Internet Engineering Task Force R. Despres
Internet-Draft March 24, 2009
Intended status: Standards Track
Expires: September 25, 2009
Stateless Address Mapping (SAM)
Avoiding NATs and restoring the end-to-end model in IPv6
draft-despres-sam-02
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 25, 2009.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
Stateless Address Mapping (SAM) is a generic mechanism to support
global addressing across network zones where routing is based on a
Despres Expires September 25, 2009 [Page 1]
Internet-Draft Stateless Address Mapping (SAM) March 2009
different address space. With it, the end-to-end model, lost in IPv4
with the deployment of NATs, can be restored without losing services
that NAT44s offer beyond address-space extension (private addressing,
basic firewall, site multihoming, privacy protection, host-rooted
subnets). Global-address packets are encapsulated in local-address
packets to traverse SAM zones, and global prefixes are statelessly
mapped into local addresses. For the IPv6-IPv4 coexistence period,
port-restricted IPv4 addresses are used to extend the global IPv4
address space.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. NAT44 services that remain desirable in IPv6 . . . . . . . . . 4
2.1. Private addressing (easy renumbering) . . . . . . . . . . 4
2.2. Basic firewall (by default, no incoming connections) . . . 4
2.3. Site multihoming (automatic fallback) . . . . . . . . . . 4
2.4. Privacy protection . . . . . . . . . . . . . . . . . . . . 4
2.5. Host-rooted subnets . . . . . . . . . . . . . . . . . . . 5
3. SAM specification . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Local zones - Root SAMs - Branch SAMs . . . . . . . . . . 5
3.2. Encapsulation of global packets in local packets . . . . . 7
3.3. Global prefixes - global addresses - local addresses . . . 9
3.4. Endpoint global address to branch local address mapping . 11
3.5. Privacy protection . . . . . . . . . . . . . . . . . . . . 13
3.6. SAM parameters . . . . . . . . . . . . . . . . . . . . . . 15
3.7. Port range based extended IPv4 addressing . . . . . . . . 16
4. SAM Application Examples . . . . . . . . . . . . . . . . . . . 16
4.1. Private addressing in an IPv6 site . . . . . . . . . . . . 16
4.2. Multihoming and Extended IPv4 addressing in a home site . 19
5. Avoiding using NATs in IPv6 with SAM . . . . . . . . . . . . . 21
6. Security considerations . . . . . . . . . . . . . . . . . . . 22
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
9.1. Normative References . . . . . . . . . . . . . . . . . . . 23
9.2. Informative References . . . . . . . . . . . . . . . . . . 23
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 24
Despres Expires September 25, 2009 [Page 2]
Internet-Draft Stateless Address Mapping (SAM) March 2009
1. Introduction
In IPv4, Network Address Translations have been extensively deployed
(NAT44s). They are key to mitigate the IPv4 address shortage. But
they also offer various auxiliary services, described in Section 2 :
private addressing, basic firewall, site multihoming, privacy
protection, host-rooted subnets.
In counterpart to these auxiliary services, these NAT44s have
introduced two drawbacks:
o Non compliance with the end-to-end model of the Internet where
addresses and ports are unchanged end to end (e2e).
Negative consequences include incompatibility with the IPsec
security mechanism, and difficulties for hosts to know their
own global addresses, which they need for connection
redirections, for host referrals, and, in sites having several
site entrance routers, for multihoming support mechanisms like
the SCTP of [RFC4960] and [Shim6].
o Stateful operation.
Most NAT44s are in fact stateful NAPTs as defined in [RFC2663]:
to support more local addresses than they have external
addresses, they maintain per-transport-connection states.
Negative consequences include limited scalability, and the risk
of denial of service attacks that go with it, as well as single
points of failures.
Since no global address shortage is in view in IPv6, the following
questions have to be asked:
o Which NAT44 services can, in IPv6, be offered statelessly and
without breaking the e2e model?
o How?
This draft proposes to answer these questions, more completely and
with more technical details than in [RFC4864], the most advance
document on the subject so far.
For this, a Stateless Address Mapping generic mechanism is introduced
(SAM).
The conclusion is that, provided SAM is supported in nodes at borders
of independently administered routing zones, the e2e model can be
restored in IPv6, for all identified useful functions of NAT44s.
Despres Expires September 25, 2009 [Page 3]
Internet-Draft Stateless Address Mapping (SAM) March 2009
(This conclusion needs however to be confirmed after further work on
SAM details, after criticisms by other experts, after some possible
bug corrections, and after validations with running code.)
Thus, traversal of NATs in ISP infrastructures can be avoided.
(These NATs do provide useful connectivity to some non-SAM-capable
nodes, but have the drawback of breaking the e2e model, with the
mentioned consequences on security, referrals, multihoming,
scalability, and reliability.)
