1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
|
Internet Engineering Task Force (IETF) T. Savolainen
Request for Comments: 7050 Nokia
Category: Standards Track J. Korhonen
ISSN: 2070-1721 Broadcom
D. Wing
Cisco Systems
November 2013
Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis
Abstract
This document describes a method for detecting the presence of DNS64
and for learning the IPv6 prefix used for protocol translation on an
access network. The method depends on the existence of a well-known
IPv4-only fully qualified domain name "ipv4only.arpa.". The
information learned enables nodes to perform local IPv6 address
synthesis and to potentially avoid NAT64 on dual-stack and multi-
interface deployments.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7050.
Savolainen, et al. Standards Track [Page 1]
^L
RFC 7050 Pref64::/n Discovery November 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
2. Requirements Notation and Terminology ...........................4
2.1. Requirements Notation ......................................4
2.2. Terminology ................................................4
3. Node Behavior ...................................................4
3.1. Validation of Discovered Pref64::/n ........................6
3.1.1. DNSSEC Requirements for the Network .................7
3.1.2. DNSSEC Requirements for the Node ....................7
3.2. Connectivity Check .........................................8
3.2.1. No Connectivity Checks against "ipv4only.arpa." .....9
3.3. Alternative Fully Qualified Domain Names ..................10
3.4. Message Flow Illustration .................................10
4. Operational Considerations for Hosting the IPv4-Only
Well-Known Name ................................................12
5. Operational Considerations for DNS64 Operator ..................12
5.1. Mapping of IPv4 Address Ranges to IPv6 Prefixes ...........13
6. Exit Strategy ..................................................14
7. Security Considerations ........................................14
8. IANA Considerations ............................................15
8.1. Domain Name Reservation Considerations ....................15
8.2. IPv4 Address Allocation Considerations ....................16
8.3. IAB Statement Regarding This .arpa Request ................17
9. Acknowledgements ...............................................18
10. References ....................................................18
10.1. Normative References .....................................18
10.2. Informative References ...................................19
Appendix A. Example of DNS Record Configuration ..................20
Appendix B. About the IPv4 Address for the Well-Known Name .......21
Savolainen, et al. Standards Track [Page 2]
^L
RFC 7050 Pref64::/n Discovery November 2013
1. Introduction
As part of the transition to IPv6, NAT64 [RFC6146] and DNS64
[RFC6147] technologies will be utilized by some access networks to
provide IPv4 connectivity for IPv6-only nodes [RFC6144]. DNS64
utilizes IPv6 address synthesis to create local IPv6 addresses for
peers having only IPv4 addresses, hence allowing DNS-using IPv6-only
nodes to communicate with IPv4-only peers.
However, DNS64 cannot serve applications not using DNS, such as those
receiving IPv4 address literals as referrals. Such applications
could nevertheless be able to work through NAT64, provided they are
able to create locally valid IPv6 addresses that would be translated
to the peers' IPv4 addresses.
Additionally, DNS64 is not able to do IPv6 address synthesis for
nodes running validating DNS resolvers enabled by DNS Security
(DNSSEC), but instead, the synthesis must be done by the nodes
themselves. In order to perform IPv6 synthesis, nodes have to learn
the IPv6 prefix(es) used on the access network for protocol
translation. A prefix, which may be a Network-Specific Prefix (NSP)
or a Well-Known Prefix (WKP) [RFC6052], is referred to in this
document as Pref64::/n [RFC6146].
This document describes a best-effort method for applications and
nodes to learn the information required to perform local IPv6 address
synthesis. The IPv6 address synthesis procedure itself is out of the
scope of this document. An example application is a browser
encountering IPv4 address literals in an IPv6-only access network.
Another example is a node running a validating security-aware DNS
resolver in an IPv6-only access network.
The knowledge of IPv6 address synthesis taking place may also be
useful if DNS64 and NAT64 are used in dual-stack-enabled access
networks or if a node is multi-interfaced [RFC6418]. In such cases,
nodes may choose to prefer IPv4 or an alternative network interface
in order to avoid traversal through protocol translators.
It is important to note that use of this approach will not result in
a system that is as robust, secure, and well-behaved as an all-IPv6
system would be. Hence, it is highly recommended to upgrade nodes'
destinations to IPv6 and utilize the described method only as a
transition solution.
Savolainen, et al. Standards Track [Page 3]
^L
RFC 7050 Pref64::/n Discovery November 2013
2. Requirements Notation and Terminology
2.1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2.2. Terminology
NAT64 FQDN: a fully qualified domain name (FQDN) for a NAT64 protocol
translator.
Pref64::/n: an IPv6 prefix used for IPv6 address synthesis [RFC6146].
