IPv6 Operations T. Anderson Internet-Draft Redpill Linpro Intended status: Standards Track September 15, 2014 Expires: March 19, 2015 SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Centre Environments draft-anderson-v6ops-siit-dc-00 Abstract This document describes SIIT-DC, an extension to Stateless IP/ICMP Translation (SIIT) [RFC6145] that makes it ideally suited for use in IPv6 data centre environments. SIIT-DC simultaneously facilitates IPv6 deployment and IPv4 address conservation. The overall SIIT-DC architecture is described, as well as guidelines for operators. Finally, the normative implementation requirements are described, as a list of additions and changes to SIIT [RFC6145]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on March 19, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Anderson Expires March 19, 2015 [Page 1] Internet-Draft SIIT-DC September 2014 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Motivation and Goals . . . . . . . . . . . . . . . . . . 3 1.1.1. Single Stack IPv6 Operation . . . . . . . . . . . . . 3 1.1.2. Stateless Operation . . . . . . . . . . . . . . . . . 4 1.1.3. No Loss of End User's Source Address . . . . . . . . 4 1.1.4. No Forklift Upgrades Required . . . . . . . . . . . . 5 1.1.5. No Architectural Dependency on IPv4 . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Architectural Overview . . . . . . . . . . . . . . . . . . . 6 3.1. DNS Configuration . . . . . . . . . . . . . . . . . . . . 8 3.2. Packet Flow . . . . . . . . . . . . . . . . . . . . . . . 8 4. Deployment Guidelines . . . . . . . . . . . . . . . . . . . . 10 4.1. Application Support for NAT . . . . . . . . . . . . . . . 11 4.2. Application Support for IPv6 . . . . . . . . . . . . . . 11 4.3. Application Communication Pattern . . . . . . . . . . . . 11 4.4. Choice of Translation Prefix . . . . . . . . . . . . . . 12 4.5. Routing Considerations . . . . . . . . . . . . . . . . . 12 4.6. Location of the SIIT-DC Gateways . . . . . . . . . . . . 13 4.7. Migration from Dual Stack . . . . . . . . . . . . . . . . 13 4.8. Packet Size and Fragmentation Considerations . . . . . . 14 4.8.1. IP Header Size Difference . . . . . . . . . . . . . . 14 4.8.2. Minimum Path MTU Difference . . . . . . . . . . . . . 14 4.8.3. "Atomic Fragments" . . . . . . . . . . . . . . . . . 15 5. Implementation Requirements . . . . . . . . . . . . . . . . . 16 5.1. Compliance with RFC6145 and RFC6052 . . . . . . . . . . . 16 5.2. Static Address Mapping Function . . . . . . . . . . . . . 16 5.3. Support for Increasing the IPv6 Path MTU . . . . . . . . 17 5.4. Support for Disabling "Atomic Fragments" . . . . . . . . 17 5.5. Feature for Handling IPv4 Path MTUs Lower than 1260 . . . 17 5.6. Loop Prevention Mechanism . . . . . . . . . . . . . . . . 18 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 7. Requirements Language . . . . . . . . . . . . . . . . . . . . 19 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 9. Security Considerations . . . . . . . . . . . . . . . . . . . 19 9.1. Mistaking the Translation Prefix for a Trusted Network . 19 9.2. Packets Looping Through the SIIT-DC Function . . . . . . 19 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 10.1. Normative References . . . . . . . . . . . . . . . . . . 19 10.2. Informative References . . . . . . . . . . . . . . . . . 20 Appendix A. Complete SIIT-DC topology example . . . . . . . . . 21 Appendix B. Comparison to Other Deployment Approaches . . . . . 24 B.1. IPv4-only . . . . . . . . . . . . . . . . . . . . . . . . 24 B.2. IPv4-only + NAPT44 . . . . . . . . . . . . . . . . . . . 24 Anderson Expires March 19, 2015 [Page 2] Internet-Draft SIIT-DC September 2014 B.3. Dual Stack . . . . . . . . . . . . . . . . . . . . . . . 26 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 26 1. Introduction SIIT-DC is an extension of SIIT [RFC6145], and provides a a network- centric stateless translation service that allows a data centre operator or Internet Content Provider (ICP) to run a data centre network, servers, and applications using exclusively IPv6, while at the same time ensuring that end users that have only IPv4 connectivity will be able to continue to access the services and applications. 1.1. Motivation and Goals Historically, dual stack [RFC4213] has been the recommended way to transition from an IPv4-only environment to one capable of serving IPv6 users. For data centre and Internet content providers, dual stack operation has a number of disadvantages compared to single stack operation. In particular, the increased complexity and operational overhead, and very low expected return of investment in the short to medium term, as there are practically no end-users who have only connectivity to the IPv6 Internet. Furthermore, the dual stack approach does not in any way help with the depletion of the IPv4 address space. Therefore, a better approach is needed. The design goals are: o Promote the deployment of native IPv6 services (cf. [RFC6540]). o Provide IPv4 service availability for legacy users with no loss of performance or functionality. o To ensure that that the legacy users' IPv4 addresses remain available to the servers and applications. o To conserve and maximise the utilisation of IPv4 addresses. o To avoid introducing more complexity than absolutely necessary, especially on the servers and applications. o To be easy to scale and deploy in a fault-tolerant manner. The following subsections elaborates on how SIIT-DC meets these goals. 