1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
|
Internet Engineering Task Force (IETF) M. Boucadair
Request for Comments: 7225 France Telecom
Category: Standards Track May 2014
ISSN: 2070-1721
Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)
Abstract
This document defines a new Port Control Protocol (PCP) option to
learn the IPv6 prefix(es) used by a PCP-controlled NAT64 device to
build IPv4-converted IPv6 addresses. This option is needed for
successful communications when IPv4 addresses are used in referrals.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7225.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Boucadair Standards Track [Page 1]
^L
RFC 7225 PCP & NAT64 May 2014
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Issues . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . 3
3.2.1. AAAA Synthesis by the DNS Stub-resolver . . . . . . . 4
3.2.2. Application Referrals . . . . . . . . . . . . . . . . 4
4. PREFIX64 Option . . . . . . . . . . . . . . . . . . . . . . . 5
4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.2. Server's Behavior . . . . . . . . . . . . . . . . . . . . 7
4.3. Client's Behavior . . . . . . . . . . . . . . . . . . . . 9
5. Flow Examples . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. TCP Session Initiated from an IPv6-only Host . . . . . . 10
5.2. SIP Flow Example . . . . . . . . . . . . . . . . . . . . 11
5.3. Mapping of IPv4 Address Ranges to IPv6 Prefixes . . . . . 13
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
7. Security Considerations . . . . . . . . . . . . . . . . . . . 15
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
9.1. Normative References . . . . . . . . . . . . . . . . . . 15
9.2. Informative References . . . . . . . . . . . . . . . . . 16
1. Introduction
According to [RFC6146], NAT64 uses Pref64::/n to construct
IPv4-converted IPv6 addresses as defined in [RFC6052].
This document defines a new Port Control Protocol (PCP) option
[RFC6887] to inform PCP clients about the Pref64::/n and suffix
[RFC6052] used by a PCP-controlled NAT64 device [RFC6146]. It does
so by defining a new PREFIX64 option.
This PCP option is a deterministic solution to help establish
communications between IPv6-only hosts and remote IPv4-only hosts.
Unlike [RFC7050], this option solves all the issues identified in
[RFC7051].
Some illustrative examples are provided in Section 5. Detailed
experiments conducted to assess the applicability of the PREFIX64
option for services (e.g., accessing a video server, establishing
SIP-based sessions, etc.) in NAT64 environments are available in
[EXPERIMENTS].
The use of this PCP option for NAT64 load-balancing purposes is out
of scope.
Boucadair Standards Track [Page 2]
^L
RFC 7225 PCP & NAT64 May 2014
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
3. Problem Statement
3.1. Issues
This document proposes a deterministic solution to solve the
following issues:
o Learn the Pref64::/n used by an upstream NAT64 function. This is
needed to help:
* distinguish between IPv4-converted IPv6 addresses [RFC6052] and
native IPv6 addresses.
* implement IPv6 address synthesis for applications not relying
on DNS (where DNS64 [RFC6147] would provide the synthesis).
o Avoid stale Pref64::/n values.
o Discover multiple Pref64::/n values when multiple prefixes exist
in a network.
o Use DNSSEC ([RFC4033], [RFC4034], [RFC4035]) in the presence of
NAT64.
o Discover the suffix used by a NAT64 function when non-null
suffixes are in use (e.g., checksum neutral suffix).
o Support destination-based Pref64::/n (e.g., Section 5.1 of
[RFC7050]).
o Associate a Pref64::/n with a given NAT64 when distinct prefixes
are configured for each NAT64 enabled in a network.
A more extensive discussion can be found at [RFC7051].
3.2. Use Cases
This section provides some use cases to illustrate the problem space.
More details can be found at Section 4 of [RFC7051].
Boucadair Standards Track [Page 3]
^L
RFC 7225 PCP & NAT64 May 2014
3.2.1. AAAA Synthesis by the DNS Stub-Resolver
The option defined in this document can be used for hosts with DNS64
capability [RFC6147] added to the host's stub-resolver.
The stub resolver on the host will try to obtain (native) AAAA
records, and if they are not found, the DNS64 function on the host
will query for A records and then synthesize AAAA records. Using the
PREFIX64 PCP extension, the host's stub-resolver can learn the prefix
used for IPv6/IPv4 translation and synthesize AAAA records
accordingly.
