draft-ietf-behave-address-format-10.txt   rfc6052.txt 
Network Working Group C. Bao Internet Engineering Task Force (IETF) C. Bao
Internet-Draft CERNET Center/Tsinghua University Request for Comments: 6052 CERNET Center/Tsinghua University
Updates: 4291 (if approved) C. Huitema Updates: 4291 C. Huitema
Intended status: Standards Track Microsoft Corporation Category: Standards Track Microsoft Corporation
Expires: February 17, 2011 M. Bagnulo ISSN: 2070-1721 M. Bagnulo
UC3M UC3M
M. Boucadair M. Boucadair
France Telecom France Telecom
X. Li X. Li
CERNET Center/Tsinghua University CERNET Center/Tsinghua University
August 16, 2010 October 2010
IPv6 Addressing of IPv4/IPv6 Translators IPv6 Addressing of IPv4/IPv6 Translators
draft-ietf-behave-address-format-10.txt
Abstract Abstract
This document discusses the algorithmic translation of an IPv6 This document discusses the algorithmic translation of an IPv6
address to a corresponding IPv4 address, and vice versa, using only address to a corresponding IPv4 address, and vice versa, using only
statically configured information. It defines a well-known prefix statically configured information. It defines a well-known prefix
for use in algorithmic translations, while allowing organizations to for use in algorithmic translations, while allowing organizations to
also use network-specific prefixes when appropriate. Algorithmic also use network-specific prefixes when appropriate. Algorithmic
translation is used in IPv4/IPv6 translators, as well as other types translation is used in IPv4/IPv6 translators, as well as other types
of proxies and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios. of proxies and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This is an Internet Standards Track document.
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on February 17, 2011. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6052.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 26
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Applicability Scope . . . . . . . . . . . . . . . . . . . 3 1.1. Applicability Scope . . . . . . . . . . . . . . . . . . . 3
1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. IPv4-Embedded IPv6 Address Prefix and Format . . . . . . . . . 4 2. IPv4-Embedded IPv6 Address Prefix and Format . . . . . . . . . 5
2.1. Well Known Prefix . . . . . . . . . . . . . . . . . . . . 4 2.1. Well-Known Prefix . . . . . . . . . . . . . . . . . . . . 5
2.2. IPv4-Embedded IPv6 Address Format . . . . . . . . . . . . 5 2.2. IPv4-Embedded IPv6 Address Format . . . . . . . . . . . . 5
2.3. Address Translation Algorithms . . . . . . . . . . . . . . 6 2.3. Address Translation Algorithms . . . . . . . . . . . . . . 7
2.4. Text Representation . . . . . . . . . . . . . . . . . . . 7 2.4. Text Representation . . . . . . . . . . . . . . . . . . . 7
3. Deployment Guidelines . . . . . . . . . . . . . . . . . . . . 7 3. Deployment Guidelines . . . . . . . . . . . . . . . . . . . . 8
3.1. Restrictions on the use of the Well-Known Prefix . . . . . 7 3.1. Restrictions on the Use of the Well-Known Prefix . . . . . 8
3.2. Impact on Inter-Domain Routing . . . . . . . . . . . . . . 8 3.2. Impact on Inter-Domain Routing . . . . . . . . . . . . . . 8
3.3. Choice of Prefix for Stateless Translation Deployments . . 8 3.3. Choice of Prefix for Stateless Translation Deployments . . 9
3.4. Choice of Prefix for Stateful Translation Deployments . . 11 3.4. Choice of Prefix for Stateful Translation Deployments . . 11
4. Design choices . . . . . . . . . . . . . . . . . . . . . . . . 12 4. Design Choices . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1. Choice of Suffix . . . . . . . . . . . . . . . . . . . . . 12 4.1. Choice of Suffix . . . . . . . . . . . . . . . . . . . . . 12
4.2. Choice of the Well-Known Prefix . . . . . . . . . . . . . 12 4.2. Choice of the Well-Known Prefix . . . . . . . . . . . . . 13
5. Security Considerations . . . . . . . . . . . . . . . . . . . 14 5. Security Considerations . . . . . . . . . . . . . . . . . . . 14
5.1. Protection Against Spoofing . . . . . . . . . . . . . . . 14 5.1. Protection against Spoofing . . . . . . . . . . . . . . . 14
5.2. Secure Configuration . . . . . . . . . . . . . . . . . . . 14 5.2. Secure Configuration . . . . . . . . . . . . . . . . . . . 15
5.3. Firewall Configuration . . . . . . . . . . . . . . . . . . 14 5.3. Firewall Configuration . . . . . . . . . . . . . . . . . . 15
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 15 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
9.1. Normative References . . . . . . . . . . . . . . . . . . . 17 9.1. Normative References . . . . . . . . . . . . . . . . . . . 17
9.2. Informative References . . . . . . . . . . . . . . . . . . 17 9.2. Informative References . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
This document is part of a series of IPv4/IPv6 translation documents. This document is part of a series of IPv4/IPv6 translation documents.
A framework for IPv4/IPv6 translation is discussed in A framework for IPv4/IPv6 translation is discussed in
[I-D.ietf-behave-v6v4-framework], including a taxonomy of scenarios [v4v6-FRAMEWORK], including a taxonomy of scenarios that will be used
that will be used in this document. Other documents specify the in this document. Other documents specify the behavior of various
behavior of various types of translators and gateways, including types of translators and gateways, including mechanisms for
mechanisms for translating between IP headers and other types of translating between IP headers and other types of messages that
messages that include IP addresses. This document specifies how an include IP addresses. This document specifies how an individual IPv6
individual IPv6 address is translated to a corresponding IPv4 address is translated to a corresponding IPv4 address, and vice
address, and vice versa, in cases where an algorithmic mapping is versa, in cases where an algorithmic mapping is used. While specific
used. While specific types of devices are used herein as examples, types of devices are used herein as examples, it is the
it is the responsibility of the specification of such devices to responsibility of the specification of such devices to reference this
reference this document for algorithmic mapping of the addresses document for algorithmic mapping of the addresses themselves.
themselves.
Section 2 describes the prefixes and the format of "IPv4-Embedded Section 2 describes the prefixes and the format of "IPv4-embedded
IPv6 addresses", i.e., IPv6 addresses in which 32 bits contain an IPv6 addresses", i.e., IPv6 addresses in which 32 bits contain an
IPv4 address. This format is common to both "IPv4-converted" and IPv4 address. This format is common to both "IPv4-converted" and
"IPv4-Translatable" IPv6 addresses. This section also defines the "IPv4-translatable" IPv6 addresses. This section also defines the
algorithms for translating addresses, and the text representation of algorithms for translating addresses, and the text representation of
IPv4-Embedded IPv6 addresses. IPv4-embedded IPv6 addresses.
Section 3 discusses the choice of prefixes, the conditions in which Section 3 discusses the choice of prefixes, the conditions in which
they can be used, and the use of IPv4-Embedded IPv6 addresses with they can be used, and the use of IPv4-embedded IPv6 addresses with
stateless and stateful translation. stateless and stateful translation.
Section 4 provides a summary of the discussions behind two specific Section 4 provides a summary of the discussions behind two specific
design decisions, the choice of a null suffix and the specific value design decisions, the choice of a null suffix and the specific value
of the selected prefix. of the selected prefix.
Section 5 discusses security concerns. Section 5 discusses security concerns.
In some scenarios, a dual-stack host will unnecessarily send its In some scenarios, a dual-stack host will unnecessarily send its
traffic through an IPv6/IPv4 translator. This can be caused by traffic through an IPv6/IPv4 translator. This can be caused by the
host's default address selection algorithm [RFC3484], referrals, or host's default address selection algorithm [RFC3484], referrals, or
other reasons. Optimizing these scenarios for dual-stack hosts is other reasons. Optimizing these scenarios for dual-stack hosts is
for future study. for future study.
