File: rfc2956.html

package info (click to toggle)
doc-rfc 20230121-1
links: PTS, VCS
area: non-free
in suites: bookworm, forky, sid, trixie
size: 1,609,944 kB
file content (893 lines) | stat: -rw-r--r-- 45,366 bytes
parent folder | download | duplicates (2)
<pre>Network Working Group                                            M. Kaat
Request for Comments: 2956                   SURFnet ExpertiseCentrum bv
Category: Informational                                     October 2000


              <span class="h1">Overview of 1999 IAB Network Layer Workshop</span>

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This document is an overview of a workshop held by the Internet
   Architecture Board (IAB) on the Internet Network Layer architecture
   hosted by SURFnet in Utrecht, the Netherlands on 7-9 July 1999.  The
   goal of the workshop was to understand the state of the network layer
   and its impact on continued growth and usage of the Internet.
   Different technical scenarios for the (foreseeable) future and the
   impact of external influences were studied.  This report lists the
   conclusions and recommendations to the Internet Engineering Task
   Force (IETF) community.

Table of Contents

   <a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . .  <a href="#page-2">2</a>
   <a href="#section-2">2</a>. Conclusions and Observations . . . . . . . . . . . . . . .  <a href="#page-3">3</a>
    <a href="#section-2.1">2.1</a>  Transparency. . . . . . . . . . . . . . . . . . . . . .  <a href="#page-3">3</a>
    <a href="#section-2.2">2.2</a>  NAT, Application Level Gateways &amp; Firewalls . . . . . .  <a href="#page-4">4</a>
    <a href="#section-2.3">2.3</a>  Identification and Addressing . . . . . . . . . . . . .  <a href="#page-4">4</a>
    <a href="#section-2.4">2.4</a>  Observations on Address Space . . . . . . . . . . . . .  <a href="#page-5">5</a>
    <a href="#section-2.5">2.5</a>  Routing Issues. . . . . . . . . . . . . . . . . . . . .  <a href="#page-5">5</a>
    <a href="#section-2.6">2.6</a>  Observations on Mobility. . . . . . . . . . . . . . . .  <a href="#page-6">6</a>
    <a href="#section-2.7">2.7</a>  DNS Issues. . . . . . . . . . . . . . . . . . . . . . .  <a href="#page-7">7</a>
    <a href="#section-2.8">2.8</a>  NAT and RSIP. . . . . . . . . . . . . . . . . . . . . .  <a href="#page-7">7</a>
    <a href="#section-2.9">2.9</a>  NAT, RSIP and IPv6. . . . . . . . . . . . . . . . . . .  <a href="#page-8">8</a>
    <a href="#section-2.10">2.10</a> Observations on IPv6. . . . . . . . . . . . . . . . . .  <a href="#page-9">9</a>
   <a href="#section-3">3</a>. Recommendations. . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
    <a href="#section-3.1">3.1</a> Recommendations on Namespace . . . . . . . . . . . . . . <a href="#page-10">10</a>
    <a href="#section-3.2">3.2</a> Recommendations on RSIP. . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
    <a href="#section-3.3">3.3</a> Recommendations on IPv6. . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
    <a href="#section-3.4">3.4</a> Recommendations on IPsec . . . . . . . . . . . . . . . . <a href="#page-11">11</a>



<span class="grey">Kaat                         Informational                      [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


    <a href="#section-3.5">3.5</a> Recommendations on DNS . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
    <a href="#section-3.6">3.6</a> Recommendations on Routing . . . . . . . . . . . . . . . <a href="#page-12">12</a>
    <a href="#section-3.7">3.7</a> Recommendations on Application Layer and APIs. . . . . . <a href="#page-12">12</a>
   <a href="#section-4">4</a>. Security Considerations. . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
   References. . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
   <a href="#appendix-A">Appendix A</a>. Participants. . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
   Author's Address. . . . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
   Full Copyright Statement  . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>

<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>

   From July 7 to July 9, 1999 the Internet Architecture Board (IAB)
   held a workshop on the architecture of the Internet Network Layer.
   The Network Layer is usually referred to as the IP layer.  The goal
   of the workshop was to discuss the current state of the Network Layer
   and the impact various currently deployed or future mechanisms and
   technologies might have on the continued growth and usage of the
   Internet.

