From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc7269.txt | 1235 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1235 insertions(+) create mode 100644 doc/rfc/rfc7269.txt (limited to 'doc/rfc/rfc7269.txt') diff --git a/doc/rfc/rfc7269.txt b/doc/rfc/rfc7269.txt new file mode 100644 index 0000000..b6557e6 --- /dev/null +++ b/doc/rfc/rfc7269.txt @@ -0,0 +1,1235 @@ + + + + + + +Internet Engineering Task Force (IETF) G. Chen +Request for Comments: 7269 Z. Cao +Category: Informational China Mobile +ISSN: 2070-1721 C. Xie + China Telecom + D. Binet + France Telecom-Orange + June 2014 + + + NAT64 Deployment Options and Experience + +Abstract + + This document summarizes NAT64 function deployment scenarios and + operational experience. Both NAT64 Carrier-Grade NAT (NAT64-CGN) and + NAT64 server Front End (NAT64-FE) are considered in this document. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7269. + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + +Chen, et al. Informational [Page 1] + +RFC 7269 NAT64 Experience June 2014 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 3. NAT64 Networking Experience . . . . . . . . . . . . . . . . . 4 + 3.1. NAT64-CGN Consideration . . . . . . . . . . . . . . . . . 4 + 3.1.1. NAT64-CGN Usages . . . . . . . . . . . . . . . . . . 4 + 3.1.2. DNS64 Deployment . . . . . . . . . . . . . . . . . . 4 + 3.1.3. NAT64 Placement . . . . . . . . . . . . . . . . . . . 5 + 3.1.4. Coexistence of NAT64 and NAT44 . . . . . . . . . . . 5 + 3.2. NAT64-FE Consideration . . . . . . . . . . . . . . . . . 6 + 4. High Availability . . . . . . . . . . . . . . . . . . . . . . 7 + 4.1. Redundancy Design . . . . . . . . . . . . . . . . . . . . 7 + 4.2. Load Balancing . . . . . . . . . . . . . . . . . . . . . 9 + 5. Source-Address Transparency . . . . . . . . . . . . . . . . . 9 + 5.1. Traceability . . . . . . . . . . . . . . . . . . . . . . 9 + 5.2. Geolocation . . . . . . . . . . . . . . . . . . . . . . . 10 + 6. Quality of Experience . . . . . . . . . . . . . . . . . . . . 11 + 6.1. Service Reachability . . . . . . . . . . . . . . . . . . 11 + 6.2. Resource Reservation . . . . . . . . . . . . . . . . . . 13 + 7. MTU Considerations . . . . . . . . . . . . . . . . . . . . . 13 + 8. ULA Usages . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15 + 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 + 11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 16 + 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 12.1. Normative References . . . . . . . . . . . . . . . . . . 16 + 12.2. Informative References . . . . . . . . . . . . . . . . . 18 + Appendix A. Test Results for Application Behavior . . . . . . . 21 + +1. Introduction + + IPv6 is the only sustainable solution for numbering nodes on the + Internet due to the IPv4 depletion. Network operators have to deploy + IPv6-only networks in order to meet the needs of the expanding + Internet without available IPv4 addresses. + + Single-stack IPv6 network deployment can simplify network + provisioning; some justification was provided in 464XLAT [RFC6877]. + IPv6-only connectivity confers some benefits to mobile operators as + an example. In the mobile context, IPv6-only usage enables the use + of a single IPv6 Packet Data Protocol (PDP) context or Evolved Packet + System (EPS) bearer on Long Term Evolution (LTE) networks. This + eliminates significant network costs (caused by employing two PDP + contexts in some cases) and the need for IPv4 addresses to be + assigned to customers. In broadband networks overall, it can allow + for the scaling of edge-network growth to be decoupled from IPv4 + numbering limitations. + + + +Chen, et al. Informational [Page 2] + +RFC 7269 NAT64 Experience June 2014 + + + In transition scenarios, some existing networks are likely to be IPv4 + only for quite a long time. IPv6 networks and IPv6-only hosts will + need to coexist with IPv4 numbered resources. Widespread dual-stack + deployments have not materialized at the anticipated rate over the + last 10 years, one possible conclusion being that legacy networks + will not make the jump quickly. The Internet will include nodes that + are dual stack, nodes that remain IPv4 only, and nodes that can be + deployed as IPv6-only nodes. A translation mechanism based on a + NAT64 function [RFC6145] [RFC6146] is likely to be a key element of + Internet connectivity for IPv6-IPv4 interoperability. + + [RFC6036] reports at least 30% of operators plan to run some kind of + translator (presumably NAT64/DNS64). Advice on NAT64 deployment and + operations are therefore of some importance. [RFC6586] documents the + implications for IPv6-only networks. This document intends to be + specific to NAT64 network planning. + +2. Terminology + + Regarding IPv4/IPv6 translation, [RFC6144] has described a framework + for enabling networks to make interworking possible between IPv4 and + IPv6 networks. Two operation modes (i.e., stateful translation and + stateless translation) have been described in Section 3.2 of + [RFC6144]. This document describes the usage of those two operation + modes and has further categorized different NAT64 functions, + locations, and use cases. The principal distinction of location is + whether the NAT64 is located in a Carrier-Grade NAT or server Front + End. The terms "NAT-CGN" and "NAT-FE" are understood to be a + topological distinction indicating different features employed in a + NAT64 deployment. + + NAT64 Carrier Grade NAT (NAT64-CGN): A NAT64-CGN is placed in an ISP + network. IPv6-enabled subscribers leverage the NAT64-CGN to + access existing IPv4 Internet services. The ISP as an + administrative entity takes full control of the IPv6 side, but it + has limited or no control on the IPv4 Internet side. NAT64-CGN + deployments may have to consider the IPv4 Internet environment and + services, and make appropriate configuration choices accordingly. + + NAT64 server Front End (NAT64-FE): A NAT64-FE is generally a device + with NAT64 functionality in a content provider or data center + network. It could be, for example, a traffic load balancer or a + firewall. The operator of the NAT64-FE has full control over the + IPv4 network within the data center