some competent administrator has to
   explicitly configure the routers. We will thus concentrate on single
   subnet networks, where no such competent operator is expected.

3	Applications

   Users may use or wish to use the unmanaged network services in four
   types of applications: local, client, servers and peer-to-peers.
   These applications may or may not run easily on today's network:
   their status vary. networks
   (some do, some don't).

3.1	Local applications

   Local applications

   "Local applications" are only meant to only involve the hosts that are
   part of the unmanaged network. Typical examples are the sharing of would be file
   sharing or printers. printer sharing.

   Local applications work effectively in IPv4 unmanaged networks, even

Huitema et al.                                               [Page  2]
   when the gateway performs NAT or firewall function. In fact,
   firewall services at the gateway are often deemed desirable, as they
   isolate the local applications from interference by Internet users.

3.2	Client applications

   Client applications

   "Client applications" are those that involve a client on the
   unmanaged network and a server at a remote location. A typical example is Typical
   examples would be accessing a web server from a client inside the
   unmanaged network, or reading and sending e-mail with the help of a
   server outside the unmanaged network.

   Local

   Client applications tend to work correctly in IPv4 unmanaged
   networks, even when the gateway performs NAT or firewall function:
   these translation and firewall functions are precisely designed precisely to
   enable client applications.

3.3	Peer-to-peer applications

   There are really two kinds of peer-to-peer applications, the "local peer-
   to-peer" that "peer-to-peer" applications: ones
   which only involve hosts on the unmanaged network, and the
   "remote peer-to-peer" that ones which
   involve both one or more hosts on the unmanaged network and one or
   more hosts outside the unmanaged network.  We will only consider here the "remote peer-to-peer"
   latter kind of peer-to-peer applications, as since the local peer-to-peer
   applications are former can be
   considered a subset of the "local applications." kind of local applications discussed

Huitema et al.                                               [Page  3]
   in section 3.1.

   Peer-to-peer applications are a restricted subset of the server
   applications, "server
   applications" (discussed in section 3.4), in which the services are
   only meant to be used by
   well identified well-identified peers outside the unmanaged
   network. These applications are often facilitated by a server
   outside the unmanaged networks. Examples of a peer-to-peer application
   applications would be a video-
   conference video-conference over IP, facilitated by a SIP
   Session Invitation Protocol (SIP) server, or a distributed game
   application, facilitated by a "game lobby".

   Peer-to-peer applications often don't work well in unmanaged IPv4
   networks. Application developers often have to enlist the help of a
   "relay server", to effectively restructure in effect restructuring the peer-to-peer connection in two
   into a pair of back-to-back client/server connections.

3.4	Server applications

   Server applications

   "Server applications" involve running a server in the unmanaged
   network,
   network for use by other parties outside the network. Examples Typical
   examples would be running a web server or an e-mail server on one of
   the hosts inside the unmanaged network.

   Deploying these servers in most unmanaged IPv4 networks requires
   some special programming of the NAT or firewall, and is more complex
   when the NAT only publishes a small number of global IP addresses
   and relies on "port translation". In the common case in which the
   NAT manages exactly one global IP address and relies on "port
   translation", a given external port can only be used by one internal

Huitema et al.                                               [Page  3]
   server.

   Deploying servers usually requires providing the servers each server with a
   stable DNS name, and associating the a global IPv4 address with that
   name, whether the address be that of the
   nat/firewall with server itself or that name. of
   the router acting as a firewall or NAT. Since updating DNS is a
   management task, it somewhat falls somewhat outside the scope of an unmanaged
   network. On the other hand, it is also possible to use out-of-band
   techniques, such
   techniques (such as cut-and-paste into an instant message system, system) to
   pass around the address of the target server.

4	Application requirements of an IPv6 unmanaged network

   As we transition to IPv6, we must meet the requirements of the
   various applications, which we can summarize in the following way:
   the
   applications that used to work well with IPv4 should continue
   working well during the transition; it should be possible to use
   IPv6 to deploy new applications that are currently hard to deploy in
   IPv4 networks; and the deployment of these IPv6 applications should
   be simple and easy to manage. manage, but the solutions should also be
   robust and secure.

