<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-v6ops-nat64-wkp-1918-03" category="std" consensus="true" submissionType="IETF" updates="rfc6052" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="nat64-wkp-1918">NAT64 WKP</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-v6ops-nat64-wkp-1918-03"/>
    <author initials="W." surname="Kumari" fullname="Warren Kumari">
      <organization>Google, LLC</organization>
      <address>
        <email>warren@kumari.net</email>
      </address>
    </author>
    <author fullname="Jen Linkova">
      <organization>Google, LLC</organization>
      <address>
        <email>furry13@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="01"/>
    <area>Operations and Management</area>
    <workgroup>IPv6 Operations</workgroup>
    <keyword>ipv6</keyword>
    <keyword>nat64</keyword>
    <keyword>wkp</keyword>
    <abstract>
      <?line 60?>

<t>This document modifies the requirement introduced in Section 3.1 of <xref target="RFC6052"/>
that the NAT64 Well-Known Prefix 64:ff9B::/96 <bcp14>MUST NOT</bcp14> be used to represent
non-globally reachable IPv4 addresses, such as those defined in <xref target="RFC1918"/> or
listed in Section 2.2.2 of <xref target="RFC6890"/>. The proposed change enables IPv6-only
nodes to reach IPv4-only services with specific non-globally reachable addresses
by leveraging the Well-Known Prefix.</t>
      <t>This document updates Section 3.1 of <xref target="RFC6052"/> ("Restrictions on the Use of the
Well-Known Prefix") to allow packets in which an address is composed of the
Well-Known Prefix and specific non-globally reachable IPv4 addresses to be
translated.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-v6ops-nat64-wkp-1918/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        IPv6 Operations Working Group mailing list (<eref target="mailto:v6ops@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/v6ops/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/v6ops/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/furry13/6052-update-wkp1918"/>.</t>
    </note>
  </front>
  <middle>
    <?line 74?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Section 3.1 of <xref target="RFC6052"/> prohibits IPv4/IPv6 translators from using the
Well-Known Prefix (WKP, 64:ff9B::/96) to represent non-globally reachable IPv4
addresses, such as those defined in <xref target="RFC1918"/> or listed in Section 2.2.2 of
<xref target="RFC6890"/>.</t>
      <t>This restriction is relatively straightforward to implement in DNS64 <xref target="RFC6147"/>:
a DNS64 server simply avoids synthesizing an AAAA record using the WKP if the
original A record contains a non-globally reachable IPv4 address. However, this
requirement introduces significant operational challenges for systems that do
not rely on DNS64 and instead use local synthesis such as CLAT (Customer-side
Translator, <xref target="RFC6877"/>), or similar approaches.</t>
      <t>Enterprise and other closed networks often require IPv6-only nodes to
communicate with both internal (e.g., using <xref target="RFC1918"/> addresses) and external
(Internet) IPv4-only destinations. The restriction in Section 3.1 of <xref target="RFC6052"/>
prevents such networks from utilizing the WKP and, consequently, from relying
on public DNS64 servers (e.g. forwarding requests for external zones to public
DNS64) which utilize the WKP in order to maximize compatibility.</t>
      <t>Using two NAT64 prefixes — the WKP for Internet destinations and a
Network-Specific Prefix (NSP) for non-globally reachable IPv4 addresses — is
not a feasible solution for nodes performing local synthesis or running CLAT.
