Recommendations for Prefix Binding in the Softwire DS-Lite Context

The information below is for an old version of the document
Document Type Active Internet-Draft (individual)
Authors Suresh Vinapamula  , Mohamed Boucadair 
Last updated 2015-04-23
Stream Internet Engineering Task Force (IETF)
Formats pdf htmlized (tools) htmlized bibtex
IETF conflict review conflict-review-vinapamula-softwire-dslite-prefix-binding
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
Telechat date
Responsible AD Terry Manderson
Send notices to,, "Suresh Krishnan" <>
Network Working Group                                      S. Vinapamula
Internet-Draft                                          Juniper Networks
Intended status: Best Current Practice                      M. Boucadair
Expires: October 25, 2015                                 France Telecom
                                                          April 23, 2015

   Recommendations for Prefix Binding in the Softwire DS-Lite Context


   This document discusses issues induced by the change of the Dual-
   Stack Lite (DS-Lite) Basic Bridging BroadBand (B4) IPv6 address and
   sketches a set of recommendations to solve those issues.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 25, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Vinapamula & Boucadair  Expires October 25, 2015                [Page 1]
Internet-Draft         Prefix Binding for DS-Lite             April 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
   2.  The Problem . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Recommendations . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative references  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative references  . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   IPv6 deployment models assume IPv6 prefixes are delegated by Service
   Providers to the connected CPEs (Customer Premise Equipments) or
   hosts, which in their turn derive IPv6 addresses out of that prefix.
   In the case of DS-Lite [RFC6333], that is an IPv4 service continuity
   mechanism over an IPv6 network, the Basic Bridging BroadBand (B4)
   element derives an IPv6 address for the IPv4-in-IPv6 softwire setup

   The B4 element might obtain a new external IPv6 address, for a
   variety of reasons including a reboot of the CPE, power outage,
   DHCPv6 lease expiry, or other actions undertaken by the Service
   Provider.  If this occurs, traffic forwarded to a B4's previous IPv6
   address might be delivered to another B4 that now acquired that
   address.  This affects all mapping types, whether implicit (e.g., by
   sending a TCP SYN) or explicit (e.g., using Port Control Protocol
   (PCP) [RFC6887]).  The problem is further elaborated in Section 2.

   This document proposes recommendations to soften the impact of such
   renumbering issues (Section 3).

   Note that in some deployments, CPE renumbering may be required to
   accommodate some privacy-related requirements to avoid the same
   prefix be assigned to the same customer.  It is out of scope of this
   document to discuss such contexts.

   This document complements [RFC6908].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

Vinapamula & Boucadair  Expires October 25, 2015                [Page 2]
Internet-Draft         Prefix Binding for DS-Lite             April 2015

2.  The Problem

   Since IPv4 addresses assigned to hosts serviced by a B4 element are
   overlapping across multiple CPEs, the IPv6 address of a B4 element
   plays a key role in de-multiplexing connections, enforcing policies,
   and in identifying associated resources assigned for each of the
   connections in the Address Family Transition Router (AFTR,
   [RFC6333]).  For example, these resources maintain state of Endpoint-
   Independent Mapping (EIM, Section 4.1 of [RFC4787]), Endpoint-
   Independent Filtering (EIF, Section 5 of [RFC4787]), preserve the
   external IPv4 address assigned in the AFTR (i.e., "IP address
   pooling" behavior as defined in Section 4.1 of [RFC4787]), PCP
   mappings, etc.

   However, there can be a change in the B4's IPv6 address for any
   reason, e.g., because of a change in the CPE itself or may be because
   of privacy extensions enabled in generating the IPv6 address.  When
   the B4's IPv6 address changes, the associated mappings created in the
   AFTR are no more valid.  This may result in creation of new set of
   mappings in the AFTR.

   Furthermore, a mis-behaving user may be tempted to change the B4's
   IPv6 address in order to "grab" more ports and resources at the AFTR
   side.  This behavior can be seen as a potential Denial of Service
   (DoS) attack from mis-behaving users.  Note that this DoS attack can
   be achieved whatever port assignment policy configured to the AFTR
   (individual ports, port sets, randomized port bulks, etc.).

   Service Providers may want to enforce policies in order to limit the
   usage of the AFTR resources on a per-subscriber basis for fairness
   resources usage (see REQ-4 of [RFC6888]).  These policies are used
   for dimensioning purposes and also to ensure that AFTR resources are
   not exhausted.  To that aim, a subscriber should be identified at the
   AFTR by the delegated IPv6 prefix and not the derived B4's IPv6
   address.  Also, when there is a change of the B4's IPv6 address,
   enforcing policies based on the B4's IPv6 address doesn't resolve
   stale mappings hanging around in the system, consuming not only
   system resources, but also reducing the available quota of resources
   per-subscriber.  Clearing those mappings can be envisaged, but that
   will cause a lot of churn in the AFTR and could be disruptive to
   existing connections, which is not desirable.

   When application servers are hosted behind a B4 element, and when
   there is a change of the B4's IPv6 address which if results in a
   change in the external IPv4 address and/or the external port number
   at the AFTR side, these servers have to advertise about their change
   (see Section 1.1 of [RFC7393]).  Means to discover the change of B4's
   IPv6 address, the external IPv4 address and/or the external port are

Vinapamula & Boucadair  Expires October 25, 2015                [Page 3]
Internet-Draft         Prefix Binding for DS-Lite             April 2015

   therefore required.  Latency issues are likely to be experienced
   where an application server has to advertise its newly assigned
   external IPv4 address and port, and the application clients have to
   discover that newly assigned server and/or port and re-initiate
   connections to the application server.

