Network Working Group                                         F. Templin
Internet-Draft                                                     Nokia
Expires: March 10, April 14, 2004                                       T. Gleeson
                                                      Cisco Systems K.K.
                                                               M. Talwar
                                                               D. Thaler
                                                   Microsoft Corporation
                                                      September 10,
                                                        October 15, 2003

        Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
                    draft-ietf-ngtrans-isatap-15.txt
                    draft-ietf-ngtrans-isatap-16.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 10, April 14, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   This document specifies an Intra-Site Automatic Tunnel Addressing
   Protocol (ISATAP) that connects IPv6 hosts and routers within IPv4
   sites. ISATAP treats the site's IPv4 unicast infrastructure as a
   Non-Broadcast, Multiple Access (NBMA) link layer for IPv6. IPv6 with no
   requirement for IPv4 multicast. ISATAP enables intra-site automatic IPv6-in-IPv4
   tunneling whether globally assigned or private IPv4 addresses are
   used.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Requirements . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Basic IPv6 Operation . . . . . . . . . . . . . . . . . . . . .  4
   5.  Automatic Tunneling  . . . . . . . . . . . . . . . . . . . . .  5  6
   6.  Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . .  6  8
   7.  Address Autoconfiguration  . . . . . . . . . . . . . . . . . .  9 12
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9 12
   9.  Security considerations  . . . . . . . . . . . . . . . . . . .  9 12
   10. Acknowledgements Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 10 12
       Normative References . . . . . . . . . . . . . . . . . . . . . 10 13
       Informative References . . . . . . . . . . . . . . . . . . . . 11 14
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 12 15
   A.  Major Changes  . . . . . . . . . . . . . . . . . . . . . . . . 12 15
   B.  Rationale for  Interface Identifier Construction  . . . . . . . 14
   C.  Deployment Considerations  . . . . . . . . . . . . . . . . . . 15
   D.  Other Considerations . . . . . . . . . . . . . . . . . . . . . 15 16
       Intellectual Property and Copyright Statements . . . . . . . . 17 18

1. Introduction

   This document presents specifies a simple approach mechanism called the Intra-Site
   Automatic Tunnel Addressing Protocol (ISATAP) that enables
   incremental deployment of IPv6 [RFC2460] within IPv4 [RFC0791] sites.
   ISATAP allows dual-stack nodes that do not share a link with an IPv6
   router to automatically tunnel packets to the IPv6 next-hop address
   through IPv4, i.e., the site's IPv4 infrastructure is treated as a
   link layer for IPv6.

   Specific

   The main objectives of this document are to: 1) specify operational
   details for the operation of IPv6 and automatic tunneling of IPv6 over IPv4 using ISATAP are given, including an interface identifier ISATAP, 2)
   specify the format that
   embeds of IPv6 interface identifiers using an embedded
   IPv4 address. This format supports IPv6 address
   configuration and simple link-layer address mapping. Also specified
   is address, 3) specify the operation of IPv6 Neighbor Discovery and deployment/security
   Address Autoconfiguration, and 4) discuss security considerations.

   The specification in this document is very similar to [RFC2529], with
   the primary distinction that ISATAP does not require IPv4 multicast
   support within the site.

2. Requirements

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in [RFC2119].

   This document also makes use of internal conceptual variables to
   describe protocol behavior and external variables that an
   implementation must allow system administrators to change. The
   specific variable names, how their values change, and how their
   settings influence protocol behavior are provided to demonstrate
   protocol behavior. An implementation is not required to have them in
   the exact form described here, so long as its external behavior is
   consistent with that described in this document.

3. Terminology

   The terminology of [RFC2460] [RFC2460][RFC2461][RFC2462] applies to this
   document. The following additional terms are defined:

   site:
      same as defined in [RFC3582], which is intended to be equivalent
      to "enterprise" as defined in [RFC1918].

   link, on-link, off-link:
      same as defined in ([RFC2461], section 2.1).

   underlying link:
      a link layer that supports IPv4 (for ISATAP), and MAY also support
      IPv6 natively.

   ISATAP interface:
      an interface used for automatic IPv6-in-IPv4 tunneling and
      configured over one or more underlying links. IPv4 addresses assigned to one or more
      of the node's IPv4 interfaces that belong to the same site.

   advertising ISATAP interface:
      same meaning as "advertising interface" advertising interface in ([RFC2461], section
      6.2.2).

   ISATAP address:
      an address with an on-link prefix assigned on an ISATAP interface
      and with an interface identifier constructed as specified in
      Section 4.1.

4. Basic IPv6 Operation

   ISATAP interfaces automatically tunnel IPv6 packets in IPv4 using the
   site's IPv4 infrastructure as a link layer for IPv6, layer, i.e., IPv6 treats the
   site's IPv4 infrastructure as a Non-Broadcast, Multiple Access (NBMA)
   link layer, layer with properties similar to [RFC2491]. The following
   ISATAP-specific considerations are noted
   sections specify details for basic IPv6 operation: operation on ISATAP
   interfaces:

4.1 Interface Identifiers and Unicast Addresses

   ISATAP interface

   Interface identifiers use "modified EUI-64" for ISATAP are constructed in Modified EUI-64
   format ([RFC3513], as specified in ([ADDR-ARCH], section 2.5.1) and 2.5.1). They are formed
   by appending an a 32-bit IPv4 address assigned
   to an underlying link to the 32-bit string '00-00-5E-FE'. Appendix B
   includes non-normative rationale for this construction rule.

