[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-anderson-v6ops-siit-dc-2xlat) 00 01 02 RFC 7756

IPv6 Operations                                              T. Anderson
Internet-Draft                                            Redpill Linpro
Intended status: Standards Track                        January 25, 2015
Expires: July 29, 2015


                     SIIT-DC: Dual Translation Mode
                   draft-ietf-v6ops-siit-dc-2xlat-00

Abstract

   This document describes an extension of the Stateless IP/ICMP
   Translation for IPv6 Data Centre Environments architecture (SIIT-DC),
   which allows applications, protocols, or nodes that are incompatible
   with IPv6, SIIT-DC and/or Network Address Translation in general to
   operate correctly in an SIIT-DC environment.  This is accomplished by
   introducing a new component called an Edge Translator, which reverses
   the translations made by an SIIT-DC Gateway.  The application or
   device is thus provided with seemingly native IPv4 connectivity.

   The reader is expected to be familiar with the SIIT-DC architecture
   described in I-D.ietf-v6ops-siit-dc.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 29, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



Anderson                  Expires July 29, 2015                 [Page 1]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Edge Translator Description . . . . . . . . . . . . . . . . .   4
     3.1.  Host-Based Edge Translator  . . . . . . . . . . . . . . .   5
     3.2.  Network-Based Edge Translator . . . . . . . . . . . . . .   6
   4.  Detailed Topology Example . . . . . . . . . . . . . . . . . .   9
   5.  Deployment Considerations . . . . . . . . . . . . . . . . . .  12
     5.1.  IPv6 Path MTU . . . . . . . . . . . . . . . . . . . . . .  12
     5.2.  IPv4 MTU  . . . . . . . . . . . . . . . . . . . . . . . .  12
     5.3.  IPv4 Identification Header  . . . . . . . . . . . . . . .  12
   6.  Intra-DC IPv4 Communication . . . . . . . . . . . . . . . . .  13
     6.1.  Between IPv4-Only and IPv6-Only Services  . . . . . . . .  13
     6.2.  Between Two IPv4-Only Services  . . . . . . . . . . . . .  15
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  17
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  17
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  18
     9.1.  Address Spoofing  . . . . . . . . . . . . . . . . . . . .  18
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  18
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  18
     10.2.  Informative References . . . . . . . . . . . . . . . . .  19
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  19

1.  Introduction

   SIIT-DC [I-D.ietf-v6ops-siit-dc] describes an architecture where
   IPv4-only users can access IPv6-only services through a stateless
   translator called an SIIT-DC Gateway.  This approach has certain
   limitations, however.  In particular, the following cases will work
   poorly or not at all:

   o  Application protocols that do not support NAT (i.e., the lack of
      end-to-end transparency of IP addresses).

   o  Devices which cannot connect to IPv6 networks at all, or which can
      only connect such networks if they also provide IPv4 connectivity
      (i.e., dual-stacked networks).

   o  Application software which makes use of legacy IPv4-only APIs, or
      otherwise makes assumptions that IPv4 connectivity is available.



Anderson                  Expires July 29, 2015                 [Page 2]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


   By extending the SIIT-DC architecture with a new component called an
   Edge Translator (ET), all of the above can be made to work correctly
   in an otherwise IPv6-only network environment using SIIT-DC.

   The purpose of the Edge Translator is to reverse the IPv4-to-IPv6
   packet translations previously done by the SIIT-DC Gateway for
   traffic arriving from IPv4 clients and forward this as "native" IPv4
   to the application software or device.  In the reverse direction,
   IPv4 packets transmitted by the application software or device is
   intercepted by the Edge Translator, which will translate them to IPv6
   before they are forwarded to the SIIT-DC Gateway, which in turn will
   reverse the translations and forward them to the IPv4 End User.  In
   short, the device or application software is provided with "virtual"
   IPv4 Internet connectivity that retains end-to-end transparency for
   the IPv4 addresses.

2.  Terminology

   This document makes use of the following terms:

   Edge Translator (ET)
      A device or logical function that provides "native" IPv4
      connectivity to IPv4-only devices or application software.  It is
      very similar in function to an SIIT-DC Gateway, but is typically
      located close to the IPv4-only component(s) it is supporting
      rather than on the network border.