   The most important issues to be discussed were:

   o  Status of IPv6 deployment and transition issues
   o  Alternative technical strategies in case IPv6 is not adopted
   o  Globally unique addresses and 32 bit address depletion
   o  Global connectivity and reachability
   o  Fragmentation of the Internet
   o  End to end transparency and the progressive loss thereof
   o  End to end security
   o  Complications of address sharing mechanisms (NAT, RSIP)
   o  Separation of identification and location in addressing
   o  Architecture and scaling of the current routing system

   The participants looked into several technical scenarios and
   discussed the feasibility and probability of the deployment of each
   scenario.  Among the scenarios were for example full migration to
   IPv6, IPv6 deployment only in certain segments of the network, no
   significant deployment of IPv6 and increased segmentation of the IPv4
   address space due to the use of NAT devices.

   Based on the discussion of these scenarios several trends and
   external influences were identified which could have a large impact
   on the status of the network layer, such as the deployment of
   wireless network technologies, mobile networked devices and special
   purpose IP devices.







<span class="grey">Kaat                         Informational                      [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


   The following technical issues were identified to be important goals:

   o  Deployment of end to end security
   o  Deployment of end to end transport
   o  Global connectivity and reachability should be maintained
   o  It should be easy to deploy new applications
   o  It should be easy to connect new hosts and networks to the
      Internet ("plug and ping")

   By the notion "deployment of end to end transport" it is meant that
   it is a goal to be able to deploy new applications that span from any
   host to any other host without intermediaries, and this requires
   transport protocols with similar span (see also [<a href="#ref-1" title="&quot;Internet Transparency&quot;">1</a>]).

   This document summarizes the conclusions and recommendations made by
   the workshop.  It should be noted that not all participants agreed
   with all of the statements, and it was not clear whether anyone
   agreed with all of them.  The recommendations made however are based
   on strong consensus among the participants.

<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Conclusions and Observations</span>

   The participants came to a number of conclusions and observations on
   several of the issues mentioned in <a href="#section-1">section 1</a>.  In the following
   sections <a href="#section-2.1">2.1</a>-<a href="#section-2.10">2.10</a> these conclusions will be described.

<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a> Transparency</span>

   In the discussions transparency was referred to as the original
   Internet concept of a single universal logical addressing scheme and
   the mechanisms by which packets may flow from source to destination
   essentially unaltered [<a href="#ref-1" title="&quot;Internet Transparency&quot;">1</a>].  This traditional end to end transparency
   has been lost in the current Internet, specifically the assumption
   that IPv4 addresses are globally unique or invariant is no longer
   true.

   There are multiple causes for the loss of transparency, for example
   the deployment of network address translation devices, the use of
   private addresses, firewalls and application level gateways, proxies
   and caches.  These mechanisms increase fragmentation of the network
   layer, which causes problems for many applications on the Internet.
   It adds up to complexity in applications design and inhibits the
   deployment of new applications.  In particular, it has a severe
   effect on the deployment of end to end IP security.







<span class="grey">Kaat                         Informational                      [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


   Another consequence of fragmentation is the deployment of "split DNS"
   or "two faced DNS", which means that the correspondence between a
   given FQDN and an IPv4 address is no longer universal and stable over
   long periods (see <a href="#section-2.7">section 2.7</a>).

   End to end transparency will probably not be restored due to the fact
   that some of the mechanisms have an intrinsic value (e.g. firewalls,
   caches and proxies) and the loss of transparency may be considered by
   some as a security feature.  It was however concluded that end to end
   transparency is desirable and an important issue to pursue.
   Transparency is further explored in [<a href="#ref-1" title="&quot;Internet Transparency&quot;">1</a>].

<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a> NAT, Application Level Gateways &amp; Firewalls</span>

   The previous section indicated that the deployment of NAT (Network
   Address Translation), Application Level Gateways and firewalls causes
   loss of network transparency.  Each of them is incompatible with
   certain applications because they interfere with the assumption of
   end to end transparency.  NAT especially complicates setting up
   servers, peer to peer communications and "always-on" hosts as the
   endpoint identifiers, i.e. IP addresses, used to set up connections
   are globally ambiguous and not stable (see [<a href="#ref-2" title="&quot;Architectural Implications of NAT&quot;">2</a>]).