   IPv6 global and local-use ([RFC3513], sections 2.5.4, 2.5.6) ISATAP
   addresses are constructed leading token
   '0000:5EFE', then setting the universal/local ("u") bit as follows:

    |           64 bits            |     32 bits   |    32 bits     |

   When the IPv4 address is globally unique (i.e., provider-assigned),
   the "u" bit is set to 1 and the leading token becomes '0200:5EFE'.
   When the IPv4 address is from a private allocation [RFC1918], the "u"
   bit is set to 0 and the leading token remains as '0000:5EFE'.

   Global and link-local IPv6 unicast addresses ([ADDR-ARCH], sections
   2.5.4, 2.5.6) for ISATAP are constructed as follows:

    |           64 bits            |     32 bits   |    32 bits     |
    +------------------------------+---------------+----------------+
    | global/local unicast   global/link-local prefix   |   0000:5EFE 000[0/2]:5EFE |  IPv4 Address  |
    +------------------------------+---------------+----------------+

   (Appendix B provides additional non-normative details.)

4.2 ISATAP Interface Configuration Management

   The IP Tunnel MIB [MIB] is used, with the following additions for
   ISATAP interfaces are configured over one or more underlying links
   that support interfaces:

   o  For each IPv4 for tunneling within address an ISATAP interface is configured over, a site; each
      tuple consisting of the IPv4 address
   assigned and ifIndex for the
      corresponding IPv4 interface ([RFC2863], section 3.1.5) is added
      to ifRcvAddressTable ([MIB], section 3.1.2).

   o  tunnelIfRemoteInetAddress in the tunnelIfEntry object ([MIB],
      section 4) is set to 0.0.0.0 for ISATAP interfaces.

   When an underlying link IPv4 address over which an ISATAP interface is configured is
   removed from its IPv4 interface, the corresponding (IPv4 addres,
   ifIndex)-tuple MUST be removed from the ISATAP interface
   ifRcvAddressTable. If the IPv4 address is seen also used as
   tunnelIfLocalInetAddress ([MIB], section 5) in the ISATAP interface
   tunnelIfEntry, the interface MUST either set tunnelIfLocalInetAddress
   to a link-layer different IPv4 address for
   ISATAP. or be disabled.

   When a new IPv4 address is added to an IPv4 interface an ISATAP
   interface is configured over, a new (IPv4 address, ifIndex)-tuple MAY
   be added to ifRcvAddressTable and tunnelIfLocalInetAddress MAY be set
   to the new address.

4.3 Multicast and Anycast

   ISATAP interfaces recognize an IPv6 node's required addresses
   ([RFC3513],
   ([ADDR-ARCH], section 2.8), including certain multicast/anycast
   addresses.

   Mechanisms 2.8). The following multicast mappings are
   defined for packets sent on ISATAP interfaces:

   o  When the IPv6 destination address is the 'All-Routers'
      ([ADDR-ARCH], section 2.7.1) or
      'All_DHCP_Relay_Agents_and_Servers' ([RFC3315], section 1.2)
      multicast address, it is mapped to V4ADDR(i) for one or more
      PRL(i)'s (see: Section 6.1). The manner of selecting PRL(i)'s is
      up to the implementation.

   Other multicast mappings, and mechanisms for general-purpose
   multicast/anycast emulation on ISATAP interfaces
   (e.g., MARS [RFC2022], etc.) are out beyond the scope
   of scope.

5. Automatic Tunneling

   The common tunneling mechanisms specified in ([MECH], sections this document.

4.4 Source/Target Link Layer Address Options

   Source/Target Link Layer Address Options ([RFC2461], section 4.6.1)
   for ISATAP have the following format:

    +-------+-------+-------+-------+-------+-------+-------+--------+
    | Type  |Length |   0   |   0   |        IPv4 Address            |
    +-------+-------+-------+-------+-------+-------+-------+--------+
   Type:
      1 for Source Link-layer address.
      2 and
   3) are used, for Target Link-layer address.

   Length:
      1 (in units of 8 octets).

   IPv4 Address:
      The 32 bit IPv4 address, in network byte order.

5. Automatic Tunneling

   ISATAP interfaces use the basic transition mechanisms specified in
   [MECH] with the following noted considerations for ISATAP: exceptions:

5.1 Tunnel MTU and Fragmentation

   ISATAP automatic tunnel interfaces may be configured over multiple
   underlying links with diverse maximum transmission units (MTUs).

   The specification in ([MECH], section 3.2) is not used; the
   specification in this section is used instead.

   The minimum MTU for IPv6 interfaces is 1280 bytes ([RFC2460], Section
   5), but the following operational considerations apply for ISATAP interfaces: are noted:

   o  Nearly all IPv4 nodes connect to physical links with MTUs of 1500
      bytes or larger (e.g., Ethernet)

   o  Sub-IPv4 layer encapsulations (e.g., VPN) may occur on some paths

   o  Commonly-deployed VPN interfaces use an MTU of 1400 bytes

   To maximize efficiency and minimize IPv4 fragmentation for the
   predominant deployment case, LinkMTU ([RFC2461], Section 6.3.2) for
   the ISATAP interface interfaces SHOULD be
   set to no more than 1380 bytes (1400 minus 20 bytes for IPv4
   encapsulation).