3.  Recommendations

   In order to mitigate the issues discussed in Section 2, the following
   recommendations are made:

   1.  A policy SHOULD be enforced at the AFTR to limit the number of
       active softwires per-subscriber.  The default value MUST be 1.

       This policy aims to prevent a misbehaving subscriber to mount
       several softwires to consume more resources on the AFTR side
       (e.g., get more external ports if the quota was enforced on a
       per-softwire basis, consume extra processing induced by a large
       number of active softwires).

   2.  Resource contexts created at the AFTR SHOULD be based on the
       delegated IPv6 prefix instead of the B4's IPv6 address.  The AFTR
       derives the delegated prefix from the B4's IPv6 address through a
       configured subscriber-mask.  Administrators SHOULD configure per-
       prefix limits of resource usage, instead of per-tunnel limits.
       These resources include, the maximum number of active flows, the
       maximum number of PCP-created mappings, NAT pool resources, etc.

       1.  Subscriber-mask is defined as an integer that indicates the
           length of significant bits to be applied on the source IPv6
           address (internal side) to identify a subscriber (or a CPE).

           Subscriber-mask is an AFTR system-wide configuration
           parameter that is used to enforce generic per-subscriber
           policies.  Applying these generic policies does not require
           to configure every subscriber's prefix.

           Subscriber-mask must be configurable; the default value is

       2.  For example, suppose 2001:db8:100:100::/56 is delegated to a
           DS-Lite enabled CPE.  Suppose also that 2001:db8:100:100::1
           is the IPv6 address assigned to the B4 element that resides
           in that CPE.  When the AFTR receives a packet from this B4
           element (i.e., the source address of the IPv4-in-IPv6 packet
           is 2001:db8:100:100::1), the AFTR applies the subscriber-mask
           (e.g., 56) on the source IPv6 address to derive the prefix
           for this B4 element (that is 2001:db8:100:100::/56).  Then,

Vinapamula & Boucadair  Expires October 25, 2015                [Page 4]
Internet-Draft         Prefix Binding for DS-Lite             April 2015

           the AFTR enforces policies based on that derived prefix
           (i.e., 2001:db8:100:100::/56), not on the exact source IPv6

   3.  In the event a new IPv6 address is assigned to the B4 element,
       the AFTR SHOULD migrate existing state to be bound to the new
       B4's IPv6 address.  This operation ensures the traffic destined
       to the previous B4's IPv6 address will be redirected to the newer
       B4's IPv6 address.  The destination IPv6 address for tunneling
       return traffic SHOULD be the last seen as B4's IPv6 address from
       the CPE.  This recommendation avoids stale mappings at the AFTR
       and minimizes the risk of service disruption for subscribers.

       The AFTR uses the subscriber-mask to determine whether two IPv6
       addresses belong to the same CPE (e.g., If the subscriber-mask is
       set to 56, the AFTR concludes that 2001:db8:100:100::1 and
       2001:db8:100:100::2 belong to the same CPE assigned with

   4.  In the event of change of the CPE WAN's IPv6 prefix, unsolicited
       PCP ANNOUNCE messages are to be sent by the B4 element to
       internal hosts to update their mappings.  This allows internal
       PCP clients to update their mappings with the new B4's IPv6
       address and trigger updates to rendez-vous servers (e.g., dynamic
       DNS).  A PCP-based dynamic DNS solution is specified in

   5.  When a new prefix is assigned to the CPE, stale mappings may
       exist in the AFTR.  This will consume both implicit and explicit
       resources.  In order to avoid such issues, stable IPv6 prefix
       assignment is RECOMMENDED.

   6.  In case for any reason an IPv6 prefix has to be reassigned, it is
       RECOMMENDED to reassign an IPv6 prefix to a distinct CPE only
       when all the resources in use associated with that prefix are
       cleared from the AFTR.  Doing so avoids to redirect traffic,
       destined to the previous prefix owner, to the new one.

4.  Security Considerations

   Security considerations related to DS-Lite are discussed in

   Enforcing the recommendations in Section 3 defends against DoS
   attacks that would result in varying the source IPv6 address to
   exhaust AFTR resources.

Vinapamula & Boucadair  Expires October 25, 2015                [Page 5]
Internet-Draft         Prefix Binding for DS-Lite             April 2015

5.  IANA Considerations

   This document does not require any action from IANA.

6.  Acknowledgements

   G.  Krishna, C.  Jacquenet, I.  Farrer, Y.  Lee, and Q.  Sun provided
   useful comments.  Many thanks to them.

7.  References

7.1.  Normative references

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

   [RFC6887]  Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
              Selkirk, "Port Control Protocol (PCP)", RFC 6887, April

7.2.  Informative references

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
              RFC 4787, January 2007.

   [RFC6888]  Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
              and H. Ashida, "Common Requirements for Carrier-Grade NATs
              (CGNs)", BCP 127, RFC 6888, April 2013.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
              Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, March 2013.

   [RFC7393]  Deng, X., Boucadair, M., Zhao, Q., Huang, J., and C. Zhou,
              "Using the Port Control Protocol (PCP) to Update Dynamic
              DNS", RFC 7393, November 2014.

Authors' Addresses

Vinapamula & Boucadair  Expires October 25, 2015                [Page 6]
Internet-Draft         Prefix Binding for DS-Lite             April 2015

   Suresh Vinapamula
   Juniper Networks
   1194 North Mathilda Avenue
   Sunnyvale, CA  94089

   Phone: +1 408 936 5441

   Mohamed Boucadair
   France Telecom
   Rennes  35000


Vinapamula & Boucadair  Expires October 25, 2015                [Page 7]