1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
|
<pre>Internet Engineering Task Force (IETF) O. Troan, Ed.
Request for Comments: 7597 W. Dec
Category: Standards Track Cisco Systems
ISSN: 2070-1721 X. Li
C. Bao
Tsinghua University
S. Matsushima
SoftBank Telecom
T. Murakami
IP Infusion
T. Taylor, Ed.
Huawei Technologies
July 2015
<span class="h1">Mapping of Address and Port with Encapsulation (MAP-E)</span>
Abstract
This document describes a mechanism for transporting IPv4 packets
across an IPv6 network using IP encapsulation. It also describes a
generic mechanism for mapping between IPv6 addresses and IPv4
addresses as well as transport-layer ports.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7597">http://www.rfc-editor.org/info/rfc7597</a>.
<span class="grey">Troan, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Troan, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-4">4</a>
<a href="#section-2">2</a>. Conventions .....................................................<a href="#page-5">5</a>
<a href="#section-3">3</a>. Terminology .....................................................<a href="#page-5">5</a>
<a href="#section-4">4</a>. Architecture ....................................................<a href="#page-7">7</a>
<a href="#section-5">5</a>. Mapping Algorithm ...............................................<a href="#page-8">8</a>
<a href="#section-5.1">5.1</a>. Port-Mapping Algorithm ....................................<a href="#page-10">10</a>
<a href="#section-5.2">5.2</a>. Basic Mapping Rule (BMR) ..................................<a href="#page-11">11</a>
<a href="#section-5.3">5.3</a>. Forwarding Mapping Rule (FMR) .............................<a href="#page-14">14</a>
<a href="#section-5.4">5.4</a>. Destinations outside the MAP Domain .......................<a href="#page-14">14</a>
<a href="#section-6">6</a>. The IPv6 Interface Identifier ..................................<a href="#page-15">15</a>
<a href="#section-7">7</a>. MAP Configuration ..............................................<a href="#page-15">15</a>
<a href="#section-7.1">7.1</a>. MAP CE ....................................................<a href="#page-15">15</a>
<a href="#section-7.2">7.2</a>. MAP BR ....................................................<a href="#page-16">16</a>
<a href="#section-8">8</a>. Forwarding Considerations ......................................<a href="#page-17">17</a>
<a href="#section-8.1">8.1</a>. Receiving Rules ...........................................<a href="#page-17">17</a>
<a href="#section-8.2">8.2</a>. ICMP ......................................................<a href="#page-18">18</a>
<a href="#section-8.3">8.3</a>. Fragmentation and Path MTU Discovery ......................<a href="#page-18">18</a>
<a href="#section-8.3.1">8.3.1</a>. Fragmentation in the MAP Domain ....................<a href="#page-18">18</a>
8.3.2. Receiving IPv4 Fragments on the MAP Domain
Borders ............................................<a href="#page-19">19</a>
<a href="#section-8.3.3">8.3.3</a>. Sending IPv4 Fragments to the Outside ..............<a href="#page-19">19</a>
<a href="#section-9">9</a>. NAT44 Considerations ...........................................<a href="#page-19">19</a>
<a href="#section-10">10</a>. Security Considerations .......................................<a href="#page-20">20</a>
<a href="#section-11">11</a>. References ....................................................<a href="#page-21">21</a>
<a href="#section-11.1">11.1</a>. Normative References .....................................<a href="#page-21">21</a>
<a href="#section-11.2">11.2</a>. Informative References ...................................<a href="#page-21">21</a>
<a href="#appendix-A">Appendix A</a>. Examples ..............................................<a href="#page-25">25</a>
<a href="#appendix-B">Appendix B</a>. A More Detailed Description of the Derivation of the
Port-Mapping Algorithm ................................<a href="#page-29">29</a>
<a href="#appendix-B.1">B.1</a>. Bit Representation of the Algorithm ........................<a href="#page-31">31</a>
<a href="#appendix-B.2">B.2</a>. GMA Examples ...............................................<a href="#page-32">32</a>
Acknowledgements ..................................................<a href="#page-32">32</a>
Contributors ......................................................<a href="#page-33">33</a>
Authors' Addresses ................................................<a href="#page-34">34</a>
<span class="grey">Troan, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Mapping of IPv4 addresses in IPv6 addresses has been described in
numerous mechanisms dating back to the mid-1990s [<a href="./rfc1933" title=""Transition Mechanisms for IPv6 Hosts and Routers"">RFC1933</a>] [<a href="./rfc4213" title=""Basic Transition Mechanisms for IPv6 Hosts and Routers"">RFC4213</a>].
The "automatic tunneling" mechanism as first described in [<a href="./rfc1933" title=""Transition Mechanisms for IPv6 Hosts and Routers"">RFC1933</a>]
assigned a globally unique IPv6 address to a host by combining the
host's IPv4 address with a well-known IPv6 prefix. Given an IPv6
packet with a destination address with an embedded IPv4 address, a
node could automatically tunnel this packet by extracting the IPv4
tunnel endpoint address from the IPv6 destination address.
There are numerous variations of this idea, as described in 6over4
[<a href="./rfc2529" title=""Transmission of IPv6 over IPv4 Domains without Explicit Tunnels"">RFC2529</a>], 6to4 [<a href="./rfc3056" title=""Connection of IPv6 Domains via IPv4 Clouds"">RFC3056</a>], the Intra-Site Automatic Tunnel Addressing
Protocol (ISATAP) [<a href="./rfc5214" title=""Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)"">RFC5214</a>], and IPv6 Rapid Deployment on IPv4
Infrastructures (6rd) [<a href="./rfc5969" title=""IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification"">RFC5969</a>].
The commonalities of all of these IPv6-over-IPv4 mechanisms are as
follows:
o Automatic provisioning of an IPv6 address for a host or an IPv6
prefix for a site.
o Algorithmic or implicit address resolution of tunnel endpoint
addresses. Given an IPv6 destination address, an IPv4 tunnel
endpoint address can be calculated.
o Embedding of an IPv4 address or part thereof into an IPv6 address.
In later phases of IPv4-to-IPv6 migration, it is expected that
IPv6-only networks will be common, while there will still be a need
for residual IPv4 deployment. This document describes a generic
mapping of IPv4 to IPv6 and a mechanism for encapsulating IPv4
over IPv6.
Just as for the IPv6-over-IPv4 mechanisms referred to above, the
residual IPv4-over-IPv6 mechanism must be capable of:
o Provisioning an IPv4 prefix, an IPv4 address, or a shared IPv4
address.
o Algorithmically mapping between an IPv4 prefix, an IPv4 address,
or a shared IPv4 address and an IPv6 address.
The mapping scheme described here supports encapsulation of IPv4
packets in IPv6 in both mesh and hub-and-spoke topologies, including
address mappings with full independence between IPv6 and IPv4
addresses.
<span class="grey">Troan, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
This document describes the delivery of IPv4 unicast service across
an IPv6 infrastructure. IPv4 multicast is not considered in this
document.
The Address plus Port (A+P) architecture of sharing an IPv4 address
by distributing the port space is described in [<a href="./rfc6346" title=""The Address plus Port (A+P) Approach to the IPv4 Address Shortage"">RFC6346</a>].
Specifically, <a href="./rfc6346#section-4">Section 4 of [RFC6346]</a> covers stateless mapping. The
corresponding stateful solution, Dual-Stack Lite (DS-Lite), is
described in [<a href="./rfc6333" title=""Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion"">RFC6333</a>]. The motivations for this work are described
in [<a href="#ref-Solutions-4v6">Solutions-4v6</a>].
[<a id="ref-RFC7598">RFC7598</a>] defines DHCPv6 options for the provisioning of MAP. Other
means of provisioning are possible. Deployment considerations are
described in [<a href="#ref-MAP-Deploy">MAP-Deploy</a>].
MAP relies on IPv6 and is designed to deliver dual-stack service
while allowing IPv4 to be phased out within the service provider's
(SP's) network. The phasing out of IPv4 within the SP network is
independent of whether the end user disables IPv4 service or not.
Further, "greenfield" IPv6-only networks may use MAP in order to
deliver IPv4 to sites via the IPv6 network.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Conventions</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Terminology</span>
MAP domain: One or more MAP Customer Edge (CE) devices
and Border Relays (BRs) connected to the same
virtual link. A service provider may deploy
a single MAP domain or may utilize multiple
MAP domains.
