Discovering PREF64 in Router AdvertisementsGoogleShibuya 3-21-3ShibuyaTokyo150-0002Japanlorenzo@google.comGoogle1 Darling Island RdPyrmontNSW2009Australiafurry@google.com
Internet
IPv6 MaintenanceThis document specifies a Neighbor Discovery option to be used in
Router Advertisements (RAs) to communicate prefixes of Network Address and Protocol
Translation from IPv6 clients to IPv4 servers (NAT64) to hosts.Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
. Introduction
. Requirements Language
. Terminology
. Use Cases for Communicating the NAT64 Prefix to Hosts
. Why Include the NAT64 Prefix in Router Advertisements?
. Option Format
. Scaled Lifetime Processing
. Usage Guidelines
. Handling Multiple NAT64 Prefixes
. PREF64 Consistency
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
Acknowledgements
Authors' Addresses
IntroductionNAT64 with DNS Extensions
for Network Address Translation from IPv6 clients to IPv4 servers (DNS64) is a widely deployed mechanism to
provide IPv4 access on IPv6-only networks. In various scenarios, the
host must be aware of the NAT64 prefix in use by the network. This
document specifies a Neighbor Discovery option to be used in Router Advertisements
(RAs) to
communicate NAT64 prefixes to hosts.Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Terminology
PREF64 (or NAT64 prefix):
An IPv6 prefix used for IPv6 address
synthesis ;
NAT64:
Network Address and Protocol Translation from IPv6 clients to
IPv4 servers ;
Router Advertisement (RA):
A message used by IPv6 routers to
advertise their presence together
with various link and Internet parameters ;
DNS64: a mechanism for synthesizing AAAA records from A records
;
Use Cases for Communicating the NAT64 Prefix to Hosts
On networks employing NAT64, it is useful for hosts to know the NAT64 prefix for several reasons, including the following:
Enabling DNS64 functions on end hosts. In particular:
Local DNSSEC validation (DNS64 in stub-resolver mode). As
discussed in ,
the stub resolver in the host "will try to obtain (real)
AAAA RRs,
and in case they are not available, the DNS64 function will
synthesize AAAA RRs for internal usage." Therefore, to perform the
DNS64 function, the stub resolver needs to know the NAT64
prefix. This is required in order to use DNSSEC on a NAT64
network.
Trusted DNS server. AAAA synthesis is required for the host to
be able to use a DNS server not provided by the network (e.g., a
DNS-over-TLS or
DNS-over-HTTPS server
with which the host has an existing trust relationship).
Networks with no DNS64 server. Hosts that support AAAA
synthesis and are aware of the NAT64 prefix in use do not need the
network to perform the DNS64 function at all.
Enabling NAT64 address-translation functions on end hosts. For example:
IPv4 address literals on an IPv6-only host. As described in
, IPv6-only
hosts connecting to IPv4 address literals can translate the IPv4
literal to an IPv6 literal.
464XLAT . 464XLAT
requires the host be aware of the NAT64 prefix.
Why Include the NAT64 Prefix in Router Advertisements?
Fate sharing:
NAT64 requires routing to be configured. IPv6 routing
configuration requires receiving an IPv6 RA . Therefore, using RAs to provide hosts with the NAT64 prefix ensures that NAT64
reachability information shares the fate of the rest of the network
configuration on the host.
Atomic configuration:
Including the NAT64 prefix in the RA minimizes the number of packets required to configure a
host. Only one packet (an RA) is required to complete
the network configuration. This speeds up the process of connecting to a
network that supports NAT64/DNS64. It also simplifies host implementation by
removing the possibility that the host can have an incomplete
Layer 3
configuration (e.g., IPv6 addresses and prefixes, but no NAT64
prefix).
Updatability:
It is possible to change the NAT64 prefix at any time,
because when it changes, it is possible to notify hosts by sending a new
RA.
Deployability:
All IPv6 hosts and networks are required to support
Neighbor Discovery so just a
minor extension to the existing implementation is required. Other
options, such as , require
implementing other protocols (e.g., Port Control Protocol (PCP) ), which could be considered an obstacle for
deployment.