   The application requirements are expressed in mostly for IPv6 Unmanaged Networks fall into

Huitema et al.                                               [Page  4]
   three
   dimensions: general categories: connectivity, naming, and security.
   Connectivity issues include the provision of IPv6 addresses and
   their quality: do host hosts need a global scope address, global addresses, should this address these
   addresses be stable, or stable or, more
   precisely precisely, what should be the expected lifetime
   lifetimes of the address. these addresses be? Naming issues include the
   management of names for the hosts: do hosts need a DNS-name, DNS names, and is
   inverse name resolution a requirement. requirement? Security issues include
   possible restriction to connectivity, privacy concerns, and concerns and,
   generally speaking speaking, the security of the applications.

4.1	Requirements of local applications

   Local applications require local connectivity. They must continue
   working to
   work even if the unmanaged network is isolated from the Internet.

   Local applications typically use ad hoc naming systems. Many of
   these systems are proprietary; an example of a standard system is
   the service location protocol (SLP).

   The security of local applications is will usually be enhanced if these
   applications can be effectively isolated from the global Internet.

4.2	Requirements of client applications

   Client applications require global connectivity. In an IPv6 network,
   we would expect the client to use a global IPv6 address, which will
   have to remain stable for the duration of the client-server session.

   Client applications typically use the domain name system to locate
   servers. In an IPv6 network, the client must be able to locate a DNS
   server.

Huitema et al.                                               [Page  4]
   resolver.

   Many servers try to look up a DNS name associated to the IP address
   of the client. In an IPv4 network, this IP address will often be
   allocated by the Internet service provider to the gateway, and the
   corresponding PTR record will be maintained by the ISP. In most many
   cases, these PTR records are perfunctory, derived in an algorithmic
   fashion from the IPv4 address; the main information that they
   contain is the domain name of the ISP. Whether or not an equivalent
   function should be provided in an IPv6 network is unclear.

4.2.1	Privacy requirement of client applications

   We may debate

   It is debatable whether the IPv6 networking service should be
   engineered to enhance the privacy of the clients, and specifically
   whether the support of for RFC 3041 should be required. RFC 3041 enables
   hosts to pick IPv6 addresses in which the host identifier is
   randomized; this was designed to make sure that the IPv6 addresses
   and the host identifier cannot be used to track the Internet
   connections of a device's owner.

   Many observe that randomizing the host identifier portion of the

Huitema et al.                                               [Page  5]
   address is only a half measure. If the unmanaged network address
   prefix remains constant, the randomization only hides which host in
   the unmanaged network originates a given connection, e.g. the
   children's computer versus their parents'. This would place the
   privacy rating of such connections on a par with that of IPv4
   connections originating from an unmanaged network in which a NAT
   manages a static IPv4 address; in both case, the IPv4 address or the
   IPv6 prefix can be used to identify the unmanaged network, e.g. the
   specific home from which the connection originated.

   Randomization

   However, randomization of the host identifier does however provide benefits.
   First, if some of the hosts in the unmanaged network are mobile, the
   randomization destroys any correlation between the addresses used at
   various locations: the addresses alone could not be used to
   determine whether a given connection originates from the same laptop
   moving from work to home, or used on the road. Second, the
   randomization removes any information that could be extracted from a
   hardwired host identifier; for example, it will prevent outsiders to
   correlate
   from correlating a serial number with a specific brand of expensive
   electronic equipment, and to use this information for planning
   marketing campaigns or possibly burglary attempts.

   Randomization of the addresses is indeed not sufficient to guarantee
   privacy. Usage can be tracked by a variety of other means, from
   application level "cookies" to complex techniques involving data
   mining and traffic analysis. However, just because privacy can be
   breached by other means is not a sufficient reason to enable
   additional tracking through IPv6 addresses.

   Randomization of the host identifier has some cost: the address
   management in hosts is more complex for the hosts and the gateway

Huitema et al.                                               [Page  5]
   may have to maintain a larger cache of neighbor addresses; however,
   experience from existing implementation shows that these costs are
   not overwhelming. Given the limited benefits, it would be
   unreasonable to require that all hosts use privacy addresses;
   however, given the limited costs, it is reasonable to require that
   all unmanaged network networks allow use of privacy addresses by those hosts
   who so choose.
   that choose to do so.

4.3	Requirements of peer-to-peer applications

   Peer-to-peer applications require global connectivity. In an IPv6
   network, we would expect the peers to use a global IPv6 address,
   which will have to remain stable for the duration of the peer-to-
   peer between client and server. session.