MAP Rule: A set of parameters describing the mapping
between an IPv4 prefix, IPv4 address, or
shared IPv4 address and an IPv6 prefix or
address. Each domain uses a different
mapping rule set.
MAP node: A device that implements MAP.
<span class="grey">Troan, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
MAP Border Relay (BR): A MAP-enabled router managed by the service
provider at the edge of a MAP domain. A BR
has at least an IPv6-enabled interface and an
IPv4 interface connected to the native IPv4
network. A MAP BR may also be referred to as
simply a "BR" within the context of MAP.
MAP Customer Edge (CE): A device functioning as a Customer Edge
router in a MAP deployment. A typical MAP CE
adopting MAP Rules will serve a residential
site with one WAN-side interface and one or
more LAN-side interfaces. A MAP CE may also
be referred to as simply a "CE" within the
context of MAP.
Port set: Each node has a separate part of the
transport-layer port space; this is denoted
as a port set.
Port Set ID (PSID): Algorithmically identifies a set of ports
exclusively assigned to a CE.
Shared IPv4 address: An IPv4 address that is shared among multiple
CEs. Only ports that belong to the assigned
port set can be used for communication. Also
known as a port-restricted IPv4 address.
End-user IPv6 prefix: The IPv6 prefix assigned to an End-user CE by
means other than MAP itself, e.g.,
provisioned using DHCPv6 Prefix Delegation
(PD) [<a href="./rfc3633" title=""IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6"">RFC3633</a>], assigned via Stateless
Address Autoconfiguration (SLAAC) [<a href="./rfc4862" title=""IPv6 Stateless Address Autoconfiguration"">RFC4862</a>],
or configured manually. It is unique for
each CE.
MAP IPv6 address: The IPv6 address used to reach the MAP
function of a CE from other CEs and from BRs.
Rule IPv6 prefix: An IPv6 prefix assigned by a service provider
for a mapping rule.
Rule IPv4 prefix: An IPv4 prefix assigned by a service provider
for a mapping rule.
<span class="grey">Troan, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Embedded Address (EA) bits:
The IPv4 EA-bits in the IPv6 address identify
an IPv4 prefix/address (or part thereof) or a
shared IPv4 address (or part thereof) and a
Port Set Identifier.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Architecture</span>
In accordance with the requirements stated above, the MAP mechanism
can operate with shared IPv4 addresses, full IPv4 addresses, or IPv4
prefixes. Operation with shared IPv4 addresses is described here,
and the differences for full IPv4 addresses and prefixes are
described below.
The MAP mechanism uses existing standard building blocks. The
existing Network Address and Port Translator (NAPT) [<a href="./rfc2663" title=""IP Network Address Translator (NAT) Terminology and Considerations"">RFC2663</a>] on the
CE is used with additional support for restricting transport-protocol
ports, ICMP identifiers, and fragment identifiers to the configured
port set. For packets outbound from the private IPv4 network, the CE
NAPT MUST translate transport identifiers (e.g., TCP and UDP port
numbers) so that they fall within the CE's assigned port range.
The NAPT MUST in turn be connected to a MAP-aware forwarding function
that does encapsulation/decapsulation of IPv4 packets in IPv6. MAP
supports the encapsulation mode specified in [<a href="./rfc2473" title=""Generic Packet Tunneling in IPv6 Specification"">RFC2473</a>]. In addition,
MAP specifies an algorithm to do "address resolution" from an IPv4
address and port to an IPv6 address. This algorithmic mapping is
specified in <a href="#section-5">Section 5</a>.
The MAP architecture described here restricts the use of the shared
IPv4 address to only be used as the global address (outside) of the
NAPT running on the CE. A shared IPv4 address MUST NOT be used to
identify an interface. While it is theoretically possible to make
host stacks and applications port-aware, it would be a drastic change
to the IP model [<a href="./rfc6250" title=""Evolution of the IP Model"">RFC6250</a>].
For full IPv4 addresses and IPv4 prefixes, the architecture just
described applies, with two differences: first, a full IPv4 address
or IPv4 prefix can be used as it is today, e.g., for identifying an
interface or as a DHCP pool, respectively. Second, the NAPT is not
required to restrict the ports used on outgoing packets.
<span class="grey">Troan, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
This architecture is illustrated in Figure 1.
User N
Private IPv4
| Network
|
O--+---------------O
| | MAP CE |
| +-----+--------+ |
| NAPT44| MAP | |
| +-----+ | |\ ,-------. .------.
| +--------+ | \ ,-' `-. ,-' `-.
O------------------O / \ O---------O / Public \
/ IPv6-only \ | MAP | / IPv4 \
( Network --+ Border +- Network )
\ (MAP Domain) / | Relay | \ /
O------------------O \ / O---------O \ /
| MAP CE | /". ,-' `-. ,-'
| +-----+--------+ | / `----+--' ------'
| NAPT44| MAP | |/
| +-----+ | |
| | +--------+ |
O---+--------------O
|
User M
Private IPv4
Network
Figure 1: Network Topology
The MAP BR connects one or more MAP domains to external IPv4
networks.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Mapping Algorithm</span>
A MAP node is provisioned with one or more mapping rules.
Mapping rules are used differently, depending on their function.
Every MAP node must be provisioned with a Basic Mapping Rule. This
is used by the node to configure its IPv4 address, IPv4 prefix, or
shared IPv4 address. This same basic rule can also be used for
forwarding, where an IPv4 destination address and, optionally, a
destination port are mapped into an IPv6 address. Additional mapping
rules are specified to allow for multiple different IPv4 subnets to
exist within the domain and optimize forwarding between them.
<span class="grey">Troan, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Traffic outside of the domain (i.e., when the destination IPv4
address does not match (using longest matching prefix) any Rule IPv4
prefix in the Rules database) is forwarded to the BR.
There are two types of mapping rules:
1. Basic Mapping Rule (BMR) - mandatory. A CE can be provisioned
with multiple End-user IPv6 prefixes. There can only be one
Basic Mapping Rule per End-user IPv6 prefix. However, all CEs
having End-user IPv6 prefixes within (aggregated by) the same
Rule IPv6 prefix may share the same Basic Mapping Rule. In
combination with the End-user IPv6 prefix, the Basic Mapping Rule
is used to derive the IPv4 prefix, address, or shared address and
the PSID assigned to the CE.
2. Forwarding Mapping Rule (FMR) - optional; used for forwarding.
The Basic Mapping Rule may also be a Forwarding Mapping Rule.
Each Forwarding Mapping Rule will result in an entry in the rule
table for the Rule IPv4 prefix. Given a destination IPv4 address
and port within the MAP domain, a MAP node can use the matching
FMR to derive the End-user IPv6 address of the interface through
which that IPv4 destination address and port combination can be
reached. In hub-and-spoke mode, there are no FMRs.
Both mapping rules share the same parameters:
o Rule IPv6 prefix (including prefix length)
o Rule IPv4 prefix (including prefix length)
o Rule EA-bit length (in bits)
A MAP node finds its BMR by doing a longest match between the
End-user IPv6 prefix and the Rule IPv6 prefix in the Mapping Rules
table. The rule is then used for IPv4 prefix, address, or shared
address assignment.
A MAP IPv6 address is formed from the BMR Rule IPv6 prefix. This
address MUST be assigned to an interface of the MAP node and is used
to terminate all MAP traffic being sent or received to the node.
Port-restricted IPv4 routes are installed in the rule table for all
the Forwarding Mapping Rules, and a default route is installed to the
MAP BR (see <a href="#section-5.4">Section 5.4</a>).
<span class="grey">Troan, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Forwarding Mapping Rules are used to allow direct communication
between MAP CEs; this is known as "Mesh mode". In hub-and-spoke
mode, there are no Forwarding Mapping Rules; all traffic MUST be
forwarded directly to the BR.
While an FMR is optional in the sense that a MAP CE MAY be configured
with zero or more FMRs -- depending on the deployment -- all MAP CEs
MUST implement support for both rule types.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Port-Mapping Algorithm</span>
The port-mapping algorithm is used in domains whose rules allow IPv4
address sharing.
