| IPv6 Operations (v6ops) | J. Palet Martinez |
| Internet-Draft | The IPv6 Company |
| Intended status: Informational | H. M.-H. Liu |
| Expires: June 30, 2019 | D-Link Systems, Inc. |
| M. Kawashima | |
| NEC Platforms, Ltd. | |
| December 27, 2018 |
Requirements for IPv6 Customer Edge Routers to Support IPv4 Connectivity as-a-Service
draft-ietf-v6ops-transition-ipv4aas-12
This document specifies the IPv4 service continuity requirements for an IPv6 Customer Edge (CE) router, either provided by the service provider or by vendors who sell through the retail market.
Specifically, this document extends the "Basic Requirements for IPv6 Customer Edge Routers" (RFC7084) in order to allow the provisioning of IPv6 transition services for the support of "IPv4 as-a-Service" (IPv4aaS) by means of new transition mechanisms. The document only covers transition technologies for delivering IPv4 in IPv6-only access networks, commonly called "IPv4 as-a-Service" (IPv4aaS). This is necessary because there aren't sufficient IPv4 addresses available for every possible customer/device. However, devices or applications in the customer LANs (Local Area Networks) may be IPv4-only or IPv6-only and still need to communicate with IPv4-only services at the Internet.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 30, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document defines IPv4 service continuity features over an IPv6-only network, for a residential or small-office router, referred to as an "IPv6 Transition CE Router", in order to establish an industry baseline for transition features to be implemented on such a router.
These routers rely upon "Basic Requirements for IPv6 Customer Edge Routers" [RFC7084], so the scope of this document is to ensure the IPv4 "service continuity" support, in the LAN side, ensuring that remote IPv4-only services are accessible, from an IPv6-only Internet Service Provider access network (typically referred as WAN - Wide Area Network, even in some cases it may be metropolitan, regional, etc.) even from IPv6-only applications or devices in the LAN side.
+------------+ +------------+ \
| IPv4-only | | IPv4/IPv6 | \
| Remote | | Remote | |
| Host | | Host | | Internet
+--------+---+ +---+--------+ |
| | /
| | /
+-+-----------+-+ \
| Service | \
| Provider | \
| Router | | Service
+-------+-------+ | Provider
| IPv6-only | Network
| Customer /
| Internet Connection /
| /
+------+--------+ \
| IPv6 | \
| Customer Edge | \
| Router | |
+---+-------+---+ |
LAN A | | LAN B | End-User
-+----------------+- -+-----+-------------+- | Network(s)
| | | |
+---+------+ +----+-----+ +-----+----+ |
| IPv6-only| | IPv4-only| |IPv4/IPv6 | /
| Host | | Host | | Host | /
+----------+ +----------+ +----------+ /
Figure 1: Simplified Typical IPv6-only Access Network
This document covers a set of IP transition techniques required when ISPs (Internet Service Providers) have, or want to have, an IPv6-only access network. This is a common situation when sufficient IPv4 addresses are no longer available for every possible customer and device, causing IPv4 addresses to become prohibitive expense. This, in turn, may result in service providers provisioning IPv6-only WAN access. At the same time, they need to ensure that both IPv4-only and IPv6-only devices or applications in the customer networks can still reach IPv4-only devices and applications in the Internet.
This document specifies the IPv4 service continuity mechanisms to be supported by an IPv6 Transition CE Router, and relevant provisioning or configuration information differences from [RFC7084].
This document is not a recommendation for service providers to use any specific transition mechanism.
Automatic provisioning of more complex topology than a single router with multiple LAN interfaces may be handled by means of HNCP [RFC7788] (Home Networking Control Protocol), which is out of the scope of this document.
Since it is impossible to know prior to sale which transition mechanism a device will need over its lifetime, IPv6 Transition CE Router intended for the retail market MUST support all the IPv4aaS transition mechanisms supported by this document. Service providers who specify feature sets for IPv6 Transition CE Router may specify a different set of features than those included in this document, for example supporting only some of the transition mechanisms enumerated in this document.
