Network Working Group                                         C. Huitema
Internet-Draft                                     Microsoft Corporation
Obsoletes: 2765 (if approved)                                     C. Bao
Intended status: Standards Track       CERNET Center/Tsinghua University
Expires: February 22, 2010                                    M. Bagnulo
                                                                    UC3M
                                                            M. Boucadair
                                                          France Telecom
                                                                   X. Li
                                       CERNET Center/Tsinghua University
                                                         August 21, 2009


                IPv6 Addressing of IPv4/IPv6 Translators
             draft-ietf-behave-translator-addressing-00.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on February 22, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights



Huitema, et al.         Expires February 22, 2010               [Page 1]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   and restrictions with respect to this document.

Abstract

   This document discusses how an individual IPv6 address can be
   algorithmically translated to a corresponding IPv4 address, and vice
   versa, using only statically configured information.  This technique
   is used in IPv4/IPv6 translators, as well as other types of proxies
   and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  IPv6 Addresses Assigned to IPv6 Hosts  . . . . . . . . . .  4
     1.2.  IPv6 Addresses Used to Represent IPv4 Hosts  . . . . . . .  5
   2.  Prefix Selection . . . . . . . . . . . . . . . . . . . . . . .  5
     2.1.  Requirements . . . . . . . . . . . . . . . . . . . . . . .  5
       2.1.1.  IPv6 Routing System Scalability  . . . . . . . . . . .  6
       2.1.2.  Native Connectivity Preference for Dual-Stack Nodes  .  6
       2.1.3.  Referral Support . . . . . . . . . . . . . . . . . . .  7
       2.1.4.  Support for Multiple IPv4/IPv6 Translators . . . . . .  7
       2.1.5.  Appropriate Prefix Length  . . . . . . . . . . . . . .  8
       2.1.6.  Uniqueness . . . . . . . . . . . . . . . . . . . . . .  9
     2.2.  Types of Prefixes  . . . . . . . . . . . . . . . . . . . .  9
       2.2.1.  Network-Specific Prefix  . . . . . . . . . . . . . . .  9
       2.2.2.  Well-Known Prefix  . . . . . . . . . . . . . . . . . .  9
     2.3.  Scenario-Specific Discussion and Recommendations . . . . . 10
       2.3.1.  Scenario 1: an IPv6 network to the IPv4 Internet . . . 10
       2.3.2.  Scenario 2: the IPv4 Internet to an IPv6 network . . . 12
       2.3.3.  Scenario 3: the IPv6 Internet to an IPv4 network . . . 12
       2.3.4.  Scenario 4: an IPv4 network to the IPv6 Internet . . . 12
       2.3.5.  Scenario 5: an IPv6 network to an IPv4 network . . . . 12
       2.3.6.  Scenario 6: an IPv4 network to an IPv6 network . . . . 13
       2.3.7.  Scenario 7: the IPv6 Internet to the IPv4 Internet . . 13
       2.3.8.  Scenario 8: the IPv4 Internet to the IPv6 Internet . . 13
   3.  IPv6 Address Format and Translation Algorithms . . . . . . . . 13
     3.1.  Requirements . . . . . . . . . . . . . . . . . . . . . . . 13
     3.2.  Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . 15
       3.2.1.  IPv4-Mapped IPv6 Addresses . . . . . . . . . . . . . . 15
       3.2.2.  IPv4-Translatable Addresses  . . . . . . . . . . . . . 15
       3.2.3.  Zero-Pad And Embed . . . . . . . . . . . . . . . . . . 16
       3.2.4.  Compensation-Pad And Embed . . . . . . . . . . . . . . 16
       3.2.5.  Embed And Zero-Pad . . . . . . . . . . . . . . . . . . 17
       3.2.6.  Preconfigured Mapping Table  . . . . . . . . . . . . . 18
     3.3.  Scenario-Specific Discussion and Recommendations . . . . . 18
       3.3.1.  Scenario 1: an IPv6 network to the IPv4 Internet . . . 18
       3.3.2.  Scenario 2: the IPv4 Internet to an IPv6 network . . . 18



Huitema, et al.         Expires February 22, 2010               [Page 2]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


       3.3.3.  Scenario 3: the IPv6 Internet to an IPv4 network . . . 18
       3.3.4.  Scenario 4: an IPv4 network to the IPv6 Internet . . . 18
       3.3.5.  Scenario 5: an IPv6 network to an IPv4 network . . . . 19
       3.3.6.  Scenario 6: an IPv4 network to an IPv6 network . . . . 19
       3.3.7.  Scenario 7: the IPv6 Internet to the IPv4 Internet . . 19
       3.3.8.  Scenario 8: the IPv4 Internet to the IPv6 Internet . . 19
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 19
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 19
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20
   7.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 20
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 22
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 22
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23





































Huitema, et al.         Expires February 22, 2010               [Page 3]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


1.  Introduction

   This document is part of a series of IPv4/IPv6 translation documents.
   A framework for IPv4/IPv6 translation is discussed in
   [I-D.baker-behave-v4v6-framework], including a taxonomy of scenarios
   that will be used in this document.  Other documents specify the
   behavior of various types of translators and gateways, including
   mechanisms for translating between IP headers and other types of
   messages that include IP addresses.  This document specifies how an
   individual IPv6 address is translated to a corresponding IPv4
   address, and vice versa, in cases where an algorithmic mapping is
   used.  While specific types of devices are used herein as examples,
   it is the responsibility of the specification of such devices to
   reference this document for algorithmic mapping of the addresses
   themselves.

   In this document, an "IPv4/IPv6 translator" is an entity that
   translates IPv4 packets to IPv6 packets, and vice versa.  It may do
   "stateless" translation, meaning that there is no per-flow state
   required, or "stateful" translation where per-flow state is created
   when the first packet in a flow is received.

