]> Google, LLC

warren@kumari.net

Google, LLC

furry13@gmail.com

Operations and Management IPv6 Operations ipv6 nat64 wkp This document removes the requirement introduced in Section 3.1 of RFC6052 that the NAT64 Well-Known Prefix 64:FF9B::/96 MUST NOT be used to represent non-global IPv4 addresses, such as those defined in or listed in Section 3 of . The proposed change enables IPv6-only nodes to reach IPv4-only services with non-global addresses by leveraging the Well-Known Prefix. About This Document Status information for this document may be found at . Discussion of this document takes place on the IPv6 Operations Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Section 3.1 of prohibits IPv4/IPv6 translators from using the Well-Known Prefix (WKP, 64:FF9B::/96) to represent non-global IPv4 addresses, such as those defined in or listed in Section 3 of . This restriction is relatively straightforward to implement in DNS64 : a DNS64 server simply avoids synthesizing an AAAA record using the WKP if the original A record contains a non-global IPv4 address. However, this requirement introduces significant operational challenges for systems that do not rely on DNS64 and instead use local synthesis such as CLAT (Customer-side Translator, ), or similar approaches. Enterprise and other closed networks often require IPv6-only nodes to communicate with both internal (e.g., using RFC1918 addresses) and external (Internet) IPv4-only destinations. The restriction in Section 3.1 of RFC6052 prevents such networks from utilizing the WKP and, consequently, from relying on public DNS64 servers (e.g. forwarding requests for external zones to public DNS64) which utilize the WKP in order to maximize compatibility. Using two NAT64 prefixes — the WKP for Internet destinations and a Network-Specific Prefix (NSP) for non-global IPv4 addresses — is not a feasible solution for nodes performing local synthesis or running CLAT. None of the widely deployed NAT64 Prefix Discovery mechanisms (, ) provide a method to map a specific NAT64 prefix to a subset of IPv4 addresses for which it should be used. According to Section 3 of , a node must use all learned prefixes when performing local IPv6 address synthesis. Consequently, if a node discovers both the WKP and the NSP, it will use both prefixes to represent global IPv4 addresses. This duplication significantly complicates security policies, troubleshooting, and other operational aspects of the network. Prohibiting the WKP from representing non-global IPv4 addresses offers no substantial benefit to IPv6-only or IPv6-mostly deployments. Simultaneously, it substantially complicates network design and the behavior of nodes. Given the recent operational experience in deploying IPv6-only and IPv6-mostly networks, it is desirable to allow translators to use a single prefix (including the WKP) to represent all IPv4 addresses, regardless of their global or non-global status. This simplification would greatly improve the utility of the WKP in enterprise networks.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology This document reuses the Terminology section of .

RFC6052 Update This document updates Section 3.1 of ("Restrictions on the Use of the Well-Known Prefix") as follows: OLD TEXT: === The Well-Known Prefix MUST NOT be used to represent non-global IPv4 addresses, such as those defined in or listed in Section 3 of . Address translators MUST NOT translate packets in which an address is composed of the Well-Known Prefix and a non- global IPv4 address; they MUST drop these packets. === NEW TEXT: === The Well-Known Prefix MAY be used to represent non-global IPv4 addresses, such as those defined in or listed in Section 3 of . Unmanaged client-side translators (CLATs) MUST translate packets in which an address is composed of the Well-Known Prefix and a non-global IPv4 address by default. Provider-side translators (PLATs) MUST translate such packets unless configured otherwise. Because administrators may rely on dropping these packets as an implicit security policy, PLAT implementations MAY choose not to translate such packets by default. However, such PLAT implementations SHOULD provide a configuration knob to enable translation for these packets. === As noted in Errata 5547 (): IPv4 packets with private destination addresses are routinely translated to IPv4 packets with global destination addresses in NAT44. Similarly, an IPv6 packet with a destination address representing a private IPv4 address [RFC6052] can be translated to an IPv4 packet with a global destination address by NAT64 [RFC6146]. If a 464XLAT CLAT cannot translate a private IPv4 address to an IPv6 address using the NAT64 /96 prefix and that IPv4 address [RFC6052], then the packet may not be translated to an IPv4 packet with a global address by the 464XLAT PLAT (stateful NAT64). This changes the intent of the sender, and in so doing violates the end to end principle. Removing the requirement introduced in RFC 6052 Section 3.1 addresses this errata.

