v6ops WG                                                        O. Troan
Internet-Draft                                                     Cisco
Obsoletes: 3056, 3068                                      June 24, 2011 (if approved)                    B. Carpenter, Ed.
Intended status: Informational Best Current Practice                 Univ. of Auckland
Expires: December 26, 2011

  Request to move April 23, 2015                                 October 20, 2014

     Deprecating Connection of IPv6 Domains via IPv4 Clouds (6to4) to
                            Historic status


   Experience with the "Connection of IPv6 Domains via IPv4 Clouds
   (6to4)" IPv6 transitioning transition mechanism has shown that the mechanism is
   unsuitable for widespread deployment and use in the Internet.  This
   document requests that RFC3056 and the companion document "An Anycast
   Prefix for 6to4 Relay Routers" RFC3068 are made obsolete and moved to
   historic status.  It also recommends that future products should not
   support 6to4 and that existing deployments should be reviewed.

Status of this This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 26, 2011. April 23, 2015.

Copyright Notice

   Copyright (c) 2011 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   There would appear to be no evidence of any substantial deployment of
   the variant of 6to4 described in [RFC3056].  Its extension specified
   in "An Anycast Prefix for 6to4 Relay Routers" [RFC3068] has been
   shown to have severe practical problems when used in the Internet.
   This document requests that RFC3056 and RFC3068 be moved to Historic
   status as defined in section 4.2.4 [RFC2026].

   6to4 was designed to help transition the Internet from IPv4 to IPv6.
   It has been a good mechanism for experimenting with IPv6, but because
   of the high failure rates seen with 6to4 [HUSTON], end users may end
   up disabling IPv6 on hosts, hosts as a result, and some content providers are
   have been reluctant to make content available over IPv6.


   [RFC6343] analyses the known operational issues in detail and
   describes a set of suggestions to improve 6to4 reliability, given the
   widespread presence of hosts and customer premises equipment that
   support it.

   The IETF sees no evolutionary future for  However, experience shows that operational failures have
   continued despite this advice being available.  Fortunately the mechanism and it is not
   advice to include this mechanism disable 6to4 by default has been widely adopted in new implementations. recent
   operating systems, and the failure modes have been largely hidden
   from users by many browsers adopting the "happy eyeballs" approach
   [RFC6555].  Nevertheless, operational problems caused by 6to4 still

   IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) [RFC5969]
   utilizes the same encapsulation and base mechanism as 6to4, and could
   be viewed as a superset of 6to4 (6to4 could be achieved by setting
   the 6rd prefix to 2002::/16).  However, the deployment model is such
   that 6rd can avoid the problems described here.  In this sense, 6rd
   can be viewed as superseding 6to4 as described in section 4.2.4 of

   Given that native IPv6 support and reliable transition mechanisms
   such as 6rd are now becoming common, the IETF sees no evolutionary
   future for the 6to4 mechanism.

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in RFC
   2119 [RFC2119].

3.  6to4 operational problems

   6to4 is a mechanism designed to allow isolated IPv6 islands to reach
   each other using IPv6 over IPv4 automatic tunneling.  To reach the
   native IPv6 Internet the mechanism uses relay routers both in the
   forward and reverse direction.  The mechanism is supported in many
   IPv6 implementations.  With the increased deployment of IPv6, the
   mechanism has been shown to have a number of fundamental

   6to4 depends on relays both in the forward and reverse direction to
   enable connectivity with the native IPv6 Internet.  A 6to4 node will
   send IPv4 encapsulated IPv6 traffic to a 6to4 relay, that is
   connected both to the 6to4 cloud and to native IPv6.  In the reverse
   direction a 2002::/16 route is injected into the native IPv6 routing
   domain to attract traffic from native IPv6 nodes to a 6to4 relay
   router.  It is expected that traffic will use different relays in the
   forward and reverse direction.  RFC3068 adds an extension that allows
   the use of a well known IPv4 anycast address to reach the nearest
   6to4 relay in the forward direction.

   One model of 6to4 deployment as described in section 5.2, RFC3056,
   suggests that a 6to4 router should have a set of managed connections
   (via BGP connections) to a set of 6to4 relay routers.  While this
   makes the forward path more controlled, it does not guarantee a
   functional reverse path.  In any case this model has the same
   operational burden as manually configured tunnels and has seen no
   deployment in the public Internet.

