Internet Engineering Task Force R. Despres Internet-Draft September 29, 2008 Intended status: Standards Track Expires: April 2, 2009 Stateless Address Mapping with A+P Extended IPv4 addressing (SAM) draft-despres-sam-00 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 2, 2009. Abstract Stateless Local Address Mapping (SAM) is a generic tool for global- address packets to traverse transit domains where routing is performed in different address spaces. To share IPv4 global addresses among several CPEs and/or hosts, port prefixes can be used as extensions of IPv4 global addresses. In this space (IPv4E), a node having an n-bits IPv4E prefix with n>32 may only use or delegate ports having its port prefix of length /32-n. Static Address Mappers can be placed in CPEs, in hosts, and/or in ISP Internet gateways. Applications include various IPv6 in IPv4 and IPv4E in IPv6 encapsulations. Despres Expires April 2, 2009 [Page 1] Internet-Draft Stateless Address Mapping (SAM) September 2008 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. SAM operation . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Detailed processing rules . . . . . . . . . . . . . . . . . . 7 4. Parameter values for ISATAP - 6to4 - 6rd . . . . . . . . . . . 12 5. Security considerations . . . . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 8. Informative References . . . . . . . . . . . . . . . . . . . . 13 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13 Intellectual Property and Copyright Statements . . . . . . . . . . 15 Despres Expires April 2, 2009 [Page 2] Internet-Draft Stateless Address Mapping (SAM) September 2008 1. Introduction This document introduces Stateless Local Address Mapping (SAM), a generic tool for global-address packets to traverse transit domains where routings are in different address spaces. To statically share IPv4 global addresses among several CPEs and/or hosts, port prefixes are used as extensions of IPv4 global addresses. In this space (IPv4E), a node having an n-bits IPv4E prefix with n > 32 may only use, or delegate, ports that start with its port prefix (the n - 32 low order bits of the IPv4E prefix). Mechanisms that have already been deployed for IPv6 packets to traverse IPv4 domains, in particular ISATAP, 6to4, and 6rd, are applications of SAM with specific parameter values. Section 2 describes the general architecture of SAM configurations, with all their possible parameters. It also describes stateless mapping rules by which source and destination addresses of encapsulating packets are derived from those of packets to be tunneled. In Section 3, detailed packet processing, including anti-spoofing checks, is presented in pseudo-code. Until some running code is written and tested, these algorithms are not claimed to be error proof. They should therefore be considered as provisional. Section 4 indicates how ISATAP [RFC4214], 6to4 [RFC3056] and 6rd [I-D a]can be seen as specific applications of the general SAM model, with ad hoc parameter values. A companion document, [I-D b], presents several configurations where SAM is used to provide global IPv4 connectivity to customer sites that have only shared global IPv4 addresses in a more scalable way than with NATs in ISP infrastructures, and with possible end-to-end network transparency to IPv4 packets in favorable configurations. 