   LinkMTU MAY be set to larger values when a dynamic link layer (IPv4)
   MTU discovery mechanism is used used, or when a static MTU assignment is
   used and the anticipated/measured level of fragmentation in the
   site's IPv4 network is deemed acceptable.

   When a dynamic link layer MTU discovery mechanism is not used, the
   ISATAP interface MUST NOT encapsulate IPv6 packets with the
   Don't Fragment (DF) bit MUST NOT be set in the encapsulating IPv4 header.
   header of packets sent on the ISATAP interface. In this case, black
   holes may in rare instances occur along some paths even when the
   tunnel interface uses the IPv6 minimum MTU of 1280 bytes. (This
   concern is not specific to ISATAP interfaces, but applies to all
   tunnels for which nested levels of sub link-layer encapsulation may
   occur.)

5.2 Handling IPv4 ICMP Errors

   ARP failures and persistent ICMPv4 errors SHOULD be processed as
   link-specific information indicating that a path to a neighbor has
   failed ([RFC2461], section 7.3.3).

5.3 Local-Use IPv6 Unicast Link-Local Addresses

   The specification in ([MECH], section 3.7) is not used; the
   specification in Section 4.1 of this document is used instead.

5.4 Ingress Filtering Neighbor Discovery over Tunnels

   The specification in ([MECH], section 3.9) 3.8) is used.

   Additionally, packets received on an ISATAP interface with an ISATAP
   network-layer (IPv6) source address that does not embed used; the
   link-layer (IPv4) source address
   specifications in the interface identifier Section 6 and Section 7 of this document are
   silently discarded.

6. Neighbor Discovery used
   instead.

5.5 Decapsulation/Filtering

   The specification specifications in ([MECH], section 3.8) applies only to configured
   tunnels. [RFC2461] provides sections 3.6, 3.9 and 4.1) are used.

   In addition, the following guidelines decapsulator MUST determine the correct tunnel
   interface to receive each IPv4 protocol-41 packet via a table lookup
   for
   non-broadcast multiple access (NBMA) link support:

      "Redirect, Neighbor Unreachability Detection the tuple consisting of the packet's IPv4 source and next-hop
      determination should be implemented as described in this document.
      Address resolution destination
   address, and the mechanism ifIndex for delivering Router
      Solicitations and Advertisements on NBMA links is not specified in
      this document." the receiving IPv4 interface. (Note that
   ISATAP interfaces SHOULD implement Redirect, Neighbor Unreachability
   Detection, and next-hop determination exactly as specified in
   [RFC2461]. Address resolution and match all IPv4 source addresses by default; if a
   tunnel interface with a more-specific match on the mechanisms IPv4 source
   address exists, it is selected to receive the packet as for delivering
   Router Solicitations and Advertisements are not specified by
   [RFC2461]; instead, they
   longest-prefix-match.) Packets for which the correct tunnel interface
   cannot be determined are specified discarded; in the following sections of this document.

6.1 Address Resolution and Neighbor Unreachability Detection

   ISATAP addresses are resolved to link-layer (IPv4) addresses by a
   static computation, i.e., case, the last four octets are treated as an IPv4
   address.

   Hosts SHOULD perform decapsulator
   MAY also send an initial reachability confirmation by sending
   Neighbor Solicitation (NS) message(s) and receiving a Neighbor
   Advertisement (NA) ICMPv4 Destination Unreachable message as specified in ([RFC2461], with code 3
   (Port Unreachable) ([RFC1122], section 7.2).
   Unless otherwise specified in a future document, solicitations are
   sent 3.2.2.1) to the target's unicast address.

   Hosts SHOULD additionally perform Neighbor Unreachability Detection
   (NUD) as specified in ([RFC2461], section 7.3). Routers MAY perform
   these reachability confirmation and NUD procedures, but this might
   not scale IPv4 source
   address in all environments.

   All ISATAP nodes the packet's outer header.

   After determining the correct tunnel interface, the decapsulator MUST send solicited neighbor advertisements
   ([RFC2461], section 7.2.4).

6.2 Duplicate Address Detection

   Duplicate Address Detection ([RFC2462], section 5.4)
   also verify that the packet's link-layer (IPv4) source address is not required
   correct for the network-layer (IPv6) source address. For ISATAP addresses, since duplicate
   interfaces, the packet's link-layer source address detection is assumed to
   have been already performed for correct if one
   (or more) of the IPv4 addresses from which they
   derive.

6.3 Router and Prefix Discovery

   The following sections describe mechanisms to support are true:

   o  the router and
   prefix discovery process ([RFC2461], section 6):

6.3.1 Conceptual Data Structures network-layer source address is an ISATAP nodes use address that embeds
      the conceptual data structures Prefix List and
   Default Router List exactly as link-layer source address in ([RFC2461], section 5.1). ISATAP
   adds a new conceptual data structure "Potential Router List" (PRL) its interface identifier.

   o  the network-layer source address is an IPv6 neighbor within the
      same site as the receiving ISATAP interface, and the following new configuration variable:

   PrlRefreshInterval
      Time link-layer
      source address matches the link layer address in seconds between successive refreshments the neighbor
      cache.

   o  the link-layer source address is a member of the PRL after
      initialization. It Potential Router
      List for the site (see: Section 6.1).