1.1. Applicability Scope 1.1. Applicability Scope
This document is part of a series defining address translation This document is part of a series defining address translation
services. We understand that the address format could also be used services. We understand that the address format could also be used
by other interconnection methods between IPv6 and IPv4, e.g., methods by other interconnection methods between IPv6 and IPv4, e.g., methods
based on encapsulation. If encapsulation methods are developed by based on encapsulation. If encapsulation methods are developed by
the IETF, we expect that their descriptions will document their the IETF, we expect that their descriptions will document their
specific use of IPv4-Embedded IPv6 addresses. specific use of IPv4-embedded IPv6 addresses.
1.2. Conventions 1.2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
1.3. Terminology 1.3. Terminology
This document makes use of the following terms: This document makes use of the following terms:
Address translator: any entity that has to derive an IPv4 address Address translator: any entity that has to derive an IPv4 address
from an IPv6 address or vice versa. This applies not only to from an IPv6 address or vice versa. This applies not only to
devices that do IPv4/IPv6 packet translation, but also to other devices that do IPv4/IPv6 packet translation, but also to other
entities that manipulate addresses, such as name resolution entities that manipulate addresses, such as name resolution
proxies (e.g. DNS64 [I-D.ietf-behave-dns64]) and possibly other proxies (e.g., DNS64 [DNS64]) and possibly other types of
types of Application Layer Gateways (ALGs). Application Layer Gateways (ALGs).
IPv4-converted IPv6 addresses: IPv6 addresses used to represent IPv4 IPv4-converted IPv6 addresses: IPv6 addresses used to represent IPv4
nodes in an IPv6 network. They are a variant of IPv4-Embedded nodes in an IPv6 network. They are a variant of IPv4-embedded
IPv6 addresses, and follow the format described in Section 2.2. IPv6 addresses and follow the format described in Section 2.2.
IPv4-Embedded IPv6 addresses: IPv6 addresses in which 32 bits
IPv4-embedded IPv6 addresses: IPv6 addresses in which 32 bits
contain an IPv4 address. Their format is described in contain an IPv4 address. Their format is described in
Section 2.2. Section 2.2.
IPv4/IPv6 translator: an entity that translates IPv4 packets to IPv6 IPv4/IPv6 translator: an entity that translates IPv4 packets to IPv6
packets, and vice versa. It may do "stateless" translation, packets, and vice versa. It may do "stateless" translation,
meaning that there is no per-flow state required, or "stateful" meaning that there is no per-flow state required, or "stateful"
translation where per-flow state is created when the first packet translation, meaning that per-flow state is created when the first
in a flow is received. packet in a flow is received.
IPv4-Translatable IPv6 addresses: IPv6 addresses assigned to IPv6
IPv4-translatable IPv6 addresses: IPv6 addresses assigned to IPv6
nodes for use with stateless translation. They are a variant of nodes for use with stateless translation. They are a variant of
IPv4-Embedded IPv6 addresses, and follow the format described in IPv4-embedded IPv6 addresses and follow the format described in
Section 2.2. Section 2.2.
Network-Specific Prefix: an IPv6 prefix assigned by an organization Network-Specific Prefix: an IPv6 prefix assigned by an organization
for use in algorithmic mapping. Options for the Network Specific for use in algorithmic mapping. Options for the Network-Specific
Prefix are discussed in Section 3.3 and Section 3.4. Prefix are discussed in Sections 3.3 and 3.4.
Well-Known Prefix: the IPv6 prefix defined in this document for use Well-Known Prefix: the IPv6 prefix defined in this document for use
in an algorithmic mapping. in an algorithmic mapping.
2. IPv4-Embedded IPv6 Address Prefix and Format 2. IPv4-Embedded IPv6 Address Prefix and Format
2.1. Well Known Prefix 2.1. Well-Known Prefix
This document reserves a "Well-Known Prefix" for use in an This document reserves a "Well-Known Prefix" for use in an
algorithmic mapping. The value of this IPv6 prefix is: algorithmic mapping. The value of this IPv6 prefix is:
64:ff9b::/96 64:ff9b::/96
2.2. IPv4-Embedded IPv6 Address Format 2.2. IPv4-Embedded IPv6 Address Format
IPv4-converted IPv6 addresses and IPv4-Translatable IPv6 addresses IPv4-converted IPv6 addresses and IPv4-translatable IPv6 addresses
follow the same format, described here as the IPv4-Embedded IPv6 follow the same format, described here as the IPv4-embedded IPv6
address Format. IPv4-Embedded IPv6 addresses are composed of a address Format. IPv4-embedded IPv6 addresses are composed of a
variable length prefix, the embedded IPv4 address, and a variable variable-length prefix, the embedded IPv4 address, and a variable-
length suffix, as presented in the following diagram, in which PL length suffix, as presented in the following diagram, in which PL
designates the prefix length: designates the prefix length:
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|PL| 0-------------32--40--48--56--64--72--80--88--96--104---------| |PL| 0-------------32--40--48--56--64--72--80--88--96--104---------|
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|32| prefix |v4(32) | u | suffix | |32| prefix |v4(32) | u | suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|40| prefix |v4(24) | u |(8)| suffix | |40| prefix |v4(24) | u |(8)| suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
skipping to change at page 5, line 33 skipping to change at page 5, line 42
|56| prefix |(8)| u | v4(24) | suffix | |56| prefix |(8)| u | v4(24) | suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|64| prefix | u | v4(32) | suffix | |64| prefix | u | v4(32) | suffix |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
|96| prefix | v4(32) | |96| prefix | v4(32) |
+--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
Figure 1 Figure 1
In these addresses, the prefix shall be either the "Well-Known In these addresses, the prefix shall be either the "Well-Known
Prefix", or a "Network-Specific Prefix" unique to the organization Prefix" or a "Network-Specific Prefix" unique to the organization
deploying the address translators. The prefixes can only have one of deploying the address translators. The prefixes can only have one of
the following lengths: 32, 40, 48, 56, 64 or 96. (The Well-Known the following lengths: 32, 40, 48, 56, 64, or 96. (The Well-Known
Prefix is 96 bits long, and can only be used in the last form of the Prefix is 96 bits long, and can only be used in the last form of the
table.) table.)
Various deployments justify different prefix lengths with Network- Various deployments justify different prefix lengths with Network-
Specific prefixes. The tradeoff between different prefix lengths are Specific Prefixes. The trade-off between different prefix lengths
discussed in Section 3.3 and Section 3.4. are discussed in Sections 3.3 and 3.4.
Bits 64 to 71 of the address are reserved for compatibility with the Bits 64 to 71 of the address are reserved for compatibility with the
host identifier format defined in the IPv6 addressing architecture host identifier format defined in the IPv6 addressing architecture
[RFC4291]. These bits MUST be set to zero. When using a /96 [RFC4291]. These bits MUST be set to zero. When using a /96
Network-Specific Prefix, the administrators MUST ensure that the bits Network-Specific Prefix, the administrators MUST ensure that the bits
64 to 71 are set to zero. A simple way to achieve that is to 64 to 71 are set to zero. A simple way to achieve that is to
construct the /96 Network-Specific Prefix by picking a /64 prefix, construct the /96 Network-Specific Prefix by picking a /64 prefix,
and then adding four octets set to zero. and then adding 4 octets set to zero.
