| draft-ietf-ngtrans-mech-v2-00.txt | draft-ietf-ngtrans-mech-v2-01.txt | |||
|---|---|---|---|---|
| INTERNET-DRAFT E. Nordmark | INTERNET-DRAFT E. Nordmark | |||
| July 17, 2002 Sun Microsystems, Inc. | November 4, 2002 Sun Microsystems, Inc. | |||
| Obsoletes: 2893 R. E. Gilligan | Obsoletes: 2893 R. E. Gilligan | |||
| Intransa, Inc. | Intransa, Inc. | |||
| Transition Mechanisms for IPv6 Hosts and Routers | Basic Transition Mechanisms for IPv6 Hosts and Routers | |||
| <draft-ietf-ngtrans-mech-v2-00.txt> | <draft-ietf-ngtrans-mech-v2-01.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is subject to all provisions | This document is an Internet-Draft and is subject to all provisions | |||
| of Section 10 of RFC2026. | of Section 10 of RFC2026. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 1, line 32 | skipping to change at page 1, line 32 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This draft expires on January 17, 2003. | This draft expires on May 4, 2003. | |||
| Abstract | Abstract | |||
| This document specifies IPv4 compatibility mechanisms that can be | This document specifies IPv4 compatibility mechanisms that can be | |||
| implemented by IPv6 hosts and routers. These mechanisms include | implemented by IPv6 hosts and routers. These mechanisms include | |||
| providing complete implementations of both versions of the Internet | providing complete implementations of both versions of the Internet | |||
| Protocol (IPv4 and IPv6), and tunneling IPv6 packets over IPv4 | Protocol (IPv4 and IPv6), and tunneling IPv6 packets over IPv4 | |||
| routing infrastructures. They are designed to allow IPv6 nodes to | routing infrastructures. They are designed to allow IPv6 nodes to | |||
| maintain complete compatibility with IPv4, which should greatly | maintain complete compatibility with IPv4, which should greatly | |||
| simplify the deployment of IPv6 in the Internet, and facilitate the | simplify the deployment of IPv6 in the Internet, and facilitate the | |||
| skipping to change at page 2, line 13 | skipping to change at page 2, line 13 | |||
| This document obsoletes RFC 2893. | This document obsoletes RFC 2893. | |||
| Contents | Contents | |||
| Status of this Memo.......................................... 1 | Status of this Memo.......................................... 1 | |||
| 1. Introduction............................................. 3 | 1. Introduction............................................. 3 | |||
| 1.1. Terminology......................................... 3 | 1.1. Terminology......................................... 3 | |||
| 1.2. Structure of this Document.......................... 5 | 1.2. Structure of this Document.......................... 5 | |||
| 2. Dual IP Layer Operation.................................. 6 | 2. Dual IP Layer Operation.................................. 5 | |||
| 2.1. Address Configuration............................... 6 | 2.1. Address Configuration............................... 6 | |||
| 2.2. DNS................................................. 6 | 2.2. DNS................................................. 6 | |||
| 2.3. Advertising Addresses in the DNS.................... 7 | 2.3. Advertising Addresses in the DNS.................... 7 | |||
| 3. Common Tunneling Mechanisms.............................. 9 | 3. Common Tunneling Mechanisms.............................. 9 | |||
| 3.1. Encapsulation....................................... 10 | 3.1. Encapsulation....................................... 10 | |||
| 3.2. Tunnel MTU and Fragmentation........................ 11 | 3.2. Tunnel MTU and Fragmentation........................ 11 | |||
| 3.3. Hop Limit........................................... 13 | 3.3. Hop Limit........................................... 13 | |||
| 3.4. Handling IPv4 ICMP errors........................... 13 | 3.4. Handling IPv4 ICMP errors........................... 14 | |||
| 3.5. IPv4 Header Construction............................ 14 | 3.5. IPv4 Header Construction............................ 15 | |||
| 3.6. Decapsulation....................................... 16 | 3.6. Decapsulation....................................... 17 | |||
| 3.7. Link-Local Addresses................................ 17 | 3.7. Link-Local Addresses................................ 18 | |||
| 3.8. Neighbor Discovery over Tunnels..................... 18 | 3.8. Neighbor Discovery over Tunnels..................... 19 | |||
| 3.9. Ingress Filtering................................... 19 | 3.9. Ingress Filtering................................... 19 | |||
| 4. Configured Tunneling..................................... 19 | 4. Configured Tunneling..................................... 20 | |||
| 4.1. Ingress Filtering................................... 20 | 4.1. Ingress Filtering................................... 20 | |||
| 5. Acknowledgments.......................................... 20 | 5. Acknowledgments.......................................... 21 | |||
| 6. Security Considerations.................................. 20 | 6. Security Considerations.................................. 21 | |||
| 7. Authors' Addresses....................................... 20 | 7. Authors' Addresses....................................... 22 | |||
| 8. References............................................... 21 | 8. References............................................... 22 | |||
| 8.1. Normative References................................ 22 | ||||
| 8.2. Non-normative References............................ 22 | ||||
| 9. Changes from RFC 2893.................................... 22 | 9. Changes from RFC 2893.................................... 23 | |||
| 10. Changes from RFC 2893................................... 23 | 10. Open issues............................................. 25 | |||
| 11. TODO.................................................... 25 | ||||
| 1. Introduction | 1. Introduction | |||
| The key to a successful IPv6 transition is compatibility with the | The key to a successful IPv6 transition is compatibility with the | |||
| large installed base of IPv4 hosts and routers. Maintaining | large installed base of IPv4 hosts and routers. Maintaining | |||
| compatibility with IPv4 while deploying IPv6 will streamline the task | compatibility with IPv4 while deploying IPv6 will streamline the task | |||
| of transitioning the Internet to IPv6. This specification defines a | of transitioning the Internet to IPv6. This specification defines a | |||
| set of mechanisms that IPv6 hosts and routers may implement in order | set of mechanisms that IPv6 hosts and routers may implement in order | |||
| to be compatible with IPv4 hosts and routers. | to be compatible with IPv4 hosts and routers. | |||
| The mechanisms in this document are designed to be employed by IPv6 | The mechanisms in this document are designed to be employed by IPv6 | |||
| hosts and routers that need to interoperate with IPv4 hosts and | hosts and routers that need to interoperate with IPv4 hosts and | |||
| utilize IPv4 routing infrastructures. We expect that most nodes in | utilize IPv4 routing infrastructures. We expect that most nodes in | |||
| the Internet will need such compatibility for a long time to come, | the Internet will need such compatibility for a long time to come, | |||
| and perhaps even indefinitely. | and perhaps even indefinitely. | |||
| However, IPv6 may be used in some environments where interoperability | ||||
| with IPv4 is not required. IPv6 nodes that are designed to be used | ||||
| in such environments need not use or even implement these mechanisms. | ||||
| The mechanisms specified here include: | The mechanisms specified here include: | |||
| - Dual IP layer (also known as Dual Stack): A technique for | - Dual IP layer (also known as Dual Stack): A technique for | |||
| providing complete support for both Internet protocols -- IPv4 | providing complete support for both Internet protocols -- IPv4 | |||
| and IPv6 -- in hosts and routers. | and IPv6 -- in hosts and routers. | |||
| - Configured tunneling of IPv6 over IPv4: Point-to-point tunnels | - Configured tunneling of IPv6 over IPv4: Point-to-point tunnels | |||