   In this document, an "address translator" is any entity that has to
   derive an IPv4 address from an IPv6 address or vice versa.  This
   applies not only to devices that do IPv4/IPv6 packet translation, but
   also to other entities that manipulate addresses, such as name
   resolution proxies (e.g., DNS64 [I-D.bagnulo-behave-dns64]) and
   possibly other types of Application Layer Gateways (ALGs).

   [OPEN ISSUE: addressing for encapsulation mechanisms such as Dual-
   Stack Lite, including use of port ranges, is currently treated as out
   of scope for this document.  Should such addressing be in scope?]

   In choosing a mapping between IPv4 and IPv6 addresses for a given
   scenario, there are two separate choices to make: choosing an IPv6
   prefix, and choosing an algorithm for constructing the remainder of
   the IPv6 address.  These two topics are covered in Section 2 and
   Section 3, respectively.

   Algorithmic derivation of an IPv4 address from an IPv6 address, or
   vice versa, is used with two different classes of IPv6 addresses,
   discussed in Section 1.1 and Section 1.2.

1.1.  IPv6 Addresses Assigned to IPv6 Hosts

   In an IPv6 network, IPv6 addresses are assigned to IPv6 hosts, and
   these IPv6 addresses need to be translated to IPv4 addresses that can
   be used by IPv4 hosts.  Such IPv4 addresses are not assigned to a



Huitema, et al.         Expires February 22, 2010               [Page 4]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   host, but packets destined to such addresses must be routed to an
   appropriate IPv4/IPv6 translator that handles a set of such IPv4
   addresses.  Thus, stateless address translation mechanisms typically
   put constraints on what IPv6 addresses can be assigned to IPv6 hosts
   that want to communicate with IPv4 destinations using an algorithmic
   mapping (although such hosts may have other IPv6 addresses used for
   other purposes such as link-local communication).  Without such
   constraints, stateful translation on such addresses must be done
   instead, which typically only supports initiation from the IPv6 side,
   and does not result in stable addresses that can be used in DNS and
   other protocols and applications that do not deal well with highly
   dynamic addresses.

   IPv6 addresses assigned to IPv6 hosts for use with stateless
   translation are referred to as "IPv4-translatable" IPv6 addresses in
   [RFC2765] although that term is also used to refer to a specific
   address format (defined in [RFC2765] section 2.1) and hence we avoid
   the use of this term herein except when referring to the specific
   IPv6 address format.

1.2.  IPv6 Addresses Used to Represent IPv4 Hosts

   In an IPv4 network, IPv4 addresses are assigned to IPv4 hosts, and
   these IPv4 addresses need to be translated to IPv6 addresses that can
   be used by IPv6 hosts.  Such IPv6 addresses are not assigned to a
   host, but packets destined to such addresses are routed to an
   appropriate IPv4/IPv6 translator that handles a set of such IPv6
   addresses.  Typically, there are no additional constraints put on the
   IPv4 addresses.  Unlike the addresses discussed in Section 1.1,
   algorithmic mapping of IPv6 addresses used to represent IPv4 hosts is
   used with both stateful and stateless translation.

   IPv6 addresses used to represent IPv4 hosts are referred to as "IPv4-
   mapped" IPv6 addresses in [RFC2765] although that term is also used
   to refer to a specific address format (defined in [RFC2765] section
   2.1) and hence we avoid the use of this term herein except when
   referring to the specific address format.


2.  Prefix Selection

   This section discusses the choice of IPv6 prefixes for use with the
   two classes of addresses outlined above.

2.1.  Requirements

   There are a number of important requirements to be considered for
   prefix selection.



Huitema, et al.         Expires February 22, 2010               [Page 5]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


2.1.1.  IPv6 Routing System Scalability

   One critical issue to consider to assess impact of the IPv6 prefix
   used is related to the scalability of the IPv6 routing system.  Since
   a goal of translation is to enable IPv4-only hosts and IPv6-only
   nodes to communicate, the IPv6 addresses used to represent IPv4 hosts
   need to be routable within the IPv6 network served by the IPv4/IPv6
   translator.  This implies that a prefix covering such addresses must
   be covered by one or more routes advertised in that IPv6 network.  In
   some scenarios a single IPv6 route may suffice, whereas other
   scenarios may require multiple (more specific) routes.  It is
   important, however, to avoid injecting an IPv6 route for every IPv4
   route in the Internet.

2.1.2.  Native Connectivity Preference for Dual-Stack Nodes

   When dual stack nodes are involved in communication, a potential
   issue arises if they prefer translated IPv4/IPv6 connectivity over
   native IPv4 or IPv6 connectivity.

   For communication initiated from an IPv6-only node towards a dual-
   stack node, there are two possibilities: communicating to the native
   IPv6 address of the destination, or communicating via an IPv4/IPv6
   translator to the IPv4 address of the destination (by using an IPv6
   address that is translated to the IPv4 address).  In some cases this
   may be solved by having the IPv6-only node only learn the native IPv6
   address and not the algorithmically derived one (e.g., by using a
   normal DNS resolver), but this is not possible in general due to the
   variety of mechanisms for learning the destination addresses (e.g.,
   referrals).  To cover those cases, an IPv6-only node SHOULD be able
   to distinguish a native IPv6 address from an IPv6 address used to
   represent an IPv4 host.