The IPv4 address is encoded following the prefix, most significant The IPv4 address is encoded following the prefix, most significant
bits first. Depending of the prefix length, the 4 octets of the bits first. Depending of the prefix length, the 4 octets of the
address may be separated by the reserved octet "u", whose 8 bits MUST address may be separated by the reserved octet "u", whose 8 bits MUST
be set to zero. In particular: be set to zero. In particular:
o When the prefix is 32 bits long, the IPv4 address is encoded in o When the prefix is 32 bits long, the IPv4 address is encoded in
positions 32 to 63. positions 32 to 63.
o When the prefix is 40 bits long, 24 bits of the IPv4 address are o When the prefix is 40 bits long, 24 bits of the IPv4 address are
encoded in positions 40 to 63, with the remaining 8 bits in encoded in positions 40 to 63, with the remaining 8 bits in
position 72 to 79. position 72 to 79.
o When the prefix is 48 bits long, 16 bits of the IPv4 address are o When the prefix is 48 bits long, 16 bits of the IPv4 address are
encoded in positions 48 to 63, with the remaining 16 bits in encoded in positions 48 to 63, with the remaining 16 bits in
position 72 to 87. position 72 to 87.
o When the prefix is 56 bits long, 8 bits of the IPv4 address are o When the prefix is 56 bits long, 8 bits of the IPv4 address are
encoded in positions 56 to 63, with the remaining 24 bits in encoded in positions 56 to 63, with the remaining 24 bits in
position 72 to 95. position 72 to 95.
o When the prefix is 64 bits long, the IPv4 address is encoded in o When the prefix is 64 bits long, the IPv4 address is encoded in
positions 72 to 103. positions 72 to 103.
o When the prefix is 96 bits long, the IPv4 address is encoded in o When the prefix is 96 bits long, the IPv4 address is encoded in
positions 96 to 127. positions 96 to 127.
There are no remaining bits, and thus no suffix, if the prefix is 96 There are no remaining bits, and thus no suffix, if the prefix is 96
bits long. In the other cases, the remaining bits of the address bits long. In the other cases, the remaining bits of the address
constitute the suffix. These bits are reserved for future constitute the suffix. These bits are reserved for future extensions
extensions, and SHOULD be set to zero. Address translators who and SHOULD be set to zero. Address translators who receive IPv4-
receive IPv4 embedded IPv6 addresses where these bits are not zero embedded IPv6 addresses where these bits are not zero SHOULD ignore
SHOULD ignore the bits' value and proceed as if the bits' value was the bits' value and proceed as if the bits' value were zero. (Future
zero. (Future extensions may specify a different behavior.) extensions may specify a different behavior.)
2.3. Address Translation Algorithms 2.3. Address Translation Algorithms
IPv4-Embedded IPv6 addresses are composed according to the following IPv4-embedded IPv6 addresses are composed according to the following
algorithm: algorithm:
o Concatenate the prefix, the 32 bits of the IPv4 address and the
suffix if needed to obtain a 128 bit address. o Concatenate the prefix, the 32 bits of the IPv4 address, and the
suffix (if needed) to obtain a 128-bit address.
o If the prefix length is less than 96 bits, insert the null octet o If the prefix length is less than 96 bits, insert the null octet
"u" at the appropriate position (bits 64 to 71), thus causing the "u" at the appropriate position (bits 64 to 71), thus causing the
least significant octet to be excluded, as documented in Figure 1. least significant octet to be excluded, as documented in Figure 1.
The IPv4 addresses are extracted from the IPv4-Embedded IPv6 The IPv4 addresses are extracted from the IPv4-embedded IPv6
addresses according to the following algorithm: addresses according to the following algorithm:
o If the prefix is 96 bit long, extract the last 32 bits of the IPv6
address; o If the prefix is 96 bits long, extract the last 32 bits of the
o for the other prefix lengths, remove the "u" octet to obtain a 120 IPv6 address;
bit sequence (effectively shifting bits 72-127 to positions 64-
119), then extract the 32 bits following the prefix. o For the other prefix lengths, remove the "u" octet to obtain a
120-bit sequence (effectively shifting bits 72-127 to positions
64-119), then extract the 32 bits following the prefix.
2.4. Text Representation 2.4. Text Representation
IPv4-Embedded IPv6 addresses will be represented in text in IPv4-embedded IPv6 addresses will be represented in text in
conformity with section 2.2 of [RFC4291]. IPv4-Embedded IPv6 conformity with Section 2.2 of [RFC4291]. IPv4-embedded IPv6
addresses constructed using the Well-Known Prefix or a /96 Network- addresses constructed using the Well-Known Prefix or a /96 Network-
Specific Prefix may be represented using the alternative form Specific Prefix may be represented using the alternative form
presented in section 2.2 of [RFC4291], with the embedded IPv4 address presented in Section 2.2 of [RFC4291], with the embedded IPv4 address
represented in dotted decimal notation. Examples of such represented in dotted decimal notation. Examples of such
representations are presented in Table 1 and Table 2. representations are presented in Tables 1 and 2.
+-----------------------+------------+------------------------------+ +-----------------------+------------+------------------------------+
| Network-Specific | IPv4 | IPv4-Embedded IPv6 address | | Network-Specific | IPv4 | IPv4-embedded IPv6 address |
| Prefix | address | | | Prefix | address | |
+-----------------------+------------+------------------------------+ +-----------------------+------------+------------------------------+
| 2001:db8::/32 | 192.0.2.33 | 2001:db8:c000:221:: | | 2001:db8::/32 | 192.0.2.33 | 2001:db8:c000:221:: |
| 2001:db8:100::/40 | 192.0.2.33 | 2001:db8:1c0:2:21:: | | 2001:db8:100::/40 | 192.0.2.33 | 2001:db8:1c0:2:21:: |
| 2001:db8:122::/48 | 192.0.2.33 | 2001:db8:122:c000:2:2100:: | | 2001:db8:122::/48 | 192.0.2.33 | 2001:db8:122:c000:2:2100:: |
| 2001:db8:122:300::/56 | 192.0.2.33 | 2001:db8:122:3c0:0:221:: | | 2001:db8:122:300::/56 | 192.0.2.33 | 2001:db8:122:3c0:0:221:: |
| 2001:db8:122:344::/64 | 192.0.2.33 | 2001:db8:122:344:c0:2:2100:: | | 2001:db8:122:344::/64 | 192.0.2.33 | 2001:db8:122:344:c0:2:2100:: |
| 2001:db8:122:344::/96 | 192.0.2.33 | 2001:db8:122:344::192.0.2.33 | | 2001:db8:122:344::/96 | 192.0.2.33 | 2001:db8:122:344::192.0.2.33 |
+-----------------------+------------+------------------------------+ +-----------------------+------------+------------------------------+
Table 1: Text representation of IPv4-Embedded IPv6 addresses using Table 1: Text Representation of IPv4-Embedded IPv6 Addresses Using
Network-Specific Prefixes Network-Specific Prefixes
+-------------------+--------------+----------------------------+ +-------------------+--------------+----------------------------+
| Well Known Prefix | IPv4 address | IPv4-Embedded IPv6 address | | Well-Known Prefix | IPv4 address | IPv4-Embedded IPv6 address |
+-------------------+--------------+----------------------------+ +-------------------+--------------+----------------------------+
| 64:ff9b::/96 | 192.0.2.33 | 64:ff9b::192.0.2.33 | | 64:ff9b::/96 | 192.0.2.33 | 64:ff9b::192.0.2.33 |
+-------------------+--------------+----------------------------+ +-------------------+--------------+----------------------------+
Table 2: Text representation of IPv4-Embedded IPv6 addresses using Table 2: Text Representation of IPv4-Embedded IPv6 Addresses Using
the Well-Known Prefix the Well-Known Prefix
The Network-Specific Prefix examples in Table 1 are derived from the The Network-Specific Prefix examples in Table 1 are derived from the
IPv6 prefix reserved for documentation in [RFC3849]. The IPv4 IPv6 prefix reserved for documentation in [RFC3849]. The IPv4
address 192.0.2.33 is part of the subnet 192.0.2.0/24 reserved for address 192.0.2.33 is part of the subnet 192.0.2.0/24 reserved for
documentation in [RFC5735]. The representation of IPv6 addresses is documentation in [RFC5735]. The representation of IPv6 addresses is
compatible with [I-D.ietf-6man-text-addr-representation]. compatible with [RFC5952].