Pref64::WKA: an IPv6 address consisting of Pref64::/n and WKA at any
of the locations allowed by RFC 6052 [RFC6052].
Secure Channel: a communication channel a node has between itself and
a DNS64 server protecting DNS protocol-related messages from
interception and tampering. The channel can be, for example, an
IPsec-based virtual private network (VPN) tunnel or a link layer
utilizing data encryption technologies.
Well-Known IPv4-only Name (WKN): the fully qualified domain name,
"ipv4only.arpa.", well-known to have only A record(s).
Well-Known IPv4 Address (WKA): an IPv4 address that is well-known and
present in an A record for the well-known name. Two well-known IPv4
addresses are defined for Pref64::/n discovery purposes: 192.0.0.170
and 192.0.0.171.
3. Node Behavior
A node requiring information about the presence (or absence) of
NAT64, and one or more Pref64::/n used for protocol translation SHALL
send a DNS query for AAAA resource records of the Well-Known
IPv4-only Name (WKN) "ipv4only.arpa.". The node MAY perform the DNS
query in both IPv6-only and dual-stack access networks.
When sending a DNS AAAA resource record query for the WKN, a node
MUST set the "Checking Disabled (CD)" bit to zero [RFC4035], as
otherwise the DNS64 server will not perform IPv6 address synthesis
(Section 3 of [RFC6147]) and hence would not reveal the Pref64::/n
used for protocol translation.
Savolainen, et al. Standards Track [Page 4]
^L
RFC 7050 Pref64::/n Discovery November 2013
A DNS reply with one or more AAAA resource records indicates that the
access network is utilizing IPv6 address synthesis. In some
scenarios, captive portals, or NXDOMAIN and NODATA hijacking,
performed by the access network may result in a false positive. One
method to detect such hijacking is to query a fully qualified domain
name that is known to be invalid (and normally returns an empty
response or an error response) and see if it returns a valid resource
record. However, as long as the hijacked domain does not result in
AAAA resource record responses that contain a well-known IPv4 address
in any location defined by [RFC6052], the response will not disturb
the Pref64::/n learning procedure.
A node MUST look through all of the received AAAA resource records to
collect one or more Pref64::/n. The Pref64::/n list might include
the Well-Known Prefix 64:ff9b::/96 [RFC6052] or one or more Network-
Specific Prefixes. In the case of NSPs, the node SHALL determine the
used address format by searching the received IPv6 addresses for the
WKN's well-known IPv4 addresses. The node SHALL assume the well-
known IPv4 addresses might be found at the locations specified by
[RFC6052], Section 2.2. The node MUST check on octet boundaries to
ensure a 32-bit well-known IPv4 address value is present only once in
an IPv6 address. In case another instance of the value is found
inside the IPv6 address, the node SHALL repeat the search with the
other well-known IPv4 address.
If only one Pref64::/n was present in the DNS response, a node SHALL
use that Pref64::/n for both local synthesis and for detecting
synthesis done by the DNS64 server on the network.
If more than one Pref64::/n was present in the DNS response, a node
SHOULD use all of them when determining whether other received IPv6
addresses are synthetic. The node MUST use all learned Pref64::/n
when performing local IPv6 address synthesis and use the prefixes in
the order received from the DNS64 server. That is, when the node is
providing a list of locally synthesized IPv6 addresses to upper
layers, IPv6 addresses MUST be synthesized by using all discovered
Pref64::/n prefixes in the received order.
If the well-known IPv4 addresses are not found within the standard
locations, the DNS response indicates that the network is not using a
standard address format or unexpected IPv4 addresses were used in the
AAAA resource record synthesis. In either case, the Pref64::/n
cannot be determined and the heuristic procedure has failed.
Developers can, over time, learn of IPv6-translated address formats
that are extensions or alternatives to the standard formats. At that
point, developers MAY add additional steps to the described discovery
procedure. The additional steps are outside the scope of the present
document.
Savolainen, et al. Standards Track [Page 5]
^L
RFC 7050 Pref64::/n Discovery November 2013
In case a node does not receive a positive DNS reply to the AAAA
resource record query, the node MAY perform a DNS A resource record
query for the well-known name. Receiving a positive reply to the DNS
A resource record query indicates that the recursive DNS server that
is used is not a DNS64 server.
In the case of a negative response (NXDOMAIN, NODATA) or a DNS query
timeout, a DNS64 server is not available on the access network, the
access network filtered out the well-known query, or something went
wrong in the DNS resolution. All unsuccessful cases result in a node
being unable to perform local IPv6 address synthesis. In the case of
timeout, the node SHOULD retransmit the DNS query like any other DNS
query the node makes [RFC1035]. In the case of a negative response
(NXDOMAIN, NODATA), the node MUST obey the Time to Live (TTL)
[RFC1035] of the response before resending the AAAA resource record
query. The node MAY monitor for DNS replies with IPv6 addresses
constructed from the WKP, in which case if any are observed, the node
SHOULD use the WKP as if it were learned during the query for the
well-known name.