The simplest way to represent a port range is using a notation
similar to Classless Inter-Domain Routing (CIDR) [<a href="./rfc4632" title=""Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan"">RFC4632</a>]. For
example, the first 256 ports are represented as port prefix 0.0/8 and
the last 256 ports as 255.0/8. In hexadecimal, these would be
0x0000/8 (PSID = 0) and 0xFF00/8 (PSID = 0xFF), respectively. Using
this technique but wishing to avoid allocating the system ports
[<a href="./rfc6335" title=""Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry"">RFC6335</a>] to the user, one would have to exclude the use of one or
more PSIDs (e.g., PSIDs 0 to 3 in the example just given).
When the PSID is embedded in the End-user IPv6 prefix, it is
desirable to minimize the restrictions of possible PSID values in
order to minimize dependencies between the End-user IPv6 prefix and
the assigned port set. This is achieved by using an infix
representation of the port value. Using such a representation, the
well-known ports are excluded by restrictions on the value of the
high-order bit field (A) rather than the PSID.
The infix algorithm allocates ports to a given CE as a series of
contiguous ranges spaced at regular intervals throughout the complete
range of possible port-set values.
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-----------+-----------+-------+
Ports in | A | PSID | j |
the CE port set | > 0 | | |
+-----------+-----------+-------+
| a bits | k bits |m bits |
Figure 2: Structure of a Port-Restricted Port Field
<span class="grey">Troan, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
a bits: The number of offset bits -- 6 by default, as this excludes
the system ports (0-1023). To guarantee non-overlapping
port sets, the offset 'a' MUST be the same for every MAP CE
sharing the same address.
A: Selects the range of the port number. For 'a' > 0, A MUST
be larger than 0. This ensures that the algorithm excludes
the system ports. For the default value of 'a' (6), the
system ports are excluded by requiring that A be greater
than 0. Smaller values of 'a' exclude a larger initial
range, e.g., 'a' = 4 will exclude ports 0-4095. The
interval between initial port numbers of successive
contiguous ranges assigned to the same user is 2^(16 - a).
k bits: The length in bits of the PSID field. To guarantee
non-overlapping port sets, the length 'k' MUST be the same
for every MAP CE sharing the same address. The sharing
ratio is 2^k. The number of ports assigned to the user is
2^(16 - k) - 2^m (excluded ports).
PSID: The Port Set Identifier (PSID). Different PSID values
guarantee non-overlapping port sets, thanks to the
restrictions on 'a' and 'k' stated above, because the PSID
always occupies the same bit positions in the port number.
m bits: The number of contiguous ports is given by 2^m.
j: Selects the specific port within a particular range
specified by the concatenation of A and the PSID.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Basic Mapping Rule (BMR)</span>
The Basic Mapping Rule is mandatory and is used by the CE to
provision itself with an IPv4 prefix, IPv4 address, or shared IPv4
address. Recall from <a href="#section-5">Section 5</a> that the BMR consists of the
following parameters:
o Rule IPv6 prefix (including prefix length)
o Rule IPv4 prefix (including prefix length)
o Rule EA-bit length (in bits)
<span class="grey">Troan, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Figure 3 shows the structure of the complete MAP IPv6 address as
specified in this document.
| n bits | o bits | s bits | 128-n-o-s bits |
+--------------------+-----------+---------+-----------------------+
| Rule IPv6 prefix | EA bits |subnet ID| interface ID |
+--------------------+-----------+---------+-----------------------+
|<--- End-user IPv6 prefix --->|
Figure 3: MAP IPv6 Address Format
The Rule IPv6 prefix is common among all CEs using the same Basic
Mapping Rule within the MAP domain. The EA bit field encodes the
CE-specific IPv4 address and port information. The EA bit field,
which is unique for a given Rule IPv6 prefix, can contain a full or
partial IPv4 address and, in the shared IPv4 address case, a PSID.
An EA bit field length of 0 signifies that all relevant MAP IPv4
addressing information is passed directly in the BMR and is not
derived from the EA bit field in the End-user IPv6 prefix.
The MAP IPv6 address is created by concatenating the End-user IPv6
prefix with the MAP subnet identifier (if the End-user IPv6 prefix is
shorter than 64 bits) and the interface identifier as specified in
<a href="#section-6">Section 6</a>.
The MAP subnet identifier is defined to be the first subnet (s bits
set to zero).
Define:
r = length of the IPv4 prefix given by the BMR;
o = length of the EA bit field as given by the BMR;
p = length of the IPv4 suffix contained in the EA bit field.
The length r MAY be zero, in which case the complete IPv4 address or
prefix is encoded in the EA bits. If only a part of the IPv4
address / prefix is encoded in the EA bits, the Rule IPv4 prefix is
provisioned to the CE by other means (e.g., a DHCPv6 option). To
create a complete IPv4 address (or prefix), the IPv4 address suffix
(p) from the EA bits is concatenated with the Rule IPv4 prefix
(r bits).
The offset of the EA bit field in the IPv6 address is equal to the
BMR Rule IPv6 prefix length. The length of the EA bit field (o) is
given by the BMR Rule EA-bit length and can be between 0 and 48. A
length of 48 means that the complete IPv4 address and port are
<span class="grey">Troan, et al. Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
embedded in the End-user IPv6 prefix (a single port is assigned). A
length of 0 means that no part of the IPv4 address or port is
embedded in the address. The sum of the Rule IPv6 Prefix length and
the Rule EA-bit length MUST be less than or equal to the End-user
IPv6 prefix length.
If o + r < 32 (length of the IPv4 address in bits), then an IPv4
prefix is assigned. This case is shown in Figure 4.
| r bits | o bits = p bits |
+-------------+---------------------+
| Rule IPv4 | IPv4 address suffix |
+-------------+---------------------+
| < 32 bits |
Figure 4: IPv4 Prefix
If o + r is equal to 32, then a full IPv4 address is to be assigned.
The address is created by concatenating the Rule IPv4 prefix and the
EA-bits. This case is shown in Figure 5.
| r bits | o bits = p bits |
+-------------+---------------------+
| Rule IPv4 | IPv4 address suffix |
+-------------+---------------------+
| 32 bits |
Figure 5: Complete IPv4 Address
If o + r is > 32, then a shared IPv4 address is to be assigned. The
number of IPv4 address suffix bits (p) in the EA bits is given by
32 - r bits. The PSID bits are used to create a port set. The
length of the PSID bit field within the EA bits is q = o - p.
| r bits | p bits | | q bits |
+-------------+---------------------+ +------------+
| Rule IPv4 | IPv4 address suffix | |Port Set ID |
+-------------+---------------------+ +------------+
| 32 bits |
Figure 6: Shared IPv4 Address
The length of r MAY be 32, with no part of the IPv4 address embedded
in the EA bits. This results in a mapping with no dependence between
the IPv4 address and the IPv6 address. In addition, the length of o
MAY be zero (no EA bits embedded in the End-user IPv6 prefix),
meaning that the PSID is also provisioned using, for example, DHCP.
<span class="grey">Troan, et al. Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
See <a href="#appendix-A">Appendix A</a> for an example of the Basic Mapping Rule.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Forwarding Mapping Rule (FMR)</span>
The Forwarding Mapping Rule is optional and is used in Mesh mode to
enable direct CE-to-CE connectivity.
On adding an FMR rule, an IPv4 route is installed in the rule table
for the Rule IPv4 prefix (Figures 4, 5, and 6).
| 32 bits | | 16 bits |
+--------------------------+ +-------------------+
| IPv4 destination address | | IPv4 dest port |
+--------------------------+ +-------------------+
: : ___/ :
| p bits | / q bits :
+-----------+ +------------+
|IPv4 suffix| |Port Set ID |
+-----------+ +------------+
\ / ____/ ________/
\ : __/ _____/
\ : / /
| n bits | o bits | s bits | 128-n-o-s bits |
+--------------------+-----------+---------+------------+----------+
| Rule IPv6 prefix | EA bits |subnet ID| interface ID |
+--------------------+-----------+---------+-----------------------+
|<--- End-user IPv6 prefix --->|
Figure 7: Derivation of MAP IPv6 Address
See <a href="#appendix-A">Appendix A</a> for an example of the Forwarding Mapping Rule.
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. Destinations outside the MAP Domain</span>
IPv4 traffic between MAP nodes that are all within one MAP domain is
encapsulated in IPv6, with the sender's MAP IPv6 address as the IPv6
source address and the receiving MAP node's MAP IPv6 address as the
IPv6 destination address. To reach IPv4 destinations outside of the
MAP domain, traffic is also encapsulated in IPv6, but the destination
IPv6 address is set to the configured IPv6 address of the MAP BR.