   NAT, application level gateways and firewalls however are being
   increasingly widely deployed as there are also advantages to each,
   either real or perceived.  Increased deployment causes a further
   decline of network transparency and this inhibits the deployment of
   new applications.  Many new applications will require specialized
   Application Level Gateways (ALGs) to be added to NAT devices, before
   those applications will work correctly when running through a NAT
   device.  However, some applications cannot operate effectively with
   NAT even with an ALG.

<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a> Identification and Addressing</span>

   In the original IPv4 network architecture hosts are globally,
   permanently and uniquely identified by an IPv4 address.  Such an IP
   address is used for identification of the node as well as for
   locating the node on the network.  IPv4 in fact mingles the semantics
   of node identity with the mechanism used to deliver packets to the
   node.  The deployment of mechanisms that separate the network into
   multiple address spaces breaks the assumption that a host can be
   uniquely identified by a single IP address.  Besides that, hosts may
   wish to move to a different location in the network but keep their
   identity the same.  The lack of differentiation between the identity
   and the location of a host leads to a number of problems in the
   current architecture.




<span class="grey">Kaat                         Informational                      [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


   Several technologies at this moment use tunneling techniques to
   overcome the problem or cannot be deployed in the case of separate
   address spaces.  If a node could have some sort of a unique
   identifier or endpoint name this would help in solving a number of
   problems.

   It was concluded that it may be desirable on theoretical grounds to
   separate the node identity from the node locator.  This is especially
   true for IPsec, since IP addresses are used (in transport mode) as
   identifiers which are cryptographically protected and hence MUST
   remain unchanged during transport.  However, such a separation of
   identity and location will not be available as a near-term solution,
   and will probably require changes to transport level protocols.
   However, the current specification of IPsec does allow to use some
   other identifier than an IP address.

<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a> Observations on Address Space</span>

   There is a significant risk that a single 32 bit global address space
   is insufficient for foreseeable needs or desires.  The participants'
   opinions about the time scale over which new IPv4 addresses will
   still be available for assignment ranged from 2 to 20 years.
   However, there is no doubt that at the present time, users cannot
   obtain as much IPv4 address space as they desire.  This is partly a
   result of the current stewardship policies of the Regional Internet
   Registries (RIRs).

   It was concluded that it ought to be possible for anybody to have
   global addresses when required or desired.  The absence of this
   inhibits the deployment of some types of applications.  It should
   however be noted that there will always be administrative boundaries,
   firewalls and intranets, because of the need for security and the
   implementation of policies.  NAT is seen as a significant
   complication on these boundaries.  It is often perceived as a
   security feature because people are confusing NATs with firewalls.

<span class="h3"><a class="selflink" id="section-2.5" href="#section-2.5">2.5</a> Routing Issues</span>

   A number of concerns were raised regarding the scaling of the current
   routing system.  With current technology, the number of prefixes that
   can be used is limited by the time taken for the routing algorithm to
   converge, rather than by memory size, lookup time, or some other
   factor.  The limit is unknown, but there is some speculation, of
   extremely unclear validity, that it is on the order of a few hundred
   thousand prefixes.  Besides the computational load of calculating
   routing tables, the time it takes to distribute routing updates
   across the network, the robustness and security of the current
   routing system are also important issues.  The only known addressing



<span class="grey">Kaat                         Informational                      [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


   scheme which produces scalable routing mechanisms depends on
   topologically aggregated addresses, which requires that sites
   renumber when their position in the global topology changes.
   Renumbering remains operationally difficult and expensive ([<a href="#ref-3" title="&quot;Renumbering Needs Work&quot;">3</a>], [<a href="#ref-4" title="&quot;Network Renumbering Overview: Why would I want it and what is it anyway?&quot;">4</a>]).
   It is not clear whether the deployment of IPv6 would solve the
   current routing problems, but it should do so if it makes renumbering
   easier.

   At least one backbone operator has concerns about the convergence
   time of internetwork-wide routing during a failover.  This operator
   believes that current convergence times are on the order of half a
   minute, and possibly getting worse.  Others in the routing community
   did not believe that the convergence times are a current issue. Some,
   who believe that real-time applications (e.g. telephony) require
   sub-second convergence, are concerned about the implications of
   convergence times of a half minute on such applications.

   Further research is needed on routing mechanisms that might help
   palliate the current entropy in the routing tables, and can help
   reduce the convergence time of routing computations.

   The workshop discussed global routing in a hypothetical scenario with
   no distinguished root global address space.  Nobody had an idea how
   to make such a system work.  There is currently no well-defined
   proposal for a new routing system that could solve such a problem.