To save Internet resources if possible, a node should perform
Pref64::/n discovery only when needed (e.g., when local synthesis is
required, when a new network interface is connected to a new network,
and so forth). The node SHALL cache the replies it receives during
the Pref64::/n discovery procedure, and it SHOULD repeat the
discovery process ten seconds before the TTL of the Well-Known Name's
synthetic AAAA resource record expires.
3.1. Validation of Discovered Pref64::/n
If a node is using an insecure channel between itself and a DNS64
server or the DNS64 server is untrusted, it is possible for an
attacker to influence the node's Pref64::/n discovery procedures.
This may result in denial-of-service, redirection, man-in-the-middle,
or other attacks.
To mitigate against attacks, the node SHOULD communicate with a
trusted DNS64 server over a secure channel or use DNSSEC. NAT64
operators SHOULD provide facilities for validating discovery of
Pref64::/n via a secure channel and/or DNSSEC protection.
It is important to understand that DNSSEC only validates that the
discovered Pref64::/n is the one that belongs to a domain used by
NAT64 FQDN. Importantly, the DNSSEC validation does not tell if the
node is at the network where the Pref64::/n is intended to be used.
Furthermore, DNSSEC validation cannot be utilized in the case of a
WKP.
Savolainen, et al. Standards Track [Page 6]
^L
RFC 7050 Pref64::/n Discovery November 2013
3.1.1. DNSSEC Requirements for the Network
If the operator has chosen to support nodes performing validation of
discovered Pref64::/n with DNSSEC, the operator of the NAT64 device
MUST perform the following configurations.
1. Have one or more fully qualified domain names for the NAT64
translator entities (later referred to as NAT64 FQDN). In the
case of more than one Pref64::/n being used in a network, e.g.,
for load-balancing purposes, it is for network administrators to
decide whether a single NAT64's fully qualified domain name maps
to more than one Pref64::/n, or whether there will be a dedicated
NAT64 FQDN per Pref64::/n.
2. Each NAT64 FQDN MUST have one or more DNS AAAA resource records
containing Pref64::WKA (Pref64::/n combined with WKA).
3. Each Pref64::WKA MUST have a PTR resource record that points to
the corresponding NAT64 FQDN.
4. Sign the NAT64 FQDNs' AAAA and A resource records with DNSSEC.
3.1.2. DNSSEC Requirements for the Node
A node SHOULD prefer a secure channel to talk to a DNS64 server
whenever possible. In addition, a node that implements a DNSSEC
validating resolver MAY use the following procedure to validate
discovery of the Pref64::/n.
1. Heuristically find Pref64::/n candidates by making a AAAA
resource record query for "ipv4only.arpa." by following the
procedure in Section 3. This will result in IPv6 addresses
consisting of Pref64::/n combined with WKA, i.e., Pref64::WKA.
For each Pref64::/n that the node wishes to validate, the node
performs the following steps.
2. Send a DNS PTR resource record query for the IPv6 address of the
translator (for ".ip6.arpa." tree), using the Pref64::WKA learned
in step 1. CNAME and DNAME results should be followed according
to the rules in RFC 1034 [RFC1034], RFC 1035 [RFC1035], and RFC
6672 [RFC6672]. The ultimate response will include one or more
NAT64 FQDNs.
3. The node SHOULD compare the domains of learned NAT64 FQDNs to a
list of the node's trusted domains and choose a NAT64 FQDN that
matches. The means for a node to learn the trusted domains is
Savolainen, et al. Standards Track [Page 7]
^L
RFC 7050 Pref64::/n Discovery November 2013
implementation specific. If the node has no trust for the
domain, the discovery procedure is not secure, and the remaining
steps described below MUST NOT be performed.
4. Send a DNS AAAA resource record query for the NAT64 FQDN.
5. Verify the DNS AAAA resource record contains Pref64::WKA
addresses received at step 1. It is possible that the NAT64 FQDN
has multiple AAAA records, in which case the node MUST check if
any of the addresses match the ones obtained in step 1. The node
MUST ignore other responses and not use them for local IPv6
address synthesis.
6. Perform DNSSEC validation of the DNS AAAA response.
After the node has successfully performed the above five steps, the
node can consider Pref64::/n validated.
3.2. Connectivity Check
After learning a Pref64::/n, the node SHOULD perform a connectivity
check to ensure the learned Pref64::/n is functional. It could be
non-functional for a variety of reasons -- the discovery failed to
work as expected, the IPv6 path to the NAT64 is down, the NAT64 is
down, or the IPv4 path beyond the NAT64 is down.