3. Deployment Guidelines 3. Deployment Guidelines
3.1. Restrictions on the use of the Well-Known Prefix 3.1. Restrictions on the Use of the Well-Known Prefix
The Well-Known Prefix MUST NOT be used to represent non global IPv4 The Well-Known Prefix MUST NOT be used to represent non-global IPv4
addresses, such as those defined in [RFC1918] or listed in section 3 addresses, such as those defined in [RFC1918] or listed in Section 3
of [RFC5735]. Address translators MUST NOT translate packets in of [RFC5735]. Address translators MUST NOT translate packets in
which an address is composed of the Well-Known Prefix and a non which an address is composed of the Well-Known Prefix and a non-
global IPv4 address, they MUST drop these packets. global IPv4 address; they MUST drop these packets.
The Well-Known Prefix SHOULD NOT be used to construct IPv4- The Well-Known Prefix SHOULD NOT be used to construct IPv4-
Translatable IPv6 addresses. The nodes served by IPv4-Translatable translatable IPv6 addresses. The nodes served by IPv4-translatable
IPv6 addresses should be able to receive global IPv6 traffic bound to IPv6 addresses should be able to receive global IPv6 traffic bound to
their IPv4-Translatable IPv6 address without incurring intermediate their IPv4-translatable IPv6 address without incurring intermediate
protocol translation. This is only possible if the specific prefix protocol translation. This is only possible if the specific prefix
used to build the IPv4-Translatable IPv6 addresses is advertized in used to build the IPv4-translatable IPv6 addresses is advertised in
inter-domain routing, but the advertisement of more specific prefixes inter-domain routing, but the advertisement of more specific prefixes
derived from the Well-Known Prefix is not supported, as explained in derived from the Well-Known Prefix is not supported, as explained in
Section 3.2. Network-Specific Prefixes SHOULD be used in these Section 3.2. Network-Specific Prefixes SHOULD be used in these
scenarios, as explained in Section 3.3. scenarios, as explained in Section 3.3.
The Well-Known Prefix MAY be used by organizations deploying The Well-Known Prefix MAY be used by organizations deploying
translation services, as explained in Section 3.4. translation services, as explained in Section 3.4.
3.2. Impact on Inter-Domain Routing 3.2. Impact on Inter-Domain Routing
The Well-Known Prefix MAY appear in inter-domain routing tables, if The Well-Known Prefix MAY appear in inter-domain routing tables, if
service providers decide to provide IPv6-IPv4 interconnection service providers decide to provide IPv6-IPv4 interconnection
services to peers. Advertisement of the Well-Known Prefix SHOULD be services to peers. Advertisement of the Well-Known Prefix SHOULD be
controlled either by upstream and/or downstream service providers controlled either by upstream and/or downstream service providers
according to inter-domain routing policies, e.g., through according to inter-domain routing policies, e.g., through
configuration of BGP [RFC4271]. Organizations that advertize the configuration of BGP [RFC4271]. Organizations that advertise the
Well-Known Prefix in inter-domain routing MUST be able to provide Well-Known Prefix in inter-domain routing MUST be able to provide
IPv4/IPv6 translation service. IPv4/IPv6 translation service.
When the IPv4/IPv6 translation relies on the Well-Known Prefix, IPv4 When the IPv4/IPv6 translation relies on the Well-Known Prefix, IPv4-
Embedded IPv6 prefixes longer than the Well-Known Prefix MUST NOT be embedded IPv6 prefixes longer than the Well-Known Prefix MUST NOT be
advertised in BGP (especially e-BGP) [RFC4271] because this leads to advertised in BGP (especially External BGP) [RFC4271] because this
importing the IPv4 routing table into the IPv6 one and therefore leads to importing the IPv4 routing table into the IPv6 one and
introduces scalability issues to the global IPv6 routing table. therefore introduces scalability issues to the global IPv6 routing
Administrators of BGP nodes SHOULD configure filters that discard table. Administrators of BGP nodes SHOULD configure filters that
advertisements of embedded IPv6 prefixes longer than the Well-Known discard advertisements of embedded IPv6 prefixes longer than the
Prefix. Well-Known Prefix.
When the IPv4/IPv6 translation service relies on Network-Specific When the IPv4/IPv6 translation service relies on Network-Specific
Prefixes, the IPv4-Translatable IPv6 prefixes used in stateless Prefixes, the IPv4-translatable IPv6 prefixes used in stateless
translation MUST be advertised with proper aggregation to the IPv6 translation MUST be advertised with proper aggregation to the IPv6
Internet. Similarly, if translators are configured with multiple Internet. Similarly, if translators are configured with multiple
Network-Specific Prefixes, these prefixes MUST be advertised to the Network-Specific Prefixes, these prefixes MUST be advertised to the
IPv6 Internet with proper aggregation. IPv6 Internet with proper aggregation.
3.3. Choice of Prefix for Stateless Translation Deployments 3.3. Choice of Prefix for Stateless Translation Deployments
Organizations may deploy translation services using stateless Organizations may deploy translation services using stateless
translation. In these deployments, internal IPv6 nodes are addressed translation. In these deployments, internal IPv6 nodes are addressed
using IPv4-Translatable IPv6 addresses, which enable them to be using IPv4-translatable IPv6 addresses, which enable them to be
accessed by IPv4 nodes. The addresses of these external IPv4 nodes accessed by IPv4 nodes. The addresses of these external IPv4 nodes
are then represented in IPv4-converted IPv6 addresses. are then represented in IPv4-converted IPv6 addresses.
Organizations deploying stateless IPv4/IPv6 translation SHOULD assign Organizations deploying stateless IPv4/IPv6 translation SHOULD assign
a Network-Specific Prefix to their IPv4/IPv6 translation service. a Network-Specific Prefix to their IPv4/IPv6 translation service.
IPv4-Translatable and IPv4-converted IPv6 addresses MUST be IPv4-translatable and IPv4-converted IPv6 addresses MUST be
constructed as specified in Section 2.2. IPv4-Translatable IPv6 constructed as specified in Section 2.2. IPv4-translatable IPv6
addresses MUST use the selected Network-Specific Prefix. Both IPv4- addresses MUST use the selected Network-Specific Prefix. Both IPv4-
Translatable IPv6 addresses and IPv4-converted IPv6 addresses SHOULD translatable IPv6 addresses and IPv4-converted IPv6 addresses SHOULD
use the same prefix. use the same prefix.
Using the same prefix ensures that IPv6 nodes internal to the Using the same prefix ensures that IPv6 nodes internal to the
organization will use the most efficient paths to reach the nodes organization will use the most efficient paths to reach the nodes
served by IPv4-Translatable IPv6 addresses. Specifically, if a node served by IPv4-translatable IPv6 addresses. Specifically, if a node
learns the IPv4 address of a target internal node without knowing learns the IPv4 address of a target internal node without knowing
that this target is in fact located behind the same translator that that this target is in fact located behind the same translator that
the node also uses, translation rules will ensure that the IPv6 the node also uses, translation rules will ensure that the IPv6
address constructed with the Network-Specific prefix is the same as address constructed with the Network-Specific Prefix is the same as
the IPv4-Translatable IPv6 address assigned to the target. Standard the IPv4-translatable IPv6 address assigned to the target. Standard
routing preference (more specific wins) will then ensure that the routing preference (i.e., "most specific match wins") will then
IPv6 packets are delivered directly, without requiring that ensure that the IPv6 packets are delivered directly, without
translators receive the packets and then return them in the direction requiring that translators receive the packets and then return them
they came from. in the direction from which they came.