| made by encapsulating IPv6 packets within IPv4 headers to carry | made by encapsulating IPv6 packets within IPv4 headers to carry | |||
| them over IPv4 routing infrastructures. | them over IPv4 routing infrastructures. | |||
| The mechanisms defined here are intended to be part of a "transition | The mechanisms defined here are intended to be the core of a | |||
| toolbox" -- a growing collection of techniques which implementations | "transition toolbox" -- a growing collection of techniques which | |||
| and users may employ to ease the transition. The tools may be used | implementations and users may employ to ease the transition. The | |||
| as needed. Implementations and sites decide which techniques are | tools may be used as needed. Implementations and sites decide which | |||
| appropriate to their specific needs. This document defines the | techniques are appropriate to their specific needs. | |||
| initial core set of transition mechanisms, but these are not expected | ||||
| to be the only tools available. Additional transition and | This document defines the basic set of transition mechanisms, but | |||
| compatibility mechanisms are expected to be developed in the future, | these are not the only tools available. Additional transition and | |||
| with new documents being written to specify them. | compatibility mechanisms are specified in other documents. | |||
| 1.1. Terminology | 1.1. Terminology | |||
| The following terms are used in this document: | The following terms are used in this document: | |||
| Types of Nodes | Types of Nodes | |||
| IPv4-only node: | IPv4-only node: | |||
| A host or router that implements only IPv4. An IPv4- | A host or router that implements only IPv4. An IPv4- | |||
| skipping to change at page 5, line 15 | skipping to change at page 5, line 12 | |||
| IPv6-over-IPv4 tunneling where the IPv4 tunnel endpoint | IPv6-over-IPv4 tunneling where the IPv4 tunnel endpoint | |||
| address is determined by configuration information on | address is determined by configuration information on | |||
| the encapsulating node. The tunnels can be either | the encapsulating node. The tunnels can be either | |||
| unidirectional or bidirectional. Bidirectional | unidirectional or bidirectional. Bidirectional | |||
| configured tunnels behave as virtual point-to-point | configured tunnels behave as virtual point-to-point | |||
| links. | links. | |||
| Other transition mechanisms, including other tunneling mechanisms, | Other transition mechanisms, including other tunneling mechanisms, | |||
| are outside the scope of this document. | are outside the scope of this document. | |||
| Modes of operation of IPv6/IPv4 nodes | ||||
| IPv6-only operation: | ||||
| An IPv6/IPv4 node with its IPv6 stack enabled and its | ||||
| IPv4 stack disabled. | ||||
| IPv4-only operation: | ||||
| An IPv6/IPv4 node with its IPv4 stack enabled and its | ||||
| IPv6 stack disabled. | ||||
| IPv6/IPv4 operation: | ||||
| An IPv6/IPv4 node with both stacks enabled. | ||||
| The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, | The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, | |||
| SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this | SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this | |||
| document, are to be interpreted as described in [16]. | document, are to be interpreted as described in [16]. | |||
| 1.2. Structure of this Document | 1.2. Structure of this Document | |||
| The remainder of this document is organized as follows: | The remainder of this document is organized as follows: | |||
| - Section 2 discusses the operation of nodes with a dual IP layer, | - Section 2 discusses the operation of nodes with a dual IP layer, | |||
| IPv6/IPv4 nodes. | IPv6/IPv4 nodes. | |||
| skipping to change at page 6, line 16 | skipping to change at page 5, line 39 | |||
| The most straightforward way for IPv6 nodes to remain compatible with | The most straightforward way for IPv6 nodes to remain compatible with | |||
| IPv4-only nodes is by providing a complete IPv4 implementation. IPv6 | IPv4-only nodes is by providing a complete IPv4 implementation. IPv6 | |||
| nodes that provide a complete IPv4 and IPv6 implementations are | nodes that provide a complete IPv4 and IPv6 implementations are | |||
| called "IPv6/IPv4 nodes." IPv6/IPv4 nodes have the ability to send | called "IPv6/IPv4 nodes." IPv6/IPv4 nodes have the ability to send | |||
| and receive both IPv4 and IPv6 packets. They can directly | and receive both IPv4 and IPv6 packets. They can directly | |||
| interoperate with IPv4 nodes using IPv4 packets, and also directly | interoperate with IPv4 nodes using IPv4 packets, and also directly | |||
| interoperate with IPv6 nodes using IPv6 packets. | interoperate with IPv6 nodes using IPv6 packets. | |||
| Even though a node may be equipped to support both protocols, one or | Even though a node may be equipped to support both protocols, one or | |||
| the other stack may be disabled for operational reasons. Thus | the other stack may be disabled for operational reasons. Here we use | |||
| IPv6/IPv4 nodes may be operated in one of three modes: | a rather loose notion of "stack". A stack being enabled has IP | |||
| addresses assigned etc, but whether or not any particular application | ||||
| is available on the stacks is explicitly not defined. Thus IPv6/IPv4 | ||||
| nodes may be operated in one of three modes: | ||||
| - With their IPv4 stack enabled and their IPv6 stack disabled. | - With their IPv4 stack enabled and their IPv6 stack disabled. | |||
| - With their IPv6 stack enabled and their IPv4 stack disabled. | - With their IPv6 stack enabled and their IPv4 stack disabled. | |||
| - With both stacks enabled. | - With both stacks enabled. | |||
| IPv6/IPv4 nodes with their IPv6 stack disabled will operate like | IPv6/IPv4 nodes with their IPv6 stack disabled will operate like | |||
| IPv4-only nodes. Similarly, IPv6/IPv4 nodes with their IPv4 stacks | IPv4-only nodes. Similarly, IPv6/IPv4 nodes with their IPv4 stacks | |||
| disabled will operate like IPv6-only nodes. IPv6/IPv4 nodes MAY | disabled will operate like IPv6-only nodes. IPv6/IPv4 nodes MAY | |||
| provide a configuration switch to disable either their IPv4 or IPv6 | provide a configuration switch to disable either their IPv4 or IPv6 | |||
| stack. | stack. | |||
| The dual IP layer technique may or may not be used in conjunction | The IPv6-over-IPv4 tunneling techniques, which are described in | |||
| with the IPv6-over-IPv4 tunneling technique, which are described in | sections 3 and 4, may or may not be used in addition to the dual IP | |||
| sections 3 and 4. An IPv6/IPv4 node MAY support configured | layer operation. An IPv6/IPv4 node MAY support configured tunneling. | |||
| tunneling. | ||||
| 2.1. Address Configuration | 2.1. Address Configuration | |||
| Because they support both protocols, IPv6/IPv4 nodes may be | Because they support both protocols, IPv6/IPv4 nodes may be | |||
| configured with both IPv4 and IPv6 addresses. IPv6/IPv4 nodes use | configured with both IPv4 and IPv6 addresses. IPv6/IPv4 nodes use | |||
| IPv4 mechanisms (e.g., DHCP) to acquire their IPv4 addresses, and | IPv4 mechanisms (e.g., DHCP) to acquire their IPv4 addresses, and | |||
| IPv6 protocol mechanisms (e.g., stateless address autoconfiguration | IPv6 protocol mechanisms (e.g., stateless address autoconfiguration | |||
| and/or DHCPv6) to acquire their IPv6-native addresses. | and/or DHCPv6) to acquire their IPv6-native addresses. | |||
| 2.2. DNS | 2.2. DNS | |||
| The Domain Naming System (DNS) is used in both IPv4 and IPv6 to map | The Domain Naming System (DNS) is used in both IPv4 and IPv6 to map | |||
| between hostnames and IP addresses. A new resource record type named | between hostnames and IP addresses. A new resource record type named | |||
| "AAAA" has been defined for IPv6 addresses [6]. Since IPv6/IPv4 | "AAAA" has been defined for IPv6 addresses [6]. Since IPv6/IPv4 | |||
| nodes must be able to interoperate directly with both IPv4 and IPv6 | nodes must be able to interoperate directly with both IPv4 and IPv6 | |||
| nodes, they must provide resolver libraries capable of dealing with | nodes, they must provide resolver libraries capable of dealing with | |||