There are two main approaches to determine if the learned Pref64::/n
is functional. The first approach is to perform a dedicated
connectivity check. The second approach is to simply attempt to use
the learned Pref64::/n. Each approach has some trade-offs (e.g.,
additional network traffic or possible user-noticeable delay), and
implementations should carefully weigh which approach is appropriate
for their application and the network.
The node SHOULD use an implementation-specific connectivity check
server and a protocol of the implementation's choice, but if that is
not possible, a node MAY do a PTR resource record query of the
Pref64::WKA to get a NAT64 FQDN. The node then does an A resource
query of the NAT64 FQDN, which will return zero or more A resource
records pointing to connectivity check servers used by the network
operator. A negative response to the PTR or A resource query means
there are no connectivity check servers available. A network
operator that provides NAT64 services for a mix of nodes with and
without implementation-specific connectivity check servers SHOULD
assist nodes in their connectivity checks by mapping each NAT64 FQDN
to one or more DNS A resource records with IPv4 address(es) pointing
to connectivity check server(s). The connectivity check approach
based on Pref64::/n works only with NSPs, as it is not possible to
Savolainen, et al. Standards Track [Page 8]
^L
RFC 7050 Pref64::/n Discovery November 2013
register A records for each different domain using a WKP. The
network operator MUST disable ICMPv6 rate limiting for connectivity
check messages.
If multiple connectivity check servers are available for use, the
node chooses the first one, preferring implementation-specific
servers.
The connectivity check protocol used with implementation-specific
connectivity check servers is implementation specific.
The connectivity check protocol used with connectivity check servers
pointed to by the NAT64 FQDN's A resource records is ICMPv6
[RFC4443]. The node performing a connectivity check against these
servers SHALL send an ICMPv6 Echo Request to an IPv6 address
synthesized by combining discovered Pref64::/n with an IPv4 address
of the server as specified in [RFC6052]. This will test the IPv6
path to the NAT64, the NAT64's operation, and the IPv4 path all the
way to the connectivity check server. If no response is received for
the ICMPv6 Echo Request, the node SHALL send another ICMPv6 Echo
Request a second later. If still no response is received, the node
SHALL send a third ICMPv6 Echo Request two seconds later. If an
ICMPv6 Echo Response is received, the node knows the IPv6 path to the
connectivity check server is functioning normally. If no response is
received after three transmissions and after three seconds have
elapsed since the last ICMPv6 Echo Request, the node learns this
Pref64::/n might not be functioning, and the node MAY choose a
different Pref64::/n (if available), choose to alert the user, or
proceed anyway assuming the failure is temporary or is caused by the
connectivity check itself. After all, ICMPv6 is unreliable by
design, and failure to receive ICMPv6 responses may not indicate
anything other than network failure to transport ICMPv6 messages.
If no separate connectivity check is performed before local IPv6
address synthesis, a node MAY monitor success of connection attempts
performed with locally synthesized IPv6 addresses. Based on success
of these connections, and based on possible ICMPv6 error messages
received (such as Destination Unreachable messages), the node MAY
cease to perform local address synthesis and MAY restart the
Pref64::/n discovery procedures.
3.2.1. No Connectivity Checks against "ipv4only.arpa."
Clients MUST NOT send a connectivity check to an address returned by
the "ipv4only.arpa." query. This is because, by design, no server
will be operated on the Internet at that address as such. Similarly,
network operators MUST NOT operate a server on that address. The
reason this address isn't used for connectivity checks is that
Savolainen, et al. Standards Track [Page 9]
^L
RFC 7050 Pref64::/n Discovery November 2013
operators who neglect to operate a connectivity check server will
allow that traffic towards the Internet where it will be dropped and
cause a false negative connectivity check with the client (that is,
the NAT64 is working fine, but the connectivity check fails because a
server is not operating at "ipv4only.arpa." on the Internet and a
server is not operated by the NAT64 operator). Instead, for the
connectivity check, an additional DNS resource record is looked up
and used for the connectivity check. This ensures that packets don't
unnecessarily leak to the Internet and reduces the chance of a false
negative connectivity check.
3.3. Alternative Fully Qualified Domain Names
Some applications, operating systems, devices, or networks may find
it advantageous to operate their own DNS infrastructure to perform a
function similar to "ipv4only.arpa." but use a different resource
record. The primary advantage is to ensure availability of the DNS
infrastructure and ensure the proper configuration of the DNS record
itself. For example, a company named Example might have their
application query "ipv4only.example.com". Other than the different
DNS resource record being queried, the rest of the operations are
anticipated to be identical to the steps described in this document.