A complete description of "Usage Scenarios" and "End-User Network Architecture" is provided in Annexes A and B, respectively, which together with [RFC7084], will facilitate the reader to have a clearer understanding of this document.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document, are not used as described in RFC 2119. This document uses these keywords not strictly for the purpose of interoperability, but rather for the purpose of establishing industry-common baseline functionality. As such, the document points to several other specifications to provide additional guidance to implementers regarding any protocol implementation required to produce a successful IPv6 Transition CE Router that interoperates successfully with a particular subset of currently deploying and planned common IPv6-only access networks.
Additionally, the keyword "DEFAULT" is to be interpreted in this document as pertaining to a configuration as applied by a vendor, prior to the administrator changing it for its initial activation.
This document uses the same terms as in [RFC7084], with minor clarifications.
"IPv4aaS" stands for "IPv4 as-a-Service", meaning transition technologies for delivering IPv4 in IPv6-only connectivity.
The term "IPv6 transition Customer Edge Router with IPv4aaS" (shortened as "IPv6 Transition CE Router") is defined as an "IPv6 Customer Edge Router" that provides features for the delivery of IPv4 services over an IPv6-only WAN network, including IPv6-IPv4 communications.
The "WAN Interface" term used across this document, defines an IPv6 Transition CE Router attachment to an IPv6-only link used to provide connectivity to a service provider network, including link Internet-layer (or higher layers) "tunnels", such as IPv4-in-IPv6 tunnels.
The IPv6 Transition CE Router MUST comply with [RFC7084] (Basic Requirements for IPv6 Customer Edge Routers) and this document adds new requirements, as described in the following sub-sections.
A new LAN requirement is added, which in fact is common in regular IPv6 Transition CE Router, and it is required by most of the transition mechanisms:
The main target of this document is the support of IPv6-only WAN access. To enable legacy IPv4 functionality, this document also includes the support of IPv4-only devices and applications in the customers LANs, as well as IPv4-only services on the Internet. Thus, both IPv4-only and the IPv6-only devices in the customer-side LANs of the IPv6 Transition CE Router are able to reach the IPv4-only services.
This document takes no position on simultaneous operation of one or several transition mechanisms and/or native IPv4.
In order to seamlessly provide the IPv4 Service Continuity in Customer LANs, allowing an automated IPv6 transition mechanism provisioning, general transition requirements are defined.
General transition requirements:
In order to allow the service provider to disable all the transition mechanisms and/or choose the most convenient one, the IPv6 Transition CE Router MUST follow the following configuration steps:
The following sections describe the requirements for supporting each one of the transition mechanisms. An IPv6 Transition CE Router intended for the retail market MUST support all of them.
464XLAT [RFC6877] is a technique to provide IPv4 service over an IPv6-only access network without encapsulation. This architecture assumes a NAT64 [RFC6146] (Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers) function deployed at the service provider or a third-party network.
The IPv6 Transition CE Router MUST support CLAT functionality [RFC6877] if intended for the retail market. If 464XLAT is supported, it MUST be implemented according to [RFC6877]. The following IPv6 Transition CE Router requirements also apply:
464XLAT requirements:
The NAT64 prefix could be discovered by means of [RFC7050] only in the case the service provider uses DNS64 [RFC6147]. If DNS64 [RFC6147] is not used, or not trusted, as the DNS configuration at the CE (or hosts behind the CE) may be modified by the customer, then the service provider may opt to configure the NAT64 prefix either by means of [RFC7225] or [RFC8115], which also can be used if the service provider uses DNS64 [RFC6147].
Dual-Stack Lite [RFC6333] enables continued support for IPv4 services. Dual-Stack Lite enables a broadband service provider to share IPv4 addresses among customers by combining two well-known technologies: IP in IP (IPv4-in-IPv6) and Network Address Translation (NAT). It is expected that DS-Lite traffic is forwarded over the IPv6 Transition CE Router's native IPv6 WAN interface, and not encapsulated in another tunnel.
The IPv6 Transition CE Router MUST implement DS-Lite B4 functionality [RFC6333] if intended for the retail market. If DS-Lite is supported, it MUST be implemented according to [RFC6333]. The following IPv6 Transition CE Router requirements also apply:
DS-Lite requirements:
lw4o6 [RFC7596] specifies an extension to DS-Lite which moves the NAPT function from the DS-Lite tunnel concentrator to the tunnel client located in the IPv6 Transition CE Router, removing the requirement for a CGN (Carrier Grade NAT, AFTR - Address Family Transition Router) function in the tunnel concentrator and reducing the amount of centralized state.