The intra-domain routing protocol must be able to deliver packets to The intra-domain routing protocol must be able to deliver packets to
the nodes served by IPv4-Translatable IPv6 addresses. This may the nodes served by IPv4-translatable IPv6 addresses. This may
require routing on some or all of the embedded IPv4 address bits. require routing on some or all of the embedded IPv4 address bits.
Security considerations detailed in Section 5 require that routers Security considerations detailed in Section 5 require that routers
check the validity of the IPv4-Translatable IPv6 source addresses, check the validity of the IPv4-translatable IPv6 source addresses,
using some form of reverse path check. using some form of reverse path check.
The management of stateless address translation can be illustrated The management of stateless address translation can be illustrated
with a small example: with a small example:
We will consider an IPv6 network with the prefix 2001:db8: We will consider an IPv6 network with the prefix 2001:db8:
122::/48. The network administrator has selected the Network- 122::/48. The network administrator has selected the Network-
Specific prefix 2001:db8:122:344::/64 for managing stateless IPv4/ Specific Prefix 2001:db8:122:344::/64 for managing stateless IPv4/
IPv6 translation. The IPv4-Translatable address block for IPv4 IPv6 translation. The IPv4-translatable address block for IPv4
subnet 192.0.2.0/24 is 2001:db8:122:344:c0:2::/96. In this subnet 192.0.2.0/24 is 2001:db8:122:344:c0:2::/96. In this
network, the host A is assigned the IPv4-Translatable IPv6 address network, the host A is assigned the IPv4-translatable IPv6 address
2001:db8:122:344:c0:2:2100::, which corresponds to the IPv4 2001:db8:122:344:c0:2:2100::, which corresponds to the IPv4
address 192.0.2.33. Host A's address is configured either address 192.0.2.33. Host A's address is configured either
manually or through DHCPv6. manually or through DHCPv6.
In this example, host A is not directly connected to the In this example, host A is not directly connected to the
translator, but instead to a link managed by a router R. The translator, but instead to a link managed by a router R. The
router R is configured to forward to A the packets bound to 2001: router R is configured to forward to A the packets bound to 2001:
db8:122:344:c0:2:2100::. To receive these packets, R will db8:122:344:c0:2:2100::. To receive these packets, R will
advertise reachability of the prefix 2001:db8:122:344:c0:2:2100::/ advertise reachability of the prefix 2001:db8:122:344:c0:2:2100::/
104 in the intra-domain routing protocol -- or perhaps a shorter 104 in the intra-domain routing protocol -- or perhaps a shorter
prefix if many hosts on link have IPv4-Translatable IPv6 addresses prefix if many hosts on link have IPv4-translatable IPv6 addresses
derived from the same IPv4 subnet. If a packet bound to derived from the same IPv4 subnet. If a packet bound to
192.0.2.33 reaches the translator, the destination address will be 192.0.2.33 reaches the translator, the destination address will be
translated to 2001:db8:122:344:c0:2:2100::, and the packet will be translated to 2001:db8:122:344:c0:2:2100::, and the packet will be
routed towards R and then to A. routed towards R and then to A.
Let's suppose now that a host B of the same domain learns the IPv4 Let's suppose now that a host B of the same domain learns the IPv4
address of A, maybe through an application-specific referral. If address of A, maybe through an application-specific referral. If
B has translation-aware software, B can compose a destination B has translation-aware software, B can compose a destination
address by combining the Network-Specific Prefix 2001:db8:122: address by combining the Network-Specific Prefix 2001:db8:122:
344::/64 and the IPv4 address 192.0.2.33, resulting in the address 344::/64 and the IPv4 address 192.0.2.33, resulting in the address
2001:db8:122:344:c0:2:2100::. The packet sent by B will be 2001:db8:122:344:c0:2:2100::. The packet sent by B will be
forwarded towards R, and then to A, avoiding protocol translation. forwarded towards R, and then to A, avoiding protocol translation.
Forwarding, and reverse path checks, are more efficient when Forwarding, and reverse path checks, are more efficient when
performed on the combination of the prefix and the IPv4 address. In performed on the combination of the prefix and the IPv4 address. In
theory, routers are able to route on prefixes of any length, but in theory, routers are able to route on prefixes of any length, but in
practice there may be routers for which routing on prefixes larger practice there may be routers for which routing on prefixes larger
than 64 bits is slower. But routing efficiency is not the only than 64 bits is slower. However, routing efficiency is not the only
consideration in the choice of a prefix length. Organizations also consideration in the choice of a prefix length. Organizations also
need to consider the availability of prefixes, and the potential need to consider the availability of prefixes, and the potential
impact of all-zeroes identifiers. impact of all-zero identifiers.
If a /32 prefix is used, all the routing bits are contained in the If a /32 prefix is used, all the routing bits are contained in the
top 64 bits of the IPv6 address, leading to excellent routing top 64 bits of the IPv6 address, leading to excellent routing
properties. These prefixes may however be hard to obtain, and properties. These prefixes may however be hard to obtain, and
allocation of a /32 to a small set of IPv4-Translatable IPv6 allocation of a /32 to a small set of IPv4-translatable IPv6
addresses may be seen as wasteful. In addition, the /32 prefix and a addresses may be seen as wasteful. In addition, the /32 prefix and a
zero suffix leads to an all-zeroes interface identifier, an issue zero suffix lead to an all-zero interface identifier, which is an
that we discuss in Section 4.1. issue that we discuss in Section 4.1.
Intermediate prefix lengths such as /40, /48 or /56 appear as Intermediate prefix lengths such as /40, /48, or /56 appear as
compromises. Only some of the IPv4 bits are part of the /64 compromises. Only some of the IPv4 bits are part of the /64
prefixes. Reverse path checks, in particular, may have a limited prefixes. Reverse path checks, in particular, may have a limited
efficiency. Reverse path checks limited to the most significant bits efficiency. Reverse path checks limited to the most significant bits
of the IPv4 address will reduce the possibility of spoofing external of the IPv4 address will reduce the possibility of spoofing external
IPv4 addresses, but would allow IPv6 nodes to spoof internal IPv4- IPv4 addresses, but would allow IPv6 nodes to spoof internal IPv4-
Translatable IPv6 addresses. translatable IPv6 addresses.
We propose here a compromise, based on using no more than 1/256th of We propose a compromise, based on using no more than 1/256th of an
an organization's allocation of IPv6 addresses for the IPv4/IPv6 organization's allocation of IPv6 addresses for the IPv4/IPv6
translation service. For example, if the organization is an Internet translation service. For example, if the organization is an Internet
Service Provider with an allocated IPv6 prefix /32 or shorter, the Service Provider with an allocated IPv6 prefix /32 or shorter, the
ISP could dedicate a /40 prefix to the translation service. An end ISP could dedicate a /40 prefix to the translation service. An end
site with a /48 allocation could dedicate a /56 prefix to the site with a /48 allocation could dedicate a /56 prefix to the
translation service, or possibly a /96 prefix if all IPv4- translation service, or possibly a /96 prefix if all IPv4-
Translatable IPv6 addresses are located on the same link. translatable IPv6 addresses are located on the same link.
The recommended prefix length is also a function of the deployment The recommended prefix length is also a function of the deployment
scenario. The stateless translation can be used for Scenario 1, scenario. The stateless translation can be used for Scenario 1,
Scenario 2, Scenario 5, and Scenario 6 defined in Scenario 2, Scenario 5, and Scenario 6 defined in [v4v6-FRAMEWORK].