   Packets for which the link-layer source address is incorrect are
   discarded, and an ICMPv6 Destination Unreachable message ([ICMPV6],
   section 3.1) SHOULD be no less than 3,600 seconds. The
      designated value sent to the IPv6 source in the inner header of all 1's (0xffffffff) represents infinity.

      Default: 3,600 seconds

   A PRL is associated
   the encapsulated packet (subject to rate limiting as in [ICMPV6],
   section 2.4, paragraph f).

6. Neighbor Discovery

   ISATAP interfaces use the neighbor discovery mechanisms specified in
   [RFC2461] with every the following exceptions:

6.1 Conceptual Model Of A Host

   To the list of Conceptual Data Structures ([RFC2461], section 5.1),
   ISATAP interface and supports interfaces add:

   Potential Router List
      A set of entries about potential routers for the site; used to
      support the mechanisms specified in  Section 6.3.4. 6.2.3. Each entry in the PRL
      ("PRL(i)") has an associated timer ("TIMER(i)"), and an IPv4
      address ("V4ADDR(i)") that represents a site border router's advertising
      ISATAP interface.

   When a node enables an ISATAP interface, it initializes

6.2 Router and Prefix Discovery

6.2.1 Message Validation

6.2.1.1 Validation of Router Solicitation Messages

   To the PRL with
   IPv4 addresses. The addresses MAY be discovered via a DHCPv4
   [RFC2131] option for ISATAP, manual configuration, or an unspecified
   alternate method (e.g., DHCPv4 vendor-specific option, etc.).

   When no other mechanisms are available, a DNS fully-qualified domain
   name (FQDN) [RFC1035] established by an out-of-band method (e.g.,
   DHCPv4, manual configuration, etc.) MAY be used. The FQDN is resolved
   into IPv4 addresses list of validity checks for Router Soliciation messages
   ([RFC2461], section 6.1.1), ISATAP interfaces add:

   o  If the PRL through a static host file, a
   site-specific name service, querying message includes a DNS server within Source Link Layer Address Option, the site, or
      message also includes an unspecified alternate method. There are no mandatory rules for the
   selection of a FQDN, but manual configuration MUST be supported. When
   DNS is used, client resolvers use the IPv4 transport.

   After initialization, nodes periodically refresh the PRL (i.e., using
   one or more of the methods described above) after PrlRefreshInterval.

6.3.2 IP authentication Header.

6.2.1.2 Validation of Router Advertisements Advertisement Messages

   The specification in

   To the list of validity checks for Router Advertisement messages
   ([RFC2461], section 6.1.2) is used.

6.3.3 Router Specification

   Routers with advertising 6.1.1), ISATAP interfaces behave add:

   o  IP Source Address is an ISATAP link-local address that embeds
      V4ADDR(i) for some PRL(i).

   o  If the same as
   described in ([RFC2461], section 6.2). message includes a Source Link Layer Address Option, the
      message also includes an IP authentication Header.

6.2.2 Router Specification

   As permitted by ([RFC2461], section 6.2.6), advertising ISATAP
   interfaces SHOULD send unicast RA Router Advertisement messages to a the
   soliciting host's unicast address when the solicitation's source address is
   not the unspecified address.

6.3.4

6.2.3 Host Specification

   Hosts behave

6.2.3.1 Host Variables

   To the same as described in list of host variables ([RFC2461], section 6.3) with
   the following additional considerations for ISATAP:

6.3.4.1 Soliciting Router Advertisements

   Hosts solicit Router Advertisements (RAs) by sending Router
   Solicitations (RSs) to advertising 6.3.2), ISATAP
   interfaces add:

   PrlRefreshInterval
      Time in seconds between successive refreshments of the PRL. PRL after
      initialization. It SHOULD be no less than 3600 seconds. The
   manner
      designated value of selecting PRL(i)'s for solicitation is up to the
   implementation. Hosts add the following variable to support the
   solicitation process: all 1's (0xffffffff) represents infinity.

      Default: 3600 seconds

   MinRouterSolicitInterval
      Minimum time in seconds between successive solicitations of the
      same advertising ISATAP interface. It SHOULD be no less than 900
      seconds. The designated value of alll 1's (0xffffffff) represents
      infinity.

      Default: 900 seconds

   RS messages use a link-local unicast address from

6.2.3.2 Interface Initialization

   The host joins the all-nodes multicast address on ISATAP
   interface interfaces,
   as for multicast-capable interfaces ([RFC2461], section 6.3.3).

   Additionally, the IPv6 source address.

6.3.4.2 Router Advertisement Processing

   RAs received from a member of host provisions the ISATAP interface's PRL (i.e., RAs with an
   IPv4 addresses it discovers via manual configuration, a DNS
   fully-qualified domain name (FQDN) [RFC1035], a DHCPv4 option for
   ISATAP IPv6
   source address that embeds V4ADDR(i) [ISDHCP], a DHCPv4 vendor-specific option, or an unspecified
   alternate method. (Support for some PRL(i)) manual configuration is REQUIRED;
   other methods are processed OPTIONAL.)
   When FQDNs are used, the host establishes the FQDN via manual
   configuration or an unspecified alternate method. (Support for manual
   configuration is REQUIRED; other methods are OPTIONAL.) The host
   resolves the FQDN into IPv4 addresses through lookup in a static host
   file, a site-specific name service, querying the site's DNS service,
   or an unspecified alternate method. When DNS is used, client
   resolvers use the IPv4 transport.