2. NAT44 services that remain desirable in IPv6
2.1. Private addressing (easy renumbering)
With NAT44s, when a prefix assigned by an ISPs to a customer site is
modified, local IP addresses in the site can remain unchanged.
2.2. Basic firewall (by default, no incoming connections)
Most NAT44s, being NAPTs, and therefore maintaining states for all
TCP and UDP connections, have as a byproduct a protection against
incoming connections (unless some "holes" are "punched" in this
protection, under explicit customer control). This level of security
protection is largely relied upon.
2.3. Site multihoming (automatic fallback)
In a site is multi-homed, and if it has a NAT device supporting all
its ISP interfaces, its hosts can take advantage of multihoming
without having to support any multihoming-specific function. This
level of multihoming support is better than none.
(For this, a NAT44 needs only to make sure that, for each transport
connection, all outgoing packets go through the same ISP. Thus, if
an ISP access fails, current TCP and UDP connections that go via this
ISP are broken, but they can immediately be replaced by new ones.)
2.4. Privacy protection
From outside a site where a NAT44 operates in NAPT mode, it is
difficult to determine which hosts establish which connections. This
level of privacy protection, in particular for some web requests, is
an added value.
Despres Expires September 25, 2009 [Page 4]
Internet-Draft Stateless Address Mapping (SAM) March 2009
2.5. Host-rooted subnets
Behind a host that is assigned a single IPv4 address, it is possible,
with a NAT44 in the host, to deploy a private subnet. As modern
operating systems include a router function with a NAT44, a computer
can serve as a root for a LAN.
Thus, the distinction between hosts and a routers is no longer a
distinction between types of devices. It has become only a
distinction between functions within nodes.
3. SAM specification
3.1. Local zones - Root SAMs - Branch SAMs
As presented in Figure 1, the SAM mechanism applies to a SAM "local
zone" Z. Routing within this zone is independently administered, and
is based on a "local address space".
Each SAM zone has one or several "root interfaces" (Ri), that give
access to the global Internet. Each one has, in the global Internet,
one or several "global prefixes" (gZij) exclusively assigned to zone
Z.
SAM global prefixes can be global IPv6 and/or global IPv4. SAM local
address spaces can be IPv6 or IPv4, global or private. If both IPv4
and IPv6 are routed in the zone, one of the two is chosen for SAM.
(SAM is in this respect an extension of the 6to4 of [RFC3056], of the
ISATAP of [RFC5214], and of [6rd], where all global prefixes are IPv6
and all local address spaces are IPv4).
As explained in Section Section 3.7, global IPv4 addresses can be
extended beyond 32 bits to deal with the IPv4 address shortage during
the IPv4-IPv6 coexistence period.
Despres Expires September 25, 2009 [Page 5]
Internet-Draft Stateless Address Mapping (SAM) March 2009
ROOT-SIDE ENDPOINTS
| /\ |
| || |
|_____:_____| || |______:_____|
| |
| ROOT ZONES |
| gZ22
Zone Global prefixes gZij gZ11 gZ21
Root interfaces: _________:_______________________:________
|(Z) (root-SAM) (root-SAM) |
Root local addresses: | R1 R2 |
Ri | |
| SAM ZONE Z |
| |
| |
Branch local addresses: | B1 B2 B3 |
Bk | : : : |
Branch interfaces: |______:________________:_____________:____|
| | |
Branch Global prefixes: | (branch-SAM) |
*gBkij=gZij.zBk* => + gB211, gB221, gB222
Branch Global Addresses: + gB211@, gB221@, gB222@
*gBkij@=gBkij.H* ||
BRANCH ZONES ||
\/
BRANCH-SIDE ENDPOINTS
ROOT AND BRANCH INTERFACES AND SAMs
Figure 1
Each root interface that supports a root-SAM function has a local
address (Rk), and each "branch interface" has a local address (Bk).
If a "branch SAM" function is supported at a branch interface Bk,
this interface gets, in addition to its local address, global
prefixes (gBkij). Each of these prefixes is made of a global prefix
of the zone (gZij) followed by an identifier (zBk) of the branch in
its zone.
For each each of its global prefixes gBkij, a branch interface has
also a host global address (gBkij@), derived from the prefix by
appending a standard host suffix (H) to complete the address length.
Thus, if a zone D is accessible from the global Internet via a zone
hierarchy A, B, C, it has at least gA.aB.bC.cD as a global prefix gD,
and gA.aB.bC.cD.H as a global address gD@. SAM is thus an
application of the locator-identifier separation principle. (It
Despres Expires September 25, 2009 [Page 6]
Internet-Draft Stateless Address Mapping (SAM) March 2009
differs however from [LISP], in that no new protocol is needed for
SAM (only new options in existing protocols such as DHCP [RFC2131],
DHCPv6 [RFC3315], or ND [RFC4861], to advertise SAM parameters to
branch interfaces.)
3.2. Encapsulation of global packets in local packets
endpoint Y Global address: gY
^
|
...