[I-D.ietf-behave-v6v4-framework]. For different scenarios, the For different scenarios, the prefix length recommendations are:
prefix length recommendations are:
o For scenario 1 (an IPv6 network to the IPv4 Internet) and scenario o For Scenario 1 (an IPv6 network to the IPv4 Internet) and Scenario
2 (the IPv4 Internet to an IPv6 network), an ISP holding a /32 2 (the IPv4 Internet to an IPv6 network), an ISP holding a /32
allocation SHOULD use a /40 prefix , and a site holding a /48 allocation SHOULD use a /40 prefix, and a site holding a /48
allocation SHOULD use a /56 prefix. allocation SHOULD use a /56 prefix.
o For scenario 5 (an IPv6 network to an IPv4 network) and scenario 6
o For Scenario 5 (an IPv6 network to an IPv4 network) and Scenario 6
(an IPv4 network to an IPv6 network), the deployment SHOULD use a (an IPv4 network to an IPv6 network), the deployment SHOULD use a
/64 or a /96 prefix. /64 or a /96 prefix.
3.4. Choice of Prefix for Stateful Translation Deployments 3.4. Choice of Prefix for Stateful Translation Deployments
Organizations may deploy translation services based on stateful Organizations may deploy translation services based on stateful
translation technology. An organization may decide to use either a translation technology. An organization may decide to use either a
Network-Specific Prefix or the Well-Known Prefix for its stateful Network-Specific Prefix or the Well-Known Prefix for its stateful
IPv4/IPv6 translation service. IPv4/IPv6 translation service.
When these services are used, IPv6 nodes are addressed through When these services are used, IPv6 nodes are addressed through
standard IPv6 addresses, while IPv4 nodes are represented by IPv4- standard IPv6 addresses, while IPv4 nodes are represented by IPv4-
converted IPv6 addresses, as specified in Section 2.2. converted IPv6 addresses, as specified in Section 2.2.
The stateful nature of the translation creates a potential stability The stateful nature of the translation creates a potential stability
issue when the organization deploys multiple translators. If several issue when the organization deploys multiple translators. If several
translators use the same prefix, there is a risk that packets translators use the same prefix, there is a risk that packets
belonging to the same connection may be routed to different belonging to the same connection may be routed to different
translators as the internal routing state changes. This issue can be translators as the internal routing state changes. This issue can be
avoided either by assigning different prefixes to different avoided either by assigning different prefixes to different
translators, or by ensuring that all translators using same prefix translators or by ensuring that all translators using the same prefix
coordinate their state. coordinate their state.
Stateful translation can be used in scenarios defined in Stateful translation can be used in scenarios defined in
[I-D.ietf-behave-v6v4-framework]. The Well Known Prefix SHOULD be [v4v6-FRAMEWORK]. The Well-Known Prefix SHOULD be used in these
used in these scenarios, with two exceptions: scenarios, with two exceptions:
o In all scenarios, the translation MAY use a Network-Specific o In all scenarios, the translation MAY use a Network-Specific
Prefix, if deemed appropriate for management reasons. Prefix, if deemed appropriate for management reasons.
o The Well-Known Prefix MUST NOT be used for scenario 3 (the IPv6
o The Well-Known Prefix MUST NOT be used for Scenario 3 (the IPv6
Internet to an IPv4 network), as this would lead to using the Internet to an IPv4 network), as this would lead to using the
Well-Known Prefix with non-global IPv4 addresses. That means a Well-Known Prefix with non-global IPv4 addresses. That means a
Network-Specific Prefix MUST be used in that scenario, for example Network-Specific Prefix (for example, a /96 prefix) MUST be used
a /96 prefix. in that scenario.
4. Design choices 4. Design Choices
The prefix that we have chosen reflects two design choices, the null The prefix that we have chosen reflects two design choices, the null
suffix and the specific value of the Well Known Prefix. We provide suffix and the specific value of the Well-Known Prefix. We provide
here a summary of the discussions leading to those two choices. here a summary of the discussions leading to those two choices.
4.1. Choice of Suffix 4.1. Choice of Suffix
The address format described in Section 2.2 recommends a zero suffix. The address format described in Section 2.2 recommends a zero suffix.
Before making this recommendation, we considered different options: Before making this recommendation, we considered different options:
checksum neutrality; the encoding of a port range; and a value checksum neutrality, the encoding of a port range, and a value
different than 0. different than 0.
In the case of stateless translation, there would be no need for the In the case of stateless translation, there would be no need for the
translator to recompute a one's complement checksum if both the IPv4- translator to recompute a one's complement checksum if both the IPv4-
Translatable and the IPv4-converted IPv6 addresses were constructed translatable and the IPv4-converted IPv6 addresses were constructed
in a "checksum-neutral" manner, that is if the IPv6 addresses would in a "checksum-neutral" manner, that is, if the IPv6 addresses would
have the same one's complement checksum as the embedded IPv4 address. have the same one's complement checksum as the embedded IPv4 address.
In the case of stateful translation, checksum neutrality does not In the case of stateful translation, checksum neutrality does not
eliminate checksum computation during translation, as only one of the eliminate checksum computation during translation, as only one of the
two addresses would be checksum neutral. We considered reserving 16 two addresses would be checksum neutral. We considered reserving 16
bits in the suffix to guarantee checksum neutrality, but declined bits in the suffix to guarantee checksum neutrality, but declined
because it would not help with stateful translation, and because because it would not help with stateful translation and because
checksum neutrality can also be achieved by an appropriate choice of checksum neutrality can also be achieved by an appropriate choice of
the Network-Specific Prefix, i.e. selecting a prefix whose one's the Network-Specific Prefix, i.e., selecting a prefix whose one's
complement checksum equals either 0 or 0xffff. complement checksum equals either 0 or 0xffff.
There have been proposals to complement stateless translation with a There have been proposals to complement stateless translation with a
port-range feature. Instead of mapping an IPv4 address to exactly port-range feature. Instead of mapping an IPv4 address to exactly
one IPv6 prefix, the options would allow several IPv6 nodes to share one IPv6 prefix, the options would allow several IPv6 nodes to share
an IPv4 address, with each node managing a different range of ports. an IPv4 address, with each node managing a different range of ports.
If a port range extension is needed, it could be defined later, using If a port range extension is needed, it could be defined later, using
bits currently reserved as null in the suffix. bits currently reserved as null in the suffix.
When a /32 prefix is used, an all-zero suffix results in an all-zero When a /32 prefix is used, an all-zero suffix results in an all-zero
interface identifier. We understand the conflict with Section 2.6.1 interface identifier. We understand the conflict with Section 2.6.1
of RFC4291, which specifies that all zeroes are used for the subnet- of RFC4291, which specifies that all zeroes are used for the subnet-
router anycast address. However, in our specification, there would router anycast address. However, in our specification, there is only
be only one node with an IPv4-Translatable IPv6 address in the /64 one node with an IPv4-translatable IPv6 address in the /64 subnet, so
subnet, and the anycast semantic would not create confusion. We thus the anycast semantic does not create confusion. We thus decided to
decided to keep the null suffix for now. This issue does not exist keep the null suffix for now. This issue does not exist for prefixes
for prefixes larger than 32 bits, such as the /40, /56, /64 and /96 larger than 32 bits, such as the /40, /56, /64, and /96 prefixes that
prefixes that we recommend in Section 3.3. we recommend in Section 3.3.
4.2. Choice of the Well-Known Prefix 4.2. Choice of the Well-Known Prefix
Before making our recommendation of the Well-Known Prefix, we were Before making our recommendation of the Well-Known Prefix, we were
faced with three choices: faced with three choices:
o reuse the IPv4-mapped prefix, ::ffff:0:0/96, as specified in RFC o reuse the IPv4-mapped prefix, ::ffff:0:0/96, as specified in RFC
2765 Section 2.1; 2765, Section 2.1;
o request IANA to allocate a /32 prefix,
o or request allocation of a new /96 prefix. o request IANA to allocate a /32 prefix, or
o request allocation of a new /96 prefix.