3.4. Message Flow Illustration
The figure below gives an example illustration of a message flow in
the case of prefix discovery utilizing Pref64::/n validation. The
figure also shows a step where the procedure ends if no Pref64::/n
validation is performed.
In this example, three Pref64::/n prefixes are provided by the DNS64
server. The first Pref64::/n is using an NSP, in this example,
"2001:db8:42::/96". The second Pref64::/n is using an NSP, in this
example, "2001:db8:43::/96". The third Pref64::/n is using the WKP.
Hence, when the Pref64::/n prefixes are combined with the WKA to form
Pref64::WKA, the synthetic IPv6 addresses returned by the DNS64
server are "2001:db8:42::192.0.0.170", "2001:db8:43::192.0.0.170",
and "64:ff9b::192.0.0.170". The DNS64 server could also return
synthetic addresses containing the IPv4 address 192.0.0.171.
The validation is not done for the WKP; see Section 3.1.
Savolainen, et al. Standards Track [Page 10]
^L
RFC 7050 Pref64::/n Discovery November 2013
Node DNS64 server
| |
| "AAAA" query for "ipv4only.arpa." |
|----------------------------------------------->|"A" query for
| |"ipv4only.arpa."
| |--------------->
| |
| | "A" response:
| | "192.0.0.170"
| | "192.0.0.171"
| |<---------------
| +----------------------------+
| | "AAAA" synthesis using |
| | three Pref64::/n. |
| +----------------------------+
| "AAAA" response with: |
| "2001:db8:42::192.0.0.170" |
| "2001:db8:43::192.0.0.170" |
| "64:ff9b::192.0.0.170" |
|<-----------------------------------------------|
| |
+----------------------------------------------+ |
| If Pref64::/n validation is not performed, a | |
| node can fetch prefixes from AAAA responses | |
| at this point and skip the steps below. | |
+----------------------------------------------+ |
| |
| "PTR" query #1 for "2001:db8:42::192.0.0.170 |
|----------------------------------------------->|
| "PTR" query #2 for "2001:db8:43::192.0.0.170 |
|----------------------------------------------->|
| |
| "PTR" response #1 "nat64_1.example.com" |
|<-----------------------------------------------|
| "PTR" response #2 "nat64_2.example.com" |
|<-----------------------------------------------|
| |
+----------------------------------------------+ |
| Compare received domains to a trusted domain | |
| list and if matches are found, continue. | |
+----------------------------------------------+ |
| |
| "AAAA" query #1 for "nat64_1.example.com" |
|----------------------------------------------->|
| "AAAA" query #2 for "nat64_2.example.com" |
|----------------------------------------------->|
Savolainen, et al. Standards Track [Page 11]
^L
RFC 7050 Pref64::/n Discovery November 2013
| |
| "AAAA" resp. #1 with "2001:db8:42::192.0.0.170 |
|<-----------------------------------------------|
| "AAAA" resp. #2 with "2001:db8:43::192.0.0.170 |
|<-----------------------------------------------|
| |
+----------------------------------------------+ |
| Validate AAAA responses and compare the IPv6 | |
| addresses to those previously learned. | |
+----------------------------------------------+ |
| |
+----------------------------------------------+ |
| Fetch the Pref64::/n from the validated | |
| responses and take into use. | |
+----------------------------------------------+ |
| |
Figure 1: Pref64::/n Discovery Procedure
4. Operational Considerations for Hosting the IPv4-Only Well-Known Name
The authoritative name server for the well-known name SHALL have DNS
record TTL set to at least 60 minutes in order to improve
effectiveness of DNS caching. The exact TTL value will be determined
and tuned based on operational experiences.
The domain serving the well-known name MUST be signed with DNSSEC.
See also Section 7.
5. Operational Considerations for DNS64 Operator
A network operator of a DNS64 server can guide nodes utilizing
heuristic discovery procedures by managing the responses a DNS64
server provides.
If the network operator would like nodes to utilize multiple
Pref64::/n prefixes, the operator needs to configure DNS64 servers to
respond with multiple synthetic AAAA records. As per Section 3, the
nodes can then use them all.
There are no guarantees on which of the Pref64::/n prefixes nodes
will end up using. If the operator wants nodes to specifically use a
certain Pref64::/n or periodically change the Pref64::/n they use,
for example, for load balancing reasons, the only guaranteed method
is to make DNS64 servers return only a single synthetic AAAA resource
record and have the TTL of that synthetic record such that the node
repeats the Pref64::/n discovery when required.
Savolainen, et al. Standards Track [Page 12]
^L
RFC 7050 Pref64::/n Discovery November 2013
Besides choosing how many Pref64::/n prefixes to respond and what TTL
to use, DNS64 servers MUST NOT interfere with or perform other
special procedures for the queries related to the well-known name.