   Peer-to-peer applications often use ad hoc naming systems, sometimes
   derived from an "instant messaging" service. (Peer-to-peer
   applications that rely on the DNS for name resolution have the same
   naming requirements as server applications, which are discussed in
   the next section.) Many of these systems are proprietary; an example
   of a standard system is the session
   initiation invitation protocol (SIP). In

Huitema et al.                                               [Page  6]
   these systems, the peers register their presence to a "rendezvous"
   server, using a name specific to the service; the case of SIP, they
   would use a SIP URL, of the form "sip:user@example.com". A peer to peer-to-
   peer session typically starts by with an exchange of synchronization
   messages through the rendezvous servers, during which the peers
   exchange the addresses that will be used for the session.

   There are multiple aspects to the security of peer-to-peer
   applications, many of which relate to the security of the rendezvous
   system. If we assume that the peers have been able to safely
   exchange their IPv6 addresses, the main security requirement is the
   capability to safely exchange data between the peers, without
   interference by third parties.

   Private conversations by one of the authors with developers of peer-to-peer peer-
   to-peer applications
   showed suggest that many would be willing to consider
   an "IPv6-only" model if they can get two guarantees:

   1) That there is no regression from IPv4, i.e. that all customers
   that
   who could participate in a peer-to-peer application using IPv4 can
   also be reached by IPv6.

   2) That IPv6 provides a solution for at least some of their hard
   problems, i.e. e.g. enabling peers located behind an IPv4 NAT to
   participate in a peer-to-peer application.

   Requiring IPv6 connectivity for a popular peer-to-peer application
   could create what economists refer to as a "network effect", which
   in turn could significantly speed up the deployment of IPv6.

4.4	Requirements of server applications

   Server applications require global connectivity, which in an IPv6

Huitema et al.                                               [Page  6]
   network implies global addresses. In an IPv4 network utilizing a
   NAT, for each service provided by a server, the NAT has to be
   configured to forward packets sent to that service to the server
   that offers the service.

   Server applications normally rely on the publication of the server's
   address in the DNS. This, in turns, turn, requires that the server be
   provisioned with a "global DNS name".

   The DNS entries for the server will have to be updated, preferably
   in real time, if the server's address changes. In practice, updating
   the DNS is can be slow, which implies that server applications will
   have a better chance of being deployed if the IPv6 addresses remain
   stable for a long period.

   The security of server applications depends mostly on the
   correctness of the server, and also on the absence of collateral
   effects: many incidents occur when the opening of a server on the
   Internet inadvertently enables remote access to some other services

Huitema et al.                                               [Page  7]
   on the same host.

5	Stages of IPv6 deployment

   The

   We expect the deployment of IPv6 over time is expected to proceed from an initial state in
   which there is little or no deployment, deployment to a final stage in which we
   might retire the IPv4 infrastructure. We expect this process to
   stretch over several many years; we also expect it to not be synchronized,
   as different parties involved will deploy IPv6 at different pace. paces.
   In order to get some clarity, we distinguish three entities involved
   in the transition of an unmanaged network: the ISP (possibly
   including ISP CPE), consumer premise equipment (CPE)), the home gateway gateway,
   and the hosts (computers and appliances). Each can support IPv4-only, IPv4-
   only, both IPv4 and IPv6 or IPv6-only. That gives us 27
   possibilities.  We describe the most important cases. We will consider assume
   that in all cases the hosts are a combination of IPv4-only, dual
   stack and (perhaps) IPv6-only hosts.

   The cases we will consider are:

   A) Gateway a gateway which does not provide IPv6 at all;
   B) ISP and a dual-stack gateway are connected to a dual stack ISP;
   C) Gateway is IPv6 capable, a dual stack, stack gateway connected to an IPV4-only ISP; and
   D) a gateway connected to an IPv6-only ISP

   In most of these cases we will assume that the gateway includes a
   NAT: we realize that this is not always the case, but we submit that
   it is common enough that we have to deal with it; furthermore, we
   believe that the non-NAT variants of these cases map fairly closely
   to this same set of cases.  For example, the case in which there is
   no NAT and the CPE is not
   D) a bridge rather than a router maps fairly well
   to cases B, C, or D, depending on which protocols the ISP is IPv6-only

   The supports;
   similarly, the case where in which the ISP CPE is IPv6 capable a router but the gateway is not is
   similar a NAT
   maps either to case B or case C depending on what the    CPE router
   supports.  Last, note that the combination of an IPv6-capable ISP
   with a gateway that doesn't support IPv6 is, in effect, equivalent
   to case A.