The IPv6 Transition CE Router MUST implement lwB4 functionality [RFC7596] if intended for the retail market. If DS-Lite is implemented, lw4o6 SHOULD be implemented as well. If lw4o6 is supported, it MUST be implemented according to [RFC7596]. The following IPv6 Transition CE Router requirements also apply:
lw4o6 requirements:
MAP-E [RFC7597] is a mechanism for transporting IPv4 packets across an IPv6 network using IP encapsulation, including an algorithmic mechanism for mapping between IPv6 and IPv4 addresses.
The IPv6 Transition CE Router MUST support MAP-E CE functionality [RFC7597] if intended for the retail market. If MAP-E is supported, it MUST be implemented according to [RFC7597]. The following IPv6 Transition CE Router requirements also apply:
MAP-E requirements:
MAP-T [RFC7599] is a mechanism similar to MAP-E, differing from it in that MAP-T uses IPv4-IPv6 translation, instead of encapsulation, as the form of IPv6 domain transport.
The IPv6 Transition CE Router MUST support MAP-T CE functionality [RFC7599] if intended for the retail market. If MAP-T is supported, it MUST be implemented according to [RFC7599]. The following IPv6 Transition CE Router requirements also apply:
MAP-T requirements:
Existing IPv4 deployments support IPv4 multicast for services such as IPTV. In the transition phase, it is expected that multicast services will still be provided using IPv4 to the customer LANs.
If the IPv6 Transition CE Router supports delivery of IPv4 multicast services, then it MUST support [RFC8114] (Delivery of IPv4 Multicast Services to IPv4 Clients over an IPv6 Multicast Network) and [RFC8115] (DHCPv6 Option for IPv4-Embedded Multicast and Unicast IPv6 Prefixes).
If the UPnP WANIPConnection:2 service [UPnP-WANIPC] is enabled on a CE router, but cannot be associated with an IPv4 interface established by an IPv4aaS mechanism or cannot determine which ports are available, an AddPortMapping() or AddAnyPortMapping() action MUST be rejected with error code 729 "ConflictWithOtherMechanisms". Port availability could be determined through PCP or access to a configured port set (if the IPv4aaS mechanism limits the available ports).
An AddPortMapping() request for a port that is not available MUST result in "ConflictInMappingEntry".
An AddAnyPortMapping() request for a port that is not available SHOULD result in a successful mapping with an alternative "NewReservedPort" value from within the configured port set range, or as assigned by PCP as per [RFC6970], Section 5.6.1.
Note that IGD:1 and its WANIPConnection:1 service have been deprecated by OCF.
This document doesn't include support for 6rd [RFC5969], because it is an IPv6-in-IPv4 tunneling.
Regarding DS-LITE [RFC6333], this document includes slightly different requirements, related to the support of PCP [RFC6887], IGD-PCP IWF [RFC6970] and the prioritization of the transition mechanisms, including dual-stack.
One of the apparent main issues for vendors to include new functionalities, such as support for new transition mechanisms, is the lack of space in the flash (or equivalent) memory. However, it has been confirmed from existing open source implementations (OpenWRT/LEDE, Linux, others), that adding the support for the new transitions mechanisms, requires around 10-12 Kbytes (because most of the code base is shared among several transition mechanisms already supported by [RFC7084]), as a single data plane is common to all them, which typically means about 0,15% of the existing code size in popular CEs already in the market [OpenWRT].
In general, the new requirements don't have extra cost in terms of RAM memory, neither other hardware requirements such as more powerful CPUs, if compared to the cost of NAT44 code so, existing hardware supports them with minimal impact.
The other issue seems to be the cost of developing the code for those new functionalities. However, at the time of writing this document, it has been confirmed that there are several open source versions of the required code for supporting all the new transition mechanisms, and several vendors already have implementations and provide it to ISPs, so the development cost is negligible, and only integration and testing cost may become a minor issue.