   For IPv6 routing in particular, the GSE/8+8 proposal and IPNG WG
   analysis of this proposal ([<a href="#ref-5" title="&quot;Separating Identifiers and Locators in Addresses: An Analysis of the GSE Proposal for IPv6&quot;">5</a>]) are still being examined by the IESG.
   There is no consensus in the workshop whether this proposal could be
   made deployable.

<span class="h3"><a class="selflink" id="section-2.6" href="#section-2.6">2.6</a> Observations on Mobility</span>

   Mobility and roaming require a globally unique identifier. This does
   not have to be an IP address.  Mobile nodes must have a widely usable
   identifier for their location on the network, which is an issue if
   private IP addresses are used or the IP address is ambiguous (see
   also <a href="#section-2.3">section 2.3</a>).  Currently tunnels are used to route traffic to a
   mobile node.  Another option would be to maintain state information
   at intermediate points in the network if changes are made to the
   packets.  This however reduces the flexibility and it breaks the end
   to end model of the network.  Keeping state in the network is usually
   considered a bad thing.  Tunnels on the other hand reduce the MTU
   size.  Mobility was not discussed in detail as a separate IAB
   workshop is planned on this topic.






<span class="grey">Kaat                         Informational                      [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


<span class="h3"><a class="selflink" id="section-2.7" href="#section-2.7">2.7</a> DNS issues</span>

   If IPv6 is widely deployed, the current line of thinking is that site
   renumbering will be significantly more frequent than today.  This
   will have an impact on DNS updates.  It is not clear what the scale
   of DNS updates might be, but in the most aggressive models it could
   be millions a day.  Deployment of the A6 record type which is defined
   to map a domain name to an IPv6 address, with the provision for
   indirection for leading prefix bits, could make this possible ([<a href="#ref-6" title="&quot;DNS Extensions to Support IPv6 Address Aggregation and Renumbering&quot;">6</a>]).

   Another issue is the security aspect of frequent updates, as they
   would have to been done dynamically.  Unless we have fully secured
   DNS, it could increase security risks.  Cached TTL values might
   introduce problems as the cached records of renumbered hosts will not
   be updated in time.  This will become especially a problem if rapid
   renumbering is needed.

   Another already mentioned issue is the deployment of split DNS (see
   <a href="#section-2.1">section 2.1</a>).  This concept is widely used in the Intranet model,
   where the DNS provides different information to inside and outside
   queries.  This does not necessarily depend on whether private
   addresses are used on the inside, as firewalls and policies may also
   make this desirable.  The use of split DNS seems inevitable as
   Intranets will remain widely deployed.  But operating a split DNS
   raises a lot of management and administrative issues.  As a work
   around, a DNS Application Level Gateway ([<a href="#ref-7" title="&quot;DNS extensions to Network Address Translators (DNS_ALG)&quot;">7</a>]) (perhaps as an
   extension to a NAT device) may be deployed, which intercepts DNS
   messages and modifies the contents to provide the appropriate
   answers.  This has the disadvantage that it interferes with the use
   of DNSSEC ([<a href="#ref-8" title="&quot;Domain Name System Security Extensions&quot;">8</a>]).

   The deployment of split DNS, or more generally the existence of
   separate name spaces, makes the use of Fully Qualified Domain Names
   (FQDNs) as endpoint identifiers more complex.

<span class="h3"><a class="selflink" id="section-2.8" href="#section-2.8">2.8</a> NAT and RSIP</span>

   Realm-Specific IP (RSIP), a mechanism for use with IPv4, is a work
   item of the IETF NAT WG.  It is intended as an alternative (or as a
   complement) to network address translation (NAT) for IPv4, but other
   uses are possible (for example, allowing end to end traffic across
   firewalls).  It is similar to NAT, in that it allows sharing a small
   number of external IPv4 addresses among a number of hosts in a local
   address domain (called a 'realm').  However, it differs from NAT in
   that the hosts know that different externally-visible IPv4 addresses
   are being used to refer to them outside their local realm, and they





<span class="grey">Kaat                         Informational                      [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


   know what their temporary external address is.  The addresses and
   other information are obtained from an RSIP server, and the packets
   are tunneled across the first routing realm ([<a href="#ref-9" title="&quot;Realm Specific IP: Protocol Specification&quot;">9</a>], [<a href="#ref-10" title="&quot;Realm Specific IP: Framework&quot;">10</a>]).