   IPv4 Service Address
      A public IPv4 address with which IPv4-only clients will
      communicate.  This communication will be translated to IPv6 by the
      SIIT-DC Gateway and back to IPv4 again by the Edge Translator.

   SIIT-DC Gateway
      A device or a logical function that translates between IPv4 and
      IPv6 in accordance with [I-D.ietf-v6ops-siit-dc].

   Static Address Mapping
      A bi-directional mapping between an IPv4 Service Address and an
      IPv6 Service Address configured in the SIIT-DC Gateway.  When
      translating between IPv4 and IPv6, the SIIT-DC Gateway changes the
      address fields in the translated packet's IP header according to
      any matching Static Address Mapping.

   Translation Prefix
      An IPv6 prefix into which the entire IPv4 address space is mapped.
      This prefix is routed to the SIIT-DC Gateway's IPv6 interface.  It
      is either an Network-Specific Prefix or a Well-Known Prefix as
      specified in [RFC6052].  When translating between IPv4 and IPv6,



Anderson                  Expires July 29, 2015                 [Page 3]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


      the SIIT-DC Gateway will prepend or strip the Translation Prefix
      from the address fields in the translated packet's IP header,
      unless a Static Address Mapping exists for the IP address in
      question.

   XLAT
      Used in figures to indicate where the Stateless IP/ICMP
      Translation [RFC6145] algorithm is used to translate IPv4 packets
      to IPv6 and vice versa.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Edge Translator Description

   An Edge Translator (ET) is at its core an implementation of the
   Stateless IP/ICMP Translation algorithm [RFC6145], with the Static
   Address Mapping extension described in Section 5.2 of
   [I-D.ietf-v6ops-siit-dc].  It provides virtual IPv4 connectivity for
   application software or devices which require this to operate
   correctly in an SIIT-DC environment.

   Inbound IPv4 packets destined for an IPv4 Service Address is first
   translated to IPv6 by an SIIT-DC Gateway.  The resulting IPv6 packets
   are subsequently forwarded to the ET handling the IPv6 Service
   Address they are addressed to.  The ET then translates them back to
   IPv4 before forwarding them to the IPv4 application software or
   device.  In the other direction, the exact same translations happen,
   only in reverse.  This process provides end-to-end transparency of
   IPv4 addresses.

   An ET may handle an arbitrary number of IPv4 Service Addresses.  All
   the Static Address Mappings configured in the SIIT-DC Gateway(s) that
   involve the IPv4 Service Addresses handled by an ET MUST be
   duplicated in that ET's configuration.

   An ET may be implemented in two distinct ways; as a software-based
   service residing inside an otherwise IPv6-only host, or as a network-
   based service that provides an isolated IPv4 network segment to which
   devices which require IPv4 can connect.  In both cases native IPv6
   connectivity may be provided simultaneously with the virtual IPv4
   connectivity.  Thus, dual-stack connectivity is facilitated in case
   the device or application software support it.

   The choice between a host- or network-based ET is made on a per-
   service or -device basis.  An arbitrary number of each type of ET may
   co-exist in an SIIT-DC architecture.



Anderson                  Expires July 29, 2015                 [Page 4]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


   This section describes the different approaches and discusses which
   approach fits best for the various use cases.

3.1.  Host-Based Edge Translator

                 Overview of a Host-based Edge Translator

                 [IPv4 Internet]   [IPv6 Internet]
                    |                         |
                 +--|--<SIIT-DC GW>--+        |
                 | [XLAT]            |        |
                 +--|----------------+        |
                    |                         |
                  [IPv6-only data centre network]
                    |
                 +--|--<IPv6-only server>---------------+
                 |  |                 +----------------+|
                 |  +--[ET/XLAT]--AF_INET  Dual-stack  ||
                 |  |                 |    Application ||
                 |  \------------AF_INET6  Software    ||
                 |                    +----------------+|
                 +--------------------------------------+

                                 Figure 1

   A host-based Edge Translator is typically implemented as a logical
   software function that runs inside the operating system of a host or
   server.  It provides software applications running on the same host
   with IPv4 connectivity.  The IPv4 Service Address it handles is
   considered local, allowing application software running on the same
   host to use traditional IPv4-only API calls, e.g., to create AF_INET
   sockets that listens for and accepts incoming connections to its IPv4
   Service Address.  An ET could accomplish this by creating an virtual
   network adapter to which it assigns the IPv4 Service Address and
   points a default IPv4 route.