Finally, in some cases, operators supporting several transition mechanisms may need to consider training costs for staff in all those techniques for their operation and management, even if this is not directly caused by supporting this document, but because the business decisions behind that.
The IPv6 Transition CE Router must comply with the Security Considerations as stated in [RFC7084], as well as those stated by each transition mechanism implemented by the IPv6 Transition CE Router.
As described in [RFC8026] and [RFC8026] Security Consideration sections, there are generic DHCP security issues, which in the case of this document means that malicious nodes may alter the priority of the transition mechanisms.
IANA is requested, by means of this document, to update the "Option Codes permitted in the S46 Priority Option" registry available at https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#option-codes-s46-priority-option, with the following entry.
+-------------+--------------------+-----------+ | Option Code | S46 Mechanism | Reference | +-------------+--------------------+-----------+ | 113 | 464XLAT | [thisdoc] | +-------------+--------------------+-----------+
Table 1: DHCPv6 Option Code for 464XLAT
Thanks to Mikael Abrahamsson, Fred Baker, Mohamed Boucadair, Brian Carpenter, Ian Farrer, Lee Howard, Richard Patterson, Barbara Stark, Ole Troan, James Woodyatt, Lorenzo Colitti and Alejandro D'Egidio, for their review and comments in this and/or previous versions of this document, as well as to the Last Call reviewers by the Opsdir (Dan Romascanu), Secdir (Christian Huitema), Rtgdir (Daniele Ceccarelli) and Tsvdir (Martin Stiemerling).
The situation previously described, where there is ongoing IPv6 deployment and lack of IPv4 addresses, is not happening at the same pace in every country, and even within every country, every ISP. For different technical, financial, commercial/marketing and socio-economic reasons, each network is transitioning at their own pace; the global transition timings cannot be estimated.
Different studies (for example [IPv6Survey]) also show that the IPv6 deployment is a changing situation. In a single country, not all operators will necessarily provide IPv6 support. Consumers may also switch ISPs, and use the same IPv6 Transition CE Router with either an ISP that provides IPv4-only or an ISP that provides IPv6 with IPv4aaS.
So, to cover all those evolving situations, an IPv6 Transition CE Router is required, at least from the perspective of the transition support.
Moreover, because some services will remain IPv4-only for an undetermined time, and some service providers will remain IPv4-only for an undetermined period of time, IPv4 will be needed for an undetermined period of time. There will be a need for CEs with support "IPv4 as-a-Service" for an undetermined period of time.
This document, based on those premises, ensures that the IPv6 Transition CE Router allows the continued transition from networks that today may provide access with dual-stack or IPv6-in-IPv4, as described in [RFC7084], and as an "extension" to it, evolve to an IPv6-only access with IPv4-as-a-Service.
Considering that situation and different possible usage cases, the IPv6 Transition CE Router described in this document is expected to be used typically, in residential/household, Small Office/Home Office (SOHO) and Small/Medium Enterprise (SME). Common usage is any kind of Internet access (web, email, streaming, online gaming, etc.) and even more advanced requirements including inbound connections (IP cameras, web, DNS, email, VPN, etc.).
The above is not intended to be comprehensive list of all the possible usage cases, just an overall view. In fact, combinations of the above usages are also possible, as well as situations where the same CE is used at different times in different scenarios or even different services providers that may use a different transition mechanism.
The mechanisms for allowing inbound connections are "naturally" available in any IPv6 router, when using GUA (IPv6 Global Unicast Addresses), unless they are blocked by firewall rules, which may require some manual configuration by means of a GUI, CLI and/or API.
However, in the case of IPv4aaS, because the usage of private addresses and NAT and even depending on the specific transition mechanism, inbound connections typically require some degree of more complex manual configuration such as setting up a DMZ, virtual servers, or port/protocol forwarding. In general, IPv4 CE Routers already provide a GUI and/or a CLI to manually configure them, or the possibility to setup the CE in bridge mode, so another CE behind it, takes care of that. The requirements for that support are out of the scope of this document.
