1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
|
<pre>Independent Submission R. Despres, Ed.
Request for Comments: 6751 RD-IPtech
Category: Experimental B. Carpenter
ISSN: 2070-1721 Univ. of Auckland
D. Wing
Cisco
S. Jiang
Huawei Technologies Co., Ltd.
October 2012
<span class="h1">Native IPv6 behind IPv4-to-IPv4 NAT Customer Premises Equipment (6a44)</span>
Abstract
In customer sites having IPv4-only Customer Premises Equipment (CPE),
Teredo (<a href="./rfc4380">RFC 4380</a>, <a href="./rfc5991">RFC 5991</a>, <a href="./rfc6081">RFC 6081</a>) provides last-resort IPv6
connectivity. However, because it is designed to work without the
involvement of Internet Service Providers, it has significant
limitations (connectivity between IPv6 native addresses and Teredo
addresses is uncertain; connectivity between Teredo addresses fails
for some combinations of NAT types). 6a44 is a complementary
solution that, being based on ISP cooperation, avoids these
limitations. At the beginning of 6a44 IPv6 addresses, it replaces
the Teredo well-known prefix, present at the beginning of Teredo IPv6
addresses, with network-specific /48 prefixes assigned by local ISPs
(an evolution similar to that from 6to4 to 6rd (IPv6 Rapid Deployment
on IPv4 Infrastructures)). The specification is expected to be
complete enough for running code to be independently written and the
solution to be incrementally deployed and used.
<span class="grey">Despres, et al. Experimental [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This is a contribution to the RFC Series, independently
of any other RFC stream. The RFC Editor has chosen to publish this
document at its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6751">http://www.rfc-editor.org/info/rfc6751</a>.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
<span class="grey">Despres, et al. Experimental [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Requirements Language ...........................................<a href="#page-5">5</a>
<a href="#section-3">3</a>. Definitions .....................................................<a href="#page-5">5</a>
<a href="#section-4">4</a>. Design Goals, Requirements, and Model of Operation ..............<a href="#page-7">7</a>
<a href="#section-4.1">4.1</a>. Hypotheses about NAT Behavior ..............................<a href="#page-7">7</a>
4.2. Native IPv6 Connectivity for Unmanaged Hosts behind
NAT44s .....................................................<a href="#page-7">7</a>
<a href="#section-4.3">4.3</a>. Operational Requirements ...................................<a href="#page-8">8</a>
<a href="#section-4.4">4.4</a>. Model of Operation .........................................<a href="#page-9">9</a>
<a href="#section-5">5</a>. 6a44 Addresses .................................................<a href="#page-12">12</a>
<a href="#section-6">6</a>. Specification of Clients and Relays ............................<a href="#page-14">14</a>
<a href="#section-6.1">6.1</a>. Packet Formats ............................................<a href="#page-14">14</a>
<a href="#section-6.2">6.2</a>. IPv6 Packet Encapsulations ................................<a href="#page-14">14</a>
<a href="#section-6.3">6.3</a>. 6a44 Bubbles ..............................................<a href="#page-14">14</a>
<a href="#section-6.4">6.4</a>. MTU Considerations ........................................<a href="#page-16">16</a>
<a href="#section-6.5">6.5</a>. 6a44 Client Specification .................................<a href="#page-16">16</a>
<a href="#section-6.5.1">6.5.1</a>. Tunnel Maintenance .................................<a href="#page-16">16</a>
<a href="#section-6.5.2">6.5.2</a>. Client Transmission ................................<a href="#page-19">19</a>
<a href="#section-6.5.3">6.5.3</a>. Client Reception ...................................<a href="#page-20">20</a>
<a href="#section-6.6">6.6</a>. 6a44 Relay Specification ..................................<a href="#page-23">23</a>
<a href="#section-6.6.1">6.6.1</a>. Relay Reception in IPv6 ............................<a href="#page-23">23</a>
<a href="#section-6.6.2">6.6.2</a>. Relay Reception in IPv4 ............................<a href="#page-24">24</a>
<a href="#section-6.7">6.7</a>. Implementation of Automatic Sunset ........................<a href="#page-26">26</a>
<a href="#section-7">7</a>. Security Considerations ........................................<a href="#page-26">26</a>
<a href="#section-8">8</a>. IANA Considerations ............................................<a href="#page-30">30</a>
<a href="#section-9">9</a>. Acknowledgments ................................................<a href="#page-30">30</a>
<a href="#section-10">10</a>. References ....................................................<a href="#page-30">30</a>
<a href="#section-10.1">10.1</a>. Normative References .....................................<a href="#page-30">30</a>
<a href="#section-10.2">10.2</a>. Informative References ...................................<a href="#page-31">31</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Although most Customer Premises Equipment (CPE) should soon be dual-
stack capable, a large installed base of IPv4-only CPEs is likely to
remain for several years. Their operation is based on IPv4-to-IPv4
NATs (NAT44s). Also, due to the IPv4 address shortage, more and more
Internet Service Providers (ISPs), and more and more mobile
operators, will assign private IPv4 addresses ([<a href="./rfc1918" title=""Address Allocation for Private Internets"">RFC1918</a>]) to their
customers (the [<a href="#ref-NAT444" title=""NAT444 addressing models"">NAT444</a>] model). For rapid and extensive use of IPv6
[<a href="./rfc2460" title=""Internet Protocol, Version 6 (IPv6) Specification"">RFC2460</a>], there is therefore a need for IPv6 connectivity behind
NAT44s, including those of the [<a href="#ref-NAT444" title=""NAT444 addressing models"">NAT444</a>] model.
<span class="grey">Despres, et al. Experimental [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
At the moment, there are two tunneling techniques specified for IPv6
connectivity behind NAT44s:
o Configured tunnels. These involve tunnel brokers with which users
must register [<a href="./rfc3053" title=""IPv6 Tunnel Broker"">RFC3053</a>]. Well-known examples include deployments
of the Hexago tool, and the SixXS collaboration, which are
suitable for IPv6 early trials. However, this approach is not
adequate for mass deployment: it imposes the restriction that even
if two hosts are in the same customer site, IPv6 packets between
them must transit via tunnel servers, which may be far away.
o Automatic Teredo tunnels [<a href="./rfc4380" title=""Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)"">RFC4380</a>] [<a href="./rfc5991" title=""Teredo Security Updates"">RFC5991</a>]. Teredo is specified
as a last-resort solution that, due to its objective to work
without local ISP involvement, has the following limitations:
* Connectivity between IPv6 native addresses and Teredo addresses
is uncertain. (As explained in <a href="./rfc4380#section-8.3">[RFC4380] Section 8.3</a>, this
connectivity depends on paths being available from all IPv6
native addresses to some Teredo relays. ISPs lack sufficient
motivations to ensure it.)
* Between two Teredo addresses, IPv6 connectivity fails for some
combinations of NAT44 types (<a href="./rfc6081#section-3">[RFC6081] Section 3</a>).
* According to <a href="./rfc4380#section-5.2">[RFC4380] Section 5.2</a>, each Teredo host has to be
configured with the IPv4 address of a Teredo server (a
constraint that can, however, be avoided in some
implementations).
6a44 is designed to avoid Teredo limitations: with 6a44, ISPs can
participate in the solution. The approach for this is similar to the
approach that permitted 6rd [<a href="./rfc5569" title=""IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)"">RFC5569</a>] [<a href="./rfc5969" title=""IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification"">RFC5969</a>] to avoid the
limitations of 6to4 [<a href="./rfc3056" title=""Connection of IPv6 Domains via IPv4 Clouds"">RFC3056</a>] [<a href="./rfc3068" title=""An Anycast Prefix for 6to4 Relay Routers"">RFC3068</a>]: at the beginning of IPv6
addresses, the Teredo well-known prefix is replaced by network-
specific prefixes assigned by local ISPs.
This document is organized as follows: terms used in the document are
defined in <a href="#section-3">Section 3</a>; design goals and model of operation are
presented in <a href="#section-4">Section 4</a>; <a href="#section-5">Section 5</a> describes the format of 6a44 IPv6
addresses; <a href="#section-6">Section 6</a> specifies in detail the behaviors of 6a44
clients and 6a44 relays; security and IANA considerations are covered
in Sections <a href="#section-7">7</a> and <a href="#section-8">8</a>, respectively.