   After the host provisions the ISATAP interface's PRL with IPv4
   addresses, it sets PrlRefreshIntervalTimer to PrlRefreshInterval
   seconds. The host re-initializes the PRL (i.e., as specified above)
   when PrlRefreshIntervalTimer expires, or when an asynchronous
   re-initialization event occurs. When the host re-initializes the PRL,
   it resets PrlRefreshIntervalTimer to PrlRefreshInterval seconds.

6.2.3.3 Processing Received Router Advertisements

   Router Advertisements (RAs) are processed exactly as specified in
   ([RFC2461], section 6.3.4). 6.3.4) except that, if the MTU option is present,
   the option's value SHOULD be stored in a per-neighbor cache entry for
   the source of the RA; it MUST NOT be copied into LinkMTU for the
   ISATAP interface.

   Additionally, hosts reset TIMER(i) to schedule the next solicitation
   event (see: Section 6.3.4.1). 6.2.3.4). Let "MIN_LIFETIME" be the minimum value
   in the Router Lifetime or the lifetime(s) encoded in options included
   in the RA message. Then, TIMER(i) is reset as follows:

      TIMER(i) = MAX((0.5 * MIN_LIFETIME), MinRouterSolicitInterval)

   RAs received from a router other than a member of

6.2.3.4 Sending Router Solicitations

   To the PRL are
   processed as specified in ([RFC2461], section 6.3.4) except that any
   RA contents list of events after which RSs may be sent ([RFC2461], section 6.2.3) that would alter
   6.3.2), ISATAP link
   parameters are silently ignored. In particular, non-zero values in
   the interfaces add:

   o  TIMER(i) for some PRL(i) expires.

   Additionally, hosts MAY send Router Lifetime, M and O flags, Cur Hop Limit, Reachable Time,
   and Retrans Timer as well as prefix options with the L and/or A bits
   set are ignored. If the MTU option is present, the option's value
   SHOULD be stored in a per-neighbor cache entry Solicitations to an ISATAP
   link-local address that embeds V4ADDR(i) for some PRL(i) instead of
   the source All-Routers multicast address.

6.3 Address Resolution and Neighbor Unreachability Detection

6.3.1 Message Validation

6.3.1.1 Validation of Neighbor Solicitations

   To the
   RA; it MUST NOT be copied into LinkMTU list of validity checks for the Neighbor Solicitation (NS)
   messages ([RFC2461], section 7.1.1), ISATAP link.

7. interfaces add:

   o  If the message includes a Source Link Layer Address Autoconfiguration

   Hosts invoke stateless address autoconfiguration under Option, the conditions
   specified in ([RFC2462], sections 5.5).

   Hosts invoke stateful address autoconfiguration under
      message also includes an IP authentication Header.

6.3.1.2 Validation of Neighbor Solicitations

   To the conditions
   specified list of validity checks for Neighbor Advertisement (NA)
   messages ([RFC2461], section 7.1.2), ISATAP interfaces add:

   o  If the message includes a Target Link Layer Address Option, the
      message also includes an IP authentication Header.

6.3.2 Address Resolution

   The specification in ([RFC2462], ([RFC2461], section 5.5). When DHCPv6 [RFC3315] 7.2) is used,
   hosts send used. NS and NA
   messages to MAY omit the "All_DHCP_Relay_Agents_and_Servers"
   multicast source/target link layer address ([RFC3315], sections 1.2 and 1.3). Sending
   implementations map option when
   the "All_DHCP_Relay_Agents_and_Servers" multicast
   address to a link-layer (IPv4) address by selecting V4ADDR(i) source/target is an ISATAP address. ISATAP addresses for
   some PRL(i).

   When the site supports the DHCPv6 service, which
   the server/relay function
   MUST neighbor's link-layer address cannot otherwise be deployed equally on each router that is a member of the PRL.

8. IANA Considerations

   The IANA is advised to specify construction rules for IEEE EUI-64
   addresses formed determined
   (i.e., from the Organizationally Unique Identifier (OUI)
   "00-00-5E" neighbor cache or a link layer address option in a
   received packet) are resolved to link-layer addresses by a static
   computation, i.e., the IANA "ethernet-numbers" registry. The non-normative
   text in Appendix B is offered last four octets are treated as an example specification.

9. Security considerations

   ISATAP site border routers MUST implement IPv6 and IPv4 ingress
   filtering and in particular MUST discard any packets originating from
   outside of the site that use an IP address from the site as the
   source
   address. Additionally, site border routers MUST implement
   ip-protocol-41 filtering

   Hosts SHOULD perform an initial reachability confirmation by not allowing packets for that protocol in sending
   NS message(s) and out of receiving a NA message; NS messages are sent to the site. Finally, site border routers MUST NOT forward
   any packets with local-use source or destination addresses outside of
   target's unicast address. Routers MAY perform an initial reachability
   confirmation, but this might not scale in all environments.