1.1.1. Single Stack IPv6 Operation Anderson Expires March 19, 2015 [Page 3] Internet-Draft SIIT-DC September 2014 SIIT-DC allows an operator to build their applications on an IPv6-only foundation. IPv4 end-user connectivity becomes a service provided by the network, which systems administration and application development staff do not need to concern themselves with. Obviously, this will promote universal IPv6 deployment for all of the provider's services and applications. It is worth noting that SIIT-DC requires no special support or change from the underlying IPv6 infrastructure, it will work with any kind of IPv6 network. Traffic between IPv6-enabled end users and IPv6-enabled services will always be native, and SIIT-DC will not be involved in it at all. 1.1.2. Stateless Operation Unlike other solutions that provide either dual stack availability to single-stack services (e.g., Stateful NAT64 [RFC6146] and Layer-4/7 proxies), or that provide conservation of IPv4 addresses (e.g., NAPT44 [RFC3022]), a SIIT-DC Gateway does not keep any state between each packet in a single connection or flow. In this sense it operates exactly like a normal IP router, and has similar scaling properties - the limiting factors are packets per second and bandwidth. The number of concurrent flows and flow initiation rates are irrelevant for performance. This not only allows individual SIIT-DC Gateways to easily attain "line rate" performance, it also allows for per-packet load balancing between multiple SIIT-DC Gateways using Equal-Cost Multipath Routing [RFC2991]. Asymmetric routing is also acceptable, which makes it easy to avoid sub-optimal traffic patterns; the prefixes involved may be anycasted from all the SIIT-DC Gateways in the provider's network, thus ensuring that the most optimal path through the network is used, even where the optimal path in one direction differs from the optimal path in the opposite direction. Finally, stateless operation means that high availability is easily achieved. If an SIIT-DC Gateway should fail, its traffic can be re- routed onto another SIIT-DC Gateway using a standard IP routing protocol. This does not impact existing flows any more than what any other IP re-routing event would. 1.1.3. No Loss of End User's Source Address Anderson Expires March 19, 2015 [Page 4] Internet-Draft SIIT-DC September 2014 SIIT-DC will map the entire end-user's source address into an predefined IPv6 translation prefix. This allows the application server to identify the user by an IPv4 address, which is useful for performing tasks like Geo-Location, logging, abuse handling, and so forth. 1.1.4. No Forklift Upgrades Required Except for the introduction of the SIIT-DC Gateways themselves, there is no change required in the network, servers, applications, or anywhere else to specifically support SIIT-DC, compared to a dual stack deployment. From the clients', the servers', the IPv6 data centre network's, and the IPv4 Internet's point of view, SIIT-DC is practically invisible. It will work with any standards-compliant IPv4 or IPv6 stack. 1.1.5. No Architectural Dependency on IPv4 SIIT-DC will allow an ICP or data centre operator to build infrastructure and applications entirely on IPv6. This means that when the day comes to discontinue support for IPv4, no change needs to be made to the overall architecture - it's only a matter of shutting off the SIIT-DC Gateways. Therefore, by deploying native IPv6 along with SIIT-DC, operators will avoid future migration or deployment projects relating to IPv6 roll-out and/or IPv4 sun- setting. 2. Terminology This document makes use of the following terms: IPv4 Service Address A public IPv4 address with which IPv4-only clients will communicate. This communication will be translated to IPv6 by the SIIT-DC Gateway. IPv4 Service Address Pool One or more IPv4 prefixes routed to the SIIT-DC Gateway's IPv4 interface. IPv4 Service Addresses are allocated from this pool. Note that this does not necessarily have to be a "pool" per se, as it could also be one or more host routes (whose prefix length is equal to /32). The primary purpose of using a pool rather than host routes is to facilitate IPv4 route aggregation and ease provisioning of new IPv4 Service Addresses. Anderson Expires March 19, 2015 [Page 5] Internet-Draft SIIT-DC September 2014 IPv6 Service Address A public IPv6 address assigned to a server or application in the IPv6 network. IPv6-only and dual stacked clients communicates with this address directly without invoking SIIT-DC. IPv4-only clients also communicates with this address through the SIIT-DC Gateway and via an IPv4 Service Address. SIIT-DC Host Agent A logical function very similar to an SIIT-DC Gateway that resides on a server and provides virtual IPv4 connectivity to applications, by reversing the translations done by the SIIT-DC Gateway. It is an optional component of the SIIT- DC architecture, that may be used to increase application support. See [I-D.anderson-v6ops-siit-dc-2xlat]. SIIT-DC Gateway A device or a logical function that translates between IPv4 and IPv6 in accordance with Section 5. Static Address Mapping A bi-directional mapping between an IPv4 Service Address and an IPv6 Service Address configured in the SIIT-DC Gateway. When translating between IPv4 and IPv6, the SIIT-DC Gateway changes the address fields in the translated packet's IP header according to any matching Static Address Mapping. Translation Prefix An IPv6 prefix into which the entire IPv4 address space is mapped. This prefix is routed to the SIIT-DC Gateway's IPv6 interface. It is either an Network-Specific Prefix or a Well-Known Prefix as specified in [RFC6052]. When translating between IPv4 and IPv6, the SIIT-DC Gateway prepends or strips the Translation Prefix from the address fields in the translated packet's IP header, unless a Static Address Mapping exists for the IP address in question. 3. Architectural Overview This section describes the basic SIIT-DC architecture. SIIT-DC Architecture Anderson Expires March 19, 2015 [Page 6] Internet-Draft SIIT-DC September 2014 +-------------------+ +----------------+ | IPv6-capable user | | IPv4-only user | | ================= | | ============== | | | | | +-<2001:db8::ab:cd>-+ +-<203.0.113.50>-+ | | | | (the IPv6 internet) (the IPv4 Internet) | | | | | +------------------<192.0.2.0/24>-+ | | | | | SIIT-DC Gateway | | | =============== | | | | | | Translation Prefix: | | | 2001:db8:46::/96 | | | | | | Static Address Mapping: | | | 192.0.2.1 <=> 2001:db8:12:34::1 | | | | | +--------------<2001:db8:46::/96>-+ | | | | (the IPv6-only data centre network) | | | ------------------------------/ |/ | +--<2001:db8:12:34::1>------------------------------+ | | | | | IPv6-only server | | | ================ | | | | | +-[2001:db8:12:34::1]---------------------------+ | | | AF_INET6 | | | | | | | | IPv6-only application | | | | | | | +-----------------------------------------------+ | +---------------------------------------------------+ Figure 1 In this example, 192.0.2.0/24 is allocated as an IPv4 Service Address Pool. Individual IPv4 Service Addresses are assigned from this pool. The provider must route this prefix to the SIIT-DC Gateway's IPv4 interface. Note that there are no restrictions on how many IPv4 Anderson Expires March 19, 2015 [Page 7] Internet-Draft SIIT-DC September 2014 Service Address Pools are used or their prefix length, as long as they are all routed to the SIIT-DC Gateway's IPv4 interface. The Static Address Mapping list is used when translating an IPv4 Service Address (here 192.0.2.1) to its corresponding IPv6 Service Address (here 2001:db8:12:34::1) and vice versa. When the SIIT-DC Gateway translates an IPv4 packet to IPv6, any IPv4 Service Address found in the original IPv4 header will be replaced with the corresponding IPv6 Service Address in the resulting IPv6 header, and vice versa when translating an IPv6 packet to IPv4. 2001:db8:46::/96 is the Translation Prefix into which the entire IPv4 address space is mapped. It is used for translation of the end user's IPv4 address to IPv6 and vice versa according to the algorithm defined in Section 2.2 of RFC6052 [RFC6052]. This algorithmic mapping has a lower precedence than the configured Static Address Mappings. The SIIT-DC Gateway itself can be either a separate device or a logical function in another multi-purpose device, for example an IP router. Any number of SIIT-DC Gateways may exist simultaneously in an operators infrastructure, as long as they all have the same translation prefix and list of Static Mappings configured. 3.1. DNS Configuration The IPv6 Service Address of should be registered in DNS using an AAAA record, while its corresponding IPv4 Service Address should be registered using an A record. This results in the following DNS records: DNS Configuration for a SIIT-DC enabled service app.domain.tld. IN AAAA 2001:db8:12:34::1 app.domain.tld. IN A 192.0.2.1 Figure 2 3.2. Packet Flow In this example, "IPv4-only user" initiates a request to the application running on the IPv6-only server. He starts by looking up the IN A record of "app.domain.tld" in DNS, and attempts to connect to this address on the service by transmitting the following IPv4 packet destined for the IPv4 Service Address: Stage 1: Client -> Server, IPv4 Anderson Expires March 19, 2015 [Page 8] Internet-Draft SIIT-DC September 2014 +------------------------------------------------+ | IP Version: 4 | | Source Address: 203.0.113.50 | | Destination Address: 192.0.2.1 | | Protocol: TCP | |------------------------------------------------| | TCP SYN [...] | +------------------------------------------------+ Figure 3 This packet is then routed over the Internet to the (nearest) SIIT-DC Gateway, which translates it into the following IPv6 packet and forward it into the IPv6 network: Stage 2: Client -> Server request, IPv4 +-------------------------------------------------+ | IP Version: 6 | | Source Address: 2001:db8:46::203.0.113.50 | | Destination Address: 2001:db8:12:34::1 | | Next Header: TCP | |-------------------------------------------------| | TCP SYN [...] | +-------------------------------------------------+ Figure 4 The destination address field was translated to the IPv6 Service Address according to the configured Static Address Mapping, while the source address was field translated according to the [RFC6052] mapping using the Translation Prefix (because it did not match any Static Address Mapping). The rest of the IP header was translated according to [RFC6145]. The Layer 4 payload is copied verbatim, with the exception of the TCP checksum being recalculated. Note that the IPv6 address 2001:db8:46::203.0.113.50 may also be expressed as 2001:db8:46::cb00:7132, cf. Section 2.2 of RFC2373 [RFC2373]. Next, the application receives receives this IPv6 packet and responds to it like it would with any other IPv6 packet: Stage 3: Server -> Client response, IPv6 Anderson Expires March 19, 2015 [Page 9] Internet-Draft SIIT-DC September 2014 +-------------------------------------------------+ | IP Version: 6 | | Source Address: 2001:db8:12:34::1 | | Destination Address: 2001:db8:46::203.0.113.50 | | Next Header: TCP | |-------------------------------------------------| | TCP SYN+ACK [...] | +-------------------------------------------------+ Figure 5 The response packet is routed to the (nearest) SIIT-DC Gateway's IPv6 interface, which will translate it back to IPv4 as follows: Stage 4: Server -> Client response, IPv4 +------------------------------------------------+ | IP Version: 4 | | Source Address: 192.0.2.2 | | Destination Address: 203.0.113.50 | | Protocol: TCP | |------------------------------------------------| | TCP SYN+ACK [...] | +------------------------------------------------+ Figure 6 This time, the source address matched the Static Address Mapping and was translated accordingly, while the destination address did not, and was therefore translated according to [RFC6052] by having the Translation Prefix stripped. The rest of the packet was translated according to [RFC6145]. The resulting IPv4 packet is transmitted back to the end user over the IPv4 Internet. Subsequent packets in the flow will follow the exact same translation pattern. They may or may not cross the same translators as earlier packets in the same flow. The end user's IPv4 stack has no idea that it is communicating with an IPv6 server, nor does the server's IPv6 stack have any idea that is is communicating with an IPv4 client. To them, it's just plain IPv4 or IPv6, respectively. However, the applications running on the server may optionally be updated to recognise and strip the Translation Prefix, so that the end user's IPv4 address may be used for logging, Geo-Location, abuse handling, and so forth. 4. Deployment Guidelines Anderson Expires March 19, 2015 [Page 10] Internet-Draft SIIT-DC September 2014 In this section, we list recommendations and guidelines for operators who would like to deploy a SIIT-DC service in their data centre network. 