None of the widely deployed NAT64 Prefix Discovery mechanisms (<xref target="RFC7050"/>,
<xref target="RFC8781"/>) provide a method to map a specific NAT64 prefix to the subset of
IPv4 addresses for which it should be used.</t>
      <t>According to Section 3 of <xref target="RFC7050"/>, a node must use all learned prefixes when
performing local IPv6 address synthesis. Consequently, if a node discovers both
the WKP and the NSP, it will use both prefixes to represent globally reachable
IPv4 addresses. This duplication significantly complicates security policies,
troubleshooting, and other operational aspects of the network.</t>
      <t>Prohibiting the WKP from representing non-globally reachable IPv4 addresses
offers no substantial benefit to IPv6-only or IPv6-mostly deployments. It also
substantially complicates network design and the behavior of nodes.</t>
      <t>Given the recent operational experience in deploying IPv6-only and IPv6-mostly
networks, it is desirable to allow translators to use a single prefix
(including the WKP) to represent all IPv4 addresses, regardless of their
globally reachable or non-globally reachable status. This simplification would
greatly improve the utility of the WKP in enterprise networks.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<section anchor="terminology">
        <name>Terminology</name>
        <t>This document reuses the Terminology section of <xref target="RFC6052"/> and <xref target="RFC8190"/>.</t>
      </section>
    </section>
    <section anchor="rfc6052-update">
      <name>RFC6052 Update</name>
      <t>This document updates Section 3.1 of <xref target="RFC6052"/> ("Restrictions on the Use of the
Well-Known Prefix") as follows:</t>
      <t>OLD TEXT:</t>
      <t>===</t>
      <t>The Well-Known Prefix <bcp14>MUST NOT</bcp14> be used to represent non-global IPv4 addresses,
such as those defined in <xref target="RFC1918"/> or listed in Section 3 of <xref target="RFC5735"/>. Address
translators <bcp14>MUST NOT</bcp14> translate packets in which an address is composed of the
Well-Known Prefix and a non-global IPv4 address; they <bcp14>MUST</bcp14> drop these packets.</t>
      <t>===</t>
      <t>NEW TEXT:</t>
      <t>===</t>
      <t>The Well-Known Prefix <bcp14>MAY</bcp14> be used to represent the non-global IPv4 addresses
listed in <xref target="RFC1918"/> and <xref target="RFC6598"/>.</t>
      <t>Unmanaged client-side translators (CLATs) <bcp14>MUST</bcp14> translate packets in which an
address is composed of the Well-Known Prefix and these non-globally reachable
IPv4 address by default.</t>
      <t>Provider-side translators (PLATs) <bcp14>MUST</bcp14> translate such packets unless configured
otherwise. Because administrators may rely on dropping these packets as an
implicit security policy, PLAT implementations <bcp14>MAY</bcp14> choose not to translate such
packets by default. However, such PLAT implementations <bcp14>SHOULD</bcp14> provide a
configuration knob to enable translation for these packets.</t>
      <t>===</t>
      <t>As noted in Errata 5547 (<xref target="EID5547"/>):</t>
      <t><tt>
IPv4 packets with private destination addresses are routinely translated to IPv4 packets with global destination addresses in NAT44.
Similarly, an IPv6 packet with a destination address representing a private IPv4 address [RFC6052] can be translated to an IPv4 packet with a global destination address by NAT64 [RFC6146].
If a 464XLAT CLAT cannot translate a private IPv4 address to an IPv6 address using the NAT64 /96 prefix and that IPv4 address [RFC6052], then the packet may not be translated to an IPv4 packet with a global address by the 464XLAT PLAT (stateful NAT64). This changes the intent of the sender, and in so doing violates the end to end principle.
</tt></t>
      <t>Removing the requirement introduced in RFC 6052 Section 3.1 addresses this
errata.</t>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>There may be cases in which it is desirable to ignore translation of private use