This specification is expected to be complete enough for running code
to be independently written and the solution to be incrementally
deployed and used. Its status is Experimental rather than Standards
Track, to reflect uncertainty as to which major Internet players may
be willing to support it.
<span class="grey">Despres, et al. Experimental [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Requirements Language</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Definitions</span>
The following definitions are used in this document:
MAJOR NEW DEFINITIONS
6a44 ISP network: An IPv4-capable ISP network that supports at least
one 6a44 relay. Additional conditions are that it assigns
individual IPv4 addresses to its customer sites (global or
private), that it supports ingress filtering [<a href="./rfc2827" title=""Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"">RFC2827</a>], and that
its path MTUs are at least 1308 octets.
6a44 relay: A node that supports the 6a44 relay function defined in
this document and that has interfaces to an IPv6-capable upstream
network and to an IPv4-capable downstream network.
6a44 client: A host that supports the 6a44 client function defined
in this document and has no means other than 6a44 to have an IPv6
native address.
6a44 tunnel: A tunnel established and maintained between a 6a44
client and 6a44 relays of its ISP network.
6a44 bubble: A UDP/IPv4 packet sent from a 6a44 client to the
6a44-relay address, or vice versa, and having a UDP payload that
cannot be confused with an IPv6 packet. In the client-to-relay
direction, it is a request for a response bubble. In the relay-
to-client direction, it conveys the up-to-date IPv6 prefix of the
client.
SECONDARY NEW DEFINITIONS
(This list is for reference and can be skipped by readers familiar
with the usual terminology.)
6a44 service: The service offered by a 6a44 ISP network to its 6a44
clients.
6a44-client IPv6 address: The IPv6 address of a 6a44 client. It is
composed of the client IPv6 prefix, received from a 6a44 relay,
followed by the client local IPv4 address.
<span class="grey">Despres, et al. Experimental [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
6a44-client IPv6 prefix: For a 6a44 client, the IPv6 prefix (/96)
composed of the IPv6 prefix of the local 6a44 network (/48)
followed by the UDP/IPv4 mapped address of the client (32 +
16 bits).
6a44-client UDP/IPv4 mapped address: For a 6a44 client, the external
UDP/IPv4 address that, in the CPE NAT44 of the site, is that of
its 6a44 tunnel.
6a44-client UDP/IPv4 local address: For a 6a44 client, the
combination of its local IPv4 address and the 6a44 port.
6a44 port: UDP port 1027, reserved by IANA for 6a44 (see <a href="#section-8">Section 8</a>).
6a44-relay UDP/IPv4 address: The UDP/IPv4 address composed of the
6a44-relay anycast address and the 6a44 port.
6a44-relay anycast address: IPv4 anycast address 192.88.99.2,
reserved by IANA for 6a44 (see <a href="#section-8">Section 8</a>).
6a44-network IPv6 prefix: An IPv6 /48 prefix assigned by an ISP to a
6a44 network.
USUAL DEFINITIONS
(This list is for reference and can be skipped by readers familiar
with the usual terminology.)
Upstream direction: For a network border node, the direction toward
the Internet core.
Downstream direction: For a network border node, the direction
toward end-user nodes (opposite to the upstream direction).
IPv4 private address: An address that starts with one of the three
[<a href="./rfc1918" title=""Address Allocation for Private Internets"">RFC1918</a>] prefixes (10/8, 172.16/12, or 192.168/16).
IPv6 native address: An IPv6 global unicast address that starts with
an aggregatable prefix assigned to an ISP.
UDP/IPv4 address: The combination of an IPv4 address and a UDP port.
UDP/IPv4 packet: A UDP datagram contained in an IPv4 packet.
IPv6/UDP/IPv4 packet: An IPv6 packet contained in a UDP/IPv4 packet.
<span class="grey">Despres, et al. Experimental [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Design Goals, Requirements, and Model of Operation</span>
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Hypotheses about NAT Behavior</span>
6a44 is designed to work with NAT44 behaviors identified in <a href="./rfc6081#section-3">Section 3
of [RFC6081]</a>. In particular, it has to work with endpoint-dependent
mappings as well as with endpoint-independent mappings, including
cases where there are dynamic changes from one mode to the other.
The only assumption is that, after a mapping has been established in
the NAT44, it is maintained as long as it is reused at least once, in
each direction, every 30 seconds.
NOTE: 30 seconds is the value used for the same mapping-maintenance
purpose in Teredo [<a href="./rfc4380" title=""Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)"">RFC4380</a>] and in SIP [<a href="./rfc5626" title=""Managing Client-Initiated Connections in the Session Initiation Protocol (SIP)"">RFC5626</a>].
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Native IPv6 Connectivity for Unmanaged Hosts behind NAT44s</span>
The objective remains that, as soon as possible, CPEs and ISPs
support IPv6 native prefixes. 6a44 is therefore designed only as a
temporary solution for hosts to obtain IPv6 native addresses in sites
whose CPEs are not IPv6 capable yet.
As noted in <a href="#section-1">Section 1</a>, IPv6 native addresses obtainable with
configured tunnels have important limitations. However, compared to
6a44 addresses, they have the advantage of remaining unchanged in the
case of NAT44 reset. 6a44 therefore remains the last-resort solution
for IPv6 native addresses in unmanaged hosts of IPv4-only-CPE sites,
while configured tunnels may still be preferred for some managed
hosts if reported limitations of configured tunnels are judged to be
acceptable. As their scopes are different, the two solutions can
usefully coexist.
Note that Teredo remains a last-resort solution for hosts to have
IPv6 addresses where IPv6 native addresses cannot be made available
(and where Teredo limitations are judged to be acceptable).
<span class="grey">Despres, et al. Experimental [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Operational Requirements</span>
Operational requirements of 6a44 include the following:
Robust IPv6 connectivity: A node having a 6a44 address must have
paths across the Internet to and from all IPv6 native addresses
that are not subject to voluntary firewall filtering.
Intra-site path efficiency: Packets exchanged between 6a44 clients
that are behind the same CPE NAT44 must not have to traverse it.
If these clients have IPv4 connectivity using their private IPv4
addresses, they must also have IPv6 connectivity using their 6a44
addresses.
Plug-and-play operation of 6a44 clients: In order to obtain a 6a44
address from its local ISP, a 6a44 client must need no parameter
configuration.
Scalability of ISP functions: For the solution to be easily
scalable, ISP-supported functions have to be completely stateless.
Anti-spoofing protection: Where address anti-spoofing is ensured in
IPv4 with ingress filtering [<a href="./rfc2827" title=""Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"">RFC2827</a>] [<a href="./rfc3704" title=""Ingress Filtering for Multihomed Networks"">RFC3704</a>], IPv6 addresses
must benefit from the same degree of anti-spoofing protection.
Overall operational simplicity: To paraphrase what Antoine de Saint-
Exupery said in [<a href="#ref-TheTool" title=""Wind, Sand and Stars"">TheTool</a>], "it seems that perfection is attained
not when there is nothing more to add, but when there is nothing
more to remove".
Incremental deployability: Hosts and ISP networks must be able to
become 6a44 capable independently of each other. IPv6 must be
operational where both are available, and there must be no
perceptible effect where they are not both available.
<span class="grey">Despres, et al. Experimental [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. Model of Operation</span>
Operation of 6a44 involves two types of nodes: 6a44 clients and 6a44
relays. Figure 1 shows the two applicability scenarios:
o In the first one, IPv4 addresses assigned to customer sites are
global IPv4.
o In the second one, they are private IPv4 addresses (the [<a href="#ref-NAT444" title=""NAT444 addressing models"">NAT444</a>]
model, where ISPs operate one or several NAT44s, also called
Carrier-Grade NATs (CGNs)).