4.1. Application Support for NAT Not all application protocols are able to operate in a network environment where rewriting of IP addresses occur. An operator should therefore carefully evaluate the applications he would like to make available for IPv4 users through SIIT-DC, to ensure they do not fall in this category. In general, if an application layer protocol works correctly through standard NAT44 (see [RFC3235]), it will most likely work correctly through SIIT-DC as well. Higher-level protocols that embed IP addresses as part of their payload are especially problematic, as noted in [RFC2663], [RFC2993], and [RFC3022]. Such protocols will most likely not work through any form of address translation, including SIIT-DC. One well-known example of such a protocol is FTP [RFC0959]. The SIIT-DC architecture may be extended with a Host Agent that reverses the translation performed by the SIIT-DC Gateway before passing the packets to the application software. This allows the problematic application protocols described above to work correctly in an SIIT-DC environment as well. See [I-D.anderson-v6ops-siit-dc-2xlat] for a description of this extension. 4.2. Application Support for IPv6 SIIT-DC requires that the application software supports IPv6 networking, and that it has no dependency on IPv4 networking. If this is not the case, the approach described in [I-D.anderson-v6ops-siit-dc-2xlat] may be used, as it provides the application with seemingly native IPv4 connectivity. This allows IPv4-only applications to work correctly in an otherwise IPv6-only environment. 4.3. Application Communication Pattern SIIT-DC is ideally suited for applications where IPv4-only nodes on the Internet initiate traffic towards the IPv6-only services, which in turn are only passively listening for inbound traffic and responding as necessary. One well-known example of such a protocol is HTTP [RFC2616]. This is due to the fact that in this case, an IPv4 user looks exactly like an ordinary IPv6 user from the host and application's point of view, and requires no special treatment. Anderson Expires March 19, 2015 [Page 11] Internet-Draft SIIT-DC September 2014 It is possible to combine SIIT-DC with DNS64 [RFC6147] in order to allow an IPv6-only application to initiate communication with IPv4-only nodes through an SIIT-DC Gateway. However, in this case, care must be taken so that all outgoing communication is sourced from the IPv6 Service Address that has a Static Mapping configured on the SIIT-DC Gateway. If another unmapped address is used, the SIIT-DC Gateway will discard the packet. An alternative approach to the above would be to make use of an SIIT- DC Host Agent as described in [I-D.anderson-v6ops-siit-dc-2xlat]. This provides the application with seemingly native IPv4 connectivity, which it may use for both inbound and outbound communication without requiring the application to select a specific source address for its outbound communications. 4.4. Choice of Translation Prefix Either a Network-Specific Prefix (NSP) from the provider's own IPv6 address space or the IANA-allocated Well-Known Prefix 64:ff9b::/96 (WKP) may be used. From a technical point of view, both should work equally well, however as only a single WKP exists, if a provider would like to deploy more than one instance of SIIT-DC in his network, or Stateful NAT64 [RFC6146], an NSP must be used anyway for all but one of those deployments. Furthermore, the WKP cannot be used in inter-domain routing. By using an NSP, a provider will have the possibility to provide SIIT-DC service to other operators across Autonomous System borders. For these reasons, this document recommends that an NSP is used. Section 3.3 of [RFC6052] discusses the choice of translation prefix in more detail. The Translation Prefix may use any of the lengths described in Section 2.2 of RFC6052 [RFC6052], but /96 has two distinct advantages over the others. First, converting it to IPv4 can be done in a single operation by simply stripping off the first 96 bits; second, it allows for IPv4 addresses to be embedded directly into the text representation of an IPv6 address using the familiar dotted quad notation, e.g., "2001:db8::198.51.100.10" (cf. Section 2.4 of RFC6052 [RFC6052])), instead of being converted to hexadecimal notation. This makes it easier to write IPv6 ACLs and similar that match translated endpoints in the IPv4 Internet. Use of a /96 prefix length is therefore recommended. 4.5. Routing Considerations Anderson Expires March 19, 2015 [Page 12] Internet-Draft SIIT-DC September 2014 The prefixes that constitute the IPv4 Service Address Pool and the IPv6 Translation Prefix may be routed to the SIIT-DC Gateway(s) as any other IPv4 or IPv6 route in the provider's network. If more than one SIIT-DC Gateway is being deployed, it is recommended that a dynamic routing protocol (such as BGP, IS-IS, or OSPF) is being used to advertise the routes within the provider's network. This will ensure that the traffic that is to be translated will reach the closest SIIT-DC Gateway, reducing or eliminating sub-optimal traffic patterns, as well as provide high availability - if one SIIT- DC Gateway fails, the dynamic routing protocol will automatically redirect the traffic to the next-best translator. 4.6. Location of the SIIT-DC Gateways It is optimal to place the SIIT-DC Gateways as close as possible to the direct path between the servers and the end users. If the closest translator is located a long way from the optimal path, all packets in both directions must make a detour. This would increase the RTT between the server and the end user by by two times the extra latency incurred by the detour, as well as cause unnecessary load on the network links on the detour path. The ideal location of the SIIT-DC Gateways would be a logical function within the IP routers would have handled the traffic anyway (if the topology was dual stacked) This way, the translation service would not need separate networks ports to be assigned (which might become saturated and impact the service quality), nor would it need extra rack space or energy. Some good choices of the location could be within a data centre's access routers, or inside the provider's border routers. If every single application in the data centre or the provider's network eventually get single-stacked, there would no need to run IPv4 on the inside of the SIIT-DC Gateway - thus allowing the operator to reclaim IPv4 addresses from the network infrastructure that may instead be used for translated services. 