IPv4 addressing due to internal policy or overlapping internal networks. It is
important to note, however, that overlapping networks in IPv6 translated
addresses are also overlapping in IPv4, and so behavior will be similar across
protocols in the vast majority of use cases. Environments reliant on
<xref target="RFC7050"/> may be required to create configurations which address the filtering
of private use IPv4 addressing if there is an expectation of compliance with
the original section 3.1.</t>
      <section anchor="existing-behavior">
        <name>Existing Behavior</name>
        <t>Testing and operational experience with existing CLAT implementations (both
mobile and non-mobile) have revealed highly inconsistent behavior regarding the
original restriction in Section 3.1 of <xref target="RFC6052"/>. While some implementations
strictly comply with the original requirement and drop packets destined for
non-globally reachable IPv4 addresses, many other widely deployed CLATs
completely ignore this restriction and translate the packets.</t>
        <t>This inconsistency creates significant operational challenges. Network
operators are unable to predictably determine how unmanaged, client-side
devices will handle traffic directed to internal IPv4 services. This
unpredictable dropping or translating of packets on the client side severely
complicates network design, security policies, and troubleshooting.</t>
        <t>By formalizing the requirement that unmanaged CLAT implementations <bcp14>MUST</bcp14>
translate these packets by default (as updated in Section 3), and allowing PLAT
devices to translate these packets, this document provides clear, standardized
instructions to implementers. This resolves the current operational ambiguity,
ensuring predictable behavior across all client ecosystems and aligning the
standard with the practical realities of modern IPv6-mostly and IPv6-only
deployments.</t>
        <t>Furthermore, where client-side translation and local synthesis are used, it is
currently not feasible to employ more than one translation prefix, especially
if different prefixes must be used for different IPv4 destinations. None of the
widely deployed NAT64 Prefix Discovery mechanisms (<xref target="RFC7050"/>, <xref target="RFC8781"/>)
provide a method to map a specific NAT64 prefix to a subset of IPv4 addresses
for which it should be used.</t>
      </section>
      <section anchor="use-of-network-specific-prefix">
        <name>Use of Network Specific Prefix</name>
        <t>Use of a network specific prefix such as provided by <xref target="RFC8215"/> does not
preclude the removal of section 3.1 as a <bcp14>MUST</bcp14> requirement. If a network employs
a network specific prefix, the behavior of synthesizing a private use IPv4
address is not prevented by standard. The use of a network specific prefix
implies the existence of a local mechanism for synthesizing IPv6 addresses
based on that specific prefix, and thereby rules out use of a public DNS64
resolver in the vast majority of cases, as large scale public DNS64 resolvers
use the WKP to maximize compatibility.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>Legitimizing packets where the IPv6 destination address is composed of the WKP
and a non-globally reachable IPv4 address does not, inherently, introduce new
security considerations. Whether a specific traffic flow between an IPv6-only
source and a non-globally reachable IPv4 destination (or any flow to a
non-globally reachable IPv4 destination) is legitimate is a matter of local
network topology and administrative policy. However, existing NAT64
implementations compliant with RFC 6052 are expected to drop such packets.
Administrators may be relying on this implicit filtering as a built-in security
mechanism to prevent unauthorized access to private IPv4 infrastructure, rather
than implementing explicit security policies. This reliance is particularly
prevalent in managed NAT64 (PLAT) environments.</t>
