[Docs] [txt|pdf] [Tracker] [Email] [Nits] [IPR]

Versions: 00 01 02 03 draft-ietf-behave-v6v4-xlate-stateful

BEHAVE WG                                                     M. Bagnulo
Internet-Draft                                                      UC3M
Intended status: Standards Track                             P. Matthews
Expires: December 12, 2008                                  Unaffiliated
                                                          I. van Beijnum
                                                          IMDEA Networks
                                                           June 10, 2008


NAT64/DNS64: Network Address and Protocol Translation from IPv6 Clients
                            to IPv4 Servers
                     draft-bagnulo-behave-nat64-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 12, 2008.

Abstract

   NAT64 is a mechanism for translating IPv6 packets to IPv4 packets and
   vice-versa.  DNS64 is a mechanism for synthesizing AAAA records from
   A records.  These two mechanisms together enable client-server
   communication between an IPv6-only client and an IPv4-only server,
   without requiring any changes to either the IPv6 or the IPv4 node,
   for the class of applications that work through NATs.  They also
   enable peer-to-peer communication between an IPv4 and an IPv6 node,
   where the communication can be initiated by either end using



Bagnulo, et al.         Expires December 12, 2008               [Page 1]


Internet-Draft               NAT64 and DNS64                   June 2008


   existing, NAT-traversing, peer-to-peer communication techniques.
   This document specifies NAT64 and DNS64, and gives suggestions on how
   they should be deployed.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Features of NAT64  . . . . . . . . . . . . . . . . . . . .  3
     1.2.  Overview . . . . . . . . . . . . . . . . . . . . . . . . .  4
       1.2.1.  NAT64 solution elements  . . . . . . . . . . . . . . .  5
       1.2.2.  Walkthough . . . . . . . . . . . . . . . . . . . . . .  7
       1.2.3.  Dual stack nodes . . . . . . . . . . . . . . . . . . .  9
       1.2.4.  IPv6 nodes implementing DNSSEC . . . . . . . . . . . . 10
       1.2.5.  Filtering  . . . . . . . . . . . . . . . . . . . . . . 10
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . . 10
   3.  Normative Specification  . . . . . . . . . . . . . . . . . . . 12
     3.1.  Synthentic AAAA RRs  . . . . . . . . . . . . . . . . . . . 12
     3.2.  The EDNS SAS option  . . . . . . . . . . . . . . . . . . . 13
     3.3.  DNS64  . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     3.4.  NAT64  . . . . . . . . . . . . . . . . . . . . . . . . . . 15
       3.4.1.  Determining the Incoming 5-tuple . . . . . . . . . . . 17
       3.4.2.  Filtering and Updating Session Information . . . . . . 17
         3.4.2.1.  UDP Session Handling . . . . . . . . . . . . . . . 18
         3.4.2.2.  TCP Session Handling . . . . . . . . . . . . . . . 18
       3.4.3.  Computing the Outgoing 5-Tuple . . . . . . . . . . . . 18
       3.4.4.  Translating the Packet . . . . . . . . . . . . . . . . 20
       3.4.5.  Handling Hairpinning . . . . . . . . . . . . . . . . . 21
     3.5.  FTP ALG  . . . . . . . . . . . . . . . . . . . . . . . . . 21
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 21
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 23
   6.  Changes from Previous Draft Versions . . . . . . . . . . . . . 23
   7.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 23
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 24
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 24
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
   Intellectual Property and Copyright Statements . . . . . . . . . . 27












Bagnulo, et al.         Expires December 12, 2008               [Page 2]


Internet-Draft               NAT64 and DNS64                   June 2008


1.  Introduction

   This document specifies NAT64 and DNS64, two mechanisms for IPv6-IPv4
   transition and co-existence.  Together, these two mechanisms allow a
   IPv6-only client to initiate communications to an IPv4-only server,
   and also allow peer-to-peer communication between IPv6-only and IPv4-
   only hosts.

   NAT64 is a mechanism for translating IPv6 packets to IPv4 packets.
   The translation is done by translating the packet headers according
   to SIIT [RFC2765], translating the IPv4 server address by adding or
   removing a /96 prefix, and translating the IPv6 client address by
   installing mappings in the normal NAT manner.

   DNS64 is a mechanism for synthesizing AAAA resource records (RR) from
   A RR.  The synthesis is done by adding a /96 prefix to the IPv4
   address to create an IPv6 address, where the /96 prefix is assigned
   to a NAT64 device.

   Together, these two mechanisms allow a IPv6-only client to initiate
   communications to an IPv4-only server.

   These mechanisms are expected to play a critical role in the IPv4-
   IPv6 transition and co-existence.  Due to IPv4 address depletion,
   it's likely that in the future, a lot of IPv6-only clients will want
   to connect to IPv4-only servers.  The NAT64 and DNS64 mechanisms are
   easily deployable, since they require no changes to either the IPv6
   client nor the IPv6 server.  For basic functionality, the approach
   only requires the deployment of NAT64-enabled devices connecting an
   IPv6-only network to the IPv4-only Internet, along with the
   deployment of a few DNS64-enabled name servers in the IPv6-only
   network.  However, some advanced features require software updates to
   the IPv6-only hosts.

   The NAT64 and DNS64 mechanisms are related to the NAT-PT mechanism
   defined in [RFC2766], but significant differences exist.  First,
   NAT64 does not define the NATPT mechanisms used to support IPv6 only
   servers to be contacted by IPv4 only clients, but only defines the
   mechanisms for IPv6 clients to contact IPv4 servers and its potential
   reuse to support peer to peer communications through standard NAT
   traversal techniques.  Second, NAT64 includes a set of features that
   overcomes many of the reasons the original NAT-PT specification was
   moved to historic status [RFC4966].