   For communication initiated from a dual-stack node toward an IPv4-
   only node, there are two possibilities: communicating to the native
   IPv4 address of the destination, or communicating via an IPv4/IPv6
   translator to the IPv4 address of the destination (by using an IPv6
   address that is translated to the IPv4 address).  In some cases, this
   may be solved by having the dual-stack node only learn the native
   IPv4 address and not the algorithmically derived one, but this is not
   possible in general due to the variety of mechanisms for learning the
   destination addresses.  Normally it is desirable for a dual-stack
   node to prefer an IPv6 destination address over an IPv4 destination
   address, but in this case the IPv6 destination address is worse
   because it will be translated.  Hence in general, a dual-stack node
   SHOULD be able to distinguish a native IPv6 address from an IPv6
   address used to represent an IPv4 host, so that the former can be
   preferred over an IPv4 destination address but not the latter.



Huitema, et al.         Expires February 22, 2010               [Page 6]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   [RFC3484] today provides the ability for IPv6-capable hosts to be
   configured with prefixes used for address sorting sufficient to solve
   the native connectivity preference issue.  However the gap today is
   that this requires manual configuration of all such hosts, which is
   not practical.

2.1.3.  Referral Support

   A referral operation is when a host A passes the IP address of a Host
   B to a third Host C as application data.  The Host C may then
   initiate communication towards Host B using the IP address received.

   At this point in time, there are several widely-available protocols
   that operate on the IPv4 Internet and perform referrals, including
   HTTP, DNS, SIP, and BitTorrent.  The analysis in [I-D.wing-behave-
   nat64-referrals] of SIP (which does referrals between IPv4 and IPv6)
   shows that SIP needs to refer IPv4 addresses, not IPv6 addresses.
   Thus, it doesn't matter what IPv6 prefix is used because an IPv6
   address isn't referred.

   [EDITOR'S NOTE: The wing document discusses BitTorrent but the text
   pulled above from draft-xli-behave-v4v6prefix section 5.1.2.1 only
   summarizes SIP.  Furthermore, it doesn't cover other widely-deployed
   protocols that do referrals such as HTTP or DNS and hence is
   inconclusive.  Finally, it's unclear whether it applies to IPv6
   addresses of IPv4 hosts or of IPv6 hosts, or both.  Hence, referral
   support is still considered an OPEN ISSUE.  Another OPEN ISSUE is
   whether to incorporate text from draft-wing-behave-nat64-referrals
   into this document.  Other protocols are covered in I-D.carpenter-
   behave-referral-object]

2.1.4.  Support for Multiple IPv4/IPv6 Translators

   For IPv6 addresses assigned to IPv6 hosts, the choice of translator
   used in the IPv4-to-IPv6 direction is determined by the IPv4 address
   it is mapped to, rather than by the choice of IPv6 prefix.

   For IPv6 addresses used to represent IPv4 hosts, the choice of
   translator used in the IPv6-to-IPv4 direction is determined by the
   IPv6 address, but is somewhat orthogonal to the choice of prefix.  In
   general, it is possible to use a single IPv6 prefix for multiple
   IPv4/IPv6 translators, or different prefixes for different IPv4/IPv6
   translators.  Using different prefixes can be achieved by inserting
   additional subnet bits after a common prefix such that each IPv4/IPv6
   translator uses a separate range of subnets.  Often only the common
   prefix needs to be configured (as opposed to each more-specific
   prefix) in other types of address translators such as DNS64 devices.




Huitema, et al.         Expires February 22, 2010               [Page 7]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   If the translation is stateful, routing must be configured to ensure
   that the return path flows through the same translator as the forward
   path.  (Stateless translation has no such requirement.)

2.1.5.  Appropriate Prefix Length

   This section discusses several issues related to prefix length
   selection.

2.1.5.1.  Routing Policy

   [EDITOR'S NOTE: The text below needs to be rewritten somewhat.  It's
   currently hard to follow, and is missing justification for its
   statements.]

   The major issue for selecting the prefix length is the routing
   policy.  If IPv4/IPv6 translation is implemented within a subnet,
   then a /96 should be fine.  However, if IPv4/IPv6 translation is
   implemented in an ISP's backbone, then the minimum prefix should be
   /64 and in some cases should be /48.

2.1.5.2.  Forwarding Efficiency

   According to current specifications [EDITOR'S NOTE: need reference],
   routers must handle routes containing prefixes of any valid length,
   from 0 to 128.  However, some users have reported that routers
   exhibit worse performance when routing using prefixes longer than 80
   bits.  This implies that using routes with prefixes of 80 bits or
   fewer would result in better performance in some cases.

2.1.5.3.  EUI-64 Format

   The use of a prefix length longer than 64 bits may affect the
   Interface Identifier format.  Specifically, [RFC4291] section 2.5.1
   requires that for all unicast addresses, except those that start with
   the binary value 000, Interface IDs are required to be 64 bits long
   and to be constructed in Modified EUI-64 format.  While any method
   can be used to construct a Modified EUI-64, the format requires the
   71st bit (the universal/local bit) to be set with specific meaning,
   and hence it is not available for use by an address format unless the
   prefix starts with binary 000.

   Furthermore, for IPv6 addresses assigned to IPv6 hosts, the prefix
   must be 64 bits or less in order to work with stateless address
   autoconfiguration [RFC4862] on most links.






Huitema, et al.         Expires February 22, 2010               [Page 8]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


2.1.6.  Uniqueness

   An IPv6 address used to represent an IPv4 host must be unique (i.e.,
   not ambiguously map to multiple possible IPv4 hosts) within the IPv6
   network that can use that address.  For example, since private IPv4
   addresses can be reused within multiple IPv4 networks, an IPv6
   network that connects to multiple such IPv4 networks cannot rely on
   the IPv4 address to provide uniqueness.

2.2.  Types of Prefixes

   A prefix may be intended for use in IPv6 addresses assigned to IPv6
   hosts, or for use in IPv6 addresses used to represent IPv4 hosts.  In
   either case, there are two types of prefixes that can be used.