   As shown in Figure 1, if the application software supports dual-stack
   operation, IPv6 clients will be able to communicate with it directly
   using native IPv6.  Neither the SIIT-DC Gateway nor the ET will
   intercept this communication.  Support for IPv6 in the application
   software is however not a requirement; the application software may
   opt not to establish any IPv6 sockets.  Foregoing IPv6 in this manner
   will simply preclude connectivity to the service from IPv6-only
   clients; connectivity to the service from IPv4 clients (through the
   SIIT-DC Gateway) will work in the exact same manner in both cases.

   The ET requires a dedicated IPv6 Service Address for each IPv4
   Service Address it has configured.  The IPv6 network must forward



Anderson                  Expires July 29, 2015                 [Page 5]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


   traffic to these IPv6 Service Addresses to the host, whose operating
   system must in turn forward them to the ET.  This document does not
   explore the multitude of ways this could be accomplished, however
   considering that the IPv6 protocol is designed for having multiple
   addresses assigned to a single node, one particularly straight-
   forward way would be to assign the ET's IPv6 Service Addresses as
   secondary IPv6 addresses on the host itself so that it the upstream
   router learns of their location using the IPv6 Neighbor Discovery
   Protocol [RFC4861].

3.2.  Network-Based Edge Translator

             Overview of a Basic Network-based Edge Translator

                   [IPv4 Internet]   [IPv6 Internet]
                      |                         |
                   +--|--<SIIT-DC GW>--+        |
                   | [XLAT]            |        |
                   +--|----------------+        |
                      |                         |
                    [IPv6-only data centre network]
                      |
                   +--|--<ET>--+
                   | [XLAT]    |
                   +--|--------+
                      |
                    [Isolated IPv4-only network segment]
                      |
                   +--|--<IPv4-only server>----+
                   |  |      +----------------+|
                   |  \--AF_INET  IPv4-only   ||
                   |         |    Application ||
                   |         |    Software    ||
                   |         +----------------+|
                   +---------------------------+

                                 Figure 2

   A network-based Edge Translator performs the exact same as a host-
   based ET does, only that instead of assigning the IPv4 Service
   Addresses to an internal-only virtual network adapter, traffic
   destined for them are forwarded onto a network segment to which hosts
   that require IPv4 connectivity connect to.  The ET also functions as
   the default IPv4 router for the hosts on this network segment.

   Each host on the IPv4 network segment must acquire and assign an IPv4
   Service Address to a local network interface.  This document does not
   attempt to explore all the various methods by which this can be



Anderson                  Expires July 29, 2015                 [Page 6]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


   accomplished, however one relatively straight-forward possibility
   would be to ensure the IPv4 Service Address(es) can be enclosed in an
   IPv4 prefix.  The ET will then claim one address in this prefix for
   itself (used as the IPv4 default router address), and could assign
   the IPv4 Service Address(es) to the host(s) using DHCPv4.  For
   example, if the IPv4 Service Addresses are 192.0.2.26 and 192.0.2.27,
   the ET would configure the address 192.0.2.25/29 on its IPv4-facing
   interface and would add the two IPv4 Service Addresses to its DHCPv4
   pool.

   One disadvantage of this method is that IPv4 communication between
   the IPv4 hosts and other services made available through SIIT-DC
   using the method described in Section 6 becomes impossible, if those
   other services are assigned IPv4 Service Addresses that also are
   covered by the same IPv4 prefix (e.g., 192.0.2.28).  This is because
   the IPv4 nodes will mistakenly believe they have an on-link route to
   the entire prefix, and attempt to resolve the addresses using ARP
   (instead of forwarding them to the ET for translation to IPv6).  This
   problem could however be overcome by avoiding assigning IPv4 Service
   Addresses which overlaps with an IPv4 prefix handled by an ET (at the
   expense of wasting some potential IPv4 Service Addresses), or by
   ensuring that they are only assigned to services which do not need to
   communicate with the IPv4 host(s) behind the ET.