      <t>Modifying the recommended behavior to allow such address compositions may, in
the absence of explicit filtering, enable traffic flows that were previously
prohibited by the translator's default logic. To mitigate this risk, existing
managed NAT64 implementations compliant with RFC 6052 <bcp14>SHOULD NOT</bcp14> alter their
default dropping behavior. Instead, they <bcp14>SHOULD</bcp14> provide a configuration knob to
enable this functionality, ensuring that the transition to supporting
non-globally reachable addresses is an intentional administrative action
accompanied by a review of local security policies.</t>
      <t>Furthermore, administrators should not rely on the internal verification logic
of the translator to enforce security boundaries. Instead, explicit policies
such as access control lists (ACLs), firewall policies or NAT rules must be
used to define authorized traffic patterns through the translator.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC6052">
          <front>
            <title>IPv6 Addressing of IPv4/IPv6 Translators</title>
            <author fullname="C. Bao" initials="C." surname="Bao"/>
            <author fullname="C. Huitema" initials="C." surname="Huitema"/>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="M. Boucadair" initials="M." surname="Boucadair"/>
            <author fullname="X. Li" initials="X." surname="Li"/>
            <date month="October" year="2010"/>
            <abstract>
              <t>This document discusses the algorithmic translation of an IPv6 address to a corresponding IPv4 address, and vice versa, using only statically configured information. It defines a well-known prefix for use in algorithmic translations, while allowing organizations to also use network-specific prefixes when appropriate. Algorithmic translation is used in IPv4/IPv6 translators, as well as other types of proxies and gateways (e.g., for DNS) used in IPv4/IPv6 scenarios. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6052"/>
          <seriesInfo name="DOI" value="10.17487/RFC6052"/>
        </reference>
        <reference anchor="RFC1918">
          <front>
            <title>Address Allocation for Private Internets</title>
            <author fullname="Y. Rekhter" initials="Y." surname="Rekhter"/>
            <author fullname="B. Moskowitz" initials="B." surname="Moskowitz"/>
            <author fullname="D. Karrenberg" initials="D." surname="Karrenberg"/>
            <author fullname="G. J. de Groot" initials="G. J." surname="de Groot"/>
            <author fullname="E. Lear" initials="E." surname="Lear"/>
            <date month="February" year="1996"/>
            <abstract>
              <t>This document describes address allocation for private internets. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="5"/>
          <seriesInfo name="RFC" value="1918"/>
          <seriesInfo name="DOI" value="10.17487/RFC1918"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC5735">
          <front>
            <title>Special Use IPv4 Addresses</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="L. Vegoda" initials="L." surname="Vegoda"/>
            <date month="January" year="2010"/>
            <abstract>
              <t>This document obsoletes RFC 3330. It describes the global and other specialized IPv4 address blocks that have been assigned by the Internet Assigned Numbers Authority (IANA). It does not address IPv4 address space assigned to operators and users through the Regional Internet Registries, nor does it address IPv4 address space assigned directly by IANA prior to the creation of the Regional Internet Registries. It also does not address allocations or assignments of IPv6 addresses or autonomous system numbers. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5735"/>
          <seriesInfo name="DOI" value="10.17487/RFC5735"/>
        </reference>
        <reference anchor="RFC6146">
          <front>