2.2.1.  Network-Specific Prefix

   IPv6 prefixes are assigned to a network operator by its regional
   internet registrar (RIR).  From an IPv6 prefix assigned to the
   operator, the operator chooses a longer prefix for use by the
   operator's translator(s).  Hence a given IPv4 address would have
   different IPv6 representations in different networks that use
   different prefixes.  A network-specific prefix is also known as a
   Local Internet Registry (LIR) prefix.

   If the network operator is an ISP that has been allocated a /32 or
   shorter, then it may be possible for the ISP to allocate a fairly
   short prefix such as a /40.  However, if the network operator is an
   end site with a /48, then the prefixes for the translator would be
   much longer, such as a /56.  Using a /56 prefix still leaves 24 bits
   that can be used (without routing on prefixes longer than 80 bits)
   for routes via different translators.  However, since a prefix that
   originates from an RIR will not start with binary 000, the use of the
   71st bit cannot be used by any format with a network-specific prefix.

2.2.2.  Well-Known Prefix

   A well-known prefix is an IPv6 prefix assigned by IANA for use in an
   algorithmic mapping.  Hence a given IPv4 address would have the same
   IPv6 representation in all networks that use the same well-known
   prefix.

   Rather than requiring manual configuration of the IPv6 prefixes in
   each device in a network (and for each network to which a given
   device can connect), a well-known prefix can be implemented by
   default until there exists a protocol to learn the policies.  Using a
   network-specific prefix allows no such factory defaults.




Huitema, et al.         Expires February 22, 2010               [Page 9]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   Another benefit of a well-known prefix over a network-specific prefix
   is that a short prefix length can be used, allowing greater
   flexibility in the choice of format and support for multiple
   translators, while not requiring routing on prefixes longer than 80
   bits.

   Finally, a well-known prefix can start with binary 000, allowing the
   use of all subsequent bits.

   Two examples of well-known prefixes, as specified in [RFC2765]
   section 2.1, are:
   o  IPv4-mapped: This prefix is 0:0:0:0:0:ffff::/96, and addresses in
      this prefix are used to represent IPv4 hosts.
   o  IPv4-translatable: This prefix is 0:0:0:0:ffff:0::/96, and
      addresses in this prefix are assigned to IPv6 hosts.  However,
      since this prefix is longer than /64, this prefix does not work
      with stateless address autoconfiguration.  Hence some other
      mechanism for configuring IPv6 hosts must be used with this
      prefix.

   Note that both of the above prefixes start with binary 000, and hence
   there is no issue with the 71st bit.

2.3.  Scenario-Specific Discussion and Recommendations

   In this section we discuss four topologies in which IPv4/IPv6
   translation is interesting.  In each topology, initiating
   communication can be attempted from either the IPv4 side or the IPv6
   side, though it may or may not be supported.

2.3.1.  Scenario 1: an IPv6 network to the IPv4 Internet

   [EDITOR'S NOTE: draft-xli-behave-v4v6-prefix-00 section 5.1.1.2 was
   hard to follow, and contained some statements that got significant
   pushback on the list.  This section tries to take these into account,
   but there may still be some points missing.]

   The figure below shows an IPv6 network connected to the IPv6
   Internet, and also to the IPv4 network via an IPv4/IPv6 translator.

          ________                    _______       ________
         /        \   +----------+   /  An   \     /        \
        |  IPv4    |--|IPv4/IPv6 |--|  IPv6   |---|  IPv6    |
         \Internet/   |Translator|   \Network/     \Internet/
          --------    +----------+    -------       --------

   For the IPv6 prefix used to represent IPv4 hosts, all IPv6-capable
   devices served by the translator SHOULD be configurable with



Huitema, et al.         Expires February 22, 2010              [Page 10]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   preference policies consistent with [RFC3484], and SHOULD default to
   having the Well-Known Mapped Prefix defined in Section 5 in this
   table, with a lower preference than either native IPv4 or native IPv6
   addresses.

   Similarly, all address translators MUST be configurable with the IPv6
   prefix to use to represent IPv4 hosts, and SHOULD use the Well-Known
   Mapped Prefix unless configured with a network-specific prefix.

   When any well-known prefix is used by a given network, it MUST NOT be
   advertised into the IPv6 Internet, to prevent pollution of the global
   IPv6 routing table by elements of the IPv4 routing table.  Therefore,
   a site which also has a native IPv6 connection MUST NOT advertise a
   well-known prefix on that connection, and native IPv6 network
   operators MUST filter out and discard any prefix routing
   advertisements for the well-known prefix.

   Furthermore, to avoid being used as transit, the IPv6 network MUST
   NOT advertise into the IPv6 Internet the IPv6 prefix used to
   represent IPv4 hosts, regardless of whether it is network-specific or
   well-known.  This is easy to ensure when the IPv6 prefix used to
   represent IPv4 hosts is disjoint from the IPv6 prefix used to
   represent IPv6 hosts.

   For the IPv6 prefix used to assign addresses to IPv6 hosts, the use
   differs between stateless and stateful translation.

2.3.1.1.  Stateful Translation

   When stateful translation is used, the choice of IPv6 prefix for
   addresses assigned to IPv6 hosts is unaffected, since algorithmic
   mapping is not used for these addresses.

2.3.1.2.  Stateless Translation

   "An IPv6 network" will advertise to the IPv4/IPv6 translator the
   prefix for IPv6 addresses assigned to IPv6 hosts (and similarly the
   IPv4/IPv6 translator will advertise into "an IPv6 network" the IPv6
   prefix used to represent IPv4 hosts).