2. SAM operation As shown on Figure 1, SAM concerns packets that traverse a "transit domain" situated between a "core domain" and a number of "branch domains". Stateless Address Mappers (SAMs) are placed at borders between these domains. Being stateless, they can be duplicated any number of times for load sharing. Routes toward them are for this based on prefixes or on anycast addresses. Despres Expires April 2, 2009 [Page 3] Internet-Draft Stateless Address Mapping (SAM) September 2008 SAMs that are between branch domains and the transit domain are the "branch SAMs". They can receive all their parameters in DHCP (possibly DHCPv6). Those that are placed between the transit domain and the core domain are the "core SAMs". Their parameter settings would typically be less automatic. The global Internet, in IPv4 and/or in IPv6, is accessible via the core domain, in which the address space is global. Global packets that are exchanged between hosts of the branch domain ("branch hosts"), and hosts accessible via the core domain ("core hosts") are encapsulated to traverse the transit domain. In each address family v (IPv4E or IPv6) in which a branch host X has an address, this address is structured as follows: Xv = Tv.Ivi.Sv, where Tv is the global prefix of the transit domain, Ivi is an infix that identifies the branch domain in the transit domain, and Sv is a suffix that identifies X in the branch domain. The infix is the same for both address families. In an encapsulating packet of address family v that conveys a packet of family w toward or from branch host X, the address TXv that is derived from Xw, that of X, is structured as follows: TXv = Hv.Ivi.Sw.0/n, where Hv is a header that, in the transit domain, is at the beginning of all prefixes of branch domains, and where n is 32 for IPv4 encapsulating packets and 128 for IPv6 encapsulating packets [Figure 2]. Thus, although IPv4E addresses have 32 + 16 = 48 bits, packets can traverse the transit domain without routers having to route on more than 32 bits. (If k bits are necessary to identify branch domains, H4 should be taken equal to 32 - k.) The address that, in encapsulating packets, corresponds to that of a core host Y is the anycast address Cv of core SAM gateways of the transit domain. To be complete, the SAM model doesn't deal only with the transparent traversal of transit domains by global packets. It deals also with packets of branch host that have private IPv4 addresses and must be encapsulated in IPv6 to reach a NAT at the transit domain - core domain border (a Carrier grade NAT or CGN). The CGN can be IPv4 only as far as packet content is concerned, but they have to exercise their stateful address mapping with "composite" addresses at their transit side. The composite address of a host X that has XS as its private address is a combination of this address and of the encapsulating address derived from it. In the encapsulating packet of a CGN traversing packet, the core side address is the unicast IPv6 address N6 of the CGN in the transit domain. Despres Expires April 2, 2009 [Page 4] Internet-Draft Stateless Address Mapping (SAM) September 2008 BRANCH SAMs CORE SAMs possible parameters: possible parameters: idem core SAM T4, H4, C4 + I4i, I6i, N4, N6 T6, H6, C6 | | | V | .---------------- V | CORE domain .