(A) GLOBAL IPv4 ISP NETWORK
+------------------+
6a44 customer network(s) |GLOBAL IPv4 | Upstream
+-----------+ ---| MTU >= 1308 +--- IPv4 network
---| Private | | ingress filtering| (<== no route
+----+ | IPv4 +-----+ | IPv6 optional | to 6a44 relays)
| |-----| |NAT44|----+ |
+----+ | +-----+ | +-------------+
6a44 ---|MTU >= 1308| | --+6a44 relay(s)|--- Upstream
client(s) | no | ---| +-------------+ IPv6 network
|native IPv6| | |
+-----------+ +------------------+
(B) PRIVATE IPv4 ISP NETWORK
+------------------+
|PRIVATE IPv4 |
| as above |
---| |
| +--------------+
| --+ ISP NAT44(s) |--- Upstream
as above ----+ +--------------+ IPv4 network
| |
| +--------------+
---| --+6a44 relay(s) |--- Upstream
| +--------------+ IPv6 network
| |
+------------------+
Figure 1: 6a44 Applicability Scenarios
<span class="grey">Despres, et al. Experimental [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
In both configurations, the ISP network may also assign IPv6 prefixes
to customer sites:
o If customer sites are only assigned IPv4 addresses (IPv6 prefix
available neither natively nor with any tunnel), 6a44 applies not
only to sites whose CPEs are IPv4-only capable but also to those
whose CPEs are dual-stack capable.
o If customer sites are assigned both IPv4 addresses and IPv6
prefixes, 6a44 only applies to sites whose CPEs are IPv4-only
capable.
Figure 2 illustrates paths of IPv6 packets between a 6a44 client, A,
and various possible locations of remote hosts (E in the same site, F
in another 6a44 site of the same ISP, G in a non-6a44 IPv6 site of
the same ISP, D in an IPv6 site of another ISP). Between 6a44
clients of a same site, IPv6 packets are encapsulated in IPv4
packets. Those between 6a44 clients and 6a44 relays are encapsulated
in UDP/IPv4 packets.
6a44 operates as follows (details in <a href="#section-6">Section 6</a>):
1. A 6a44 client starts operation by sending a 6a44 bubble to the
6a44-relay UDP/IPv4 address.
2. When a 6a44 relay receives a bubble from one of its 6a44
clients, it returns to this client a bubble containing the IPv6
prefix of this client.
3. When a 6a44 client receives a bubble from a 6a44 relay, it
updates (or confirms) its 6a44 address. It is an update if the
client has no IPv6 address yet or if, due to a CPE reset, this
address has changed. After receiving a bubble, a client is
ready to start, or to continue, IPv6 operation.
4. When a 6a44 client having a 6a44 address has an IPv6 packet to
send whose destination IS in the same customer site, it
encapsulates it in an IPv4 packet whose destination is found in
the IPv6 destination address. It then sends the resulting IPv6/
IPv4 packet.
5. When a 6a44 client receives a valid IPv6/IPv4 packet from a 6a44
client of the same site, it decapsulates the IPv6 packet and
submits it to further IPv6 processing.
<span class="grey">Despres, et al. Experimental [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
6. When a 6a44 client having a 6a44 address has an IPv6 packet to
send whose destination IS NOT in the same customer site, it
encapsulates the packet in a UDP/IPv4 packet whose destination
is the 6a44-relay UDP/IPv4 address. It then sends the IPv6/UDP/
IPv4 packet.
7. When a 6a44 relay receives via its IPv4 interface a valid IPv6/
UDP/IPv4 packet whose destination IS one of its 6a44 clients, it
forwards the contained IPv6 packet in a modified IPv6/UDP/IPv4
packet. The UDP/IPv4 destination of this packet is found in the
IPv6 destination address.
8. When a 6a44 client receives a valid IPv6/UDP/IPv4 packet from a
6a44 relay, it decapsulates the IPv6 packet and submits it to
further IPv6 processing.
9. When a 6a44 relay receives via its IPv4 interface a valid IPv6/
UDP/IPv4 packet whose IPv6 destination IS NOT one of its 6a44
clients, it decapsulates the IPv6 packet and sends it via its
IPv6 interface.
10. When a 6a44 relay receives via its IPv6 interface a valid IPv6
packet whose destination is one of its 6a44 clients, it
encapsulates the packet in a UDP/IPv4 packet whose destination
is the UDP/IPv4 address found in the IPv6 destination address.
It then sends the resulting IPv6/UDP/IPv4 packet via its IPv4
interface.
11. To maintain the NAT44 mapping of its 6a44 tunnel, and to quickly
detect the need to change its 6a44 address in case of NAT44
reset, a 6a44 client from time to time sends a bubble to the
6a44-relay address (see <a href="#section-6.5.1">Section 6.5.1</a>).
12. When a 6a44 relay receives via its IPv4 interface an IPv6/UDP/
IPv4 packet whose IPv6 and UDP/IPv4 source addresses are not
consistent, it discards the invalid packet and returns a bubble
to the UDP/IPv4 source address. (This permits the 6a44 client
at this address to update its IPv6 address.)
<span class="grey">Despres, et al. Experimental [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
CUSTOMER +-------------------------+
SITES | ISP NETWORK |
+---------+ +----------------+ |
| | |6a44 ISP NETWORK| | GLOBAL
| | | | | INTERNET
HOSTS | IPv6/UDP/IPv4 +---------+ | HOST
+-+ | +-----+ | B| 6a44 |C/48| IPv6 +-+
|A|---|--.---|NAT44|----|----------.---------.----|--- - - - ---|D|
+-+ | \ +-----+ | /| relay(s)|\ | +-+
+-+ | / | | ' +---------+ ' |
|E|---|--' | | | | | |
+-+ IPv6/IPv4 | | | | | |
+---------+ | | | | |
| | | | |
+---------+ | | | | |
| IPv6/UDP/IPv4 . | | |
+-+ | +-----+ | / | | |
|F|---|------|NAT44|----|------' | | |
+-+ | +-----+ | | | |
| | +----------------+ | |
+---------+ | . |
+-+ | / |
|G|---- - - - - - - ----|--------------------' |
+-+ IPv6 | |
+-------------------------+
IPv6 PATHS A-D: D is IPv6 of another ISP
A-E: E is a 6a44 client in the same site
A-F: F is a 6a44 client in another site of the same ISP
A-G: G is IPv6 of the same ISP, other than 6a44
Figure 2: IPv6 Paths between 6a44 Hosts and Remote Hosts
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. 6a44 Addresses</span>
The 6a44 IPv6 address an ISP assigns to a host must contain all
pieces of information needed to reach it from other IPv6 addresses.
These pieces are described below and illustrated in Figure 3:
o the 6a44-network IPv6 prefix C (a /48 the ISP has assigned to its
6a44 relays);
o the customer-site IPv4 address N (either global IPv4 or, if the
ISP uses a [<a href="#ref-NAT444" title=""NAT444 addressing models"">NAT444</a>] model, private IPv4);
<span class="grey">Despres, et al. Experimental [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
o the mapped port Z of the 6a44 tunnel (i.e., the external port
assigned by the NAT44 to the tunnel that the client maintains
between its UDP/IPv4 local address A:W and the 6a44-relay UDP/IPv4
address B:W);
o the client local IPv4 address A (i.e., the private IPv4 address
assigned to the client in its customer site; it is needed for
intra-site IPv6 connectivity).
Customer network ISP network
+--------------+ +------------------+
Client |IPv4 CPE |IPv4 |
+----+ | +-----+ | +----------+
| ^ |-----| |NAT44|----+ |6a44 relay|---- IPv6
+-|-^+ | +-----+ | +----------+^
| | | ^ | ^ | ^ | |
| | +----------|---+ | +---------|--------+ |
| | | ^ | | |
| | >0/0| | |N/32< | |
| | | | |
| | Mapping | |
| | <a:w>-<N:Z> (*) | |
| | | |
| |A:W< >B:W| |
| |
IPv6 |C.N.Z.A/128< |C/48<
(*) With NAT44(s) between client and CPE, a:w may differ from A:W
|0 47|48 79|80 95|96 127|
+-------+-------+-------+-------+-------+-------+-------+-------+
| 6a44-network | Customer-site |Tunnel | 6a44-client |
| IPv6 prefix | IPv4 address |mapped | local IPv4 |
| (C) | (N) |port(Z)| address (A) |
+-------+-------+-------+-------+-------+-------+-------+-------+
6a44-client
<-- UDP/IPv4 address -->
<------------ 6a44-client IPv6 prefix --------->
<---------------- 6a44-client IPv6 address --------------------->
Figure 3: Host-Address Construction
NOTE: 6a44 addresses are not guaranteed to comply with the rule
listed in [<a href="./rfc4291" title=""IP Version 6 Addressing Architecture"">RFC4291</a>], according to which bits 64-127 of aggregatable
unicast addresses have to be in Modified-EUI-64 Interface Identifier
(IID) format. However, these bits within the 6a44 addresses are
interpreted only where 6a44 addresses are processed, i.e., in 6a44
<span class="grey">Despres, et al. Experimental [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
relays and clients. No operational problem is therefore foreseen.