1.1.  Features of NAT64

   The features of NAT64 and DNS64 are:




Bagnulo, et al.         Expires December 12, 2008               [Page 3]


Internet-Draft               NAT64 and DNS64                   June 2008


   o  It enables IPv6-only nodes to initiate a client-server connection
      with an IPv4-only server, without needing any changes on either
      IPv4 or IPv6 nodes.  This works for the same class of applications
      that work through IPv4-to-IPv4 NATs.

   o  It supports peer-to-peer communication between IPv4 and IPv6
      nodes, including the ability for IPv4 nodes to initiate
      communcation with IPv6 nodes using peer-to-peer techniques (i.e.,
      using a rendezvous server and ICE).  To this end, NAT64 is
      compliant with the recommendations for how NATs should handle UDP
      [RFC4787], TCP [I-D.ietf-behave-tcp], and ICMP
      [I-D.ietf-behave-nat-icmp].

   o  Compatible with ICE.

   o  Supports additional features with some changes on nodes.  These
      features include:

      *  Support for DNSSec

      *  Some forms of IPSec support

      *  Increased ability to detect when there is a communication path
         that does not involve translating between IPv6 and IPv4.  This
         is achieved by marking synthetic DNS AAAA resource records
         which usage would result in translated connectivity, so that
         the sender can prefer using non-synthetic records when it is
         possible.

1.2.  Overview

   This section provides a non-normative introduction to the mechanisms
   of NAT64 and DNS64.

   NAT64 mechanism is implemented in an NAT64 box which has two
   interfaces, an IPv4 interface connected to the the IPv4 network, and
   an IPv6 interface connected to the IPv6 network.  Packets generated
   in the IPv6 network for a receiver located in the IPv4 network will
   be routed within the IPv6 network towards the NAT64 box.  The NAT64
   box will translate them and forward them as IPv4 packets through the
   IPv4 network to the IPv4 receiver.  The reverse takes place for
   packets generated in the IPv4 network for an IPv6 receiver.  NAT64,
   however, is not symmetric.  In order to be able to perform IPv6 -
   IPv4 translation NAT64 requires state, binding an IPv6 address and
   port (hereafter called an IPv6 transport address) to an IPv4 address
   and port (hereafter called an IPv4 transport address).

   Such binding state is created when the first packet flowing from the



Bagnulo, et al.         Expires December 12, 2008               [Page 4]


Internet-Draft               NAT64 and DNS64                   June 2008


   IPv6 network to the IPv4 network is translated.  After the binding
   state has been created, packets flowing in either direction on that
   particular flow are translated.  The result is that NAT64 only
   supports communications initiated by the IPv6-only node towards an
   IPv4-only node.  Some additional mechanisms, like ICE, can be used in
   combination with NAT64 to provide support for communications
   initiated by the IPv4-only node to the IPv6-only node.  The
   specification of such mechanisms, however, is out of the scope of
   this document.

1.2.1.  NAT64 solution elements

   In this section we describe the different elements involved in the
   NAT64 approach.

   The main component of the proposed solution is the translator itself.
   The translator has essentially two main parts, the address
   translation mechanism and the protocol translation mechanism.

   Protocol translation from IPv4 packet header to IPv6 packet header
   and vice-versa is performed according to SIIT [RFC2765].

   Address translation maps IPv6 transport addresses to IPv4 transport
   addresses and vice-versa.  In order to create these mappings the
   NAT64 box has two pools of addresses i.e. an IPv6 address pool (to
   represent IPv4 addresses in the IPv6 network) and an IPv4 address
   pool (to represent IPv6 addresses in the IPv4 network).  Since there
   is enough IPv6 address space, it is possible to map every IPv4
   address into a different IPv6 address.

   NAT64 creates the required mappings by using as the IPv6 address pool
   a /96 IPv6 prefix (hereafter called Pref64::/96).  This allows each
   IPv4 address to be mapped into a different IPv6 address by simply
   concatenating the /96 prefix assigned as the IPv6 address pool of the
   NAT64, with the IPv4 address being mapped (i.e. an IPv4 address X is
   mapped into the IPv6 address Pref64:X).  The NAT64 prefix Pref64::/96
   is assigned by the administrator of the NAT64 box from the global
   unicast IPv6 address block assigned to the site.  It should be noted
   that the the prefix used as the IPv6 address pool is assigned to a
   specific NAT64 box and if there are multiple NAT64 boxes, each box is
   allocated a different prefix.  Assigning the same prefix to multiple
   boxes may lead to communication failures due to internal routing
   fluctuations.

   The IPv4 address pool, however, is a set of IPv4 addresses, normally
   a small prefix assigned by the local administrator to the NAT64's
   external (IPv4) interface.  Since IPv4 address space is a scarce
   resource, the IPv4 address pool is small and typicaly not sufficient



Bagnulo, et al.         Expires December 12, 2008               [Page 5]


Internet-Draft               NAT64 and DNS64                   June 2008


   to establish permanent one-to-one mappings with IPv6 addresses.  So,
   mappings using the IPv4 address pool will be created and released
   dynamically.  Moreover, because of the IPv4 address scarcity, the
   usual practice for NAT64 is likely to be the mapping of IPv6
   transport addresses into IPv4 transport addresses, instead of IPv6
   addresses into IPv4 addresses directly, which enable a higher
   utilization of the limited IPv4 address pool.

   Because of the dynamic nature of the IPv6 to IPv4 address mapping and
   the static nature of the IPv4 to IPv6 address mapping, it is easy to
   understand that it is far simpler to allow communication initiated
   from the IPv6 side toward an IPv4 node, which address is permanently
   mapped into an IPv6 address, than communications initiated from IPv4-
   only nodes to an IPv6 node in which case IPv4 address needs to be
   associated with it dynamically.  For this reason NAT64 supports only
   communications initiated from the IPv6 side.

   An IPv6 initiator can know or derive in advance the IPv6 address
   representing the IPv4 target and send packets to that address.  The
   packets are intercepted by the NAT64 device, which associates an IPv4
   transport address of its IPv4 pool to the IPv6 transport address of
   the initiator, creating binding state, so that reply packets can be
   translated and forwarded back to the initiator.  The binding state is
   kept while packets are flowing.  Once the flow stops, and based on a
   timer, the IPv4 transport address is returned to the IPv4 address
   pool so that it can be reused for other communications.

   To allow an IPv6 initiator to do the standard DNS lookup to learn the
   address of the responder, DNS64 is used to synthesize an AAAA record
   (pronounced "quad-A" and containing an IPv6 address) from the A
   record (containing the real IPv4 address of the responder).  DNS64
   receives the DNS queries generated by the IPv6 initiator.  If there
   is no AAAA record available for the target node (which is the normal
   case when the target node is an IPv4-only node), DNS64 performs a
   query for the A record.  If an A record is discovered, DNS64 creates
   a synthetic AAAA RR by adding the Pref64::/96 of a NAT64 to the
   responder's IPv4 address (i.e. if the IPv4 node has IPv4 address X,
   then the synthetic AAAA RR will contain the IPv6 address formed as
   Pref64:X).  The synthetic AAAA RR is passed back to the IPv6
   initiator, which will initiate an IPv6 communication with the IPv6
   address associated to the IPv4 receiver.  The packet will be routed
   to the NAT64 device, which will create the IPv6 to IPv4 address
   mapping as described before.