Option FormatFields:
Type:
8-bit identifier of the PREF64 option
type (38)
Length:
8-bit unsigned integer. The length of the
option (including the Type and Length fields) is in units of 8
octets. The sender MUST set the length to 2. The
receiver MUST ignore the PREF64 option if the
Length field value is not 2.
Scaled Lifetime:
13-bit unsigned integer. The maximum time in
units of 8 seconds over which this NAT64 prefix MAY
be used. See for the
Scaled Lifetime field processing rules.
PLC (Prefix Length Code):
3-bit unsigned integer. This field encodes the
NAT64 Prefix Length defined in . The PLC field values 0, 1, 2, 3, 4, and 5
indicate the NAT64 prefix length of 96, 64, 56, 48, 40, and 32 bits,
respectively. The receiver MUST ignore the PREF64
option if the Prefix Length Code field is not set to one of those
values.
Highest 96 bits of the Prefix:
96-bit unsigned integer. Contains bits 0 - 95 of the NAT64 prefix.
Scaled Lifetime Processing
It would be highly undesirable for the NAT64 prefix to
have a lifetime shorter than the Router Lifetime, which
is defined in as a 16-bit unsigned integer.
If the NAT64 prefix lifetime is not at least equal to
the default Router Lifetime, it might lead to scenarios
in which the NAT64 prefix lifetime expires before the
arrival of the next unsolicited RA. Therefore, the
Scaled Lifetime encodes the NAT64 prefix lifetime in
units of 8 seconds. The receiver MUST
multiply the Scaled Lifetime value by 8 (for example,
by a logical left shift) to calculate the maximum time in
seconds the prefix MAY be used.
The maximum lifetime of the NAT64 prefix is thus 65528
seconds.
To ensure that the NAT64 prefix does not expire before the default
router, it is NOT RECOMMENDED
to configure default Router Lifetimes greater than 65528
seconds when using this option.
A lifetime of 0 indicates that the prefix SHOULD NOT be used anymore.
By default, the value of the Scaled Lifetime field SHOULD be set
to the lesser of 3 x MaxRtrAdvInterval divided by 8, or 8191.
Router vendors SHOULD allow administrators to specify
nonzero lifetime values that are not divisible by 8.
In such cases, the router SHOULD round the provided
value up to the nearest integer that is divisible by 8 and smaller
than 65536, then divide the result by 8 (or perform a logical
right shift by 3) and set the Scaled Lifetime field to the
resulting value.
If a nonzero lifetime value that is to be divided by 8 (or
subjected to a logical right shift by 3) is less than 8, then the
Scaled Lifetime field SHOULD be set to 1.
This last step ensures that lifetimes under 8 seconds are encoded as
a nonzero Scaled Lifetime.
Usage GuidelinesThis option specifies exactly one NAT64 prefix for all IPv4
destinations. If the network operator wants to route different parts
of the IPv4 address space to different NAT64 devices, this can be
accomplished by routing more specific subprefixes of the NAT64 prefix
to those devices.
For example, suppose an operator is using the address space 10.0.0.0/8 internally.
That operator might want to route 10.0.0.0/8 through NAT64 device A, and
the rest of the IPv4 space through NAT64 device B.
If the operator's NAT64 prefix is 2001:db8:a:b::/96, then the operator
can route 2001:db8:a:b::a00:0/104 to NAT64 A and 2001:db8:a:b::/96 to
NAT64 B.
This option may appear more than once in an RA
(e.g., when gracefully renumbering the network from one NAT64 prefix
to another). Host behavior with regard to synthesizing IPv6 addresses
from IPv4 addresses SHOULD follow the recommendations
given in , limited
to the NAT64 prefixes that have a nonzero lifetime.In a network (or a provisioning domain) that provides both IPv4 and
NAT64, it may be desirable for certain IPv4 addresses not to be
translated. An example might be private address ranges that are local to
the network/provisioning domain and that should not be reached through the
NAT64. This type of configuration cannot be conveyed to hosts using this
option, or through other NAT64 prefix provisioning mechanisms such as
or . This problem does not apply in IPv6-only
networks: the host in an IPv6-only network does not have an IPv4 address and
cannot reach any IPv4 destinations without the NAT64.