It is not relevant who provides the IPv6 Transition CE Router. In most of the cases is the service provider, and in fact is responsible, typically, of provisioning/managing at least the WAN side. Commonly, the user has access to configure the LAN interfaces, firewall, DMZ, and many other features. However, in many cases, the user must supply or may replace the IPv6 Transition CE Router. This underscores the importance of the IPv6 Transition CE Routers supporting the same requirements defined in this document.
The IPv6 Transition CE Router described in this document is not intended for usage in other scenarios such as large Enterprises, Data Centers, Content Providers, etc. So even if the documented requirements meet their needs, they may have additional requirements, which are out of the scope of this document.
According to the descriptions in the preceding sections, an end-user network will likely support both IPv4 and IPv6. It is not expected that an end user will change their existing network topology with the introduction of IPv6. There are some differences in how IPv6 works and is provisioned; these differences have implications for the network architecture.
A typical IPv4 end-user network consists of a "plug and play" router with NAT functionality and a single link upstream, connected to the service provider network.
From the perspective of an "IPv4 user" behind an IPv6 transition Customer Edge Router with IPv4aaS, this doesn't change.
However, while a typical IPv4 NAT deployment by default blocks all incoming connections and may allow opening of ports using a Universal Plug and Play Internet Gateway Device (UPnP IGD) [UPnP-IGD] or some other firewall control protocol, in the case of an IPv6-only access and IPv4aaS, that may not be feasible depending on specific transition mechanism details. PCP (Port Control Protocol, [RFC6887]) may be an alternative solution.
Another consequence of using IPv4 private address space in the end-user network is that it provides stable addressing; that is, it doesn't change, even when you change service providers, and the addresses are always usable even when the WAN interface is down or the customer edge router has not yet been provisioned. In the case of an IPv6-only access, private IPv4 addresses are also available if the IPv4aaS transition mechanism keeps running the NAT interface towards the LAN side when the WAN interface is down.
More advanced routers support dynamic routing (which learns routes from other routers), and advanced end-users can build arbitrary, complex networks using manual configuration of address prefixes combined with a dynamic routing protocol. Once again, this is true for both, IPv4 and IPv6.
In general, the end-user network architecture for IPv6 should provide equivalent or better capabilities and functionality than the current IPv4 architecture.
The end-user network is a stub network, in the sense that is not providing transit to other external networks. However, HNCP [RFC7788] allows support for automatic provisioning of downstream routers. Figure 1 illustrates the model topology for the end-user network.
+---------------+ \
| Service | \
| Provider | \
| Router | | Service
+-------+-------+ | Provider
| IPv6-only | Network
| Customer /
| Internet Connection /
| /
+------+--------+ \
| IPv6 | \
| Customer Edge | \
| Router | |
+---+-------+---+ |
Network A | | Network B |
-+----------------+-+- -+---+-------------+- |
| | | | |
+---+------+ | +----+-----+ +-----+----+ |
| IPv6 | | | IPv4 | |IPv4/IPv6 | |
| Host | | | Host | | Host | |
+----------+ | +----------+ +----------+ | End-User
| | Network(s)
+------+--------+ |
| IPv6 | |
| Router | |
+------+--------+ |
Network C | |
-+-------------+--+- |
| | |
+---+------+ +----+-----+ |
| IPv6 | | IPv6 | /
| Host | | Host | /
+----------+ +----------+ /
Figure 2: An Example of a Typical End-User Network
This architecture describes the:
The IPv6 Transition CE Router may be manually configured in an arbitrary topology with a dynamic routing protocol or using HNCP [RFC7788]. Automatic provisioning and configuration is described for a single IPv6 Transition CE Router only.
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
Section to be removed by RFC Editor. Significant updates are:
| [IPv6Survey] | Palet Martinez, J., "IPv6 Deployment Survey", January 2018. |
| [OpenWRT] | OpenWRT, "OpenWRT Packages", January 2018. |
| [RFC7788] | Stenberg, M., Barth, S. and P. Pfister, "Home Networking Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April 2016. |
| [UPnP-IGD] | UPnP Forum, "InternetGatewayDevice:2 Device Template Version 1.01", December 2010. |
| [UPnP-WANIPC] | UPnP Forum, "WANIPConnection:2 Service", December 2010. |