but only limited influence or + control over the external Internet IPv6 network. + + + + + + +Chen, et al. Informational [Page 3] + +RFC 7269 NAT64 Experience June 2014 + + +3. NAT64 Networking Experience + +3.1. NAT64-CGN Consideration + +3.1.1. NAT64-CGN Usages + + Fixed network operators and mobile operators may locate NAT64 + translators in access networks or in mobile core networks. NAT64 can + be built into various devices, including routers, gateways, or + firewalls, in order to connect IPv6 users to the IPv4 Internet. With + regard to the numbers of users and the shortage of public IPv4 + addresses, stateful NAT64 [RFC6146] is more suited to maximize + sharing of public IPv4 addresses. The usage of stateless NAT64 can + provide better transparency features [MOTIVATION], but it has to be + coordinated with Address plus Port (A+P) processes [RFC6346] as + specified in [MAP-T] in order to deal with an IPv4 address shortage. + +3.1.2. DNS64 Deployment + + DNS64 [RFC6147] is recommended for use in combination with stateful + NAT64, and it will likely be an essential part of an IPv6 single- + stack network that couples to the IPv4 Internet. 464XLAT [RFC6877] + can enable access of IPv4-only applications or applications that call + IPv4 literal addresses. Using DNS64 will help 464XLAT to + automatically discover NAT64 prefixes through [RFC7050]. Berkeley + Internet Name Daemon (BIND) software supports that function. It's + important to note that DNS64 generates the synthetic AAAA reply when + services only provide A records. Operators should not expect to + access IPv4 parts of a dual-stack server using NAT64/DNS64. The + traffic is forwarded on IPv6 paths if dual-stack servers are + targeted. IPv6 traffic may be routed around rather than going + through NAT64. Only the traffic going to IPv4-only services would + traverse the NAT64 translator. In some sense, it encourages IPv6 + usage and limits NAT translation compared to employing NAT44, where + all traffic flows have to be translated. In some cases, NAT64-CGNs + may serve double roles, i.e., as a translator and IPv6 forwarder. In + mobile networks, NAT64 may be deployed as the default gateway serving + all the IPv6 traffic. The traffic heading to a dual-stack server is + only forwarded on the NAT64. Therefore, both IPv6 and IPv4 are + suggested to be configured on the Internet-facing interfaces of + NAT64. We tested on the top 100 websites (referring to [Alexa] + statistics). 43% of websites are connected and forwarded on NAT64 + since those websites have both AAAA and A records. With expansion of + IPv6 support, the translation process on NAT64 will likely become + less important over time. It should be noted that the DNS64-DNSSEC + interaction [RFC6147] may impact validation of Resource Records + retrieved from the DNS64 process. In particular, DNSSEC validation + + + + +Chen, et al. Informational [Page 4] + +RFC 7269 NAT64 Experience June 2014 + + + will fail when DNS64 synthesizes AAAA records where there is a DNS + query received with the "DNSSEC OK" (DO) bit set and the "Checking + Disabled" (CD) bit set. + +3.1.3. NAT64 Placement + + All connections to IPv4 services from IPv6-only clients must traverse + the NAT64-CGN. It can be advantageous from the viewpoint of + troubleshooting and traffic engineering to carry the IPv6 traffic + natively for as long as possible within an access network and + translate packets only at or near the network egress. NAT64 may be a + feature of the Autonomous System (AS) border in fixed networks. It + may be deployed in an IP node beyond the Gateway GPRS Support Node + (GGSN) or Packet Data Network Gateway (PDN-GW) in mobile networks or + directly as part of the gateway itself in some situations. This + allows consistent attribution and traceability within the service + provider network. It has been observed that the process of + correlating log information is problematic from multiple vendors' + equipment due to inconsistent formats of log records. Placing NAT64 + in a centralized location may reduce diversity of log format and + simplify the network provisioning. Moreover, since NAT64 is only + targeted at serving traffic flows from IPv6 to IPv4-only services, + the user traffic volume should not be as high as in a NAT44 scenario, + and therefore, the gateway's capacity in such a location may be less + of a concern or a hurdle to deployment. On the other hand, placement + in a centralized fashion would require more strict high-availability + (HA) design. It would also make geolocation based on IPv4 addresses + rather inaccurate as is currently the case for NAT44 CGNs already + deployed in ISP networks. More considerations or workarounds on HA + and traceability can be found in Sections 4 and 5. + +3.1.4. Coexistence of NAT64 and NAT44 + + NAT64 will likely coexist with NAT44 in a dual-stack network where + IPv4 private addresses are allocated to customers. The coexistence + has already been observed in mobile networks, in which dual-stack + mobile phones normally initiate some dual-stack PDN/PDP Type + [RFC6459] to query both IPv4/IPv6 addresses and IPv4-allocated + addresses (which are very often private ones). [RFC6724] always + prioritizes IPv6 connections regardless of whether the end-to-end + path is native IPv6 or IPv6 translated to IPv4 via NAT64/DNS64. + Conversely, a "Happy Eyeballs" [RFC6555] algorithm will direct some + IP flows across IPv4 paths. The selection of IPv4/IPv6 paths may + depend on particular implementation choices or settings on a host-by- + host basis, and it may differ from an operator's deterministic + scheme. Our tests verified that hosts may find themselves switching + between IPv4 and IPv6 paths as they access identical services, but at + different times [COEXIST]. Since the topology on each path is + + + +Chen, et al. Informational [Page 5] + +RFC 7269 NAT64 Experience June 2014 + + + potentially different, it may cause unstable user experience and some + degradation of Quality of Experience (QoE) when falling back to the + other protocol. It's also difficult for operators to find a solution + to make a stable network with optimal resource utilization. In + general, it's desirable to figure out