| IPv4 "A" records as well as IPv6 "AAAA" records. | IPv4 "A" records as well as IPv6 "AAAA" records. Note that the | |||
| lookup of A versus AAAA records is independent of whether the DNS | ||||
| packets are carried in IPv4 or IPv6 packets. | ||||
| DNS resolver libraries on IPv6/IPv4 nodes MUST be capable of handling | DNS resolver libraries on IPv6/IPv4 nodes MUST be capable of handling | |||
| both AAAA and A records. However, when a query locates an AAAA | both AAAA and A records. However, when a query locates an AAAA | |||
| record holding an IPv6 address, and an A record holding an IPv4 | record holding an IPv6 address, and an A record holding an IPv4 | |||
| address, the resolver library MAY filter or order the results | address, the resolver library MAY filter or order the results | |||
| returned to the application in order to influence the version of IP | returned to the application in order to influence the version of IP | |||
| packets used to communicate with that node. In terms of filtering, | packets used to communicate with that node. In terms of filtering, | |||
| the resolver library has three alternatives: | the resolver library has three alternatives: | |||
| - Return only the IPv6 address(es) to the application. | - Return only the IPv6 address(es) to the application. | |||
| skipping to change at page 7, line 47 | skipping to change at page 7, line 32 | |||
| or leave the decision entirely up to the application. | or leave the decision entirely up to the application. | |||
| An implementation MUST allow the application to control whether or | An implementation MUST allow the application to control whether or | |||
| not such filtering takes place. | not such filtering takes place. | |||
| More details on this subject are specified in [19]. | More details on this subject are specified in [19]. | |||
| 2.3. Advertising Addresses in the DNS | 2.3. Advertising Addresses in the DNS | |||
| There are some constraint placed on the use of the DNS during | There are some constraint placed on the use of the DNS during | |||
| transition. Most of these are obvious but are stated here for | transition. The constraints allow nodes to prefer either IPv6 or | |||
| completeness. | IPv4 addresses when both types of addresses are returned by the DNS. | |||
| Most of these are obvious but are stated here for completeness. | ||||
| The recommendation is that AAAA records for a node should not be | The recommendation is that AAAA records for a node should not be | |||
| added to the DNS until all of these are true: | added to the DNS until all of these are true: | |||
| 1) The address is assigned to the interface on the node. | 1) The address is assigned to the interface on the node. | |||
| 2) The address is configured on the interface. | 2) The address is configured on the interface. | |||
| 3) The interface is on a link which is connected to the IPv6 | 3) The interface is on a link which is connected to the IPv6 | |||
| infrastructure. | infrastructure. | |||
| If an IPv6 node is isolated from an IPv6 perspective (e.g., it is not | If an IPv6 node is isolated from an IPv6 perspective (e.g., it is not | |||
| connected to the 6bone to take a concrete example) constraint #3 | connected to the 6bone to take a concrete example) constraint #3 | |||
| would mean that it should not have an address in the DNS. | would mean that it should not have an address in the DNS. | |||
| This works great when other dual stack nodes tries to contact the | This works great when other dual stack nodes try to contact the | |||
| isolated dual stack node. There is no IPv6 address in the DNS thus | isolated dual stack node. There is no IPv6 address in the DNS thus | |||
| the peer doesn't even try communicating using IPv6 but goes directly | the peer doesn't even try communicating using IPv6 but goes directly | |||
| to IPv4 (we are assuming both nodes have A records in the DNS.) | to IPv4 (we are assuming both nodes have A records in the DNS.) | |||
| However, this does not work well when the isolated node is trying to | However, this does not work well when the isolated node is trying to | |||
| establish communication. Even though it does not have an IPv6 | establish communication. Even though it does not have an IPv6 | |||
| address in the DNS it will find AAAA records in the DNS for the peer. | address in the DNS it will find AAAA records in the DNS for the peer. | |||
| Since the isolated node has IPv6 addresses assigned to at least one | Since the isolated node has IPv6 addresses assigned to at least one | |||
| interface it will try to communicate using IPv6. If it has no IPv6 | interface it will try to communicate using IPv6. If it has no IPv6 | |||
| route to the 6bone (e.g., because the local router was upgraded to | route to the 6bone (e.g., because the local router was upgraded to | |||
| advertise IPv6 addresses using Neighbor Discovery but that router | advertise IPv6 addresses using Neighbor Discovery but that router | |||
| doesn't have any IPv6 routes) this communication will fail. | doesn't have any IPv6 routes) this communication will fail. | |||
| Typically this means a few minutes of delay as TCP times out. The | Typically this means a few minutes of delay as TCP times out. The | |||
| TCP specification says that ICMP unreachable messages could be due to | TCP specification [10] says that ICMP unreachable messages could be | |||
| routing transients thus they should not immediately terminate the TCP | due to routing transients thus they should not immediately terminate | |||
| connection. This means that the normal TCP timeout of a few minutes | the TCP connection. This means that the normal TCP timeout of a few | |||
| apply. Once TCP times out the application will hopefully try the | minutes apply. Once TCP times out the application will hopefully try | |||
| IPv4 addresses based on the A records in the DNS, but this will be | the IPv4 addresses based on the A records in the DNS, but this will | |||
| painfully slow. | be painfully slow. | |||
| A possible implication of the recommendations above is that, if one | A possible implication of the recommendations above is that, if one | |||
| enables IPv6 on a node on a link without IPv6 infrastructure, and | enables IPv6 on a node on a link without IPv6 infrastructure, and | |||
| choose to add AAAA records to the DNS for that node, then external | choose to add AAAA records to the DNS for that node, then external | |||
| IPv6 nodes that might see these AAAA records will possibly try to | IPv6 nodes that might see these AAAA records will possibly try to | |||
| reach that node using IPv6 and suffer delays or communication failure | reach that node using IPv6 and suffer delays or communication failure | |||
| due to unreachability. (A delay is incurred if the application | due to unreachability. (A delay is incurred if the application | |||
| correctly falls back to using IPv4 if it can not establish | correctly falls back to using IPv4 if it can not establish | |||
| communication using IPv6 addresses. If this fallback is not done the | communication using IPv6 addresses. If this fallback is not done the | |||
| application would fail to communicate in this case.) Thus it is | application would fail to communicate in this case.) Thus it is | |||
| suggested that either the recommendations be followed, or care be | suggested that either the recommendations be followed, or care be | |||
| taken to only do so with nodes that will not be impacted by external | taken to only do so with nodes that will not be impacted by external | |||
| accessing delays and/or communication failure. | accessing delays and/or communication failure. | |||
| In the future when a site or node removes the support for IPv4 the | In the future, when a node discontinues its use of IPv4, analogous | |||
| above recommendations apply to when the A records for the node(s) | constraints apply with respect to the node's A records in the DNS; | |||
| should be removed from the DNS. | the removal of the A records should be tied to when the node can no | |||
| longer be reached using IPv4. | ||||
| 3. Common Tunneling Mechanisms | 3. Common Tunneling Mechanisms | |||