Because synthetic AAAA records cannot be successfully validated in a
host, learning the Pref64::/n used to construct IPv4-converted IPv6
addresses allows the use of DNSSEC. As discussed in Section 5.5 of
[RFC6147], a security-aware and validating host has to perform the
DNS64 function locally.
3.2.2. Application Referrals
As discussed in [REF-OBJECT], a frequently occurring situation is
that one entity A connected to a network needs to inform another
entity B how to reach either A itself or some third-party entity C.
This is known as address referral.
In the particular context of NAT64 [RFC6146], applications relying on
address referral will fail because an IPv6-only client won't be able
to make use of an IPv4 address received in a referral. A non-
exhaustive list of such applications is provided below:
o In SIP environments [RFC3261], the SDP part ([RFC4566]) of
exchanged SIP messages includes information required for
establishing RTP sessions (namely, IP address and port number).
When a NAT64 is involved in the path, an IPv6-only SIP User Agent
(UA) that receives an SDP offer/answer containing an IPv4 address
cannot send media streams to the remote endpoint.
o An IPv6-only WebRTC (Web Real-Time Communication [WebRTC]) agent
cannot make use of an IPv4 address received in referrals to
establish a successful session with a remote IPv4-only WebRTC
agent.
o BitTorrent is a distributed file-sharing infrastructure that is
based on peer-to-peer (P2P) techniques for exchanging files
between connected users. To download a given file, a BitTorrent
client needs to obtain the corresponding torrent file. Then, it
connects to a tracker to retrieve a list of "leechers" (clients
that are currently downloading the file but do not yet possess all
Boucadair Standards Track [Page 4]
^L
RFC 7225 PCP & NAT64 May 2014
portions of the file) and "seeders" (clients that possess all
portions of the file and are uploading them to other requesting
clients). The client connects to those machines and downloads the
available portions of the requested file. In the presence of an
address-sharing function (see Appendix A of [RFC6269]), some
encountered issues are solved if PCP is enabled (see
[PCP-BITTORRENT]). Nevertheless, an IPv6-only client cannot
connect to a remote IPv4-only machine even if the base PCP
protocol is used.
Learning the Pref64::/n solves the issues listed above.
4. PREFIX64 Option
4.1. Format
The format of the PREFIX64 option is depicted in Figure 1. This
option follows the guidelines specified in Section 7.3 of
[RFC6887].
This option allows the mapping of specific IPv4 address ranges
(contained in the IPv4 Prefix List) to separate Pref64::/n
prefixes as discussed in [RFC6147].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Option Code=129| Reserved | Option Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix64 Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
: Prefix64 (Variable) :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
: Suffix (Variable) :
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| (optional) |
: IPv4 Prefix List (Variable) :
| (See Figure 2) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Prefix64 PCP Option
Boucadair Standards Track [Page 5]
^L
RFC 7225 PCP & NAT64 May 2014
The description of the fields is as follows:
o Option Code: 129
o Reserved: This field is initialized as specified in Section 7.3 of
[RFC6887].
o Option Length: Indicates in octets the length of the enclosed
data.
o Prefix64 Length: Indicates in octets the length of the Pref64::/n.
The allowed values are specified in [RFC6052] (i.e., 4, 5, 6, 7,
8, or 12).
o Prefix64: This field identifies the IPv6 unicast prefix to be used
for constructing an IPv4-converted IPv6 address from an IPv4
address as specified in Section 2.2 of [RFC6052]. This prefix can
be the Well-Known Prefix (i.e., 64:ff9b::/96) or a Network-
Specific Prefix. The address synthesis MUST follow the guidelines
documented in [RFC6052].
o Suffix: The length of this field is (12 - Prefix64 Length) octets.
This field identifies the suffix to be used for constructing an
IPv4-converted IPv6 address from an IPv4 address as specified in
Section 2.2 of [RFC6052]. No suffix is included if a /96 Prefix64
is conveyed in the option.
o IPv4 Prefix List: This is an optional field. The format of the
IPv4 Prefix List field is shown in Figure 2. This field may be
included by a PCP server to solve the destination-dependent
Pref64::/n discovery problem discussed in Section 5.1 of
[RFC7050].