   List of some of the known issues with 6to4:

   o  Use of relays. 6to4 depends on an unknown third- third party to operate
      the relays between the 6to4 cloud and the native IPv6 Internet.
   o  The placement of the relay can lead to increased latency, and in
      the case the relay is overloaded, packet loss.
   o  There is generally no customer relationship between the end-user
      and the relay operator, or even a way for the end-user to know who
      the relay operator is, so no support is possible.
   o  A 6to4 relay for the reverse path and an anycast 6to4 relay used
      for the forward path, are openly accessible, limited only by the
      scope of routing. 6to4 relays can be used to anonymize traffic and
      inject attacks into IPv6 that are very difficult to trace.
   o  6to4 may silently discard traffic in the case where protocol (41)
      is blocked in intermediate firewalls.  Even if a firewall sent an
      ICMP message unreachable back, an IPv4 ICMP message rarely
      contains enough of the original IPv6 packet so that it can be
      relayed back to the IPv6 sender.  That makes this problem hard to
      detect and react upon by the sender of the packet.

   o  As 6to4 tunnels across the Internet, the IPv4 addresses used must
      be globally reachable.  RFC3056 states that a private address
      [RFC1918] MUST NOT be used. 6to4 will not work in networks that
      employ other addresses with limited topological span.  In
      particular it will predictably fail in the case of double network
      address translation (NAT444).

   For further analysis, see [RFC6343].

4.  Deprecation

   This document formally deprecates the 6to4 transition mechanism and
   the IPv6 6to4 prefix defined in [RFC3056], i.e., 2002::/16.  The
   prefix MUST NOT be reassigned for other use except by a future IETF
   standards action.

   Disabling 6to4 in the IPv6 Internet will take some time.  The initial
   approach  Firstly, it
   is NOT RECOMMENDED to make 6to4 a service of "last resort" include this mechanism in host
   implementations, ensure that the 6to4 service is new implementations.
   If included, it MUST be disabled by default
   in 6to4 routers, and deploy native IPv6 services.  In order to limit
   the impact of end-users, it default.  It is recommended that operators retain
   their existing 6to4 relay routers and follow the recommendations
   found in [I-D.ietf-v6ops-6to4-advisory].  When traffic levels
   diminish, these routers can no longer
   considered to be decommissioned.

   IPv6 nodes SHOULD treat 6to4 as a useful service of "last resort" as
   recommended in [I-D.ietf-6man-rfc3484-revise] supported by

   Implementations capable of acting as 6to4 routers SHOULD MUST NOT enable
   6to4 without explicit user configuration.  In particular, enabling
   IPv6 forwarding on a device, SHOULD MUST NOT automatically enable 6to4.

   Existing implementations

   Current operators of an anycast 6to4 relay with the IPv4 address SHOULD review the information in [RFC6343] and deployments MAY the
   present document, and then consider carefully when the anycast relay
   can be discontinued as traffic diminishes.

   Operators of a 6to4 return relay announcing the IPv6 prefix 2002::/16
   SHOULD review the information in [RFC6343] and the present document,
   and then consider carefully when the return relay can be discontinued
   as traffic diminishes.  As discussed in Section 4.5 of RFC 6343,
   content providers might choose to continue operating such a relay for
   the benefit of any residual 6to4 clients.

   Peer-to-peer usage of the 6to4 mechanism, not depending on the
   anycast mechanism, might exist in the Internet, largely unknown to use 6to4.
   operators.  This is harmless to third parties and the current
   document is not intended to prevent such traffic continuing.

   The references to 6to4 should be removed as soon as practical from
   the revision of the Special-Use IPv6 Addresses [RFC5156]. [RFC6890].

   The references to the 6to4 relay anycast addresses (
   should be removed as soon as practical from the revision of the
   Special Use IPv4 addresses [RFC5735]. [RFC6890].

   Incidental references to 6to4 should be removed from other IETF
   documents if and when they are updated.  These documents include
   RFC3162, RFC3178, RFC3790, RFC4191, RFC4213, RFC4389, RFC4779,
   RFC4852, RFC4891, RFC4903, RFC5157, RFC5245, RFC5375, RFC5971, and

5.  IANA Considerations

   IANA is requested to mark the 2002::/16 prefix as "deprecated",
   pointing to this document.  Reassignment of the prefix for any usage
   requires justification via an IETF Standards Action [RFC5226].

   The delegation of the domain [RFC5158] should be
   left in place.  Redelegation of the domain for any usage requires
   justification via an IETF Standards Action [RFC5226].

