Concluded WG Tunneling Configuration (tc)
Note: The data for concluded WGs is occasionally incorrect.
|Area||Internet Area (int)|
|Personnel||Chairs||Alain Durand, Dr. Thomas Narten|
Final Charter for Working Group
ISPs will likely deploy IPv6 incrementally, meaning that parts, rather
than all of their networks will support native IPv6 service. They will
need a way to provide IPv6 service to customers without requiring that
native IPv6 service be provided on the access link. Automatic
transition mechanisms like 6to4, teredo do not really leverage the
infrastructure the ISP had put in place and offer little insight on
how to gradually introduce native IPv6 in the access network.
Configured tunnels are better suited for the job, and a number of
deployments have been undertaken using the tunnel broker approach.
However, the lack of standard on how to configure those tunnels
remains a serious obstacle and manual configuration of all the
parameters is a significant burden for typical customers.
It is assumed that the ISP has upgraded its core network and has
global IPv6 connectivity. It is also assumed that the ISP has obtained
global address space (that it will delegate to its customers), either
from an RIR or an upstream ISP. They key point is that the ISP does
not (yet) provide native IPv6 access to all of its customers, but does
want to provide an IPv6-over-IPv4 tunneling service. It is also
assumed that large ISPs will have multiple POPs, and roaming customers
will want to use a tunnel service topologically close to the current
POP, rather than always using the same one.
Access media assumptions:
No assumptions are made on the access network. They will have high or
low bandwidth, high or low latency, high or low access cost, and there
will be more or less secure. Especially in the case of wireless access
network, confidentiality of the data cannot always be guaranteed.
Address spoofing may or may not be a problem. Although those
environment vary widely, it is expected that a single configuration
protocol with a number of options can be designed to accommodate all
the different cases.
Customers connecting with IPv6 to their ISP can have multiple
The most common topologies expected to be encountered are:
- a single node, directly attached to the ISP access network
- a router, directly attached to the ISP access network
- a router, behind an unmodifiable IPv4-only customer owned NAT
The IPv4 addresses of the customer may change over time and be
dynamically allocated. In the case of NAT environment, both the
internal and the external addresses may be dynamically allocated.
Another case to consider in the "roaming" user within its home ISP
network. When the customer is roaming within the ISP network(s), this
is not really different than having a dynamic IPv4 address, except
that the "nearest" ISP tunnel end point to use may be different. When
the customer is roaming in another ISP network that does not offer
IPv6 service, the "home" ISP may be willing to still offer tunneling
service, however the security implications and the tunnel end point
discovery mechanism to use will be different.
A "generic" tunnel setup protocol. The key requirement is to allow the
creation of a tunnel for sending IPv6 over IPv4. In order to setup a
tunnel, some negotiation may be needed in order to determine such
properties as the encapsulation (e.g., GRE, IPv6-over-IPv4, etc.), MTU
parameters, authentication and/or security properites, etc. For
reasons of efficiency over very high latency networks, minimizing the
number of packet exchanges is desirable.
This group will not create new tunneling encapsulations. Moreover, it
will reuse the work of other WGs rather than inventing unneeded
mechanism. For example, IPsec can be used to create tunnels. The setup
protocol could determine that an IPsec tunnel is needed, and then rely
on IKE (as specified elsewhere) to setup up the appropriate tunnel.
A key question the BOF should answer is if the tunnel set-up protocol
should be limited to IP in IP tunnel (with a focus on IPv6 in IPv4) or
if it should be extended to other types of encapsulation, like GRE,
Another possible work item is a way for an ISP to indicate that it is
offering tunnel services to its direct customers. This is also known
as tunnel end-point discovery.
The BOF should answer is if this second work items should be covered
by the same wg or not.
This work is not about creating a new transition mechanism, but to
offer a standardized way to configure tunnels.
Some of the issues initially explored are:
- Do we want to focus on IP in IP tunnels or extend to GRE,
- Do we want to address the tunnel end point discovery problem?
- Could we live with UDP encapsulation always on?
- Do we need mutual authentication? How strong should this be?
- Should some of this authentication mechanism "follow-on"
atfer the tunnel set-up phase has finished?
- Can we have separate channels, one for configuration and one
for the tunneled traffic or should we maintain only one
channel to help traverse NAT?
- Should we embed some kind of signaling in the tunnel channel?
- How much of the wheel are we going to re-invent?
e.g. if we define a new packet exchange and there is a goal
to minimize the total number of RTT needed, there is a
temptation to piggy-back configuration information in this
protocol that could be over wise obtained via DHCP...