* IPv4 Prefix Count: indicates the number of IPv4 prefixes
included in the option. "IPv4 Prefix Count" field MUST be set
to 0 in a request and MUST be set to the number of included
IPv4 subnets in a response.
* An IPv4 prefix is represented as "IPv4 Address/IPv4 Prefix
Length" [RFC4632]. For example, to encode 192.0.2.0/24, "IPv4
Prefix Length" field is set to 24 and "IPv4 Address" field is
set to 192.0.2.0. If a Pref64::/n is configured for all IPv4
addresses, a wildcard IPv4 prefix (i.e., 0.0.0.0/0) may be
returned in the response together with the configured
Pref64::/n. If no IPv4 Prefix List is returned in a PREFIX64
option, the PCP client assumes the prefix is valid for any
destination IPv4 address. Valid IPv4 prefixes are listed in
Section 3.1 of [RFC4632].
Boucadair Standards Track [Page 6]
^L
RFC 7225 PCP & NAT64 May 2014
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 Prefix Count | IPv4 Prefix Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 Address (32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. .... .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 Prefix Length | IPv4 Address (32 bits)... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... IPv4 Address (continued) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Format of IPv4 Prefix List field
Option Name: PREFIX64
Value: 129
Purpose: Learn the prefix used by the NAT64 to build
IPv4-converted IPv6 addresses. This is used by a host for
local address synthesis (e.g., when an IPv4 address is present
in referrals).
Valid for Opcodes: MAP, ANNOUNCE
Length: Variable
May appear in: request, response.
Maximum occurrences: 1 for a request. As many as fit within the
maximum PCP message size for a response.
4.2. Server's Behavior
The PCP server controlling a NAT64 SHOULD be configured to return to
requesting PCP clients the value of the Pref64::/n and suffix used to
build IPv4-converted IPv6 addresses. When enabled, the PREFIX64
option conveys the value of the Pref64::/n and configured suffix. If
no suffix is explicitly configured to the PCP server, the null suffix
is used as the default value (see Section 2.2 of [RFC6052]).
If the PCP server is configured to honor the PREFIX64 option but no
Pref64::/n is explicitly configured, the PCP server MUST NOT include
any PREFIX64 option in its PCP messages.
Boucadair Standards Track [Page 7]
^L
RFC 7225 PCP & NAT64 May 2014
The PCP server controlling a NAT64 MAY be configured to include a
PREFIX64 option in all MAP responses even if the PREFIX64 option is
not listed in the associated request. The PCP server controlling a
NAT64 MAY be configured to include a PREFIX64 option in its ANNOUNCE
messages.
The PCP server MAY be configured with a list of destination IPv4
prefixes associated with a Pref64::/n. This list is then included by
the PCP server in a PREFIX64 option sent to PCP clients.
The PCP server MAY be configured to return multiple PREFIX64 options
in the same message to the PCP client. In such case, the server does
the following:
o If no destination IPv4 prefix list is configured, the PCP server
includes in the first PREFIX64 option, which appears in the PCP
message it sends to the PCP client, the prefix and suffix to
perform local IPv6 address synthesis [RFC6052]. Additional
PREFIX64 options convey any other Pref64::/n values configured.
Returning these prefixes allows an end host to identify all
synthesized IPv6 addresses in a network; the host can prefer IPv4
or another network interface instead in order to avoid any NAT64
deployed in the network. The PCP server is required to
disambiguate prefixes used for IPv6 address synthesis and other
prefixes used to avoid any NAT64 deployed in the network. The PCP
server can be configured with a customized IPv6 prefix list (i.e.,
specific to a PCP client or a group of PCP clients) or system-wide
IPv6 prefix list (i.e., the same list is returned for any PCP
client). Note, it is NOT RECOMMENDED to include PREFIX64 options
in ANNOUNCE messages if a customized IPv6 prefix list is
configured to the PCP server.
o If IPv4 prefix lists are configured, the PCP server includes in
the first PREFIX64 options the Pref64::/n and suffix that are
associated with an IPv4 prefix list (i.e., each of these PREFIX64
options conveys a distinct Pref64::/n together with an IPv4 prefix
list). Additional PREFIX64 options convey any other Pref64::/n
values configured (i.e., the remaining Pref64::/n values not
mapped to any IPv4 prefix list).