   On the other side, towards the IPv6 Internet, the IPv6 network
   advertises into the IPv6 Internet an IPv6 prefix for IPv6 addresses
   assigned to IPv6 hosts.  This prefix, used to be reachable from the
   IPv6 Internet, may or may not be the same as the prefix used to
   assign to hosts IPv6 addresses that are reachable from the IPv4
   Internet, but it seems simplest to only require one prefix (and hence
   one global IPv6 address per host).




Huitema, et al.         Expires February 22, 2010              [Page 11]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


2.3.2.  Scenario 2: the IPv4 Internet to an IPv6 network

   The considerations are the same as in scenario 1, except that
   stateful translation only supports initiation from the IPv6 side, and
   hence only stateless translation can be used in this scenario.

2.3.3.  Scenario 3: the IPv6 Internet to an IPv4 network

   For this scenario, shown in the following figure, only stateful
   translation can be used in general, and an algorithmic mapping is not
   relevant for IPv6 addresses assigned to IPv6 hosts since they are not
   under the control of the same organization as the translator.  (Note
   that algorithmic mapping can be used if communication with only a
   small subset of the IPv6 Internet is supported.  That scenario is
   covered in Section 2.3.6.)

          ________                    _______       ________
         /        \   +----------+   /  An   \     /        \
        |  IPv6    |--|IPv4/IPv6 |--|  IPv4   |---|  IPv4    |
         \Internet/   |Translator|   \Network/     \Internet/
          --------    +----------+    -------       --------

   For IPv6 addresses used to represent the IPv4 hosts, the following
   considerations apply.  If the IPv4 network uses private IPv4
   addresses, a well-known prefix will not work since there is no
   distinction among IPv4 networks using the same private IPv4 address
   block.  Therefore, a network-specific prefix MUST be used.  If the
   IPv4 network uses public IPv4 addresses, it will inject a route into
   the IPv6 routing table pointing to its translator(s).  Hence the
   routing scalability requirement requires that an IPv6 network-
   specific prefix again MUST be used.

2.3.4.  Scenario 4: an IPv4 network to the IPv6 Internet

   The considerations are the same as in scenario 3, except that
   stateful translation only supports initiation from the IPv6 side, and
   hence only stateless translation can be used in this scenario.

2.3.5.  Scenario 5: an IPv6 network to an IPv4 network

   TO BE FILLED IN

       ________       _______                    _______       ________
      /        \     /  An   \   +----------+   /  An   \     /        \
     |  IPv4    |---|  IPv4   |--|IPv4/IPv6 |--|  IPv6   |---|  IPv6    |
      \Internet/     \Network/   |Translator|   \Network/     \Internet/
       --------       -------    +----------+    -------       --------




Huitema, et al.         Expires February 22, 2010              [Page 12]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


2.3.6.  Scenario 6: an IPv4 network to an IPv6 network

   The considerations are the same as in scenario 5, except that
   stateful translation only supports initiation from the IPv6 side, and
   hence only stateless translation can be used in this scenario.

2.3.7.  Scenario 7: the IPv6 Internet to the IPv4 Internet

   This scenario need not be supported.

          ________                    ________
         /        \   +----------+   /        \
        |  IPv4    |--|IPv4/IPv6 |--|   IPv6   |
         \Internet/   |Translator|   \Internet/
          --------    +----------+    --------

2.3.8.  Scenario 8: the IPv4 Internet to the IPv6 Internet

   This scenario need not be supported.


3.  IPv6 Address Format and Translation Algorithms

   There are multiple mechanisms used today to algorithmically map
   between an IPv6 address and an IPv4 address, and more may be defined
   over time.  In this section, we first present a set of requirements
   for such mechanisms, and then evaluate a number of existing
   mechanisms.

3.1.  Requirements
   1.  An algorithm MUST be one-to-one and reversible.
   2.  Unless the IPv6 prefix starts with binary 000, an address format
       MUST NOT use the 71st bit for any purpose other than indicating
       universal/local as specified in [RFC4291],
   3.  An IPv6 address format SHOULD provide support for multiple IPv4/
       IPv6 translators using different routes advertised into the IPv6
       network (and different routes advertised into the IPv4 network).
   4.  An IPv6 address format intended to be used with a stateless
       translator SHOULD be checksum-neutral.  That is, the IPv6 address
       and its corresponding IPv4 address should result in the same
       one's complement checksum to avoid having to parse or modify the
       transport header.  Simply relying on an administrator to choose a
       checksum-neutral prefix is tricky and hence error-prone.  An
       algorithm that automatically compensates no matter what the
       administrator types is less harmful that one that does not.  Note
       that checksum-neutral translation only benefits stateless
       translators that maintain a one-to-one mapping between an IPv4
       address and an IPv6 address, since otherwise it has to have



Huitema, et al.         Expires February 22, 2010              [Page 13]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


       transport-specific behavior anyway.
   5.  For ease of readability and debugging, an IPv6 address format
       that is not designed to intentionally hide the IPv4 address
       SHOULD allow accepting and/or displaying an embedded IPv4 address
       in dotted-decimal form.  This is done today for a variety of
       address formats (e.g., IPv4-mapped and IPv4-translatable
       addresses as discussed below, IPv4-compatible addresses which
       were deprecated by [RFC4291] Section 2.5.5.1, and ISATAP
       [RFC5214] addresses).  Per [RFC4291] Section 2.2, this can only
       be done when the embedded IPv4 address appears in the low-order
       32 bits.  It is not done when an IPv4 address is embedded
       elsewhere in the address (as in a 6to4 address).  Displaying an
       address using dotted-decimal can only be done when some other
       portion of the IPv6 address is used to indicate displaying the
       low-order 32 bits in dotted-decimal form.
   6.  When the IPv4 network is a private network for which the topology
       is considered sensitive information, the algorithm SHOULD provide
       a way to hide the details of the internal IPv4 subnetting scheme.
       Note that there may be other mechanisms of discovering the
       topology beyond merely inspecting addresses, so while this is not
       sufficient in itself, it is a necessary component of any larger
       solution.  Also note that providing this capability conflicts
       with the requirement 5.
   7.  An algorithm MAY provide the ability to hide an IPv4 address from
       "helpful" IPv4 NATs.  Consider the scenarios depicted below with
       IPv4 NATs that attempt to be "helpful" by looking for the NAT's
       public IPv4 address in inbound application payloads and then
       translating it to a private IPv4 address, and similarly
       translating a private IPv4 address to the NAT's public IPv4
       address in outbound payloads.  While this can break applications
       since the same bytes that appear in the IPv4 address can appear
       normally in the payload purely by coincidence, the fact remains
       that many NATs have been observed to do this in an attempt to
       make other protocols work.