We weighted the pros and cons of these choices before settling on the We weighted the pros and cons of these choices before settling on the
recommended /96 Well-Known Prefix. recommended /96 Well-Known Prefix.
The main advantage of the existing IPv4-mapped prefix is that it is The main advantage of the existing IPv4-mapped prefix is that it is
already defined. Reusing that prefix would require minimal already defined. Reusing that prefix would require minimal
standardization efforts. However, being already defined is not just standardization efforts. However, being already defined is not just
an advantage, as there may be side effects of current an advantage, as there may be side effects of current
implementations. When presented with the IPv4-mapped prefix, current implementations. When presented with the IPv4-mapped prefix, current
versions of Windows and MacOS generate IPv4 packets, but will not versions of Windows and Mac OS generate IPv4 packets, but will not
send IPv6 packets. If we used the IPv4-mapped prefix, these nodes send IPv6 packets. If we used the IPv4-mapped prefix, these nodes
would not be able to support translation without modification. This would not be able to support translation without modification. This
will defeat the main purpose of the translation techniques. We thus will defeat the main purpose of the translation techniques. We thus
eliminated the first choice, and decided to not reuse the IPv4-mapped eliminated the first choice, i.e., decided to not reuse the IPv4-
prefix, ::ffff:0:0/96. mapped prefix, ::ffff:0:0/96.
A /32 prefix would have allowed the embedded IPv4 address to fit A /32 prefix would have allowed the embedded IPv4 address to fit
within the top 64 bits of the IPv6 address. This would have within the top 64 bits of the IPv6 address. This would have
facilitated routing and load balancing when an organization deploys facilitated routing and load balancing when an organization deploys
several translators. However, such destination-address based load several translators. However, such destination-address-based load
balancing may not be desirable. It is not compatible with STUN balancing may not be desirable. It is not compatible with Session
[RFC5389] in the deployments involving multiple stateful translators, Traversal Utilities for NAT (STUN) [RFC5389] in the deployments
each one having a different pool of IPv4 addresses. STUN involving multiple stateful translators, each one having a different
compatibility would only be achieved if the translators managed the pool of IPv4 addresses. STUN compatibility would only be achieved if
same pool of IPv4 addresses and were able to coordinate their the translators managed the same pool of IPv4 addresses and were able
translation state, in which case there is no big advantage to using a to coordinate their translation state, in which case there is no big
/32 prefix rather than a /96 prefix. advantage to using a /32 prefix rather than a /96 prefix.
According to Section 2.2 of [RFC4291], in the legal textual According to Section 2.2 of [RFC4291], in the legal textual
representations of IPv6 addresses, dotted decimal can only appear at representations of IPv6 addresses, dotted decimal can only appear at
the end. The /96 prefix is compatible with that requirement. It the end. The /96 prefix is compatible with that requirement. It
enables the dotted decimal notation without requiring an update to enables the dotted decimal notation without requiring an update to
[RFC4291]. This representation makes the address format easier to [RFC4291]. This representation makes the address format easier to
use, and log files easier to read. use and the log files easier to read.
The prefix that we recommend has the particularity of being "checksum The prefix that we recommend has the particularity of being "checksum
neutral". The sum of the hexadecimal numbers "0064" and "ff9b" is neutral". The sum of the hexadecimal numbers "0064" and "ff9b" is
"ffff", i.e. a value equal to zero in one's complement arithmetic. "ffff", i.e., a value equal to zero in one's complement arithmetic.
An IPv4-Embedded IPv6 address constructed with this prefix will have An IPv4-embedded IPv6 address constructed with this prefix will have
the same one's complement checksum as the embedded IPv4 address. the same one's complement checksum as the embedded IPv4 address.
5. Security Considerations 5. Security Considerations
5.1. Protection Against Spoofing 5.1. Protection against Spoofing
IPv4/IPv6 translators can be modeled as special routers, are subject IPv4/IPv6 translators can be modeled as special routers, are subject
to the same risks, and can implement the same mitigations. (The to the same risks, and can implement the same mitigations. (The
discussion of generic threats to routers and their mitigations is discussion of generic threats to routers and their mitigations is
beyond the scope of this document.) There is however a particular beyond the scope of this document.) There is, however, a particular
risk that directly derives from the practice of embedding IPv4 risk that directly derives from the practice of embedding IPv4
addresses in IPv6: address spoofing. addresses in IPv6: address spoofing.
An attacker could use an IPv4-Embedded IPv6 address as the source An attacker could use an IPv4-embedded IPv6 address as the source
address of malicious packets. After translation, the packets will address of malicious packets. After translation, the packets will
appear as IPv4 packets from the specified source, and the attacker appear as IPv4 packets from the specified source, and the attacker
may be hard to track. If left without mitigation, the attack would may be hard to track. If left without mitigation, the attack would
allow malicious IPv6 nodes to spoof arbitrary IPv4 addresses. allow malicious IPv6 nodes to spoof arbitrary IPv4 addresses.
The mitigation is to implement reverse path checks, and to verify The mitigation is to implement reverse path checks and to verify
throughout the network that packets are coming from an authorized throughout the network that packets are coming from an authorized
location. location.
5.2. Secure Configuration 5.2. Secure Configuration
The prefixes used for address translation are used by IPv6 nodes to The prefixes used for address translation are used by IPv6 nodes to
send packets to IPv6/IPv4 translators. Attackers could attempt to send packets to IPv6/IPv4 translators. Attackers could attempt to
fool nodes, DNS gateways, and IPv4/IPv6 translators into using wrong fool nodes, DNS gateways, and IPv4/IPv6 translators into using wrong
values for these parameters, resulting in network disruption, denial values for these parameters, resulting in network disruption, denial
of service, and possible information disclosure. To mitigate such of service, and possible information disclosure. To mitigate such
skipping to change at page 14, line 47 skipping to change at page 15, line 26
beyond the scope of this document. beyond the scope of this document.
5.3. Firewall Configuration 5.3. Firewall Configuration
Many firewalls and other security devices filter traffic based on Many firewalls and other security devices filter traffic based on
IPv4 addresses. Attackers could attempt to fool these firewalls by IPv4 addresses. Attackers could attempt to fool these firewalls by
sending IPv6 packets to or from IPv6 addresses that translate to the sending IPv6 packets to or from IPv6 addresses that translate to the
filtered IPv4 addresses. If the attack is successful, traffic that filtered IPv4 addresses. If the attack is successful, traffic that
was previously blocked might be able to pass through the firewalls was previously blocked might be able to pass through the firewalls
disguised as IPv6 packets. In all such scenarios, administrators disguised as IPv6 packets. In all such scenarios, administrators
should assure that packets that send to or from IPv4 embedded IPv6 should assure that packets that send to or from IPv4-embedded IPv6
addresses are subject to the same filtering as those directly sent to addresses are subject to the same filtering as those directly sent to
or from the embedded IPv4 addresses. or from the embedded IPv4 addresses.
The mechanisms for configuring firewalls and security devices to The mechanisms for configuring firewalls and security devices to
achieve this filtering are beyond the scope of this document. achieve this filtering are beyond the scope of this document.