If a distinct Pref64::/n or suffix is configured to the PCP-
controlled NAT64 device, the PCP server SHOULD issue an unsolicited
PCP ANNOUNCE message to inform the PCP client about the new
Pref64::/n and/or suffix.
Boucadair Standards Track [Page 8]
^L
RFC 7225 PCP & NAT64 May 2014
4.3. Client's Behavior
The PCP client includes a PREFIX64 option in a MAP or ANNOUNCE
request to learn the IPv6 prefix and suffix used by an upstream PCP-
controlled NAT64 device. When enclosed in a PCP request, the
Prefix64 MUST be set to ::/96. The PREFIX64 option can be inserted
in a MAP request used to learn the external IP address as detailed in
Section 11.6 of [RFC6887].
The PCP client MUST be prepared to receive multiple prefixes (e.g.,
if several PCP servers are deployed and each of them is configured
with a distinct Pref64::/n). The PCP client MUST associate each
received Pref64::/n and suffix with the PCP server from which the
Pref64::/n and suffix information was retrieved.
If the PCP client fails to contact a given PCP server, the PCP client
SHOULD clear the prefix(es) and suffix(es) it learned from that PCP
server. For example, a PCP client may fail to contact a PCP server
if the host embedding the PCP client moves to a new network or if
that PCP server is out of service. The use of these stale prefixes
is not recommended to build an IPv4-converted IPv6 address because
failures are likely to be encountered (see [RFC7051], Section 3,
Issue #4).
If the PCP client receives a PREFIX64 option that includes an invalid
IPv4 prefix, the PCP client ignores that IPv4 prefix. If one or more
valid IPv4 prefixes and/or IPv6 prefixes and suffixes are present,
the PCP client uses them.
Upon receipt of the message from the PCP server, the PCP client
replaces any old prefix(es)/suffix(es) received from the same PCP
server with the new one(s) included in the PREFIX64 option(s). If no
PREFIX64 option includes a destination IPv4 prefix list, the host
embedding the PCP client uses the prefix/suffix included in the first
PREFIX64 option for local address synthesis. Other prefixes learned
can be used by the host to avoid any NAT64 deployed in the network.
If one or multiple received PREFIX64 options contain a destination
IPv4 prefix list, the PCP client MUST associate the included IPv4
prefixes with the Pref64::/n and the suffix indicated in the same
PREFIX64 option. In such case, the host embedding the PCP client
MUST enforce a destination-based prefix Pref64::/n selection for
local address synthesis purposes. How the content of the PREFIX64
option(s) is passed to the OS is implementation specific.
Upon receipt of an unsolicited PCP ANNOUNCE message, the PCP client
replaces the old prefix/suffix received from the same PCP server with
the new Pref64::/n and suffix included in the PREFIX64 option.
Boucadair Standards Track [Page 9]
^L
RFC 7225 PCP & NAT64 May 2014
5. Flow Examples
This section provides a non-normative description of use cases
relying on the PREFIX64 option.
5.1. TCP Session Initiated from an IPv6-Only Host
The usage shown in Figure 3 depicts a typical usage of the PREFIX64
option when a DNS64 capability is embedded in the host.
In the example shown in Figure 3, once the IPv6-only client discovers
the IPv4 address of the remote IPv4-only server (e.g., using DNS), it
retrieves the Pref64::/n (i.e., 2001:db8:122:300::/56) to be used to
build an IPv4-converted IPv6 address for that server. This retrieval
is achieved using the PREFIX64 option (Steps (a) and (b)). The
client then uses 2001:db8:122:300::/56 to construct an IPv6 address
and then initiates a TCP connection (Steps (1) to (4)).
+---------+ +-----+ +---------+
|IPv6-only| |NAT64| |IPv4-only|
| Client | | | | Server |
+---------+ +-----+ +---------+
| | |
| (a) PCP MAP Request | |
| PREFIX64 | |
|======================>| |
| (b) PCP MAP Response | |
| PREFIX64 = | |
| 2001:db8:122:300::/56 | |
|<======================| |
| (1) TCP SYN | (2) TCP SYN |
|======================>|====================>|
| (4) TCP SYN/ACK | (3) TCP SYN/ACK |
|<======================|<====================|
| (5) TCP ACK | (6) TCP ACK |
|======================>|====================>|
| | |
Note: The DNS exchange to retrieve the IPv4 address of
the IPv4-only Server is not shown in the figure.