            <title>Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers</title>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="P. Matthews" initials="P." surname="Matthews"/>
            <author fullname="I. van Beijnum" initials="I." surname="van Beijnum"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>This document describes stateful NAT64 translation, which allows IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP. One or more public IPv4 addresses assigned to a NAT64 translator are shared among several IPv6-only clients. When stateful NAT64 is used in conjunction with DNS64, no changes are usually required in the IPv6 client or the IPv4 server.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6146"/>
          <seriesInfo name="DOI" value="10.17487/RFC6146"/>
        </reference>
        <reference anchor="RFC6147">
          <front>
            <title>DNS64: DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers</title>
            <author fullname="M. Bagnulo" initials="M." surname="Bagnulo"/>
            <author fullname="A. Sullivan" initials="A." surname="Sullivan"/>
            <author fullname="P. Matthews" initials="P." surname="Matthews"/>
            <author fullname="I. van Beijnum" initials="I." surname="van Beijnum"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>DNS64 is a mechanism for synthesizing AAAA records from A records. DNS64 is used with an IPv6/IPv4 translator to enable client-server communication between an IPv6-only client and an IPv4-only server, without requiring any changes to either the IPv6 or the IPv4 node, for the class of applications that work through NATs. This document specifies DNS64, and provides suggestions on how it should be deployed in conjunction with IPv6/IPv4 translators. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6147"/>
          <seriesInfo name="DOI" value="10.17487/RFC6147"/>
        </reference>
        <reference anchor="RFC6598">
          <front>
            <title>IANA-Reserved IPv4 Prefix for Shared Address Space</title>
            <author fullname="J. Weil" initials="J." surname="Weil"/>
            <author fullname="V. Kuarsingh" initials="V." surname="Kuarsingh"/>
            <author fullname="C. Donley" initials="C." surname="Donley"/>
            <author fullname="C. Liljenstolpe" initials="C." surname="Liljenstolpe"/>
            <author fullname="M. Azinger" initials="M." surname="Azinger"/>
            <date month="April" year="2012"/>
            <abstract>
              <t>This document requests the allocation of an IPv4 /10 address block to be used as Shared Address Space to accommodate the needs of Carrier- Grade NAT (CGN) devices. It is anticipated that Service Providers will use this Shared Address Space to number the interfaces that connect CGN devices to Customer Premises Equipment (CPE).</t>
              <t>Shared Address Space is distinct from RFC 1918 private address space because it is intended for use on Service Provider networks. However, it may be used in a manner similar to RFC 1918 private address space on routing equipment that is able to do address translation across router interfaces when the addresses are identical on two different interfaces. Details are provided in the text of this document.</t>
              <t>This document details the allocation of an additional special-use IPv4 address block and updates RFC 5735. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="153"/>
          <seriesInfo name="RFC" value="6598"/>
          <seriesInfo name="DOI" value="10.17487/RFC6598"/>
        </reference>
        <reference anchor="RFC6877">
          <front>
            <title>464XLAT: Combination of Stateful and Stateless Translation</title>
            <author fullname="M. Mawatari" initials="M." surname="Mawatari"/>
            <author fullname="M. Kawashima" initials="M." surname="Kawashima"/>