   Another way to avoid the problem is to use a private unrouted IPv4
   network that does not encompass the IPv4 Service Addresses as the
   IPv4, and instead assign the IPv4 Service Addresses as secondary
   addresses on the servers.  The ET must then route each IPv4 Service
   Address to its respective server using the server's private on-link
   IPv4 address as the next-hop.  This approach would ensure there are
   no overlaps, but on the other hand it would preclude the use of
   DHCPv4 for assigning the IPv4 Service Addresses, as well as create a
   need to ensure that the IPv4 application software is selecting the
   IPv4 Service Address (as opposed to its private on-link IPv4 address)
   as its source address when initiating outbound connections.

   The basic ET illustrated in Figure 2 establishes an IPv4-only network
   segment behind itself.  This is fine if the devices it provides IPv4
   access have no support for IPv6 whatsoever; however if they are dual-
   stack capable, it is would not be ideal to take away their IPv6
   connectivity.  While it is recommended to use a host-based ET in this
   case, appropriate implementations of a host-based ET might not be
   available for every device.  If the application protocol does not
   work correctly in a NAT environment, standard SIIT-DC cannot be used
   either.  Thus, a network-based ET is the only solution.

   The operator could avoid breaking the hosts' IPv4 connectivity by
   connecting the ET's IPv4 and IPv6 interfaces to the same network



Anderson                  Expires July 29, 2015                 [Page 7]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


   segment, or by using a single dual-stacked interface instead.  The
   latter alternative is shown in Figure 3.  This could be thought of as
   an "ET on a stick".  IPv6 traffic between the network and the hosts
   will bypass the ET entirely.  IPv4 traffic from the hosts will be
   routed directly to the ET (because it's their default IPv4 router),
   and translated to IPv6 before its being transmitted to the upstream
   default IPv6 router.  The ET could attract inbound traffic to its
   IPv6 Service Addresses by responding to the upstream router's IPv6
   Neighbor Discovery [RFC4861] messages for them.

               A Network-based Edge Translator "on a stick"

                     [IPv4 Internet]   [IPv6 Internet]
                        |                         |
                     +--|--<SIIT-DC GW>--+        |
                     | [XLAT]            |        |
                     +--|----------------+        |
                        |                         |
                      [IPv6-only data centre network]
                        |
                        |  +--<ET>------+
                        |  |  ____      |
                        |  | /    \     |
                        +====   [XLAT]  |
                        |  | \____/     |
                        |  |            |
                        |  +------------+
                        |
                      [Dual-stack network segment]
                        |
                     +--|--<Dual-stack server>----+
                     |  |       +----------------+|
                     |  +---AF_INET  Dual-stack  ||
                     |  |       |    Application ||
                     |  \--AF_INET6  Software    ||
                     |          +----------------+|
                     +----------------------------+

                                 Figure 3












Anderson                  Expires July 29, 2015                 [Page 8]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


   Yet another variation would be to implement the ET so that it
   transparently passes IPv6 traffic between its downstream and upstream
   network ports unmodified, e.g., using Layer-2 bridging.  Packets sent
   to its own IPv6 Service Addresses from the upstream network are
   intercepted (e.g, by responding to IPv6 Neighbor Discovery [RFC4861]
   messages for them) and routed through the translation function, and
   forwarded out its downstream interface.  The downstream network
   segment is thus becomes dual-stacked.  This model is shown in Figure
   4.

                A Transparent Network-based Edge Translator

                     [IPv4 Internet]   [IPv6 Internet]
                        |                         |
                     +--|--<SIIT-DC GW>--+        |
                     | [XLAT]            |        |
                     +--|----------------+        |
                        |                         |
                      [IPv6-only data centre network]
                        |
                     +--|--<Edge Translator>--+
                     |  |\_____________       |
                     |  |              \      |
                     | [Bridged IPv6] [XLAT]  |
                     |  | _____________/      |
                     |  |/                    |
                     +--|---------------------+
                        |
                      [Dual-stack network segment]
                        |
                     +--|--<Dual-stack server>----+
                     |  |       +----------------+|
                     |  +---AF_INET  Dual-stack  ||
                     |  |       |    Application ||
                     |  \--AF_INET6  Software    ||
                     |          +----------------+|
                     +----------------------------+

                                 Figure 4

4.  Detailed Topology Example

   The following figure shows how an application (that is presumably
   incompatible with standard SIIT-DC) is being made available to the
   IPv4 Internet on the IPv4 address 192.0.2.4.  The application will be
   able to know that this is its local address and thus be able to
   provide correct references to it in application payload.