4.7. Migration from Dual Stack While this document discusses the use of IPv6-only servers and applications, there is no technical requirement that the servers are IPv4 free. SIIT-DC works equally well for dual stacked servers, which makes migration easy - after setting up the translation function, the DNS A record for the service is updated to point to the IPv4 address that will be translated to IPv6, the previously used IPv4 service address may continue to be assigned to the server. This makes roll-back to dual stack easy, as it is only a matter of changing the DNS record back to what it was before. Anderson Expires March 19, 2015 [Page 13] Internet-Draft SIIT-DC September 2014 For high-volume services migrating to SIIT-DC from dual stack, DNS Round Robin may be used to gradually migrate the service's IPv4 traffic from its native IPv4 address(es) to the translated IPv4 Service Address(s). 4.8. Packet Size and Fragmentation Considerations There are two key differences between IPv4 and IPv6 relating to packet sizes that one should consider when deploying SIIT-DC. They result in a few problematic corner cases, which can be dealt with in a few different ways. The operator may find that relying on fragmentation in the IPv6 domain is undesired or even operationally impossible [I-D.taylor-v6ops-fragdrop]. For this reason, the recommendations in this section seeks to minimise the use of IPv6 fragmentation. Unless otherwise stated, this section assumes that the MTU in both the IPv4 and IPv6 domains is 1500 bytes. 4.8.1. IP Header Size Difference The IPv6 header is up to 20 bytes larger than the IPv4 header. This means that a full-size 1500 bytes large IPv4 packet cannot be translated to IPv6 without being fragmented, otherwise it would likely have resulted in a 1520 bytes large IPv6 packet. If the transport protocol used is TCP, this is generally not a problem, as the IPv6 server will advertise a TCP MSS of 1440 bytes. This causes the client to never send larger packets than what can be translated to a single full-size IPv6 packet, eliminating any need for fragmentation. For other transport protocols, full-size IPv4 packets with the DF flag cleared will need to be fragmented by the SIIT-DC Gateway. The only way to avoid this is to increase the Path MTU between the SIIT- DC Gateway and the servers to 1520 bytes. Note that the servers' MTU SHOULD NOT be increased accordingly, as that would cause them to undergo Path MTU Discovery for most native IPv6 destinations. However, the servers would need to be able to accept and process incoming packets larger than their own MTU. If the server's IPv6 implementation allows the MTU to be set differently for specific destinations, it could be increased to 1520 for destinations within the Translation Prefix specifically. 4.8.2. Minimum Path MTU Difference Anderson Expires March 19, 2015 [Page 14] Internet-Draft SIIT-DC September 2014 The minimum allowed link MTU in IPv6 is 1280 bytes. In IPv4, the corresponding value is 68 bytes. This means that an 1280 byte large IPv6 packet sent to an IPv4 client may need to be fragmented by a router in the IPv4 network, if the path to the IPv4 client involves a link with a MTU lower than 1260 bytes. By default, an SIIT-DC Gateway will set the DF flag when translating from IPv6 to IPv4, resulting in a situation where the IPv6 server may receive an ICMPv6 Packet Too Big error where the indicated MTU value is less than the IPv6 minimum of 1280. In this situation, the IPv6 server has two choices on how to proceed, according to the last paragraph of Section 5 of RFC2460 [RFC2460]: o It may reduce its Path MTU value to the value indicated in the Packet Too Big. This causes no problems for the SIIT-DC function. o It may reduce its Path MTU value to exactly 1280, and also include a Fragmentation header in each subsequent packet sent to that destination. The Fragmentation header signals to the the SIIT-DC Gateway that the DF flag should be cleared in the resulting IPv4 packet, and it also provides the Identification value. If the use of the IPv6 Fragmentation header is problematic, and the operator has IPv6 servers that implement the second option above, the operator should enable a feature on the SIIT-DC Gateways which ensures that the resulting MTU field is always set to 1280 or higher when translating ICMPv4 Need to Fragment into ICMPv6 Packet Too Big, and that when translating IPv6 packets smaller or equal to 1280 bytes the resulting IPv4 packets will have the DF flag cleared and an Identification value generated, cf. Section 5.5. 4.8.3. "Atomic Fragments" By default, an SIIT-DC Gateway will include a Fragmentation header in the resulting IPv6 packet when translating from an IPv4 packet with the DF flag cleared, cf. Section 4 of RFC6145 [RFC6145]. This happens even though the resulting IPv6 packet isn't actually fragmented into several pieces, resulting in an "Atomic Fragment" [RFC6946]. This is generally not useful in a data centre environment, and it is therefore recommended that this behaviour is disabled in the SIIT-DC Gateway(s). See Section 5.4. Anderson Expires March 19, 2015 [Page 15] Internet-Draft SIIT-DC September 2014 5. Implementation Requirements This normative section specifies the SIIT-DC protocol that is implemented by an SIIT Gateway. Because SIIT-DC builds on and closely resembles SIIT [RFC6145], this section should be read as a set of additions and changes that are applied to an implementation already compliant to SIIT [RFC6145]. Each of the following subsections discuss how the requirement relates to with any corresponding requirements in SIIT [RFC6145]. 5.1. Compliance with RFC6145 and RFC6052 Unless otherwise stated in the following sections, an SIIT-DC implementation MUST comply fully with [RFC6145]. It must also implement the algorithmic address mapping defined in [RFC6052]. 