---------------------| | TRANSIT domain | ----------------| | BRANCH domain i | C4 ---> <--- T4 | C6 ---> <--- T6 | | 0.0.0.0/0 ---> <--- B4i=H4.Ii | 0::/0 ---> <--- B6i=H6.Ii | | | <--- BRANCH host X | | CORE host Y ---> | TRANSIT addresses | addresses in | in encapsulating | addresses in encapsulated packets| packets | encapsulated packets <== [Xv, Yv] ==> o <== [TXv, Cv] ==> o <== [Xv, Yv] ==> <== [Xv, X'v] ==> o <== [TXv, TX'v] =. | | | | | <==' | | | <== [X4B, Y4] ==> o <== [TX6, N6] ==> | | | ----------------| N6 ---> [CGN] <--- T4b | | | | '---------------------' | '---------------- v : address family 4 or 6 (for IPv4 or IPv6) Hv : Header of all addresses in the transit domain Bvi : prefix of Branch domain i in in the transit domain (Bvi = Hvi.Ii) Ivi : Infix of branch domain i (Ivi = Bvi - Hv) Cv : anycast address of core domain gateways Nv : unicast address of a CGN at the core domain border Tv : prefix of the transit domain in the core domain TXv : Transit address of branch host X ARCHITECTURE AND POSSIBLE PARAMETERS OF STATIC ADDRESS MAPPINGS Figure 1 Despres Expires April 2, 2009 [Page 5] Internet-Draft Stateless Address Mapping (SAM) September 2008 glob. v4 add. port <------32------><---16--> +-----.---------+-.------. | T4 | Ii | S4 | +-----'---------+-'------' <--g--><----i-----><--s--> Branch host IPv4E address (X4) <-------------------------------128-----------------------------> +-----------------.-----------.---------------------------------+ | T6 | Ii | S6 | +-----------------'-----------'---------------------------------+ <-------g---------><----i-----><---------------s----------------> Branch host IPv6 address (X6) <------32------> +---.-----------+ |H4 | Ii | +---'-----------+ <-h-><----i-----> IPv4 TRANSIT address (TX4) for a Branch host <-------------------------------128-----------------------------> +-------------.-----------.-------------------------------------+ | H6 | Ii | 0 | +-------------'-----------'-------------------------------------+ <-----h-------><----i-----><--s--> IPv6 TRANSIT address (TX6) for a Branch host the global address of which is IPv4 <-------------------------------128-----------------------------> +-------------.-----------.------.------------------------------+ | H6 | Ii | Sv | 0 | +-------------'-----------'------'------------------------------+ <-----h-------><----i-----><--s--> IPv6 TRANSIT address (TX6) for a Branch host the global address of which is IPv6 GLOBAL TO TRANSIT ADDRESS MAPPINGs FOR BRANCH HOST Figure 2 Despres Expires April 2, 2009 [Page 6] Internet-Draft Stateless Address Mapping (SAM) September 2008 3. Detailed processing rules Processing rules that result from the above description are detailed in Figure 6 to Figure 8. They include anti-spoofing tests whereby consistency between addresses of encapsulating packets and encapsulated packets are systematically verified. In the pseudo-code, A and B are prefixes with B contained at the beginning of A, A - B stands for what follows B in A. In other words, with he dot as concatenation operator, A = B.(A - B). The pseudo- code notation is otherwise expected to be self explanatory. CASE X4 = G4.. DO CASE Y4 NOT= G4.. DO CASE C4 NOT= nil DO TY4 <- C4 TX4 <- H4.(X4E-G4).0/32 Encapsulate 4/4 CASE C4 = nil & C6 NOT= nil DO TY6 <- C6 TX6 <- H6.(X4E-G4).0/128 Encapsulate 4/6 CASE C4=nil & C6=nil & N4 NOT= nil DO TY4 <- N4 TX4 <- H4.(X4E-G4).0/32 Encapsulate 4/4 CASE C4=nil & C6=nil & N4=nil & N6 NOT= nil DO TY6 <- N6 TX6 <- H6.(X4E-G4).0/128 Encapsulate 6/4 CASE Y4 = G4.. DO CASE H4 NOT= nil DO TY4 <- H4.(Y4E-G4).0/32 TX4 <- H4.(S4E-G4).0/32 Encapsulate 4/4 CASE H4 = nil & H6 NOT= nil DO TY6 <- Y6.(Y4E-G4).0/128 TX6 <- H6.(X4E-G4).0/128 Encapsulate 4/6 CASE X4 NOT= G4.. DO Discard packet BRANCH-SAM PROCESSING OF AN IPV4E CORE-BOUND PACKET Figure 3 Despres Expires April 2, 2009 [Page 7] Internet-Draft Stateless Address Mapping (SAM) September 2008 CASE X6 = G6.. CASE Y6 NOT= G6:: DO CASE H4 NOT= nil DO TY4 <- C4 TX4 <- H4.