| In most deployment scenarios, the IPv6 routing infrastructure will be | In most deployment scenarios, the IPv6 routing infrastructure will be | |||
| built up over time. While the IPv6 infrastructure is being deployed, | built up over time. While the IPv6 infrastructure is being deployed, | |||
| the existing IPv4 routing infrastructure can remain functional, and | the existing IPv4 routing infrastructure can remain functional, and | |||
| can be used to carry IPv6 traffic. Tunneling provides a way to | can be used to carry IPv6 traffic. Tunneling provides a way to | |||
| utilize an existing IPv4 routing infrastructure to carry IPv6 | utilize an existing IPv4 routing infrastructure to carry IPv6 | |||
| traffic. | traffic. | |||
| skipping to change at page 9, line 49 | skipping to change at page 9, line 45 | |||
| the last segment of the end-to-end path. | the last segment of the end-to-end path. | |||
| Tunneling techniques are usually classified according to the | Tunneling techniques are usually classified according to the | |||
| mechanism by which the encapsulating node determines the address of | mechanism by which the encapsulating node determines the address of | |||
| the node at the end of the tunnel. In the first two tunneling | the node at the end of the tunnel. In the first two tunneling | |||
| methods listed above -- router-to-router and host-to-router -- the | methods listed above -- router-to-router and host-to-router -- the | |||
| IPv6 packet is being tunneled to a router. The endpoint of this type | IPv6 packet is being tunneled to a router. The endpoint of this type | |||
| of tunnel is an intermediary router which must decapsulate the IPv6 | of tunnel is an intermediary router which must decapsulate the IPv6 | |||
| packet and forward it on to its final destination. When tunneling to | packet and forward it on to its final destination. When tunneling to | |||
| a router, the endpoint of the tunnel is different from the | a router, the endpoint of the tunnel is different from the | |||
| destination of the packet being tunneled. So the addresses in the | destination of the packet being tunneled. In some cases, the | |||
| IPv6 packet being tunneled can not provide the IPv4 address of the | addresses in the IPv6 packet being tunneled can not provide the IPv4 | |||
| tunnel endpoint. Instead, the tunnel endpoint address must be | address of the tunnel endpoint. In those cases, the tunnel endpoint | |||
| determined from configuration information on the node performing the | address must be determined from configuration information on the node | |||
| tunneling. We use the term "configured tunneling" to describe the | performing the encapsulation. We use the term "configured tunneling" | |||
| type of tunneling where the endpoint is explicitly configured. | to describe the type of tunneling where the endpoint is explicitly | |||
| configured. | ||||
| In the last two tunneling methods -- host-to-host and router-to-host | In the last two tunneling methods -- host-to-host and router-to-host | |||
| -- the IPv6 packet is tunneled all the way to its final destination. | -- the IPv6 packet is tunneled all the way to its final destination. | |||
| In this case, the destination address of both the IPv6 packet and the | In this case, the destination address of both the IPv6 packet and the | |||
| encapsulating IPv4 header identify the same node. However, the | encapsulating IPv4 header identify the same node. However, the | |||
| tunneling mechanism specified in this document does not handle these | tunneling mechanism specified in this document does not handle these | |||
| cases any differently; the IPv4 addresses is still determined using | cases any differently; the IPv4 addresses is still determined using | |||
| configuration information using configured tunneling. | configuration information using configured tunneling. | |||
| The underlying mechanisms for tunneling are: | The underlying mechanisms for tunneling are: | |||
| skipping to change at page 10, line 31 | skipping to change at page 10, line 26 | |||
| encapsulating IPv4 header and transmits the encapsulated packet. | encapsulating IPv4 header and transmits the encapsulated packet. | |||
| - The exit node of the tunnel (the decapsulating node) receives | - The exit node of the tunnel (the decapsulating node) receives | |||
| the encapsulated packet, reassembles the packet if needed, | the encapsulated packet, reassembles the packet if needed, | |||
| removes the IPv4 header, updates the IPv6 header, and processes | removes the IPv4 header, updates the IPv6 header, and processes | |||
| the received IPv6 packet. | the received IPv6 packet. | |||
| - The encapsulating node MAY need to maintain soft state | - The encapsulating node MAY need to maintain soft state | |||
| information for each tunnel recording such parameters as the MTU | information for each tunnel recording such parameters as the MTU | |||
| of the tunnel in order to process IPv6 packets forwarded into | of the tunnel in order to process IPv6 packets forwarded into | |||
| the tunnel. Since the number of tunnels that any one host or | the tunnel. In cases where the number of tunnels that any one | |||
| router may be using may grow to be quite large, this state | host or router is using is large, it is helpful to observe that | |||
| information can be cached and discarded when not in use. | this state information can be cached and discarded when not in | |||
| use. | ||||
| The remainder of this section discusses the common mechanisms. A | The remainder of this section discusses the common mechanisms. A | |||
| subsequent section discusses how the tunnel endpoint address is | subsequent section discusses how the tunnel endpoint address is | |||
| determined for configured tunneling. | determined for configured tunneling. | |||
| 3.1. Encapsulation | 3.1. Encapsulation | |||
| The encapsulation of an IPv6 datagram in IPv4 is shown below: | The encapsulation of an IPv6 datagram in IPv4 is shown below: | |||
| +-------------+ | +-------------+ | |||
| skipping to change at page 12, line 5 | skipping to change at page 12, line 5 | |||
| bytes "extra" are needed for the encapsulating IPv4 header). The | bytes "extra" are needed for the encapsulating IPv4 header). The | |||
| encapsulating node would need only to report IPv6 ICMP "packet too | encapsulating node would need only to report IPv6 ICMP "packet too | |||
| big" errors back to the source for packets that exceed this MTU. | big" errors back to the source for packets that exceed this MTU. | |||
| However, such a scheme would be inefficient for two reasons: | However, such a scheme would be inefficient for two reasons: | |||
| 1) It would result in more fragmentation than needed. IPv4 layer | 1) It would result in more fragmentation than needed. IPv4 layer | |||
| fragmentation SHOULD be avoided due to the performance problems | fragmentation SHOULD be avoided due to the performance problems | |||
| caused by the loss unit being smaller than the retransmission | caused by the loss unit being smaller than the retransmission | |||
| unit [11]. | unit [11]. | |||
| 2) Any IPv4 fragmentation occurring inside the tunnel would have to | 2) Any IPv4 fragmentation occurring inside the tunnel, i.e. between | |||
| the encapsulating node and the decapsulating node, would have to | ||||
| be reassembled at the tunnel endpoint. For tunnels that | be reassembled at the tunnel endpoint. For tunnels that | |||
| terminate at a router, this would require additional memory to | terminate at a router, this would require additional memory to | |||
| reassemble the IPv4 fragments into a complete IPv6 packet before | reassemble the IPv4 fragments into a complete IPv6 packet before | |||
| that packet could be forwarded onward. | that packet could be forwarded onward. | |||
| Hence, the encapsulating node MUST NOT treat the tunnel as an | ||||
| interface with an MTU of 64 kilobytes, but use the smaller MTU | ||||
| specified below. | ||||
| The fragmentation inside the tunnel can be reduced to a minimum by | The fragmentation inside the tunnel can be reduced to a minimum by | |||
| having the encapsulating node track the IPv4 Path MTU across the | having the encapsulating node track the IPv4 Path MTU across the | |||