Besides, because it is a purely transitional tool, it shouldn't
prevent any "development of future technology that can take advantage
of interface identifiers with universal scope" (the purpose of this
format, as expressed in [<a href="./rfc4291" title=""IP Version 6 Addressing Architecture"">RFC4291</a>].
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Specification of Clients and Relays</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Packet Formats</span>
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. IPv6 Packet Encapsulations</span>
For NAT44 traversal, an IPv6 packet transmitted from a 6a44 client to
a 6a44 relay, or vice versa, is encapsulated in a UDP/IP packet whose
source and destination addresses are those of the two endpoints (A:W
and B:W in the notations of Figure 3). The IPv4 packet is that of a
complete datagram (its more-fragment bit is set to 0, its offset is
set to 0, and its datagram identification may be set to 0). The UDP
checksum is set to 0 (there is no need for an additional layer of
checksum protection). The length of the IPv6 packet SHOULD NOT
exceed 1280 octets (see <a href="#section-6.4">Section 6.4</a>).
Octets: |0 |20 |28 |68 |
+----------+---+-------------------+-------//-----+
| IPv4 |UDP| IPv6 header | IPv6 payload |
+----------+---+-------------------+-------//-----+
An IPv6 packet transmitted from a 6a44 client to another 6a44 client
of the same site is encapsulated in an IPv4 packet whose source and
destination addresses are the private IPv4 addresses of the two
hosts. The IPv4 packet is that of a complete datagram (its
more-fragment bit is set to 0, its offset is set to 0, and its
datagram identification may be set to 0). The size of the IPv6
packet SHOULD NOT exceed 1280 octets (see <a href="#section-6.4">Section 6.4</a>).
Octets: |0 |20 |60 |
+----------+-------------------+-------//-----+
| IPv4 | IPv6 header | IPv6 payload |
+----------+-------------------+-------//-----+
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. 6a44 Bubbles</span>
A "bubble" is a UDP/IPv4 packet whose UDP payload is comprised of a
"6a44-client IPv6 prefix" field and a "Bubble ID" field and whose UDP
checksum is set to 0. Having no UDP checksum protection in bubbles
is a simplification that is acceptable because bubble contents are
<span class="grey">Despres, et al. Experimental [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
regularly updated and non-critical (a client accepting a corrupted
IPv6 prefix never leads to any IPv6 packet being accepted by any
wrong destination).
"6a44-client IPv6 prefix" field
. from a 6a44 client = 0 (also denoted by ::/96)
. from a 6a44 relay = 6a44-client IPv6 prefix
|
Octets: |0 |20 |28| |40 |48
+----------+---+--|-+---+
| IPv4 |UDP| . | . |
+----------+---+----+-|-+
|
"Bubble ID" field
. from a 6a44 client: a client-selected value
. from a 6a44 relay:
- in a response bubble, copy of the received Bubble ID
- in an error-signaling bubble, 0
Figure 4: 6a44 Bubble Format
In a bubble from a 6a44 client to a 6a44 relay, the "6a44-client
IPv6 prefix" field is only reserved space for the response and is set
to 0. In a bubble from a 6a44 relay to a 6a44 client, this field
contains the IPv6 prefix of the client, left-justified.
In a bubble from a 6a44 client to a 6a44 relay, the "Bubble ID" field
contains a randomly chosen value, renewed under the circumstances
defined in <a href="#section-6.5.1">Section 6.5.1</a>. In a bubble from a 6a44 relay to a 6a44
client, if the bubble is a response to a bubble received from the
client, the field contains the value found in the received bubble; if
the bubble is a reaction to a received IPv6/UDP/IPv4 packet whose
IPv6 and UDP/IPv4 sources are inconsistent (i.e., not conforming to
R44-2 condition (3) in <a href="#section-6.6.2">Section 6.6.2</a>), the field is set to 0. The
purpose of this field is to protect against 6a44-relay spoofing
attacks (see <a href="#section-7">Section 7</a>).
In order to preserve forward compatibility with any extension of
bubble formats -- should one prove useful in the future -- 6a44
clients and 6a44 relays MUST be configured to receive bubbles whose
UDP payload lengths are longer than 20 octets (up to that of an IPv6-
packet header since, as detailed in Sections <a href="#section-6.5.3">6.5.3</a> and <a href="#section-6.6.2">6.6.2</a>, bubbles
are recognized by the fact that their lengths are shorter than that
of tunneled IPv6 packets).
<span class="grey">Despres, et al. Experimental [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h3"><a class="selflink" id="section-6.4" href="#section-6.4">6.4</a>. MTU Considerations</span>
Reassembly of a fragmented IPv4 datagram necessitates that its
identifier be remembered from reception of the first fragment to
reception of the last one, and necessitates a timeout protection
against packet losses. If such stateful IP-layer processing would be
necessary for 6a44, it would make it more complex than needed, would
introduce a vulnerability to denial-of-service attacks, and would
impose the restriction that all fragments of a fragmented IPv4
datagram go to the same relay. This last point would be a constraint
on how load balancing may be performed between multiple 6a44 relays,
and would therefore be detrimental to scalability.
For 6a44 processing to remain completely stateless, IPv4 packets
containing encapsulated IPv6 packets must never be fragmented (DF
always set to 1). For this requirement to be met, the following
apply:
o In customer sites, 6a44 clients MUST have IPv4 link MTUs that
support encapsulated IPv6 packets of lengths up to 1280 octets,
i.e., for IPv6/UDP/IPv4 packets that traverse the CPE, link MTUs
of at least 1280+20+8=1308 octets. (This condition is in general
satisfied.)
o For the same reason, 6a44 ISP networks must have IPv4 path MTUs of
at least 1308 octets. (This condition is in general satisfied.)
o 6a44 clients SHOULD limit the size of IPv6 packets they transmit
to 1280 octets.
o 6a44 relays SHOULD set their IPv6 MTU to 1280. (If a relay
receives an IPv6 packet longer than this MTU via its IPv6 upstream
interface, it MUST return an ICMPv6 Packet Too Big error message.)
Typical ISP networks have path MTUs that would permit IPv6 MTUs of
6a44 devices to be longer than 1280 octets, but accepting 1280
octets is a precaution that guarantees against problems with
customer sites that may have internal path MTUs smaller than those
supported by their ISP networks.
<span class="h3"><a class="selflink" id="section-6.5" href="#section-6.5">6.5</a>. 6a44 Client Specification</span>
<span class="h4"><a class="selflink" id="section-6.5.1" href="#section-6.5.1">6.5.1</a>. Tunnel Maintenance</span>
For a 6a44-client IPv6 address to remain valid, the port mapping of
the 6a44 tunnel MUST be maintained in the CPE NAT44.
For this, the 6a44 client SHOULD apply the equivalent of the
following TM-x rules, as illustrated in Figure 5.
<span class="grey">Despres, et al. Experimental [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
TM-1 At initialization, a timer value T1 is randomly chosen in the
recommended range of 1 to 1.5 seconds, and the "6a44 disabled"
state is entered. (Randomness of this value is a precaution to
avoid the following scenario: if many hosts happened to be
re-initialized at the same time, the bubble traffic resulting
from the following rules would be synchronized.)
TM-2 In the "6a44-disabled" state, if it appears that the interface
has no IPv6 native address BUT has a private IPv4 address, then
(1) the Attempt count (a local variable) is set to 1; (2) a new
Bubble ID (another local variable) is randomly chosen (it is
not critical how random this new value is, as explained in
<a href="#section-7">Section 7</a>); (3) a bubble is sent with this Bubble ID; (4) the
"Bubble sent" state is entered with the timer set to T1.
TM-3 In the "Bubble sent" state, if the timer expires AND the
Attempt count is less than 4, then (1) the Attempt count is
increased by 1; (2) a new bubble is sent with the current
Bubble ID; (3) the "Bubble sent" state is re-entered with the
timer reset to T1.
TM-4 In the "Bubble sent" state, if a bubble is received, then
(1) the 6a44-client IPv6 address is set to the received
6a44-client IPv6 prefix followed by the host local IPv4
address; (2) the "Bubble received" state is entered with the
timer set to T2, whose recommended value is 30 seconds minus 4
times T1.