   Having DNS synthesize AAAA records creates a number of problems, as
   described in [RFC4966]:





Bagnulo, et al.         Expires December 12, 2008               [Page 6]


Internet-Draft               NAT64 and DNS64                   June 2008


   o  The synthesized AAAA records may leak outside their intended
      scope;

   o  Dual-stack hosts may communicate with IPv4-only servers using IPv6
      which is then translated to IPv4, rather than using their IPv4
      connectivity;

   o  The IPv6-only hosts will be unable to use DNSSEC to verify the
      legitimacy of the synthetic AAAA records.

   In order to avoid these issues, responses containing synthesized
   addresses are tagged with an Extended DNS [RFC2671] option defined in
   this document, called the SAS option, so the AAAA records can be
   recognized as synthetic.  This allows caching nameservers, dual stack
   nodes and nodes implementing DNSSEC to ignore synthetic addresses and
   perform an additional request for the original address records.

1.2.2.  Walkthough

   In this example, we consider an IPv6 node located in a IPv6-only site
   that initiates a communication to a IPv4 node located in the IPv6
   Internet.

   The notation used is the following: upper case letters are IPv4
   addresses; upper case letters with a prime(') are IPv6 addresses;
   lower case letters are ports; prefixes are indicated by "P::X", which
   is a IPv6 address built from an IPv4 address X by adding the prefix
   P, mappings are indicated as "(X,x) <--> (Y',y)".

   The scenario for this case is depicted in the following figure:


      +---------------------------------------+       +-----------+
      |IPv6 site       +-------------+        |       |           |
      |  +----+        | Name server |   +-------+    |   IPv4    |
      |  | H1 |        | with DNS64  |   | NAT64 |----| Internet  |
      |  +----+        +-------------+   +-------+    +-----------+
      |    |IP addr: Y'     |              |  |            |IP addr: X
      |    ---------------------------------  |          +----+
      +---------------------------------------+          | H2 |
                                                         +----+

   The figure shows a IPv6 node H1 which has an IPv6 address Y' and an
   IPv4 node H2 with IPv4 address X.

   A NAT64 connects the IPv6 network to the IPv4 Internet.  This NAT64
   has a /96 prefix (called Pref64::/96) associated to its IPv6
   interface and an IPv4 address T assigned to its IPv4 interface.



Bagnulo, et al.         Expires December 12, 2008               [Page 7]


Internet-Draft               NAT64 and DNS64                   June 2008


   Also shown is a local name server with DNS64 functionality.  For the
   purpose of this example, we assume that the name server is a dual-
   stack node, so that H1 can contact it via IPv6, while it can contact
   IPv4-only name servers via IPv4.

   The local name server needs to know the /96 prefix assigned to the
   local NAT64 (Pref64::/96).  For the purpose of this example, we
   assume it learns this through manual configuration.

   For this example, assume the typical DNS situation where IPv6 hosts
   have only stub resolvers and the local name server does the recursive
   lookups.

   The steps by which H1 establishes communication with H2 are:

   1.  H1 does a DNS lookup for the IPv6 address of H2.  H1 does this by
       sending a DNS query for an AAAA record for H2 to the local name
       server.  Assume the local name server is implementing DNS64
       functionality.

   2.  The local DNS server resolves the query, and discovers that there
       are no AAAA records for H2.

   3.  The name server queries for a A record for H2 and gets back an A
       record containing the IPv4 address X. The name server then
       synthesizes an AAAA record.  The IPv6 address in the AAAA record
       contains the prefix assigned to the NAT64 in the first 96 bits
       and the IPv4 address X in the lower 32 bits.

   4.  The name server sends a response back to H1.  If H1 has
       indicated, in its query, that it supports the EDNS0, then the
       name server will use the SAS option to indicate that the AAAA
       record is synthetic.

   5.  H1 receives the synthetic AAAA record and sends a packet towards
       H2.  The packet is sent from a source transport address of (Y',y)
       to a destination transport address of (Pref64:X,x), where y and x
       are ports chosen by H2.

   6.  The packet is routed to the IPv6 interface of the NAT64 (since
       Pref64::/96 has been associated to this interface).

   7.  The NAT64 receives the packet and performs the following actions:

       *  The NAT64 selects an unused port t on its IPv4 address T and
          creates the mapping entry (Y',y) <--> (T,t)





Bagnulo, et al.         Expires December 12, 2008               [Page 8]


Internet-Draft               NAT64 and DNS64                   June 2008


       *  The NAT64 translates the IPv6 header into an IPv4 header using
          SIIT.

       *  The NAT64 includes (T,t) as source transport address in the
          packet and (X,x) as destination transport address in the
          packet.  Note that X is extracted directly from the lower 32
          bits of the destination IPv6 address of the received IPv6
          packet that is being translated.

       The NAT64 sends the translated packet out its IPv4 interface and
       the packet arrives at H2.

   8.  H2 node responds by sending a packet with destination transport
       address (T,t) and source transport address (X,x).

   9.  The packet is routed to the NAT64 box, which will look for an
       existing mapping containing (T,t).  Since the mapping (Y',y) <-->
       (T,t) exists, the NAT64 performs the following operations:

       *  The NAT64 translates the IPv4 header into an IPv6 header using
          SIIT.

       *  The NAT64 includes (Y',y) as source transport address in the
          packet and (Pref64:X,x) as destination transport address in
          the packet.  Note that X is extracted directly from the source
          IPv4 address of the received IPv4 packet that is being
          translated.

       The translated packet is sent out the IPv6 interface to H2.

   The packet exchange between H1 and H2 continues and packets are
   translated in the different directions as previously described.

   It is important to note that the translation still works if the IPv6
   initiator H1 learns the IPv4 address through some scheme other than a
   DNS look-up.  This is because the DNS64 processing does NOT result in
   any state installed in the NAT64 box and because the mapping of the
   IPv4 address into an IPv6 address is the result of concatenating the
   prefix defined within the site for this purpose (called Pref64::/96
   in this document) to the original IPv4 address.