| tunnel, using the IPv4 Path MTU Discovery Protocol [8] and recording | tunnel, using the IPv4 Path MTU Discovery Protocol [8] and recording | |||
| the resulting path MTU. The IPv6 layer in the encapsulating node can | the resulting path MTU. The IPv6 layer in the encapsulating node can | |||
| then view a tunnel as a link layer with an MTU equal to the IPv4 path | then view a tunnel as a link layer with an MTU equal to the IPv4 path | |||
| MTU, minus the size of the encapsulating IPv4 header. | MTU, minus the size of the encapsulating IPv4 header. | |||
| Note that this does not completely eliminate IPv4 fragmentation in | Note that this does not completely eliminate IPv4 fragmentation in | |||
| the case when the IPv4 path MTU would result in an IPv6 MTU less than | the case when the IPv4 path MTU would result in an IPv6 MTU less than | |||
| 1280 bytes. (Any link layer used by IPv6 has to have an MTU of at | 1280 bytes. (Any link layer used by IPv6 has to have an MTU of at | |||
| least 1280 bytes [4].) In this case the IPv6 layer has to "see" a | least 1280 bytes [4].) In this case the IPv6 layer has to "see" a | |||
| link layer with an MTU of 1280 bytes and the encapsulating node has | link layer with an MTU of 1280 bytes and the encapsulating node has | |||
| to use IPv4 fragmentation in order to forward the 1280 byte IPv6 | to use IPv4 fragmentation in order to forward the 1280 byte IPv6 | |||
| packets. | packets. | |||
| This dynamic MTU determination is OPTIONAL. However, if it is | ||||
| implemented it SHOULD have the behavior described in this document | ||||
| and the tunnel MTU MUST be not exceed 4400 bytes. If it is not | ||||
| implemented instead the node MUST instead limit the size of the IPv6 | ||||
| packets it tunnels to 1280 bytes i.e., treat the tunnel interface as | ||||
| having a fixed interface MTU of 1280 bytes. An implementation MAY | ||||
| have a configuration knob which can be used to set a larger value of | ||||
| the tunnel MTU than 1280 bytes, but if so the default MUST be 1280 | ||||
| bytes. | ||||
| The encapsulating node can employ the following algorithm to | The encapsulating node can employ the following algorithm to | |||
| determine when to forward an IPv6 packet that is larger than the | determine when to forward an IPv6 packet that is larger than the | |||
| tunnel's path MTU using IPv4 fragmentation, and when to return an | tunnel's path MTU using IPv4 fragmentation, and when to return an | |||
| IPv6 ICMP "packet too big" message: | IPv6 ICMP "packet too big" message: | |||
| if (IPv4 path MTU - 20) is less than or equal to 1280 | if (IPv4 path MTU - 20) is less than or equal to 1280 | |||
| if packet is larger than 1280 bytes | if packet is larger than 1280 bytes | |||
| Send IPv6 ICMP "packet too big" with MTU = 1280. | Send IPv6 ICMP "packet too big" with MTU = 1280. | |||
| Drop packet. | Drop packet. | |||
| else | else | |||
| Encapsulate but do not set the Don't Fragment | Encapsulate but do not set the Don't Fragment | |||
| flag in the IPv4 header. The resulting IPv4 | flag in the IPv4 header. The resulting IPv4 | |||
| packet might be fragmented by the IPv4 layer on | packet might be fragmented by the IPv4 layer on | |||
| the encapsulating node or by some router along | the encapsulating node or by some router along | |||
| the IPv4 path. | the IPv4 path. | |||
| endif | endif | |||
| else | else | |||
| if packet is larger than (IPv4 path MTU - 20) | if packet is larger than (IPv4 path MTU - 20) or packet | |||
| is larger than 4400 | ||||
| Send IPv6 ICMP "packet too big" with | Send IPv6 ICMP "packet too big" with | |||
| MTU = (IPv4 path MTU - 20). | MTU = MIN(IPv4 path MTU - 20, 4400). | |||
| Drop packet. | Drop packet. | |||
| else | else | |||
| Encapsulate and set the Don't Fragment flag | Encapsulate and set the Don't Fragment flag | |||
| in the IPv4 header. | in the IPv4 header. | |||
| endif | endif | |||
| endif | endif | |||
| Encapsulating nodes that have a large number of tunnels might not be | Encapsulating nodes that have a large number of tunnels might not be | |||
| able to store the IPv4 Path MTU for all tunnels. Such nodes can, at | able to store the IPv4 Path MTU for all tunnels. Such nodes can, at | |||
| the expense of additional fragmentation in the network, avoid using | the expense of additional fragmentation in the network, avoid using | |||
| the IPv4 Path MTU algorithm across the tunnel and instead use the MTU | the IPv4 Path MTU algorithm across the tunnel and instead use the MTU | |||
| of the link layer (under IPv4) in the above algorithm instead of the | of the link layer (under IPv4) in the above algorithm instead of the | |||
| IPv4 path MTU. | IPv4 path MTU. | |||
| In this case the Don't Fragment bit MUST NOT be set in the | In this case the Don't Fragment bit MUST NOT be set in the | |||
| encapsulating IPv4 header. | encapsulating IPv4 header. | |||
| skipping to change at page 13, line 31 | skipping to change at page 14, line 10 | |||
| The single-hop model is implemented by having the encapsulating and | The single-hop model is implemented by having the encapsulating and | |||
| decapsulating nodes process the IPv6 hop limit field as they would if | decapsulating nodes process the IPv6 hop limit field as they would if | |||
| they were forwarding a packet on to any other datalink. That is, | they were forwarding a packet on to any other datalink. That is, | |||
| they decrement the hop limit by 1 when forwarding an IPv6 packet. | they decrement the hop limit by 1 when forwarding an IPv6 packet. | |||
| (The originating node and final destination do not decrement the hop | (The originating node and final destination do not decrement the hop | |||
| limit.) | limit.) | |||
| The TTL of the encapsulating IPv4 header is selected in an | The TTL of the encapsulating IPv4 header is selected in an | |||
| implementation dependent manner. The current suggested value is | implementation dependent manner. The current suggested value is | |||
| published in the "Assigned Numbers RFC. Implementations MAY provide | published in the "Assigned Numbers" RFC. Implementations MAY provide | |||
| a mechanism to allow the administrator to configure the IPv4 TTL such | a mechanism to allow the administrator to configure the IPv4 TTL such | |||
| as the one specified in the IP Tunnel MIB [17]. | as the one specified in the IP Tunnel MIB [17]. | |||
| 3.4. Handling IPv4 ICMP errors | 3.4. Handling IPv4 ICMP errors | |||
| In response to encapsulated packets it has sent into the tunnel, the | In response to encapsulated packets it has sent into the tunnel, the | |||
| encapsulating node might receive IPv4 ICMP error messages from IPv4 | encapsulating node might receive IPv4 ICMP error messages from IPv4 | |||
| routers inside the tunnel. These packets are addressed to the | routers inside the tunnel. These packets are addressed to the | |||
| encapsulating node because it is the IPv4 source of the encapsulated | encapsulating node because it is the IPv4 source of the encapsulated | |||
| packet. | packet. | |||
| skipping to change at page 15, line 16 | skipping to change at page 15, line 46 | |||
| 4 | 4 | |||
| IP Header Length in 32-bit words: | IP Header Length in 32-bit words: | |||
| 5 (There are no IPv4 options in the encapsulating | 5 (There are no IPv4 options in the encapsulating | |||
| header.) | header.) | |||
| Type of Service: | Type of Service: | |||
| 0. [Note that work underway in the IETF is redefining | 0 unless otherwise specified. (See [20] and [21] for | |||
| the Type of Service byte and as a result future RFCs | issues relating to the ToS byte and tunneling.) | |||
| might define a different behavior for the ToS byte when | ||||
| tunneling.] | ||||
| Total Length: | Total Length: | |||
| Payload length from IPv6 header plus length of IPv6 and | Payload length from IPv6 header plus length of IPv6 and | |||
| IPv4 headers (i.e. a constant 60 bytes). | IPv4 headers (i.e., IPv6 payload length plus a constant | |||
| 60 bytes). | ||||
| Identification: | Identification: | |||
| Generated uniquely as for any IPv4 packet transmitted by | Generated uniquely as for any IPv4 packet transmitted by | |||