Figure 3: Example of a TCP Session Initiated from an IPv6-Only Host
Boucadair Standards Track [Page 10]
^L
RFC 7225 PCP & NAT64 May 2014
5.2. SIP Flow Example
Figure 4 shows an example of the use of the option defined in Section
4 in a SIP context. In order for RTP/RTCP flows to be exchanged
between an IPv6-only SIP UA and an IPv4-only UA without requiring any
ALG (Application Level Gateway) at the NAT64 or any particular
function at the IPv4-only SIP Proxy Server (e.g., hosted NAT
traversal [LATCHING]), the PORT_SET option [PORT-SET] is used in
addition to the PREFIX64 option.
In steps (a) and (b), the IPv6-only SIP UA retrieves a pair of ports
to be used for RTP/RTCP sessions, the external IPv4 address and the
Pref64::/n to build IPv4-embedded IPv6 addresses. This is achieved
by issuing a MAP request that includes a PREFIX64 option and a
PORT_SET option. A pair of ports (i.e., port_X/port_X+1) and an
external IPv4 address (together with a Pref64::/n, i.e.,
2001:db8:122::/48) are then returned by the PCP server to the
requesting PCP client.
The returned external IPv4 address and external port numbers are used
by the IPv6-only SIP UA to build its SDP offer, which contains
exclusively IPv4 addresses. (Especially in the "c=" line, the port
indicated for the media port is the external port assigned by the PCP
server.) The INVITE request including the SDP offer is then
forwarded by the NAT64 to the Proxy Server, which will relay it to
the called party, i.e., the IPv4-only SIP UA (Steps (1) to (3)).
The remote IPv4-only SIP UA accepts the offer and sends back its SDP
answer in a "200 OK" message that is relayed by the SIP Proxy Server
and NAT64 until being delivered to the IPv6-only SIP UA (Steps (4) to
(6)).
The Pref64::/n (2001:db8:122::/48) is used by the IPv6-only SIP UA to
construct a corresponding IPv6 address of the IPv4 address enclosed
in the SDP answer made by the IPv4-only SIP UA (Step (6)).
The IPv6-only SIP UA and IPv4-only SIP UA are then able to exchange
RTP/RTCP flows without requiring any ALG at the NAT64 or any special
function at the IPv4-only SIP Proxy Server.
Boucadair Standards Track [Page 11]
^L
RFC 7225 PCP & NAT64 May 2014
+---------+ +-----+ +------------+ +---------+
|IPv6-only| |NAT64| | IPv4 SIP | |IPv4-only|
| SIP UA | | | |Proxy Server| | SIP UA |
+---------+ +-----+ +------------+ +---------+
| (a) PCP MAP Request | | |
| PORT_SET | | |
| PREFIX64 | | |
|======================>| | |
| (b) PCP MAP Response | | |
| PORT_SET | | |
| PREFIX64: | | |
| 2001:db8:122::/48 | | |
|<======================| | |
| (1) SIP INVITE | (2) SIP INVITE | (3) SIP INVITE |
|======================>|===============>|================>|
| (6) SIP 200 OK | (5) SIP 200 OK | (4) SIP 200 OK |
|<======================|<===============|<================|
| (7) SIP ACK | (8) SIP ACK | (9) SIP ACK |
|======================>|===============>|================>|
| | | |
|src port: dst port:|src port: dst port:|
|port_A port_B|port_X port_B|
|<======IPv6 RTP=======>|<============IPv4 RTP============>|
|<===== IPv6 RTCP======>|<============IPv4 RTCP===========>|
|src port: dst port:|src port: dst port:|
|port_A+1 port_B+1|port_X+1 port_B+1|
| | |
Figure 4: Example of IPv6 to IPv4 SIP-Initiated Session
When the session is initiated from the IPv4-only SIP UA (see Figure
5), the IPv6-only SIP UA retrieves a pair of ports to be used for the
RTP/RTCP session, the external IPv4 address and the Pref64::/n to
build IPv4-converted IPv6 addresses (Steps (a) and (b)). These two
steps could instead be delayed until the INVITE message is received
(Step (3)).