(3) e2e packet: [ gX->gY [data]]
^
|
gZ ROOT ZONE R
______________:______________________
|(Z) (root SAM) |
| R LOCAL ZONE Z |
| ^ |
| | |
| ... |
(2) encapsulated packet: | |
*B = la(gX)* | [ B->R [gX->gY[data]] |
*R = parameter* | ^ |
| | |
| B |
|______________:______________________|
(branch SAM) BRANCH ZONE B
=> + gB
^
|
...
(1) e2e packet: [ gX->gY [data]]
^
|
endpoint X Global address: gX=gZ.id(B).xxx
PACKET ENCAPSULATION AND ADDRESS MAPPING - BRANCH SIDE TO ROOT SIDE
Figure 2
To traverse a SAM local zone, global-address packets are encapsulated
into local address packets, as illustrated in Figure 2 and Figure 3.
Thus, compatibility is ensured, within the local zone, with the
ingress filtering for multihomed networks of [RFC3704], the basic
anti-spoofing mechanism.
Despres Expires September 25, 2009 [Page 7]
Internet-Draft Stateless Address Mapping (SAM) March 2009
|
| ROOT ZONE
gZ
______________:______________________
|(Z) (root-SAM) |
| zR LOCAL ZONE Z |
| |
| |
| |
(2) encapsulated packet: | [ zB1->zB2 [gE1->gE2[data]] |
*zB1 = la(gX)* | -------->-------- |
*zB2 = la(gY)* | / \ |
| ^ | |
| | v |
| zB1 zB2 |
|______:_____________________:________|
BRANCH ZONES: (branch-SAM) (branch-SAM)
=> + gB1 => + gB2
^ |
| v
(3) e2e packet: ... [ E1->E2 [data]]
(1) e2e packet: [ E1->E2 [data]] ...
^ |
| v
gX=gZ.id(B1).xxx gY=gZ.id(B2).yyy
_:_ _:_
| X | | Y |
|___| |___|
ADDRESS MAPPING AND PACKET ENCAPSULATION - BRANCH SIDE TO BRANCH SIDE
Figure 3
For the IP-in-IP encapsulation, the IPv6 next header or the IPv4
protocol id which indicates the type of IP payload is set to 41 (the
same value as for 6to4, ISATAP, and 6rd).
Local addresses are determined as follows (illustrated in Figure 2
and Figure 3):
1. If an endpoint global address gE, indifferently source or
destination, is that of a branch-side endpoint, this is
recognized by the fact that it starts with one of the global
prefixes of the zone. Then, the local address B is obtained by a
function B=la(gX), completely determined by SAM parameters of the
zone (details in Section 3.4).
Despres Expires September 25, 2009 [Page 8]
Internet-Draft Stateless Address Mapping (SAM) March 2009
2. If an endpoint global address gE, indifferently source or
destination, is that of a root-side endpoint, this is recognized
by the fact that it doesn't start with any of the global prefixes
of the zone. In this case, the other address gX of the packet,
destination or source respectively, is necessarily that of a
branch-side endpoint (otherwise the packet would not traverse the
local zone). Then, local address Ri is that of the root
interface that has, in its assigned global prefixes, the global
prefix present at the beginning of the branch-side address gX.
In multihomed sites, the second of these rules ensures compatibility
with the ingress filtering of [RFC3704] in root zones (if it does
apply, as necessary for anti-spoofing protection).
In Figure 2 and Figure 3, packets in the reverse direction, not
shown, would have the same addresses but with sources and
destinations inverted, and with encapsulations and decapsulations
made at inverted interfaces.
Decapsulation functions MUST verify, for anti-spoofing protection,
that local addresses present in headers of encapsulating packets are
consistent with global addresses present in headers of encapsulated
packets.
3.3. Global prefixes - global addresses - local addresses
Internal structures of SAM global prefixes, global addresses, and
local addresses are detailed in Figure 4.
A branch-interface global prefix necessarily starts with a global
prefix of the zone Z. Its remaining bits are a "branch identifier" in
the zone (gBkij = gZij.zB).
Despres Expires September 25, 2009 [Page 9]
Internet-Draft Stateless Address Mapping (SAM) March 2009
|<-------------- Branch global address gB@ ------------->|
|<-------- Branch global prefix gB --------> |
|<-- G --><----- Branch identifier iB ----> |
________________________________________________________
| local |branch| Subnet | branch | branch |
| zone | id | index | Index | Host |
| Global |Format| (option)| | endpoint |
| prefix | code | | | suffix |
| | | | | (10...00) |
| G | F | S | I | H |
|_________|______|_________|________________|____________|
_______/ <-- s ---><----- i ------>
/ ^ ^
v | |
Specifies s and i / \
(option) | \
Specify F <-----.-----|--------------------. \
\ | \ |
\ v \ v
<-- s ---> <----- i ------>|
________________________________________________________
|local-address| Subnet | next field | branch |
| constant | index | Delimiter | index |
| Prefix | | (00...01) | |
| | | | |
| P | S | D | I |
|_____________|_________|_______________|________________|
|<-- subnet prefix zS -->
|<-------------- Branch local address B ---------------->|
SAM GLOBAL PREFIXES - GLOBAL ADDRESSES - LOCAL ADDRESSES
Figure 4
Principles that influence the internal structure of branch
identifiers proposed for SAM are the following:
1. To permit a flexible hierarchy of local zones, branch identifiers
should be kept rather short. They should, at least to some
extent, be proportionate to the maximum number of branches
supported in their zone.