       In the first scenario (an IPv6 address assigned to an IPv6 host),
       an IPv4 NAT has IPv4 public address Y, and an address translator
       uses IPv4 address X to map to an IPv6 address assigned to the
       IPv6 host.  If the IPv6 host sends an application payload that
       includes an IPv6 address that directly embeds X (e.g.,
       ::ffff:0:X) then this may be translated by the IPv4 NAT to
       ::ffff:0:Y, and similarly if the IPv4 host sends an application
       payload that includes ::ffff:0:Y then this may be translated by
       the IPv4 NAT to ::ffff:0:X. This may or may not be desirable.

                                              ________
                       X                 Y   /  IPv4  \
   IPv6 ---- IPv4/IPv6 ------- "Helpful" ---| Internet |- IPv4



Huitema, et al.         Expires February 22, 2010              [Page 14]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   Host      Translator         IPv4 NAT     \________/   Host


       In the second scenario (an IPv6 address used to represent an IPv4
       host), the IPv4 NAT has public address Y, and the IPv4 host
       behind it has address Z. If the IPv6 host sends an application
       payload that includes an IPv6 address that directly embeds Y
       (e.g., ::ffff:Y) then this may be translated by the IPv4 NAT to
       ::ffff:Z, and similarly if the IPv4 host sends an application
       payload that includes ::ffff:Z then this may be translated by the
       IPv4 NAT to ::ffff:Y. This may or may not be desirable.

                           ________
                          /  IPv4  \     Y             Z
   IPv6 ---- IPv4/IPv6 --| Internet |----- "Helpful" --- IPv4
   Host      Translator   \________/        IPv4 NAT     Host


       As a result, protocols such as Teredo [RFC4380] and STUN
       [RFC5389] today avoid such problems by obscuring the IPv4 address
       using XOR.

       Note that providing this capability conflicts with requirement 5,
       but anything that meets requirement 6 will also meet this
       requirement.

3.2.  Mechanisms

   In this section we discuss a number of mechanisms for algorithmic
   mapping.  [EDITOR'S NOTE: currently the subsections are ordered from
   most specific to most general.  Would the opposite order be more or
   less readable?]

3.2.1.  IPv4-Mapped IPv6 Addresses

   IPv4-mapped IPv6 addresses are defined in [RFC4291] Section 2.5.5.2
   as IPv6 addresses used to represent IPv4 hosts, using the format
   ::ffff:a.b.c.d, where a.b.c.d is the corresponding IPv4 address.
   IPv4-mapped IPv6 addresses are used both on the wire ([RFC2765]) when
   translation is done in the network, as well as within hosts (e.g.,
   [RFC3493]) when translation is done in the end system.  This format
   was designed to be checksum-neutral, and obviously uses a well-known
   prefix.  It is widely deployed in host operating systems today.

3.2.2.  IPv4-Translatable Addresses

   IPv4-translatable addresses (also known as IPv4-translated addresses)
   are defined in [RFC2765] Section 2.1 as addresses assigned to IPv6



Huitema, et al.         Expires February 22, 2010              [Page 15]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   hosts, using the format ::ffff:0:a.b.c.d, where a.b.c.d is a
   corresponding IPv4 address used by a translator.  IPv4-translatable
   addresses are used on the wire ([RFC2765]) when translation is done
   in the network.  Hypothetically they could be used within hosts when
   translation is done in the end system, but there is no specification
   of this at present.  This format was also designed to be checksum-
   neutral, and obviously uses a well-known-prefix.  It is not known to
   be widely deployed today.

   OPEN ISSUE: Should IPv4-translatable addresses be deprecated by this
   document, or should it continue to be used as the well-known default
   prefix for this purpose?  For now, we assume it will continue to be
   used as the well-known default prefix for this purpose.

3.2.3.  Zero-Pad And Embed

   In this mechanism, the IPv4 address is placed in the last 32-bits,
   after a 96-bit configured prefix.  That is, a well-known or network-
   specific prefix is zero-padded to 96 bits.  This is referred to as
   PREFIX::/96 in the deprecated [RFC2766], resulting in addresses of
   the form PREFIX::a.b.c.d, where a.b.c.d is the corresponding IPv4
   address.  Note that typically the dotted-decimal form can only be
   used for input and in documentation, but not display since display
   would require the PREFIX to be known to all displaying systems to
   indicate the use of dotted-decimal.

   |                96 bits                    |      32 bits        |
   +-------------------------------------------+---------------------+
   |                PREFIX                     |    IPv4 address     |
   +-------------------------------------------+---------------------+

   This format is not checksum-neutral unless the PREFIX is checksum-
   neutral.  Hence, a well-known prefix can ensure checksum neutrality,
   but using this format with network-specific prefixes in general
   cannot.

   The universal/local bit in the Modified EUI-64 occurs in the prefix
   and MUST be set to zero unless the IPv4 address is known to be global
   (but can be set to zero even if it is known to be global).