1.2.3.  Dual stack nodes

   Nodes that have both IPv6 and IPv4 connectivity and are configured
   with an address for a DNS64 as their resolving nameserver may receive
   responses containing synthetic AAAA resource records.  If the node
   prefers IPv6 over IPv4, using the addresses in the synthetic AAAA RRs
   means that the node will attempt to communicate through the NAT64



Bagnulo, et al.         Expires December 12, 2008               [Page 9]


Internet-Draft               NAT64 and DNS64                   June 2008


   mechanism first, and only fall back to native IPv4 connectivity if
   connecting through NAT64 fails (if the application tries the full set
   of destination addresses).  To avoid this, dual stack nodes can
   ignore all replies to DNS requests that contain the EDNS SAS option,
   and use the destination addresses found in the responses for A
   resource record requests instead.

1.2.4.  IPv6 nodes implementing DNSSEC

   Synthesizing resource records is incompatible with DNSSEC.  So like
   dual stack nodes, IPv6 nodes implementing DNSSec must not use
   synthetic address records as indicated by the EDNS SAS option.  In
   this case, the node should perform the DNSSec validation on the
   original A RR and then locally synthesize the AAAA RR.  This
   basically means that the DNS64 functionality should be implemented in
   the local host for those hosts that want to be able to perform DNSSec
   validation.  In order to do that, hosts implementing DNS64
   functionality should be able to discover Pref64::/96 prefix that is
   needed to synthesize AAAA RR.  The means used to discover the prefix
   are out of the scope of this document.  So for the purposes of
   DNSSEC, the synthetic response doesn't exist, an IPv6 node
   implementing DNSSEC has to request the original A resource records
   and perform the normal DNSSEC validation steps.  When this is done,
   an IPv6 address is synthesized from the validated IPv4 address and
   the translator /96 prefix locally.

1.2.5.  Filtering

   A NAT64 box may do filtering, which means that it only allows a
   packet in through an interface if the appropriate permission exists.
   A NAT64 may do no filtering, or it may filter on its IPv4 interface.
   Filtering on the IPv6 interface is not supported, as mappings are
   only created by packets traveling in the IPv6 --> IPv4 direction.

   If a NAT64 filters on its IPv4 interface, then an incoming packet is
   dropped unless a packet has been recently sent out the interface with
   a destination IP address equal to the source IP address of the
   incoming packet.

   NAT64 filtering is consistent with the recommendations of RFC 4787.


2.  Terminology

   This section provides a definitive reference for all the terms used
   in document.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",



Bagnulo, et al.         Expires December 12, 2008              [Page 10]


Internet-Draft               NAT64 and DNS64                   June 2008


   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   The following terms are used in this document:

   DNS64:  A logical function that synthesizes AAAA records (containing
      IPv6 addresses) from A records (containing IPv4 addresses).

   Synthetic RR:  A DNS resource record (RR) that is not contained in
      any zone data file, but has been synthesized from other RRs.  An
      example is a synthetic AAAA record created from an A record.

   SAS Option:  An Extended DNS (EDNS) option used in DNS responses.
      Its primary purpose is to indicate that the set of AAAA RR
      contained in a DNS response are synthetic.

   NAT64:  A device that translates IPv6 packets to IPv4 packets and
      vice-versa, with the provision that the communication must be
      initiated from the IPv6 side.  The translation involves not only
      the IP header, but also the transport header (TCP or UDP).

   Session:  A TCP or UDP session.  In other words, the bi-directional
      flow of packets between two ports on two different hosts.  In
      NAT64, typically one host is an IPv4 host, and the other one is an
      IPv6 host.

   5-Tuple:  The tuple (source IP address, source port, destination IP
      address, destination port, transport protocol).  A 5-tuple
      uniquely identifies a session.  When a session flows through a
      NAT64, each session has two different 5-tuples: one with IPv4
      addresses and one with IPv6 addresses.

   Session table:  A table of sessions kept by a NAT64.  Each NAT64 has
      two session tables, one for TCP and one for UDP.

   Transport Address:  The combination of an IPv6 or IPv4 address and a
      port.  Typically written as (IP address, port); e.g. (192.0.2.15,
      8001).

   Mapping:  A mapping between an IPv6 transport address and a IPv4
      transport address.  Used to translate the addresses and ports of
      packets flowing between the IPv6 host and the IPv4 host.  In
      NAT64, the IPv4 transport address is always a transport address
      assigned to the NAT64 itself, while the IPv6 transport address
      belongs to some IPv6 host.






Bagnulo, et al.         Expires December 12, 2008              [Page 11]


Internet-Draft               NAT64 and DNS64                   June 2008


   BIB:  Binding Information Base.  A table of mappings kept by a NAT64.
      Each NAT64 has two BIBs, one for TCP and one for UDP.

   Endpoint-Independent Mapping:  In NAT64, using the same mapping for
      all sessions between an IPv6 that have the same IPv6 transport
      address endpoint.  Endpoint-independent mapping is important for
      peer-to-peer communication.  See [RFC4787] for the definition of
      the different types of mappings in IPv4-to-IPv4 NATs.

   Hairpinning:  Having a packet do a "U-turn" inside a NAT and come
      back out the same interface as it arrived on.  Hairpinning support
      is important for peer-to-peer applications, as there are cases
      when two different hosts on the same side of a NAT can only
      communicate using sessions that hairpin though the NAT.

   For a detailed understand of this document, the reader should also be
   familiar with DNS terminology [RFC1035] and current NAT terminology
   [RFC4787].


3.  Normative Specification

3.1.  Synthentic AAAA RRs

   A synthentic RR is an RR that does not appear in the master zone
   file.

   The rules on the usage of synthetic AAAA RRs are:

      Synthetic AAAA RRs MAY be included in the answer section of a
      response.

      Synthetic AAAA RRs MUST NOT be included in sections other than the
      answer section.

      A synthetic AAAA RR MUST NOT be included if the responder knows of
      at least one non-synthetic RR of the same type and class.

      If a synthetic AAAA RR is included in the answer section, then all
      RRs included in the answer section MUST be synthetic.

      If a synthetic AAAA RR is _not_ explicitly marked as synthetic
      (using the SAS option), then its TTL MUST be 0.

      If a synthetic AAAA RR is explicitly marked as synthetic (using
      the SAS option), then its TTL SHOULD be 0.