On the CE, the path to the BR can be represented as a point-to-point
IPv4-over-IPv6 tunnel [<a href="./rfc2473" title=""Generic Packet Tunneling in IPv6 Specification"">RFC2473</a>] with the source address of the tunnel
being the CE's MAP IPv6 address and the BR IPv6 address as the remote
tunnel address. When MAP is enabled, a typical CE router will
install a default IPv4 route to the BR.
<span class="grey">Troan, et al. Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
The BR forwards traffic received from the outside to CEs using the
normal MAP forwarding rules.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. The IPv6 Interface Identifier</span>
The interface identifier format of a MAP node is described below.
| 128-n-o-s bits |
| 16 bits| 32 bits | 16 bits|
+--------+----------------+--------+
| 0 | IPv4 address | PSID |
+--------+----------------+--------+
Figure 8: IPv6 Interface Identifier
In the case of an IPv4 prefix, the IPv4 address field is right-padded
with zeros up to 32 bits. The PSID field is left-padded with zeros
to create a 16-bit field. For an IPv4 prefix or a complete IPv4
address, the PSID field is zero.
If the End-user IPv6 prefix length is larger than 64, the most
significant parts of the interface identifier are overwritten by the
prefix.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. MAP Configuration</span>
For a given MAP domain, the BR and CE MUST be configured with the
following MAP elements. The configured values for these elements are
identical for all CEs and BRs within a given MAP domain.
o The Basic Mapping Rule and, optionally, the Forwarding Mapping
Rules, including the Rule IPv6 prefix, Rule IPv4 prefix, and
Length of EA bits.
o Hub-and-spoke mode or Mesh mode (if all traffic should be sent to
the BR, or if direct CE-to-CE traffic should be supported).
In addition, the MAP CE MUST be configured with the IPv6 address(es)
of the MAP BR (<a href="#section-5.4">Section 5.4</a>).
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. MAP CE</span>
The MAP elements are set to values that are the same across all CEs
within a MAP domain. The values may be configured in a variety of
ways, including provisioning methods such as the Broadband Forum's
"TR-69" Residential Gateway management interface [<a href="#ref-TR069" title=""CPE WAN Management Protocol"">TR069</a>], an
XML-based object retrieved after IPv6 connectivity is established, or
manual configuration by an administrator. IPv6 DHCP options for MAP
<span class="grey">Troan, et al. Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
configuration are defined in [<a href="./rfc7598" title=""DHCPv6 Options for Configuration of Softwire Address and Port-Mapped Clients"">RFC7598</a>]. Other configuration and
management methods may use the formats described by these options for
consistency and convenience of implementation on CEs that support
multiple configuration methods.
The only remaining provisioning information the CE requires in order
to calculate the MAP IPv4 address and enable IPv4 connectivity is the
IPv6 prefix for the CE. The End-user IPv6 prefix is configured as
part of obtaining IPv6 Internet access.
The MAP provisioning parameters, and hence the IPv4 service itself,
are tied to the associated End-user IPv6 prefix lifetime; thus, the
MAP service is also tied to this in terms of authorization,
accounting, etc.
A single MAP CE MAY be connected to more than one MAP domain, just as
any router may have more than one IPv4-enabled service-provider-
facing interface and more than one set of associated addresses
assigned by DHCP. Each domain within which a given CE operates would
require its own set of MAP configuration elements and would generate
its own IPv4 address. Each MAP domain requires a distinct End-user
IPv6 prefix.
MAP DHCP options are specified in [<a href="./rfc7598" title=""DHCPv6 Options for Configuration of Softwire Address and Port-Mapped Clients"">RFC7598</a>].
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. MAP BR</span>
The MAP BR MUST be configured with corresponding mapping rules for
each MAP domain for which it is acting as a BR.
For increased reliability and load balancing, the BR IPv6 address MAY
be an anycast address shared across a given MAP domain. As MAP is
stateless, any BR may be used at any time. If the BR IPv6 address is
anycast, the relay MUST use this anycast IPv6 address as the source
address in packets relayed to CEs.
Since MAP uses provider address space, no specific routes need to be
advertised externally for MAP to operate in IPv6 or IPv4 BGP.
However, if anycast is used for the MAP IPv6 relays, the anycast
addresses must be advertised in the service provider's IGP.
<span class="grey">Troan, et al. Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Forwarding Considerations</span>
Figure 1 depicts the overall MAP architecture with IPv4 users
connected to a routed IPv6 network.
MAP uses encapsulation mode as specified in [<a href="./rfc2473" title=""Generic Packet Tunneling in IPv6 Specification"">RFC2473</a>].
For a shared IPv4 address, a MAP CE forwarding IPv4 packets from the
LAN performs NAT44 functions first and creates appropriate NAT44
bindings. The resulting IPv4 packets MUST contain the source IPv4
address and source transport identifiers specified by the MAP
provisioning parameters. The IPv4 packet is forwarded using the CE's
MAP forwarding function. The IPv6 source and destination addresses
MUST then be derived as per <a href="#section-5">Section 5</a> of this document.
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Receiving Rules</span>
A MAP CE receiving an IPv6 packet to its MAP IPv6 address sends this
packet to the CE's MAP function, where it is decapsulated. The
resulting IPv4 packet is then forwarded to the CE's NAT44 function,
where it is handled according to the NAT's translation table.
A MAP BR receiving IPv6 packets selects a best matching MAP domain
rule (Rule IPv6 prefix) based on a longest address match of the
packet's IPv6 source address, as well as a match of the packet
destination address against the configured BR IPv6 address(es). The
selected MAP Rule allows the BR to determine the EA-bits from the
source IPv6 address.
To prevent spoofing of IPv4 addresses, any MAP node (CE and BR) MUST
perform the following validation upon reception of a packet. First,
the embedded IPv4 address or prefix, as well as the PSID (if any),
are extracted from the source IPv6 address using the matching MAP
Rule. These represent the range of what is acceptable as source IPv4
address and port. Second, the node extracts the source IPv4 address
and port from the IPv4 packet encapsulated inside the IPv6 packet.
If they are found to be outside the acceptable range, the packet MUST
be silently discarded and a counter incremented to indicate that a
potential spoofing attack may be underway. The source validation
checks just described are not done for packets whose source IPv6
address is that of the BR (BR IPv6 address).
By default, the CE router MUST drop packets received on the MAP
virtual interface (i.e., after decapsulation of IPv6) for IPv4
destinations not for its own IPv4 shared address, full IPv4 address,
or IPv4 prefix.
<span class="grey">Troan, et al. Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. ICMP</span>
ICMP messages should be supported in MAP domains. Hence, the NAT44
in the MAP CE MUST implement the behavior for ICMP messages
conforming to the best current practice documented in [<a href="./rfc5508" title=""NAT Behavioral Requirements for ICMP"">RFC5508</a>].
If a MAP CE receives an ICMP message having the ICMP Identifier field
in the ICMP header, the NAT44 in the MAP CE MUST rewrite this field
to a specific value assigned from the port set. BRs and other CEs
must handle this field in a way similar to the handling of a port
number in the TCP/UDP header upon receiving the ICMP message with the
ICMP Identifier field.
If a MAP node receives an ICMP error message without the ICMP
Identifier field for errors that are detected inside an IPv6 tunnel,
a node should relay the ICMP error message to the original source.
This behavior SHOULD be implemented in accordance with <a href="./rfc2473#section-8">Section 8 of
[RFC2473]</a>.
<span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>. Fragmentation and Path MTU Discovery</span>
Due to the different sizes of the IPv4 and IPv6 headers, handling the
maximum packet size is relevant for the operation of any system
connecting the two address families. There are three mechanisms to
handle this issue: Path MTU Discovery (PMTUD), fragmentation, and
transport-layer negotiation such as the TCP Maximum Segment Size
(MSS) option [<a href="./rfc879" title=""The TCP Maximum Segment Size and Related Topics"">RFC879</a>]. MAP uses all three mechanisms to deal with
different cases.
<span class="h4"><a class="selflink" id="section-8.3.1" href="#section-8.3.1">8.3.1</a>. Fragmentation in the MAP Domain</span>
Encapsulating an IPv4 packet to carry it across the MAP domain will
increase its size (typically by 40 bytes). It is strongly
recommended that the MTU in the MAP domain be well managed and that
the IPv6 MTU on the CE WAN-side interface be set so that no
fragmentation occurs within the boundary of the MAP domain.