TM-5 In the "Bubble sent" state, if timer T1 expires AND the Attempt
count is equal to 4, then the "No 6a44 relay" state is entered
with the timer set to T3, whose recommended value is 30
minutes.
TM-6 In the "Bubble sent" state, OR the "Bubble received" state, OR
the "No 6a44 relay" state, if an IPv6 native address is
obtained by some other means, OR if the private IPv4 address of
the host is no longer valid, then (1) the timer is disarmed;
(2) the "6a44 disabled" state is entered.
TM-7 In the "Bubble received" state, if timer T2 expires, then
(1) the Attempt count is reset to 1; (2) a new Bubble ID is
randomly chosen; (3) a bubble is sent with this Bubble ID;
(4) the "Bubble sent" state is entered with the timer set
to T1.
TM-8 In the "Bubble received" state, if a bubble is received, then
the timer is reset to T2. (NOTE: Since a bubble is received by
a 6a44 client either in response to a bubble it has sent or in
<span class="grey">Despres, et al. Experimental [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
reaction to a packet it has sent with inconsistent IPv6 and
UDP/IPv4 source addresses, receiving a bubble is a sign that
the tunnel mapping reported in the received bubble prefix has
recently been used in BOTH directions, a condition required by
some NAT44s to maintain their mappings.)
TM-9 In the "No 6a44 relay" state, if the timer expires, then
(1) the Attempt count is reset to 1; (2) a new Bubble ID is
randomly chosen; (3) a bubble is sent with this Bubble ID;
(4) the "Bubble sent" state is entered with the timer set
to T1.
Initialization
________v________
/ \
| "6a44 disabled" |------------<-----------------+
\_________________/ ^
v no v6-add AND v4-add ^
+--------->--------------v ^
^ +--------------v--------------+ ^
^ | Reset the Attempt count | ^
^ | Renew the Bubble ID | ^
^ +--------------+--------------+ ^
^ +----->-------------v ^
^ ^ +--------------v--------------+ ^
^ ^ | Send a bubble | ^
^ ^ +--------------v--------------+ ^
^ ^ ________v________ ^
^ ^ Timer T1 / \ 4 attempts without answer ^
^ +----<-----| "Bubble sent" |-------->----------------+ ^
^ (1 to 1.5 s)\_________________/ v ^
^ v \ v6-add OR no v4-add v ^
^ Bubble received v +-----------------------------+
^ v-----------------<-----------+ v ^
^ _________v_________ ^ v ^
^ Timer T2 / \Bubble received ^ v ^
+----------<---| "Bubble received" |-------->----------+ v ^
^ (30 s - 4*T1)\___________________/ v ^
^ \ v6-add OR no v4-add v ^
^ +------->--------------------+
^ v ^
^ +----------------------------------+ ^
^ _______v________ ^
^ Timer T3 / \ v6-add OR no v4-add ^
+-----------<----| "No 6a44 relay" |----->-----------------------+
(30 min) \_________________/
Figure 5: Tunnel Maintenance Algorithm
<span class="grey">Despres, et al. Experimental [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h4"><a class="selflink" id="section-6.5.2" href="#section-6.5.2">6.5.2</a>. Client Transmission</span>
A 6a44 client transmits packets according to the following CT-x
rules. In figures that illustrate these rules, symbols used in
<a href="#section-5">Section 5</a> are reused; packets are represented as a succession of
significant fields separated by commas, with sources preceding
destinations as usual; != means "different from".
CT-1 BUBBLE SENT BY A 6a44 CLIENT
(IPv4, A, B, UDP[W, W, ::/96, <current Bubble ID>])
|
+-------+--------+ |
| | 6a44 | |
| | client +------>---------- >B:W
| |function|A:W< UDP/IPv4
+-------+--------+
Host
Bubbles are transmitted from time to time. Conditions of their
transmission are specified in <a href="#section-6.5.1">Section 6.5.1</a>, and their format is
specified in <a href="#section-6.3">Section 6.3</a>.
CT-2 IPv6/IPv4 PACKET SENT TO A HOST OF THE SAME SITE
[IPv6, <C.N.Z.A>, <C.N..E>,...]
|
| (IPv4, A, A2, IP-in-IP[encapsulated packet])
| |
+----|--+--------+ |
| | | 6a44 | |
| -->--+ client +------>------ >A2
| IPv6 |function|<A IPv4
+-------+--------+
Host
If an IPv6 packet is submitted for transmission with ALL the
following conditions satisfied, the 6a44 client MUST encapsulate the
IPv6 packet in an IPv4 packet whose protocol is set to IP in IP
(protocol = 41) and whose IPv4 destination is copied from the last 32
bits of the IPv6 destination: (1) the IPv6 source address is the
6a44-client IPv6 address; (2) the IPv6 destination is a 6a44 address
of the same site (it has the same 80 bits as the 6a44-client IPv6
address); (3) either the IPv6 packet does not exceed 1280 octets, or
it is longer but it does not exceed the IPv4 link MTU minus 20 octets
and the IPv4 destination address starts with the IPv4 link prefix.
<span class="grey">Despres, et al. Experimental [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
CT-3 IPv6/UDP/IPv4 PACKET TO A HOST OF ANOTHER SITE
[IPv6, <C.N.Z.A>, X != <C.N...>, ...]
|
| (IPv4, B, A, UDP(W, W, [encapsulated packet])
| |
+----|--+--------+ |
| | | 6a44 | |
| -->--+ client +------>---------- >B:W
| IPv6 |function|A:W< UDP/IPv4
+-------+--------+
Host
If an IPv6 packet is submitted for transmission and ALL the following
conditions are satisfied, the IPv6 packet MUST be encapsulated in a
UDP/IPv4 packet whose destination is the 6a44-relay anycast address
and whose source and destination ports are both the 6a44 port:
(1) the source address is the local 6a44-client IPv6 address; (2) the
destination is not a 6a44 address of the same site (its first 80 bits
differ from those of the 6a44-client IPv6 address); (3) the IPv6
packet does not exceed 1280 octets.
CT-4 IPv6 PACKET THAT DOESN'T CONCERN 6a44
If an IPv6 packet is submitted to the 6a44 client function for
transmission with an IPv6 source address that is not the
6a44-client IPv6 address, the packet does not concern 6a44. It
MUST be left for any other IPv6 transmission function that may
apply (the source address can be a link-local address or a
Unique Local Address (ULA) [<a href="./rfc4193" title=""Unique Local IPv6 Unicast Addresses"">RFC4193</a>]).
<span class="h4"><a class="selflink" id="section-6.5.3" href="#section-6.5.3">6.5.3</a>. Client Reception</span>
Upon reception of an IPv4 packet, a 6a44 client applies the following
CR-x rules:
CR-1 BUBBLE RECEIVED FROM A 6a44 RELAY
(IPv4, B, A, UDP(W, W, [<C.N.Z>, <current Bubble ID>])
|
+-------+--------+ |
| | 6a44 | |
| | client +------<---------- <B:W
| | |A:W< UDP/IPv4
+-------+--------+
Host
(updates C.N.Z)
<span class="grey">Despres, et al. Experimental [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
If ALL the following conditions are satisfied (i.e., the packet is a
6a44 bubble from a 6a44 relay), the 6a44-client IPv6 address MUST be
updated using the received IPv6 prefix C.N.Z: (1) the IPv4 packet
contains a complete UDP datagram (protocol = 17, offset = 0,
more-fragment bit = 0); (2) both ports of the UDP datagram are the
6a44 port, and the payload length is enough to contain a 6a44-client
IPv6 prefix and a Bubble ID but shorter than an IPv6-packet header
(protocol = 17, UDP payload length = at least 20 octets and less than
40 octets); (3) the received Bubble ID matches the current value of
the Bubble-ID local variable.