2. Several subnets must be possible in the zone. For this, a branch
identifier contain an optional "subnet index" (S), followed the
"branch index" (I) which identifies the branch in its subnet.
(The word "index" is chosen to express that these fields have no
further internal structure.)
Despres Expires September 25, 2009 [Page 10]
Internet-Draft Stateless Address Mapping (SAM) March 2009
3. For the efficiency of routing tables, intra-zone subnet indexes
have to be in the upper part of local addresses, just behind the
"constant prefix" (P) that is common to all local addresses. (In
IPv6, this constant prefix is typically an ULA prefix of
[RFC4193]; in IPv4, it is typically a private-address prefix of
[RFC1918].)
4. For efficiency of the neighbor discovery protocol of [RFC2461],
branch indexes B have on the contrary to be in the lowest part of
branch local addresses B.
5. Consequently, it must be possible to extract separately, from a
intra-zone branch identifier iB, the subnet index S and the
interface index I, and for this to know their lengths (s and i).
6. In order to permit to configure several subnet-index lengths,
and/or several interface index lengths, in SAM zones, an optional
branch-identifier "format code" (F) is placed at the beginning of
a branch identifier B (just before the optional subnet index S
and the branch index I). Each format codes specifies a subnet-
index length s and an interface-index length i. To be
recognized, format codes that have different lengths must be non
overlapping prefixes.
Since the local address B of a branch interface starts with a
constant prefix P followed by the interface subnet index S , and is
terminated by the interface-index of the interface, space is left
between them. It is filled with a next-field delimiter (D). Its
format, a series of 0s followed by a 1, i.e. 00...01 with a minimal
length of 1 bit, is chosen so that knowing the constant prefix P and
the subnet prefix of a branch interface, lengths s and i of the its
subnet index S and of its interface index I can be determined. Then,
the identifier format F to be placed in global prefixes of B can be
derived from these lengths s and i.
3.4. Endpoint global address to branch local address mapping
Detailed steps by which a branch local address B is derived from the
global address of a branch-side endpoint are presented in Figure 5.
Despres Expires September 25, 2009 [Page 11]
Internet-Draft Stateless Address Mapping (SAM) March 2009
________________________________________________________
| Endpoint Global address |
| gE |
|________________________________________________________|
(A) ANALYSIS ||
\/
___________________________________________ ............
| Global | id | Subnet | branch | endpoint :
| prefix |Format| index | Index | suffix :
| G | F | S | I | E :
|_________|______|_________|________________|............:
| | | |
1. Match found | | | |
in the G list _| | | |
| | |
2. Match found | | |
in the F list ______| | |
| |
3. length defined by F _______| |
. |
4. length defined by F ____________________|
. .
(B) CONSTRUCTION . || .
. \/ .
5. The current . .
local-address prefix __ . .
| . .
6. From step 3. _______:______.__ .
| | .
7. From step 4. _______:_________:_________.__________
| | |
8. Binary 00...01 _____:_________:________ |
| | | |
_______________|_________|________|___________|_________
| local-address | Subnet |next field | branch |
| Prefix | index | Delimiter | Index |
| P | S | D | I |
|_________________|_________|___________|________________|
|<--------------- Branch Local address B --------------->|
DERIVING A BRANCH LOCAL ADDRESS FROM AN ENDPOINT GLOBAL ADDRESS
Figure 5
Despres Expires September 25, 2009 [Page 12]
Internet-Draft Stateless Address Mapping (SAM) March 2009
3.5. Privacy protection
In a zone where privacy protection is desired, the privacy option can
be turned on. Principles of this option are the following:
1. Fields that identify branch-side IP endpoints in privacy
protected zones, or transport endpoints if endpoints are at this
layer, are obfuscated in e2e packets that traverse the global
Internet.
2. This obfuscation is stateless and reversible.
3. Branch SAMs of a privacy-protected zone are informed of
parameters of this obfuscation. They can thus know which
"hidden" addresses (or addresses plus ports), appear on the
global Internet in place of their "clear" addresses (or address
plus ports). These clear addresses are those from which local
addresses are derived in the privacy-protected zone and in zones
that are lower in the hierarchy.