            <author fullname="C. Byrne" initials="C." surname="Byrne"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>This document describes an architecture (464XLAT) for providing limited IPv4 connectivity across an IPv6-only network by combining existing and well-known stateful protocol translation (as described in RFC 6146) in the core and stateless protocol translation (as described in RFC 6145) at the edge. 464XLAT is a simple and scalable technique to quickly deploy limited IPv4 access service to IPv6-only edge networks without encapsulation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6877"/>
          <seriesInfo name="DOI" value="10.17487/RFC6877"/>
        </reference>
        <reference anchor="RFC6890">
          <front>
            <title>Special-Purpose IP Address Registries</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="L. Vegoda" initials="L." surname="Vegoda"/>
            <author fullname="R. Bonica" initials="R." role="editor" surname="Bonica"/>
            <author fullname="B. Haberman" initials="B." surname="Haberman"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>This memo reiterates the assignment of an IPv4 address block (192.0.0.0/24) to IANA. It also instructs IANA to restructure its IPv4 and IPv6 Special-Purpose Address Registries. Upon restructuring, the aforementioned registries will record all special-purpose address blocks, maintaining a common set of information regarding each address block.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="153"/>
          <seriesInfo name="RFC" value="6890"/>
          <seriesInfo name="DOI" value="10.17487/RFC6890"/>
        </reference>
        <reference anchor="RFC7050">
          <front>
            <title>Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis</title>
            <author fullname="T. Savolainen" initials="T." surname="Savolainen"/>
            <author fullname="J. Korhonen" initials="J." surname="Korhonen"/>
            <author fullname="D. Wing" initials="D." surname="Wing"/>
            <date month="November" year="2013"/>
            <abstract>
              <t>This document describes a method for detecting the presence of DNS64 and for learning the IPv6 prefix used for protocol translation on an access network. The method depends on the existence of a well-known IPv4-only fully qualified domain name "ipv4only.arpa.". The information learned enables nodes to perform local IPv6 address synthesis and to potentially avoid NAT64 on dual-stack and multi-interface deployments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7050"/>
          <seriesInfo name="DOI" value="10.17487/RFC7050"/>
        </reference>
        <reference anchor="RFC8781">
          <front>
            <title>Discovering PREF64 in Router Advertisements</title>
            <author fullname="L. Colitti" initials="L." surname="Colitti"/>
            <author fullname="J. Linkova" initials="J." surname="Linkova"/>
            <date month="April" year="2020"/>
            <abstract>
              <t>This document specifies a Neighbor Discovery option to be used in Router Advertisements (RAs) to communicate prefixes of Network Address and Protocol Translation from IPv6 clients to IPv4 servers (NAT64) to hosts.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8781"/>
          <seriesInfo name="DOI" value="10.17487/RFC8781"/>
        </reference>
        <reference anchor="RFC8190">
          <front>
            <title>Updates to the Special-Purpose IP Address Registries</title>
            <author fullname="R. Bonica" initials="R." surname="Bonica"/>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Haberman" initials="B." surname="Haberman"/>
            <author fullname="L. Vegoda" initials="L." surname="Vegoda"/>
            <date month="June" year="2017"/>
            <abstract>
              <t>This memo updates the IANA IPv4 and IPv6 Special-Purpose Address Registries to address issues raised by the definition of a "global" prefix. It also corrects several errors in registry entries to ensure the integrity of the IANA Special-Purpose Address Registries.</t>