6. IANA Considerations 6. IANA Considerations
Upon approval of this document, IANA will make the following changes IANA has made the following changes in the "Internet Protocol Version
in the "Internet Protocol Version 6 Address Space" registry located 6 Address Space" registry located at http://www.iana.org.
at http://www.iana.org/assignments/ipv6-address-space:
OLD: OLD:
IPv6 Prefix Allocation Reference Note IPv6 Prefix Allocation Reference Note
----------- ---------------- ------------ ---------------- ----------- ---------------- ------------ ----------------
0000::/8 Reserved by IETF [RFC4291] [1][5] 0000::/8 Reserved by IETF [RFC4291] [1][5]
NEW: NEW:
IPv6 Prefix Allocation Reference Note IPv6 Prefix Allocation Reference Note
----------- ---------------- ------------ ---------------- ----------- ---------------- ------------ ----------------
0000::/8 Reserved by IETF [RFC4291] [1][5][TBD] 0000::/8 Reserved by IETF [RFC4291] [1][5][6]
[TBD] The "Well Known Prefix" 64:ff9b::/96 used in an algorithmic [6] The "Well-Known Prefix" 64:ff9b::/96 used in an algorithmic
mapping between IPv4 to IPv6 addresses is defined out of the mapping between IPv4 to IPv6 addresses is defined out of the
0000::/8 address block, per [RFC-ietf-behave-address-format]. 0000::/8 address block, per RFC 6052.
7. Acknowledgements 7. Acknowledgements
Many people in the Behave WG have contributed to the discussion that Many people in the BEHAVE WG have contributed to the discussion that
led to this document, including Andrew Sullivan, Andrew Yourtchenko, led to this document, including Andrew Sullivan, Andrew Yourtchenko,
Ari Keranen, Brian Carpenter, Charlie Kaufman, Dan Wing, Dave Thaler, Ari Keranen, Brian Carpenter, Charlie Kaufman, Dan Wing, Dave Thaler,
David Harrington, Ed Jankiewicz, Fred Baker, Hiroshi Miyata, Iljitsch David Harrington, Ed Jankiewicz, Fred Baker, Hiroshi Miyata, Iljitsch
van Beijnum, John Schnizlein, Keith Moore, Kevin Yin, Magnus van Beijnum, John Schnizlein, Keith Moore, Kevin Yin, Magnus
Westerlund, Margaret Wasserman, Masahito Endo, Phil Roberts, Philip Westerlund, Margaret Wasserman, Masahito Endo, Phil Roberts, Philip
Matthews, Remi Denis-Courmont, Remi Despres and William Waites. Matthews, Remi Denis-Courmont, Remi Despres, and William Waites.
Marcelo Bagnulo is partly funded by Trilogy, a research project Marcelo Bagnulo is partly funded by Trilogy, a research project
supported by the European Commission under its Seventh Framework supported by the European Commission under its Seventh Framework
Program. Program.
8. Contributors 8. Contributors
The following individuals co-authored drafts from which text has been The following individuals co-authored documents from which text has
incorporated, and are listed in alphabetical order. been incorporated, and are listed in alphabetical order.
Congxiao Bao
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing, 100084
China
Phone: +86 62785983
Email: congxiao@cernet.edu.cn
Dave Thaler Dave Thaler
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
USA USA
Phone: +1 425 703 8835 Phone: +1 425 703 8835
Email: dthaler@microsoft.com EMail: dthaler@microsoft.com
Fred Baker Fred Baker
Cisco Systems Cisco Systems
Santa Barbara, California 93117 Santa Barbara, California 93117
USA USA
Phone: +1-408-526-4257 Phone: +1-408-526-4257
Fax: +1-413-473-2403 Fax: +1-413-473-2403
Email: fred@cisco.com EMail: fred@cisco.com
Hiroshi Miyata Hiroshi Miyata
Yokogawa Electric Corporation Yokogawa Electric Corporation
2-9-32 Nakacho 2-9-32 Nakacho
Musashino-shi, Tokyo 180-8750 Musashino-shi, Tokyo 180-8750
JAPAN JAPAN
Email: h.miyata@jp.yokogawa.com EMail: h.miyata@jp.yokogawa.com
Marcelo Bagnulo
Universidad Carlos III de Madrid
Av. Universidad 30
Leganes, Madrid 28911
ESPANA
Email: marcelo@it.uc3m.es
Xing Li
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing, 100084
China
Phone: +86 62785983
Email: xing@cernet.edu.cn
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006. Architecture", RFC 4291, February 2006.
9.2. Informative References 9.2. Informative References
[I-D.ietf-6man-text-addr-representation] [DNS64] Bagnulo, M., Sullivan, A., Matthews, P., and I. Beijnum,
Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation",
draft-ietf-6man-text-addr-representation-07 (work in
progress), February 2010.
[I-D.ietf-behave-dns64]
Bagnulo, M., Sullivan, A., Matthews, P., and I. Beijnum,
"DNS64: DNS extensions for Network Address Translation "DNS64: DNS extensions for Network Address Translation
from IPv6 Clients to IPv4 Servers", from IPv6 Clients to IPv4 Servers", Work in Progress,
draft-ietf-behave-dns64-10 (work in progress), July 2010. October 2010.
[I-D.ietf-behave-v6v4-framework]
Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
IPv4/IPv6 Translation",
draft-ietf-behave-v6v4-framework-09 (work in progress),
May 2010.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets", E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996. BCP 5, RFC 1918, February 1996.
[RFC3484] Draves, R., "Default Address Selection for Internet [RFC3484] Draves, R., "Default Address Selection for Internet
Protocol version 6 (IPv6)", RFC 3484, February 2003. Protocol version 6 (IPv6)", RFC 3484, February 2003.
[RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix [RFC3849] Huston, G., Lord, A., and P. Smith, "IPv6 Address Prefix
Reserved for Documentation", RFC 3849, July 2004. Reserved for Documentation", RFC 3849, July 2004.
skipping to change at page 18, line 6 skipping to change at page 17, line 42
[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
Protocol 4 (BGP-4)", RFC 4271, January 2006. Protocol 4 (BGP-4)", RFC 4271, January 2006.
[RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
"Session Traversal Utilities for NAT (STUN)", RFC 5389, "Session Traversal Utilities for NAT (STUN)", RFC 5389,
October 2008. October 2008.
[RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses", [RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
BCP 153, RFC 5735, January 2010. BCP 153, RFC 5735, January 2010.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952, August 2010.
[v4v6-FRAMEWORK]
Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
IPv4/IPv6 Translation", Work in Progress, August 2010.
Authors' Addresses Authors' Addresses
Congxiao Bao Congxiao Bao
CERNET Center/Tsinghua University CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University Room 225, Main Building, Tsinghua University
Beijing, 100084 Beijing, 100084
China China
Phone: +86 10-62785983 Phone: +86 10-62785983
Email: congxiao@cernet.edu.cn EMail: congxiao@cernet.edu.cn
Christian Huitema Christian Huitema
Microsoft Corporation Microsoft Corporation
One Microsoft Way One Microsoft Way
Redmond, WA 98052-6399 Redmond, WA 98052-6399
U.S.A. U.S.A.
EMail: huitema@microsoft.com
Email: huitema@microsoft.com
Marcelo Bagnulo Marcelo Bagnulo
UC3M UC3M
Av. Universidad 30 Av. Universidad 30
Leganes, Madrid 28911 Leganes, Madrid 28911
Spain Spain
Phone: +34-91-6249500 Phone: +34-91-6249500
Fax: EMail: marcelo@it.uc3m.es
Email: marcelo@it.uc3m.es
URI: http://www.it.uc3m.es/marcelo URI: http://www.it.uc3m.es/marcelo
Mohamed Boucadair Mohamed Boucadair
France Telecom France Telecom
3, Av Francois Chateaux 3, Av Francois Chateaux
Rennes 350000 Rennes 350000
France France
EMail: mohamed.boucadair@orange-ftgroup.com
Email: mohamed.boucadair@orange-ftgroup.com
Xing Li Xing Li
CERNET Center/Tsinghua University CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University Room 225, Main Building, Tsinghua University
Beijing, 100084 Beijing, 100084
China China
Phone: +86 10-62785983 Phone: +86 10-62785983
Email: xing@cernet.edu.cn EMail: xing@cernet.edu.cn
 End of changes. 130 change blocks. 
251 lines changed or deleted 230 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/