4. In these lower zones, all branch SAMs are informed that a root
SAM in the global-Internet direction has activated a privacy
option, and are informed of parameters of this option. They can
thus derive a clear address (or address plus port) from an
obfuscated address (or address plus port), and conversely. They
can also avoid to activate the privacy option so that obfuscation
is never done more than once.
Parameters of a privacy option are a privacy global prefix (PPm) and
a scrambling multiplier (PMm). The prefix is that which, at the
beginning of global addresses, is not obfuscated in the global
Internet. The multiplier is an odd constant.
Obfuscation consists in a modulo 2^n multiplication by the scrambling
multiplier, where n is the number of bits to be obfuscated. De-
obfuscation is the modulo 2^n multiplication by the inverse of the
scrambling multiplier (for odd numbers, such an inverse modulo 2^n
always exists).
In hosts in which the branch SAM is informed of an active privacy
option, applications that ask for their addresses and their ports at
their socket interface, get them in hidden form, that which appears
in the global Internet. The e2e model is thus preserved despite the
fact that the topology of the privacy-protected zone and that of
lower zones in the hierarchy are all hidden, and despite the fact
that successive transport connections from a same host cannot, in the
global Internet, be related to a single host.
Despres Expires September 25, 2009 [Page 13]
Internet-Draft Stateless Address Mapping (SAM) March 2009
Ports that are concerned with the privacy option are only the IANA
dynamic and/or private ports (ports 49152 to 65535, those starting
with binary 11). Well known ports and registered ports, which have
an e2e meaning not to be lost, must not be obfuscated.
Since some applications, e.g. active mode FTP of [RFC0959], work on
port pairs rather than on individual ports, port bits to be
obfuscated must exclude the last one. Port bits that are part of
obfuscated endpoint identifiers are then bits 2 to 14.
gY
^
|
...
e2e packet: gZij.F1.hhhh->gY [TCP hh->80 [data]]
^
|
gZij ROOT ZONE R
___________________________:________________________
|(Z) .---> (root SAM) |
Privacy-option ON / Ri |
for prefix PP1 = gZij.F1 ---' ^ LOCAL ZONE Z |
with multiplier PM1 | |
| | |
| ... |
encapsulated | [ Bk->Ri [ gZkij.cccc->gY [TCP cc->80 [data]] |
packet | |
| ^ |
| | |
| B |
|___________________________:________________________|
(branch SAM)
Clear-address packet: gZij.F1.cccc->gY [TCP cc->80 [data]]
e2e packet: gZij.F1.hhhh->gY [TCP hh->80 [data]]
where . tmp = modulo 2^m (PM1 x (cccc . (bits 2 to 14 of cc))
where m = length of cccc + length of cc - 3
. hhhh = bits 0 to (length of hhhh - 1) of tmp
. hh = cc in which bits 2-15 are replaced by
bits(length of PP1 TO m - 1) of tmp
PRIVACY OPTION ILLUSTRATION
Figure 6
Figure 6 illustrates the effect of the privacy option. The option is
supposed to be on in the root SAM of the zone, for its global prefix
Despres Expires September 25, 2009 [Page 14]
Internet-Draft Stateless Address Mapping (SAM) March 2009
gZij and its identifier format F1. The privacy-option prefix is
therefore PP1 = gZj.F1. The scrambling multiplier is PM1.
3.6. SAM parameters
Table 1 to Table 4 present the complete set of SAM parameters
described in previous sections.
+-----------------------+-----+
| Constant local prefix | TTL |
+-----------------------+-----+
| ... | ... |
| Pm | PTm |
| ... | ... |
+-----------------------+-----+
LOCAL PREFIXES
Table 1
+-------------------+-----+------------------+----------------------+
| Identifier Format | TTL | Subnet-index | Interfacet-index |
| Code | | Length | Length |
+-------------------+-----+------------------+----------------------+
| ... | ... | ... | ... |
| Fn | FTn | SLn | ILn |
| ... | ... | ... | ... |
+-------------------+-----+------------------+----------------------+
IDENTIFIER FORMATS
Table 2
+-----------+-----+----------+-------+-----+----------+-------+-----+
| Root | TTL | Global | TTL1 | ... | Global | TTLj | ... |
| local | | prefix 1 | | | prefix j | | |
| address | | | | | | | |
+-----------+-----+----------+-------+-----+----------+-------+-----+
| ... | ... | ... | ... | ... | ... | ... | ... |
| Ri | RTi | gZi1 | gZTi1 | ... | gZij | gZTij | ... |
| ... | ... | ... | ... | ... | ... | ... | ... |
+-----------+-----+----------+-------+-----+----------+-------+-----+
ROOT PARAMETERS
Table 3
Despres Expires September 25, 2009 [Page 15]
Internet-Draft Stateless Address Mapping (SAM) March 2009
+-----------------------+-----+---------------------------+
| Privacy-option Prefix | TTL | Privacy-option Multiplier |
+-----------------------+-----+---------------------------+
| ... | ... | ... |
| PPp | PTp | PMp |
| ... | ... | ... |
+-----------------------+-----+---------------------------+
PRIVACY OPTION
Table 4
3.7. Port range based extended IPv4 addressing
For a dual stack host not to break the e2e model when it establishes
a connection with an remote endpoint that is still only reachable in
IPv4, it must have a global IPv4 address. Because of the IPv4
address shortage, this address may however be shared with other
hosts. For this, SAM accepts "port-extended" IPv4 prefixes, longer
than 32 bits. Bits beyond the first 32 define a port range in the
set of dynamic and/or private ports (those in which the two high
order bits are binary 11). For example, a 3-bit prefix extension 010
imposes that branch-side hosts use only ports starting with binary
11010.