| the system. | the system. | |||
| Flags: | Flags: | |||
| Set the Don't Fragment (DF) flag as specified in section | Set the Don't Fragment (DF) flag as specified in section | |||
| 3.2. Set the More Fragments (MF) bit as necessary if | 3.2. Set the More Fragments (MF) bit as necessary if | |||
| skipping to change at page 16, line 8 | skipping to change at page 16, line 40 | |||
| 41 (Assigned payload type number for IPv6) | 41 (Assigned payload type number for IPv6) | |||
| Header Checksum: | Header Checksum: | |||
| Calculate the checksum of the IPv4 header. | Calculate the checksum of the IPv4 header. | |||
| Source Address: | Source Address: | |||
| IPv4 address of outgoing interface of the encapsulating | IPv4 address of outgoing interface of the encapsulating | |||
| node. | node. The source address MAY alternatively be | |||
| administratively specified to be a specific IPv4 address | ||||
| assigned to the encapsulating node. | ||||
| Destination Address: | Destination Address: | |||
| IPv4 address of tunnel endpoint. | IPv4 address of tunnel endpoint. | |||
| Any IPv6 options are preserved in the packet (after the IPv6 header). | Any IPv6 options are preserved in the packet (after the IPv6 header). | |||
| 3.6. Decapsulation | 3.6. Decapsulation | |||
| When an IPv6/IPv4 host or a router receives an IPv4 datagram that is | When an IPv6/IPv4 host or a router receives an IPv4 datagram that is | |||
| addressed to one of its own IPv4 address, and the value of the | addressed to one of its own IPv4 address, and the value of the | |||
| protocol field is 41, it reassembles if the packet if it is | protocol field is 41, it reassembles if the packet if it is | |||
| fragmented at the IPv4 level, then it removes the IPv4 header and | fragmented at the IPv4 level, then it removes the IPv4 header and | |||
| submits the IPv6 datagram to its IPv6 layer code. | submits the IPv6 datagram to its IPv6 layer code. | |||
| The decapsulating node MUST be capable of reassembling an IPv4 packet | The decapsulating node MUST be capable of reassembling an IPv4 packet | |||
| that is 1300 bytes (1280 bytes plus IPv4 header). | that is 4420 bytes (4400 bytes plus IPv4 header). This limit allows | |||
| dynamic tunnel MTU determination by the encapsulator to take | ||||
| advantage of larger IPv4 path MTUs. An implementation MAY have a | ||||
| configuration knob which can be used to set a larger value of the | ||||
| tunnel MRU than 4420 bytes, but the value MUST not be set below 4420. | ||||
| The decapsulation is shown below: | The decapsulation is shown below: | |||
| +-------------+ | +-------------+ | |||
| | IPv4 | | | IPv4 | | |||
| | Header | | | Header | | |||
| +-------------+ +-------------+ | +-------------+ +-------------+ | |||
| | IPv6 | | IPv6 | | | IPv6 | | IPv6 | | |||
| | Header | | Header | | | Header | | Header | | |||
| +-------------+ +-------------+ | +-------------+ +-------------+ | |||
| skipping to change at page 16, line 47 | skipping to change at page 17, line 40 | |||
| | Layer | ===> | Layer | | | Layer | ===> | Layer | | |||
| | Header | | Header | | | Header | | Header | | |||
| +-------------+ +-------------+ | +-------------+ +-------------+ | |||
| | | | | | | | | | | |||
| ~ Data ~ ~ Data ~ | ~ Data ~ ~ Data ~ | |||
| | | | | | | | | | | |||
| +-------------+ +-------------+ | +-------------+ +-------------+ | |||
| Decapsulating IPv6 from IPv4 | Decapsulating IPv6 from IPv4 | |||
| When decapsulating the packet, the IPv6 header is not modified. | When decapsulating the packet, the IPv6 header is not modified. (See | |||
| [Note that work underway in the IETF is redefining the Type of | [20] and [21] for issues relating to the Type of Service byte and | |||
| Service byte and as a result future RFCs might define a different | tunneling.) If the packet is subsequently forwarded, its hop limit | |||
| behavior for the ToS byte when decapsulating a tunneled packet.] If | is decremented by one. | |||
| the packet is subsequently forwarded, its hop limit is decremented by | ||||
| one. | ||||
| As part of the decapsulation the node SHOULD silently discard a | As part of the decapsulation the node SHOULD silently discard a | |||
| packet with an invalid IPv4 source address such as a multicast | packet with an invalid IPv4 source address such as a multicast | |||
| address, a broadcast address, 0.0.0.0, and 127.0.0.1. In general it | address, a broadcast address, 0.0.0.0, and 127.0.0.1. In general it | |||
| SHOULD apply the rules for martian filtering in [18] and ingress | SHOULD apply the rules for martian filtering in [18] and ingress | |||
| filtering [13] on the IPv4 source address. | filtering [13] on the IPv4 source address. | |||
| The decapsulating node performs IPv4 reassembly before decapsulating | ||||
| the IPv6 packet. All IPv6 options are preserved even if the | ||||
| encapsulating IPv4 packet is fragmented. | ||||
| The encapsulating IPv4 header is discarded. | The encapsulating IPv4 header is discarded. | |||
| After the decapsulation the node SHOULD silently discard a packet | After the decapsulation the node SHOULD silently discard a packet | |||
| with an invalid IPv6 source address. This includes IPv6 multicast | with an invalid IPv6 source address. This includes IPv6 multicast | |||
| addresses, the unspecified address, and the loopback address but also | addresses, the unspecified address, and the loopback address but also | |||
| IPv4-compatible IPv6 source addresses where the IPv4 part of the | IPv4-compatible IPv6 source addresses where the IPv4 part of the | |||
| address is an (IPv4) multicast address, broadcast address, 0.0.0.0, | address is an (IPv4) multicast address, broadcast address, 0.0.0.0, | |||
| or 127.0.0.1. In general it SHOULD apply the rules for martian | or 127.0.0.1. In general it SHOULD apply the rules for martian | |||
| filtering in [18] and ingress filtering [13] on the IPv4-compatible | filtering in [18] and ingress filtering [13] on the IPv4-compatible | |||
| source address. | source address. | |||
| The decapsulating node performs IPv4 reassembly before decapsulating | ||||
| the IPv6 packet. All IPv6 options are preserved even if the | ||||
| encapsulating IPv4 packet is fragmented. | ||||
| After the IPv6 packet is decapsulated, it is processed almost the | After the IPv6 packet is decapsulated, it is processed almost the | |||
| same as any received IPv6 packet. The only difference being that a | same as any received IPv6 packet. The only difference being that a | |||
| decapsulated packet MUST NOT be forwarded unless the node has been | decapsulated packet MUST NOT be forwarded unless the node has been | |||
| explicitly configured to forward such packets for the given IPv4 | explicitly configured to forward such packets for the given IPv4 | |||
| source address. This configuration can be implicit in e.g., having a | source address. This configuration can be implicit in e.g., having a | |||
| configured tunnel which matches the IPv4 source address. This | configured tunnel which matches the IPv4 source address. This | |||
| restriction is needed to prevent tunneling to be used as a tool to | restriction is needed to prevent tunneling to be used as a tool to | |||
| circumvent ingress filtering [13]. | circumvent ingress filtering [13]. | |||
| 3.7. Link-Local Addresses | 3.7. Link-Local Addresses | |||
| skipping to change at page 18, line 19 | skipping to change at page 19, line 13 | |||
| the prefix FE80::/64. | the prefix FE80::/64. | |||
| +-------+-------+-------+-------+-------+-------+------+------+ | +-------+-------+-------+-------+-------+-------+------+------+ | |||
| | FE 80 00 00 00 00 00 00 | | | FE 80 00 00 00 00 00 00 | | |||
| +-------+-------+-------+-------+-------+-------+------+------+ | +-------+-------+-------+-------+-------+-------+------+------+ | |||
| | 00 00 | 00 | 00 | IPv4 Address | | | 00 00 | 00 | 00 | IPv4 Address | | |||
| +-------+-------+-------+-------+-------+-------+------+------+ | +-------+-------+-------+-------+-------+-------+------+------+ | |||
| 3.8. Neighbor Discovery over Tunnels | 3.8. Neighbor Discovery over Tunnels | |||
| Unidirectional configured tunnels are considered to be | For unidirectional configured tunnels most of Neighbor Discovery [17] | |||