Handling Multiple NAT64 Prefixes
In some cases, a host may receive multiple NAT64 prefixes from
different sources. Possible scenarios include (but are not limited
to):
the host is using multiple mechanisms to discover PREF64
prefixes (e.g., by using PCP ) and/or resolving an IPv4-only fully qualified
domain name in addition to
receiving the PREF64 RA option);
the PREF64 option presents in a single RA more than once;
the host receives multiple RAs with different PREF64 prefixes
on a given interface.
When multiple PREF64s are discovered via the RA PREF64 Option (either the
Option presents more than once in a single RA or multiple RAs are
received), host behavior with regard to synthesizing IPv6 addresses
from IPv4 addresses SHOULD follow the recommendations
given in ,
limited to the NAT64 prefixes that have a nonzero lifetime.
When different PREF64s are discovered using multiple mechanisms,
hosts SHOULD select one source of information
only. The RECOMMENDED order is:
PCP-discovered prefixes , if supported;
PREF64s discovered via the RA Option;
PREF64s resolving an IPv4-only fully qualified domain name
Note: If the network provides PREF64s via both this RA Option
and , hosts that receive the
PREF64 via the RA Option may choose to use it immediately (before waiting
for the PCP to complete); therefore, some traffic may not reflect any
more detailed configuration provided by the PCP.
The host SHOULD treat the PREF64 as being specific
to the network interface it was received on. Hosts that are aware
of Provisioning Domain (PvD, )
MUST treat the PREF64 as being scoped to the
implicit or explicit PvD.
PREF64 Consistency
recommends that routers inspect RAs sent by other routers to
ensure that all routers onlink advertise consistent
information. Routers SHOULD inspect valid PREF64
options received on a given link and verify the
consistency. Detected inconsistencies indicate that one or more
routers might be misconfigured. Routers SHOULD log
such cases to system or network management. Routers
SHOULD check and compare the following information:
set of PREF64s with a nonzero lifetime;
set of PREF64s with a zero lifetime.
Routers that are aware of PvD () MUST only compare information scoped to the
same
implicit or explicit PvD.
IANA ConsiderationsIANA has assigned a new IPv6 Neighbor Discovery Option
type for the PREF64 option defined in this document in the
"IPv6 Neighbor Discovery Option Formats" registry .
New IANA Registry Assignment
Description
Type
PREF64 option
38
Security ConsiderationsBecause RAs are required in all IPv6 configuration
scenarios, on IPv6-only networks, RAs must already be
secured -- e.g., by deploying an RA-Guard . Providing all configuration in RAs
reduces the attack surface to be targeted by malicious attackers trying to
provide hosts with invalid configuration, as compared to distributing the
configuration through multiple different mechanisms that need to be
secured independently.
If a host is provided with an incorrect NAT64 prefix, the IPv6-only host might
not be able to communicate with IPv4-only destinations.
Connectivity to destinations reachable over IPv6 would not be impacted just by
providing a host with an incorrect prefix; however, if attackers are capable
of sending rogue RAs, they can perform denial-of-service or man-in-the-middle
attacks, as described in .