Note that, due to the systematic encapsulation of global packets in
local packets of SAM, routing within SAM zones is not concerned with
theses "port-extended" IPv4 addresses. Only root SAMs and branch
SAMs have to know about port ranges.
The branch SAM in a host that is assigned a port-restricted IPv4
address has to inform its socket interface of the port range
available to applications, and to inform its internal NAT if it has
one. Consequences for applications, and for NATs, of restricted port
ranges, are out of the scope of this SAM specification. Other
documents are available on the subject, e.g. [Boucadair], which
however requires further study.
4. SAM Application Examples
4.1. Private addressing in an IPv6 site
In the example of Figure 8, we consider a home or SOHO site in which
an Ethernet and/or WiFi LAN is deployed. Its global IPv6 prefix gZ
is 2001:0db8:9999::/48.
Local addressing is done in an IPv6 private space. To keep addresses
Despres Expires September 25, 2009 [Page 16]
Internet-Draft Stateless Address Mapping (SAM) March 2009
short in the figure, their constant prefix is fc00/8, the shortest
prefix reserved for private IPv6 addressing in [RFC4193]. (Note that
this prefix could be replaced by a full fdxx: xxxx:xxxx::/48 prefix,
as recommended in [RFC4193] for ULAs, without changing the substance
of the example.)
The site is configured to support 255 branch interfaces on the LAN
(each branch being indifferently a host and/or a router). To
facilitate future changes, a branch-identifier format code F1, set to
0/4, is used in branch global prefixes.
SAM parameters of the site are then following (ignoring TTLs):
Constant local prefix: P1 = fc00/8
Identifier format code: F1 = 0::/4
Subnet index length: SL1 = 0 (non applicable)
Interface index length: IL1 = 8
Root local address: R1 = fc00::0101
Zone Global prefix: gZ11 = 2001:0db8:9999::/48
Privacy option prefix: none in this example
We now consider a SAM-capable PC which serves as a router for a
bluetooth link. On this link, a bluetooth mobile phone is active.
(Configuring a root-SAM in the PC would permit the mobile phone, if
acting as a SAM-capable router, to assign global prefixes and
addresses to hosts behind it. But this would have been too much for
the example).
Despres Expires September 25, 2009 [Page 17]
Internet-Draft Stateless Address Mapping (SAM) March 2009
|
|
2001:0db8:9999::/48
_________________:_________________
|(Z) (root SAM) for 2^8 hosts |
Site | fc00::0101 |
gateway | |
| |
| fc00::0155 |
|_________________:_________________|
|
Ethernet and/or WiFi ...
fcOO::/64 |
(branch SAM)
=> + 2001:0db8:9999:0550::/60
__________:__________
|2001:0db8:9999:0558::|
PC | |
|_____________________|
/___________._________/
|
Bluetooth ...
2001:0db8:9999:0550::/64 |
|
2001:0db8:9999:0550:< eui64 IID >
|
|_|__
| |
Mobile phone | |
| |
|_____|
PRIVATE ADDRESSING IN AN IPV6 SITE
Figure 7
The PC local address B is fc00::0155, i.e. P.D.I where P is
fc00::/8, where the 8 bits of I are supposed to be 55::/8, and where
D is binary 00...01 with consequently (128 - 8 -8) = 112 bits.
The PC global prefix gB is therefore 2001:0db8:9999:0550::/60, i.e.
G.F.I, where G is 2001:0db8:9999::/48, where F is 0::/4, and where I
is 55::/8.
The PC global address is therefore 2001:0db8:9999:0558::, i.e. gB.E
where E is binary 10...00 with (128 - 48 - 4 - 8) = 68 bits.
Despres Expires September 25, 2009 [Page 18]
Internet-Draft Stateless Address Mapping (SAM) March 2009
The bluetooth link is supposed to have 0::/4 as subnet ID in the
PC.Its /64 subnet prefix is therefore 2001:0db8:9999:0550::/64.
This simple example illustrates how the SAM logic permits to
establish a hierarchy of routing zones where each host can become a
router, and where the e2e model is preserved.