5.1. Mapping of IPv4 Address Ranges to IPv6 Prefixes
RFC 6147 [RFC6147] allows DNS64 implementations to be able to map
specific IPv4 address ranges to separate Pref64::/n prefixes. That
allows handling of special use IPv4 addresses [RFC6890]. The example
setup where this might be used is illustrated in Figure 2. The NAT64
"A" is used when accessing IPv4-only servers in the data center, and
the NAT64 "B" is used for Internet access.
NAT64 "A" ----- IPv4-only servers in a data center
/
IPv6-only node---<
\
NAT64 "B" ----- IPv4 Internet
Figure 2: NAT64s with IPv4 Address Ranges
The heuristic discovery method described herein does not support
learning of the possible rules used by a DNS64 server for mapping
specific IPv4 address ranges to separate Pref64::/n prefixes.
Therefore, nodes will use the same discovered Pref64::/n to
synthesize IPv6 addresses from any IPv4 address. This can cause
issues for routing and connectivity establishment procedures. The
operator of the NAT64 and the DNS64 ought to take this into account
in the network design.
The network operators can help IPv6-only nodes by ensuring the nodes
do not have to work with IPv4 address literals for which special
mapping rules are used. That is, the IPv4-only servers addressed
from the special IPv4 address ranges ought to have signed AAAA
records, which allows IPv6-only nodes to avoid local address
synthesis. If the IPv6-only nodes are not using DNSSEC, then it is
enough if the network's DNS64 server returns synthetic AAAA resource
records pointing to IPv4-only servers. Avoiding the need for
IPv6-only nodes to perform address synthesis for IPv4 addresses
belonging to special ranges is the best approach to assist nodes.
If the IPv6-only nodes have no choice other than using IPv4-address
literals belonging to special IPv4 address ranges and the IPv6-only
node will perform local synthesis by using the discovered Pref64::/n,
then the network ought to ensure with routing that the packets are
delivered to the correct NAT64. For example, a router in the path
from an IPv6-only host to NAT64s can forward the IPv6 packets to the
correct NAT64 as illustrated in Figure 3. The routing could be based
Savolainen, et al. Standards Track [Page 13]
^L
RFC 7050 Pref64::/n Discovery November 2013
on the last 32 bits of the IPv6 address, but the network operator can
also use some other IPv6 address format allowed by RFC 6052 [RFC6052]
if it simplifies routing setup. This setup requires additional logic
on the NAT64 providing connectivity to special IPv4 address ranges:
it needs to be able to translate packets it receives that are using
the Pref64::/n used with Internet connections.
NAT64 "A" ----- IPv4-only servers in a data center
/
IPv6-only host---router
\
NAT64 "B" ----- IPv4 Internet
Figure 3: NAT64s with Assisting Router
6. Exit Strategy
A day will come when this tool is no longer needed. A node SHOULD
implement a configuration knob for disabling the Pref64::/n discovery
feature.
7. Security Considerations
The security considerations follow closely those of RFC 6147
[RFC6147]. The possible attacks are very similar in the case where
an attacker controls a DNS64 server and returns tampered IPv6
addresses to a node and in the case where an attacker causes the node
to use tampered Pref64::/n for local address synthesis. DNSSEC
cannot be used to validate responses created by a DNS64 server with
which the node has no trust relationship. Hence, this document does
not change the big picture for untrusted network scenarios. If an
attacker alters the Pref64::/n used by a DNS64 server or a node, the
traffic generated by the node will be delivered to an altered
destination. This can result in either a denial-of-service (DoS)
attack (if the resulting IPv6 addresses are not assigned to any
device), a flooding attack (if the resulting IPv6 addresses are
assigned to devices that do not wish to receive the traffic), or an
eavesdropping attack (in case the altered NSP is routed through the
attacker).
Even though a well-known name's DNS A resource record would not
necessarily need to be protected with DNSSEC as both the name and
IPv4 addresses well-known, DNSSEC protection is required for DNS AAAA
resource record queries. Without DNSSEC, fake positive AAAA
responses could cause hosts to erroneously detect Pref64::/n, thus
allowing an attacker to inject malicious Pref64::/n for hosts'
synthesis procedures. A signed "ipv4only.arpa." allows validating
Savolainen, et al. Standards Track [Page 14]
^L
RFC 7050 Pref64::/n Discovery November 2013
DNS64 servers (see [RFC6147] Section 3, Case 5, for example) to
detect malicious AAAA resource records. Therefore, the zone serving
the well-known name has to be protected with DNSSEC.
For Pref64::/n discovery validation, the access network SHOULD sign
the NAT64 translator's fully qualified domain name. A node SHOULD
use the algorithm described in Section 3.1 to validate each
discovered Pref64::/n.