5.1	Case A, host deployment of IPv6 applications

   In this case the gateway doesn't provide IPv6; the ISP may or may
   not provide IPv6, but this is not relevant, since the non-upgraded
   gateway would prevent the hosts from using the ISP service. Some
   hosts will try to get IPv6 connectivity, in order to run
   applications that require IPv6, or work better with IPv6. The hosts
   in this case will have to handle the IPv6 transition mechanisms on
   their own.

   There are two variations of this case, depending on the type of
   service implemented by the gateway. In many cases, the gateway is a
   direct obstacle to the deployment of IPv6, but a gateway which is
   some form of bridge-mode CPE or which is a plain (neither

Huitema et al.                                               [Page  7]  8]
   filtering nor NAT) router does not really fall into this category.

5.1.1	Application support in Case A

   The focus of Case A is to enable communication between a host on the
   unmanaged network and some IPv6-only hosts outside of the network.
   The primary focus in the immediate future, i.e. for the early
   adopters of IPv6, will be peer-to-peer applications. However, as
   IPv6 deployment progresses, we will likely find a situation where
   some networks have IPv6-only services deployed, at which point we
   would like case A client applications to be able to access those
   services.

   Local applications are not a primary focus of Case A. At this stage,
   we expect all clients in the unmanaged network to have either IPv4
   only or dual stack support. Local applications can continue working
   using IPv4.

   Server applications are also not a primary focus of Case A. Server
   applications require DNS support, which is difficult to engineer for
   clients located behind a NAT. NAT, which is likely to be present in this
   case. Besides, server applications, applications at this
   stage, present cater mostly to IPv4
   clients; putting up an IPv6-only server is not very attractive.

   In contrast, peer-to-peer applications are probably both attractive
   and easy to deploy: they are deployed in a coordinated fashion as
   part of a peer-to-peer network, which means that hosts can all
   receive some form of IPv6 upgrade; they often provide their own
   naming infrastructure, in which case they are not dependent on DNS
   services.

5.1.2	Addresses and connectivity in Case A

   We saw in 5.1.1 that a primary the likely motivation for the deployment of IPv6
   connectivity in hosts in case A is participation a desire to use peer-to-peer applications, and also to IPv6-only
   client IPv6 applications. These applications require that all
   participating nodes get some form of IPv6 connectivity, i.e. at
   least one globally reachable IPv6 address.

   If the local gateway provides global IPv4 addresses to the local
   hosts, then these hosts can individually exercise the mechanisms
   described in case C, "IPv6 connectivity without provider support."
   If the local gateway implements a NAT function, another type of
   mechanism is needed. The mechanism to provide connectivity to peers
   behind NAT should be easy to deploy, and light weight; it will have
   to involve tunneling over a protocol that can easily traverse NAT,
   either TCP or preferably UDP, as this is the practical way to traverse a NAT. tunneling over TCP can result in
   poor performances in case of time-outs and retransmission. If
   servers are needed, these servers will in practice have to be
   deployed as part of the "support infrastructure" for the peer-to-peer peer-to-
   peer network or for an IPv6 based IPv6-based service; economic reality implies
   that the cost of running these servers should be as low as possible.

Huitema et al.                                               [Page  9]

5.1.3	Naming services in Case A

   At this phase of IPv6 deployment, hosts in the unmanaged domain have
   access to DNS services over IPv4, through the existing gateway. DNS
   resolvers are supposed to serve AAAA records, even if they only
   implement IPv4; the local hosts should thus be able to obtain the
   IPv6 addresses of IPv6-only servers.

Huitema et al.                                               [Page  8]

   Reverse lookup is hard difficult to provide for hosts on the unmanaged
   network if the gateway is not upgraded. This is a potential issue
   for client applications. Some servers require a reverse lookup as
   part of accepting a client's connection, and may require that the
   direct lookup of the corresponding name matches the IPv6 address of
   the client. There is thus a requirement
   to either to provide a reverse
   lookup solution, or to make sure that IPv6 servers do not require
   reverse lookup.

5.2	Case B, IPv6 connectivity with provider support

   In this case the ISP and gateway are both dual stack. The gateway
   can use native IPv6 connectivity to the ISP and can use an IPv6
   prefix allocated by the ISP.