Anderson                  Expires July 29, 2015                 [Page 9]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


   The figure also shows how the same application is available over IPv6
   on its IPv6 Service Address 2001:db8:12:34::3.  This is included in
   order to illustrate how native IPv6 connectivity is not impacted by
   the Edge Translator, and also to illustrate how the address assigned
   to the ET (2001:db8:12:34::4) is separate from the primary IPv6
   address of the server.  It is however important to note that the
   application in question does not have to be dual-stack capable at
   all.  IPv4-only applications would also be able to operate behind an
   ET in the exact same manner.

   Note that the figure below could be considered a more detailed view
   of Customer A's FTP server from the example topology figure in
   Appendix A of [I-D.ietf-v6ops-siit-dc].  Both figures intentionally
   use the exact same example IP addresses and prefixes.

              SIIT-DC Host Architecture with Edge Translation



































Anderson                  Expires July 29, 2015                [Page 10]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


             +-------------------+         +----------------+
             | IPv6-capable user |         | IPv4-only user |
             | ================= |         | ============== |
             |                   |         |                |
             +-<2001:db8::ab:cd>-+         +-<203.0.113.50>-+
                 |                                  |
              (the IPv6 internet)         (the IPv4 Internet)
                 |                                  |
                 |        +------------------<192.0.2.0/24>-+
                 |        |                                 |
                 |        |         SIIT-DC Gateway         |
                 |        |         ===============         |
                 |        |                                 |
                 |        |       Translation Prefix:       |
                 |        |         2001:db8:46::/96        |
                 |        |                                 |
                 |        |     Static Address Mapping:     |
                 |        | 192.0.2.4 <=> 2001:db8:12:34::4 |
                 |        |                                 |
                 |        +--------------<2001:db8:46::/96>-+
                 |                               |
                (the IPv6-only data centre network)
                 |                               |
           +--<2001:db8:12:34::3>-------<2001:db8:12:34::4>---+
           |     |                               |            |
           |     |          IPv6-only server     |            |
           |     |          ================     |            |
           |     |                               |            |
           |     |        +-------------<2001:db8:12:34::4>-+ |
           |     |        |                                 | |
           |     |        |         Edge Translator         | |
           |     |        |         ===============         | |
           |     |        |                                 | |
           |     |        |       Translation Prefix:       | |
           |     |        |         2001:db8:46::/96        | |
           |     |        |                                 | |
           |     |        |     Static Address Mapping:     | |
           |     |        | 192.0.2.4 <=> 2001:db8:12:34::4 | |
           |     |        |                                 | |
           |     |        +---------------------<192.0.2.4>-+ |
           |     |                                   |        |
           | +-[2001:db8:12:34::3]--------------[192.0.2.4]-+ |
           | |      AF_INET6                      AF_INET   | |
           | |                                              | |
           | |           Dual-stacked application           | |
           | |                                              | |
           | +----------------------------------------------+ |
           +--------------------------------------------------+



Anderson                  Expires July 29, 2015                [Page 11]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


                                 Figure 5

5.  Deployment Considerations

5.1.  IPv6 Path MTU

   The IPv6 Path MTU between the Edge Translator and the SIIT-DC Gateway
   will typically be larger than the default value defined in Section 4
   of [RFC6145] (1280), as it will typically contained within a single
   administrative domain.  Therefore, it is recommended that the IPv6
   Path MTU configured in the ET is raised accordingly.  It is
   RECOMMENDED that the ET and the SIIT-DC Gateway use identical
   configured IPv6 Path MTU values.

5.2.  IPv4 MTU

   In order to avoid IPv6 fragmentation, an Edge Translator should
   ensure that the IPv4 MTU used by applications or hosts is equal to
   the configured IPv6 Path MTU - 20, so that an maximum-sized IPv4
   packet can fit in an unfragmented IPv6 packet.  This ensures that the
   application may do its part in avoiding IP-level fragmentation from
   occurring, e.g., by segmenting/fragmenting outbound packets at the
   application layer, and advertising the maximum size its peer may use
   for inbound packets (e.g., through the use of the TCP MSS option).