| unidirectional! Thus the only aspects of Neighbor Discovery [7] and | and Stateless Address Autoconfiguration [5] does not apply; only the | |||
| Stateless Address Autoconfiguration [5] that apply to these tunnels | formation of the link-local address applies. | |||
| is the formation of the link-local address. | ||||
| If an implementation provides bidirectional configured tunnels it | If an implementation provides bidirectional configured tunnels it | |||
| MUST at least accept and respond to the probe packets used by | MUST at least accept and respond to the probe packets used by | |||
| Neighbor Unreachability Detection [7]. Such implementations SHOULD | Neighbor Unreachability Detection [7]. Such implementations SHOULD | |||
| also send NUD probe packets to detect when the configured tunnel | also send NUD probe packets to detect when the configured tunnel | |||
| fails at which point the implementation can use an alternate path to | fails at which point the implementation can use an alternate path to | |||
| reach the destination. Note that Neighbor Discovery allows that the | reach the destination. Note that Neighbor Discovery allows that the | |||
| sending of NUD probes be omitted for router to router links if the | sending of NUD probes be omitted for router to router links if the | |||
| routing protocol tracks bidirectional reachability. | routing protocol tracks bidirectional reachability. | |||
| For the purposes of Neighbor Discovery the configured tunnels | For the purposes of Neighbor Discovery the configured tunnels | |||
| specified in this document as assumed to NOT have a link-layer | specified in this document are assumed to NOT have a link-layer | |||
| address, even though the link-layer (IPv4) does have address. This | address, even though the link-layer (IPv4) does have address. This | |||
| means that a sender of Neighbor Discovery packets | means that a sender of Neighbor Discovery packets | |||
| - SHOULD NOT include Source Link Layer Address options or Target | - SHOULD NOT include Source Link Layer Address options or Target | |||
| Link Layer Address options on the tunnel link. | Link Layer Address options on the tunnel link. | |||
| - MUST silently ignore any received SLLA or TLLA options on the | - MUST silently ignore any received SLLA or TLLA options on the | |||
| tunnel link. | tunnel link. | |||
| Not using alink layer address options is consistent with how neighbor | ||||
| discovery is used on other point-to-point links. | ||||
| 3.9. Ingress Filtering | 3.9. Ingress Filtering | |||
| The specification above contains rules that apply ingress filtering | The specification above contains rules that apply ingress filtering | |||
| to packets before they are decapsulated. The purpose of ingress | to packets before they are decapsulated. The purpose of ingress | |||
| filtering in general is specified in [13]. When IP-in-IP tunneling | filtering in general is specified in [13]. When IP-in-IP tunneling | |||
| (independent of IP versions) is used it is important that this not be | (independent of IP versions) is used it is important that this not be | |||
| a tool to bypass ingress filtering for non-tunneled packets. For | a tool to bypass ingress filtering for non-tunneled packets. For | |||
| instance, without specific ingress filtering checks in the | instance, without specific ingress filtering checks in the | |||
| decapsulating node, it would be possible for an attacker to inject a | decapsulating node, it would be possible for an attacker to inject a | |||
| packet with: | packet with: | |||
| skipping to change at page 20, line 16 | skipping to change at page 21, line 6 | |||
| The decapsulating node MUST verify that the tunnel source address is | The decapsulating node MUST verify that the tunnel source address is | |||
| acceptable before forwarding decapsulated packets to avoid | acceptable before forwarding decapsulated packets to avoid | |||
| circumventing ingress filtering [13]. Note that packets which are | circumventing ingress filtering [13]. Note that packets which are | |||
| delivered to transport protocols on the decapsulating node SHOULD NOT | delivered to transport protocols on the decapsulating node SHOULD NOT | |||
| be subject to these checks. For bidirectional configured tunnels | be subject to these checks. For bidirectional configured tunnels | |||
| this is done by verifying that the source address is the IPv4 address | this is done by verifying that the source address is the IPv4 address | |||
| of the other end of the tunnel. For unidirectional configured | of the other end of the tunnel. For unidirectional configured | |||
| tunnels the decapsulating node MUST be configured with a list of | tunnels the decapsulating node MUST be configured with a list of | |||
| source IPv4 address prefixes that are acceptable. Such a list MUST | source IPv4 address prefixes that are acceptable. Such a list MUST | |||
| default to not having any entries i.e. the node has to be explicitly | default to not having any entries i.e., the node has to be explicitly | |||
| configured to forward decapsulated packets received over | configured to forward decapsulated packets received over | |||
| unidirectional configured tunnels. | unidirectional configured tunnels. | |||
| 5. Acknowledgments | 5. Acknowledgments | |||
| We would like to thank the members of the IPng working group and the | We would like to thank the members of the IPng working group and the | |||
| Next Generation Transition (ngtrans) working group for their many | Next Generation Transition (ngtrans) working group for their many | |||
| contributions and extensive review of this document. Special thanks | contributions and extensive review of this document. Special thanks | |||
| are due to Jim Bound, Ross Callon, Bob Hinden, and John Moy for many | are due to Jim Bound, Ross Callon, Bob Hinden, John Moy, and Pekka | |||
| helpful suggestions. | Savola for many helpful suggestions. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| Tunneling is not known to introduce any security holes except for the | Tunneling is not known to introduce any security holes except for the | |||
| possibility to circumvent ingress filtering [13]. This is prevented | possibility to circumvent ingress filtering [13]. This is prevented | |||
| by requiring that decapsulating routers only forward packets if they | by requiring that decapsulating routers only forward packets if they | |||
| have been configured to accept encapsulated packets from the IPv4 | have been configured to accept encapsulated packets from the IPv4 | |||
| source address in the receive packet. | source address in the receive packet. | |||
| An implementation of tunneling needs to be aware that while a tunnel | ||||
| is a link (as defined in [4]), the threat model for a tunnel might be | ||||
| rather different than for other links, since the tunnel potentially | ||||
| includes all of the Internet. The recommendations to verify that the | ||||
| IPv4 addresses in the encapsulated packet matches what has been | ||||
| configured for the tunnel, coupled with use of ingress filtering in | ||||
| IPv4, ameliorate some of this. In addition, an implementation must | ||||
| treat interfaces to different links as separate e.g. to ensure that | ||||
| Neighbor Discovery packets arriving on one link does not effect other | ||||
| links. This is especially important for tunnel links. | ||||
| 7. Authors' Addresses | 7. Authors' Addresses | |||
| Erik Nordmark | Erik Nordmark | |||
| Sun Microsystems Laboratories | Sun Microsystems Laboratories | |||
| 29, Chemin du Vieux Chene | 180, avenue de l'Europe | |||
| 38240 Meylan, France | 38334 SAINT ISMIER Cedex, France | |||
| Tel : +33 (0)4 76 18 88 03 | ||||
| phone: +33 (0)4 76 18 88 03 | Fax : +33 (0)4 76 18 88 88 | |||
| fax: +33 (0)4 76 18 88 88 | EMail : erik.nordmark@sun.com | |||
| email: erik.nordmark@sun.com | ||||
| Robert E. Gilligan | Robert E. Gilligan | |||
| Intransa, Inc. | Intransa, Inc. | |||
| 1393 Geneva Drive | 2870 Zanker Rd., Suite 100 | |||
| Sunnyvale, CA 94089-1121 | San Jose, CA 95134 | |||
| phone: 408.548.5140 | Tel : +1 408 678 8600 | |||