   The difference between NAT and RSIP - that an RSIP client is aware of
   the fact that it uses an IP address from another address space, while
   with NAT, neither endpoint is aware that the addresses in the packets
   are being translated - is significant.  Unlike NAT, RSIP has the
   potential to work with protocols that require IP addresses to remain
   unmodified between the source and destination.  For example, whereas
   NAT gateways preclude the use of IPsec across them, RSIP servers can
   allow it [<a href="#ref-11" title="&quot;RSIP Support for End-to-end IPsec&quot;">11</a>].

   The addition of RSIP to NATs may allow them to support some
   applications that cannot work with traditional NAT ([<a href="#ref-12" title="&quot;Protocol Complications with the IP Network Address Translator&quot;">12</a>]), but it
   does require that hosts be modified to act as RSIP clients.  It
   requires changes to the host's TCP/IP stack, any layer-three protocol
   that needs to be made RSIP-aware will have to be modified (e.g. ICMP)
   and certain applications may have to be changed.  The exact changes
   needed to host or application software are not quite well known at
   this moment and further research into RSIP is required.

   Both NAT and RSIP assume that the Internet retains a core of global
   address space with a coherent DNS.  There is no fully prepared model
   for NAT or RSIP without such a core; therefore NAT and RSIP face an
   uncertain future whenever the IPv4 address space is finally exhausted
   (see <a href="#section-2.4">section 2.4</a>).  Thus it is also a widely held view that in the
   longer term the complications caused by the lack of globally unique
   addresses, in both NAT and RSIP, might be a serious handicap ([<a href="#ref-1" title="&quot;Internet Transparency&quot;">1</a>]).

   If optimistic assumptions are made about RSIP (it is still being
   defined and a number of features have not been implemented yet), the
   combination of NAT and RSIP seems to work in most cases.  Whether
   RSIP introduces specific new problems, as well as removing some of
   the NAT issues, remains to be determined.

   Both NAT and RSIP may have trouble with the future killer
   application, especially when this needs QoS features, security and/or
   multicast.  And if it needs peer to peer communication (i.e. there
   would be no clear distinction between a server and a client) or
   assumes "always-on" systems, this would probably be complex with both
   NAT and RSIP (see also <a href="#section-2.2">section 2.2</a>).

<span class="h3"><a class="selflink" id="section-2.9" href="#section-2.9">2.9</a> NAT, RSIP and IPv6</span>

   Assuming IPv6 is going to be widely deployed, network address
   translation techniques could play an important role in the transition
   process from IPv4 to IPv6 ([<a href="#ref-13" title="&quot;Network Address Translation - Protocol Translation (NAT-PT)&quot;">13</a>]).  The impact of adding RSIP support



<span class="grey">Kaat                         Informational                      [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


   to hosts is not quite clear at this moment, but it is less than
   adding IPv6 support since most applications probably don't need to be
   changed.  And RSIP needs no changes to the routing infrastructure,
   but techniques such as automatic tunneling ([<a href="#ref-14" title="&quot;Transition Mechanisms for IPv6 Hosts and Routers&quot;">14</a>]) and 6to4 ([<a href="#ref-15" title="&quot;Connection of IPv6 Domains via IPv4 Clouds&quot;">15</a>])
   would also allow IPv6 traffic to be passed over the existing IPv4
   routing infrastructure.  While RSIP is principally a tool for
   extending the life of IPv4, it is not a roadblock for the transition
   to IPv6.  The development of RSIP is behind that of IPv6, and more
   study into RSIP is required to determine what the issues with RSIP
   might be.

<span class="h3"><a class="selflink" id="section-2.10" href="#section-2.10">2.10</a> Observations on IPv6</span>

   An important issue in the workshop was whether the deployment of IPv6
   is feasible and probable.  It was concluded that the transition to
   IPv6 is plausible modulo certain issues.  For example applications
   need to be ported to IPv6, and production protocol stacks and
   production IPv6 routers should be released.  The core protocols are
   finished, but other standards need to be pushed forward (e.g. MIBs).
   A search through all RFCs for dependencies on IPv4 should be made, as
   was done for the Y2K problem, and if problems are found they must be
   resolved.  As there are serious costs in implementing IPv6 code, good
   business arguments are needed to promote IPv6.