5.2.1	Application support in Case B

   If the ISP and the gateway are dual-stack, client applications,
   peer-to-peer applications and server applications can all be enabled
   easily on the unmanaged network.

   We expect the unmanaged network to include three kinds of hosts:
   IPv4 only, IPv6-only, and dual stack. Obviously, dual stack hosts
   can interact easily with either IPv4 only hosts or IPv6-only hosts,
   but an IPv4 only host and an IPv6-only host cannot communicate
   without a third party performing some kind of translation service.
   Our analysis concludes that unmanaged networks should not have to
   provide such translation services.

   The argument for providing translation services is that their
   availability would accelerate the deployment of IPv6-only devices,
   and thus the transition to IPv6. This is however a dubious argument,
   since it can also be argued that the availability of these
   translation services will reduce the pressure to provide IPv6 at
   all, and to just continue fielding IPv6-only IPv4-only devices. The remaining
   pressure to provide IPv6 connectivity would just be the difference
   in "quality of service" between a translated exchange and a native
   interconnect.

   The argument against translation service is the difficulty of
   providing these services for all applications, compared to the
   relative ease of installing dual stack solutions in an unmanaged
   network. Translation services can be provided either by application
   relays such as HTTP proxies, or by network level services such as
   NAT-PT. Application relays pose several operational problems: first,
   one must develop relays for all applications; second, one must
   develop a management infrastructure to provision the host with the
   addresses of the relays; in addition, the application may have to be
   modified if one wants to use the relay selectively, e.g. only when
   direct connection is not available. Network level translation poses
   similar problems: in practice, network level actions must be
   complemented by "application layer gateways" that will rewrite
   references to IP addresses in the protocol, and while these relays tend to

Huitema et al.                                               [Page  9]
   be
   are not necessary for every application; application, they are necessary for
   enough applications to make any sort of generalized translation
   quite problematic; hosts may need to be parameterized to use the
   translation service; and designing the right algorithm to decide
   when to translate DNS requests has proven very difficult.

   Not assuming translation services in the network appears to be both
   more practical and more robust. If the market requirement for a new
   device requires that it interacts interact with both IPv4 and IPv6 hosts, we
   may expect the manufacturers of these devices to program them with a
   dual stack capability; in particular, we expect general purpose
   systems such as personal computers to be effectively dual-stack. The
   only devices that are expected to be capable of only supporting IPv6
   are those who are designed for specific applications, which do not
   require interoperation with antique IPv4-only systems. We also observe that
   providing both IPv4 and IPv6 connectivity in an unmanaged network is
   not particularly difficult; indeed there is difficult: we have a
   well established experience fair amount of experience
   using IPv4 in these unmanaged networks in parallel with other protocols
   such as as, for example example, IPX.

5.2.2	Addresses and connectivity in Case B

   In Case B, the upgraded gateway will behave act as an IPv6 router; it will
   continue providing the IPv4 connectivity of a non-upgraded connectivity, perhaps using NAT. Nodes
   in the local network will typically obtain:

   	- IPv4 natted addresses, addresses (from or via the gateway),
   	- IPv6 link local addresses, and
   	- IPv6 global addresses.

   The hosts could also obtain IPv6 site local addresses, if the
   gateway advertises a site local prefix. This is as debatable: site
   local addresses provide

   In some isolation to site local application
   from network connectivity events and network based attacks; however,
   managing non unique addresses can networks, NAT will not be problematic if some in use and the local hosts
   are multi-homed, will
   actually obtain global IPv4 addresses NAT will not be in use. We
   will not elaborate on this, as is common with VPN connections. the availability of global IPv4
   addresses does not bring any additional complexity to the transition
   mechanisms.

   To enable this scenario, the gateway need needs to use a mechanism to
   obtain a global IPv6 address prefix from the ISP, and advertise this
   address prefix to the hosts in the unmanaged network; several
   solutions will be assessed in a companion memo [EVAL].

5.2.3	Naming services in Case B

   At this phase of IPv6 deployment,
   In case B, hosts in the unmanaged domain have access to DNS services
   through the gateway. As the gateway and the ISP both support IPv4
   and IPv6, these services may be accessible by the IPv4 only IPv4-only hosts
   using IPv4, by the IPv6-only hosts using IPv6, and by the dual stack
   hosts using either. Currently, IPv4 only hosts usually discover the
   IPv4 address of the local DNS server resolver using DHCP; there must be a
   way for IPv6-only hosts to discover the IPv6 address of the DNS server.
   resolver.