   A host-based ET could accomplish this by configuring this MTU value
   on the virtual network adapter, while a network-based ET could do so
   by advertising the MTU to its downstream hosts using the DHCPv4
   Interface MTU Option [RFC2132].

5.3.  IPv4 Identification Header

   If the generation of IPv6 Atomic Fragments is disabled, the value of
   the IPv4 Identification header will be lost during the translation.
   Conversely, enabling the generation of IPv6 Atomic Fragments will
   ensure that the IPv4 Identification Header will carried end-to-end.
   Note that for this to work bi-directionally, IPv6 Atomic Fragment
   generation must be enabled on both the SIIT-DC Gateway(s) and on the
   Edge Translator.

   Note that apart from certain diagnostic tools, there are few (if any)
   application protocols that make use of the IPv4 Identification
   header.  Therefore, the loss of the IPv4 Identification value will
   therefore generally not cause any problems.

   IPv6 Atomic Fragments and their impact on the IPv4 Identification
   header is further discussed in Section 4.8.2 of
   [I-D.ietf-v6ops-siit-dc].



Anderson                  Expires July 29, 2015                [Page 12]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


6.  Intra-DC IPv4 Communication

   While SIIT-DC is primarily intended to facilitate communication
   between IPv4-only nodes on the Internet and services hosted in an
   IPv6-only network, it is also possible to facilitate communication
   between an IPv4-only service or application running behind an Edge
   Translator and another service/application made available over IPv4
   through SIIT-DC.  This other service/application may be a IPv6-only
   service, or it may also be an IPv4-only service running behind
   another ET.

   Facilitating such communication requires that another Static Address
   Mapping is configured in the ET (one for each service it wants to
   communicate to).  If there are two ETs involved, both of them must be
   configured in the same fashion for bi-directional communication to
   work.  The following two subsections contain examples that
   demonstrate how this may be set up.

   Note that for the intra-DC communication described in this section,
   the SIIT-DC Gateway is not involved at all.  Therefore there is no
   requirement that the Static Address Mappings in question are also
   configured on the SIIT-DC Gateway.  It is also possible to use
   private [RFC1918] IPv4 addresses, in order to reduce the need for
   publicly routable IPv4 addresses.  However, if the IPv4-only
   application(s) are also to be made available to the IPv4 Internet
   through an SIIT-DC Gateway, it is highly recommended that the Static
   Address Mappings configured in the ET match those configured in the
   SIIT-DC Gateway.  Otherwise one end up in the situation where a
   service is reached using different IPv4 addresses depending on
   whether one connects to it from the IPv4 Internet or from another
   IPv4-only application residing in the same data centre.  While it may
   still work, the overall architecture gets significantly more complex.

   Finally, if both services/applications support IPv6, it is highly
   recommended that IPv6 is used for all internal communications.  The
   approach described in this section should only be used if one or both
   of the services or applications only supports IPv4, making native
   IPv6 communication impossible.

6.1.  Between IPv4-Only and IPv6-Only Services

   This section demonstrates how an IPv4-only service/application "A"
   running behind an ET can communicate with an IPv6-only service "B".

                 Intra-DC IPv4-only to IPv6-only Overview






Anderson                  Expires July 29, 2015                [Page 13]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


      /--------------------------------------\
      |    IPv6-only data centre network     |
      \-+----------------------------------+-/
        |                                  |
        |                                  |
   +--<2001:db8:6::>----------------+ +--<2001:db8:7::>----------------+
   |    |                           | |    |                           |
   |    |  IPv6-only server A       | |    |  IPv6-only server B       |
   |    |  ==================       | |    |  ==================       |
   |    |                           | |    |                           |
   |+-<2001:db8:6::>---------------+| |+-[2001:db8:7::]---------------+|
   ||                              || ||    AF_INET6                  ||
   ||      Edge Translator A       || ||                              ||
   ||      =================       || ||   IPv6-only application B    ||
   ||                              || |+------------------------------+|
   ||   Static Address Mappings:   || +--------------------------------+
   ||  192.0.2.6 <=> 2001:db8:6::  ||
   ||  192.0.2.7 <=> 2001:db8:7::  ||
   ||                              ||
   |+-<192.0.2.6>------------------+|
   |       |                        |
   |+-[192.0.2.6]------------------+|
   ||   AF_INET                    ||
   ||                              ||
   ||   IPv4-only application A    ||
   |+------------------------------+|
   +--------------------------------+