   One important question was whether IPv6 could help solve the current
   problems in the routing system and make the Internet scale better.
   It was concluded that "automatic" renumbering is really important
   when prefixes are to be changed periodically to get the addressing
   topology and routing optimized.  This also means that any IP layer
   and configuration dependencies in protocols and applications will
   have to be removed ([<a href="#ref-3" title="&quot;Renumbering Needs Work&quot;">3</a>]).  One example that was mentioned is the use
   of IP addresses in the PKI (IKE).  There might also be security
   issues with "automatic" renumbering as DNS records have to be updated
   dynamically (see also <a href="#section-2.7">section 2.7</a>).

   Realistically, because of the dependencies mentioned, IPv6
   renumbering cannot be truly automatic or instantaneous, but it has
   the potential to be much simpler operationally than IPv4 renumbering,
   and this is critical to market and ISP acceptance of IPv6.

   Another issue is whether existing TCP connections (using the old
   address(es)) should be maintained across renumbering.  This would
   make things much more complex and it is foreseen that old and new
   addresses would normally overlap for a long time.

   There was no consensus on how often renumbering would take place or
   how automatic it can be in practice; there is not much experience
   with renumbering (maybe only for small sites).



<span class="grey">Kaat                         Informational                      [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Recommendations</span>

<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a> Recommendation on Namespace</span>

   The workshop recommends the IAB to appoint a panel to make specific
   recommendations to the IETF about:

      i) whether we should encourage more parts of the stack to adopt a
         namespace for end to end interactions, so that a) NAT works
         'better', and b) we have a little more independence between the
         internetwork and transport and above layers;
     ii) if so, whether we should have a single system-wide namespace
         for this function, or whether it makes more sense to allow
         various subsystems to chose the namespace that makes sense for
         them;
    iii) and also, what namespace(s) [depending on the output of the
         point above] that ought to be.

<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a> Recommendations on RSIP</span>

   RSIP is an interesting idea, but it needs further refinement and
   study.  It does not break the end to end network model in the same
   way as NAT, because an RSIP host has explicit knowledge of its
   temporary global address.  Therefore, RSIP could solve some of the
   issues with NAT.  However, it is premature to recommend it as a
   mainstream direction at this time.

   It is recommended that the IETF should actively work on RSIP, develop
   the details and study the issues.

<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a> Recommendations on IPv6</span>

3.3.1
   The current model of TLA-based addressing and routing should be
   actively pursued.  However, straightforward site renumbering using
   TLA addresses is really needed, should be as nearly automatic as
   possible, and should be shown to be real and credible by the IPv6
   community.

3.3.2
   Network address translation techniques, in addition to their
   immediate use in pure IPv4 environments, should also be viewed as
   part of the starting point for migration to IPv6.  Also RSIP, if
   successful, can be a starting point for IPv6 transition.







<span class="grey">Kaat                         Informational                     [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


   While the basic concepts of the IPv4 specific mechanisms NAT and RSIP
   are also being used in elements of the proposed migration path to
   IPv6 (in NAT-PT for NAT, and SIIT and AIIH for RSIP), NAT and RSIP
   for IPv4 are not directly part of a documented transition path to
   IPv6.

   The exact implications, for transition to IPv6, of having NAT and
   RSIP for IPv4 deployed, are not well understood.  Strategies for
   transition to IPv6, for use in IPv4 domains using NAT and RSIP for
   IPv4, should be worked out and documented by the IETF.

3.3.3
   The draft analysis of the 8+8/GSE proposal should be evaluated by the
   IESG and accepted or rejected, without disturbing ongoing IPv6
   deployment work.  The IESG should use broad expertise, including
   liaison with the endpoint namespace panel (see <a href="#section-3.1">section 3.1</a>) in their
   evaluation.

<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a> Recommendations on IPsec</span>

   It is urgent that we implement and deploy IPsec using some other
   identifier than 32-bit IP addresses (see <a href="#section-2.3">section 2.3</a>).  The current
   IPsec specifications support the use of several different Identity
   types (e.g. Domain Name, User@Domain Name).  The IETF should promote
   implementation and deployment of non-address Identities with IPsec.
   We strongly urge the IETF to completely deprecate the use of the
   binary 32-bit IP addresses within IPsec, except in certain very
   limited circumstances, such as router to router tunnels; in
   particular any IP address dependencies should be eliminated from
   ISAKMP and IKE.

