RFC 8781 | Discovering PREF64 in Router Advertiseme | April 2020 |
Colitti & Linkova | Standards Track | [Page] |
This document specifies a Neighbor Discovery option to be used in Router Advertisements (RAs) to communicate prefixes of Network Address and Protocol Translation from IPv6 clients to IPv4 servers (NAT64) to hosts.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8781.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
NAT64 [RFC6146] with DNS Extensions for Network Address Translation from IPv6 clients to IPv4 servers (DNS64) [RFC6147] is a widely deployed mechanism to provide IPv4 access on IPv6-only networks. In various scenarios, the host must be aware of the NAT64 prefix in use by the network. This document specifies a Neighbor Discovery [RFC4861] option to be used in Router Advertisements (RAs) to communicate NAT64 prefixes to hosts.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
DNS64: a mechanism for synthesizing AAAA records from A records [RFC6147];¶
On networks employing NAT64, it is useful for hosts to know the NAT64 prefix for several reasons, including the following:¶
Enabling DNS64 functions on end hosts. In particular:¶
Enabling NAT64 address-translation functions on end hosts. For example:¶
Fields:¶
It would be highly undesirable for the NAT64 prefix to have a lifetime shorter than the Router Lifetime, which is defined in Section 4.2 of [RFC4861] as a 16-bit unsigned integer. If the NAT64 prefix lifetime is not at least equal to the default Router Lifetime, it might lead to scenarios in which the NAT64 prefix lifetime expires before the arrival of the next unsolicited RA. Therefore, the Scaled Lifetime encodes the NAT64 prefix lifetime in units of 8 seconds. The receiver MUST multiply the Scaled Lifetime value by 8 (for example, by a logical left shift) to calculate the maximum time in seconds the prefix MAY be used. The maximum lifetime of the NAT64 prefix is thus 65528 seconds. To ensure that the NAT64 prefix does not expire before the default router, it is NOT RECOMMENDED to configure default Router Lifetimes greater than 65528 seconds when using this option. A lifetime of 0 indicates that the prefix SHOULD NOT be used anymore.¶
By default, the value of the Scaled Lifetime field SHOULD be set to the lesser of 3 x MaxRtrAdvInterval [RFC4861] divided by 8, or 8191.¶
Router vendors SHOULD allow administrators to specify nonzero lifetime values that are not divisible by 8. In such cases, the router SHOULD round the provided value up to the nearest integer that is divisible by 8 and smaller than 65536, then divide the result by 8 (or perform a logical right shift by 3) and set the Scaled Lifetime field to the resulting value. If a nonzero lifetime value that is to be divided by 8 (or subjected to a logical right shift by 3) is less than 8, then the Scaled Lifetime field SHOULD be set to 1. This last step ensures that lifetimes under 8 seconds are encoded as a nonzero Scaled Lifetime.¶
This option specifies exactly one NAT64 prefix for all IPv4 destinations. If the network operator wants to route different parts of the IPv4 address space to different NAT64 devices, this can be accomplished by routing more specific subprefixes of the NAT64 prefix to those devices. For example, suppose an operator is using the [RFC1918] address space 10.0.0.0/8 internally. That operator might want to route 10.0.0.0/8 through NAT64 device A, and the rest of the IPv4 space through NAT64 device B. If the operator's NAT64 prefix is 2001:db8:a:b::/96, then the operator can route 2001:db8:a:b::a00:0/104 to NAT64 A and 2001:db8:a:b::/96 to NAT64 B.¶
This option may appear more than once in an RA (e.g., when gracefully renumbering the network from one NAT64 prefix to another). Host behavior with regard to synthesizing IPv6 addresses from IPv4 addresses SHOULD follow the recommendations given in Section 3 of [RFC7050], limited to the NAT64 prefixes that have a nonzero lifetime.¶
In a network (or a provisioning domain) that provides both IPv4 and NAT64, it may be desirable for certain IPv4 addresses not to be translated. An example might be private address ranges that are local to the network/provisioning domain and that should not be reached through the NAT64. This type of configuration cannot be conveyed to hosts using this option, or through other NAT64 prefix provisioning mechanisms such as [RFC7050] or [RFC7225]. This problem does not apply in IPv6-only networks: the host in an IPv6-only network does not have an IPv4 address and cannot reach any IPv4 destinations without the NAT64.¶
In some cases, a host may receive multiple NAT64 prefixes from different sources. Possible scenarios include (but are not limited to):¶
When multiple PREF64s are discovered via the RA PREF64 Option (either the Option presents more than once in a single RA or multiple RAs are received), host behavior with regard to synthesizing IPv6 addresses from IPv4 addresses SHOULD follow the recommendations given in Section 3 of [RFC7050], limited to the NAT64 prefixes that have a nonzero lifetime.¶
When different PREF64s are discovered using multiple mechanisms, hosts SHOULD select one source of information only. The RECOMMENDED order is:¶
Note: If the network provides PREF64s via both this RA Option and [RFC7225], hosts that receive the PREF64 via the RA Option may choose to use it immediately (before waiting for the PCP to complete); therefore, some traffic may not reflect any more detailed configuration provided by the PCP.¶
The host SHOULD treat the PREF64 as being specific to the network interface it was received on. Hosts that are aware of Provisioning Domain (PvD, [RFC7556]) MUST treat the PREF64 as being scoped to the implicit or explicit PvD.¶
Section 6.2.7 of [RFC4861] recommends that routers inspect RAs sent by other routers to ensure that all routers onlink advertise consistent information. Routers SHOULD inspect valid PREF64 options received on a given link and verify the consistency. Detected inconsistencies indicate that one or more routers might be misconfigured. Routers SHOULD log such cases to system or network management. Routers SHOULD check and compare the following information:¶
Routers that are aware of PvD ([RFC7556]) MUST only compare information scoped to the same implicit or explicit PvD.¶
IANA has assigned a new IPv6 Neighbor Discovery Option type for the PREF64 option defined in this document in the "IPv6 Neighbor Discovery Option Formats" registry [IANA].¶
Description | Type |
---|---|
PREF64 option | 38 |
Because RAs are required in all IPv6 configuration scenarios, on IPv6-only networks, RAs must already be secured -- e.g., by deploying an RA-Guard [RFC6105]. Providing all configuration in RAs reduces the attack surface to be targeted by malicious attackers trying to provide hosts with invalid configuration, as compared to distributing the configuration through multiple different mechanisms that need to be secured independently.¶
If a host is provided with an incorrect NAT64 prefix, the IPv6-only host might not be able to communicate with IPv4-only destinations. Connectivity to destinations reachable over IPv6 would not be impacted just by providing a host with an incorrect prefix; however, if attackers are capable of sending rogue RAs, they can perform denial-of-service or man-in-the-middle attacks, as described in [RFC6104].¶
The security measures that must already be in place to ensure that RAs are only received from legitimate sources eliminate the problem of NAT64 prefix validation described in Section 3.1 of [RFC7050].¶
Thanks to the following people (in alphabetical order) for their review and feedback: Mikael Abrahamsson, Mark Andrews, Brian E Carpenter, David Farmer, Nick Heatley, Robert Hinden, Martin Hunek, Tatuya Jinmei, Benjamin Kaduk, Erik Kline, Suresh Krishnan, Warren Kumari, David Lamparter, Barry Leiba, Jordi Palet Martinez, Tommy Pauly, Alexandre Petrescu, Michael Richardson, David Schinazi, Ole Troan, Eric Vynke, Bernie Volz.¶