4.2. Multihoming and Extended IPv4 addressing in a home site
In the example of Figure 8, we consider a home site S, multihomed
with two ISPs A and B.
ISP A assigns to the site IPv6 prefix 2001:1111:1111:1110::/60, and
IPv4 address 192.0.2.1.
ISP B can only assign port-restricted IPv4 addresses to its sites
because it has to support up to 2^16 sites, and has only for this an
IPv4 /18 prefix (namely 198.16.0.0/18, i.e. v4|c610:0000:/18), and
since 18 + 16 = 34 which exceeds 32. Having 2001:0db8::/32 as its
IPv6 prefix, it assigns /48s to its customer sites, in particular
2001:0db8:0202::/48 to site S.
Half of its IPv4 address space, namely v4|c610:2000/19 is allocated
to a NAT, to support sites that are not SAM capable. The other half,
i.e. v4|c610::/19, is allocated to a root SAM, the local address of
which is supposed to be 2001:0db8::1.
SAM parameters of the zone of ISP B are then the following:
Constant local prefix: P1 = 2001:0db8::/32
Identifier format code: F1 = ::/0 (non applicable)
Subnet index length: SL1 = 0 (non applicable)
Interface index length: IL1 = 16
Root local address: R1 = 2001:0db8::1:1
Zone Global prefix: gZ11 = v4|c610::/19 (=198.16.0.0/19).
Privacy option prefix: none in this example (::/0)
Despres Expires September 25, 2009 [Page 19]
Internet-Draft Stateless Address Mapping (SAM) March 2009
198.16.0.0/18
2001:0db8::/32 =v4|c610:0000:/18
____|__________________|____________
|(B) / \ |
| | v4|c610::/19 |
| v4|c610:2000/19 | |
| (NAT) (root SAM) |
| 0.0.0.0/0 2001:0db8::1 |
|(A) | | |
| | | |
|2001:1111:1111:1110::/60| | (2^16 SAM sites) |
| 192.0.2.1 | | |
| =v4|c000:0201/32 | | 2001:0db8:0202::/48 |
|________________:_______| |___________________:________________|
| (branch SAM)
| => + v4|c610:0040:4000::/35
| = 198.16.0.64 - ports 11010...
________________:______________________________:________________
|(S) / \ / \ |
| | v4|c000:0201::/33 | v4|c610:0040:4000::/36|
| | ::/0 | ::/0 |
| v4|c000:0201:8000::/33 | v4|c608:0040:6000::/36 | |
| (NAT) (root SAM) (NAT) (root SAM) |
| 0.0.0.0/0 fc00::0011 0.0.0.0/0 fc00::0012 |
| |
| (2^4 SAM hosts) |
| fc00::0018 |
|_____________________________:__________________________________|
|
HOST (H) (branch SAM)
=> + 2001:1111:1111:1118:8000::0008/64
+ 2001:0db8:0220:4800::0008/52
+ v4|c000:0201:4000::/37 = 192.0.2.1 - ports 1101000...
+ v4|c610:0040:4800::/40 = 198.16.0.64 - ports 1101001000...
: (64 ports)
HOST
E2E IPV6 ADDRESSING AND SHARED IPV4 ADDRESSES IN A MULTIHOMED SITE
Figure 8
In site S, the branch SAM of its root interface with ISP B derives
from its IPv6 prefix 2001:0db8:O2O2::/48, and from SAM parameters of
ISP B, its IPv4 prefix v4|c610:2040:4000::/35, which is a port-
restricted one.
The constant prefix of local addresses is fc00::/8. Two root SAMs
and two NATs are configured, each one having half the available IPv4
Despres Expires September 25, 2009 [Page 20]
Internet-Draft Stateless Address Mapping (SAM) March 2009
address space.
Parameters of SAMs of site S are the following:
Constant local prefix: P1 = fc00::/8
Identifier format code: F1 = 0::/4
Subnet index length: SL1 = 0 (non applicable)
Interface index length: IL1 = 8
Root local addresses: R1 = fc00::0011; R2 = fc00::0012
Zone Global prefixes: gZ11 = 2001:1111:1111:1110::/60; gZ12 = v4|
c000:0201/32; gz21 = 2001:0db8:0202::/48; gZ22 = v4| c610:0040:
4000::/35
Privacy option prefix: none in this example (::/0)
Among the 16 hosts of home site S, Host H is supposed to have local
address fc00::0018. As shown on the figure, the branch SAM of host H
then derives from this local address two IPv6 global prefixes, two
IPv6 global host addresses starting with these prefixes, and two
port-restricted IPv4 prefixes. With these prefixes, it can use,
without breaking the e2e model, 512 ports for connections via ISP A,
and 64 ports via ISP B.