The retrieved IPv4 address and port numbers are used to build the SDP
answer in Step (4), while the Pref64::/n is used to construct an IPv6
address corresponding to the IPv4 address enclosed in the SDP offer
made by the IPv4-only SIP UA (Step (3)). RTP/RTCP flows are then
exchanged between the IPv6-only SIP UA and the IPv4-only UA without
requiring any ALG at the NAT64 or any special function at the
IPv4-only SIP Proxy Server.
Boucadair Standards Track [Page 12]
^L
RFC 7225 PCP & NAT64 May 2014
+---------+ +-----+ +------------+ +---------+
|IPv6-only| |NAT64| | IPv4 SIP | |IPv4-only|
| SIP UA | | | |Proxy Server| | SIP UA |
+---------+ +-----+ +------------+ +---------+
| (a) PCP MAP Request | | |
| PORT_SET | | |
| PREFIX64 | | |
|======================>| | |
| (b) PCP MAP Response | | |
| PORT_SET | | |
| PREFIX64: | | |
| 2001:db8:122::/48 | | |
|<======================| | |
| (3) SIP INVITE | (2) SIP INVITE | (1) SIP INVITE |
|<======================|<===============|<================|
| (4) SIP 200 OK | (5) SIP 200 OK | (6) SIP 200 OK |
|======================>|===============>|================>|
| (9) SIP ACK | (8) SIP ACK | (7) SIP ACK |
|<======================|<===============|<================|
| | | |
|src port: dst port:|src port: dst port:|
|port_a port_b|port_Y port_b|
|<======IPv6 RTP=======>|<============IPv4 RTP============>|
|<===== IPv6 RTCP======>|<============IPv4 RTCP===========>|
|src port: dst port:|src port: dst port:|
|port_a+1 port_b+1|port_Y+1 port_b+1|
| | |
Figure 5: Example of IPv4 to IPv6 SIP-Initiated Session
5.3. Mapping of IPv4 Address Ranges to IPv6 Prefixes
Figure 6 shows an example of a NAT64 configured with two Pref64::/n
values; each of these Pref64::/n values is associated with a distinct
IPv4 address range:
o 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
o 198.51.100.0/24 is mapped to 2001:db8:122::/48.
Once the IPv6-only client discovers the IPv4 address of the remote
IPv4-only server (i.e., 198.51.100.1), it retrieves two IPv6 prefixes
to be used to build an IPv4-converted IPv6 addresses. This retrieval
is achieved using two PREFIX64 options (Step (b)).
Boucadair Standards Track [Page 13]
^L
RFC 7225 PCP & NAT64 May 2014
Because 198.51.100.1 matches the destination prefix 198.51.100.0/24,
the client uses the associated Pref64::/n (i.e., 2001:db8:122::/48)
to construct an IPv6 address for that IPv4-only server, and then it
initiates a TCP connection (Steps (1) to (6)).
+---------+ +-----+ +---------+
|IPv6-only| |NAT64| |IPv4-only|
| Client | | | | Server |
+---------+ +-----+ +---------+
| | 198.51.100.1
| (a) PCP MAP Request | |
| PREFIX64 | |
|=================================>| |
| (b) PCP MAP Response | |
|PREFIX64{ | |
| Pref64::/n =2001:db8:122:300::/56| |
| IPv4 Prefix=192.0.2.0/24} | |
|PREFIX64{ | |
| Pref64::/n =2001:db8:122::/48 | |
| IPv4 Prefix=198.51.100.0/24} | |
|<=================================| |
| (1) TCP SYN | (2) TCP SYN |
|=================================>|====================>|
| (4) TCP SYN/ACK | (3) TCP SYN/ACK |
|<=================================|<====================|
| (5) TCP ACK | (6) TCP ACK |
|=================================>|====================>|
| | |
Note: The DNS exchange to retrieve the IPv4 address of
the IPv4-only Server is not shown in the figure.
Figure 6: Mapping of IPv4 Address Ranges to IPv6 Prefixes
A similar behavior is to be experienced if these Pref64::/n values
and associated IPv4 prefix lists are configured to distinct NAT64
devices.
