Discovering PREF64 in Router Advertisements
draft-ietf-6man-ra-pref64-09

Like Alexey, I found the Scaled Lifetime section tricky / overly complex - I'm not actually quire sure why the value needs to be scaled by 8 -- the field is 13 bits, which gives ( I think!) a maximum value of 8192. If this were not scaled, it would be 136 minutes (8192/60), or ~2 1/4 hours -- I might be missing something, but surely if you haven't gotten an RA in much less than that, you have some larger set of issues? I think that the complexity would be an easier pill to swallow if there was some justification for the complexity provided.

If the text is reworded, I *think* it might make sense to break the explanation out of the main part of the "Option Format" bit, and do something like: "Scaled Lifetime: 13-bit unsigned integer, see Section 5.1" and then put the explanation text in Sec 5.1 - having it in this location makes the text feel "squished" and leads to an attempt to be overly terse.

Jen, Lorenzo,

Thank you for the work put into this short and clear document and let's hope for implementations.

Answers/actions to my COMMENTs below will be welcomed, even if those COMMENTs are not blocking.

Regards,

-éric

== COMMENTS ==

-- Section 5 --
I find this "scaled lifetime" field overspecified with respect to the router vendor requirements (perhaps a bias of mine ;-)).

Define MaxRtrAdvInterval as "MaxRtrAdvInterval" in RFC 4861 ?

-- Section 6 --
The text "the host receives multiple RAs with different PREF64 prefixes on one or multiple interfaces" is not followed by any guidance on how to use PREF64 received on different interfaces. Perhaps worth mentioning here also PvD and requiring to use a PREF64 received on an interface (or PvD) only with interface/next hop/DNS of this interface (or PvD).

I found this document to be well written, but I have one small comment:

In Section 5:

   Lifetime seconds over which this NAT64 prefix MAY be used. The value
            of the Scaled Lifetime field SHOULD by default be set to the
            lesser of 3 x MaxRtrAdvInterval divided by 8, or 8191. The
            receiver MUST multiply the Scaled Lifetime value by 8 (for
            example, by logical left shift) to calculate the maximum
            time in seconds the prefix MAY be used. Lifetime of 0
            indicates that the prefix SHOULD NOT be used anymore. Router
            vendors SHOULD allow administrators to specify non-zero
            lifetime values which are not divisible by 8. In such cases
            the router SHOULD round the provided value up to the lesser
            of nearest integer divisible by 8, or 65528 and divide the
            result by 8 (or just perform a logical right-shift by 3) and
            set the Scaled Lifetime field to the resulting value. If
            such a non-zero lifetime value to be divided by 8 (to be
            subjected to a logical right-shift by 3) is less than 8 then
            the Scaled Lifetime field SHOULD by default be set to 1.

I found this description to be unclear. You are first saying to round the value up, but then your last sentence looks like a special case, where it is not supposed to be according to my understanding of the meaning of "round up". I suggest this text needs more work.

I just have a couple of editorial comments about Section 4:

   If the network operator desires to route different
   parts of the IPv4 address space to different NAT64 devices, this can
   be accomplished by routing more specifics of the NAT64 prefix to
   those devices.

What does “more specifics” mean here?  I don’t understand the sentence.

   For example, if the operator is using the RFC1918
   address space, e.g. 10.0.0.0/8 internally and would like to route
   10.0.0.0/8 through NAT64 device A and the rest of the IPv4 space
   through NAT64 device B, and the operator's NAT64 prefix is
   2001:db8:a:b::/96, then the operator can route
   2001:db8:a:b::a00:0/104 to NAT64 A and 2001:db8:a:b::/96 to NAT64 B.

This sentence is too long and cumbersome, and would benefit from being split (which would also fix some awkward missing commas).  How’s this?:

NEW
   For example, suppose an operator is using the RFC1918 address
   space 10.0.0.0/8 internally.  That operator might want to route
   10.0.0.0/8 through NAT64 device A, and the rest of the IPv4 space
   through NAT64 device B.  If the operator's NAT64 prefix is
   2001:db8:a:b::/96, then the operator can route
   2001:db8:a:b::a00:0/104 to NAT64 A and 2001:db8:a:b::/96 to NAT64 B.
END

Thanks for this well-written document!  I just have some fairly minor
comments; the most significant one is a request to expound a bit more in
the security considerations section.