the solution that will + introduce IPv6/IPv4 translation service to IPv6-only hosts connecting + to IPv4 servers, while making sure dual-stack hosts have at least one + address family accessible via native service if possible. With the + end-to-end native IPv6 environment available, hosts should be + upgraded aggressively to migrate in favor of IPv6 only. There are + ongoing efforts to detect host connectivity and propose a new DHCPv6 + option [CONN-STATUS] to convey appropriate configuration information + to the hosts. + +3.2. NAT64-FE Consideration + + Some Internet Content Providers (ICPs) may locate NAT64 in front of + an Internet Data Center (IDC), for example, co-located with a load- + balancing function. Load balancers are employed to connect different + IP family domains and distribute workloads across multiple domains or + internal servers. In some cases, IPv4 address exhaustion may not be + a problem in an IDC's internal network. IPv6 support for some + applications may require increased investment and workload, so IPv6 + support may not be a priority. NAT64 can be used to support + widespread IPv6 adoption on the Internet while maintaining access to + IPv4-only applications. + + Different strategies have been described in [RFC6883]; they are + referred to as "inside out" and "outside in". An IDC operator may + implement the following practices in the NAT64-FE networking + scenario. + + o Some ICPs who already have satisfactory operational experience + might adopt single-stack IPv6 operation in building data center + networks, servers, and applications, as it allows new services to + be delivered without having to consider IPv4 NAT or the address + limitations of IPv4 networks. Stateless NAT64 [RFC6145] can used + to provide services for IPv4-only customers. [SIIT] has provided + further descriptions and guidelines. + + o ICPs who attempt to offer customers IPv6 support in their + application farms at an early stage will likely run proxies, load + balancers, or translators that are configured to handle incoming + IPv6 flows and proxy them to IPv4 back-end systems. Many load + balancers integrate proxy functionality. IPv4 addresses + configured in the proxy may be multiplexed like a stateful NAT64 + translator. A similar challenge exists as more users with IPv6 + connectivity access IPv4 networks. High loads on load balancers + + + +Chen, et al. Informational [Page 6] + +RFC 7269 NAT64 Experience June 2014 + + + may be apt to cause additional latency, IPv4 pool exhaustion, etc. + Therefore, this approach is only reasonable at an early stage. + ICPs may employ dual stack or IPv6 single stack in a further + stage, since native IPv6 is frequently more desirable than any of + the transition solutions. + + [RFC6144] recommends that AAAA records of load balancers or + application servers can be directly registered in the authoritative + DNS servers. In this case, there is no need to deploy DNS64 name + servers. Those AAAA records can point to natively assigned IPv6 + addresses or IPv4-converted IPv6 addresses [RFC6052]. Hosts are not + aware of the NAT64 translator on the communication path. For testing + purposes, operators could employ an independent subdomain, e.g., + ipv6exp.example.com, to identify experimental IPv6 services to users. + How to design the Fully Qualified Domain Name (FQDN) for the IPv6 + service is outside the scope of this document. + +4. High Availability + +4.1. Redundancy Design + + High Availability (HA) is a major requirement for every service and + network service. Deploying redundancy mechanisms is essential to + avoiding failure and significantly increasing the network + reliability. It's useful not only to stateful NAT64 cases but also + to stateless NAT64 gateways. + + Three redundancy modes are mainly used: Cold Standby, Warm Standby, + and Hot Standby. + + o Cold Standby HA devices do not replicate the NAT64 states from the + primary equipment to the backup. Administrators switch on the + backup NAT64 only if the primary NAT64 fails. As a result, all + existing established sessions through a failed translator will be + disconnected. The translated flows will need to be recreated by + end systems. Since the backup NAT64 is manually configured to + switch over to active NAT64, it may have unpredictable impacts to + the ongoing services. + + o Warm Standby is a flavor of the Cold Standby mode. Backup NAT64 + would keep running once the primary NAT64 is working. This makes + Warm Standby less time-consuming during the traffic failover. The + Virtual Router Redundancy Protocol (VRRP)[RFC5798] can be a + solution to enable automatic handover during Warm Standby. During + testing, the handover took a maximum of 1 minute if the backup + NAT64 had to take over routing and reconstruct the Binding + + + + + +Chen, et al. Informational [Page 7] + +RFC 7269 NAT64 Experience June 2014 + + + Information Bases (BIBs) for 30 million sessions. In the + deployment phase, operators could balance loads on distinct NAT64 + devices. Those NAT64 devices make a warm backup of each other. + + o Hot Standby must synchronize the BIBs between the primary NAT64 + and backup. When the primary NAT64 fails, the backup NAT64 takes + over and maintains the state of all existing sessions. The + internal hosts don't have to reconnect the external hosts. The + handover time is extremely reduced. During testing that employed + Bidirectional Forwarding Detection (BFD) [RFC5880] combined with + VRRP, a handover time of only 35 ms for 30 million sessions was + observed. Under ideal conditions, Hot Standby deployments could + guarantee the session continuity for every service. In order to + transmit session states in a timely manner, operators may have to + deploy extra transport links between the primary NAT64 and the + distant backup. The scale of synchronization of the data instance + depends on the particular deployment. For example, if a NAT64-CGN + serves 200,000 users, an average amount of 800,000 sessions per + second is a rough estimate of the newly created and expired + sessions. A physical 10 Gbit/s transport link may have to be + deployed for the sync data transmission considering the amount of + sync sessions at