   Note that IPv4-mapped and IPv4-translatable addresses are a special
   case of this mechanism, where the PREFIX is well-known.

3.2.4.  Compensation-Pad And Embed

   This potential mechanism is the same as Zero-Pad And Embed
   (Section 3.2.3), except that it provides checksum neutrality and
   hence benefits stateless IPv4/IPv6 translators.  A configured well-



Huitema, et al.         Expires February 22, 2010              [Page 16]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   known or network-specific PREFIX::/80 is followed by 16 bits that
   result in the first 96 bits being checksum-neutral.

   |                80 bits               | 16 |      32 bits        |
   +--------------------------------------+----+---------------------+
   |                PREFIX                |comp|    IPv4 address     |
   +--------------------------------------+----+---------------------+

   The universal/local bit in the Modified EUI-64 occurs in the prefix
   and MUST be set to zero unless the IPv4 address is known to be global
   (but can be set to zero even if it is known to be global).

3.2.5.  Embed And Zero-Pad

   In this mechanism (often referred to as "IVI"), the IPv4 address is
   embedded immediately after a routable prefix, and then zero-padded at
   the end.

   |           n bits         |      32 bits        |    96-n bits   |
   +--------------------------+---------------------+----------------+
   |           PREFIX         |    IPv4 address     |      Zero      |
   +--------------------------+---------------------+----------------+

   [EDITOR'S NOTE: draft-baker-behave-v4v6-framework disallowed PREFIX
   being 64-95 bits long, without explanation.  IPv6 addresses used to
   represent IPv4 hosts should be fine to use prefixes of other lengths.
   Hence suggested clarifying text below.  For IPv6 addresses assigned
   to IPv6 hosts, kept the restriction though I do not understand why
   this is needed and hence still consider this an OPEN ISSUE.]

   The IPv4 address is intended to straddle the boundary between the
   prefix used in routable tables and the bits in the host portion.  For
   IPv6 addresses assigned to IPv6 hosts, this would require a PREFIX of
   length 32..63 bits.  For IPv6 addresses used to represent IPv4 hosts,
   any PREFIX length is sufficient.

   However, if the PREFIX is a network-specific prefix, rather than a
   well-known prefix, this mechanism requires the prefix to be less than
   38 bits (so that the IPv4 address would end prior to the universal/
   local bit), or at least 71 bits (so that the IPv4 address would begin
   after the universal/local bit).

   Note that Zero-Pad and Embed can be considered to be a special case
   of this mechanism, where the PREFIX is 96 bits and the SUFFIX is 0
   bits.






Huitema, et al.         Expires February 22, 2010              [Page 17]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


3.2.6.  Preconfigured Mapping Table

   In this, the most general, mechanism, an IPv4/IPv6 address translator
   is preconfigured with a mapping table including all legal pairs.  Any
   IPv6 and IPv4 addresses can be used.  This mechanism is not checksum-
   neutral.  Since the IPv4 address is not embedded in any way, it need
   not reveal any details of the IPv4 topology, and minimizes issues
   with "helpful" IPv4 NATs.

3.3.  Scenario-Specific Discussion and Recommendations

   In this section we discuss four topologies in which IPv4/IPv6
   translation is interesting.  In each topology, initiating
   communication can be attempted from either the IPv6 side or the IPv4
   side.

3.3.1.  Scenario 1: an IPv6 network to the IPv4 Internet

   Since the IPv4 network is the Internet, there is negligible value in
   trying to hide the topology details of the IPv4 network and hence
   requirement 6 does not apply.  The other requirements all apply
   normally.

   TO BE FILLED IN

3.3.2.  Scenario 2: the IPv4 Internet to an IPv6 network

   The considerations are the same as in scenario 1, except as follows.

   TO BE FILLED IN

3.3.3.  Scenario 3: the IPv6 Internet to an IPv4 network

   In this scenario, only stateful translation can be used and hence
   requirement 4 (checksum-neutrality) does not apply.  The other
   requirements all apply normally.

   TO BE FILLED IN

3.3.4.  Scenario 4: an IPv4 network to the IPv6 Internet

   The considerations are the same as in scenario 3, except as follows.

   TO BE FILLED IN







Huitema, et al.         Expires February 22, 2010              [Page 18]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


3.3.5.  Scenario 5: an IPv6 network to an IPv4 network

   Typically the IPv4 network and the IPv6 network are managed by the
   same organization in this scenario, and hence it is not necessary to
   hide the topology details of the IPv4 network and requirement 6 does
   not apply in this case.  The other requirements all apply normally.

   TO BE FILLED IN

3.3.6.  Scenario 6: an IPv4 network to an IPv6 network

   The considerations are the same as in scenario 5, except as follows.

   TO BE FILLED IN

3.3.7.  Scenario 7: the IPv6 Internet to the IPv4 Internet

   This scenario need not be supported.

3.3.8.  Scenario 8: the IPv4 Internet to the IPv6 Internet

   This scenario need not be supported.


4.  Security Considerations

   The prefix and format need to be the same among multiple devices in
   the same network (e.g., hosts that need to prefer native over
   translated addresses, DNS gateways, and IPv4/IPv6 translators).  As
   such, the means by which they are learned/configured must be secure.
   Specifying a default prefix and/or format in implementations provides
   one way to configure them securely.  Any alternative means of
   configuration is responsible for specifying how to do so securely.


5.  IANA Considerations

   A future version of this memo will request an IPv6 prefix assignment
   as a Well-Known Mapped Prefix, that is used to represent IPv4 hosts,
   and which must start with binary 000.

   [EDITOR'S NOTE: 0/8 is reserved by the IETF (and not allocated by
   IANA), so all that is needed is to specify the prefix herein since it
   is an allocation from IETF not from IANA.]