The procedure described in Section 3.1.2 requires a node using DNSSEC
to validate discovery of Pref64::/n to have a list of trusted
domains. If a matching domain is not found at Step 3 in
Section 3.1.2, an implementation might be tempted to ask a user to
temporarily or permanently add a received domain as trusted. History
has shown that average users are unable to properly handle such
queries and tend to answer positively without thinking in an attempt
to move forward quickly. Therefore, unless the DNSSEC-using
implementation has a way to dynamically and reliably add trusted
domains, it is better to fail the Pref64::/n discovery procedure.
Lastly, the best mitigation action against Pref64::/n discovery
attacks is to add IPv6 support for nodes' destinations and hence
reduce the need to perform local IPv6 address synthesis.
8. IANA Considerations
8.1. Domain Name Reservation Considerations
According to procedures described in [RFC3172] and [RFC6761], IANA
has delegated a new second-level domain in the .ARPA zone for the
well-known domain name "ipv4only.arpa.". The intention is that there
will not be any further delegation of names below the
"ipv4only.arpa." domain. The administrative and operational
management of this zone is performed by IANA. The answers to the
seven questions listed in [RFC6761] are as follows:
1. Are human users expected to recognize these names as special and
use them differently? In what way?
No, although this is a domain delegated under the .arpa
infrastructural identifier top level domain.
2. Are writers of application software expected to make their
software recognize these names as special and treat them
differently? In what way?
Yes. Any application attempting to perform NAT64 discovery will
query the name.
Savolainen, et al. Standards Track [Page 15]
^L
RFC 7050 Pref64::/n Discovery November 2013
3. Are writers of name resolution APIs and libraries expected to
make their software recognize these names as special and treat
them differently? If so, how?
Yes, to the extent the API or library is affected by NAT64.
4. Are developers of caching domain name servers expected to make
their implementations recognize these names as special and treat
them differently? If so, how?
No.
5. Are developers of authoritative domain name servers expected to
make their implementations recognize these names as special and
treat them differently? If so, how?
No.
6. Does this reserved Special-Use Domain Name have any potential
impact on DNS server operators? If they try to configure their
authoritative DNS server as authoritative for this reserved name,
will compliant name server software reject it as invalid? Do DNS
server operators need to know about that and understand why?
Even if the name server software doesn't prevent them from using
this reserved name, are there other ways that it may not work as
expected, of which the DNS server operator should be aware?
This name has effects for operators of NAT64/DNS64, but otherwise
is just another delegated .arpa domain.
7. How should DNS Registries/Registrars treat requests to register
this reserved domain name? Should such requests be denied?
Should such requests be allowed, but only to a specially-
designated entity?
The registry for .arpa is held at IANA, and only IANA needs to
take action here.
Savolainen, et al. Standards Track [Page 16]
^L
RFC 7050 Pref64::/n Discovery November 2013
8.2. IPv4 Address Allocation Considerations
The well-known name needs to map to two different global IPv4
addresses, which have been allocated as described in [RFC6890]. The
addresses have been taken from the IANA IPv4 Special Purpose Address
Registry [RFC6890], and 192.0.0.170 and 192.0.0.171 have been
assigned to this document with the parameters shown below:
+----------------------+-------------------------------+
| Attribute | Value |
+----------------------+-------------------------------+
| Address Block | 192.0.0.170/32 |
| | 192.0.0.171/32 |
| Name | NAT64/DNS64 Discovery |
| RFC | RFC 7050, Section 2.2 |
| Allocation Date | February 2013 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-protocol | True |
+----------------------+-------------------------------+
The Record for IPv4 Address Allocation for IPv4 Special Purpose
Address Registry
The zone "ipv4only.arpa." is delegated from the ARPA zone to
appropriate name servers chosen by the IANA. An apex A RRSet has
been inserted in the "ipv4only.arpa." zone as follows:
IPV4ONLY.ARPA. IN A 192.0.0.170
IPV4ONLY.ARPA. IN A 192.0.0.171
8.3. IAB Statement Regarding This .arpa Request
With the publication of this document, the IAB approves of the
delegation of "ipv4only" in the .arpa domain. Under [RFC3172], the
IAB has requested that IANA delegate and provision "ipv4only.arpa."
as written in this specification. However, the IAB does not take any
architectural or technical position about this specification.
Savolainen, et al. Standards Track [Page 17]
^L
RFC 7050 Pref64::/n Discovery November 2013
9. Acknowledgements
The authors would like to thank Dmitry Anipko, Cameron Byrne, Aaron
Yi Ding, Christian Huitema, Washam Fan, Peter Koch, Stephan
Lagerholm, Zhenqiang Li, Simon Perreault, Marc Petit-Huguenin, Andrew
Sullivan, and Dave Thaler for significant improvement ideas and
comments.