5.2. Static Address Mapping Function The implementation MUST allow the operator to configure an arbitrary number of Static Address Mappings which override the default [RFC6052] algorithm. It SHOULD be possible to specify a single bi- directional mapping that will be used in both the IPv4=>IPv6 and IPv6=>IPv4 directions, but it MAY additionally (or alternatively) support unidirectional mappings. An example of such a bidirectional Static Address Mapping would be: o 192.0.2.1 <=> 2001:db8:12:34::1 To accomplish the same using unidirectional mappings, the following two mappings must instead be configured: o 192.0.2.1 => 2001:db8:12:34::1 o 2001:db8:12:34::1 => 192.0.2.1 In both cases, if the SIIT-DC Gateway receives an IPv6 packet that has the value 2001:db8:12:34::1 in either the source or destination field of the IPv6 header, it MUST rewrite this field to 192 0.2.1 when translating to IPv4. Similarly, if the SIIT-DC Gateway receives an IPv4 packet that has the value 192.0.2.1 as the either the source or destination field of the IPv4 header, it MUST rewrite this field to 2001:db8:12:34::1 when translating to IPv6. For all IPv4 or IPv6 source or destination field values for which there are no Static Address Mapping, [RFC6052] compliant mapping MUST be used instead. Relation to [RFC6145]: The Static Address Mapping is a novel feature feature that is not discussed in [RFC6145]. It conflicts with Anderson Expires March 19, 2015 [Page 16] Internet-Draft SIIT-DC September 2014 [RFC6145]'s requirement that all addresses must be translated according to the [RFC6052] algorithm. 5.3. Support for Increasing the IPv6 Path MTU The SIIT-DC Gateway MUST provide a configuration function for the network administrator to adjust the threshold of the minimum IPv6 MTU to a value that reflects the real value of the minimum IPv6 MTU in the network (greater than 1280 bytes). This will help reduce the chance of including the Fragment Header in the packets. Relation to [RFC6145]: This strengthens the corresponding "MAY" requirement located in Section 4 of RFC6145 [RFC6145] to a "MUST". 5.4. Support for Disabling "Atomic Fragments" When the IPv4 sender does not set the DF bit, the SIIT-DC Gateway SHOULD NOT include an IPv6 Fragment Header in resulting non- fragmented IPv6 packets. If does, the SIIT-DC Gateway MUST provide a configuration function that allows the SIIT-DC Gateway not to include the Fragment Header for the non-fragmented IPv6 packets. Relation to [RFC6145]: This is an update of the corresponding requirement in Section 4 of RFC6145 [RFC6145]. It inverts the recommended default behaviour to not generate IPv6 Atomic Fragments, and strengthens the "MAY" requirement for making it possible to disable this behaviour to a "MUST". For the definition of an "Atomic Fragment", see [RFC6946]. 5.5. Feature for Handling IPv4 Path MTUs Lower than 1260 In order to prevent unnecessary fragments, the implementation SHOULD support a feature which, if enabled by the operator, changes the SIIT-DC Gateway's default behaviour accordingly: o When translating an ICMPv4 Need To Fragment packet indicating a Path MTU smaller than or equal to 1260, the MTU field in the resulting ICMPv6 Packet Too Big is set to 1280. o When translating an IPv6 packet that is smaller or equal to 1280 bytes, the DF flag in the resulting IPv4 packet is cleared, and an IPv4 Identification value is generated. The SIIT-DC Gateway MUST NOT create or maintain any state as a result of this. Relation to [RFC6145]: This is a modified version of the second approach described in Section 6 of RFC6145 [RFC6145]. The modifications are: Anderson Expires March 19, 2015 [Page 17] Internet-Draft SIIT-DC September 2014 1. In the IPv4-to-IPv6 direction, the algorithm only used for ICMPv4 Need To Fragment packets that indicate an MTU value smaller or equal to 1260. The corresponding value used by [RFC6145] is smaller than 1280. 2. In the IPv6-to-IPv4 direction, an SIIT Gateway MUST NOT generate and maintain any state due to generating IPv4 Identification values. [RFC6145] RECOMMENDS that this is done. Also see [I-D.gont-6man-deprecate-atomfrag-generation], which seeks to formally update [RFC6145] with the approach described in this section. 5.6. Loop Prevention Mechanism As noted in Section 9.2, there is a potential for packets looping through the SIIT-DC function if it receives an IPv4 packet for which there is no Static Address Mapping. It is therefore RECOMMENDED that the implementation has a mechanism that automatically prevents this behaviour. One way this could be accomplished would be to discard any IPv4 packets that would be translated into an IPv6 packet that would be routed straight back into the SIIT-DC function. If such a mechanism isn't provided, the implementation MUST provide a way to manually filter or null-route the destination addresses that would otherwise cause loops. Relation to [RFC6145]: This security consideration applies only when an SIIT-DC Gateway translates a packet in "pure" SIIT [RFC6145] mode (i.e., both address fields are translated according to [RFC6052]). This consideration is in other words not specific to SIIT-DC, it is inherited from [RFC6145]. In spite of this, [RFC6145] does not describe this consideration or any methods of prevention. The requirements in this section is therefore novel to SIIT-DC, even though they apply equally to [RFC6145]. 6. Acknowledgements The author would like to thank the following individuals for their contributions, suggestions, corrections, and criticisms: Fred Baker, Cameron Byrne, Ross Chandler, Dagfinn Ilmari Mannsaaker, Lars Olafsen, Stig Sandbeck Mathisen, [YOUR NAME GOES HERE]. Anderson Expires March 19, 2015 [Page 18] Internet-Draft SIIT-DC September 2014 7. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 8. IANA Considerations This draft makes no request of the IANA. The RFC Editor may remove this section prior to publication. 9. Security Considerations 9.1. Mistaking the Translation Prefix for a Trusted Network If a Network-Specific Prefix from the provider's own address space is chosen for the translation prefix, as is recommended, care must be taken if the translation service is used in front of services that have application-level ACLs that distinguish between the operator's own networks and the Internet at large, as the translated IPv4 end users on the Internet will appear to come from within the provider's own IPv6 address space. It is therefore important that the translation prefix is treated the same as the Internet at large, rather than as a trusted network. 