The security measures that must already be in place to ensure that
RAs are only received from legitimate sources
eliminate the problem of NAT64 prefix validation described in .ReferencesNormative ReferencesInternet Control Message Protocol version 6 (ICMPv6) ParametersIANAKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Neighbor Discovery for IP version 6 (IPv6)This document specifies the Neighbor Discovery protocol for IP Version 6. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. [STANDARDS-TRACK]IPv6 Addressing of IPv4/IPv6 TranslatorsThis document discusses the algorithmic translation of an IPv6 address to a corresponding IPv4 address, and vice versa, using only statically configured information. It defines a well-known prefix for use in algorithmic translations, while allowing organizations to also use network-specific prefixes when appropriate. Algorithmic translation is used in IPv4/IPv6 translators, as well as other types of proxies and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios. [STANDARDS-TRACK]Discovery of the IPv6 Prefix Used for IPv6 Address SynthesisThis document describes a method for detecting the presence of DNS64 and for learning the IPv6 prefix used for protocol translation on an access network. The method depends on the existence of a well-known IPv4-only fully qualified domain name "ipv4only.arpa.". The information learned enables nodes to perform local IPv6 address synthesis and to potentially avoid NAT64 on dual-stack and multi-interface deployments.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Informative ReferencesAddress Allocation for Private InternetsThis document describes address allocation for private internets. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Rogue IPv6 Router Advertisement Problem StatementWhen deploying IPv6, whether IPv6-only or dual-stack, routers are configured to send IPv6 Router Advertisements (RAs) to convey information to nodes that enable them to autoconfigure on the network. This information includes the implied default router address taken from the observed source address of the RA message, as well as on-link prefix information. However, unintended misconfigurations by users or administrators, or possibly malicious attacks on the network, may lead to bogus RAs being present, which in turn can cause operational problems for hosts on the network. In this document, we summarise the scenarios in which rogue RAs may be observed and present a list of possible solutions to the problem. We focus on the unintended causes of rogue RAs in the text. The goal of this text is to be Informational, and as such to present a framework around which solutions can be proposed and discussed. This document is not an Internet Standards Track specification; it is published for informational purposes.IPv6 Router Advertisement GuardRouted protocols are often susceptible to spoof attacks. The canonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solution that is non-trivial to deploy. This document proposes a light-weight alternative and complement to SEND based on filtering in the layer-2 network fabric, using a variety of filtering criteria, including, for example, SEND status. This document is not an Internet Standards Track specification; it is published for informational purposes.Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 ServersDNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 ServersDNS64 is a mechanism for synthesizing AAAA records from A records. DNS64 is used with an IPv6/IPv4 translator to enable client-server communication between an IPv6-only client and an IPv4-only server, without requiring any changes to either the IPv6 or the IPv4 node, for the class of applications that work through NATs. This document specifies DNS64, and provides suggestions on how it should be deployed in conjunction with IPv6/IPv4 translators. [STANDARDS-TRACK]464XLAT: Combination of Stateful and Stateless TranslationThis document describes an architecture (464XLAT) for providing limited IPv4 connectivity across an IPv6-only network by combining existing and well-known stateful protocol translation (as described in RFC 6146) in the core and stateless protocol translation (as described in RFC 6145) at the edge. 464XLAT is a simple and scalable technique to quickly deploy limited IPv4 access service to IPv6-only edge networks without encapsulation.Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)This document defines a new Port Control Protocol (PCP) option to learn the IPv6 prefix(es) used by a PCP-controlled NAT64 device to build IPv4-converted IPv6 addresses. This option is needed for successful communications when IPv4 addresses are used in referrals.Multiple Provisioning Domain ArchitectureThis document is a product of the work of the Multiple Interfaces Architecture Design team. It outlines a solution framework for some of the issues experienced by nodes that can be attached to multiple networks simultaneously. The framework defines the concept of a Provisioning Domain (PvD), which is a consistent set of network configuration information. PvD-aware nodes learn PvD-specific information from the networks they are attached to and/or other sources. PvDs are used to enable separation and configuration consistency in the presence of multiple concurrent connections.Specification for DNS over Transport Layer Security (TLS)This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.Happy Eyeballs Version 2: Better Connectivity Using ConcurrencyMany communication protocols operating over the modern Internet use hostnames. These often resolve to multiple IP addresses, each of which may have different performance and connectivity characteristics. Since specific addresses or address families (IPv4 or IPv6) may be blocked, broken, or sub-optimal on a network, clients that attempt multiple connections in parallel have a chance of establishing a connection more quickly. This document specifies requirements for algorithms that reduce this user-visible delay and provides an example algorithm, referred to as "Happy Eyeballs". This document obsoletes the original algorithm description in RFC 6555.DNS Queries over HTTPS (DoH)This document defines a protocol for sending DNS queries and getting DNS responses over HTTPS. Each DNS query-response pair is mapped into an HTTP exchange.Acknowledgements
Thanks to the following people (in alphabetical order) for their review and feedback:
, , , ,
, , , , , , , , ,
, , , ,
, , , , .
Authors' AddressesGoogleShibuya 3-21-3ShibuyaTokyo150-0002Japanlorenzo@google.comGoogle1 Darling Island RdPyrmontNSW2009Australiafurry@google.com