the peak and the capacity redundancy. + + In general, Cold Standby and Warm Standby are simpler and less + resource intensive, but they require clients to re-establish sessions + when a failover occurs. Hot Standby increases resource consumption + in order to synchronize state, but it potentially achieves seamless + handover. For stateless NAT64, considerations are simple because + state synchronization is unnecessary. Regarding stateful NAT64, it + may be useful to investigate the performance tolerance of + applications and the traffic characteristics in a particular network. + Some test results are shown in the Appendix A. + + Our statistics in a mobile network shown that almost 91.21% of + traffic is accounted by HTTP/HTTPS services. These services + generally don't require session continuity. Hot Standby does not + offer much benefit for those sessions on this point. In fixed + networks, HTTP streaming, P2P, and online games would be the major + traffic beneficiaries of Hot Standby replication [Cisco-VNI]. + Consideration should be given to the importance of maintaining + bindings for those sessions across failover. Operators may also + consider the Average Revenue Per User (ARPU) when deploying a + suitable redundancy mode. Warm Standby may still be adopted to cover + most services, while Hot Standby could be used to upgrade the Quality + of Experience (QoE) and using DNS64 to generate different synthetic + responses for limited traffic or destinations. Further + considerations are discussed at Section 6. + + + + +Chen, et al. Informational [Page 8] + +RFC 7269 NAT64 Experience June 2014 + + +4.2. Load Balancing + + Load balancing is used to accompany redundancy design so that better + scalability and resiliency can be achieved. Stateless NAT64s allow + asymmetric routing, while anycast-based solutions are recommended in + [MAP-DEPLOY]. The deployment of load balancing may make more sense + to stateful NAT64s for the sake of avoiding single-point failures. + Since the NAT64-CGN and NAT64-FE have distinct facilities, the + following lists the considerations for each case. + + o NAT64-CGN normally doesn't implement load-balancing functions; + they may be implemented in other dedicated equipment. Therefore, + the gateways have to resort to DNS64 or an internal host's + behavior. Once DNS64 is deployed, the load balancing can be + performed by synthesizing the AAAA response with different IPv6 + prefixes. For the applications not requiring a DNS resolver, + internal hosts could learn multiple IPv6 prefixes through the + approaches defined in [RFC7050] and then select one based on a + given prefix selection policy. + + o A dedicated load balancer could be deployed at the front of a + NAT64-FE farm. The load balancer could use proxy mode to redirect + the flows to the appropriate NAT64 instance. Stateful NAT64s + require a deterministic pattern to arrange the traffic in order to + ensure outbound/inbound flows traverse the identical NAT64. + Therefore, static scheduling algorithms, for example, a source- + address-based policy, is preferred. A dynamic algorithm, for + example, Round-Robin, may have impacts on applications seeking + session continuity, which are described in Table 1. + +5. Source-Address Transparency + +5.1. Traceability + + Traceability is required in many cases, such as meeting accounting + requirements and identifying the sources of malicious attacks. + Operators are asked to record the NAT64 log information for specific + periods of time. In our lab testing, the log information from + 200,000 subscribers was collected from a stateful NAT64 gateway for + 60 days. Syslog [RFC5424] has been adopted to transmit log messages + from NAT64 to a log station. Each log message contains the transport + protocol, source IPv6 address:port, translated IPv4 address:port, and + timestamp. It takes almost 125 bytes in ASCII format. It has been + verified that the rate of traffic flow is around 72,000 flows per + second, and the volume of recorded information reaches up to 42.5 + terabytes in the raw format. The volume is 29.07 terabytes in a + + + + + +Chen, et al. Informational [Page 9] + +RFC 7269 NAT64 Experience June 2014 + + + compact format. At scale, operators have to build up dedicated + transport links, storage systems, and servers for the purpose of + managing such logging. + + There are also several improvements that can be made to mitigate the + issue. For example, stateful NAT64 could be configured with the bulk + port allocation method. Once a subscriber creates the first session, + a number of ports are pre-allocated. A bulk allocation message is + logged indicating this allocation. Subsequent session creations will + use one of the pre-allocated ports and hence do not require logging. + The log volume in this case may be only one thousandth of that of + dynamic port allocation. Some implementations may adopt static port- + range allocations [DET-CGN] that eliminate the need for per- + subscriber logging. As a side effect of those methods, the IPv4 + multiplexing efficiency is decreased. For example, the utilization + ratio of public IPv4 addresses drops to approximately 75% when the + NAT64 gateway is configured with bulk port allocation. (The lab + testing allocates each subscriber with 400 ports.) In addition, + port-range-based allocation should consider port randomization as + described in [RFC6056]. The trade-off among address multiplexing + efficiency, logging storage compression, and port allocation + complexity should be considered. More discussions can be found in + [PORT-ALLOC]. The decision can balance usable IPv4 resources against + investments in log systems. + +5.2. Geolocation + + IP addresses are usually used as inputs to geolocation services. The + use of address sharing prevents these systems from resolving the + location of a host based on IP address alone. Applications that + assume such geographic information may not work as intended. The + possible solutions listed in [RFC6967] are intended to bridge the + gap. However, those solutions can only provide a suboptimal + substitution to solve the problem of host identification; in + particular, it may not solve today's problems with