              <t>This memo updates RFC 6890.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="153"/>
          <seriesInfo name="RFC" value="8190"/>
          <seriesInfo name="DOI" value="10.17487/RFC8190"/>
        </reference>
        <reference anchor="RFC8215">
          <front>
            <title>Local-Use IPv4/IPv6 Translation Prefix</title>
            <author fullname="T. Anderson" initials="T." surname="Anderson"/>
            <date month="August" year="2017"/>
            <abstract>
              <t>This document reserves the IPv6 prefix 64:ff9b:1::/48 for local use within domains that enable IPv4/IPv6 translation mechanisms.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8215"/>
          <seriesInfo name="DOI" value="10.17487/RFC8215"/>
        </reference>
        <reference anchor="EID5547" target="https://www.rfc-editor.org/errata/eid5547">
          <front>
            <title>Errata ID 5547: NAT64 Well-Known Prefix SHOULD NOT be used for Private Use IPv4 Addresses</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 281?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank Mohamed Boucadair, Nick Buraglio, Lorenzo
Colitti, Brian Carpenter, Goetz Goerisch, Suresh Krishnan, Ted Lemon, Jordi
Palet for their helpful comments and suggestions on this document.</t>
    </section>
    <section numbered="false" anchor="appendix-example-flow">
      <name>Appendix: Example flow</name>
      <t>To illustrate the updated normative behavior, consider an IPv6-only network
utilizing 464XLAT <xref target="RFC6877"/> where an administrator wishes to provide access to
an internal, IPv4-only corporate service hosted at 10.1.2.3.</t>
      <section numbered="false" anchor="scenario-a-unmanaged-clat-to-managed-plat-flow">
        <name>Scenario A: Unmanaged CLAT to Managed PLAT Flow</name>
        <t>An IPv4-only application on an unmanaged client device generates an IPv4 packet
destined for 10.1.2.3.</t>
        <t>The local CLAT intercepts the IPv4 packet and synthesizes an IPv6 destination
address by prepending the Well-Known Prefix: 64:ff9B::10.1.2.3.</t>
        <t>CLAT Behavior: Under the updated guidance in Section 3, the CLAT <bcp14>MUST</bcp14> translate
this packet by default, ignoring the non-globally reachable nature of the
embedded IPv4 address, and forward the resulting IPv6 packet to the network.</t>
        <t>The IPv6 network routes the packet to the managed PLAT (NAT64 gateway).</t>
        <t>PLAT Behavior: Upon receiving the packet destined for 64:ff9B::10.1.2.3, the
PLAT evaluates its local configuration:</t>
        <t>Permit: If the administrator has explicitly enabled translation for
non-globally reachable addresses (or left the default translation behavior
enabled), the PLAT translates the packet back to IPv4 and forwards it to
10.1.2.3.</t>
        <t>Drop: If the administrator relies on a default-drop posture for non-globally
reachable addresses or has explicitly configured an access control list (ACL)
blocking this range, the PLAT drops the packet.</t>
      </section>
      <section numbered="false" anchor="scenario-b-native-ipv6-host-to-managed-plat">
        <name>Scenario B: Native IPv6 Host to Managed PLAT</name>
        <t>An IPv6-capable host (without a local CLAT) needs to communicate with the same
internal service. It acquires the destination address 64:ff9B::10.1.2.3 (e.g.,
via DNS64, local synthesis, or explicit application configuration).</t>
        <t>The host transmits the IPv6 packet, which is routed to the PLAT.</t>
        <t>PLAT Behavior: The PLAT applies the same configuration logic as in Scenario A.
It <bcp14>MUST</bcp14> translate the packet to IPv4 and forward it to 10.1.2.3 unless local
administrative policy configures it to drop the packet.</t>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA71abXLbSJL9X6eo1fxYaYOkW7Ys29zpmZZldbfGsqy15PB0
OBTRRaBI1ggEOCiANN3REXuIOcCcZY+yJ9mXWR/4IOn2zG6sHWGTIFCVny9f
ZmE4HIrKVJkey4Prs7vTE/nh9c2BUJNJqVe4lqvq9GS4flgOj18cPz8Qiar0
rCg3Y2mrVIi0SHK1wMNpqabV0OhqOlydFks77D44/OaJsPVkYaw1RV5tlnjk