   TBD: Can/should the AA bit be set in a response containing synthetic



Bagnulo, et al.         Expires December 12, 2008              [Page 12]


Internet-Draft               NAT64 and DNS64                   June 2008


   RRs?

   TBD: Do we always want synthetic RRs to have a TTL of 0?  Is it ever
   reasonable or desirable to cache them?

3.2.  The EDNS SAS option

   EDNS [RFC2671] defines a mechanism to add options to the DNS
   [RFC1035] protocol.  This section defines the SAS (Status of Answer
   Section) option that indicates the status (real or synethetic) of RRs
   in the answer section.

   The format of the SAS option is:
       0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
     +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
     |                          OPTION-CODE                          |
     +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
     |                         OPTION-LENGTH                         |
     +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
     |                                                               |
     /                          OPTION-DATA                          /
     |                                                               |
     +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

   The fields are defined as follows:

   o  OPTION-CODE: (to be allocated by IANA)

   o  OPTION-LENGTH: the size (in octets) of the OPTION-DATA part of the
      option

   o  OPTION-DATA: variable length field.  No values for this field are
      defined by this document.

   For any OPTION-DATA defined in the future, the maximum length of the
   OPTION-DATA field in the SAS option is 12 bytes, and any SAS option
   with a OPTION-LENGTH of more than 8 SHOULD be silently ignored.

   The rules on the usage of the SAS option are:

      A requestor that understands the SAS option SHOULD include the OPT
      RR in all queries.

      A responder can include the SAS option in a response only if the
      OPT RR appeared in the corresponding query.

      Any options not understood or not meaningful in the current
      context MUST be ignored.



Bagnulo, et al.         Expires December 12, 2008              [Page 13]


Internet-Draft               NAT64 and DNS64                   June 2008


      A responder MUST include the SAS option in the response if it
      knows that all the RRs in the answer section are synthetic.

   The presence of the OPT RR in a query indicates that the requestor
   understands the OPT extension.

3.3.  DNS64

   A DNS64 is a logical function that synthesizes AAAA records from A
   records.  The DNS64 function may be implemented in a resolver, in a
   local recursive name server, or in some other device such as a NAT64.

   The only configuration parameter required by the DNS64 is the /96
   IPv6 prefix assigned to a NAT64.  This prefix is used to map IPv4
   addresses into IPv6 addresses, and is denoted Pref64::/96.  The DNS64
   learns this prefix through some means not specified here.

   When the DNS64 receives a query for RRs of type AAAA and class IN, it
   firsts attempts to retrieve non-synthetic RRs of this type and class
   (where "non-synthetic RRs" means RRs not explicitly marked as
   synthetic).  If this query results in one or more AAAA records or in
   an error condition, this result is returned to the client as per
   normal DNS semantics.  If the query is successful, but doesn't return
   any answers, the DNS64 resolver executes a recursive A RR lookup for
   the name in question.  If this query results in an empty result or in
   an error, this result is returned to the client.  If the query
   results in one or more A RRs, the DNS64 synthesizes AAAA RRs based on
   the A RRs and the /96 prefix of the translator.  The synthetic AAAA
   RRs get a TTL of 0 second.  The DNS64 resolver then returns the
   synthesized AAAA records to the client.  If the client included the
   EDNS0 OPT RR in the query, the DNS64 resolver MUST include an EDNS0
   OPT RR that contains the SAS option.  When synthesizing the answer to
   a query for ANY, the DNS64 MUST include the A records from which the
   AAAA records were synthesized.

   To ensure endpoint-independent mapping behavior, a given IPv6 host
   must always use the same NAT64.  This, in turn, means that any
   synthetic AAAA records used by the host must always use the same
   prefix.  To ensure this, if a DNS64 has multiple Pref64::/96 prefixes
   configured, it SHOULD ensure that the same prefix is used for all
   AAAA records returned to a given host across all queries.  A
   reasonable exception would be when the DNS64 knows, through some
   unspecified means, that the NAT64 associated with a Pref64::/96
   prefix is no longer functional.

   Furthermore, it is highly desirable to synthesize the AAAA records as
   close as possible to the host that will use them.  This helps ensure
   that a given host always uses the same NAT64.



Bagnulo, et al.         Expires December 12, 2008              [Page 14]


Internet-Draft               NAT64 and DNS64                   June 2008


   The DNS64 MUST obey the rules for synthetic RRs (Section 3.1) and the
   SAS option (Section 3.2).

   A synthetic AAAA record is created from an A record as follows:

   o  The NAME field is set to the NAME field from the A record

   o  The TYPE field is set to 28 (AAAA)

   o  The CLASS field is set to 1 (IN)

   o  The TTL field is set as described in Section 3.1

   o  The RDLENGTH field is set to 16

   o  The RDATA field is set to the IPv6 address whose upper 96 bits are
      Pref64::/96 and whose lower 32 bits are the IPv4 address from the
      RDATA field of the A record.

   TBD: What does a DNS64 do when a query for an A record returns a
   CNAME record and an A record?  The SAS option, as currently defined,
   flags ALL records in the answer section as synthetic.  Does the DNS64
   return just a CNAME record?  Does it return just an AAAA record?  Or
   does it return a real CNAME record and a synthetic AAAA record in the
   answer section -- something that the current rules do not allow.

3.4.  NAT64

   A NAT64 is a device with one IPv6 interface and one IPv4 interface.
   The IPv6 interface MUST have a unicast /96 IPv6 prefix assigned to
   it, denoted Pref64::/96.  The IPv4 interface MUST have one or more
   unicast IPv4 addresses assigned to it.

   A NAT64 uses the following dynamic data structures:

   o  UDP BIB

   o  UDP Session Table

   o  TCP BIB

   o  TCP Session Table

   A NAT64 has two Binding Information Bases: one for TCP and one for
   UDP.  Each BIB entry specifies a mapping between an IPv6 transport
   address and an IPv4 transport address:





Bagnulo, et al.         Expires December 12, 2008              [Page 15]


Internet-Draft               NAT64 and DNS64                   June 2008


      (X',x) <--> (T,t)

   where X' is some IPv6 address, T is an IPv4 address, and x and t are
   ports.  T will always be one of the IPv4 addresses assigned to the
   IPv4 interface of the NAT64.  A given IPv6 or IPv4 transport address
   can appear in at most one entry in a BIB: for example, (2001:db8::17,
   4) can appear in at most one TCP and at most one UDP BIB entry.  TCP
   and UDP have separate BIBs because the port number space for TCP and
   UDP are distinct.