Jouni Korhonen would like to acknowledge his previous employer, Nokia
Siemens Networks, where the majority of his work on this document was
carried out.
10. References
10.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification", RFC 4443, March 2006.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
October 2010.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, April 2011.
[RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van
Beijnum, "DNS64: DNS Extensions for Network Address
Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
April 2011.
[RFC6672] Rose, S. and W. Wijngaards, "DNAME Redirection in the
DNS", RFC 6672, June 2012.
Savolainen, et al. Standards Track [Page 18]
^L
RFC 7050 Pref64::/n Discovery November 2013
10.2. Informative References
[RFC3172] Huston, G., "Management Guidelines & Operational
Requirements for the Address and Routing Parameter Area
Domain ("arpa")", BCP 52, RFC 3172, September 2001.
[RFC5735] Cotton, M. and L. Vegoda, "Special Use IPv4 Addresses",
RFC 5735, January 2010.
[RFC6144] Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
IPv4/IPv6 Translation", RFC 6144, April 2011.
[RFC6418] Blanchet, M. and P. Seite, "Multiple Interfaces and
Provisioning Domains Problem Statement", RFC 6418,
November 2011.
[RFC6761] Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
RFC 6761, February 2013.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153, RFC
6890, April 2013.
Savolainen, et al. Standards Track [Page 19]
^L
RFC 7050 Pref64::/n Discovery November 2013
Appendix A. Example of DNS Record Configuration
The following BIND-style examples illustrate how A and AAAA records
could be configured by a NAT64 operator.
The examples use Pref64::/n of 2001:db8::/96, both WKAs, and the
example.com domain.
The PTR record for reverse queries (Section 3.1.1, Bullet 3):
$ORIGIN A.A.0.0.0.0.0.C\
.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA.
@ IN SOA ns1.example.com. hostmaster.example.com. (
2003080800 12h 15m 3w 2h)
IN NS ns.example.com.
IN PTR nat64.example.com.
$ORIGIN B.A.0.0.0.0.0.C\
.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA.
@ IN SOA ns1.example.com. hostmaster.example.com. (
2003080800 12h 15m 3w 2h)
IN NS ns.example.com.
IN PTR nat64.example.com.
If example.com does not use DNSSEC, the following configuration file
could be used. Please note that nat64.example.com has both a AAAA
record with the Pref64::/n and an A record for the connectivity check
(Section 3.1.1, Bullet 2).
example.com. IN SOA ns.example.com. hostmaster.example.com. (
2002050501 ; serial
100 ; refresh (1 minute 40 seconds)
200 ; retry (3 minutes 20 seconds)
604800 ; expire (1 week)
100 ; minimum (1 minute 40 seconds)
)
example.com. IN NS ns.example.com.
nat64.example.com.
IN AAAA 2001:db8:0:0:0:0:C000:00AA
IN AAAA 2001:db8:0:0:0:0:C000:00AB
IN A 192.0.2.1
Savolainen, et al. Standards Track [Page 20]
^L
RFC 7050 Pref64::/n Discovery November 2013
For DNSSEC to sign the records, the owner of the example.com zone
would have RRSIG records for both the AAAA and A records for
nat64.example.com. As a normal DNSSEC requirement, the zone and its
parent also need to be signed.
Appendix B. About the IPv4 Address for the Well-Known Name
The IPv4 addresses for the well-known name cannot be non-global IPv4
addresses as listed in the Section 3 of [RFC5735]. Otherwise, DNS64
servers might not perform AAAA record synthesis when the well-known
prefix is used, as stated in Section 3.1 of [RFC6052]. However, the
addresses do not have to be routable or allocated to any real node as
no communications will be initiated to these IPv4 address.
Allocation of at least two IPv4 addresses improves the heuristics in
cases where the bit pattern of the primary IPv4 address appears more
than once in the synthetic IPv6 address (i.e., the NSP prefix
contains the same bit pattern as the IPv4 address).
If no well-known IPv4 addresses would be statically allocated for
this method, the heuristic would require sending of an additional A
query to learn the IPv4 addresses that would be then searched from
inside of the received IPv6 address.
Savolainen, et al. Standards Track [Page 21]
^L
RFC 7050 Pref64::/n Discovery November 2013
Authors' Addresses
Teemu Savolainen
Nokia
Hermiankatu 12 D
FI-33720 Tampere
Finland
EMail: teemu.savolainen@nokia.com
Jouni Korhonen
Broadcom
Linnoitustie 6
FI-02600 Espoo
Finland
EMail: jouni.nospam@gmail.com
Dan Wing
Cisco Systems
170 West Tasman Drive
San Jose, California 95134
USA
EMail: dwing@cisco.com
Savolainen, et al. Standards Track [Page 22]
^L
|