   There must be a way to resolve the name of local hosts to their IPv4
   or IPv6 addresses. Typing auto-configured IPv6 addresses in a
   configuration file is impractical; this implies either some form of
   dynamic registration of IPv6 addresses in the local service, or a
   dynamic address discovery mechanism. Possible solutions will be
   compared in the evaluation draft.

   The requirement to support server applications in the unmanaged
   network implies a requirement to publish the IPv6 addresses of local
   servers in the DNS. There are multiple solutions, including
   variations of domain
   name delegation. If we want to provide efficient reverse lookup functions, functions are to be
   provided, delegation of a fraction of the ip6.arpa tree is also
   required.

   The response to a DNS request should not depend of on the protocol with by
   which the request is transported: dual-stack hosts may indifferently use either
   IPv4 or IPv6 to contact the local resolver; resolver, the choice of IPv4 or
   IPv6 will may be random; random, and the value of the response should not depend
   of a random event.

   DNS transition issues in a dual IPv4/IPv6 network are discussed in
   [DNSOPV6].

5.3	Case C, IPv6 connectivity without provider support

   In this case the gateway is IPv6 capable, dual stack, but the ISP is not.  The
   gateway has been upgraded and offers both IPv4 and IPv6 connectivity
   the hosts. It cannot rely on the ISP for IPv6 connectivity, because
   the ISP does not offer ISP connectivity yet.

5.3.1	Application support in Case C

   Application support in case C should be identical to that of case B.

5.3.2	Addresses and connectivity in Case C

   The upgraded gateway will behave as an IPv6 router; it will continue
   providing the IPv4 connectivity of non-upgraded connectivity, perhaps using NAT. Nodes in the
   local network will obtain:

   	- IPv4 natted addresses, addresses (from or via the gateway),
   	- IPv6 link local addresses,
   	- IPv6 global addresses.

   The clients could also obtain IPv6 site local addresses, if the
   gateway advertises a site local prefix; this raises the same issues
   already discussed in case B.

   There are two ways to bring immediate IPv6 connectivity on top of an
   IPv4 only infrastructure: automatic tunnels tunnels, e.g. provided by the
   [6TO4] technology, or configured tunnels. Both technologies have
   advantages and limitations, which will be studied in a companion
   document.

   There will be some cases where the local hosts actually obtain
   global IPv4 addresses. We will not discuss this scenario, as it does
   not make the use of transition technology harder, or more complex.
   Case A has already examined how hosts could obtain IPv6 connectivity
   individually.

5.3.3	Naming services in Case C

   The local naming requirements in case C are identical to the local
   naming requirements of case B, with two differences: delegation of
   domain names, and management of reverse lookup queries.

   A delegation of some domain name is required in order to publish the
   IPv6 addresses of servers in the DNS. As the ISP does not provide
   support for IPv6 in case C, the delegation mechanism will have name is required in order to be
   provided independently publish the
   IPv6 addresses of servers in the IP connectivity mechanism. DNS.

   A specific mechanism for handling reverse lookup queries will be
   required if the gateway uses a dynamic mechanism such as 6to4 to
   obtain a prefix independently of any IPv6 ISP.

5.4	Case D, ISP stops providing native IPv4 connectivity

   In this case the ISP is IPv6-only, so the gateway looses loses IPv4
   connectivity, and is faced with an IPv6-only service provider. The
   gateway itself is dual stack, and the unmanaged network includes
   IPv4 only, IPv6-only and dual stack hosts. Any interaction between
   hosts in the unmanaged network and IPv4 hosts on the Internet will
   require the provision of some inter-protocol services by the ISP.

5.4.1	Application support in Case D

   At this phase of the transition, IPv6 hosts can perform participate in all
   types of applications with other IPv6 hosts. IPv4 hosts in the
   unmanaged network will be able to perform local applications with
   IPv4 or dual stack local hosts.

   As in case B, we will assume that IPv6-only hosts will not interact
   with IPv4-only hosts, either local or remote. We must however assume
   that IPv4-only hosts and dual stack hosts will desire to interact
   with IPv4 services available on the Internet: the inability to do so
   would place the IPv6-only provider at a great commercial
   disadvantage compared to other Internet service providers.