For an IPv4 packet entering a MAP domain, fragmentation is performed
as described in <a href="./rfc2473#section-7.2">Section 7.2 of [RFC2473]</a>.
The use of an anycast source address could lead to an ICMP error
message generated on the path being sent to a different BR.
Therefore, using a dynamically set tunnel MTU (<a href="./rfc2473#section-6.7">Section 6.7 of
[RFC2473]</a>) is subject to IPv6 Path MTU black holes. A MAP BR using
an anycast source address SHOULD NOT by default use Path MTU
Discovery across the MAP domain.
<span class="grey">Troan, et al. Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Multiple BRs using the same anycast source address could send
fragmented packets to the same CE at the same time. If the
fragmented packets from different BRs happen to use the same
fragment ID, incorrect reassembly might occur. See [<a href="./rfc4459" title=""MTU and Fragmentation Issues with In-the-Network Tunneling"">RFC4459</a>] for an
analysis of the problem; <a href="./rfc4459#section-3.4">Section 3.4 of [RFC4459]</a> suggests solving
the problem by fragmenting the inner packet.
<span class="h4"><a class="selflink" id="section-8.3.2" href="#section-8.3.2">8.3.2</a>. Receiving IPv4 Fragments on the MAP Domain Borders</span>
The forwarding of an IPv4 packet received from outside of the MAP
domain requires the IPv4 destination address and the
transport-protocol destination port. The transport-protocol
information is only available in the first fragment received. As
described in <a href="./rfc6346#section-5.3.3">Section 5.3.3 of [RFC6346]</a>, a MAP node receiving an
IPv4 fragmented packet from outside has to reassemble the packet
before sending the packet onto the MAP link. If the first packet
received contains the transport-protocol information, it is possible
to optimize this behavior by using a cache and forwarding the
fragments unchanged. Implementers of MAP should be aware that there
are a number of well-known attacks against IP fragmentation; see
[<a href="./rfc1858" title=""Security Considerations for IP Fragment Filtering"">RFC1858</a>] and [<a href="./rfc3128" title=""Protection Against a Variant of the Tiny Fragment Attack (RFC 1858)"">RFC3128</a>]. Implementers should also be aware of
additional issues with reassembling packets at high rates, as
described in [<a href="./rfc4963" title=""IPv4 Reassembly Errors at High Data Rates"">RFC4963</a>].
<span class="h4"><a class="selflink" id="section-8.3.3" href="#section-8.3.3">8.3.3</a>. Sending IPv4 Fragments to the Outside</span>
If two IPv4 hosts behind two different MAP CEs with the same IPv4
address send fragments to an IPv4 destination host outside the
domain, those hosts may use the same IPv4 fragmentation identifier,
resulting in incorrect reassembly of the fragments at the destination
host. Given that the IPv4 fragmentation identifier is a 16-bit
field, it could be used similarly to port ranges. A MAP CE could
rewrite the IPv4 fragmentation identifier to be within its allocated
port set, if the resulting fragment identifier space was large enough
related to the rate at which fragments were sent. However, splitting
the identifier space in this fashion would increase the probability
of reassembly collisions for all connections through the Customer
Premises Equipment (CPE). See also [<a href="./rfc6864" title=""Updated Specification of the IPv4 ID Field"">RFC6864</a>].
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. NAT44 Considerations</span>
The NAT44 implemented in the MAP CE SHOULD conform to the behavior
and best current practices documented in [<a href="./rfc4787" title=""Network Address Translation (NAT) Behavioral Requirements for Unicast UDP"">RFC4787</a>], [<a href="./rfc5508" title=""NAT Behavioral Requirements for ICMP"">RFC5508</a>], and
[<a href="./rfc5382" title=""NAT Behavioral Requirements for TCP"">RFC5382</a>]. In MAP address-sharing mode (determined by the MAP
domain / rule configuration parameters), the operation of the NAT44
MUST be restricted to the available port numbers derived via the
Basic Mapping Rule.
<span class="grey">Troan, et al. Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Security Considerations</span>
Spoofing attacks: With consistency checks between IPv4 and IPv6
sources that are performed on IPv4/IPv6 packets received by MAP
nodes, MAP does not introduce any new opportunity for spoofing
attacks that would not already exist in IPv6.
Denial-of-service attacks: In MAP domains where IPv4 addresses are
shared, the fact that IPv4 datagram reassembly may be necessary
introduces an opportunity for DoS attacks. This is inherent in
address sharing and is common with other address-sharing
approaches such as DS-Lite and NAT64/DNS64. The best protection
against such attacks is to accelerate IPv6 deployment so that
address sharing is used less and less where MAP is supported.
Routing loop attacks: Routing loop attacks may exist in some
"automatic tunneling" scenarios and are documented in [<a href="./rfc6324" title=""Routing Loop Attack Using IPv6 Automatic Tunnels: Problem Statement and Proposed Mitigations"">RFC6324</a>].
They cannot exist with MAP because each BR checks that the IPv6
source address of a received IPv6 packet is a CE address based on
the Forwarding Mapping Rule.
Attacks facilitated by restricted port set: From hosts that are not
subject to ingress filtering [<a href="./rfc2827" title=""Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"">RFC2827</a>], an attacker can inject
spoofed packets during ongoing transport connections [<a href="./rfc4953" title=""Defending TCP Against Spoofing Attacks"">RFC4953</a>]
[<a href="./rfc5961" title=""Improving TCP's Robustness to Blind In-Window Attacks"">RFC5961</a>] [<a href="./rfc6056" title=""Recommendations for Transport-Protocol Port Randomization"">RFC6056</a>]. The attacks depend on guessing which ports
are currently used by target hosts. Using an unrestricted port
set is preferable, i.e., using native IPv6 connections that are
not subject to MAP port-range restrictions. To minimize these
types of attacks when using a restricted port set, the MAP CE's
NAT44 filtering behavior SHOULD be "Address-Dependent Filtering"
as described in <a href="./rfc4787#section-5">Section 5 of [RFC4787]</a>. Furthermore, the MAP CEs
SHOULD use a DNS transport proxy [<a href="./rfc5625" title=""DNS Proxy Implementation Guidelines"">RFC5625</a>] function to handle DNS
traffic and source such traffic from IPv6 interfaces not assigned
to MAP.
[<a id="ref-RFC6269">RFC6269</a>] outlines general issues with IPv4 address sharing.
<span class="grey">Troan, et al. Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. References</span>
<span class="h3"><a class="selflink" id="section-11.1" href="#section-11.1">11.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="http://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC2473">RFC2473</a>] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", <a href="./rfc2473">RFC 2473</a>, DOI 10.17487/RFC2473,
December 1998, <<a href="http://www.rfc-editor.org/info/rfc2473">http://www.rfc-editor.org/info/rfc2473</a>>.
[<a id="ref-RFC5625">RFC5625</a>] Bellis, R., "DNS Proxy Implementation Guidelines",
<a href="https://www.rfc-editor.org/bcp/bcp152">BCP 152</a>, <a href="./rfc5625">RFC 5625</a>, DOI 10.17487/RFC5625, August 2009,
<<a href="http://www.rfc-editor.org/info/rfc5625">http://www.rfc-editor.org/info/rfc5625</a>>.
<span class="h3"><a class="selflink" id="section-11.2" href="#section-11.2">11.2</a>. Informative References</span>
[<a id="ref-MAP-Deploy">MAP-Deploy</a>]
Sun, Q., Chen, M., Chen, G., Tsou, T., and S. Perreault,
"Mapping of Address and Port (MAP) - Deployment
Considerations", Work in Progress,
<a href="./draft-ietf-softwire-map-deployment-06">draft-ietf-softwire-map-deployment-06</a>, June 2015.
[<a id="ref-RFC879">RFC879</a>] Postel, J., "The TCP Maximum Segment Size and Related
Topics", <a href="./rfc879">RFC 879</a>, DOI 10.17487/RFC0879, November 1983,
<<a href="http://www.rfc-editor.org/info/rfc879">http://www.rfc-editor.org/info/rfc879</a>>.
[<a id="ref-RFC1858">RFC1858</a>] Ziemba, G., Reed, D., and P. Traina, "Security
Considerations for IP Fragment Filtering", <a href="./rfc1858">RFC 1858</a>,
DOI 10.17487/RFC1858, October 1995,
<<a href="http://www.rfc-editor.org/info/rfc1858">http://www.rfc-editor.org/info/rfc1858</a>>.