(X6-G6).0/32 Encapsulate 6/4 CASE H4 = nil & H6 NOT= nil DO TY6 <- C6 TX6 <- H6.(X6-G6).0/128 Encapsulate 6/6 CASE C4=nil & C6=nil & N4 NOT= nil DO TY4 <- N4 TX4 <- H4.(X6-G6).0/32 Encapsulate 4/4 CASE C4=nil & C6=nil & N4=nil & N6 NOT= nil DO TY6 <- N6 TX6 <- H6.(X6-G6).0/128 Encapsulate 6/4 CASE Y6 = G6.. DO CASE H4 NOT= nil DO TY4 <- H4.(Y6-G6).0/32 TX4 <- H4.(X6-G6).0/32 Encapsulate 6/4 CASE H4 = nil & H6 NOT= nil DO TY6 <- Y6.(Y6-G6).0/128 TX6 <- H6.(X6-G6).0/128 Encapsulate 6/6 CASE X6 NOT= G6.. DO Discard packet BRANCH-SAM PROCESSING OF AN IPV6 CORE-BOUND PACKET Figure 4 Despres Expires April 2, 2009 [Page 8] Internet-Draft Stateless Address Mapping (SAM) September 2008 CASE Encapsulating packet is v4 CASE Encapsulated packet is v4 DO Decapsulate 4/4, getting X4 and Y4 IF X4=G4.. & TX4 = H4.(X4-G4).0/32 & [TY4=C4 OR TY4=N4 OR (Y4 = G4.. & TY4=H4.(Y4-G4)..] DO Forward decapsulated packet ELSE Discard packet CASE Encapsulated packet is v6 DO Decapsulate 6/4, getting X4 and Y4 IF X6=G6.. & TX4 = H4.(X6-G6).0/32 & [TY4=C4 OR TY4=N4 OR (Y6 = G6.. & TY4=H4.(Y6-G6)..] DO Forward decapsulated packet ELSE Discard packet CASE Encapsulating packet is v6 CASE Encapsulated packet is v4 DO Decapsulate 4/6, getting X4 and Y4 IF X4=G4.. & TX6 = H6.(X4-G4).0/128 & [TY6=C6 OR TY6=N6 OR (Y4 = G4.. & TY6=H6.(Y4-G4)..] DO Forward decapsulated packet ELSE Discard packet CASE Encapsulated packet is v6 DO Decapsulate 6/6, getting X6 and Y6 IF X6=G6.. & TX6 = H6.(X6-G6).0/128 & [TY6=C6 OR TY6=N6 OR (Y6 = G6.. & TY6=H6.(Y6-G6)..] DO Forward decapsulated packet ELSE Discard packet BRANCH-SAM PROCESSING OF A BRANCH-BOUND PACKET Figure 5 Despres Expires April 2, 2009 [Page 9] Internet-Draft Stateless Address Mapping (SAM) September 2008 CASE Encapsulating packet is v4 CASE Encapsulated packet is v4 DO Decapsulate 4/4, getting X4 and Y4 IF X4 = G4.. & TX4 = H4.(X4-G4).0/32 & Y4 NOT= G4.. DO Forward decapsulated packet ELSE Discard packet CASE Encapsulated packet is v6 DO Decapsulate 6/4, getting X6 and Y6 IF X6 = G6.. & TX4 = H4.(X6-G6).0/32 & Y4 NOT= G4.. DO Forward decapsulated packet ELSE Discard packet CASE Encapsulating packet is v6 CASE Encapsulated packet is v4 DO Decapsulate 4/6, getting X4 and Y4 IF X4 = G4.. & TX6 = H6.(X4-G4).0/128 & Y4 NOT= G4.. DO Forward decapsulated packet ELSE Discard packet CASE Encapsulated packet is v6 DO Decapsulate 6/6, getting X6 and Y6 IF X6 = G6.. & TX6 = H6.(X6-G6).0/128 & [ Y6 NOT = G6.. DO Forward decapsulated packet ELSE Discard packet CORE-SAM PROCESSING OF CORE-BOUND PACKET Figure 6 Despres Expires April 2, 2009 [Page 10] Internet-Draft Stateless Address Mapping (SAM) September 2008 CASE Y4 NOT= G4.. DO CASE C4 NOT= nil DO TY4 <- C4 TX4 <- H4.(X4E-G4).0/32 Encapsulate 4/4 CASE C4 = nil & C6 NOT= nil DO TY6 <- C6 TX6 <- H6.(X4E-G4).0/128 Encapsulate 4/6 CASE Y4 = G4.. DO Discard packet CORE-SAM PROCESSING OF AN IPV4 BRANCH-BOUND PACKET Figure 7 CASE Y6 NOT= G6.. DO CASE C4 NOT= nil DO TY4 <- C4 TX4 <- H4.(X6-G6).0/32 Encapsulate 6/4 CASE C4 = nil & C6 NOT= nil DO TY6 <- C6 TX6 <- H6.