   Ubiquitous deployment of the Secure DNS Extensions ([<a href="#ref-8" title="&quot;Domain Name System Security Extensions&quot;">8</a>]) should be
   strongly encouraged to facilitate widespread deployment of IPsec
   (including IKE) without address-based Identity types.

<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a> Recommendations on DNS</span>

   Operational stability of DNS is paramount, especially during a
   transition of the network layer, and both IPv6 and some network
   address translation techniques place a heavier burden on DNS.  It is
   therefore recommended to the IETF that, except for those changes that
   are already in progress and will support easier renumbering of
   networks and improved security, no fundamental changes or additions
   to the DNS be made for the foreseeable future.

   In order to encourage widespread deployment of IPsec, rapid
   deployment of DNSSEC is recommended to the operational community.




<span class="grey">Kaat                         Informational                     [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


<span class="h3"><a class="selflink" id="section-3.6" href="#section-3.6">3.6</a> Recommendations on Routing</span>

   The only known addressing scheme which produces scalable routing
   mechanisms depends on topologically aggregated addresses, which
   requires that sites renumber when their position in the global
   topology changes.  Thus recommendation 3.3.1 is vital for routing
   IPv6.

   Although the same argument applies to IPv4, the installed base is
   simply too large and the PIER working group showed that little can be
   done to improve renumbering procedures for IPv4.  However, NAT and/or
   RSIP may help.

   In the absence of a new addressing model to replace topological
   aggregation, and of clear and substantial demand from the user
   community for a new routing architecture (i.e. path-selection
   mechanism) there is no reason to start work on standards for a "next
   generation" routing system in the IETF.  Therefore, we recommend that
   work should continue in the IRTF Routing Research Group.

<span class="h3"><a class="selflink" id="section-3.7" href="#section-3.7">3.7</a> Recommendations on Application layer and APIs</span>

   Most current APIs such as sockets are an obstacle to migration to a
   new network layer of any kind, since they expose network layer
   internal details such as addresses.

   It is therefore recommended, as originally recommended in <a href="./rfc1900">RFC 1900</a>
   [<a href="#ref-3" title="&quot;Renumbering Needs Work&quot;">3</a>], that IETF protocols, and third-party applications, avoid any
   explicit awareness of IP addresses, when efficient operation of the
   protocol or application is feasible in the absence of such awareness.
   Some applications and services may continue to need to be aware of IP
   addresses.  Until we once again have a uniform address space for the
   Internet, such applications and services will necessarily have
   limited deployability, and/or require ALG support in NATs.

   Also we recommend an effort in the IETF to generalize APIs to offer
   abstraction from all network layer dependencies, perhaps as a side-
   effect of the namespace study of <a href="#section-3.1">section 3.1</a>.

<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Security Considerations</span>

   The workshop did not address security as a separate topic, but the
   role of firewalls, and the desirability of end to end deployment of
   IPsec, were underlying assumptions.  Specific recommendations on
   security are covered in sections <a href="#section-3.4">3.4</a> and <a href="#section-3.5">3.5</a>.






<span class="grey">Kaat                         Informational                     [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


References

   [<a id="ref-1">1</a>]   Carpenter, B., "Internet Transparency", <a href="./rfc2775">RFC 2775</a>, February
         2000.

   [<a id="ref-2">2</a>]   Hain, T., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&amp;q=inurl:draft-+%22Architectural+Implications+of+NAT%22'>"Architectural Implications of NAT"</a>, Work in
         Progress.

   [<a id="ref-3">3</a>]   Carpenter, B. and Y. Rekhter, "Renumbering Needs Work", <a href="./rfc1900">RFC</a>
         <a href="./rfc1900">1900</a>, February 1996.

   [<a id="ref-4">4</a>]   Ferguson, P and H. Berkowitz, "Network Renumbering Overview:
         Why would I want it and what is it anyway?", <a href="./rfc2071">RFC 2071</a>, January
         1997.

   [<a id="ref-5">5</a>]   M. Crawford, A. Mankin, T. Narten, J.W. Stewart, III, L. Zhang,
         "Separating Identifiers and Locators in Addresses: An Analysis
         of the GSE Proposal for IPv6", Work in Progress.