   A NAT64 also has two session tables: one for TCP sessions and one for
   UDP sessions.  Each entry keeps information on the state of the
   corresponding session: see Section 3.4.2.  The NAT64 uses the session
   state information to determine when the session is completed, and
   also uses session information for ingress filtering.  A session can
   be uniquely identified by either an incoming 5-tuple or an outgoing
   5-tuple.

   For each session, there is a corresponding BIB entry, uniquely
   specified by either the source IPv6 transport address (in the IPv6
   --> IPv4 direction) or the destination IPv4 transport address (in the
   IPv4 --> IPv6 direction).  However, a single BIB entry can have
   multiple corresponding sessions.  When the last corresponding session
   is deleted, the BIB entry is deleted.

   The processing of an incoming IP packet takes the following steps:

   1.  Determining the incoming 5-tuple

   2.  Filtering and updating session information

   3.  Computing the outgoing 5-tuple

   4.  Translating the packet

   5.  Handling hairpinning

   The details of these steps are specified in the following
   subsections.

   This breakdown of the NAT64 behavior into processing steps is done
   for ease of presentation.  A NAT64 MAY perform the steps in a
   different order, or MAY perform different steps, as long as the
   externally visible outcome in the same.

   TBD: Add support for ICMP Query packets.  (ICMP Error packets are
   handled).




Bagnulo, et al.         Expires December 12, 2008              [Page 16]


Internet-Draft               NAT64 and DNS64                   June 2008


3.4.1.  Determining the Incoming 5-tuple

   This step associates a incoming 5-tuple (source IP address, source
   port, destination IP address, destination port, transport protocol)
   with every incoming IP packet for use in subsequent steps.

   If the incoming IP packet contains a complete (un-fragmented) UDP or
   TCP protocol packet, then the 5-tuple is computed by extracting the
   appropriate fields from the packet.

   If the incoming IP packet contains a complete (un-fragmented) ICMP
   message, then the 5-tuple is computed by extracting the appropriate
   fields from the IP packet embedded inside the ICMP message.  However,
   the role of source and destination is swapped when doing this: the
   embedded source IP address becomes the destination IP address in the
   5-tuple, the embedded source port becomes the destination port in the
   5-tuple, etc.  If it is not possible to determine the 5-tuple
   (perhaps because not enough of the embedded packet is reproduced
   inside the ICMP message), then the incoming IP packet is silently
   discarded.

      NOTE: The transport protocol is always one of TCP or UDP, even if
      the IP packet contains an ICMP message.

   If the incoming IP packet contains a fragment, then more processing
   may be needed.  This specification leaves open the exact details of
   how a NAT64 handles incoming IP packets containing fragments, and
   simply requires that a NAT64 handle fragments arriving out-of-order.
   A NAT64 MAY elect to queue the fragments as they arrive and translate
   all fragments at the same time.  Alternatively, a NAT64 MAY translate
   the fragments as they arrive, by storing information that allows it
   to compute the 5-tuple for fragments other than the first.  In the
   latter case, the NAT64 will still need to handle the situation where
   subsequent fragments arrive before the first.

   Implementors of NAT64 should be aware that there are a number of
   well-known attacks against IP fragmentation; see [RFC1858] and
   [RFC3128].

   Assuming it otherwise has sufficient resources, a NAT64 MUST allow
   the fragments to arrive over a time interval of at least 10 seconds.
   A NAT64 MAY require that the UDP, TCP, or ICMP header be completely
   contained within the first fragment.

3.4.2.  Filtering and Updating Session Information

   This step updates the per-session information stored in the
   appropriate session table.  This affects the lifetime of the session,



Bagnulo, et al.         Expires December 12, 2008              [Page 17]


Internet-Draft               NAT64 and DNS64                   June 2008


   which in turn affects the lifetime of the corresponding BIB entry.
   This step may also filter incoming packets, if desired.

   The details of this step depend on the transport protocol (UDP or
   TCP).

3.4.2.1.  UDP Session Handling

   The state information stored for a UDP session is a timer that tracks
   the remaining lifetime of the UDP session.  The NAT64 decrements this
   timer at regular intervals.  When the timer expires, the UDP session
   is deleted.

   The incoming packet is processed as follows:

   1.  If the packet arrived on the IPv4 interface and the NAT64 filters
       on its IPv4 interface, then the NAT64 checks to see if the
       incoming packet is allowed according to the address-dependent
       filtering rule.  To do this, it searches for a session table
       entry with a source IPv4 address equal to the source IPv4 address
       in the incoming 5-tuple.  If such an entry is found (there may be
       more than one), packet processing continues.  Otherwise, the
       packet is discarded.  If the packet is discarded, then an ICMP
       message SHOULD be sent to the original sender of the packet,
       unless the discarded packet is itself an ICMP message.  The ICMP
       message, if sent, has a type of 3 (Destination Unreachable) and a
       code of 13 (Communication Administratively Prohibited).

   2.  The NAT64 searches for the session table entry corresponding to
       the incoming 5-tuple.  If no such entry if found, a new entry is
       created.

   3.  The NAT64 sets or resets the timer in the session table entry to
       maximum session lifetime.  By default, the maximum session
       lifetime is 5 minutes, but for specific destination ports in the
       Well-Known port range (0..1023), the NAT64 MAY use a smaller
       maximum lifetime.

3.4.2.2.  TCP Session Handling

   TBD: Describe the state machine required to track the state of the
   TCP session.  This is a simplified version of the state machine used
   by the endpoints.

3.4.3.  Computing the Outgoing 5-Tuple

   This step computes the outgoing 5-tuple by translating the addresses
   and ports in the incoming 5-tuple.  The transport protocol in the



Bagnulo, et al.         Expires December 12, 2008              [Page 18]


Internet-Draft               NAT64 and DNS64                   June 2008


   outgoing 5-tuple is always the same as that in the incoming 5-tuple.

   In the text below, a reference to the "the BIB" means either the TCP
   BIB or the UDP BIB as appropriate, as determined by the transport
   protocol in the 5-tuple.

      NOTE: Not all addresses are translated using the BIB.  BIB entries
      are used to translate IPv6 source transport addresses to IPv4
      source transport addresses, and IPv4 destination transport
      addresses to IPv6 destination transport addresses.  They are NOT
      used to translate IPv6 destination transport addresses to IPv4
      destination transport addresses, nor to translate IPv4 source
      transport addresses to IPv6 source transport addresses.  The
      latter cases are handled by adding or removing the /96 prefix.
      This distinction is important; without it, hairpinning doesn't
      work correctly.