Operational Considerations There may be cases when it is desirable to ignore translation of private use IPv4 addressing due to internal policy or overlapping internal networks. It is important to note, however, that overlapping networks in IPv6 translated addresses are also overlapping in IPv4, and so behavior will be similar across protocols in the vast majority of use cases. Environments reliant on may be required to create configurations which address the filtering of private use IPv4 addressing if there is an expectation of compliance with the original section 3.1.

Existing Behavior Testing and operational experience with existing CLAT implementations (both mobile and non-mobile) have revealed highly inconsistent behavior regarding the original restriction in Section 3.1 of . While some implementations strictly comply with the original requirement and drop packets destined for non-global IPv4 addresses, many other widely deployed CLATs completely ignore this restriction and translate the packets. This inconsistency creates significant operational challenges. Network operators are unable to predictably determine how unmanaged, client-side devices will handle traffic directed to internal IPv4 services. This unpredictable dropping or translating of packets on the client side severely complicates network design, security policies, and troubleshooting. By formalizing the requirement that unmanaged CLAT implementations MUST translate these packets by default (as updated in Section 3), and allowing PLAT devices to translate these packets, this document provides clear, standardized instructions to implementers. This resolves the current operational ambiguity, ensuring predictable behavior across all client ecosystems and aligning the standard with the practical realities of modern IPv6-mostly and IPv6-only deployments. Furthermore, where client-side translation and local synthesis are used, it is currently not feasible to employ more than one translation prefix, especially if different prefixes must be used for different IPv4 destinations. None of the widely deployed NAT64 Prefix Discovery mechanisms (, ) provide a method to map a specific NAT64 prefix to a subset of IPv4 addresses for which it should be used.

Use of Network Specific Prefix Use of a network specific prefix such as provided by does not preclude the removal of section 3.1 as a MUST requirement. If a network employs a network specific prefix the behavior of synthesizing a private use IPv4 address is not prevented by standard. The use of a network specific prefix implies the existence of a local mechanism for synthesizing IPv6 addresses based on that specific prefix, and thereby rules out use of a public DNS64 resolver in the vast majority of cases, as large scale public DNS64 resolvers use the WKP to maximize compatibility.

Security Considerations Legitimizing packets where the IPv6 destination address is composed of the WKP and a non-global IPv4 address does not, inherently, introduce new security considerations. Whether a specific traffic flow between an IPv6-only source and a non-global IPv4 destination (or any flow to a non-global IPv4 destination) is legitimate is a matter of local network topology and administrative policy. However, existing NAT64 implementations compliant with RFC 6052 are expected to drop such packets. Administrators may be relying on this implicit filtering as a built-in security mechanism to prevent unauthorized access to private IPv4 infrastructure, rather than implementing explicit security policies. This reliance is particularly prevalent in managed NAT64 (PLAT) environments. Modifying the recommended behavior to allow such address compositions may, in the absence of explicit filtering, enable traffic flows that were previously prohibited by the translator's default logic. To mitigate this risk, existing managed NAT64 implementations compliant with RFC 6052 SHOULD NOT alter their default dropping behavior. Instead, they SHOULD provide a configuration knob to enable this functionality, ensuring that the transition to supporting non-global addresses is an intentional administrative action accompanied by a review of local security policies. Furthermore, administrators should not rely on the internal verification logic of the translator to enforce security boundaries. Instead, explicit policies such as access control lists (ACLs), firewall policies or NAT rules must be used to define authorized traffic patterns through the translator.

IANA Considerations This document has no IANA actions.