CR-2 IPv6/IPv4 PACKET FROM A HOST OF THE SAME SITE
(IPv4, E, A, IP-in-IP, [IPv6, <C.N..A2>, <C.N.Z.A>, ...])
|
[decapsulated packet] |
| |
+----|--+--------+ |
| | | 6a44 | |
| --<--+ client +------<------ <A2
| IPv6 | |A< IPv4
+-------+--------+
Host
If ALL the following conditions are satisfied (i.e., the packet comes
from a 6a44 client of the same site), the 6a44 client MUST
decapsulate the inner packet and treat it as a received IPv6 packet:
(1) the IPv4 packet contains a complete UDP datagram (protocol = 17,
offset = 0, more-fragment bit = 0); (2) both ports of the UDP
datagram are the 6a44 port, and the UDP payload is an IPv6 packet
(UDP length of at least 40 octets, version = 6); (3) the IPv6 source
address is one of the same site (the first 80 bits match those of the
6a44-client IPv6 address; (4) its last 32 bits are equal to the IPv4
source address; (5) the IPv6 destination address is the 6a44-client
IPv6 address.
CR-3 IPv6/UDP/IPv4 PACKET FROM A HOST OF ANOTHER SITE
(IPv4, B, A, UDP(W, W, [IPv6, X, <C.N.Z.A>,...])
|
[decapsulated packet] |
| |
+----|--+--------+ |
| | | 6a44 | |
| --<--+ client +------<---------- <B:W
| IPv6 | |A:W< UDP/IPv4
+-------+--------+
Host
<span class="grey">Despres, et al. Experimental [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
If ALL the following conditions are satisfied (i.e., the packet has
been relayed by a 6a44 relay), the 6a44 client MUST decapsulate the
inner packet and treat it as a received IPv6 packet: (1) the IPv4
packet contains a complete UDP datagram (protocol = 17, offset = 0,
more-fragment bit = 0); (2) the UDP payload is an IPv6 packet (length
of at least 40 octets, version = 6); (3) the UDP/IPv4 source address
is the 6a44-relay UDP/IPv4 address; (4) the IPv6 destination address
is the 6a44-client IPv6 address.
CR-4 RECEIVED ICMPv4 ERROR MESSAGE CONCERNING A 6a44 PACKET
If the 6a44 client receives an IPv4 error message [<a href="./rfc0792" title=""Internet Control Message Protocol"">RFC0792</a>]
that concerns a discarded 6a44 packet (i.e., if the copied
header of the discarded packet is that of a transmitted packet
according to CT-2 or CT-3), it SHOULD translate it into an
ICMPv6 error message [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>] and then treat it as a received
IPv6 packet. Translation of Type and Code conversions between
IPv4 and IPv6 is described in <a href="./rfc6145#section-4.2">Section 4.2 of [RFC6145]</a>, under
"ICMPv4 error messages".
CR-5 RECEIVED IPv4 PACKET OTHER THAN 6a44
If ANY one or more of the following conditions are verified,
the received IPv4 packet does not concern 6a44 and MUST
therefore be left for any other IPv4 reception function that
may apply: (1) the IPv4 payload is neither UDP nor IPv6
(protocol = neither 17 nor 41, or protocol = 41 and IP version
in the payload is not = 6); (2) the IPv4 packet is an
IP-datagram fragment other than the first one (offset > 0);
(3) the IPv4 packet contains the first or unique fragment of a
UDP datagram (protocol = 17, offset = 0), with neither port
equal to the 6a44 port.
<span class="grey">Despres, et al. Experimental [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h3"><a class="selflink" id="section-6.6" href="#section-6.6">6.6</a>. 6a44 Relay Specification</span>
<span class="h4"><a class="selflink" id="section-6.6.1" href="#section-6.6.1">6.6.1</a>. Relay Reception in IPv6</span>
Upon reception of a packet via its IPv6 interface with a destination
address starting with the 6a44-network IPv6 prefix, a 6a44 relay MUST
apply the following RR6-x rules:
RR6-1 VALID IPv6 PACKET FROM OUTSIDE THE 6a44 ISP NETWORK
[IPv6, (X != <C...> AND != <Teredo(IPv4=B)>), <C.<N != B>.Z...>,...]
|
(IPv4, B, N, UDP(W, Z, |
[encapsulated packet])) |
| |
| +--------+ |
| >B:W | 6a44 |C/48< |
N:Z< ---<--------| relay |-------<---- C.N.Z...<
IPv4 | | IPv6
+--------+
If ALL the following conditions are satisfied, the IPv6 packet MUST
be encapsulated in a UDP/IPv4 packet whose UDP/IPv4 destination is
copied from bits 48 to 95 of the IPv6 destination address: (1) the
IPv6 source address is not that of a 6a44 client of the ISP (it does
not start with the 6a44-network IPv6 prefix); (2) the IPv6 source
address is not a Teredo address whose embedded UDP/IPv4 address is
the 6a44-relay anycast address; (3) the customer-site IPv4 address
embedded in the 6a44 destination address is not the 6a44-relay
anycast address; (4) the packet has at most 1280 octets.
RR6-2 INVALID IPv6 PACKET FROM OUTSIDE THE 6a44 ISP NETWORK
If ANY one or more of the following conditions are satisfied,
the IPv6 packet MUST be discarded: (1) the packet has more
than 1280 octets (in this case, an ICMPv6 Packet Too Big error
message MUST be returned to the source); (2) the customer-site
IPv4 address embedded in the IPv6 destination address is the
6a44-relay anycast address; (3) the IPv6 source address is a
Teredo address whose embedded IPv4 address is the 6a44-relay
anycast address.
<span class="grey">Despres, et al. Experimental [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h4"><a class="selflink" id="section-6.6.2" href="#section-6.6.2">6.6.2</a>. Relay Reception in IPv4</span>
Upon reception via its IPv4 downstream interface of an IPv4 packet
that contains a complete IP datagram (fragment offset = 0 and
more-fragment bit = 0) and that contains a UDP datagram whose UDP/
IPv4 destination is the 6a44-relay UDP/IPv4 address, a 6a44 relay
MUST apply the following rules:
RR4-1 BUBBLE FROM 6a44 CLIENT
(IPv4, N, B, UDP(Z, W, [::/96, Bubble ID]))
|
IPv4 | +--------+
------->----| |
>B:W| 6a44 |
| relay |
N:Z< -------<----| |
IPv4 | +--------+
|
|
(IPv4, B, N, UDP(W, Z, [<C.N.Z>, Bubble ID]))
If the following condition is satisfied, the 6a44 relay MUST return
to the source a bubble derived from the bubble it just received by
permuting its UDP/IPv4 source and destination, and by putting in its
6a44-client-IPv6-prefix field the received UDP/IPv4 source address:
the UDP payload is a bubble, i.e., has at least 20 octets and less
than 40 octets.
RR4-2 IPv6 PACKET FROM A 6a44 CLIENT TO ANOTHER 6a44 CLIENT
(IPv4, N1, B, UDP(Z1, W, [IPv6, <C.N1.Z1...>, <C.N2.Z2...>, ...]))
|
IPv4 | +--------+
------->----| |
>B:W| 6a44 |
| relay |
| |
N2.Z2< -------<----| |
IPv4 | +--------+
| 6a44 relay
|
(IPv4, B, N2, UDP(W, Z2, [encapsulated packet]))
If ALL the following conditions are satisfied, the 6a44 relay MUST
return back via its downstream IPv4 interface an IPv6/ UDP/IPv4
packet containing the same encapsulated packet, having its UDP/IPv4
destination set to the UDP/IPv4 address found in the 6a44 destination
<span class="grey">Despres, et al. Experimental [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
address, and having its UDP/IPv4 source set to the 6a44-relay
UDP/IPv4 address: (1) the IPv4 packet contains a complete UDP
datagram (protocol = 17, offset = 0, more-fragment bit = 0); (2) the
UDP payload is an IPv6 packet (length of at least 40 octets, version
= 6); (3) the IPv6 source address starts with the 6a44-network IPv6
prefix followed by the UDP/IPv4 source address of the received
packet; (4) the IPv6 destination address starts with the 6a44-network
IPv6 prefix.
RR4-3 IPv6 PACKET FROM A 6a44 CLIENT TO A NON-6a44 CLIENT
(IPv4, N, B, UDP(Z, W, [IPv6, <C.N.Z...>,
| (X != <C...> AND != <Teredo(IPv4=B)), ...]))
|
| [decapsulated packet]
| |
| +--------+ |
| B:W>| 6a44 | |
>B:W --->----------| relay |------->---- >
IPv4 | | IPv6
+--------+
If ALL the following conditions are satisfied, the 6a44 relay MUST
decapsulate the IPv6 packet and forward it via the IPv6 interface:
(1) the IPv4 packet contains a complete UDP datagram (protocol = 17,
offset = 0, more-fragment bit = 0); (2) the UDP payload is an IPv6
packet (length of at least 40 octets, version = 6); (3) the IPv6
source address starts with the 6a44-network IPv6 prefix followed by
the UDP/IPv4 source address of the received packet; (4) the IPv6
destination address does not start with the 6a44-network IPv6 prefix
and is not a Teredo address whose embedded IPv4 address is the
6a44-relay anycast address.