Section 1

   NAT64 [RFC6146] with DNS64 [RFC6147] is a widely-deployed mechanism
   to provide IPv4 access on IPv6-only networks.  In various scenarios,
   the host must be aware of the NAT64 prefix in use by the network.

RFC 6147 sayas that no changes are required to the IPv6 node "for the
class of applications that work through NATs".  Is it only applications
that do not work through NATs that comprise the "various scenarios"
mentioned here?  (Interestingly, neither of the examples in Section 2
seem to fall nicely into that bucket.)

Section 2

      *  Local DNSSEC validation (DNS64 in stub-resolver mode).  As
         discussed in [RFC6147] section 2, the stub resolver in the host
         "will try to obtain (real) AAAA RRs, and in case they are not
         available, the DNS64 function will synthesize AAAA RRs for
         internal usage."  This is required in order to use DNSSEC on a
         NAT64 network.

nit: I think the "this" that is required is "the stub doing the DNS64",
not the AAAA synthesis mentioned in the quoted text.

      *  Networks with no DNS64 server.  Hosts that support AAAA
         synthesis and that are aware of the NAT64 prefix in use do not
         need the network to perform the DNS64 function at all.

side note: I'm curious how common it is for a NAT64 network to not
provide a DNS64 server, though that probably has no bearing on the
contents of this document.

Section 3

   host.  Only one packet (a Router Advertisement) is required to
   complete the network configuration.  This speeds up the process of
   connecting to a network that supports NAT64/DNS64, and simplifies
   host implementation by removing the possibility that the host can
   have an incomplete layer 3 configuration (e.g., IPv6 addresses and
   prefixes, but no NAT64 prefix).

This discussion seems slightly at odds with the premise/assumption in
6146/6147 that hosts will not need to know the NAT64 prefix in order to
function (for applications that work through NAT, at least).  I don't
have any proposed alternative text, though (would just predicating the
discussion on having a host that needs/wants the NAT64 prefix suffice?).

Section 5

   Scaled   13-bit unsigned integer. The maximum time in units of 8
   Lifetime seconds over which this NAT64 prefix MAY be used. The value
            [...]
            lifetime values which are not divisible by 8. In such cases
            the router SHOULD round the provided value up to the lesser
            of nearest integer divisible by 8, or 65528 and divide the
            result by 8 (or just perform a logical right-shift by 3) and
            set the Scaled Lifetime field to the resulting value. If

nit: I think the lone comma before "or 65528" is misplaced and suggest
NEW:

%           lifetime values which are not divisible by 8. In such cases
%           the router SHOULD round the provided value up to the lesser
%           of the nearest integer divisible by 8 and 65528, and divide the
%           result by 8 (or just perform a logical right-shift by 3) and
%           set the Scaled Lifetime field to the resulting value. If

            such a non-zero lifetime value to be divided by 8 (to be
            subjected to a logical right-shift by 3) is less than 8 then
            the Scaled Lifetime field SHOULD by default be set to 1.

I suggest to s/SHOULD by default/SHOULD/

   Highest  96-bit unsigned integer. Contains bits 0 - 95 of the NAT64
   96 bits  prefix.
   of the
   prefix

Am I supposed to zero-fill when the prefix length is less than 96 bits?

Section 6

   When multiple PREF64 were discovered via RA PREF64 Option (the Option
   presents more than once in a single RA or multiple RAs were
   received), host behaviour with regards to synthesizing IPv6 addresses
   from IPv4 addresses SHOULD follow the recommendations given in
   Section 3 of [RFC7050], limited to the NAT64 prefixes that have non-
   zero lifetime.

This seems to have high overlap with a recommendation from Section 4;
could/should the texts be consolidated?

Section 7

   Section 6.2.7 of [RFC4861] recommends that routers inspect RAs sent
   by other routers to ensure that all routers onlink advertise the
   consistent information.  Routers SHOULD inspect valid PREF64 options

nit: I think s/the consistent information/consistent information/

Section 9

I appreciate the discussion that RAs already need to be protected for
normal opration, and that NAT64 prefix delivery, when bundled as an RA
option, can take advantage of those mechanisms.  Nonetheless, I think
it would still be appropriate to mention (either inline or by reference)
the scope of risk/breakage possible when an incorrect NAT64 prefix
(or length) is used.

Minor comment/question:
Section 6 discusses Handling of Multiple NAT64 Prefixes, however, it does not really discussion any consequences of using the "wrong" prefix. Maybe you can say more about that...?