Internet Engineering Task Force (IETF)                       T. Anderson
Request for Comments: 7757                                Redpill Linpro
Updates: 6145                                            A. Leiva Popper
Category: Standards Track                                     NIC Mexico
ISSN: 2070-1721                                            February 2016
Explicit Address Mappings for Stateless IP/ICMP Translation
Abstract
This document extends the Stateless IP/ICMP Translation Algorithm
(SIIT) with an Explicit Address Mapping (EAM) algorithm and formally
updates RFC 6145. The EAM algorithm facilitates stateless IP/ICMP
translation between arbitrary (non-IPv4-translatable) IPv6 endpoints
and IPv4.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7757.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Anderson & Leiva Popper Standards Track [Page 1]
RFC 7757 SIIT Explicit Address Mappings February 2016
Table of Contents
1. Introduction
  1.1. Terminology
2. Problem Statement
3. Explicit Address Mapping Algorithm
  3.1. Explicit Address Mapping Table
  3.2. Explicit Address Mapping Specification
  3.3. IP Address Translation Procedure
    3.3.1. Address Translation Steps: IPv4 to IPv6
    3.3.2. Address Translation Steps: IPv6 to IPv4
4. Hairpinning of IPv6 Traffic
  4.1. Problem Statement
  4.2. Recommendation
    4.2.1. Simple Hairpinning Support
    4.2.2. Intrinsic Hairpinning Support
5. Overlapping Explicit Address Mappings
6. Lack of Checksum Neutrality
7. Security Considerations
8. References
  8.1. Normative References
  8.2. Informative References
Appendix A. Use Cases
  A.1. 464XLAT
  A.2. IVI
  A.3. SIIT-DC
Appendix B. Example IP Address Translations
  B.1. Hairpinning Examples
Acknowledgements
Authors' Addresses
1. Introduction
The Stateless IP/ICMP Translation Algorithm (SIIT) [RFC6145]
specifies that when translating IPv4 addresses to IPv6 and vice
versa, all addresses must be translated using the algorithm specified
in [RFC6052]. This document specifies an alternative to the
algorithm specified in [RFC6052], where IP addresses are translated
according to a table of Explicit Address Mappings configured on the
stateless translator. This removes the previous constraint that IPv6
nodes that communicate with IPv4 nodes through SIIT must be
configured with IPv4-translatable IPv6 addresses.
Translation using the Explicit Address Mapping Table does not replace
[RFC6052]. For most use cases, it is expected that both algorithms
are used in concert. The Explicit Address Mapping algorithm is used
only when a mapping matching the address to be translated exists. If
no matching mapping exists, the algorithm specified in [RFC6052] will
be used instead. Thus, when translating an individual IP packet, an
SIIT implementation might translate one of the two IP address fields
according to an EAM, while the other IP address field is translated
according to [RFC6052].
1.1. Terminology
This document makes use of the following terms:
EAM:
An Explicit Address Mapping, as specified in Section 3.2.
EAMT:
The Explicit Address Mapping Table, as specified in Section 3.1.
Inner (header or address):
Refers to an IP header located inside the payload of an ICMP error
packet or to an IP address within that header. Compare with
"Outer".
Outer (header or address):
Refers to the first IP header in a packet or to an IP address
within that header. In other words, an IP header or address that
is NOT "Inner". If a reference is made to an IP header or address
without the "Inner" or "Outer" qualifier, it should be considered
as "Outer".
SIIT:
The Stateless IP/ICMP Translation Algorithm, as specified in
[RFC6145].
XLAT:
Short for "translation".
IPv4-Converted IPv6 Addresses:
As defined in Section 1.3 of [RFC6052].
IPv4-Translatable IPv6 Addresses:
As defined in Section 1.3 of [RFC6052].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Problem Statement
Section 3.2.1 of [RFC6144] notes that "stateless translation
mechanisms typically put constraints on what IPv6 addresses can be
assigned to IPv6 nodes that want to communicate with IPv4
destinations using an algorithmic mapping." In practice, this means
that the IPv6 nodes must be configured with IPv4-translatable IPv6
addresses. For the reasons discussed below, some environments may
find that the use of IPv4-translatable IPv6 addresses is not desired
or even possible.
Limited availability:
The number of IPv4-translatable IPv6 addresses available to an
operator is equal to the number of IPv4 addresses that are assigned
to the SIIT function. IPv4 addresses are scarce, and as a result,
an operator might not have enough IPv4-translatable IPv6 addresses
to number the entire IPv6 infrastructure.
Restricted format:
IPv4-translatable IPv6 addresses must conform to the format
specified in Section 2.2 of [RFC6052]. This format is not
compatible with other common IPv6 address formats, such as the
IPv6 address format based on the 64-bit Extended Unique Identifier
(EUI-64) and used by IPv6 Stateless Address Autoconfiguration
[RFC4862].
An operator could overcome the above two problems by building an IPv6
network using regular (non-IPv4-translatable) IPv6 addresses and
assigning IPv4-translatable IPv6 addresses as secondary addresses on
the nodes that want to communicate with IPv4 nodes through SIIT only.
However, doing so may result in a new set of undesired consequences:
Routing complexity:
The IPv4-translatable IPv6 addresses must be routed throughout the
IPv6 network separately from the primary (non-IPv4-translatable)
IPv6 addresses used by the nodes. It might be impossible to
aggregate these routes, as two adjacent IPv4-translatable IPv6
addresses might not be assigned to two adjacent IPv6 nodes. As a
result, in order to support SIIT, the IPv6 network might need to
carry a large number of extraneous routes. These routes must be
separately injected into the IPv6 routing topology somehow. Any
intermediate devices in the IPv6 network such as a firewall might
require special configuration in order to treat the
IPv4-translatable IPv6 address the same as the primary IPv6
address, for example, by requiring that any Access Control List
(ACL) entries involving the primary IPv6 address of a node must be
duplicated.
Operational complexity:
The IPv4-translatable IPv6 addresses not only have to be assigned
to the IPv6 nodes participating in SIIT, but also all applications
and services on those nodes must be configured to use them. For
example, if the IPv6 node is a load balancer, it might require a
separate virtual server definition using the IPv4-translatable
IPv6 address in addition to one using the service's primary IPv6
address. A web server might require specific configuration to
listen for connections on both the IPv4-translatable and the
primary IPv6 address. A high-availability cluster service must be
set up to fail over both addresses between cluster nodes, and
depending on how the IPv6 network learns the location of the
IPv4-translatable IPv6 address, the fail-over mechanism used for
the two addresses might be completely different. Service
monitoring must be done for both the IPv4-translatable and the
primary IPv6 address, and any troubleshooting procedures must be
extended to involve both addresses. Finally, the Default Address
Selection Policy Table [RFC6724] on the IPv6 nodes might need to
be altered in order to ensure that outbound sessions towards the
IPv4 Internet are sourced from an IPv4-translatable IPv6 address.
In short, the use of IPv4-translatable IPv6 addresses in parallel
with regular IPv6 addresses is in many ways analogous to the use of
dual stack [RFC4213]. While no actual IPv4 packets are used, the
IPv4-translatable IPv6 addresses create a secondary "stack" in the
infrastructure that must be treated and operated separately from the
primary one. This increases the complexity of the overall
infrastructure, in turn increasing operational overhead and reducing
reliability. An operator who for such reasons finds the use of dual
stack unappealing might feel the same way about using SIIT with
IPv4-translatable IPv6 addresses.
3. Explicit Address Mapping Algorithm
This normative section defines the EAM algorithm and formally updates
Sections 4.1 and 5.1 of [RFC6145]. Specifically, when the EAM
algorithm is applied, it supplants the requirement in [RFC6145] that
states that a translator operating in the stateless mode must
translate the Source Address and Destination Address IP header fields
according to Section 2.3 of [RFC6052].
3.1. Explicit Address Mapping Table
An SIIT implementation includes an EAMT, a conceptual table in which
each row represents an EAM. Each EAM describes a mapping between
IPv4 and IPv6 prefixes/addresses. An operator populates the EAMT to
provide the mappings between the two address families.
The EAMT consists of the following columns:
o IPv4 Prefix
o IPv6 Prefix
SIIT implementations MAY include other columns in order to support
proprietary extensions to the EAM algorithm.
Throughout this document, figures representing the EAMT contain an
Index column using the pound sign as the header. This column is not
a required part of this specification; it is included only as a
convenience to the reader.
3.2. Explicit Address Mapping Specification
An EAM consists of an IPv4 prefix and an IPv6 prefix. The prefix
length MAY be omitted, in which case the implementation MUST assume
it to be 32 for IPv4 and 128 for IPv6. Figure 1 illustrates an EAMT
containing examples of valid EAMs.
+---+----------------+----------------------+
| # | IPv4 Prefix | IPv6 Prefix |
+---+----------------+----------------------+
| 1 | 192.0.2.1 | 2001:db8:aaaa:: |
| 2 | 192.0.2.2/32 | 2001:db8:bbbb::b/128 |
| 3 | 192.0.2.16/28 | 2001:db8:cccc::/124 |
| 4 | 192.0.2.128/26 | 2001:db8:dddd::/64 |
| 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
| 6 | 192.0.2.224/31 | 64:ff9b::/127 |
+---+----------------+----------------------+
Figure 1: Example EAMT
An EAM's IPv4 prefix value MUST have an identical or smaller number
of suffix bits than its corresponding IPv6 prefix value.
Unless otherwise specified in Section 4, an SIIT implementation MUST
individually translate each IP address it encounters in the packet's
IP headers (including any IP headers contained within ICMP errors)
according to Section 3.3.
3.3. IP Address Translation Procedure
This section describes step by step how an SIIT implementation
translates addresses between IPv4 and IPv6. Only the outcome of the
algorithm described should be considered normative, that is, an SIIT
implementation may implement the exact procedure differently than
what is described here, but the outcome of the algorithm MUST be the
same.
For concrete examples of IP address translations, refer to
Appendix B.
3.3.1. Address Translation Steps: IPv4 to IPv6
1. The IPv4 prefix column of the EAMT is searched for the EAM entry
that shares the longest common prefix with the IPv4 address being
translated. The IPv4 prefix and IPv6 prefix values of the EAM
entry found are from now on referred to as EAM4 and EAM6,
respectively.
2. If no matching EAM entry is found, the EAM algorithm is aborted.
The SIIT implementation MUST proceed to translate the address in
accordance with [RFC6145] (and its updates).
3. The prefix bits of EAM4 are removed from the IPv4 address being
translated. The remaining suffix bits from the IPv4 address
being translated are stored in a temporary buffer.
4. The prefix bits of EAM6 are prepended to the temporary buffer.
5. If the temporary buffer at this point does not contain a 128-bit
value, it is padded with trailing zeros so that it reaches a
length of 128 bits.
6. The contents of the temporary buffer is the translated IPv6
address.
3.3.2. Address Translation Steps: IPv6 to IPv4
1. The IPv6 prefix column of the EAMT is searched for the EAM entry
that shares the longest common prefix with the IPv6 address being
translated. The IPv4 prefix and IPv6 prefix values of the EAM
entry found are from now on referred to as EAM4 and EAM6,
respectively.
2. If no matching EAM entry is found, the EAM algorithm is aborted.
The SIIT implementation MUST proceed to translate the address in
accordance with [RFC6145] (and its updates).
3. The prefix bits of EAM6 are removed from the IPv6 address being
translated. The remaining suffix bits from the IPv6 address
being translated are stored in a temporary buffer.
4. The prefix bits of EAM4 are prepended to the temporary buffer.
5. If the temporary buffer at this point does not contain a 32-bit
value, any trailing bits are discarded so that the buffer is
reduced to a length of 32 bits.
6. The contents of the temporary buffer is the translated IPv4
address.
4. Hairpinning of IPv6 Traffic
4.1. Problem Statement
Two IPv6 nodes that are both covered by EAMs might in certain
circumstances attempt to communicate through a stateless translator
rather than using native IPv6 directly. This happens if one of the
nodes initiates traffic towards the IPv4-converted IPv6 address whose
embedded IPv4 address matches an EAM that covers the other node.
Special consideration is required in order to make this communication
pattern work in a bidirectional fashion. This is illustrated by the
example below.
Assume that a stateless translator is configured with a translation
prefix of 64:ff9b::/96 (per [RFC6052]) and the EAMT shown in
Figure 1. The IPv6 node 2001:db8:aaaa:: transmits an IPv6 packet
towards 64:ff9b::192.0.2.2, which reaches the translator and is
translated into an IPv4 packet with source address 192.0.2.1 and
destination address 192.0.2.2. This destination address is found in
the EAMT, so the packet loops back into the translation function and
is translated back to an IPv6 packet with source address
2001:db8:aaaa:: and destination address 2001:db8:bbbb::b.
While this packet will reach its destination just fine, a problem
will occur when 2001:db8:bbbb::b responds to it. The response packet
will have a source address of 2001:db8:bbbb::b and a destination
address of 2001:db8:aaaa:: and will be routed directly to its
destination without being subjected to any form of translation.
Because the source address of this response packet (2001:db8:bbbb::b)
is not equal to the destination address of the initial outgoing
packet (64:ff9b::192.0.2.2), the packet will most likely be discarded
by 2001:db8:aaaa::, and bidirectional communication will most likely
fail.
The above scenario could be made to work by ensuring that the
stateless translator is hairpinning the traffic in both directions.
Section 4.2 describes how this is accomplished. The resulting
address translations are demonstrated step by step in Appendix B.1.
4.2. Recommendation
An SIIT implementation SHOULD include a feature that ensures that
hairpinned IPv6 traffic is supported. The feature SHOULD be enabled
by default. The following two subsections describe two alternate
ways to implement this feature. An implementation MAY support both
approaches.
4.2.1. Simple Hairpinning Support
When the simple hairpinning feature is enabled, the translator
employs the following rules when translating from IPv4 to IPv6:
1. If the packet is not an ICMPv4 error: The EAM algorithm MUST NOT
be used in order to translate the source address in the IPv4
header.
2. If the packet is an ICMPv4 error: The EAM algorithm MUST NOT be
used when translating the destination address in the inner IPv4
header.
3. If the packet is an ICMPv4 error whose outer IPv4 source address
is equal to its inner IPv4 destination address: The EAM algorithm
MUST NOT be used in order to translate the source address in the
outer IPv4 header.
Rules #2 and #3 are cumulative.
The addresses in question MUST instead be translated according to
[RFC6145], as if they did not match any EAM.
4.2.2. Intrinsic Hairpinning Support
When the intrinsic hairpinning feature is enabled, the translator
employs the following rules after having translated an IPv6 packet to
IPv4:
If all the conditions in either of the two sets below are true, the
packet is to be hairpinned. The implementation MUST immediately
(i.e., prior to forwarding it to the IPv4 network) translate the
packet back to IPv6. During the second translation pass, the
behavior specified in Section 4.2.1 MUST be applied, and the Hop
Limit field SHOULD NOT be decremented.
Condition set A:
A1. The packet is not an ICMPv4 error.
A2. The destination address was translated using the algorithm in
[RFC6052].
A3. The destination address is found in the EAMT.
Condition set B:
B1. The packet is an ICMPv4 error.
B2. The inner source address was translated using the algorithm
in [RFC6052].
B3. The inner source address is found in the EAMT.
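The address translation steps of Section 3.3 and the hairpinning rules of Section 4.2, as an added Python example that is not part of the RFC or of any SIIT implementation. It loads the EAMT from Figure 1, implements only the /96 form of [RFC6052], and handles only packets that are not ICMP errors (condition set A with simple hairpinning rule 1); all function names are illustrative assumptions.

```python
import ipaddress as ipa

# EAMT from Figure 1; an omitted prefix length means /32 or /128 (Section 3.2).
EAMT = [(ipa.ip_network(v4), ipa.ip_network(v6)) for v4, v6 in [
    ("192.0.2.1", "2001:db8:aaaa::"),
    ("192.0.2.2/32", "2001:db8:bbbb::b/128"),
    ("192.0.2.16/28", "2001:db8:cccc::/124"),
    ("192.0.2.128/26", "2001:db8:dddd::/64"),
    ("192.0.2.192/29", "2001:db8:eeee:8::/62"),
    ("192.0.2.224/31", "64:ff9b::/127"),
]]
# Translation prefix used in the page's examples; only this /96 form of
# RFC 6052 is implemented here (assumption of this example).
PREFIX_6052 = ipa.ip_network("64:ff9b::/96")


def lookup(addr, column):
    """Step 1: longest-prefix match in one EAMT column (0 = IPv4, 1 = IPv6)."""
    hits = [row for row in EAMT if addr in row[column]]
    return max(hits, key=lambda row: row[column].prefixlen, default=None)


def geometry(eam4, eam6):
    """Width of the IPv4 suffix and its bit offset from the end of an IPv6 address.

    The offset is never negative because Section 3.2 requires EAM4 to have
    no more suffix bits than EAM6.
    """
    suffix_len = 32 - eam4.prefixlen
    return suffix_len, 128 - eam6.prefixlen - suffix_len


def xlat_4to6(addr, use_eam=True):
    """Section 3.3.1. Returns (IPv6Address, translated_by_eam)."""
    addr = ipa.IPv4Address(addr)
    row = lookup(addr, 0) if use_eam else None
    if row is None:  # step 2: no EAM, embed the address per RFC 6052
        return ipa.IPv6Address(int(PREFIX_6052.network_address) | int(addr)), False
    suffix_len, shift = geometry(*row)
    suffix = int(addr) & ((1 << suffix_len) - 1)  # step 3: strip EAM4's prefix
    # Steps 4-5: the suffix follows EAM6's prefix bits; trailing bits stay zero.
    return ipa.IPv6Address(int(row[1].network_address) | (suffix << shift)), True


def xlat_6to4(addr):
    """Section 3.3.2. Returns (IPv4Address, translated_by_eam)."""
    addr = ipa.IPv6Address(addr)
    row = lookup(addr, 1)
    if row is None:  # step 2: no EAM, extract the embedded address per RFC 6052
        if addr not in PREFIX_6052:
            raise ValueError(f"{addr}: no EAM and outside {PREFIX_6052}")
        return ipa.IPv4Address(int(addr) & 0xFFFFFFFF), False
    suffix_len, shift = geometry(*row)
    # Steps 3 and 5: keep the suffix_len bits that follow EAM6's prefix and
    # discard everything after them.
    suffix = (int(addr) >> shift) & ((1 << suffix_len) - 1)
    return ipa.IPv4Address(int(row[0].network_address) | suffix), True


def forward_from_ipv6(src6, dst6):
    """Translate the outer addresses of an IPv6 packet that is not an ICMP error.

    Returns ("ipv4", src, dst) for normal forwarding, or ("ipv6", src, dst)
    when the packet is hairpinned (Section 4.2.2, condition set A).
    """
    src4, _ = xlat_6to4(src6)
    dst4, dst_by_eam = xlat_6to4(dst6)
    # A1 holds by assumption; A2: destination came from RFC 6052;
    # A3: the resulting IPv4 destination is found in the EAMT.
    if not dst_by_eam and lookup(dst4, 0) is not None:
        # Second pass applies Section 4.2.1 rule 1: the source address is
        # translated per RFC 6052 even though it matches an EAM.
        return "ipv6", xlat_4to6(src4, use_eam=False)[0], xlat_4to6(dst4)[0]
    return "ipv4", src4, dst4


if __name__ == "__main__":
    # The exchange from Section 4.1, request then reply.
    print(forward_from_ipv6("2001:db8:aaaa::", "64:ff9b::192.0.2.2"))
    print(forward_from_ipv6("2001:db8:bbbb::b", "64:ff9b::192.0.2.1"))
```

With hairpinning in both directions, the reply's source address equals the destination address of the initial packet, which is the condition Section 4.1 says is otherwise violated.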
5. Overlapping Explicit Address Mappings
The algorithm specified in Section 3 relies on making a lookup in the
EAMT in order to find the EAM entry that shares the longest common
prefix with the address being translated. Operators should note that
configuring EAMs with overlapping or identical IPv4 or IPv6 prefixes
in the EAMT may create configurations where the IPv4-to-IPv6 and
IPv6-to-IPv4 address translations will not be symmetric. This may in
some cases make bidirectional communication impossible.
EAM #1 in the example EAMT (Figure 2) could be thought of as
implementing IVI (Appendix A.2), while EAM #2 introduces a single
exception in the style of SIIT-DC (Appendix A.3). The IPv4 prefixes
of the two EAMs overlap, while the IPv6 prefixes do not. This
results in a situation where the IPv6 address
2001:db8:ffc6:3364:4000:: will be translated (according to EAM #1) to
the IPv4 address 198.51.100.64. However, when this IPv4 address is
translated back to IPv6, it will be translated (according to EAM #2)
to the IPv6 address 2001:db8::abcd. Because the IPv4-to-IPv6
translation in this example does not mirror the corresponding IPv6-
to-IPv4 translation, bidirectional communication involving the IPv6
address 2001:db8:ffc6:3364:4000:: might fail. In order to help avoid
such situations, implementations MAY warn the operator when a new EAM
that overlaps with a previously existing one is inserted into the
EAMT.
+---+------------------+--------------------+
| # | IPv4 Prefix | IPv6 Prefix |
+---+------------------+--------------------+
| 1 | 0.0.0.0/0 | 2001:db8:ff00::/40 |
| 2 | 198.51.100.64/32 | 2001:db8::abcd/128 |
+---+------------------+--------------------+
Figure 2: EAMT Containing Overlapping IPv4 Prefixes
In Figure 3, the IPv6 prefixes of the two EAMs are identical. The
behavior of the stateless translator when translating an IPv6 packet
that contains the address 2001:db8::1 to IPv4 is in this case
unspecified. In order to prevent this situation from occurring,
implementations MAY refuse to insert a new EAM, whose IPv4 or IPv6
prefix value is identical to that of an already existing EAM, into
the EAMT.
+---+-----------------+-----------------+
| # | IPv4 Prefix | IPv6 Prefix |
+---+-----------------+-----------------+
| 1 | 198.51.100.8/32 | 2001:db8::1/128 |
| 2 | 198.51.100.9/32 | 2001:db8::1/128 |
+---+-----------------+-----------------+
Figure 3: EAMT Containing Identical IPv6 Prefixes
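One way an implementation could act on the two MAY clauses above when an operator inserts an EAM, together with the suffix-bit requirement of Section 3.2, as an added Python example that is not part of the RFC. The names insert_eam, load and EamtError are illustrative assumptions, and refusing identical prefixes while only warning on overlaps is this example's policy choice.

```python
import ipaddress as ipa

# Rows of Figure 2 (overlapping IPv4 prefixes) and Figure 3 (identical IPv6 prefixes).
FIGURE_2 = [("0.0.0.0/0", "2001:db8:ff00::/40"),
            ("198.51.100.64/32", "2001:db8::abcd/128")]
FIGURE_3 = [("198.51.100.8/32", "2001:db8::1/128"),
            ("198.51.100.9/32", "2001:db8::1/128")]


class EamtError(ValueError):
    """The EAM was refused and the table is unchanged."""


def insert_eam(eamt, v4_prefix, v6_prefix):
    """Validate an EAM and append it to eamt, a list of (IPv4Network, IPv6Network).

    Returns a list of overlap warnings for the operator. Raises EamtError when
    the EAM breaks the Section 3.2 suffix rule or repeats an existing prefix.
    """
    # The constructors default an omitted length to /32 or /128 and reject
    # prefixes that have host bits set.
    new = (ipa.IPv4Network(v4_prefix), ipa.IPv6Network(v6_prefix))
    v4_suffix = 32 - new[0].prefixlen
    v6_suffix = 128 - new[1].prefixlen
    if v4_suffix > v6_suffix:
        raise EamtError(f"{new[0]} has {v4_suffix} suffix bits, "
                        f"more than the {v6_suffix} of {new[1]}")
    warnings = []
    for index, old in enumerate(eamt, start=1):
        for column, family in enumerate(("IPv4", "IPv6")):
            if new[column] == old[column]:
                # Identical prefixes make the lookup result unspecified.
                raise EamtError(f"{family} prefix {new[column]} "
                                f"is identical to that of EAM #{index}")
            if new[column].overlaps(old[column]):
                # Overlap can make the two translation directions asymmetric.
                warnings.append(f"{family} prefix {new[column]} overlaps "
                                f"EAM #{index} ({old[column]})")
    eamt.append(new)
    return warnings


def load(rows):
    """Insert rows in order; return (eamt, warnings, refusals)."""
    eamt, warnings, refusals = [], [], []
    for v4_prefix, v6_prefix in rows:
        try:
            warnings += insert_eam(eamt, v4_prefix, v6_prefix)
        except EamtError as exc:
            refusals.append(str(exc))
    return eamt, warnings, refusals


if __name__ == "__main__":
    for name, rows in (("Figure 2", FIGURE_2), ("Figure 3", FIGURE_3)):
        eamt, warnings, refusals = load(rows)
        print(name, len(eamt), "EAMs;", warnings, refusals)
```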
6. Lack of Checksum Neutrality
When one or both of the address fields in an IP/ICMP packet are
translated according to the EAM algorithm, the translation cannot be
relied upon to be checksum neutral, even if the well-known prefix
64:ff9b::/96 is used. This consideration is discussed in more detail
in Section 4.1 of [RFC6052].
7. Security Considerations
The EAM algorithm does not introduce any new security issues beyond
those that are already discussed in Section 7 of [RFC6145].
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
DOI 10.17487/RFC6052, October 2010,
<http://www.rfc-editor.org/info/rfc6052>.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
<http://www.rfc-editor.org/info/rfc6145>.
8.2. Informative References
[RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
for IPv6 Hosts and Routers", RFC 4213,
DOI 10.17487/RFC4213, October 2005,
<http://www.rfc-editor.org/info/rfc4213>.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862,
DOI 10.17487/RFC4862, September 2007,
<http://www.rfc-editor.org/info/rfc4862>.
[RFC6144] Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
IPv4/IPv6 Translation", RFC 6144, DOI 10.17487/RFC6144,
April 2011, <http://www.rfc-editor.org/info/rfc6144>.
[RFC6219] Li, X., Bao, C., Chen, M., Zhang, H., and J. Wu, "The
China Education and Research Network (CERNET) IVI
Translation Design and Deployment for the IPv4/IPv6
Coexistence and Transition", RFC 6219,
DOI 10.17487/RFC6219, May 2011,
<http://www.rfc-editor.org/info/rfc6219>.
[RFC6724] Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown,
"Default Address Selection for Internet Protocol Version 6
(IPv6)", RFC 6724, DOI 10.17487/RFC6724, September 2012,
<http://www.rfc-editor.org/info/rfc6724>.
[RFC6791] Li, X., Bao, C., Wing, D., Vaithianathan, R., and G.
Huston, "Stateless Source Address Mapping for ICMPv6
Packets", RFC 6791, DOI 10.17487/RFC6791, November 2012,
<http://www.rfc-editor.org/info/rfc6791>.
[RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
Combination of Stateful and Stateless Translation",
RFC 6877, DOI 10.17487/RFC6877, April 2013,
<http://www.rfc-editor.org/info/rfc6877>.
[RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
DOI 10.17487/RFC7335, August 2014,
<http://www.rfc-editor.org/info/rfc7335>.
[RFC7755] Anderson, T., "SIIT-DC: Stateless IP/ICMP Translation for
IPv6 Data Center Environments", RFC 7755,
DOI 10.17487/RFC7755, February 2016,
<http://www.rfc-editor.org/info/rfc7755>.
Appendix A. Use Cases
The following subsections describe some use cases that at the time of
writing leverage SIIT with the EAM algorithm.
A.1. 464XLAT
When the customer-side translator (CLAT) component in the 464XLAT
[RFC6877] architecture does not have a dedicated IPv6 prefix
assigned, it may instead use "one interface IPv6 address that is
claimed by the CLAT." This IPv6 address might not be
IPv4-translatable. If this is the case, the CLAT essentially
implements the EAM algorithm using an EAMT as follows (assuming the
CLAT's IPv4 address is picked from the IPv4 Service Continuity Prefix
[RFC7335]):
+---+--------------+-------------------------------+
| # | IPv4 Prefix | IPv6 Prefix |
+---+--------------+-------------------------------+
| 1 | 192.0.0.1/32 | CLAT_claimed_IPv6_address/128 |
+---+--------------+-------------------------------+
Figure 4: Example EAMT for a 464XLAT CLAT
In this particular use case, the EAM algorithm is used to translate
IPv6 destination addresses to IPv4, and conversely, IPv4 source
addresses to IPv6. Other addresses are translated using [RFC6052].
A.2. IVI
IVI [RFC6219] describes a stateless translation model that embeds
IPv4 addresses in a 40-bit translation prefix where bits 33-40 are
required to be 1. The embedded IPv4 address is located in bits 41-72
of the IPv6 address. Bits 73-128 are required to be 0.
The location of the eight least significant IPv4 address bits makes
the IVI address mapping differ from [RFC6052].
+---+-------------+--------------------+
| # | IPv4 Prefix | IPv6 Prefix |
+---+-------------+--------------------+
| 1 | 0.0.0.0/0 | 2001:db8:ff00::/40 |
+---+-------------+--------------------+
Figure 5: Example EAMT for IVI
In this particular use case, all addresses are translated according
to the EAM algorithm. In other words, [RFC6052] mapping is not used
at all.
A.3. SIIT-DC
SIIT-DC [RFC7755] describes the use of SIIT to facilitate
connectivity from the IPv4 Internet to services hosted in an
IPv6-only data center. In order to avoid the constraints relating to
the use of IPv4-translatable IPv6 addresses discussed in Section 2,
the stateless IPv4/IPv6 translators are provisioned with an EAMT
containing one entry per IPv6-only service that is to be made
available from the IPv4 Internet, for example (assuming
2001:db8:aaaa::1 and 2001:db8:bbbb::1 are assigned to load balancers
or servers that provide the IPv6-only services in question):
+---+----------------+----------------------+
| # | IPv4 Prefix    | IPv6 Prefix          |
+---+----------------+----------------------+
| 1 | 203.0.113.1/32 | 2001:db8:aaaa::1/128 |
| 2 | 203.0.113.2/32 | 2001:db8:bbbb::1/128 |
+---+----------------+----------------------+
Figure 6: Example EAMT for SIIT-DC
In this particular use case, the EAM algorithm is used to translate
IPv4 destination addresses to IPv6, and conversely, IPv6 source
addresses to IPv4. Other addresses are translated using [RFC6052].
Appendix B. Example IP Address Translations
Figure 7 demonstrates how a set of example IP addresses are
translated given the example EAMT in Figure 1. Implementors may use
the examples given to develop test cases to validate correct
operation. Note that the address translations are bidirectional, so
a single row in the table describes two address translations: IPv4 to
IPv6 and IPv6 to IPv4.
It is also assumed that the translation prefix is configured to be
64:ff9b::/96 (per [RFC6052]).
+--------------+------------------------+-----------------------+
| IPv4 Address | IPv6 Address           | Comment               |
+--------------+------------------------+-----------------------+
| 192.0.2.1    | 2001:db8:aaaa::        | According to EAM #1   |
| 192.0.2.2    | 2001:db8:bbbb::b       | According to EAM #2   |
| 192.0.2.16   | 2001:db8:cccc::        | According to EAM #3   |
| 192.0.2.24   | 2001:db8:cccc::8       | According to EAM #3   |
| 192.0.2.31   | 2001:db8:cccc::f       | According to EAM #3   |
| 192.0.2.128  | 2001:db8:dddd::        | According to EAM #4   |
| 192.0.2.152  | 2001:db8:dddd:0:6000:: | According to EAM #4   |
| 192.0.2.183  | 2001:db8:dddd:0:dc00:: | According to EAM #4   |
| 192.0.2.191  | 2001:db8:dddd:0:fc00:: | According to EAM #4   |
| 192.0.2.195  | 2001:db8:eeee:9:8000:: | According to EAM #5   |
| 192.0.2.225  | 64:ff9b::1             | According to EAM #6   |
| 192.0.2.248  | 64:ff9b::c000:2f8      | According to RFC 6052 |
+--------------+------------------------+-----------------------+
Figure 7: Example IP Address Translations
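
The rows of Figure 7 can serve as test vectors for an implementation. The Python code below is an added example, not code from the RFC or its authors: it performs a longest-prefix EAM lookup in both directions and falls back to the RFC 6052 /96 mapping. The EAMT entries are an assumption standing in for Figure 1, which this section does not reproduce, and all function names are hypothetical.

```python
import ipaddress

# Assumption: these entries stand in for the EAMT of Figure 1, which this
# section does not reproduce; they agree with every row of Figure 7.
EAMT = [  # (IPv4 prefix, IPv6 prefix)
    ("192.0.2.1/32", "2001:db8:aaaa::/128"), ("192.0.2.2/32", "2001:db8:bbbb::b/128"),
    ("192.0.2.16/28", "2001:db8:cccc::/124"), ("192.0.2.128/26", "2001:db8:dddd::/64"),
    ("192.0.2.192/29", "2001:db8:eeee:8::/62"), ("192.0.2.224/31", "64:ff9b::/127"),
]
RFC6052_PREFIX = ipaddress.ip_network("64:ff9b::/96")

def _lookup(addr, eamt, column):
    """Longest-prefix match on one EAMT column; returns (net4, net6, pad) or None."""
    best = None
    for row in eamt:
        nets = ipaddress.ip_network(row[0]), ipaddress.ip_network(row[1])
        # pad = IPv6 suffix length minus IPv4 suffix length (zero bits on the right)
        pad = (128 - nets[1].prefixlen) - (32 - nets[0].prefixlen)
        if pad < 0:
            raise ValueError(f"IPv4 suffix of {nets[0]} does not fit in {nets[1]}")
        if addr in nets[column] and (
                best is None or nets[column].prefixlen > best[column].prefixlen):
            best = (*nets, pad)
    return best

def v4_to_v6(addr, eamt=EAMT):
    a = ipaddress.IPv4Address(addr)
    hit = _lookup(a, eamt, 0)
    if hit is None:  # no EAM matches: RFC 6052 mapping with the /96 prefix
        return str(ipaddress.IPv6Address(int(RFC6052_PREFIX.network_address) | int(a)))
    net4, net6, pad = hit
    suffix = int(a) & int(net4.hostmask)          # bits after the IPv4 prefix
    return str(ipaddress.IPv6Address(int(net6.network_address) | (suffix << pad)))

def v6_to_v4(addr, eamt=EAMT):
    a = ipaddress.IPv6Address(addr)
    hit = _lookup(a, eamt, 1)
    if hit is None:
        if a not in RFC6052_PREFIX:  # neither an EAM nor the RFC 6052 prefix applies
            raise ValueError(f"{a} matches no EAM and is outside {RFC6052_PREFIX}")
        return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))
    net4, net6, pad = hit
    suffix = (int(a) >> pad) & int(net4.hostmask)  # padding bits are discarded
    return str(ipaddress.IPv4Address(int(net4.network_address) | suffix))

def mismatches(vectors, eamt=EAMT):
    """(IPv4, IPv6) rows that fail in either direction; an empty list means all pass."""
    return [(a4, a6) for a4, a6 in vectors
            if v4_to_v6(a4, eamt) != a6 or v6_to_v4(a6, eamt) != a4]
```

Passing the twelve rows of Figure 7 as (IPv4, IPv6) pairs to mismatches() should return an empty list. Note that 64:ff9b::1 resolves through EAM #6 rather than RFC 6052 because the EAMT is consulted first.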
B.1. Hairpinning Examples
The following examples show how hairpinned IPv6 packets between the
IPv6 nodes 2001:db8:aaaa:: and 2001:db8:bbbb::b are translated
according to Section 4. As in Appendix B, the EAMT in Figure 1 is
used, and the translation prefix is 64:ff9b::/96 (per [RFC6052]). In
addition, the [RFC6791] pool is assumed to contain only the single
address 198.51.100.1.
+--------------+--------------------+---------------------+
| XLAT Stage   | Source Address     | Destination Address |
+--------------+--------------------+---------------------+
| Initial      | 2001:db8:aaaa::    | 64:ff9b::192.0.2.2  |
+--------------+--------------------+---------------------+
| Intermediate | 192.0.2.1          | 192.0.2.2           |
+--------------+--------------------+---------------------+
| Final        | 64:ff9b::192.0.2.1 | 2001:db8:bbbb::b    |
+--------------+--------------------+---------------------+
Figure 8: Hairpinning of a Normal IPv6 Packet
Figure 8 illustrates how a normal (i.e., not an ICMP error) IPv6
packet sent from 2001:db8:aaaa:: towards 64:ff9b::192.0.2.2 is
hairpinned. In this example, rule #1 in Section 4.2.1 was applied in
order to disable the EAM algorithm when translating the intermediate
IPv4 source address to IPv6.
+--------------+-------+-----------------------+--------------------+
| XLAT Stage   | Loc.  | Source Address        | Destination Addr.  |
+--------------+-------+-----------------------+--------------------+
| Initial      | Outer | 2001:db8::1234        | 64:ff9b::192.0.2.1 |
|              | Inner | 64:ff9b::192.0.2.1    | 2001:db8:bbbb::b   |
+--------------+-------+-----------------------+--------------------+
| Intermediate | Outer | 198.51.100.1          | 192.0.2.1          |
|              | Inner | 192.0.2.1             | 192.0.2.2          |
+--------------+-------+-----------------------+--------------------+
| Final        | Outer | 64:ff9b::198.51.100.1 | 2001:db8:aaaa::    |
|              | Inner | 2001:db8:aaaa::       | 64:ff9b::192.0.2.2 |
+--------------+-------+-----------------------+--------------------+
Figure 9: Hairpinning of a Router-Originated ICMPv6 Error
Figure 9 illustrates the hairpinning of an ICMPv6 error sent by an
arbitrary IPv6 router (2001:db8::1234) in response to the packet in
Figure 8. In this example, rule #2 in Section 4.2.1 was applied in
order to disable the EAM algorithm when translating the intermediate
inner IPv4 destination address to IPv6.
+--------------+-------+--------------------+--------------------+
| XLAT Stage   | Loc.  | Source Address     | Destination Addr.  |
+--------------+-------+--------------------+--------------------+
| Initial      | Outer | 2001:db8:bbbb::b   | 64:ff9b::192.0.2.1 |
|              | Inner | 64:ff9b::192.0.2.1 | 2001:db8:bbbb::b   |
+--------------+-------+--------------------+--------------------+
| Intermediate | Outer | 192.0.2.2          | 192.0.2.1          |
|              | Inner | 192.0.2.1          | 192.0.2.2          |
+--------------+-------+--------------------+--------------------+
| Final        | Outer | 64:ff9b::192.0.2.2 | 2001:db8:aaaa::    |
|              | Inner | 2001:db8:aaaa::    | 64:ff9b::192.0.2.2 |
+--------------+-------+--------------------+--------------------+
Figure 10: Hairpinning of a Host-Originated ICMPv6 Error
Figure 10 illustrates the hairpinning of an ICMPv6 error sent by the
original destination host itself in response to the packet in
Figure 8. In this example, rules #2 and #3 in Section 4.2.1 were
both applied in order to disable the EAM algorithm when translating
the intermediate inner IPv4 destination address and the intermediate
outer IPv4 source address to IPv6.
+--------------+--------------------+---------------------+
| XLAT Stage   | Source Address     | Destination Address |
+--------------+--------------------+---------------------+
| Initial      | 2001:db8:bbbb::b   | 64:ff9b::192.0.2.1  |
+--------------+--------------------+---------------------+
| Intermediate | 192.0.2.2          | 192.0.2.1           |
+--------------+--------------------+---------------------+
| Final        | 64:ff9b::192.0.2.2 | 2001:db8:aaaa::     |
+--------------+--------------------+---------------------+
Figure 11: Hairpinning of Normal Response Packet
Figure 11 illustrates how the response from 2001:db8:bbbb::b to the
packet in Figure 8 is hairpinned in the exact same fashion as the
initial packet. Again, rule #1 in Section 4.2.1 was applied in order
to disable the EAM algorithm when translating the intermediate IPv4
source address to IPv6. The example is included in order to
illustrate how the addresses in the packet initially sent by
2001:db8:aaaa:: match those in the translated response packet sent by
2001:db8:bbbb::b, thus facilitating bidirectional communication.
Acknowledgements
This document was conceived due to comments made by Dave Thaler in
the V6OPS session at IETF 91 as well as email discussions between
Fred Baker and the authors.
Valuable reviews, suggestions, and other feedback were given by Fred
Baker, Mohamed Boucadair, Cameron Byrne, Brian E. Carpenter, Brian
Haberman, Ray Hunter, Alvaro Retana, Michael Richardson, Dan
Romascanu, Hemant Singh, and Andrew Yourtchenko.
Authors' Addresses
Tore Anderson
Redpill Linpro
Vitaminveien 1A
0485 Oslo
Norway
Phone: +47 959 31 212
Email: tore@redpill-linpro.com
URI: http://www.redpill-linpro.com
Alberto Leiva Popper
NIC Mexico
Av. Eugenio Garza Sada 427 L4-6
Monterrey, Nuevo Leon 64840
Mexico
Email: ydahhrk@gmail.com
URI: http://www.nicmexico.mx/