                                 Figure 6

   In this example, the IPv4-only application on server "A" is listening
   on the IPv4 address 192.0.2.6, which is made available to the IPv6
   network on the IPv6 address 2001:db8:6:: (by the ET).  The IPv6-only
   application on server "B" is only listening on the IPv6 address
   2001:db8:7::, and has no knowledge of IPv4.

   In order to facilitate communication between the two application,
   another Static Address Mapping must be configured in the ET on server
   "A".  This provides an IPv4 address (192.0.2.7) that the IPv4-only
   application can communicate with, which represents the IPv6 address
   used by application "B" (2001:db8:7::).

   The following figure shows the packet translations step by step, for
   a packet sent by the IPv4-only application "A" to the IPv6-only
   application "B".  For traffic in the opposite direction, you may read
   the figure from the bottom up and swap the Src/Dst addresses.





Anderson                  Expires July 29, 2015                [Page 14]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


                Intra-DC IPv4-only to IPv6-only Packet Flow

       (IPv4-only application A)  --\
         |                          |
        Src 192.0.2.6               |
        Dst 192.0.2.7               | Packet forwarding/translations
         |                          | happening inside server A
         V                          |
       [SIIT-DC ET A]               |
         |                        --/
         |                        --\
        Src 2001:db8:6::            | Actual IPv6 packets routed
        Dst 2001:db8:7::            | through the IPv6 network
         |                        --/
         V
       (IPv6-only application B)

                                 Figure 7

6.2.  Between Two IPv4-Only Services

   This section demonstrates how an IPv4-only service/application "A"
   running behind an ET can communicate with an IPv4-only service/
   application "B" running behind another ET.

                 Intra-DC IPv4-only to IPv6-only Overview

























Anderson                  Expires July 29, 2015                [Page 15]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


      /--------------------------------------\
      |    IPv6-only data centre network     |
      \-+----------------------------------+-/
        |                                  |
        |                                  |
   +--<2001:db8:8::>----------------+ +--<2001:db8:9::>----------------+
   |    |                           | |    |                           |
   |    |  IPv6-only server A       | |    |  IPv6-only server B       |
   |    |  ==================       | |    |  ==================       |
   |    |                           | |    |                           |
   |+-<2001:db8:8::>---------------+| |+-<2001:db8:9::>---------------+|
   ||                              || ||                              ||
   ||      Edge Translator A       || ||      Edge Translator B       ||
   ||      =================       || ||      =================       ||
   ||                              || ||                              ||
   ||   Static Address Mappings:   || ||   Static Address Mappings:   ||
   ||  192.0.2.8 <=> 2001:db8:8::  || ||  192.0.2.8 <=> 2001:db8:8::  ||
   ||  192.0.2.9 <=> 2001:db8:9::  || ||  192.0.2.9 <=> 2001:db8:9::  ||
   ||                              || ||                              ||
   |+-<192.0.2.8>------------------+| |+-<192.0.2.9>------------------+|
   |       |                        | |       |                        |
   |+-[192.0.2.8]------------------+| |+-[192.0.2.9]------------------+|
   ||   AF_INET                    || ||   AF_INET                    ||
   ||                              || ||                              ||
   ||   IPv4-only application A    || ||   IPv4-only application B    ||
   |+------------------------------+| |+------------------------------+|
   +--------------------------------+ +--------------------------------+

                                 Figure 8

   In this example, the IPv4-only application on server "A" is listening
   on the IPv4 address 192.0.2.8, which is made available to the IPv6
   network on the IPv6 address 2001:db8:8:: (by the ET).  In the same
   fashion, the IPv4-only application on server "B" is listening on the
   IPv4 address 192.0.2.9 and is made available by its ET on the IPv6
   address 2001:db8:9::.

   In order to facilitate communication between the two application, a
   second Static Address Mapping must be configured in the ET on both
   servers.  This provides each application with an IPv4 address that
   represents the other application.  Thus bi-directional communication
   between the two applications can commence.