   As specified in ([RFC2461], section 7.2.4), all nodes MUST send
   solicited neighbor advertisements on ISATAP interfaces.

6.3.3 Neighbor Unreachability Detection

   Hosts SHOULD perform Neighbor Unreachability Detection as specified
   in ([RFC2461], section 7.3). Routers MAY perform neighbor
   unreachability detection, but this might not scale in all
   environments.

6.4 Redirect Function

   To the site ([RFC3513], list of validity checks for Redirect messages (([RFC2461],
   section 2.5.6).

   Even 8.1), ISATAP interfaces add:

   o  If the message includes a Target Link Layer Address Option, the
      message also includes an IP authentication Header.

7. Address Autoconfiguration

   ISATAP interfaces use the address autoconfiguration mechanisms
   specified in [RFC2462] with the following exceptions:

7.1 Address Lifetime Expiry

   The specification in ([RFC2462], section 5.5.4) is used, except that
   an ISATAP address also becomes deprecated when the IPv4 and IPv6 ingress filtering, reflection attacks can
   originate address
   embedded in its interface identifier is removed from compromised nodes within an IPv4
   interface over which the ISATAP interface is configured. (This
   deprecation rule applies to all ISATAP addresses, including
   link-local addresses.)

7.2 Stateful Address Autoconfiguration

   When the site uses DHCPv6 [RFC3315] as the stateful address
   autoconfiguration mechanism, the server/relay function MUST be
   deployed equally on each router that spoof
   IPv6 source addresses. Security mechanisms is a member of the PRL.

8. IANA Considerations

   The IANA is advised to specify construction rules for reflection attack
   mitigation SHOULD be used IEEE EUI-64
   addresses formed from the Organizationally Unique Identifier (OUI)
   "00-00-5E" in routers with advertising ISATAP
   interfaces. At a minimum, the IANA "ethernet-numbers" registry. The non-normative
   text in Appendix B is offered as an example specification.

9. Security considerations

   The security considerations in [RFC2461][RFC2462][MECH] apply.

   Additionally, site border routers SHOULD log potential
   source address spoofing cases.

   Site administrators maintain a list MUST ensure that lists of IPv4
   addresses representing the advertising ISATAP interfaces and make them available via one or more of PRL
   members are well maintained.

10. Acknowledgments

   Most of the mechanisms described basic ideas in Section 6.3.1. The list can include
   IPv4 anycast address(es) but administrators this document are advised to consider
   operational implications of anycast (e.g., see: [RFC1546]).

   ISATAP addresses do not support privacy extensions for stateless
   address autoconfiguration [RFC3041].

10. Acknowledgements original; the
   authors acknowledge the original architects of those ideas. Portions
   of this work were derived from sponsored through SRI International internal
   funds
   projects and government contracts. Government sponsors include Monica
   Farah-Stapleton and Russell Langan (U.S. Army CECOM ASEO), and Dr.
   Allen Moshfegh (U.S. Office of Naval Research). SRI International
   sponsors include Dr.  Mike Frankel, J. Peter Marcotullio, Lou
   Rodriguez, and Dr. Ambatipudi Sastry.

   The following are acknowledged for providing peer review input: Jim
   Bound, Rich Draves, Cyndi Jung, Ambatipudi Sastry, Aaron Schrader,
   Ole Troan, Vlad Yasevich.

   The following additional individuals are acknowledged for their significant contributions: Rich Draves,
   Alain Durand, Hannu Flinck, Jason Goldschmidt, Nathan Lutchansky,
   Karen Nielsen, Mohan Parthasarathy, Chirayu Patel, Art Shelest, Pekka
   Savola, Margaret Wasserman, Brian Zill.

   The authors also acknowledge the work of Quang Nguyen [VET] under the
   guidance of Dr. Lixia Zhang that proposed very similar ideas to those
   that appear in this document. This work was first brought to the
   authors' attention on September 20, 2002.

Normative References
   authors' attention on September 20, 2002.

Normative References

   [ADDR-ARCH]
              Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", draft-ietf-ipv6-addr-arch-v4-00 (work in
              progress), October 2003.

   [ICMPV6]   Conta, A. and S. Deering, "Internet Control Message
              Protocol (ICMPv6) for the Internet Protocol Version 6
              (IPv6) Specification", draft-ietf-ipngwg-icmp-v3 (work in
              progress), November 2001.

   [MECH]     Gilligan, R. and E. Nordmark, "Basic Transition Mechanisms
              for IPv6 Hosts and Routers", draft-ietf-v6ops-mech-v2-00
              (work in progress), February 2003.

   [MIB]      Thaler, D., "IP Tunnel MIB", draft-thaler-inet-tunnel-mib
              (work in progress), September 2003.

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791, September
              1981.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC2461]  Narten, T., Nordmark, E. and W. Simpson, "Neighbor
              Discovery for IP Version 6 (IPv6)", RFC 2461, December
              1998.

   [RFC2462]  Thomson, S. and T. Narten, "IPv6 Stateless Address
              Autoconfiguration", RFC 2462, December 1998.

   [RFC3513]  Hinden, R. and S. Deering, "Internet

Informative References

   [ISDHCP]   Templin, F., "Dynamic Host Configuration Protocol Version 6
              (IPv6) (DHCPv4)
              Option for the Intra-Site Automatic Tunnel Addressing Architecture", RFC 3513, April
              Protocol (ISATAP)", draft-templin-isatap-dhcp (work in
              progress), October 2003.