[<a id="ref-RFC1933">RFC1933</a>] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
IPv6 Hosts and Routers", <a href="./rfc1933">RFC 1933</a>, DOI 10.17487/RFC1933,
April 1996, <<a href="http://www.rfc-editor.org/info/rfc1933">http://www.rfc-editor.org/info/rfc1933</a>>.
[<a id="ref-RFC2529">RFC2529</a>] Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4
Domains without Explicit Tunnels", <a href="./rfc2529">RFC 2529</a>,
DOI 10.17487/RFC2529, March 1999,
<<a href="http://www.rfc-editor.org/info/rfc2529">http://www.rfc-editor.org/info/rfc2529</a>>.
[<a id="ref-RFC2663">RFC2663</a>] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations",
<a href="./rfc2663">RFC 2663</a>, DOI 10.17487/RFC2663, August 1999,
<<a href="http://www.rfc-editor.org/info/rfc2663">http://www.rfc-editor.org/info/rfc2663</a>>.
<span class="grey">Troan, et al. Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
[<a id="ref-RFC2827">RFC2827</a>] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", <a href="https://www.rfc-editor.org/bcp/bcp38">BCP 38</a>, <a href="./rfc2827">RFC 2827</a>, DOI 10.17487/RFC2827,
May 2000, <<a href="http://www.rfc-editor.org/info/rfc2827">http://www.rfc-editor.org/info/rfc2827</a>>.
[<a id="ref-RFC3056">RFC3056</a>] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
via IPv4 Clouds", <a href="./rfc3056">RFC 3056</a>, DOI 10.17487/RFC3056,
February 2001, <<a href="http://www.rfc-editor.org/info/rfc3056">http://www.rfc-editor.org/info/rfc3056</a>>.
[<a id="ref-RFC3128">RFC3128</a>] Miller, I., "Protection Against a Variant of the Tiny
Fragment Attack (<a href="./rfc1858">RFC 1858</a>)", <a href="./rfc3128">RFC 3128</a>,
DOI 10.17487/RFC3128, June 2001,
<<a href="http://www.rfc-editor.org/info/rfc3128">http://www.rfc-editor.org/info/rfc3128</a>>.
[<a id="ref-RFC3633">RFC3633</a>] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", <a href="./rfc3633">RFC 3633</a>,
DOI 10.17487/RFC3633, December 2003,
<<a href="http://www.rfc-editor.org/info/rfc3633">http://www.rfc-editor.org/info/rfc3633</a>>.
[<a id="ref-RFC4213">RFC4213</a>] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
for IPv6 Hosts and Routers", <a href="./rfc4213">RFC 4213</a>,
DOI 10.17487/RFC4213, October 2005,
<<a href="http://www.rfc-editor.org/info/rfc4213">http://www.rfc-editor.org/info/rfc4213</a>>.
[<a id="ref-RFC4459">RFC4459</a>] Savola, P., "MTU and Fragmentation Issues with
In-the-Network Tunneling", <a href="./rfc4459">RFC 4459</a>, DOI 10.17487/RFC4459,
April 2006, <<a href="http://www.rfc-editor.org/info/rfc4459">http://www.rfc-editor.org/info/rfc4459</a>>.
[<a id="ref-RFC4632">RFC4632</a>] Fuller, V. and T. Li, "Classless Inter-domain Routing
(CIDR): The Internet Address Assignment and Aggregation
Plan", <a href="https://www.rfc-editor.org/bcp/bcp122">BCP 122</a>, <a href="./rfc4632">RFC 4632</a>, DOI 10.17487/RFC4632,
August 2006, <<a href="http://www.rfc-editor.org/info/rfc4632">http://www.rfc-editor.org/info/rfc4632</a>>.
[<a id="ref-RFC4787">RFC4787</a>] Audet, F., Ed., and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast
UDP", <a href="https://www.rfc-editor.org/bcp/bcp127">BCP 127</a>, <a href="./rfc4787">RFC 4787</a>, DOI 10.17487/RFC4787,
January 2007, <<a href="http://www.rfc-editor.org/info/rfc4787">http://www.rfc-editor.org/info/rfc4787</a>>.
[<a id="ref-RFC4862">RFC4862</a>] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", <a href="./rfc4862">RFC 4862</a>,
DOI 10.17487/RFC4862, September 2007,
<<a href="http://www.rfc-editor.org/info/rfc4862">http://www.rfc-editor.org/info/rfc4862</a>>.
[<a id="ref-RFC4953">RFC4953</a>] Touch, J., "Defending TCP Against Spoofing Attacks",
<a href="./rfc4953">RFC 4953</a>, DOI 10.17487/RFC4953, July 2007,
<<a href="http://www.rfc-editor.org/info/rfc4953">http://www.rfc-editor.org/info/rfc4953</a>>.
<span class="grey">Troan, et al. Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
[<a id="ref-RFC4963">RFC4963</a>] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
Errors at High Data Rates", <a href="./rfc4963">RFC 4963</a>,
DOI 10.17487/RFC4963, July 2007,
<<a href="http://www.rfc-editor.org/info/rfc4963">http://www.rfc-editor.org/info/rfc4963</a>>.
[<a id="ref-RFC5214">RFC5214</a>] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP)", <a href="./rfc5214">RFC 5214</a>,
DOI 10.17487/RFC5214, March 2008,
<<a href="http://www.rfc-editor.org/info/rfc5214">http://www.rfc-editor.org/info/rfc5214</a>>.
[<a id="ref-RFC5382">RFC5382</a>] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
Srisuresh, "NAT Behavioral Requirements for TCP", <a href="https://www.rfc-editor.org/bcp/bcp142">BCP 142</a>,
<a href="./rfc5382">RFC 5382</a>, DOI 10.17487/RFC5382, October 2008,
<<a href="http://www.rfc-editor.org/info/rfc5382">http://www.rfc-editor.org/info/rfc5382</a>>.
[<a id="ref-RFC5508">RFC5508</a>] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", <a href="https://www.rfc-editor.org/bcp/bcp148">BCP 148</a>, <a href="./rfc5508">RFC 5508</a>,
DOI 10.17487/RFC5508, April 2009,
<<a href="http://www.rfc-editor.org/info/rfc5508">http://www.rfc-editor.org/info/rfc5508</a>>.
[<a id="ref-RFC5961">RFC5961</a>] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
Robustness to Blind In-Window Attacks", <a href="./rfc5961">RFC 5961</a>,
DOI 10.17487/RFC5961, August 2010,
<<a href="http://www.rfc-editor.org/info/rfc5961">http://www.rfc-editor.org/info/rfc5961</a>>.
[<a id="ref-RFC5969">RFC5969</a>] Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4
Infrastructures (6rd) -- Protocol Specification",
<a href="./rfc5969">RFC 5969</a>, DOI 10.17487/RFC5969, August 2010,
<<a href="http://www.rfc-editor.org/info/rfc5969">http://www.rfc-editor.org/info/rfc5969</a>>.
[<a id="ref-RFC6056">RFC6056</a>] Larsen, M. and F. Gont, "Recommendations for
Transport-Protocol Port Randomization", <a href="https://www.rfc-editor.org/bcp/bcp156">BCP 156</a>, <a href="./rfc6056">RFC 6056</a>,
DOI 10.17487/RFC6056, January 2011,
<<a href="http://www.rfc-editor.org/info/rfc6056">http://www.rfc-editor.org/info/rfc6056</a>>.
[<a id="ref-RFC6250">RFC6250</a>] Thaler, D., "Evolution of the IP Model", <a href="./rfc6250">RFC 6250</a>,
DOI 10.17487/RFC6250, May 2011,
<<a href="http://www.rfc-editor.org/info/rfc6250">http://www.rfc-editor.org/info/rfc6250</a>>.
[<a id="ref-RFC6269">RFC6269</a>] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", <a href="./rfc6269">RFC 6269</a>,
DOI 10.17487/RFC6269, June 2011,
<<a href="http://www.rfc-editor.org/info/rfc6269">http://www.rfc-editor.org/info/rfc6269</a>>.
[<a id="ref-RFC6324">RFC6324</a>] Nakibly, G. and F. Templin, "Routing Loop Attack Using
IPv6 Automatic Tunnels: Problem Statement and Proposed
Mitigations", <a href="./rfc6324">RFC 6324</a>, DOI 10.17487/RFC6324, August 2011,
<<a href="http://www.rfc-editor.org/info/rfc6324">http://www.rfc-editor.org/info/rfc6324</a>>.