6. IANA Considerations
The following PCP Option Code has been allocated in the optional-to-
process range (the registry is maintained in
http://www.iana.org/assignments/pcp-parameters):
PREFIX64 set to 129 (see Section 4.1)
Boucadair Standards Track [Page 14]
^L
RFC 7225 PCP & NAT64 May 2014
7. Security Considerations
PCP-related security considerations are discussed in [RFC6887].
As discussed in [RFC6147], if an attacker can manage to change the
Pref64::/n used by the DNS64 function, the traffic generated by the
host that receives the synthetic reply will be delivered to the
altered Pref64. This can result in either a denial-of-service (DoS)
attack, a flooding attack, or a man-in-the-middle (MITM) attack.
This attack could be achieved either by altering PCP messages issued
by a legitimate PCP server or by using a fake PCP server.
Means to defend against attackers who can modify packets between the
PCP server and the PCP client, or who can inject spoofed packets that
appear to come from a legitimate PCP server, SHOULD be enabled. In
some deployments, access control lists (ACLs) can be installed on the
PCP client, PCP server, and the network between them, so those ACLs
allow only communications from a trusted PCP server to the PCP
client.
PCP server discovery is out of scope for this document. It is the
responsibility of documents about PCP server discovery to elaborate
on the security considerations to discover a legitimate PCP server.
Learning a Pref64::/n via PCP allows using DNSSEC in the presence of
NAT64. As such, NAT64 with DNSSEC and PCP is better than no DNSSEC
at all, but it is less safe than DNSSEC without DNS64/NAT64 and PCP.
The best mitigation action against Pref64::/n discovery attacks is
thus to add IPv6 support in all endpoints and hence reduce the need
to perform IPv6 address synthesis.
8. Acknowledgements
Many thanks to S. Perreault, R. Tirumaleswar, T. Tsou, D. Wing, J.
Zhao, R. Penno, I. van Beijnum, T. Savolainen, S. Savikumar, D.
Thaler, T. Lemon, S. Hanna, P. Resnick, R. Sparks, S. Farrell, and W.
Cui for their comments and suggestions.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing
(CIDR): The Internet Address Assignment and Aggregation
Plan", BCP 122, RFC 4632, August 2006.
Boucadair Standards Track [Page 15]
^L
RFC 7225 PCP & NAT64 May 2014
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
October 2010.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, April 2011.
[RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van
Beijnum, "DNS64: DNS Extensions for Network Address
Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
April 2011.
[RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
2013.
9.2. Informative References
[PCP-BITTORRENT]
Boucadair, M., Zheng, T., Deng, X., and J. Queiroz,
"Behavior of BitTorrent service in PCP-enabled networks
with Address Sharing", Work in Progress, May 2012.
[EXPERIMENTS]
Abdesselam, M., Boucadair, M., Hasnaoui, A., and J.
Queiroz, "PCP NAT64 Experiments", Work in Progress,
September 2012.
[REF-OBJECT]
Carpenter, B., Jiang, S., and Z. Cao, "Problem Statement
for Referral", Work in Progress, February 2011.
[LATCHING] Ivov, E., Kaplan, H., and D. Wing, "Latching: Hosted NAT
Traversal (HNT) for Media in Real-Time Communication",
Work in Progress, May 2014.
[PORT-SET] Qiong, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou,
T., and S. Perreault, "Port Control Protocol (PCP)
Extension for Port Set Allocation", Work in Progress,
November 2013.
[WebRTC] Alvestrand, H., "Overview: Real Time Protocols for Brower-
based Applications", Work in Progress, February 2014.
Boucadair Standards Track [Page 16]
^L
RFC 7225 PCP & NAT64 May 2014
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, July 2006.
[RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
Roberts, "Issues with IP Address Sharing", RFC 6269, June
2011.
[RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
the IPv6 Prefix Used for IPv6 Address Synthesis", RFC
7050, November 2013.
[RFC7051] Korhonen, J. and T. Savolainen, "Analysis of Solution
Proposals for Hosts to Learn NAT64 Prefix", RFC 7051,
November 2013.
Author's Address
Mohamed Boucadair
France Telecom
Rennes 35000
France
EMail: mohamed.boucadair@orange.com
Boucadair Standards Track [Page 17]
^L
|