   There are three possible ways that an ISP can provide hosts in the
   unmanaged network with access to IPv4 application: applications: by using a set
   of application relays, by providing an address translation service,
   or by providing IPv4-over-IPv6 tunnels. Our analysis concludes that
   a tunnel service will seems to be vastly preferable.

   We already mentioned the drawbacks of the application gateway
   approach when analyzing case B: it is necessary to provide relays
   for all applications, to develop a way to provision the hosts with
   the addresses of these relays, and to modify the applications so
   that they will only use the relays when needed. We also observe that
   in an IPv6-only ISP the application relays would only be accessible
   over IPv6, and would thus not be accessible by the "legacy" IPv4-
   only hosts. The application relay approach is thus not very
   attractive.

   Providing a network address and protocol translation service between
   IPv6 and IPv4 would also have many drawbacks. As in case B, it will
   have to be complemented by "application layer gateways" that will
   rewrite references to IP addresses in the protocol; hosts may need
   to be parameterized to use the translation service; and we would
   have to solve DNS issues. In addition, in an IPv6-only ISP, an IPv6-
   to-IPv4 translation service would not be accessible by legacy IPv4-
   only hosts through the IPv6 only ISP service. The network level protocol translation
   service appears doesn't appear to not be very desirable.

   The proper preferable alternative to application relays and network address
   translation is the provision of an IPv4-over-IPv6 service.

5.4.2	Addresses and connectivity in Case D

   The ISP assigns an IPv6 prefix to the unmanaged network, so hosts
   have a global IPv6 address and use it for global IPv6 connectivity.
   This will require delegation of an IPv6 address prefix, as
   investigated in case C.

   To enable IPv4 hosts and dual stack host to access remote IPv4
   services, the ISP must provide the gateway with at least one IPv4
   address, using some form of IPv4-over-IPv6 tunneling. Once such
   addresses have been provided, the gateway effectively acquires dual-
   stack connectivity; for hosts inside the unmanaged network, this
   will be indistinguishable from the IPv4 connectivity obtained in
   case B or C.

5.4.3	Naming services in Case D

   The loss of IPv4 connectivity has a direct impact on the provision
   of naming services. An obvious consequence In many IPv4 unmanaged networks, hosts obtain
   their DNS configuration parameters from the local gateway, typically
   through the DHCP service. If the same mode of operation is desired
   in case D, the gateway will have to be provisioned with the address
   of a DNS server resolver and with other DNS parameters, and that this
   provisioning will have to use IPv6 mechanisms. Another consequence
   is that the DNS service in the gateway will only be able to use IPv6
   connectivity to resolve queries; if local hosts perform DNS
   resolution autonomously, they will have the same restriction.

   On the surface, this seems to indicate that the local hosts will
   only be able to resolve names if the domain servers are accessible
   through an IPv6 address documented in a an AAAA record. However, the
   DNS services are just one case of "IPv4 servers accessed by IPv6
   hosts": it should be possible to simply send queries through the
   address translation
   IPv4 connectivity services to reach the IPv4 only servers.

   The gateway should be able to act as a "DNS proxy" recursive DNS name server for
   the remaining IPv4 only hosts.

6	Security Considerations

   Security considerations are discussed as part of the applications'
   requirements. They include:

   - the guarantee that local applications are only used locally,
   - the protection of the privacy of clients
   - the requirement that peer-to-peer connections are only used by
   authorized peers.

   The security solutions currently used in IPv4 networks include a
   combination of firewall functions in the gateway, authentication and
   authorization functions in the applications, encryption and
   authentication services provides by IP security, Transport Layer
   Security and application specific services, and host-based security
   products such as anti-virus software, and host firewalls. The
   applicability of these tools in IPv6 unmanaged networks will be
   studied in a companion document.

7	IANA Considerations

   This memo does not include any request to IANA.

8	Copyright

   The following copyright notice is copied from RFC 2026 [Bradner,
   1996], Section 10.4, and describes the applicable copyright for this
   document.

   Copyright (C) The Internet Society July 12, 2001. All Rights
   Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

9	Intellectual Property

   The following notice is copied from RFC 2026 [Bradner, 1996],
   Section 10.4, and describes the position of the IETF concerning
   intellectual property claims made against this document.

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use other technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

10	Acknowledgements

   This draft has benefited from the comments of the members of the
   IETF V6OPS working group, and from extensive reviews by Chris
   Fischer, Tony Hain, Suresh
   K Satapati, Kurt Erik Lindqvist, Erik Nordmark, Pekka
   Savola, and Margaret Wasserman.