source + identification through translation. The following lists current + practices to mitigate the issue. + + o Operators who adopt NAT64-FE may leverage the application-layer + proxies, e.g., X-Forwarded-For (XFF) [RFC7239], to convey the IPv6 + source address in HTTP headers. Those messages would be passed on + to web servers. The log parsing tools are required to be able to + support IPv6 and may lookup RADIUS servers for the target + subscribers based on IPv6 addresses included in XFF HTTP headers. + XFF is the de facto standard that has been integrated in most load + balancers. Therefore, it may be superior to use in a NAT-FE + environment. On the downside, XFF is specific to HTTP. It + + + + +Chen, et al. Informational [Page 10] + +RFC 7269 NAT64 Experience June 2014 + + + restricts usage so that the solution can't be applied to requests + made over HTTPS. This makes geolocation problematic for HTTPS- + based services. + + o The NAT64-CGN equipment may not implement XFF. Geolocation based + on shared IPv4 addresses is rather inaccurate in that case. + Operators could subdivide the outside IPv4 address pool so an IPv6 + address can be translated depending on the IPv6 subscriber's + geographical locations. As a consequence, location information + can be identified from a certain IPv4 address range. [RFC6967] + also enumerates several options to reveal the host identifier. + Each solution likely has its own specific usage. For the + geolocation systems relying on a RADIUS database [RFC5580], we + have investigated delivering NAT64 BIBs and Session Table Entries + (STEs) to a RADIUS server [NAT64-RADIUS]. This method could + provide a geolocation system with an internal IPv6 address to + identify each user. It can be paired with [RFC5580] to convey the + original source address through the same message bus. + +6. Quality of Experience + +6.1. Service Reachability + + NAT64 is providing a translation capability between IPv6 and IPv4 end + nodes. In order to provide reachability between two IP address + families, NAT64-CGN has to implement appropriate application-aware + functions, i.e., Application Layer Gateways (ALGs), where address + translation is not sufficient and security mechanisms do not render + the functions infeasible. Most NAT64-CGNs mainly provide FTP-ALG + [RFC6384]. NAT64-FEs may have functional richness on the load + balancer; for example, HTTP-ALG, HTTPS-ALG, RTSP-ALG, and SMTP-ALG + have been supported. Those application protocols exchange IP address + and port parameters within a control session, for example, using the + "Via" field in a HTTP header, "Transport" field in an RTSP SETUP + message, or "Received:" header in a SMTP message. ALG functions will + detect those fields and make IP address translations. It should be + noted that ALGs may impact the performance on a NAT64 box to some + extent. ISPs as well as content providers might choose to avoid + situations where the imposition of an ALG might be required. At the + same time, it is also important to remind customers and application + developers that IPv6 end-to-end usage does not require ALG imposition + and therefore results in a better overall user experience. + + The service reachability is also subject to the IPv6 support in the + client side. We tested several kinds of applications as shown in the + below table to verify the IPv6 support. The experiences of some + applications are still aligned with [RFC6586]. For example, we + tested P2P file sharing and streaming applications including eMule + + + +Chen, et al. Informational [Page 11] + +RFC 7269 NAT64 Experience June 2014 + + + v0.50a, Thunder v7.9, and PPS TV v3.2.0. It has been found there are + some software issues with the support of IPv6 at this time. The + application software would benefit from 464XLAT [RFC6877] until the + software adds IPv6 support. A SIP-based voice call has been tested + in the LTE mobile environment as specified in [IR.92]. The voice + call failed due to the lack of NAT64 traversal when an IPv6 SIP user + agent communicates with an IPv4 SIP user agent. In order to address + the failure, Interactive Connectivity Establishment (ICE) as + described in [RFC5245] is recommended to be supported for the SIP + IPv6 transition. [RFC6157] describes both signaling and the media- + layer process, which should be followed. In addition, it is worth + noting that ICE is not only useful for NAT traversal, but also for + firewall [RFC6092] traversal in a native IPv6 deployment. + + Different IPsec modes for VPN services have been tested, including + IPsec Authentication Header (AH) and IPsec Encapsulating Security + Payload (ESP). It has been shown that IPsec AH fails because the + destination host detects the IP header changes and invalidates the + packets. IPsec ESP failed in our testing because the NAT64 does not + translate IPsec ESP (i.e., protocol 50) packets. It has been + suggested that IPsec ESP would succeed if the IPsec client supports + NAT traversal in the Internet Key Exchange Protocol (IKE) [RFC3947] + and uses IPsec ESP over UDP [RFC3948]. + + Table 1: The Tested Applications + + +----------------+----------------------------------------------------+ + | Application | Results and Issues Found | + +----------------+----------------------------------------------------+ + | Web service | Mostly pass; some failures due to IPv4 literals | + +----------------+----------------------------------------------------+ + |Instant Message | Mostly fail; software can't support IPv6 | + +----------------+----------------------------------------------------+ + | Games | Mostly pass for web-based games; mostly fail for | + | | standalone games due to the lack of IPv6 support | + | | in software | + +----------------+----------------------------------------------------+ + | SIP VoIP | Fail, due to the lack of NAT64 traversal | + +----------------+----------------------------------------------------+ + | IPsec VPN | Fail; the translated IPsec packets are invalidated | + +----------------+----------------------------------------------------+ + |P2P file sharing| Mostly fail; software can't support IPv6, | + |and streaming | e.g., eMule, Thunder, and PPS TV | + +----------------+----------------------------------------------------+ + | FTP | Pass | + +----------------+----------------------------------------------------+ + | Email | Pass | + +----------------+----------------------------------------------------+ + + + +Chen, et al. Informational [Page 12] + +RFC 7269 NAT64 Experience June 2014 + + +6.2. Resource Reservation + + Session status normally is managed by a static timer. For example, + the value of the "established connection idle-timeout" must not be + less than 2 hours 4 minutes [RFC5382] for TCP sessions and 5 minutes + for UDP sessions [RFC4787]. In some cases, NAT resources may be + significantly consumed by largely inactive users. The NAT and other + customers would suffer from service degradation due to port + consumption by other subscribers using the same NAT64 device. A + flexible NAT session control is desirable to resolve these issues. + The Port Control Protocol (PCP) [RFC6887] could be a candidate to + provide such capability. A NAT64-CGN should integrate with a PCP + server to allocate available IPv4 address/port resources. Resources + could be assigned to PCP clients through PCP MAP/PEER mode. Doing so + might improve user experiences, for example, by assigning different + sizes of port ranges for different subscribers. Those mechanisms are + also helpful to minimize terminal battery consumption and reduce the + number of keep-alive messages sent by mobile terminal devices. + + Subscribers can also benefit from network reliability. It has been + discussed that Hot Standby offers a satisfactory experience after + outage of the primary NAT64 has occurred. Operators may rightly be + concerned about the considerable investment required for NAT64 + equipment relative to low ARPU. For example, transport links may be + expensive, because the primary NAT64 and the backup are normally + located at different locations, separated by a relatively large + distance. Additional cost would be incurred to ensure the + connectivity quality. However, that may be necessary to applications + that are delay-sensitive and seek session continuity, for example, + online games and live streaming. Operators may be able to get added + value from those services by offering first-class services. The + service sessions can be pre-configured on the gateway to Hot Standby + mode depending on the subscriber's profile. The rest of the sessions + can be covered by Cold or Warm Standby. + +7. MTU Considerations + + IPv6 requires that every link in the Internet have a Maximum + Transmission Unit (MTU) of 1280 octets or greater [RFC2460]. + However, if NAT64 translation is deployed, some IPv4 MTU constrained + link will be used in a communication path and the originating IPv6 + nodes may therefore receive an ICMP Packet Too Big (PTB) message, + reporting a Next-Hop MTU less than 1280 bytes. The result would be + that IPv6 allows packets to contain a fragmentation header, without + the packet being fragmented into multiple pieces. A NAT64 would + receive IPv6 packets with a fragmentation header in which the "M" + flag is set to 0 and the "Fragment Offset" is set to 0. Those + packets likely impact other fragments already queued with the same + + + +Chen, et al. Informational [Page 13] + +RFC 7269 NAT64 Experience June 2014 + + + set of {IPv6 Source Address, IPv6 Destination Address, Fragment + Identification}. If the NAT64 box is compliant with [RFC5722], there + is a risk that all the fragments will have to be dropped. + + [RFC6946] discusses how this situation could be exploited by an + attacker to perform fragmentation-based attacks and also proposes + improved handling of such packets. It requires enhancements on NAT64 + gateway implementations to isolate the processing of packets. NAT64 + devices should follow the recommendations and take steps to prevent + the risks of fragmentation. + + Another approach that potentially avoids this issue is to configure + the IPv4 MTU to more than 1260 bytes. This would prevent getting a + PTB message for an MTU smaller than 1280 bytes. Such an operational + consideration is hard to universally apply to the legacy "IPv4 + Internet" that is bridged by NAT64-CGNs. However, it's a feasible + approach in NAT64-FE cases, since an IPv4 network NAT64-FE is rather + well-organized and operated by an IDC operator or content provider. + Therefore, the MTU of an IPv4 network in NAT64-FE case is strongly + recommended to be set to more than 1260 bytes. + +8. ULA Usages + + Unique Local Addresses (ULAs) are defined in [RFC4193] to be + renumbered within a network site for local communications. Operators + may use ULAs as NAT64 prefixes to provide site-local IPv6 + connectivity. Those ULA prefixes are stripped when the packets go to + the IPv4 Internet; therefore, ULAs are only valid in the IPv6 site. + The use of ULAs could help in identifying the translation traffic. + [ULA-USAGE] provides further guidance on using ULAs. + + We configure ULAs as NAT64 prefixes on a NAT64-CGN. If a host is + assigned with only an IPv6 address and connected to a NAT64-CGN, when + it connects to an IPv4 service, it would receive a AAAA record + generated by the DNS64 with the ULA prefix. A Global Unicast Address + (GUA) will be selected as the source address to the ULA destination + address. When the host has both IPv4 and IPv6 addresses, it would + initiate both A and AAAA record lookup, then both the original A + record and DNS64-generated AAAA record would be received. A host + that is compliant with [RFC6724] will never prefer a ULA over an IPv4 + address. An IPv4 path will always be selected. It may be + undesirable because the NAT64-CGN will never be used. Operators may + consider adding additional site-specific rows into the default policy + table for host address selection in order to steer traffic flows + through the NAT64-CGN. However, it involves significant costs to + change a terminal's behavior. Therefore, it is not suggested that + operators configure ULAs on a NAT64-CGN. + + + + +Chen, et al. Informational [Page 14] + +RFC 7269 NAT64 Experience June 2014 + + + ULAs can't work when hosts transit the Internet to connect with + NAT64. Therefore, ULAs are not applicable to the case