5. Avoiding using NATs in IPv6 with SAM
With SAM as specified, all NAT44 services that have been listed in
Section 2 can be offered in IPv6 without stateful processing and
without breaking the e2e model:
1. In a private-addressing IPv6 site, hosts can know their global
addresses to use them in e2e packets that are encapsulated in
local packets to traverse the site. Renumbering is then
automated simply by automating advertisement of SAM parameter
changes (in DHCP and/or with router advertisements).
2. The fact that NAT44s are in general configured with by default
rejection of all incoming calls can have a simple stateless
equivalent in IPv6:
* By default, reject all incoming packets that have a branch-
side port in the well known or in the IANA defined registered
port ranges.
Despres Expires September 25, 2009 [Page 21]
Internet-Draft Stateless Address Mapping (SAM) March 2009
* By default, reject all TCP incoming packets that are attempts
to open new incoming connections (SYN packets without ACK).
3. In a SAM-capable site, SAM-capable hosts can take advantage of
site multihoming with full compatibility with ingress filtering
of [RFC3704] in both the site itself and in ISP networks to which
it is connected.
4. The privacy protection described in Section 3.5 maintains the e2e
model. It is expected to be largely sufficient in practice.
(Sophisticated hackers would probably find ways around it, and
identify who does what in sites havin the privacy-protection
option, but NAT44s are not perfect for privacy protection
either).
5. As we have seen, SAM global addresses contain a flexible
succession of branch identifiers, so that it becomes possible to
set up a flexible hierarchy of private addressing zones. In
particular, host-rooted subnets become possible without breaking
the e2e model.
For information, no intellectual property right has been applied for
by the author on any of SAM mechanisms. The intent is to facilitate
IPv6 deployment with new mechanisms that enhance its potential.
6. Security considerations
Like any function where some parameters have to be configured, SAM
introduces a risk of human errors.
Besides that, no security risk introduced by SAM has so far been
identified. In particular, provided consistency between local
addresses and global addresses are checked in root and branch SAMs,
as they must be, no new address spoofing possibility is introduced
with SAM.
SAM being stateless, its scalability is high. Prevention against
denial of service attacks should therefore be possible even for very
intense traffic (e.g. using load balancers in front of parallel
devices).
7. IANA Considerations
Standardizing ways to advertise SAM parameters to branch SAMs will,
in due time, imply some IANA number assignments.
Despres Expires September 25, 2009 [Page 22]
Internet-Draft Stateless Address Mapping (SAM) March 2009
8. Acknowledgements
As this specification has evolved during many months, precious
encouragement and remarks were received from Mark Townsley. He has
to be warmly thanked for it. Concerning what SAM can bring to port-
restricted IPv4 addresses, stimulating discussions with Dan Wing,
Teemu Savolainen, Gabor Bajko, Pierre Levis, Jean-Luc Grimault, and
Alain Villefranque, have influenced progress of the work. Gratitude
is due to them for this. Challenging remarks, and a few (deserved)
criticisms from Alain Durand have also helped to better analyze how
SAM will coexist with NATs. He deserves credit for it.
9. References
9.1. Normative References
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.
9.2. Informative References
[6rd] Despres, R., "IPv6 Rapid Deployment on IPv4
infrastructures (6rd) - Work in progress
(draft-despres-6rd-02)", October 2008.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations",
RFC 2663, August 1999.
[RFC3286] Ong, L. and J. Yoakum, "An Introduction to the Stream
Control Transmission Protocol (SCTP)", RFC 3286, May 2002.
[RFC3582] Abley, J., Black, B., and V. Gill, "Goals for IPv6 Site-
Multihoming Architectures", RFC 3582, August 2003.
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
Networks", BCP 84, RFC 3704, March 2004.
[RFC4219] Lear, E., "Things Multihoming in IPv6 (MULTI6) Developers
Should Think About", RFC 4219, October 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
Despres Expires September 25, 2009 [Page 23]
Internet-Draft Stateless Address Mapping (SAM) March 2009
[RFC4864] Van de Velde, G., Hain, T., Droms, R., Carpenter, B., and
E. Klein, "Local Network Protection for IPv6", RFC 4864,
May 2007.
[RFC4960] Stewart, R., "Stream Control Transmission Protocol",
RFC 4960, September 2007.
[RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
March 2008.
[draft-carpenter-renum-needs-work-01]
Carpenter, B., Atkinson, R., and H. Flinck, "Renumbering
still needs work - Work in progress", December 2008.
[shim6 fail detec]
Arkko, J. and I. van Beijnum, "Failure Detection and
Locator Pair Exploration Protocol for IPv6 Multihoming -
Work in progress (draft-ietf-shim6-failure-detection-09)",
July 2007.
[shim6 protocol]
Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
Shim Protocol for IPv6 - Work in progress
(draft-ietf-shim6-failure-detection-09)", October 2007.
Author's Address
Remi Despres
3 rue du President Wilson
Levallois,
France
Email: remi.despres@free.fr
Despres Expires September 25, 2009 [Page 24]