   The following figure shows the packet translations step by step, for
   a packet sent by the IPv4-only application "A" to the IPv4-only
   application "B".  For traffic in the opposite direction, you may read
   the figure from the bottom up and swap the Src/Dst addresses.




Anderson                  Expires July 29, 2015                [Page 16]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


                Intra-DC IPv4-only to IPv4-only Packet Flow

       (IPv4-only application A) --\
         |                         |
        Src 192.0.2.8              |
        Dst 192.0.2.9              | Packet forwarding/translations
         |                         | happening inside server A
         V                         |
       [SIIT-DC ET A]              |
         |                       --/
         |                       --\
        Src 2001:db8:8::           | Actual IPv6 packets routed
        Dst 2001:db8:9::           | through the IPv6 network
         |                       --/
         V                       --\
       [SIIT-DC ET B]              |
         |                        |
        Src 192.0.2.8             | Packet forwarding/translations
        Dst 192.0.2.9             | happening inside server B
         |                        |
         V                        |
       (IPv4-only application B) --/

                                 Figure 9

7.  Acknowledgements

   The author would like to especially thank the authors of 464XLAT
   [RFC6877]: Masataka Mawatari, Masanobu Kawashima, and Cameron Byrne.
   The architecture described by this document is merely an adaptation
   of their work to a data centre environment, and could not have
   happened without them.

   The author would like also to thank the following individuals for
   their contributions, suggestions, corrections, and criticisms: Fred
   Baker, Tobias Brox, Ray Hunter, Shucheng LIU (Will), Andrew
   Yourtchenko.

8.  IANA Considerations

   This draft makes no request of the IANA.  The RFC Editor may remove
   this section prior to publication.









Anderson                  Expires July 29, 2015                [Page 17]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


9.  Security Considerations

   This section discusses security considerations specific to the use of
   an Edge Translator.  See the Security Considerations section in
   [I-D.ietf-v6ops-siit-dc] for additional security considerations
   applicable to the SIIT-DC architecture in general.

9.1.  Address Spoofing

   If the ET receives an IPv4 packet from the application from a
   different source address than the one it has a Static Address Mapping
   for, the both the source and destination addresses will be rewritten
   according to [RFC6052].  After undergoing the reverse translation in
   the SIIT-DC Gateway, the resulting IPv4 packet routed to the IPv4
   network will have a spoofed IPv4 source address.  The ET should
   therefore ensure that ingress filtering (cf. BCP38 [RFC2827]) is used
   on the ET's IPv4 interface, so that such packets are immediately
   discarded.

   If the ET receives an IPv6 packet with both the source and
   destination address equal to the one it has a Static Address Mapping
   for, the resulting packet would appear to the application as locally
   generated, as both the source address and the destination address
   will be the same address as the one configured on the virtual IPv4
   interface.  This could trick the application into thinking this
   packet came from a trusted source, and give elevated privileges
   accordingly.  To prevent this, the ET should discard any received
   IPv6 packets that have a source address that is equal either to
   either the IPv4 (after undergoing [RFC6052] translation) or the IPv6
   address in the Static Address Mapping.

10.  References

10.1.  Normative References

   [I-D.ietf-v6ops-siit-dc]
              tore, t., "SIIT-DC: Stateless IP/ICMP Translation for IPv6
              Data Centre Environments", draft-ietf-v6ops-siit-dc-00
              (work in progress), December 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.









Anderson                  Expires July 29, 2015                [Page 18]


Internet-Draft                SIIT-DC-2XLAT                 January 2015


10.2.  Informative References

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets", BCP
              5, RFC 1918, February 1996.

   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
              Extensions", RFC 2132, March 1997.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, May 2000.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              October 2010.

   [RFC6145]  Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
              Algorithm", RFC 6145, April 2011.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation", RFC
              6877, April 2013.

Author's Address

   Tore Anderson
   Redpill Linpro
   Vitaminveien 1A
   0485 Oslo
   Norway

   Phone: +47 959 31 212
   Email: tore@redpill-linpro.com
   URI:   http://www.redpill-linpro.com












Anderson                  Expires July 29, 2015                [Page 19]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/