RR4-4 RECEIVED ICMPv4 ERROR MESSAGE CONCERNING A 6a44 PACKET
If the 6a44 relay receives an IPv4 error message [<a href="./rfc0792" title=""Internet Control Message Protocol"">RFC0792</a>]
that concerns a discarded 6a44 packet (i.e., if the copied
header of the discarded packet is that of a transmitted packet
according to RR6-1 or RR4-2), it SHOULD translate it into an
ICMPv6 error message [<a href="./rfc4443" title=""Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification"">RFC4443</a>] and then treat it as a received
IPv6 packet. Translation of Type and Code conversions between
IPv4 and IPv6 is described in <a href="./rfc6145#section-4.2">Section 4.2 of [RFC6145]</a>, under
"ICMPv4 error messages".
RR4-5 INVALID IPv6/UDP/IPv4 PACKET
For ANY other case, the 6a44 relay MUST discard the packet.
<span class="grey">Despres, et al. Experimental [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h3"><a class="selflink" id="section-6.7" href="#section-6.7">6.7</a>. Implementation of Automatic Sunset</span>
6a44 is designed as an interim transition mechanism, not to be used
any longer than strictly necessary. Its sole purpose is to
accelerate availability of IPv6 native addresses where, for any
reason, CPEs cannot quickly be replaced, or where, for any reason,
ISP networks cannot quickly support dual-stack routing or 6rd.
A 6a44-capable ISP can first have an increase in its 6a44 traffic as
more and more hosts behind IPv4-only CPEs support the 6a44 client
function, but it should later have a decrease in this traffic as more
and more CPEs operate in dual stack.
When this traffic becomes sufficiently negligible, the ISP may, after
due prior notice, discontinue 6a44-relay operation. This terminates
its sunset procedure.
In a host that obtains an IPv6 native address by some means other
than 6a44, the effect of having the 6a44 function in its protocol
stack is inexistent. OS providers may therefore keep this function
in their code for many years. When it becomes clear that the number
of users of this function has become negligible, they can delete it
from later releases. This terminates their sunset procedure.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Security Considerations</span>
Incoming reachability:
Hosts that acquire 6a44 addresses become reachable from the
Internet in IPv6 while they remain unreachable in IPv4 at their
private IPv4 addresses.
For ordinary use, this should not introduce a perceptible new
security risk for two reasons: (1) hosts can, without IPv6, use
NAT44 hole-punching techniques such as Interactive Connectivity
Establishment (ICE) [<a href="./rfc5245" title=""Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols"">RFC5245</a>] to receive incoming connections;
(2) by default, modern operating systems that support IPv6 have
their own protections against incoming connections.
If 6a44 reachability across an ordinary NAT44 nevertheless has to
be barred, this can be done by configuring its port-forwarding
function with the 6a44 port bound to any internal address that is
not assigned to any host. Thus, no bubble from a 6a44 relay can
reach any 6a44-capable host, and this is sufficient to prevent
hosts from using 6a44.
<span class="grey">Despres, et al. Experimental [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
For more sophisticated uses with managed firewalls, default
configurations generally specify that packets that are not
explicitly authorized are discarded. Thus, 6a44 can be used only
if the 6a44 port is deliberately opened to incoming traffic.
Subscriber authentication:
Any authentication that applies to an IPv4 address extends its
effect to 6a44 addresses that are derived from it.
Host-address spoofing:
With ingress filtering required in 6a44 ISP networks, and with the
address checks specified in <a href="#section-6">Section 6</a>, no new IPv6 address-
spoofing vulnerability is introduced by 6a44.
Address-and-port scanning:
To mitigate the (limited) risk of a malicious user trying to scan
IPv4 address/port pairs to reach a host, Teredo addresses contain
12 random bits [<a href="./rfc5991" title=""Teredo Security Updates"">RFC5991</a>]. 6a44 addresses have no random bits but
contain local IPv4 addresses of clients. Since possible values of
these addresses are not deterministically known from outside
customer sites and are in ranges that can be configured in typical
NAT44s, some protection against address and port scanning is thus
achieved. This protection may be less effective than that
achieved with random bits but is in any case better for 6a44 IPv6
addresses than for IPv4 addresses alone.
Denial of service:
Provided 6a44 relays are provisioned with enough processing power,
which is facilitated by their being completely stateless, 6a44
introduces no denial-of-service vulnerabilities of its own.
<span class="grey">Despres, et al. Experimental [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
Routing loops:
A risk of routing-loop attacks has been identified in [<a href="./rfc6324" title=""Routing Loop Attack Using IPv6 Automatic Tunnels: Problem Statement and Proposed Mitigations"">RFC6324</a>].
Without taking precautions, it applies to some combinations of
automatic-tunnel mechanisms such as 6to4, the Intra-Site Automatic
Tunnel Addressing Protocol (ISATAP), 6rd, and Teredo. This risk
does not exist with 6a44 for the following reasons:
1. When a packet enters a 6a44 relay via its IPv6 interface, the
following apply:
+ An IPv6/UDP/IPv4 packet cannot be sent to another 6a44
relay because its IPv4 destination would have to be a
6a44-relay IPv4 address. This is prevented by rule RR6-1
of <a href="#section-6.6.1">Section 6.6.1</a>.
+ If an IPv6/UDP/IPv4 packet is sent to the address of a 6to4
relay, 6rd relay, or ISATAP relay, it will be discarded
there because these relays don't accept UDP/IPv4 packets.
+ If an IPv6/UDP/IPv4 packet is sent to a Teredo relay, it
will be discarded there because (1) Teredo relays check
that the IPv4 address that is embedded in the IPv6 source
address of a received IPv6/IPv4 packet matches the IPv4
source address of the encapsulating packet (<a href="./rfc4380#section-5.4.2">Section 5.4.2
of [RFC4380]</a>); (2) encapsulating packets sent by 6a44
relays have the 6a44-relay anycast address as the IPv4
source address; (3) a 6a44 relay forwards a received IPv6
packet as an IPv6/UDP/IPv4 packet only if its IPv6 source
address is not a Teredo address whose embedded IPv4 address
is the 6a44-relay IPv4 address.
2. When a packet enters a 6a44 relay via its IPv4 interface, the
following apply:
+ The received packet cannot come from another 6a44 relay (as
just explained, 6rd relays do not send IPv6/UDP/IPv4
packets to other 6a44 relays).
+ If the IPv4 packet comes from a 6to4 relay, a 6rd relay, or
an ISATAP relay, its IPv6 encapsulated packet cannot be
forwarded (the received packet is IPv6/IPv4 instead of
being IPv6/UDP/IPv4, as required by rules RR4-2 and RR4-3
of <a href="#section-6.6.2">Section 6.6.2</a>).
+ If the received packet is an IPv6/UDP/IPv4 packet coming
from a Teredo relay, this packet cannot have been sent to
the Teredo relay by a 6a44 relay: (1) in order to reach the
<span class="grey">Despres, et al. Experimental [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
6a44 relay, the IPv6 destination of the IPv6 encapsulated
packet must be a Teredo address whose embedded IPv4 address
is the 6a44-relay anycast address (<a href="./rfc4380#section-5.4.1">Section 5.4.1 of
[RFC4380]</a>); (2) a 6a44 relay does not forward via its IPv6
interface an IPv6 packet whose destination is a Teredo
address whose embedded IPv4 address is the 6a44-relay
anycast address (rule RR4-3 of <a href="#section-6.6.2">Section 6.6.2</a>).
6a44-relay spoofing:
In a 6a44 network, no node can spoof a 6a44 relay because ingress
filtering prevents any 6a44-relay anycast address from being
spoofed.
In a network that does not support ingress filtering (and
therefore is not a 6a44 network), the following apply:
* 6a44 packets sent by 6a44-capable hosts are discarded in the
IPv4 backbone because their IPv4 destination, the 6a44-relay
anycast address, does not start with any ISP-assigned prefix.