Informative References

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC1546]  Partridge, C., Mendez, T. and W. Milliken, "Host
              Anycasting Service",

   [RFC1122]  Braden, R., "Requirements for Internet Hosts -
              Communication Layers", STD 3, RFC 1546, November 1993. 1122, October 1989.

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G. and
              E. Lear, "Address Allocation for Private Internets", BCP
              5, RFC 1918, February 1996.

   [RFC2022]  Armitage, G., "Support for Multicast over UNI 3.0/3.1
              based ATM Networks", RFC 2022, November 1996.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol", RFC
              2131, March 1997.

   [RFC2491]  Armitage, G., Schulter, P., Jork, M. and G. Harter, "IPv6
              over Non-Broadcast Multiple Access (NBMA) networks", RFC
              2491, January 1999.

   [RFC2529]  Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4
              Domains without Explicit Tunnels", RFC 2529, March 1999.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, May 2000.

   [RFC2863]  McCloghrie, K. and F. Kastenholz, "The Interfaces Group
              MIB", RFC 2863, June 2000.

   [RFC3041]  Narten, T. and R. Draves, "Privacy Extensions for
              Stateless Address Autoconfiguration in IPv6", RFC 3041,
              January 2001.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and
              M. Carney, "Dynamic Host Configuration Protocol for IPv6
              (DHCPv6)", RFC 3315, July 2003.

   [RFC3582]  Abley, J., Black, B. and V. Gill, "Goals for IPv6
              Site-Multihoming Architectures", RFC 3582, August 2003.

   [VET]      Nguyen, Q., "http://irl.cs.ucla.edu/vet/report.ps", spring
              1998.

Authors' Addresses

   Fred L. Templin
   Nokia
   313 Fairchild Drive
   Mountain View, CA  94110
   US

   Phone: +1 650 625 2331
   EMail: ftemplin@iprg.nokia.com

   Tim Gleeson
   Cisco Systems K.K.
   Shinjuku Mitsu Building
   2-1-1 Nishishinjuku, Shinjuku-ku
   Tokyo  163-0409
   Japan

   EMail: tgleeson@cisco.com

   Mohit Talwar
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA>  98052-6399
   US

   Phone: +1 425 705 3131
   EMail: mohitt@microsoft.com

   Dave Thaler
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052-6399
   US

   Phone: +1 425 703 8835
   EMail: dthaler@microsoft.com

Appendix A. Major Changes

   changes from version 14 to version 15:

   o  several editorial changes

   o  revised Security; IANA considerations
   o  revised Section 6.3.4.2

   o  added new section on ingress filtering

   o  revised stateful autoconfiguration and moved to new section

   o  removed overly-restrictive text at end of Section 6.3.4.1

   changes from version 13 to version 14:

   o  removed applicability statement; applicability TBD by v6ops

   o  updated deployment/site admin sections; moved to appendices

   o  new text on "L" bit in prefix options in section 7.3.4.2

   o  removed extraneous text in Security Considerations

   o  fixed "layering bug" in section 7.3.4.3

   o  revised "ISATAP address" definition

   o  updated references for RFC 3315; 3513

   Major changes from earlier versions to version 13:

   o  Revised ISATAP interface/link terminology

   o  Returned to using symbolic reference names

   o  Revised MTU section; moved non-normative MTU text to separate
      document

   o  Added multicast/anycast subsection

   o  Revised PRL initialization

   o  Updated neighbor discovery, security consideration sections

   o  Rearranged/revised sections 5, 6, 7

   o  Added stateful autoconfiguration mechanism 16:

   o  Normative references to RFC 2491, RFC 2462  dropped "underlying link" from terminology.

   o  Moved non-normative MTU text to appendix C  specified multicast mappings.

   o  clarified  specified layer address resolution, Neighbor Unreachability Detection option format.

   o  specified MTU/MRU requirements

   o  Addressed operational issues identified in 05 based on discussion
      between co-authors

   o  Clarified ambiguous text per comments from Hannu Flinck; Jason
      Goldschmidt

   o  Moved historical text in section 4.1 to Appendix B in response to
      comments from Pekka Savola setting of "u" bit in interface id's.

   o  Identified operational issues for anticipated deployment scenarios  removed obsoleted appendix sections.

   o  Included reference  re-organized major sections to Quang Nguyen work match normative references.

   o  revised neighbor discovery, address autoconfiguration, security
      considerations sections. Added new subsections on interface
      management, decapsulation/filtering, address lifetime expiry.