References Normative References This document discusses the algorithmic translation of an IPv6 address to a corresponding IPv4 address, and vice versa, using only statically configured information. It defines a well-known prefix for use in algorithmic translations, while allowing organizations to also use network-specific prefixes when appropriate. Algorithmic translation is used in IPv4/IPv6 translators, as well as other types of proxies and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios. [STANDARDS-TRACK] In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document describes address allocation for private internets. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document obsoletes RFC 3330. It describes the global and other specialized IPv4 address blocks that have been assigned by the Internet Assigned Numbers Authority (IANA). It does not address IPv4 address space assigned to operators and users through the Regional Internet Registries, nor does it address IPv4 address space assigned directly by IANA prior to the creation of the Regional Internet Registries. It also does not address allocations or assignments of IPv6 addresses or autonomous system numbers. This memo documents an Internet Best Current Practice. This document describes stateful NAT64 translation, which allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. One or more public IPv4 addresses assigned to a NAT64 translator are shared among several IPv6-only clients. When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server. DNS64 is a mechanism for synthesizing AAAA records from A records. DNS64 is used with an IPv6/IPv4 translator to enable client-server communication between an IPv6-only client and an IPv4-only server, without requiring any changes to either the IPv6 or the IPv4 node, for the class of applications that work through NATs. This document specifies DNS64, and provides suggestions on how it should be deployed in conjunction with IPv6/IPv4 translators. [STANDARDS-TRACK] This document describes an architecture (464XLAT) for providing limited IPv4 connectivity across an IPv6-only network by combining existing and well-known stateful protocol translation (as described in RFC 6146) in the core and stateless protocol translation (as described in RFC 6145) at the edge. 464XLAT is a simple and scalable technique to quickly deploy limited IPv4 access service to IPv6-only edge networks without encapsulation. This document describes a method for detecting the presence of DNS64 and for learning the IPv6 prefix used for protocol translation on an access network. The method depends on the existence of a well-known IPv4-only fully qualified domain name "ipv4only.arpa.". The information learned enables nodes to perform local IPv6 address synthesis and to potentially avoid NAT64 on dual-stack and multi-interface deployments. This document specifies a Neighbor Discovery option to be used in Router Advertisements (RAs) to communicate prefixes of Network Address and Protocol Translation from IPv6 clients to IPv4 servers (NAT64) to hosts. This document reserves the IPv6 prefix 64:ff9b:1::/48 for local use within domains that enable IPv4/IPv6 translation mechanisms. n.d.

Acknowledgments The authors would like to thank Mohamed Boucadair, Nick Buraglio, Lorenzo Colitti, Suresh Krishnan, Ted Lemon, Jordi Palet for their helpful comments and suggestions on this document.

Appendix: Example flow { Ed note: Nick Buraglio has suggested that we include an example flow here. I think that this can be removed before publication, but it might be helpful to include fur discussion / during LC, etc} To illustrate the updated normative behavior, consider an IPv6-only network utilizing 464XLAT where an administrator wishes to provide access to an internal, IPv4-only corporate service hosted at 10.1.2.3.

Scenario A: Unmanaged CLAT to Managed PLAT Flow An IPv4-only application on an unmanaged client device generates an IPv4 packet destined for 10.1.2.3. The local CLAT intercepts the IPv4 packet and synthesizes an IPv6 destination address by prepending the Well-Known Prefix: 64:ff9b::10.1.2.3. CLAT Behavior: Under the updated guidance in Section 3, the CLAT MUST translate this packet by default, ignoring the non-global nature of the embedded IPv4 address, and forward the resulting IPv6 packet to the network. The IPv6 network routes the packet to the managed PLAT (NAT64 gateway). PLAT Behavior: Upon receiving the packet destined for 64:ff9b::10.1.2.3, the PLAT evaluates its local configuration: Permit: If the administrator has explicitly enabled translation for non-global addresses (or left the default translation behavior enabled), the PLAT translates the packet back to IPv4 and forwards it to 10.1.2.3. Drop: If the administrator relies on a default-drop posture for non-global addresses or has explicitly configured an access control list (ACL) blocking this range, the PLAT drops the packet.

Scenario B: Native IPv6 Host to Managed PLAT An IPv6-capable host (without a local CLAT) needs to communicate with the same internal service. It acquires the destination address 64:ff9b::10.1.2.3 (e.g., via DNS64, local synthesis, or explicit application configuration). The host transmits the IPv6 packet, which is routed to the PLAT. PLAT Behavior: The PLAT applies the same configuration logic as in Scenario A. It MUST translate the packet to IPv4 and forward it to 10.1.2.3 unless local administrative policy configures it to drop the packet.