   When translating in the IPv6 --> IPv4 direction, let the incoming
   source and destination transport addresses in the 5-tuple be (S',s)
   and (D',d) respectively.  The outgoing source transport address is
   computed as follows:

      If the BIB contains a entry (S',s) <--> (T,t), then the outgoing
      source transport address is (T,t).

      Otherwise, create a new BIB entry (S',s) <--> (T,t) as described
      below.  The outgoing source transport address is (T,t).

   The outgoing destination address is computed as follows:

      If D' is composed of the NAT64's prefix followed by an IPv4
      address D, then the outgoing destination transport address is
      (D,d).

      Otherwise, discard the packet.

   When translating in the IPv4 --> IPv6 direction, let the incoming
   source and destination transport addresses in the 5-tuple be (S,s)
   and (D,d) respectively.  The outgoing source transport address is
   computed as follows:

      The outgoing source transport address is (Pref64::S,s).

   The outgoing destination transport address is computed as follows:

      If the BIB contains an entry (X',x) <--> (D,d), then the outgoing
      destination transport address is (X',x).




Bagnulo, et al.         Expires December 12, 2008              [Page 19]


Internet-Draft               NAT64 and DNS64                   June 2008


      Otherwise, discard the packet.

   If the rules specify that a new BIB entry is created for a source
   transport address of (S',s), then the NAT64 allocates an IPv4
   transport address for this BIB entry as follows:

      If there exists some other BIB entry containing S' as the IPv6
      address and mapping it to some IPv4 address T, then use T as the
      IPv4 address.  Otherwise, use any IPv4 address assigned to the
      IPv4 interface.

      If the port s is in the Well-Known port range 0..1023, then
      allocate a port t from this same range.  Otherwise, if the port s
      is in the range 1024..65535, then allocate a port t from this
      range.  Furthermore, if port s is even, then t must be even, and
      if port s is odd, then t must be odd.

      In all cases, the allocated IPv4 transport address (T,t) MUST NOT
      be in use in another entry in the same BIB, but MAY be in use in
      the other BIB.

   If it is not possible to allocate an appropriate IPv4 transport
   address or create a BIB entry for some reason, then the packet is
   discarded.

   TBD: Do we delete the session entry if we cannot create a BIB entry?

   If the rules specify that the packet is discarded, then the NAT64
   SHOULD send an ICMP reply to the original sender, unless the packet
   being translated contains an ICMP message.  The type should be 3
   (Destination Unreachable) and the code should be 0 (Network
   Unreachable in IPv4, and No Route to Destination in IPv6).

3.4.4.  Translating the Packet

   This step translates the packet from IPv6 to IPv4 or vica-versa.

   The translation of the packet is as specified in section 3 and
   section 4 of SIIT [RFC2765], with the following modifications:

   o  When translating an IP header (sections 3.1 and 4.1), the source
      and destination IP address fields are set to the source and
      destination IP addresses from the outgoing 5-tuple.

   o  When the protocol following the IP header is TCP or UDP, then the
      source and destination ports are modified to the source and
      destination ports from the 5-tuple.  In addition, the TCP or UDP
      checksum must also be updated to reflect the translated addresses



Bagnulo, et al.         Expires December 12, 2008              [Page 20]


Internet-Draft               NAT64 and DNS64                   June 2008


      and ports; note that the TCP and UDP checksum covers the pseudo-
      header which contains the source and destination IP addresses.  An
      algorithm for efficently updating these checksums is described in
      [RFC3022].

   o  When the protocol following the IP header is ICMP (sections 3.4
      and 4.4) the source and destination transport addresses in the
      embedded packet are set to the destination and source transport
      addresses from the outgoing 5-tuple (note the swap of source and
      destination).

3.4.5.  Handling Hairpinning

   This step handles hairpinning if necessary.

   If the destination IP address is an address assigned to the NAT64
   itself (i.e., is one of the IPv4 addresses assigned to the IPv4
   interface, or is covered by the /96 prefix assigned to the IPv6
   interface), then the packet is a hairpin packet.  The outgoing
   5-tuple becomes the incoming 5-tuple, and the packet is treated as if
   it was received on the outgoing interface.  Processing of the packet
   continues at step 2.

   TBD: Is there such a thing as a hairpin loop (likely not naturally,
   but perhaps through a special-crafted attack packet with a spoofed
   source address)?  If so, need to drop packets that hairpin more than
   once.

3.5.  FTP ALG

   TBD: Describe the FTP ALG, a mechanism for translating the embedded
   IP addresses inside FTP commands, that enables FTP sessions to pass
   through NAT64.


4.  Security Considerations

   Implications on end-to-end security, IPSec and TLS.

   Any protocol that protect IP header information are essentially
   incompatible with NAT64.  So, this implies that end to end IPSec
   verification will fail when AH is used (both transport and tunnel
   mode) and when ESP is used in transport mode.  This is inherent to
   any network layer translation mechanism.  End-to-end IPsec protection
   can be restored, using UDP encapsulation as described in [RFC2765].

   TBD: TLS implications




Bagnulo, et al.         Expires December 12, 2008              [Page 21]


Internet-Draft               NAT64 and DNS64                   June 2008


   Implications on DNS security and DNSSec.

   NAT64 uses synthetic DNS RR to enable IPv6 clients to initiate
   communications with IPv4 servers using the DNS.  This essentially
   means that the DNS64 component generates synthetic AAAA RR that are
   not contained in the master zone file.  From a DNSSec perspective,
   this means that the straight DNSSec verification of such RR would
   fail.  However, it is possible to restore DNSSec functionality if the
   verification is performed right before the DNS64 processing directly
   using the original A RR of the IPv4 server.  So, in order to jointly
   use the NAT64 appraoch described in thei specification and DNSSec
   validation, the DNS64 functionality should be performed in the
   resolver of the IPv6 client.  In this case, the IPv6 client would
   receive the original A RR with DNSSec information and it would first
   perform the DNSSec validation.  If it is succcessful, it would then
   proceed the synthetize the AAAA RR according to the mechanism
   described in this document.  It should be noted that the synthetic
   AAAA RR would stay within the IPv6 client and it would not leak
   outside, making further DNSSec validations unnecesary.