Appendix B. Rationale for Interface Identifier Construction

   ISATAP specifies

   This section provides an EUI64-format address construction example specification for constructing EUI64
   addresses from the Organizationally-Unique Identifier (OUI) owned by
   the Internet Assigned Numbers Authority (IANA). This format (given below) is It can be used to
   construct both native EUI64 addresses for general use and modified EUI-64 format interface identifiers for IPv6
   unicast addresses: addresses ([ADDR-ARCH], section 2.5.1) and "native" EUI64
   addresses for future use:

   |0                      2|2      3|3      3|4                      6|
   |0                      3|4      1|2      9|0                      3|
   +------------------------+--------+--------+------------------------+
   |  OUI ("00-00-5E"+u+g)  |  TYPE  |  TSE   |          TSD           |
   +------------------------+--------+--------+------------------------+

   Where the fields are:

      OUI     IANA's OUI: 00-00-5E with 'u' "u" and 'g' "g" bits (3 octets)

      TYPE    Type field; specifies use of (TSE, TSD) (1 octet)

      TSE     Type-Specific Extension (1 octet)

      TSD     Type-Specific Data (3 octets)

   And the following interpretations are specified based on TYPE:

      TYPE         (TSE, TSD) Interpretation
      ----         -------------------------
      0x00-0xFD    RESERVED for future IANA use
      0xFE         (TSE, TSD) together contain an embedded IPv4 address
      0xFF         TSD is interpreted based on TSE as follows:

                   TSE          TSD Interpretation
                   ---          ------------------
                   0x00-0xFD    RESERVED for future IANA use
                   0xFE         TSD contains 24-bit EUI-48 intf id
                   0xFF         RESERVED by IEEE/RAC

   Thus, if TYPE=0xFE, TSE is an extension of TSD. If TYPE=0xFF, TSE is
   an extension of TYPE. Other values for TYPE (thus, other
   interpretations of TSE, TSD) are reserved for future IANA use.

   The above specification is compatible with all aspects of EUI64,
   including support for encapsulating legacy EUI-48 interface
   identifiers (e.g., an IANA EUI-48 format multicast address such as:
   '01-00-5E-01-02-03' is encapsulated as: '01-00-5E-FF-FE-01-02-03').
   But, the specification also provides a special TYPE (0xFE) to
   indicate an IPv4 address is embedded. Thus, when the first four
   octets of an IPv6 interface identifier are: '00-00-5E-FE' (note: the
   'u/l' bit MUST be 0) the interface identifier is said to be in
   "ISATAP format" and the next four octets embed an IPv4 address
   encoded in network byte order.

Appendix C. Deployment Considerations

   Hosts can enable ISATAP, e.g., when native IPv6 service is
   unavailable. When native IPv6 service is acquired, hosts can
   discontinue the ISATAP router solicitation process (Section 6.3.4)
   and/or allow associated state to expire (see: [RFC2461], section 5.3
   and [RFC2462], section 5.5.4). In this case, any associated addresses
   added to the DNS should also be removed.

   Routers can configure both native IPv6 and ISATAP interfaces over the
   same physical link. The prefixes used on each interface will be
   distinct, and normal IPv6 routing between the interfaces can occur.

   Routers can obtain IPv6 prefix delegations from a server via
                   0x00-0xFD    RESERVED for future IANA use
                   0xFE         TSD contains 24-bit EUI-48 intf id
                   0xFF         RESERVED by IEEE/RAC

   Using this example specification, if TYPE=0xFE, then TSE is an
   ISATAP interface
   extension of TSD. If TYPE=0xFF, then TSE is an extension of TYPE.
   (Other values for TYPE, and advertise the delegated prefix(es) on other IPv6
   interface(s).

   Responsible administration can reduce control traffic overhead
   associated with router and prefix discovery.

Appendix D. Other Considerations

   The Potential Router List (PRL) contains interpretations of TSE, TSD are
   reserved for future IANA use.) When TYPE='0xFE' the EUI64 address
   embeds an IPv4 address, encoded in network byte order.

   For Modified EUI64 format interface identifiers in IPv6 unicast
   addresses of
   advertising ISATAP interfaces on site border routers, ([ADDR-ARCH], Appendix A) using IANA's OUI, when TYPE=0xFE
   and the
   specification mandates that nodes only accept Router Advertisement
   (RA) parameters that alter the ISATAP link (e.g., default router
   list, on-link prefix list, LinkMTU, etc.) if they are sent by IPv4 address is a
   member of the PRL. However, the specification allows any node on globally unique (i.e., provider-assigned)
   unicast address, the
   ISATAP link "u" bit is set to send "other" parameters in RAs and also allows any
   node on the ISATAP link 1 to act as a (non-default) IPv6 router, e.g.,
   if indicate universal scope.
   When TYPE=0xFE and the node IPv4 address is configured as from a router for its other IPv6 links.

   These aspects of the specification allow useful functionality,
   including private allocation, the ability for ISATAP nodes other than PRL members
   "u" bit is set to
   serve as routers for "stub" IPv6 networks, the ability for ISATAP
   nodes 0 to send IPv6 packets with non-ISATAP source addresses (e.g.,
   RFC 3401 privacy addresses), etc. But, allowing this functionality
   prevents ISATAP nodes from perform effective ingress filtering for
   IPv6 source addresses in packets they receive. Instead, indicate local scope. Thus, when the nodes
   must trust that: 1) site border routers are performing ingress
   filtering, and 2) malicious nodes are effectively denied access to first
   four octets of the link.

   Additionally, interface identifier in an IPv6 unicast address
   are either: '02-00-5E-FE' or: '00-00-5E-FE', the specification expects that that next four octets
   embed an IPv4 addresses are
   uniquely assigned within address and the ISATAP site. interface identifier is said to be in
   "ISATAP format".

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

   The IETF has been notified of intellectual property rights claimed in
   regard to some or all of the specification contained in this
   document. For more information consult the online list of claimed
   rights.

Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.