| fax: 408.548.5196 | Fax : +1 408 678 8800 | |||
| email: gilligan@intransa.com, gilligan@leaf.com | Email : gilligan@intransa.com, gilligan@leaf.com | |||
| 8. References | 8. References | |||
| [1] Croft, W., and J. Gilmore, "Bootstrap Protocol", RFC 951, | 8.1. Normative References | |||
| September 1985. | ||||
| [2] Droms, R., "Dynamic Host Configuration Protocol", RFC 1541. | ||||
| October 1993. | ||||
| [4] Deering, S., and Hinden, R. "Internet Protocol, Version 6 (IPv6) | [4] Deering, S., and Hinden, R. "Internet Protocol, Version 6 (IPv6) | |||
| Specification", RFC 2460, December 1998. | Specification", RFC 2460, December 1998. | |||
| [8] Mogul, J., and Deering, S., "Path MTU Discovery", RFC 1191, | ||||
| November 1990. | ||||
| [14] Hinden, R., and S. Deering, "IP Version 6 Addressing | ||||
| Architecture", RFC 2373, July 1998. | ||||
| 8.2. Non-normative References | ||||
| [5] Thomson, S., and Narten, T. "IPv6 Stateless Address | [5] Thomson, S., and Narten, T. "IPv6 Stateless Address | |||
| Autoconfiguration," RFC 2462, December 1998. | Autoconfiguration," RFC 2462, December 1998. | |||
| [6] Thomson, S., and Huitema C. "DNS Extensions to support IP | [6] Thomson, S., and Huitema C. "DNS Extensions to support IP | |||
| version 6", RFC 1886, December 1995. | version 6", RFC 1886, December 1995. | |||
| [7] Narten, T., Nordmark, E., and Simpson, W. "Neighbor Discovery | [7] Narten, T., Nordmark, E., and Simpson, W. "Neighbor Discovery | |||
| for IP Version 6 (IPv6)", RFC 2461, December 1998. | for IP Version 6 (IPv6)", RFC 2461, December 1998. | |||
| [8] Mogul, J., and Deering, S., "Path MTU Discovery", RFC 1191, | ||||
| November 1990. | ||||
| [9] Finlayson, R., Mann, T., Mogul, J., and M. Theimer, "Reverse | ||||
| Address Resolution Protocol", RFC 903, June 1984. | ||||
| [10] Braden, R., "Requirements for Internet Hosts - Communication | [10] Braden, R., "Requirements for Internet Hosts - Communication | |||
| Layers", STD 3, RFC 1122, October 1989. | Layers", STD 3, RFC 1122, October 1989. | |||
| [11] Kent, C., and J. Mogul, "Fragmentation Considered Harmful". In | [11] Kent, C., and J. Mogul, "Fragmentation Considered Harmful". In | |||
| Proc. SIGCOMM '87 Workshop on Frontiers in Computer | Proc. SIGCOMM '87 Workshop on Frontiers in Computer | |||
| Communications Technology. August 1987. | Communications Technology. August 1987. | |||
| [12] Callon, R. and Haskin, D., "Routing Aspects of IPv6 Transition", | ||||
| RFC 2185. September 1997. | ||||
| [13] Ferguson, P., and Senie, D., "Network Ingress Filtering: | [13] Ferguson, P., and Senie, D., "Network Ingress Filtering: | |||
| Defeating Denial of Service Attacks which employ IP Source | Defeating Denial of Service Attacks which employ IP Source | |||
| Address Spoofing", RFC 2267, January 1998. | Address Spoofing", RFC 2267, January 1998. | |||
| [14] Hinden, R., and S. Deering, "IP Version 6 Addressing | ||||
| Architecture", RFC 2373, July 1998. | ||||
| [15] Rechter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.J., and | ||||
| Lear, E. "Address Allocation for Private Internets", RFC 1918, | ||||
| February 1996. | ||||
| [16] S. Bradner, "Key words for use in RFCs to Indicate Requirement | [16] S. Bradner, "Key words for use in RFCs to Indicate Requirement | |||
| Levels", RFC 2119, March 1997. | Levels", RFC 2119, March 1997. | |||
| [17] D. Thaler, "IP Tunnel MIB", RFC 2667, August 1999. | [17] D. Thaler, "IP Tunnel MIB", RFC 2667, August 1999. | |||
| [18] F. Baker, "Requirements for IP Version 4 Routers", RFC 1812, | [18] F. Baker, "Requirements for IP Version 4 Routers", RFC 1812, | |||
| June 1995. | June 1995. | |||
| [19] R. Draves, "Default Address Selection for IPv6", Work in | [19] R. Draves, "Default Address Selection for IPv6", Work in | |||
| progress, draft-ietf-ipv6-default-addr-select-08.txt, June | progress, draft-ietf-ipv6-default-addr-select-09.txt, June | |||
| 2002. | 2002. | |||
| [20] D. Black, "Differentiated Services and Tunnels", RFC 2893, | ||||
| October 2000. | ||||
| [21] K. Ramakrishnan, S. Floyd, D. Black, "The Addition of Explicit | ||||
| Congestion Notification (ECN) to IP", RFC 3168, September 2001. | ||||
| 9. Changes from RFC 2893 | 9. Changes from RFC 2893 | |||
| The motivation for the bulk of these changes are to simplify the | ||||
| document to only contain the mechanisms of wide-spread use. | ||||
| RFC 2893 contains a mechanism called automatic tunneling. But a | ||||
| much more general mechanism is specified in RFC 3056 which gives | ||||
| each node with a (global) IPv4 address a /48 IPv6 prefix i.e., | ||||
| enough for a whole site. | ||||
| - Removed references to A6 and retained AAAA. | - Removed references to A6 and retained AAAA. | |||
| - Removed automatic tunneling and IPv4-compatible addresses. | - Removed automatic tunneling and IPv4-compatible addresses. | |||
| - Removed default Configured Tunnel using IPv4 "Anycast Address" | - Removed default Configured Tunnel using IPv4 "Anycast Address" | |||
| - Removed Source Address Selection section since this is now | - Removed Source Address Selection section since this is now | |||
| covered by another document ([19]). | covered by another document ([19]). | |||
| - Removed brief mention of 6over4. | - Removed brief mention of 6over4. | |||
| 10. Changes from RFC 2893 | - Split into normative and non-normative references. | |||
| - Should 6to4 be mentioned? How complete should we make the list | - Drop "or equal" in if (IPv4 path MTU - 20) is less than or equal | |||
| of tunneling techniques in section 1.1? | to 1280 | |||
| - Dropped this: However, IPv6 may be used in some environments | ||||
| where interoperability with IPv4 is not required. IPv6 nodes | ||||
| that are designed to be used in such environments need not use | ||||
| or even implement these mechanisms. | ||||
| - Increased the minimum MRU from 1300 to 4420. | ||||
| - Clarified that the dynamic path MTU mechanism in section 3.2 is | ||||
| OPTIONAL but if it is implemented it should follow the rules in | ||||
| section 3.2. | ||||
| - Stated that when the dynamic PMTU is not implemented the sender | ||||
| MUST NOT by default send IPv6 packets larger than 1280 into the | ||||
| tunnel. | ||||
| - Stated that implementations MAY have a knob by which the "min | ||||
| MRU" and the max MTU" can be set to larger values on a tunnel by | ||||
| tunnel basis, but that the defaults MUST be the above numbers. | ||||
| - Restated the "currently underway" language about ToS to loosely | ||||
| point at [20] and [21]. | ||||
| - Stated that IPv4 source MAY also be administratively specified. | ||||
| (This is especially useful on multi-interface nodes and with | ||||
| configured tunneling) | ||||
| 10. Open issues | ||||
| - Should all of section 2.2 (DNS stuff) be removed? It duplicates | - Should all of section 2.2 (DNS stuff) be removed? It duplicates | |||
| [19]. | [19]. | |||
| - Should we drop the discussion about unidirectional tunneling? | ||||
| - Is 1280 a reasonable MTU for encapsulators that do not implement | ||||
| dynamic tunnel MTU discovery? | ||||
| - Is 4400 a reasonable cap on the MTU for encapsulators that | ||||
| implement dynamic tunnel MTU discovery? | ||||
| - Is 4420 is reasonable minimum MRU for decapsulating nodes? | ||||
| - IPv6 native addresses include IPv4-mapped as currently defined. | ||||
| Is this an issue that needs to be dealt with? The term "IPv6- | ||||
| native" is only used once in the document. | ||||
| 11. TODO | ||||
| - Section 4.1: Ingress filtering as described does not guard | ||||
| against the attack described in 3.9. Checking must be done on | ||||
| the v6 address - attacker can spoof the v4 source address, | ||||
| unless tunnel is secured. Make it more clear that the | ||||
| assumption is that *if* IPv4 and IPv6 ingress filtering is | ||||
| deployed, the decapsulating node can't blindly decapsulate since | ||||
| it would circumvent the ingress filtering. | ||||
| - Section 3.3 reference to Assigned Numbers needs to be to online | ||||
| version (with proper pointer to "Assigned Numbers is obsolete" | ||||
| RFC) | ||||
| End of changes. | ||||
This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||