
Network Working Group                                  R. Denis-Courmont
Internet-Draft                                                     Nokia
Intended status: Informational                         February 17, 2009
Expires: August 21, 2009


       Problems with IPv6 source address selection and IPv4 NATs
                    draft-denis-v6ops-nat-addrsel-00

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 21, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Abstract

   This memo details a problem, and a potential solution, that arise
   when using the IPv6 source address selection algorithm with private
   IPv4 address space.



Denis-Courmont           Expires August 21, 2009                [Page 1]


Internet-Draft                NAT & RFC3484                February 2009

1.  Introduction

   When a host initiates an IP communication flow with a remote host, a
   pair of local and remote IP addresses to use must be chosen.  If
   either or both hosts is assigned multiple IP addresses, an address
   selection mechanism is required.  That can happen, for instance, if
   either or both hosts are dual-stacked.  The default address selection
   scheme[RFC3484] was specified to address this problem.

   One fundamental design assumption of this scheme is the ability to
   determine a scope for any address (IPv4 or IPv6).  To that end,
   static scoping rules were defined.  This memo explains why and how
   the current rules are inadequate when Network Address Translation
   (NAT) is involved, which is a common occurrence in modern-day IPv4
   deployments.

2.  IPv4 address scopes

   As defined in [RFC3484], a unicast IPv4 address has one of three
   scopes:

   Link-local scope:  Loopback addresses (127.0.0.0/8) and
      autoconfigured addresses (169.254.0.0/16).

   Site-local scope:  Private addresses as defined in [RFC1918].

   Global scope:  All other unicast addresses.

   The address scopes are supposed to be universal, and hence they are
   statically defined.  Furthermore, per [RFC3484], the scope matching
   rule (Rule 2) is applied before any other rule, except for the
   identical address rule (Rule 1).  In other words, apart from the
   corner case whereby the local and remote hosts are one and the same,
   the scope matching rule always "wins".

3.  NAT and address scope

   When a packet crosses a NAT, either its source or its destination
   address will change.  As a consequence, the scope of that address
   might change as well.  In any case, the result of the source address
   selection scheme could be different when the original address is
   substituted with the translated address.

   In fact, many real-world NAT deployments use private addresses on one
   side of the NAT, and public addresses on the other side.  This is
   probably the most common scenario for IPv4 networks in a SOHO
   environment: a single public IPv4 address is provisioned to a
   customer, and all hosts on the customer network "share" that address
   using a NAT function within the Customer Premises Equipment (CPE).

   [RFC3484] assumes that a source address with a small scope cannot
   reach a destination address with a larger scope.  However, if private
   IPv4 addresses and a NAT are used to reach public IPv4 addresses,
   then this assumption does not hold.  In other words, the private IPv4
   addresses behind NATs effectively have a global scope, provided that
   the protocols above the IP network layer can cope with network
   address translation.

4.  Applicability to IPv6 transition mechanisms

   [RFC3484] states that "the use of transitional addresses when native
   addresses are available [should be avoided]".  Indeed, transitional
   addresses and transition mechanisms in general tend to be less
   reliable than native connectivity, including native IPv4
   connectivity.

   However, in a typical deployment of NAT'ed private IPv4 addresses
   where IPv6 transition mechanisms are available, a dual-stack host
   will typically have the following addresses.  They are the candidate
   source addresses:

   o  a link-local IPv6 address (autoconfigured),

   o  a site-local scope private IPv4 address (e.g. assigned by DHCPv4),

   o  a global scope transitional IPv6 address, such as Teredo[RFC4380],
      or 6to4[RFC3056] (e.g. if the CPE is a 6to4 gateway).

   If the destination host is also dual-stacked, then it will typically
   have two public addresses (though the number is not relevant).  They
   are the candidate destination addresses:

   o  a global native IPv6 address (e.g. from DNS AAAA record),

   o  a global IPv4 address (e.g. from DNS A record).

   Because the candidate source IPv4 address has a smaller scope (site-
   local) than the candidate destination IPv4 address (global), it will
   be eliminated.  The address selection algorithm will always select
   the IPv6 address pair:

   o  the transitional IPv6 address as source,

   o  the global native IPv6 address as destination.

   Thus, the transitional (IPv6) address will be used instead of the
   native (IPv4) address, even though that should have been avoided.

   There is no way to override this result with a compliant
   implementation of source address selection.  In particular, the
   policy table does not affect this result, because the scope rules
   preempt the policy table rules.

5.  Solutions

5.1.  Changing the private IPv4 address scope

   Several operating system vendors appear to work around this issue by
   assigning a global scope to private IPv4 addresses.  Thus, Rule 2 no
   longer discriminates against the IPv4 address pair.

   In that case, provided the policy table has separate labels for
   transitional addresses, the IPv4 address pair will be selected.
   IPv4 addresses normally all have the same label.

   Note that the default policy table has a separate label for 6to4
   addresses.  However, as it predates Teredo, it lacks a distinct label
   for the Teredo prefix, 2001:0::/32.  An adequate extra label would be
   as follows:

   Prefix: 2001:0::/32, Precedence: 5, Label: 5
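
   The following Python program is an added illustration, not part of
   this draft and not the code of any operating system vendor.  It
   implements just enough of the [RFC3484] procedure (source selection
   Rules 1, 2 and 6; destination selection Rules 1, 2, 5 and 6, with the
   default policy table of that RFC) to reproduce, on constructed
   addresses, the three outcomes discussed in Sections 4 and 5.1: with
   the standard IPv4 scopes the Teredo pair wins; treating private IPv4
   addresses as global is not enough on its own, because the Teredo
   source then shares the native IPv6 label and Rule 6 (precedence)
   still favours IPv6; adding the Teredo label above finally yields the
   IPv4 pair.  The Teredo address, the private address and the
   documentation-range destinations are all constructed examples.

```python
"""Reduced RFC 3484 address-pair selection (added example, not the draft's code).
Implements only the rules the draft's argument depends on."""
import ipaddress

# RFC 3484 section 3.1 scope values; only their ordering matters here.
LINK_LOCAL, SITE_LOCAL, GLOBAL = 2, 5, 14

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
V4_LINK_LOCAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16")]

# RFC 3484 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY = [
    (ipaddress.ip_network("::1/128"), 50, 0),
    (ipaddress.ip_network("::/0"), 40, 1),
    (ipaddress.ip_network("2002::/16"), 30, 2),
    (ipaddress.ip_network("::/96"), 20, 3),
    (ipaddress.ip_network("::ffff:0:0/96"), 10, 4),
]
# Extra Teredo entry as proposed in section 5.1 of the draft.
TEREDO_ENTRY = (ipaddress.ip_network("2001:0::/32"), 5, 5)


def make_scope(private_is_global=False):
    """Return a Scope() function.  private_is_global=True reproduces the
    vendor workaround of section 5.1 (RFC 1918 space treated as global)."""
    def scope(addr):
        if addr.version == 4:
            if any(addr in n for n in V4_LINK_LOCAL):
                return LINK_LOCAL
            if any(addr in n for n in RFC1918) and not private_is_global:
                return SITE_LOCAL
            return GLOBAL
        if addr.is_loopback or addr in ipaddress.ip_network("fe80::/10"):
            return LINK_LOCAL
        if addr in ipaddress.ip_network("fec0::/10"):
            return SITE_LOCAL
        return GLOBAL
    return scope


def policy(addr, table):
    """Longest-prefix policy lookup; IPv4 is looked up as an IPv4-mapped address."""
    a = addr if addr.version == 6 else ipaddress.IPv6Address(f"::ffff:{addr}")
    _, precedence, label = max((e for e in table if a in e[0]), key=lambda e: e[0].prefixlen)
    return precedence, label


def select_source(dest, candidates, scope, table):
    """Source(D): RFC 3484 section 5 reduced to Rules 1, 2 and 6."""
    same_family = [c for c in candidates if c.version == dest.version]
    if not same_family:
        return None
    d_scope = scope(dest)

    def key(src):
        s = scope(src)
        adequate = s >= d_scope  # Rule 2: scope must cover the destination's
        return (src == dest,                                   # Rule 1: same address
                adequate, -s if adequate else s,               # Rule 2: smallest adequate scope
                policy(src, table)[1] == policy(dest, table)[1])  # Rule 6: matching label
    return max(same_family, key=key)


def select_pair(destinations, candidates, private_is_global=False, table=DEFAULT_POLICY):
    """Order destinations (RFC 3484 section 6, Rules 1, 2, 5 and 6) and
    return the winning (source, destination) pair."""
    scope = make_scope(private_is_global)

    def key(d):
        src = select_source(d, candidates, scope, table)
        if src is None:
            return (False,)                                    # Rule 1: unusable
        precedence, label = policy(d, table)
        return (True,
                scope(d) == scope(src),                        # Rule 2: matching scope
                label == policy(src, table)[1],                # Rule 5: matching label
                precedence)                                    # Rule 6: higher precedence
    best = max(destinations, key=key)
    return select_source(best, candidates, scope, table), best


# Constructed addresses for the scenario of section 4 of the draft.
SOURCES = [ipaddress.ip_address(a) for a in (
    "fe80::1",                            # link-local IPv6
    "192.168.1.2",                        # RFC 1918 IPv4 behind the CPE NAT
    "2001:0:c633:6401:0:ffff:3f57:fefe",  # Teredo address (constructed)
)]
DESTS = [ipaddress.ip_address(a) for a in ("2001:db8::1", "198.51.100.1")]


def demo():
    """Run the three configurations and return {name: (source, destination)}."""
    runs = {
        "rfc3484": select_pair(DESTS, SOURCES),
        "private_global": select_pair(DESTS, SOURCES, private_is_global=True),
        "private_global+teredo_label": select_pair(
            DESTS, SOURCES, True, DEFAULT_POLICY + [TEREDO_ENTRY]),
    }
    return {name: (str(s), str(d)) for name, (s, d) in runs.items()}


if __name__ == "__main__":
    for name, (src, dst) in demo().items():
        print(f"{name:28} {src} -> {dst}")
```

   Running the program shows the scope rule winning outright in the
   first configuration, precedence deciding in the second, and the
   label mismatch introduced by the Teredo entry tipping Rule 5 towards
   the IPv4 pair in the third.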

5.2.  Address selection parameter for NAT

   With the previous solution, IPv4 is always selected.  This is a
   potential drawback if the upper-layer protocol combination is not
   NAT-friendly.

   As an alternative, a "translation-friendly" source address selection
   parameter could be specified, as in [RFC5014].  However, a default
   value will be needed for the many existing applications that would
   fail to set this parameter.

6.  IPv6 Address Translation

   The implications of IPv6 Address Translation and protocol translation
   are outside the scope of this document.  However, it is recommended
   that [RFC3484] be taken into account when designing such translation
   systems.

7.  Security Considerations

   TBD.

8.  IANA Considerations

   This document raises no IANA considerations.

9.  References

9.1.  Normative References

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, February 1996.

   [RFC3484]  Draves, R., "Default Address Selection for Internet
              Protocol version 6 (IPv6)", RFC 3484, February 2003.

   [RFC5014]  Nordmark, E., Chakrabarti, S., and J. Laganier, "IPv6
              Socket API for Source Address Selection", RFC 5014,
              September 2007.

9.2.  Informative References

   [RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains
              via IPv4 Clouds", RFC 3056, February 2001.

   [RFC4380]  Huitema, C., "Teredo: Tunneling IPv6 over UDP through
              Network Address Translations (NATs)", RFC 4380,
              February 2006.

Author's Address

   Remi Denis-Courmont
   Nokia Corporation
   P.O. Box 407
   NOKIA GROUP  00045
   FI

   Phone: +358 50 487 6315
   EMail: remi.denis-courmont@nokia.com