of NAT64-FE. + +9. Security Considerations + + This document presents the deployment experiences of NAT64 in CGN and + FE scenarios. In general, RFC 6146 [RFC6146] provides TCP-tracking, + address-dependent filtering mechanisms to protect NAT64 from + Distributed Denial of Service (DDoS). In NAT64-CGN cases, operators + could also adopt unicast Reverse Path Forwarding (uRPF) [RFC3704] and + blacklisting and whitelisting to enhance security by specifying + access policies. For example, NAT64-CGN should forbid establishing + NAT64 BIB for incoming IPv6 packets if they do not pass the uRPF + check in Strict or Loose mode or if their source IPv6 address is + blacklisted. + + Stateful NAT64-FE creates state and maps that connection to an + internally facing IPv4 address and port. An attacker can consume the + resources of the NAT64-FE device by sending an excessive number of + connection attempts. Without a DDoS limitation mechanism, the + NAT64-FE is exposed to attacks. The load balancer is recommended to + enable the capabilities for line-rate DDOS defense, such as the + employment of SYN proxy/cookie. In this case, division of the + security domain is necessary as well. Therefore, load balancers + could not only optimize the traffic distribution but also prevent + service from quality deterioration due to security attacks. + + The DNS64 process will potentially interfere with the DNSSEC + functions [RFC4035], since the DNS response is modified and DNSSEC + intends to prevent such changes. More detailed discussions can be + found in [RFC6147]. + +10. Acknowledgements + + The authors would like to thank Jari Arkko, Dan Wing, Remi Despres, + Fred Baker, Hui Deng, Iljitsch van Beijnum, Philip Matthews, Randy + Bush, Mikael Abrahamsson, Lorenzo Colitti, Sheng Jiang, Nick Heatley, + Tim Chown, Gert Doering, and Simon Perreault for their helpful + comments. + + Many thanks to Wesley George, Lee Howard, and Satoru Matsushima for + their detailed reviews. + + The authors especially thank Joel Jaeggli and Ray Hunter for their + efforts and contributions on editing, which substantially improved + the readability of the document. + + + + + +Chen, et al. Informational [Page 15] + +RFC 7269 NAT64 Experience June 2014 + + + Thanks to Cameron Byrne who was an active coauthor of some earlier + draft versions of this document. + +11. Contributors + + The following individuals contributed extensively to the effort: + + Qiong Sun + China Telecom + Room 708, No. 118, Xizhimennei Street + Beijing 100035 + P.R. China + Phone: +86-10-58552936 + EMail: sunqiong@ctbri.com.cn + + QiBo Niu + ZTE + 50 RuanJian Road + YuHua District, + Nan Jing 210012 + P.R. China + EMail: niu.qibo@zte.com.cn + +12. References + +12.1. Normative References + + [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, December 1998. + + [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed + Networks", BCP 84, RFC 3704, March 2004. + + [RFC3947] Kivinen, T., Swander, B., Huttunen, A., and V. Volpe, + "Negotiation of NAT-Traversal in the IKE", RFC 3947, + January 2005. + + [RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. + Stenberg, "UDP Encapsulation of IPsec ESP Packets", RFC + 3948, January 2005. + + [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "Protocol Modifications for the DNS Security + Extensions", RFC 4035, March 2005. + + [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast + Addresses", RFC 4193, October 2005. + + + + +Chen, et al. Informational [Page 16] + +RFC 7269 NAT64 Experience June 2014 + + + [RFC4787] Audet, F. and C. Jennings, "Network Address Translation + (NAT) Behavioral Requirements for Unicast UDP", BCP 127, + RFC 4787, January 2007. + + [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment + (ICE): A Protocol for Network Address Translator (NAT) + Traversal for Offer/Answer Protocols", RFC 5245, April + 2010. + + [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. + Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, + RFC 5382, October 2008. + + [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009. + + [RFC5580] Tschofenig, H., Adrangi, F., Jones, M., Lior, A., and B. + Aboba, "Carrying Location Objects in RADIUS and Diameter", + RFC 5580, August 2009. + + [RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments", + RFC 5722, December 2009. + + [RFC5798] Nadas, S., "Virtual Router Redundancy Protocol (VRRP) + Version 3 for IPv4 and IPv6", RFC 5798, March 2010. + + [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection + (BFD)", RFC 5880, June 2010. + + [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. + Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, + October 2010. + + [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation + Algorithm", RFC 6145, April 2011. + + [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful + NAT64: Network Address and Protocol Translation from IPv6 + Clients to IPv4 Servers", RFC 6146, April 2011. + + [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van + Beijnum, "DNS64: DNS Extensions for Network Address + Translation from IPv6 Clients to IPv4 Servers", RFC 6147, + April 2011. + + [RFC6157] Camarillo, G., El Malki, K., and V. Gurbani, "IPv6 + Transition in the Session Initiation Protocol (SIP)", RFC + 6157, April 2011. + + + + +Chen, et al. Informational [Page 17] + +RFC 7269 NAT64 Experience June 2014 + + + [RFC6384] van Beijnum, I., "An FTP Application Layer Gateway (ALG) + for IPv6-to-IPv4 Translation", RFC 6384, October 2011. + + [RFC6555] Wing, D. and A. Yourtchenko, "Happy Eyeballs: Success with + Dual-Stack Hosts", RFC 6555, April 2012. + + [RFC6724] Thaler, D., Draves, R., Matsumoto, A., and T. Chown, + "Default Address Selection for Internet Protocol Version 6 + (IPv6)", RFC 6724, September 2012. + + [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. + Selkirk, "Port Control Protocol (PCP)", RFC 6887, April + 2013. + + [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC + 6946, May 2013. + + [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of + the IPv6 Prefix Used for IPv6 Address Synthesis", RFC + 7050, November 2013. + + [RFC7239] Petersson, A. and M. Nilsson, "Forwarded HTTP Extension", + RFC 7239, June 