   OPEN ISSUE: The prefix length of this block has not yet been
   determined.  Some possibilities are /16, /32, /48 or /96.




Huitema, et al.         Expires February 22, 2010              [Page 19]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


6.  Acknowledgements

   Many people in the Behave WG have contributed to the discussion that
   led to this document, including Andrew Sullivan, Andrew Yourtchenko,
   Brian Carpenter, Congxiao Bao, Dan Wing, Ed Jankiewicz, Fred Baker,
   Hiroshi Miyata, Iljitsch van Beijnum, John Schnizlein, Keith Moore,
   Kevin Yin, Magnus Westerlund, Marcelo Bagnulo Braun, Margaret
   Wasserman, Masahito Endo, Phil Roberts, Philip Matthews, Remi Denis-
   Courmont, Remi Despres, William Waites and Xing Li.


7.  Contributors

   The following individuals co-authored drafts from which text has been
   incorporated, and are listed in alphabetical order.




































Huitema, et al.         Expires February 22, 2010              [Page 20]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


       Dave Thaler
       Microsoft Corporation
       One Microsoft Way
       Redmond, WA  98052
       USA

       Phone: +1 425 703 8835
       Email: dthaler@microsoft.com

       Congxiao Bao
       CERNET Center/Tsinghua University
       Room 225, Main Building, Tsinghua University
       Beijing,   100084
       China
       Phone: +86 62785983
       Email: congxiao@cernet.edu.cn

       Fred Baker
       Cisco Systems
       Santa Barbara, California  93117
       USA
       Phone: +1-408-526-4257
       Fax:   +1-413-473-2403
       Email: fred@cisco.com

       Hiroshi Miyata
       Yokogawa Electric Corporation
       2-9-32 Nakacho
       Musashino-shi, Tokyo  180-8750
       JAPAN
       Email: h.miyata@jp.yokogawa.com

       Marcelo Bagnulo
       Universidad Carlos III de Madrid
       Av. Universidad 30
       Leganes, Madrid  28911
       ESPANA
       Email: marcelo@it.uc3m.es

       Xing Li
       CERNET Center/Tsinghua University
       Room 225, Main Building, Tsinghua University
       Beijing,   100084
       China
       Phone: +86 62785983
       Email: xing@cernet.edu.cn





Huitema, et al.         Expires February 22, 2010              [Page 21]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


8.  References

8.1.  Normative References

   [RFC2026]  Bradner, S., "The Internet Standards Process -- Revision
              3", BCP 9, RFC 2026, October 1996.

   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
              Architecture", RFC 4291, February 2006.

8.2.  Informative References

   [I-D.bagnulo-behave-dns64]
              Bagnulo, M., Sullivan, A., Matthews, P., Beijnum, I., and
              M. Endo, "DNS64: DNS extensions for Network Address
              Translation from IPv6 Clients to  IPv4 Servers",
              draft-bagnulo-behave-dns64-02 (work in progress),
              March 2009.

   [I-D.baker-behave-v4v6-framework]
              Baker, F., Li, X., and C. Bao, "Framework for IPv4/IPv6
              Translation", draft-baker-behave-v4v6-framework-02 (work
              in progress), February 2009.

   [I-D.wing-behave-nat64-referrals]
              Wing, D., "Referrals Across a NAT64",
              draft-wing-behave-nat64-referrals-00 (work in progress),
              March 2009.

   [RFC2765]  Nordmark, E., "Stateless IP/ICMP Translation Algorithm
              (SIIT)", RFC 2765, February 2000.

   [RFC2766]  Tsirtsis, G. and P. Srisuresh, "Network Address
              Translation - Protocol Translation (NAT-PT)", RFC 2766,
              February 2000.

   [RFC3484]  Draves, R., "Default Address Selection for Internet
              Protocol version 6 (IPv6)", RFC 3484, February 2003.

   [RFC3493]  Gilligan, R., Thomson, S., Bound, J., McCann, J., and W.
              Stevens, "Basic Socket Interface Extensions for IPv6",
              RFC 3493, February 2003.

   [RFC4380]  Huitema, C., "Teredo: Tunneling IPv6 over UDP through
              Network Address Translations (NATs)", RFC 4380,
              February 2006.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless



Huitema, et al.         Expires February 22, 2010              [Page 22]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


              Address Autoconfiguration", RFC 4862, September 2007.

   [RFC5214]  Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
              Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
              March 2008.

   [RFC5389]  Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
              "Session Traversal Utilities for NAT (STUN)", RFC 5389,
              October 2008.


Authors' Addresses

   Christian Huitema
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052-6399
   U.S.A.

   Email: huitema@microsoft.com


   Congxiao Bao
   CERNET Center/Tsinghua University
   Room 225, Main Building, Tsinghua University
   Beijing,   100084
   China

   Phone: +86 10-62785983
   Email: congxiao@cernet.edu.cn


   Marcelo Bagnulo
   UC3M
   Av. Universidad 30
   Leganes, Madrid  28911
   Spain

   Phone: +34-91-6249500
   Fax:
   Email: marcelo@it.uc3m.es
   URI:   http://www.it.uc3m.es/marcelo









Huitema, et al.         Expires February 22, 2010              [Page 23]


Internet-Draft  IPv6 Addressing of IPv4/IPv6 Translators     August 2009


   Mohamed Boucadair
   France Telecom
   3, Av Francois Chateaux
   Rennes  350000
   France

   Email: mohamed.boucadair@orange-ftgroup.com


   Xing Li
   CERNET Center/Tsinghua University
   Room 225, Main Building, Tsinghua University
   Beijing,   100084
   China

   Phone: +86 10-62785983
   Email: xing@cernet.edu.cn


































Huitema, et al.         Expires February 22, 2010              [Page 24]