   IANA is requested to mark the prefix [RFC3068] as
   "deprecated", pointing to this document.  Redelegation of the domain
   for any usage requires justification via an IETF Standards Action

6.  Security Considerations

   There are no new security considerations pertaining to this document.
   General security issues with tunnels are listed in
   [I-D.ietf-v6ops-tunnel-security-concerns] [RFC6169] and more
   specifically to 6to4 in [RFC3964] and [I-D.ietf-v6ops-tunnel-loops]. [RFC6324].

7.  Acknowledgements

   The authors would like to acknowledge Tore Anderson, Dmitry Anipko,
   Jack Bates, Cameron Byrne, Ben Campbell, Gert Doering, Ray Hunter,
   Joel Jaeggli, Kurt Erik Lindqvist, Jason Livingood, Keith Moore, Tom
   Petch, Daniel Roesen and Mark Townsley, James Woodyatt, for their
   contributions and discussions on this topic.

   Special thanks go to Fred Baker, Geoff Huston, Brian Carpenter, and Wes George for
   their significant contributions.

   Many thanks to Gunter Van de Velde for documenting the harm caused by
   non-managed tunnels and to stimulate the creation of this document.

8.  References

8.1.  Normative References

   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
              3", BCP 9, RFC 2026, October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains
              via IPv4 Clouds", RFC 3056, February 2001.

   [RFC3068]  Huitema, C., "An Anycast Prefix for 6to4 Relay Routers",
              RFC 3068, June 2001.

   [RFC5156]  Blanchet, M., "Special-Use IPv6 Addresses", RFC 5156,
              April 2008.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [RFC5735]  Cotton, M.

   [RFC6724]  Thaler, D., Draves, R., Matsumoto, A., and L. T. Chown,
              "Default Address Selection for Internet Protocol Version 6
              (IPv6)", RFC 6724, September 2012.

   [RFC6890]  Cotton, M., Vegoda, "Special Use IPv4 Addresses", L., Bonica, R., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153, RFC 5735, January 2010.
              6890, April 2013.

8.2.  Informative References

   [HUSTON]   Huston, , "Flailing IPv6", December 2010,

              Matsumoto, A., Kato, J., and T. Fujisaki, "Update to RFC
              3484 Default Address Selection for IPv6",
              draft-ietf-6man-rfc3484-revise-03 (work in progress),
              June 2011.

              Carpenter, B., "Advisory Guidelines for 6to4 Deployment",
              draft-ietf-v6ops-6to4-advisory-02 (work in progress),
              June 2011.

              Nakibly, G. and F. Templin, "Routing Loop Attack using
              IPv6 Automatic Tunnels: Problem Statement and Proposed
              Mitigations", draft-ietf-v6ops-tunnel-loops-07 (work in
              progress), May 2011.

              Krishnan, S., Thaler, D., and J. Hoagland, "Security
              Concerns With IP Tunneling",
              draft-ietf-v6ops-tunnel-security-concerns-04 (work in
              progress), October 2010.

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets", BCP
              5, RFC 1918, February 1996.

   [RFC3964]  Savola, P. and C. Patel, "Security Considerations for
              6to4", RFC 3964, December 2004.

   [RFC5158]  Huston, G., "6to4 Reverse DNS Delegation Specification",
              RFC 5158, March 2008.

   [RFC5969]  Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4
              Infrastructures (6rd) -- Protocol Specification", RFC
              5969, August 2010.

Author's Address

   [RFC6169]  Krishnan, S., Thaler, D., and J. Hoagland, "Security
              Concerns with IP Tunneling", RFC 6169, April 2011.

   [RFC6324]  Nakibly, G. and F. Templin, "Routing Loop Attack Using
              IPv6 Automatic Tunnels: Problem Statement and Proposed
              Mitigations", RFC 6324, August 2011.

   [RFC6343]  Carpenter, B., "Advisory Guidelines for 6to4 Deployment",
              RFC 6343, August 2011.

   [RFC6555]  Wing, D. and A. Yourtchenko, "Happy Eyeballs: Success with
              Dual-Stack Hosts", RFC 6555, April 2012.

Authors' Addresses

   Ole Troan

   Email: ot@cisco.com

   Brian Carpenter (editor)
   Department of Computer Science
   University of Auckland
   PB 92019
   Auckland  1142
   New Zealand

   Email: brian.e.carpenter@gmail.com