2014. + +12.2. Informative References + + [Alexa] Alexa, "Top 500 Global Sites", April 2013, + . + + [COEXIST] Kaliwoda, A. and D. Binet, "Co-existence of both dual- + stack and IPv6-only hosts", Work in Progress, October + 2012. + + [CONN-STATUS] + Patil, P., Boucadair, M., Wing, D., and T. Reddy, "IP + Connectivity Status Notifications for DHCPv6", Work in + Progress, February 2014. + + [Cisco-VNI] + Cisco, "Cisco VNI Global Mobile Data Traffic Forecast, + 2012-2018", February 2014, + . + + [DET-CGN] Donley, C., Grundemann, C., Sarawat, V., Sundaresan, K., + and O. Vautrin, "Deterministic Address Mapping to Reduce + Logging in Carrier Grade NAT Deployments", Work in + Progress, January 2014. + + + + +Chen, et al. Informational [Page 18] + +RFC 7269 NAT64 Experience June 2014 + + + [IR.92] Global System for Mobile Communications Association + (GSMA), "IMS Profile for Voice and SMS Version 7.0", March + 2013. + + [MAP-DEPLOY] + Qiong, Q., Chen, M., Chen, G., Tsou, T., and S. Perreault, + "Mapping of Address and Port (MAP) - Deployment + Considerations", Work in Progress, April 2014. + + [MAP-T] Li, X., Bao, C., Dec, W., Troan, O., Matsushima, S., and + T. Murakami, "Mapping of Address and Port using + Translation (MAP-T)", Work in Progress, February 2014. + + [MOTIVATION] + Boucadair, M., Matsushima, S., Lee, Y., Bonness, O., + Borges, I., and G. Chen, "Motivations for Carrier-side + Stateless IPv4 over IPv6 Migration Solutions", Work in + Progress, November 2012. + + [NAT64-RADIUS] + Chen, G. and D. Binet, "Radius Attributes for Stateful + NAT64", Work in Progress, July 2013. + + [PORT-ALLOC] + Chen, G., Tsou, T., Donley, C., and T. Taylor, "Analysis + of NAT64 Port Allocation Methods for Shared IPv4 + Addresses", Work in Progress, April 2014. + + [RFC6036] Carpenter, B. and S. Jiang, "Emerging Service Provider + Scenarios for IPv6 Deployment", RFC 6036, October 2010. + + [RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport- + Protocol Port Randomization", BCP 156, RFC 6056, January + 2011. + + [RFC6092] Woodyatt, J., "Recommended Simple Security Capabilities in + Customer Premises Equipment (CPE) for Providing + Residential IPv6 Internet Service", RFC 6092, January + 2011. + + [RFC6144] Baker, F., Li, X., Bao, C., and K. Yin, "Framework for + IPv4/IPv6 Translation", RFC 6144, April 2011. + + [RFC6346] Bush, R., "The Address plus Port (A+P) Approach to the + IPv4 Address Shortage", RFC 6346, August 2011. + + + + + + +Chen, et al. Informational [Page 19] + +RFC 7269 NAT64 Experience June 2014 + + + [RFC6459] Korhonen, J., Soininen, J., Patil, B., Savolainen, T., + Bajko, G., and K. Iisakkila, "IPv6 in 3rd Generation + Partnership Project (3GPP) Evolved Packet System (EPS)", + RFC 6459, January 2012. + + [RFC6586] Arkko, J. and A. Keranen, "Experiences from an IPv6-Only + Network", RFC 6586, April 2012. + + [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: + Combination of Stateful and Stateless Translation", RFC + 6877, April 2013. + + [RFC6883] Carpenter, B. and S. Jiang, "IPv6 Guidance for Internet + Content Providers and Application Service Providers", RFC + 6883, March 2013. + + [RFC6967] Boucadair, M., Touch, J., Levis, P., and R. Penno, + "Analysis of Potential Solutions for Revealing a Host + Identifier (HOST_ID) in Shared Address Deployments", RFC + 6967, June 2013. + + [SIIT] Anderson, T., "Stateless IP/ICMP Translation in IPv6 Data + Centre Environments", Work in Progress, November 2012. + + [ULA-USAGE] + Liu, B. and S. Jiang, "Recommendations of Using Unique + Local Addresses", Work in Progress, February 2014. + + + + + + + + + + + + + + + + + + + + + + + + +Chen, et al. Informational [Page 20] + +RFC 7269 NAT64 Experience June 2014 + + +Appendix A. Test Results for Application Behavior + + We tested several application behaviors in a lab environment to + evaluate the impact when a primary NAT64 is out of service. In this + testing, participants were asked to connect an IPv6-only WiFi network + using laptops, tablets, or mobile phones. NAT64 was deployed as the + gateway to provide Internet service. The tested applications are + shown in the table below. Cold Standby, Warm Standby, and Hot + Standby were each tested. The participants may have experienced + service interruption due to the NAT64 handover. Different + interruption intervals were tested to gauge application behaviors. + The results are shown below. + + Table 2: The Acceptable Delay of Applications + + +----------------+------------------------+-------------------------+ + | Application | Acceptable Interrupt | Session Continuity | + | | Recovery | | + +----------------+------------------------+-------------------------+ + | Web browsing | Maximum of 6 s | No | + +----------------+------------------------+-------------------------+ + | HTTP streaming | Maximum of 10 s (cache)| Yes | + +----------------+------------------------+-------------------------+ + | Games | 200-400 ms | Yes | + +----------------+------------------------+-------------------------+ + |P2P file sharing| 10-16 s | Yes | + |and streaming | | | + +----------------+------------------------+-------------------------+ + | Instant Message| 1 minute | Yes | + +----------------+------------------------+-------------------------+ + | Email | 30 s | No | + +----------------+------------------------+-------------------------+ + | Downloading | 1 minute | No | + +----------------+------------------------+-------------------------+ + + + + + + + + + + + + + + + + + +Chen, et al. Informational [Page 21] + +RFC 7269 NAT64 Experience June 2014 + + +Authors' Addresses + + Gang Chen + China Mobile + Xuanwumenxi Ave. No. 32 + Xuanwu District + Beijing 100053 + P.R. China + + EMail: chengang@chinamobile.com, phdgang@gmail.com + + Zhen Cao + China Mobile + Xuanwumenxi Ave. No. 32 + Xuanwu District + Beijing 100053 + P.R. China + + EMail: caozhen@chinamobile.com, zehn.cao@gmail.com + + + Chongfeng Xie + China Telecom + Room 708, No. 118, Xizhimennei Street + Beijing 100035 + P.R. China + + EMail: xiechf@ctbri.com.cn + + + David Binet + France Telecom-Orange + Rennes + 35000 + France + + EMail: david.binet@orange.com + + + + + + + + + + + + + + +Chen, et al. Informational [Page 22] + -- cgit v1.2.3