   [<a id="ref-6">6</a>]   Crawford, M., and C. Huitema, "DNS Extensions to Support IPv6
         Address Aggregation and Renumbering", <a href="./rfc2874">RFC 2874</a>, July 2000.

   [<a id="ref-7">7</a>]   Srisuresh, P., Tsirtsis, G., Akkiraju, P. and A. Heffernan,
         "DNS extensions to Network Address Translators (DNS_ALG)", <a href="./rfc2694">RFC</a>
         <a href="./rfc2694">2694</a>, September 1999.

   [<a id="ref-8">8</a>]   Eastlake, D., "Domain Name System Security Extensions", <a href="./rfc2535">RFC</a>
         <a href="./rfc2535">2535</a>, March 1999.

   [<a id="ref-9">9</a>]   M. Borella, D. Grabelsky, J. Lo, K. Tuniguchi "Realm Specific
         IP: Protocol Specification", Work in Progress.

   [<a id="ref-10">10</a>]  M. Borella, J. Lo, D. Grabelsky, G. Montenegro "Realm Specific
         IP: Framework", Work in Progress.

   [<a id="ref-11">11</a>]  G. Montenegro, M. Borella, <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&amp;q=inurl:draft-+%22RSIP+Support+for+End-to-end+IPsec%22'>"RSIP Support for End-to-end IPsec"</a>,
         Work in Progress.

   [<a id="ref-12">12</a>]  M. Holdrege, P. Srisuresh, "Protocol Complications with the IP
         Network Address Translator", Work in Progress.

   [<a id="ref-13">13</a>]  Tsirtsis, G. and P. Srisuresh, "Network Address Translation -
         Protocol Translation (NAT-PT)", <a href="./rfc2766">RFC 2766</a>, February 2000.








<span class="grey">Kaat                         Informational                     [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


   [<a id="ref-14">14</a>]  Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6
         Hosts and Routers", <a href="./rfc2893">RFC 2893</a>, August 2000.

   [<a id="ref-15">15</a>]  B. Carpenter, K. Moore, "Connection of IPv6 Domains via IPv4
         Clouds", Work in Progress.














































<span class="grey">Kaat                         Informational                     [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Participants</span>

   Harald Alvestrand           harald@alvestrand.no
   Ran Atkinson                rja@corp.home.net
   Rob Austein                 sra@hactrn.net
   Steve Bellovin              smb@research.att.com
   Randy Bush                  randy@psg.com
   Brian E Carpenter           brian@hursley.ibm.com
   Vint Cerf                   vcerf@MCI.NET
   Noel Chiappa                jnc@lcs.mit.edu
   Matt Crawford               crawdad@fnal.gov
   Robert Elz                  kre@munnari.OZ.AU
   Tony Hain                   tonyhain@microsoft.com
   Matt Holdrege               matt@ipverse.com
   Erik Huizer                 huizer@cs.utwente.nl
   Geoff Huston                gih@telstra.net
   Van Jacobson                van@cisco.com
   Marijke Kaat                Marijke.Kaat@surfnet.nl
   Daniel Karrenberg           Daniel.Karrenberg@ripe.net
   John Klensin                klensin@jck.com
   Peter Lothberg              roll@Stupi.SE
   Olivier H. Martin           Olivier.Martin@cern.ch
   Gabriel Montenegro          gab@sun.com
   Keith Moore                 moore@cs.utk.edu
   Robert (Bob) Moskowitz      rgm@htt-consult.com
   Philip J. Nesser II         pjnesser@nesser.com
   Kathleen Nichols            kmn@cisco.com
   Erik Nordmark               nordmark@eng.sun.com
   Dave Oran                   oran@cisco.com
   Yakov Rekhter               yakov@cisco.com
   Bill Sommerfeld             sommerfeld@alum.mit.edu
   Bert Wijnen                 wijnen@vnet.ibm.com
   Lixia Zhang                 lixia@cs.ucla.edu

Author's Address

   Marijke Kaat
   SURFnet ExpertiseCentrum bv
   P.O. Box 19115
   3501 DC  Utrecht
   The Netherlands

   Phone: +31 30 230 5305
   Fax: +31 30 230 5329
   EMail: Marijke.Kaat@surfnet.nl






<span class="grey">Kaat                         Informational                     [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc2956">RFC 2956</a>            1999 IAB Network Layer Workshop         October 2000</span>


Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Kaat                         Informational                     [Page 16]
</pre>