9.2. Packets Looping Through the SIIT-DC Function If the SIIT-DC Gateway receives an IPv4 packet destined to an address for which there is no Static Address Mapping, its destination address will be rewritten according to [RFC6052], making the resulting IPv6 packet have a destination address within the translation prefix, which is likely routed to back to the SIIT-DC function. This will cause the packet to loop until its Time To Live / Hop Limit reaches zero, potentially creating a Denial Of Service vulnerability. To avoid this, it should be ensured that packets sent to IPv4 destinations addresses for which there are no Static Address Mappings, or whose resulting IPv6 address does not have a more- specific route to the IPv6 network, are immediately discarded. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Anderson Expires March 19, 2015 [Page 19] Internet-Draft SIIT-DC September 2014 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, October 2010. [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation Algorithm", RFC 6145, April 2011. 10.2. Informative References [I-D.anderson-v6ops-siit-dc-2xlat] Anderson, T., "SIIT-DC: Dual Translation Mode", draft- anderson-v6ops-siit-dc-2xlat-00 (work in progress), September 2014. [I-D.gont-6man-deprecate-atomfrag-generation] Gont, F., Will, W., and T. Anderson, "Deprecating the Generation of IPv6 Atomic Fragments", draft-gont-6man- deprecate-atomfrag-generation-01 (work in progress), August 2014. [I-D.taylor-v6ops-fragdrop] Jaeggli, J., Colitti, L., Kumari, W., Vyncke, E., Kaeo, M., and T. Taylor, "Why Operators Filter Fragments and What It Implies", draft-taylor-v6ops-fragdrop-02 (work in progress), December 2013. [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, October 1985. [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996. [RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 1998. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999. Anderson Expires March 19, 2015 [Page 20] Internet-Draft SIIT-DC September 2014 [RFC2991] Thaler, D. and C. Hopps, "Multipath Issues in Unicast and Multicast Next-Hop Selection", RFC 2991, November 2000. [RFC2993] Hain, T., "Architectural Implications of NAT", RFC 2993, November 2000. [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001. [RFC3235] Senie, D., "Network Address Translator (NAT)-Friendly Application Design Guidelines", RFC 3235, January 2002. [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms for IPv6 Hosts and Routers", RFC 4213, October 2005. [RFC4217] Ford-Hutchinson, P., "Securing FTP with TLS", RFC 4217, October 2005. [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, April 2011. [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van Beijnum, "DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers", RFC 6147, April 2011. [RFC6540] George, W., Donley, C., Liljenstolpe, C., and L. Howard, "IPv6 Support Required for All IP-Capable Nodes", BCP 177, RFC 6540, April 2012. [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC 6946, May 2013. Appendix A. Complete SIIT-DC topology example This figure shows a more complete SIIT-DC topology, in order to better demonstrate the beneficial properties it has. In particular, it tries to highlight the following: Anderson Expires March 19, 2015 [Page 21] Internet-Draft SIIT-DC September 2014 o Stateless operation: Any number of SIIT-DC Gateways may be deployed side-by side, or indeed anywhere in the IPv6 network, as any standard routing mechanism may be used to direct traffic to them (shown here with BGP on the IPv4 side and ECMP on the IPv6 side). This in turn leads to high availability, should one of the SIIT-DC Gateways fail or become unavailable, those standard routing mechanisms will ensure that traffic is automatically redirect one of the remaining SIIT-DC Gateways. o IPv4 address conservation: Even though the to customers in the example have several hundred servers, most of them are not used for externally available services, and thus do not require an IPv4 address. The network between the servers and the SIIT-DC Gateways require no IPv4 addresses, either. Furthermore, the IPv4 addresses that are used do not have to be assigned to customers in the form of aggregated blocks or prefixes; which makes it easy to achieve 100% effective utilisation of the IPv4 service address pools. o Application support: The translation-friendly applications HTTP and SMTP will work through SIIT-DC without requiring any special customisation. Furthermore, translation-unfriendly applications such as FTP will also work if an host agent in present, cf. [I-D.anderson-v6ops-siit-dc-2xlat]. o Native IPv6 as the foundation: Every server, application, and network component has access to native and untranslated IPv6 connectivity to each other and to the Internet. Traffic through the SIIT-DC Gateways will diminish over time as IPv6 is deployed throughout the Internet. Eventually they may be shut down entirely, which causes no disruption to the application stacks' ability to deliver their services over native IPv6. Example data centre topology using SIIT-DC Anderson Expires March 19, 2015 [Page 22] Internet-Draft SIIT-DC September 2014 /--------------------------------\ /---------------\ | IPv4 Internet | | IPv6 Internet | \-+----------------------------+-/ \--------+------/ | | | | <----------[BGP]---------> | | | | | +---------<192.0.2.0/24>----------+ +---<192.0.2.0/24>---+ | | | | | | | SIIT-DC Gateway 1 | | SIIT-DC Gateway 2 | | | ================= | | ================= | | | | | | | | Translation Prefix: | | | | | 2001:db8:46::/96 | | | | | | | | | | Static Address Mappings: | | Exactly the same | | | 192.0.2.1 <=> 2001:db8:12:34::1 | | configuration as | | | 192.0.2.2 <=> 2001:db8:12:34::2 | | SIIT-DC Gateway 1 | | | 192.0.2.3 <=> 2001:db8:fe:dc::1 | | | | | 192.0.2.4 <=> 2001:db8:12:34::4 | | | | | [...] | | | | | | | | | +--------<2001:db8:46::/96>-------+ +-<2001:db8:46::/96>-+ | | | | | <---------[ECMP]---------> | | | | | /-----------------+----------------------------+-\ | | IPv6 data centre network +----------+ \-+-----------------------------------+----------/ | | | Customer A's server LAN | Customer B's server LAN | 2001:db8:12:34::/64 | 2001:db8:fe:dc::/64 | | | | +-- www ::1 (IPv6+SIIT-DC) +-- www ::1 (IPv6+SIIT-DC) | | | +-- file01 ::f:01 (IPv6) +-- mta ::2 (IPv6+SIIT-DC) | [...] | +-- file99 ::f:99 (IPv6) +-- ftp ::3 (IPv6) | ::4 (SIIT-DC/Host Agent) | +-- app01 ::a:01 (IPv6) | [...] +- app99 ::a:99 (IPv6) | +-- db01 ::d:01 (IPv6) | [..] +-- db99 ::d:99 (IPv6) Anderson Expires March 19, 2015 [Page 23] Internet-Draft SIIT-DC September 2014 Figure 7 Appendix B. Comparison to Other Deployment Approaches There are a number of alternative deployment strategies a data centre operator may follow. They each have different properties and helps solve a different set of challenges. This section aims to compare the SIIT-DC approach with each of the most common ones, by highlighting the benefits and disadvantages of each. B.1. IPv4-only At the time of writing, IPv4-only operation remains the status quo for most operators. As such, it is well understood and supported. An operator can reasonably expect everything to work correctly in an IPv4-only environment. Benefits of IPv4-only operation compared to SIIT-DC include: o No translation occurs, the end-to-end principle is intact. o Compatible with all common application protocols. o Compatible with IPv4-only devices. o Compatible with IPv4-only application software, without requiring a host agent. Disadvantages of IPv4-only operation compared to SIIT-DC include: o Does not provide any form of IPv6 connectivity. o Does not alleviate IPv4 address scarcity. B.2. IPv4-only + NAPT44 An operator who would otherwise chose a traditional IPv4-only approach, but cannot due to having insufficient public IPv4 addresses available, could chose to deploy using a combination of private IPv4 addresses [RFC1918] and NAPT44 [RFC3022] devices which will translate between a smaller number of public IPv4 addresses and the private addresses assigned to the servers that provide public services to the Internet. Benefits of IPv4-only + NAPT44 operation compared to SIIT-DC include: o Compatible with IPv4-only devices. Anderson Expires March 19, 2015 [Page 24] Internet-Draft SIIT-DC September 2014 o Compatible with IPv4-only application software, without requiring a host agent. Disadvantages of IPv4-only + NAPT44 operation compared to SIIT-DC include: o Does not provide any form of IPv6 availability. o Requires network devices that track all flow state, which may create a performance bottleneck and be an easy target for Denial of Service attacks. o Limits routing flexibility (prevents closest exit routing), as outbound traffic must pass across the same NAPT44 device that handled the inbound traffic. o Limited potential for horizontal scaling, as packets cannot be load-balanced across multiple NAT devices. o Depending on whether or not the NAPT44 device rewrites source addresses in order to attract the return traffic to itself: o * Obscures the true source address of the user from the server/ application, preventing it from e.g. performing geo-location lookups, or: * Requires an IPv4 default route to be pointed to the NAPT44 device, also attracting native traffic that does not need to undergo translation. In addition, application compatibility is a consideration with both NAPT44 and SIIT-DC, but the exact nature depends from application to application, so it is hard to objectively quantify if there is a clear advantage to either approach here. Some translation-unfriendly application protocols may work without host modifications through the use of Application Layer Gateway support in the NAPT44 device (e.g., FTP [RFC0959]), or in the SIIT-DC architecture when a host agent is being used [I-D.anderson-v6ops-siit-dc-2xlat]. Other application protocols might not work with NAPT44 at all, but will work in the SIIT-DC if a host agent is being used (e.g., FTP/TLS [RFC4217]). In summary, the most accurate statement would be to say that a NAPT44 architecture is more compatible with translation-unfriendly protocols than plain SIIT-DC, while SIIT-DC is more compatible than NAPT44 if a host agent is used. Anderson Expires March 19, 2015 [Page 25] Internet-Draft SIIT-DC September 2014 For a more complete discussion of potential issues with running NAPT44, see Architectural Implications of NAT [RFC2993]. B.3. Dual Stack Dual Stack [RFC4213] could be used both with or without NAPT44 to handle IPv4. In general, the benefits and disadvantages are equal to the corresponding IPv4-only option, except for the fact that Dual Stack does provides IPv6 connectivity. Therefore, his section only lists the benefits and disadvantages which are unique to a Dual Stack environment. Benefits of Dual Stack operation compared to SIIT-DC include: o No translation occurring, the end-to-end principle is intact (assuming NAPT44 isn't used). o Compatible with all common application protocols (assuming NAPT44 isn't used). o Compatible with IPv4-only devices. o Compatible with IPv4-only application software, without requiring a host agent. Disadvantages of Dual Stack operation compared to SIIT-DC include: o Does not alleviate IPv4 address scarcity (assuming NAPT44 isn't used). o Increases the complexity of the infrastructure, as many things must done twice (once for IPv4 and once for IPv6). Examples of things that must be duplicated in this manner under Dual Stack: Firewall rules/ACLs, IGP topology, monitoring, troubleshooting. o Encourages software developers, systems administrators, etc. to build architectures that cannot operate correctly without IPv4. This in turn makes it difficult to make use of Dual Stack as a short term transitional stage, rather than a near-permanent end state. o Increases the amount of things that can encounter failures, and increases the time required to locate and fix such failures. This reduces reliability. Author's Address Anderson Expires March 19, 2015 [Page 26] Internet-Draft SIIT-DC September 2014 Tore Anderson Redpill Linpro Vitaminveien 1A 0485 Oslo NORWAY Phone: +47 959 31 212 Email: tore@redpill-linpro.com Anderson Expires March 19, 2015 [Page 27]