* If an attacker tries to send to a 6a44-capable host a fake
relay-to-client bubble, the probability that it would be
accepted by its destination is negligible. It would require
that all the following conditions be simultaneously satisfied:
+ The UDP/IPv4 destination set by the attacker must reach a
NAT44 node in which it is the external mapping of a 6a44
tunnel established by a 6a44-capable host.
+ This host must be in the "Bubble sent" state -- the only one
in which it listens to bubbles when its ISP is not 6a44
capable. This state is taken only for a few seconds every
30 minutes (rule TM-5 of <a href="#section-6.5.1">Section 6.5.1</a>).
+ This host accepts the bubble only if its Bubble ID has the
right value -- an extremely unlikely possibility with a
64-bit randomly chosen Bubble ID (see <a href="#section-6.5.1">Section 6.5.1</a>).
* If a 6a44-capable host -- despite this scenario being very
unlikely -- accepts a fake bubble, the effect is that it
wrongly believes, for about 30 seconds, that it has an assigned
public IPv6 address. All IPv6 packets it then sends with this
address as the source cannot be accepted by any destination (no
relay will forward them, and no host of the same site will
accept them). The consequences of this scenario would
therefore not impair security.
<span class="grey">Despres, et al. Experimental [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. IANA Considerations</span>
IANA has assigned the following:
1. IPv4 address 192.88.99.2 as the 6a44-relay anycast address (B in
this document).
2. UDP port 1027 as the 6a44 port (W in this document).
The choice of 192.88.99.2 as the 6a44 IPv4 anycast address doesn't
conflict with any existing IETF specification because
o it starts with the 6to4 prefix 192.88.99.0/24 [<a href="./rfc3068" title=""An Anycast Prefix for 6to4 Relay Routers"">RFC3068</a>].
o it differs from the only currently assigned address that starts
with this prefix (the anycast address of 6to4 relays --
192.88.99.1 [<a href="./rfc3068" title=""An Anycast Prefix for 6to4 Relay Routers"">RFC3068</a>].
This choice is made to permit implementations of 6a44 relays in
physical nodes that are independent from any 6to4 relay or, if found
to be more optimum, in nodes in which 6to4 relays and 6a44 relays are
collocated.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Acknowledgments</span>
This specification, whose origin is a convergence effort based on two
independent proposals -- [6rd+] and [<a href="#ref-SAMPLE" title=""Legacy NAT Traversal for IPv6: Simple Address Mapping for Premises Legacy Equipment (SAMPLE)"">SAMPLE</a>] -- has benefited from
various suggestions. Comments have been received during this
process, in particular from Dave Thaler, Fred Templin, Ole Troan,
Olivier Vautrin, Pascal Thubert, Washam Fan, and Yu Lee. The authors
wish to thank them, and all others, for their useful contributions.
Special recognition is due to Dave Thaler and John Mann. Their
detailed reviews led to a few useful modifications and editorial
improvements.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. References</span>
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Normative References</span>
[<a id="ref-RFC0792">RFC0792</a>] Postel, J., "Internet Control Message Protocol", STD 5,
<a href="./rfc792">RFC 792</a>, September 1981.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
<span class="grey">Despres, et al. Experimental [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
[<a id="ref-RFC2460">RFC2460</a>] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", <a href="./rfc2460">RFC 2460</a>, December 1998.
[<a id="ref-RFC4291">RFC4291</a>] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", <a href="./rfc4291">RFC 4291</a>, February 2006.
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. Informative References</span>
[6rd+] Despres, R., "Rapid Deployment of Native IPv6 Behind IPv4
NATs (6rd+)", Work in Progress, July 2010.
[<a id="ref-NAT444">NAT444</a>] Yamaguchi, J., Shirasaki, Y., Miyakawa, S., Nakagawa, A.,
and H. Ashida, "NAT444 addressing models", Work
in Progress, July 2012.
[<a id="ref-RFC1918">RFC1918</a>] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets",
<a href="https://www.rfc-editor.org/bcp/bcp5">BCP 5</a>, <a href="./rfc1918">RFC 1918</a>, February 1996.
[<a id="ref-RFC2827">RFC2827</a>] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", <a href="https://www.rfc-editor.org/bcp/bcp38">BCP 38</a>, <a href="./rfc2827">RFC 2827</a>, May 2000.
[<a id="ref-RFC3053">RFC3053</a>] Durand, A., Fasano, P., Guardini, I., and D. Lento, "IPv6
Tunnel Broker", <a href="./rfc3053">RFC 3053</a>, January 2001.
[<a id="ref-RFC3056">RFC3056</a>] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
via IPv4 Clouds", <a href="./rfc3056">RFC 3056</a>, February 2001.
[<a id="ref-RFC3068">RFC3068</a>] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers",
<a href="./rfc3068">RFC 3068</a>, June 2001.
[<a id="ref-RFC3704">RFC3704</a>] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", <a href="https://www.rfc-editor.org/bcp/bcp84">BCP 84</a>, <a href="./rfc3704">RFC 3704</a>, March 2004.
[<a id="ref-RFC4193">RFC4193</a>] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", <a href="./rfc4193">RFC 4193</a>, October 2005.
[<a id="ref-RFC4380">RFC4380</a>] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
Network Address Translations (NATs)", <a href="./rfc4380">RFC 4380</a>,
February 2006.
[<a id="ref-RFC4443">RFC4443</a>] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", <a href="./rfc4443">RFC 4443</a>,
March 2006.
<span class="grey">Despres, et al. Experimental [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
[<a id="ref-RFC5245">RFC5245</a>] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", <a href="./rfc5245">RFC 5245</a>,
April 2010.
[<a id="ref-RFC5569">RFC5569</a>] Despres, R., "IPv6 Rapid Deployment on IPv4
Infrastructures (6rd)", <a href="./rfc5569">RFC 5569</a>, January 2010.
[<a id="ref-RFC5626">RFC5626</a>] Jennings, C., Ed., Mahy, R., Ed., and F. Audet, Ed.,
"Managing Client-Initiated Connections in the Session
Initiation Protocol (SIP)", <a href="./rfc5626">RFC 5626</a>, October 2009.
[<a id="ref-RFC5969">RFC5969</a>] Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4
Infrastructures (6rd) -- Protocol Specification",
<a href="./rfc5969">RFC 5969</a>, August 2010.
[<a id="ref-RFC5991">RFC5991</a>] Thaler, D., Krishnan, S., and J. Hoagland, "Teredo
Security Updates", <a href="./rfc5991">RFC 5991</a>, September 2010.
[<a id="ref-RFC6081">RFC6081</a>] Thaler, D., "Teredo Extensions", <a href="./rfc6081">RFC 6081</a>, January 2011.
[<a id="ref-RFC6145">RFC6145</a>] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", <a href="./rfc6145">RFC 6145</a>, April 2011.
[<a id="ref-RFC6324">RFC6324</a>] Nakibly, G. and F. Templin, "Routing Loop Attack Using
IPv6 Automatic Tunnels: Problem Statement and Proposed
Mitigations", <a href="./rfc6324">RFC 6324</a>, August 2011.
[<a id="ref-SAMPLE">SAMPLE</a>] Carpenter, B. and S. Jiang, "Legacy NAT Traversal for
IPv6: Simple Address Mapping for Premises Legacy Equipment
(SAMPLE)", Work in Progress, June 2010.
[<a id="ref-TheTool">TheTool</a>] de Saint-Exupery, A., "Wind, Sand and Stars", Chapter III
(The Tool), 1939.
<span class="grey">Despres, et al. Experimental [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc6751">RFC 6751</a> Native IPv6 behind NAT44 CPEs (6a44) October 2012</span>
Authors' Addresses
Remi Despres (editor)
RD-IPtech
3 rue du President Wilson
Levallois
France
EMail: despres.remi@laposte.net
Brian Carpenter
University of Auckland
Department of Computer Science
PB 92019
Auckland 1142
New Zealand
EMail: brian.e.carpenter@gmail.com
Dan Wing
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA
EMail: dwing@cisco.com
Sheng Jiang
Huawei Technologies Co., Ltd.
Q14, Huawei Campus - No. 156 Beiqing Road
Hai-Dian District, Beijing 100095
P.R. China
EMail: jiangsheng@huawei.com
Despres, et al. Experimental [Page 33]
</pre>
|