(X6-G6).0/128 Encapsulate 6/6 CASE Y4 = G4.. DO Discard packet CORE-SAM PROCESSING OF AN IPV6 BRANCH-BOUND PACKET Figure 8 Despres Expires April 2, 2009 [Page 11] Internet-Draft Stateless Address Mapping (SAM) September 2008 4. Parameter values for ISATAP - 6to4 - 6rd ISATAP [RFC4214], 6to4 [RFC3056], and 6rd [I-D a], are techniques that provide IPv6 connectivity via various IPv4 domains. They can be implemented as specific applications of the SAM architecture with the ad hoc parameter values shown in the following table. +----------------+---------------+---------------+-----------------+ | | ISATAP | 6to4 | 6rd | +----------------+---------------+---------------+-----------------+ | Branch domains | DS hosts |customer sites | customer sites | +----------------+---------------+---------------+-----------------+ | Transit domain |customer site | global IPv4 | ISP IPv4 | | | | Internet * | infrastructure | +----------------+---------------+---------------+-----------------+ | Core domain | ISP IPv6 | global IPv6 | global IPv6 | | |infrastructure | Internet | Internet | +----------------+---------------+---------------+-----------------+ | T6 |Site v6 prefix | 2002::/16 | ISP v6 prefix **| +----------------+---------------+---------------+-----------------+ | H4 | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0 | +----------------+---------------+---------------+-----------------+ | C4 | CPE local Add.| 192.88.99.1 | 192.88.99.2 ***| +----------------+---------------+---------------+-----------------+ | Ii length | 32 | 32 | 32 | +----------------+---------------+---------------+-----------------+ * For full connectivity between 6to4 sites, the 2002 prefix must be routed from the global IPv6 Internet to the global IPv4 Internet ** A /28 prefix in the Iliad-Free deployment (initially a /32) *** Value used in the Iliad-Free deployment. Any anycast address that is local to the ISP infrastructure can do. SAM PARAMETERS OF EXISTING ENCAPSULATIONS OF IPv6 IN IPv4 Figure 9 5. Security considerations With anti-spoofing checks in processing rules of Section 3, no security risk inherent to SAM has been identified. Despres Expires April 2, 2009 [Page 12] Internet-Draft Stateless Address Mapping (SAM) September 2008 6. IANA Considerations To automate parameter settings of branch SAMs, DHCP and DHCPv6 option codes will have to be assigned. 7. Acknowledgements So far, the SAM design has essentially been worked out by the author, with various intermediate stages like the so called Address Borrowing Protocol and the Global Address Protocol, without any sponsoring or company contract, and without seeking intellectual property protection. He therefore wishes to expresses its first acknowledgment to his wife: she accepted that traveling and other expenses be supported by the uni-personal enterprise of the author, the money of which cannot be distinguished from family money. One important and recent progress of the approach has been the recognition that, with the flexibility of DHCP, no new protocol would be necessary to automate SAM parameter settings. Acknowledgment is due to Gabor Bajko and Teemu Savolainen for pointing it out at IETF 72. 8. Informative References [I-D a] "IPv6 Rapid Deployment on IPv4 infrastructures (6rd) - Work in progress", September 2008. [I-D b] "IPv4-IPv6 Coexistence Scenarios based on Stateless Address mapping - Work in progress", September 2008. [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, February 2001. [RFC4214] Templin, F., Gleeson, T., Talwar, M., and D. Thaler, "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)", RFC 4214, October 2005. Despres Expires April 2, 2009 [Page 13] Internet-Draft Stateless Address Mapping (SAM) September 2008 Author's Address Remi Despres 3 rue du President Wilson Levallois, France Email: remi.despres@free.fr Despres Expires April 2, 2009 [Page 14] Internet-Draft Stateless Address Mapping (SAM) September 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Despres Expires April 2, 2009 [Page 15]