   Filtering.

   NAT64 creates binding state using packets flowing from the IPv6 side
   to the IPv4 side.  So, NAT64 implements by definition, at least,
   endpoint independent filtering, meaning that in order to enable any
   packet to flow from the IPv4 side to the IPv6 side, there must have
   been a packet flowing from the IPv6 side to the IPv4 side the created
   the binding information to be used for packets in the other
   direction.  Endpoint independent filtering allows that once a binding
   is created, it can be used by any node on the IPv4 side to send
   packets to the IPv6 transport address that created the binding.  This
   basically means that as long a the IPv6 node does not open a hole in
   the NAT64, incoming communications are blocked and that once that the
   IPv6 node has sent the first packet, this packet opens the door for
   any node on the IPv4 side to send packets to that IPv6 transport
   address.  It is possible to configure the NAT64 to implement more
   stringent security policy, if endpoint independent mapping is
   considered not secure enough.  In particular, if the security policy
   of the NAT64 requires it, is it possible to configure the NAT64 to
   perform address dependent filtering.  This basically means that the
   binding state created can only be used by to send packets from the
   IPv4 address to which the original packet that created the binding
   was sent to.  This basically means that the door is open only for
   that IPv4 address to send packet to the IPv6 transport address.

   Attacks to NAT64.

   The NAT64 device itself is a potential victim of different type of



Bagnulo, et al.         Expires December 12, 2008              [Page 22]


Internet-Draft               NAT64 and DNS64                   June 2008


   attacks.  In particular, the NAT64 can be a victim of DoS attacks.
   The NAT64 box has a limited number of resources that can be consumed
   by attackers creating a DoS attack.  The NAT64 has a limited number
   of IPv4 address that is uses to create the bindings.  Even though the
   NAT64 performs address and port translation, it is possible for an
   attacker to consume all the IPv4 transport addresses by sending IPv6
   packets with different source IPv6 transport address.  It should be
   noted that this attack can only be launched from the IPv6 side, since
   IPv4 packets are not used to create binding state.  DoS attacks can
   also affect other limited resource available in the NAT64 such as
   memory or link capacity.  For instance, if the NAT64 implements
   reassembly of fragmented packets, it is possible for an attacker to
   launch a DoS attack to the memory of the NAT64 device by sending
   fragments that the NAT64 will store for a given period.  If the
   number of fragments if high enough, the memory of the NAT64 could be
   exhausted.  NAT64 devices should implement proper protection against
   such attacks, for instance allocating a limited amount of memory for
   fragmented packet storage.


5.  IANA Considerations

   The IANA is requested to assign an EDNS Option Code value for the SAS
   option.

   TBD: Set up an IANA registry for SAS flags??


6.  Changes from Previous Draft Versions

   Note to RFC Editor: Please remove this section prior to publication
   of this document as an RFC.

   [[This section lists the changes between the various versions of this
   draft.]]


7.  Contributors

      George Tsirtsis

      Qualcomm

      tsirtsis@googlemail.com







Bagnulo, et al.         Expires December 12, 2008              [Page 23]


Internet-Draft               NAT64 and DNS64                   June 2008


8.  Acknowledgements

   Alberto Garcia-Martinez and Joao Damas reviewed the document and
   provided useful comments to improve it.

   Marcelo Bagnulo and Iljitsch van Beijnum are partly funded by
   Trilogy, a research project supported by the European Commission
   under its Seventh Framework Program.


9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
              RFC 2671, August 1999.

   [RFC2765]  Nordmark, E., "Stateless IP/ICMP Translation Algorithm
              (SIIT)", RFC 2765, February 2000.

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.

   [I-D.ietf-behave-tcp]
              Guha, S., "NAT Behavioral Requirements for TCP",
              draft-ietf-behave-tcp-07 (work in progress), April 2007.

   [I-D.ietf-behave-nat-icmp]
              Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP protocol",
              draft-ietf-behave-nat-icmp-08 (work in progress),
              June 2008.

9.2.  Informative References

   [RFC2766]  Tsirtsis, G. and P. Srisuresh, "Network Address
              Translation - Protocol Translation (NAT-PT)", RFC 2766,
              February 2000.

   [RFC1858]  Ziemba, G., Reed, D., and P. Traina, "Security
              Considerations for IP Fragment Filtering", RFC 1858,



Bagnulo, et al.         Expires December 12, 2008              [Page 24]


Internet-Draft               NAT64 and DNS64                   June 2008


              October 1995.

   [RFC3128]  Miller, I., "Protection Against a Variant of the Tiny
              Fragment Attack (RFC 1858)", RFC 3128, June 2001.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              January 2001.

   [RFC4966]  Aoun, C. and E. Davies, "Reasons to Move the Network
              Address Translator - Protocol Translator (NAT-PT) to
              Historic Status", RFC 4966, July 2007.

   [I-D.ietf-mmusic-ice]
              Rosenberg, J., "Interactive Connectivity Establishment
              (ICE): A Protocol for Network Address  Translator (NAT)
              Traversal for Offer/Answer Protocols",
              draft-ietf-mmusic-ice-19 (work in progress), October 2007.

   [RFC3498]  Kuhfeld, J., Johnson, J., and M. Thatcher, "Definitions of
              Managed Objects for Synchronous Optical Network (SONET)
              Linear Automatic Protection Switching (APS)
              Architectures", RFC 3498, March 2003.


Authors' Addresses

   Marcelo Bagnulo
   UC3M
   Av. Universidad 30
   Leganes, Madrid  28911
   Spain

   Phone: +34-91-6249500
   Fax:
   Email: marcelo@it.uc3m.es
   URI:   http://www.it.uc3m.es/marcelo


   Philip Matthews
   Unaffiliated

   Email: philip_matthews@magma.ca
   URI:







Bagnulo, et al.         Expires December 12, 2008              [Page 25]


Internet-Draft               NAT64 and DNS64                   June 2008


   Iljitsch van Beijnum
   IMDEA Networks
   Av. Universidad 30
   Leganes, Madrid  28911
   Spain

   Phone: +34-91-6246245
   Email: iljitsch@muada.com











































Bagnulo, et al.         Expires December 12, 2008              [Page 26]


Internet-Draft               NAT64 and DNS64                   June 2008


Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.











Bagnulo, et al.         Expires December 12, 2008              [Page 27]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/