<span class="grey">Troan, et al. Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
[<a id="ref-RFC6333">RFC6333</a>] Durand, A., Droms, R., Woodyatt, J., and Y. Lee,
"Dual-Stack Lite Broadband Deployments Following IPv4
Exhaustion", <a href="./rfc6333">RFC 6333</a>, DOI 10.17487/RFC6333, August 2011,
<<a href="http://www.rfc-editor.org/info/rfc6333">http://www.rfc-editor.org/info/rfc6333</a>>.
[<a id="ref-RFC6335">RFC6335</a>] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
Cheshire, "Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Service Name and
Transport Protocol Port Number Registry", <a href="https://www.rfc-editor.org/bcp/bcp165">BCP 165</a>,
<a href="./rfc6335">RFC 6335</a>, DOI 10.17487/RFC6335, August 2011,
<<a href="http://www.rfc-editor.org/info/rfc6335">http://www.rfc-editor.org/info/rfc6335</a>>.
[<a id="ref-RFC6346">RFC6346</a>] Bush, R., Ed., "The Address plus Port (A+P) Approach to
the IPv4 Address Shortage", <a href="./rfc6346">RFC 6346</a>,
DOI 10.17487/RFC6346, August 2011,
<<a href="http://www.rfc-editor.org/info/rfc6346">http://www.rfc-editor.org/info/rfc6346</a>>.
[<a id="ref-RFC6864">RFC6864</a>] Touch, J., "Updated Specification of the IPv4 ID Field",
<a href="./rfc6864">RFC 6864</a>, DOI 10.17487/RFC6864, February 2013,
<<a href="http://www.rfc-editor.org/info/rfc6864">http://www.rfc-editor.org/info/rfc6864</a>>.
[<a id="ref-RFC7598">RFC7598</a>] Mrugalski, T., Troan, O., Farrer, I., Perreault, S., Dec,
W., Bao, C., Yeh, L., and X. Deng, "DHCPv6 Options for
Configuration of Softwire Address and Port-Mapped
Clients", <a href="./rfc7598">RFC 7598</a>, DOI 10.17487/RFC7598, July 2015,
<<a href="http://www.rfc-editor.org/info/rfc7598">http://www.rfc-editor.org/info/rfc7598</a>>.
[<a id="ref-Solutions-4v6">Solutions-4v6</a>]
Boucadair, M., Ed., Matsushima, S., Lee, Y., Bonness, O.,
Borges, I., and G. Chen, "Motivations for Carrier-side
Stateless IPv4 over IPv6 Migration Solutions", Work in
Progress, <a href="./draft-ietf-softwire-stateless-4v6-motivation-05">draft-ietf-softwire-stateless-4v6-motivation-05</a>,
November 2012.
[<a id="ref-TR069">TR069</a>] Broadband Forum TR-069, "CPE WAN Management Protocol",
Amendment 5, CWMP Version: 1.4, November 2013,
<<a href="https://www.broadband-forum.org">https://www.broadband-forum.org</a>>.
<span class="grey">Troan, et al. Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Examples</span>
Example 1 - Basic Mapping Rule:
Given the MAP domain information and an IPv6 address of
an endpoint:
End-user IPv6 prefix: 2001:db8:0012:3400::/56
Basic Mapping Rule: {2001:db8:0000::/40 (Rule IPv6 prefix),
192.0.2.0/24 (Rule IPv4 prefix),
16 (Rule EA-bit length)}
PSID length: (16 - (32 - 24) = 8 (sharing ratio of 256)
PSID offset: 6 (default)
A MAP node (CE or BR) can, via the BMR or equivalent FMR,
determine the IPv4 address and port set as shown below:
EA bits offset: 40
IPv4 suffix bits (p) Length of IPv4 address (32) -
IPv4 prefix length (24) = 8
IPv4 address: 192.0.2.18 (0xc0000212)
PSID start: 40 + p = 40 + 8 = 48
PSID length: o - p = (56 - 40) - 8 = 8
PSID: 0x34
Available ports (63 ranges): 1232-1235, 2256-2259, ...... ,
63696-63699, 64720-64723
The BMR information allows a MAP CE to determine (complete)
its IPv6 address within the indicated IPv6 prefix.
IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034
<span class="grey">Troan, et al. Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Example 2 - BR:
Another example is a MAP BR, configured with the following FMR
when receiving a packet with the following characteristics:
IPv4 source address: 1.2.3.4 (0x01020304)
IPv4 source port: 80
IPv4 destination address: 192.0.2.18 (0xc0000212)
IPv4 destination port: 1232
Forwarding Mapping Rule: {2001:db8::/40 (Rule IPv6 prefix),
192.0.2.0/24 (Rule IPv4 prefix),
16 (Rule EA-bit length)}
IPv6 address of MAP BR: 2001:db8:ffff::1
The above information allows the BR to derive the mapped
destination IPv6 address for the corresponding MAP CE, and also
the mapped source IPv6 address for the IPv4 source address,
as follows:
IPv4 suffix bits (p): 32 - 24 = 8 (18 (0x12))
PSID length: 8
PSID: 0x34 (1232)
The resulting IPv6 packet will have the following key fields:
IPv6 source address: 2001:db8:ffff::1
IPv6 destination address: 2001:db8:0012:3400:0000:c000:0212:0034
Example 3 - Forwarding Mapping Rule:
An IPv4 host behind the MAP CE (addressed as per the previous
examples) corresponding with IPv4 host 1.2.3.4 will have its
packets encapsulated by IPv6 using the IPv6 address of the BR
configured on the MAP CE as follows:
IPv6 address of BR: 2001:db8:ffff::1
IPv4 source address: 192.0.2.18
IPv4 destination address: 1.2.3.4
IPv4 source port: 1232
IPv4 destination port: 80
MAP CE IPv6 source address: 2001:db8:0012:3400:0000:c000:0212:0034
IPv6 destination address: 2001:db8:ffff::1
<span class="grey">Troan, et al. Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Example 4 - Rule with no embedded address bits and no address
sharing:
End-user IPv6 prefix: 2001:db8:0012:3400::/56
Basic Mapping Rule: {2001:db8:0012:3400::/56 (Rule IPv6 prefix),
192.0.2.18/32 (Rule IPv4 prefix),
0 (Rule EA-bit length)}
PSID length: 0 (sharing ratio is 1)
PSID offset: n/a
A MAP node (CE or BR) can, via the BMR or equivalent FMR, determine
the IPv4 address and port set as shown below:
EA bits offset: 0
IPv4 suffix bits (p): Length of IPv4 address (32) -
IPv4 prefix length (32) = 0
IPv4 address: 192.0.2.18 (0xc0000212)
PSID start: 0
PSID length: 0
PSID: null
The BMR information allows a MAP CE to also determine (complete)
its full IPv6 address by combining the IPv6 prefix with the MAP
interface identifier (that embeds the IPv4 address).
IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0000
<span class="grey">Troan, et al. Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Example 5 - Rule with no embedded address bits and address sharing
(sharing ratio of 256):
End-user IPv6 prefix: 2001:db8:0012:3400::/56
Basic Mapping Rule: {2001:db8:0012:3400::/56 (Rule IPv6 prefix),
192.0.2.18/32 (Rule IPv4 prefix),
0 (Rule EA-bit length)}
PSID length: 8 (from DHCP; sharing ratio of 256)
PSID offset: 6 (default)
PSID: 0x34 (from DHCP)
A MAP node can, via the Basic Mapping Rule, determine the IPv4
address and port set as shown below:
EA bits offset: 0
IPv4 suffix bits (p): Length of IPv4 address (32) -
IPv4 prefix length (32) = 0
IPv4 address: 192.0.2.18 (0xc0000212)
PSID offset: 6
PSID length: 8
PSID: 0x34
Available ports (63 ranges): 1232-1235, 2256-2259, ...... ,
63696-63699, 64720-64723
The Basic Mapping Rule information allows a MAP CE to also
determine (complete) its full IPv6 address by combining the IPv6
prefix with the MAP interface identifier (that embeds the IPv4
address and PSID).
IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034
Note that the IPv4 address and PSID are not derived from the IPv6
prefix assigned to the CE but are provisioned separately using,
for example, DHCP.