11	References

   Normative References
   [RFC791] J. Postel, "Internet Protocol", RFC 791, September 1981.

   [RFC2460] Deering, S., and R. Hinden, "Internet Protocol, Version 6
   (IPv6) Specification", RFC 2460, December 1998.

   [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor
   Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998.

   [RFC2462] Narten, T., and S. Thomson, "IPv6 Stateless Address
   Autoconfiguration", RFC 2462, December 1998.

   Informative references

   [EVAL] Evaluation of Transition Mechanisms for Unmanaged Networks,
   work in progress.

   [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
   J., and E. Lear, "Address Allocation for Private Internets", RFC
   1918, February 1996.

   [RFC3056] Carpenter, B., and K. Moore, "Connection of IPv6 Domains
   via IPv4 Clouds", RFC 3056, February 2001.

   [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
   A., Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP:
   Session Initiation Protocol", RFC 3261, June 2002.

   [RFC3022] Srisuresh, P., and K. Egevang. "Traditional IP Network
   Address Translator (Traditional NAT)", RFC 3022, January 2001.

   [RFC2993] T. Hain. "Architectural Implications of NAT", RFC 2993,
   November 2000.

   [RFC2608] Guttman, E., Perkins, C., Veizades, J., and M. Day.
   "Service Location Protocol, Version 2", RFC 2993, June 1999.

   [RFC3041] Narten, T., and R. Draves. "Privacy Extensions for
   Stateless Address Autoconfiguration in IPv6", RFC 3041, January
   2001.

   [DNSOPV6] A. Durand. "IPv6 DNS transition issues", Work in progress.

   [DNSINADDR] D. Senie. "Requiring DNS IN-ADDR Mapping", Work in
   progress.

12	Authors' Addresses

   Christian Huitema
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052-6399
   Email: huitema@microsoft.com

   Rob Austein
   Email: sra@hactrn.net

   Suresh Satapati
   Cisco Systems, Inc.
   San Jose, CA 95134
   USA
   EMail: satapati@cisco.com

   Ronald van der Pol
   NLnet Labs
   Kruislaan 419
   1098 VA Amsterdam
   NL
   Email: Ronald.vanderPol@surfnet.nl Ronald.vanderPol@nlnetlabs.nl

Table of Contents:

1 Introduction ....................................................   1
2 Topology ........................................................   1   2
3 Applications ....................................................   2   3
3.1 Local applications ............................................   2   3
3.2 Client applications ...........................................   3
3.3 Peer-to-peer applications .....................................   3
3.4 Server applications ...........................................   3   4
4 Application requirements of an IPv6 unmanaged network ...........   4
4.1 Requirements of local applications ............................   4   5
4.2 Requirements of client applications ...........................   4   5
4.2.1 Privacy requirement of client applications ..................   5
4.3 Requirements of peer-to-peer applications .....................   6
4.4 Requirements of server applications ...........................   6   7
5 Stages of IPv6 deployment .......................................   7   8
5.1 Case A, host deployment of IPv6 applications ..................   7   8
5.1.1 Application support in Case A ...............................   8   9
5.1.2 Addresses and connectivity in Case A ........................   8   9
5.1.3 Naming services in Case A ...................................   8  10
5.2 Case B, IPv6 connectivity with provider support ...............   9  10
5.2.1 Application support in Case B ...............................   9  10
5.2.2 Addresses and connectivity in Case B ........................  10  11
5.2.3 Naming services in Case B ...................................  10  11
5.3 Case C, IPv6 connectivity without provider support ............  11  12
5.3.1 Application support in Case C ...............................  11  12
5.3.2 Addresses and connectivity in Case C ........................  11  12
5.3.3 Naming services in Case C ...................................  11  13
5.4 Case D, ISP stops providing native IPv4 connectivity ..........  12  13
5.4.1 Application support in Case D ...............................  12  13
5.4.2 Addresses and connectivity in Case D ........................  13  14
5.4.3 Naming services in Case D ...................................  13  14
6 Security Considerations .........................................  13  15
7 IANA Considerations .............................................  14  15
8 Copyright .......................................................  14  15
9 Intellectual Property ...........................................  14  16
10 Acknowledgements ...............................................  15  16
11 References .....................................................  15  16
12 Authors' Addresses .............................................  15  17