<span class="grey">Troan, et al. Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>. A More Detailed Description of the Derivation of the</span>
Port-Mapping Algorithm
This appendix describes how the port-mapping algorithm described in
<a href="#section-5.1">Section 5.1</a> was derived. The algorithm is used in domains whose
rules allow IPv4 address sharing.
The basic requirement for a port-mapping algorithm is that the port
sets it assigns to different MAP CEs MUST be non-overlapping. A
number of other requirements guided the choice of the algorithm:
o In keeping with the general MAP algorithm, the port set MUST be
derivable from a Port Set identifier (PSID) that can be embedded
in the End-user IPv6 prefix.
o The mapping MUST be reversible such that, given the port number,
the PSID of the port set to which it belongs can be quickly
derived.
o The algorithm MUST allow a broad range of address-sharing ratios.
o It SHOULD be possible to exclude subsets of the complete port
numbering space from assignment. Most operators would exclude the
system ports (0-1023). A conservative operator might exclude all
but the transient ports (49152-65535).
o The effect of port exclusion on the possible values of the
End-user IPv6 prefix (i.e., due to restrictions on the PSID value)
SHOULD be minimized.
o For administrative simplicity, the algorithm SHOULD allocate the
same or almost the same number of ports to each CE sharing a given
IPv4 address.
The two extreme cases that an algorithm satisfying those conditions
might support are when (1) the port numbers are not contiguous for
each PSID but uniformly distributed across the allowed port range and
(2) the port numbers are contiguous in a single range for each PSID.
The port-mapping algorithm proposed here is called the Generalized
Modulus Algorithm (GMA) and supports both of these cases.
<span class="grey">Troan, et al. Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
For a given IPv4 address-sharing ratio (R) and the maximum number of
contiguous ports (M) in a port set, the GMA is defined as follows:
a. The port numbers (P) corresponding to a given PSID are
generated by:
(1) ... P = (R * M) * i + M * PSID + j
where i and j are indices and the ranges of i, j, and the PSID
are discussed below.
b. For any given port number P, the PSID is calculated as:
(2) ... PSID = trunc((P modulo (R * M)) / M)
where trunc() is the operation of rounding down to the nearest
integer.
Formula (1) can be interpreted as follows. First, the available port
space is divided into blocks of size R * M. Each block is divided
into R individual ranges of length M. The index i in formula (1)
selects a block, PSID selects a range within that block, and the
index j selects a specific port value within the range. On the basis
of this interpretation:
o i ranges from ceil(N / (R * M)) to trunc(65536/(R * M)) - 1, where
ceil is the operation of rounding up to the nearest integer and N
is the number of ports (e.g., 1024) excluded from the lower end of
the range. That is, any block containing excluded values is
discarded at the lower end, and if the final block has fewer than
R * M values it is discarded. This ensures that the same number
of ports is assigned to every PSID.
o PSID ranges from 0 to R - 1.
o j ranges from 0 to M - 1.
<span class="grey">Troan, et al. Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h3"><a class="selflink" id="appendix-B.1" href="#appendix-B.1">B.1</a>. Bit Representation of the Algorithm</span>
If R and M are powers of 2 (R = 2^k, M = 2^m), formula (1) translates
to a computationally convenient structure for any port number
represented as a 16-bit binary number. This structure is shown in
Figure 9.
0 8 15
+---------------+----------+------+-------------------+
| P |
----------------+-----------------+-------------------+
| i | PSID | j |
+---------------+----------+------+-------------------+
|<----a bits--->|<-----k bits---->|<------m bits----->|
Figure 9: Bit Representation of a Port Number
As shown in the figure, the index value i of formula (1) is given by
the first a = 16 - k - m bits of the port number. The PSID value is
given by the next k bits, and the index value j is given by the last
m bits.
Because the PSID is always in the same position in the port number
and always the same length, different PSID values are guaranteed to
generate different sets of port numbers. In the reverse direction,
the generating PSID can be extracted from any port number by a
bitmask operation.
Note that when M and R are powers of 2, 65536 divides evenly by
R * M. Hence, the final block is complete, and the upper bound on i
is exactly 65536/(R * M) - 1. The lower bound on i is still the
minimum required to ensure that the required set of ports is
excluded. No port numbers are wasted through the discarding of
blocks at the lower end if block size R * M is a factor of N, the
number of ports to be excluded.
As a final note, the number of blocks into which the range 0-65535 is
being divided in the above representation is given by 2^a. Hence,
the case where a = 0 can be interpreted as one where the complete
range has been divided into a single block, and individual port sets
are contained in contiguous ranges in that block. We cannot throw
away the whole block in that case, so port exclusion has to be
achieved by putting a lower bound equal to ceil(N / M) on the allowed
set of PSID values instead.
<span class="grey">Troan, et al. Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
<span class="h3"><a class="selflink" id="appendix-B.2" href="#appendix-B.2">B.2</a>. GMA Examples</span>
For example, for R = 256, PSID = 0, offset: a = 6 and PSID length:
k = 8 bits:
Available ports (63 ranges): 1024-1027, 2048-2051, ...... ,
63488-63491, 64512-64515
Example 1: with offset = 6 (a = 6)
For example, for R = 64, PSID = 0, a = 0 (PSID offset = 0 and PSID
length = 6 bits), no port exclusion:
Available ports (1 range): 0-1023
Example 2: with offset = 0 (a = 0) and N = 0
Acknowledgements
This document is based on the ideas of many, including Masakazu
Asama, Mohamed Boucadair, Gang Chen, Maoke Chen, Wojciech Dec,
Xiaohong Deng, Jouni Korhonen, Tomek Mrugalski, Jacni Qin, Chunfa
Sun, Qiong Sun, and Leaf Yeh. The authors want in particular to
recognize Remi Despres, who has tirelessly worked on generalized
mechanisms for stateless address mapping.
The authors would like to thank Lichun Bao, Guillaume Gottard, Dan
Wing, Jan Zorz, Necj Scoberne, Tina Tsou, Kristian Poscic, and
especially Tom Taylor and Simon Perreault for the thorough review and
comments of this document. Useful IETF Last Call comments were
received from Brian Weis and Lei Yan.
<span class="grey">Troan, et al. Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Contributors
This document is the result of the IETF Softwire MAP design team
effort and numerous previous individual contributions in this area:
Chongfeng Xie
China Telecom
Room 708, No. 118, Xizhimennei Street
Beijing 100035
China
Phone: +86-10-58552116
Email: xiechf@ctbri.com.cn
Qiong Sun
China Telecom
Room 708, No. 118, Xizhimennei Street
Beijing 100035
China
Phone: +86-10-58552936
Email: sunqiong@ctbri.com.cn
Gang Chen
China Mobile
29, Jinrong Avenue
Xicheng District, Beijing 100033
China
Email: phdgang@gmail.com, chengang@chinamobile.com
Yu Zhai
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China
Email: jacky.zhai@gmail.com
Wentao Shang
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China
Email: wentaoshang@gmail.com
<span class="grey">Troan, et al. Standards Track [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Guoliang Han
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China
Email: bupthgl@gmail.com
Rajiv Asati
Cisco Systems
7025-6 Kit Creek Road
Research Triangle Park, NC 27709
United States
Email: rajiva@cisco.com
Authors' Addresses
Ole Troan (editor)
Cisco Systems
Philip Pedersens vei 1
Lysaker 1366
Norway
Email: ot@cisco.com
Wojciech Dec
Cisco Systems
Haarlerbergpark Haarlerbergweg 13-19
Amsterdam, NOORD-HOLLAND 1101 CH
The Netherlands
Email: wdec@cisco.com
Xing Li
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China
Email: xing@cernet.edu.cn
<span class="grey">Troan, et al. Standards Track [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc7597">RFC 7597</a> MAP-E July 2015</span>
Congxiao Bao
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China
Email: congxiao@cernet.edu.cn
Satoru Matsushima
SoftBank Telecom
1-9-1 Higashi-Shinbashi, Munato-ku
Tokyo
Japan
Email: satoru.matsushima@g.softbank.co.jp
Tetsuya Murakami
IP Infusion
1188 East Arques Avenue
Sunnyvale, CA 94085
United States
Email: tetsuya@ipinfusion.com
Tom Taylor (editor)
Huawei Technologies
Ottawa
Canada
Email: tom.taylor.stds@gmail.com
Troan, et al. Standards Track [Page 35]
</pre>
|