8uLue1EvU6xox7KcJqffPH0s8nox0eVY0OWxSIrc6tzWuKEqay0g0hOhSq0g
2tulLlWF5axUeSrfqFzN9ELn1YFYF+XDrCzqJW67vFmdyubeA/GgN/g9HQsp
h9IsV6f8geXlT5BZrHRea7pj7ypSOi0OPmAvk8/kD3QnXV8ok+E6m+E7ssio
KGf0gyqTOX6YV9XSjh89ovvoklnpUbjtEV14NCmLtdWPeIVH9OTMVPN6gmen
dVlujp88IlMNne3Ixs43QtXVvIDt5BDPSOk880GVpc7l63qhSsPXTQ5zfhi1
L2FrlZvPrNxY/lAUs0wP5NXVOf+qnUprXum7B35slOtKhJ2mdZa53f6Era5M
/lCs1Ncv7LX6bkZfR0mxECIvygUeWrET3n1/Tgr7j6TsWAiTT3v3PH325Gm4
/fjktPn4LHx8+uJ5+Pj8Wbz6/MU3/uOzb56Gj8+fPT8OH4/jDc8fH/MWF5ev
nj516yIQfP5clIgOJS9fSf5N+nzSWTZ8nRfrXN6Uemo+ydsf376/eiWv397J
iZa11amEKvjVrOBP+d5qiXA7kWdpWmprNUcbtlHlTFdjGeJnvV6PkDVDnZqq
KDl6NEvwSJuUJBBCjEYjIYbDoVQTW5Uqgcvu5sZK5G1NqSIXRWqmRltZzbUs
9V9rU3IOIUiqskjrBMKZXN7qhDwon4yOZTGVH71H7kU1VxU/u0/Z05PxdPri
5Xj86MWpfPP+9q6jd1Vg0yW0xJbweT6cZcVEZdkGl1UyV5PM20IFWwykrZO5
VCRxAUul2CV3Qn70wXGPqBOZsVVX9scj/I3Sw+n3I3kHyZdlsSxIGOyXz7TU
OW1rad/TYZFnGwiWkoUKJxQLxD9Iq8uVSfDbGgkq7VInMGYi9ygSdRCTjcz0
CmAyI+Qg820ZbtT3lEfKva6QhwfvNJxsEoeJuIUWpmjCbfgotvY4OCKlIGWx
lkuVPOjKksHWc0MWzoPAEmIgKZ2R9q3FGPxbFui6kjafaIG4zG0G3VIfqwuT
ppkW4nfy0gchaSTEXs3hwbmZmIp9dvKIsTqsWpRWTstigXjztt4h+yGK3qAT
qked0PySPuIfDU25PzRFE5re/WXjUslfM0Y8ij1oaGbzCtABYOZUMotlFrJX
vrq+RUJ+9Ah4PxbKX6Kg1aW0dPdGqlVhUivtJodprPlMRoLrz/AHuyUolI3l
iBtI4wKgKA2CV2Uy3oZaXSlD1fhr3D+SPxZryoEBljNW7MQeyGVmOUWUwuUi
lF/sihWzTCNdLWOn3cCkCzI84CgtkLEV2WpDWeC0pvCEcJVWpJCWWZFgmaC2
ja47vzq7k4fnta2KhS6H1qRa3MVYGnjwePbs/mhAvoQVqYpLtUQQQk9t4bmL
vNLlsjTYhrYtsEUpk4zzB2WT2Anyc1qhVnq1G7CRAWzAfRaLOjfEuBy+TLAQ
2UaXZIFDPZqNBt45TXzFaDzivfUnd7s4vOQHdXXUwi/sVMGJDBgODDvx9gXc
R2KAI1XeblEpl2mVyVwghZiBJAPJXO6vNZ7KNgN3J7kI9wnssKwnGYCjHaLW
6Sh9hNOCZC5I6JwedJOfi9yhiVtE8CJHHsecNLqJ3xx+S+EQ3L9Qn+A//Ejw
BjNMcGu1gQffu5BfF76uLRknsMl//+ff4kokQ7Bqx5RseSWunVWGtwEVA9pc
394c8dNfB5O0JzKEYlrJqVbW0E22yGr2jVuIggb5QZyIRO+HN+4p6zynnyjC
R+IaNvNgjuhKNUfDMis2iFGns5f2lbFJAW9s5EJThTQWeXb40bOl+wFjFrGl
+yMC4hXWgpgLDQxMnY2X+B4rQ9ue9DPtj87AwoTAv57mpJrzoqmknRd1lgbq
ACedJYQ77KiiidQQp046BiNItEBCc97D1Ki9qiRgjl5dz3UutqzHdSTUwGjK
kTzvBDLw0O+RektZzlTRCn7HkG5RY6DH2kAEEoXzOcrQqTfbQdEzDWUrsYN6
mRFCkOYtqMSDFNH8E4GoTuoSgS2XBS6B7Q1QdIuaWM68KBC2s0ELqNowq8hv
lQ2B4vMctr/xJbed5T6lvQ70y1fFtyimUzJaXnAgVJDfYOuJzmGZiuzSgCNl
HH1ZFLaKEUs1Awa5RHpkthCtRXp28OJTrsJW0TETPVcrg6WhJScS9PsBRTb3
pDjRveKjP+GL0XmiCU2cEKRuIyct3RJUBIDkACC/QYKSbREJWJuw4CLHqiQY
yrQPEnFo8iSr05bNezSFgrtPl0s9A3hmFMPOi6YUO3yyH41gzKoOAcesgaOM
Y25NKSlmuJncgd8AAA5qGXYRcj5yPPLqpjIGk8DYYHrIKaonET1fEXcy/J2Y
kJbo2iW17VYeUBdxMHD/UzdBn99d/Mf7y3cXr+jz7Y9nV1fxg/B3uK6r+dQ8
ef72zZuL61fuYepOOpfEwZuznw5cghy8vbm7fHt9dnVAylQdfq5K7QitK9Fw
CZE8ZQV8nZRm4hjfy/Ob//r78Yn85Zd/AUY9Pj5+8euv/svz42cn+EJY5NOR
Isl9hQk3AhwDwEWrkJ8TtTQVAn5ArAV5DDaL7NUw5799JMvcj+XvJ8ny+OQP
/gIp3LkYbNa5yDbbvrL1sDPijks7tonW7FzvWbor79lPne/B7q2Lv/9jBnYt
h8fP//gHCqHfyTtN6F1kxWzTb55KXVvf5LbuImDkMO50E2T6j77tv3fR6X+T
77kH+//pzBSVP0IGOxbiLex6d/HnO3z89ttvXUZstzFfbK9b6d3HCPHP9i2x
2NLoBe20n1iINpZFoWKf93/Ta6p9Cv07Z4vbN0VvT19t3HTkLXh98eFrLHr2
025jcjXcZ9DW8KFFzH1Y0RCKwup9vuCJJRqnDLWk4lajUwUOiamBx7MmX7Se
2G+9HUr5umf1HsTvUA05oTI7VXVWubJPBK/cIezNTmE5soLEdc5lCI3A1Mzq
UqeCGcca5WAkX+pEcdFLkZ6Gulted6E2sZMjby599Ws8SoELE3BhSogndtgO
GBpJ1vTGnqKTZxOwH7YCs4yu0CKs3tK/aVlZrZ3rehCMTFgEbV3BfMiLCW3m
hkxxz8Djd4bqGXEjH09+xkjjPZBwP+i7P0IU//zzz85xQXDuGZd+qNhqT1r8
mmoWiCB+IQs3gxhPunpr+VjfvRRkA7U/ORmJW9cSEzdGXjOJdsu4VdSuBbq0
UUWxO5HYACo4LqVlV2C32Ulvs/1Ck2ddN+KHJKdIy0ti8yenJ38m3/IsAHtx
gMTo2CNdlKDpGZrBiduHRqDLdg6qao+GXPFdmfDqUB6QHP+Y2i1Vaa2gGEfu
IRE7Pa0zJ92RZ3huCupqJTEZ4r4OSeCelILfjVLQgKIEkoLgzhkXQLpJ56mL
b2qvwFcN0mPEwSne6QWSwltk/6wZNpBcbdv1tDU0pGmRG3SPqDa/bRFz6swI
nlRDHBHhZDqYLVE+TmNH2SfiaAqKspuUUD14G+DUQUbSJK3dg2Eo4yCHiiU1
gplycBV/jpyXmhWoAfAoSupVaBHK8YGcN1MxREd7lThkMT7MmjgQ3ZSmNqgn
AMeIc50tmo6He1HYJo6xkrJA/QZ6VUVSZNbRXC1XylII/qUoPacnpGaDjuRF
vjJlkXMXRlBteFaXi9iEBwd4l3N8JNQyaNkBRxvqWcgobDw1GWzHM6KOJ2Tf
E24sCeUNVQNu0ZIq+tB1gYo6NkoQ7s3jBNM2cTZiInnxyVgGopfeTogk7a4w
L9/dCnLm6fDo+a7icMiDgUUxMZkbDVIBdl+PJLYiG620ymCjuZnNqaXKaWxG
dCKvGre5ni7Ms6MiXzm8G8kPc8MTpIXuiyjcCqFx3jitOuZqZy7pwBwrFAqH
s+5E62sPdMCDNn720J9EMQMSLAraKbKHT9H+bJzxNEJ0g5s2DNJbhkSCuvD7
mvHySPoxnnC/EyehHKvzgBpA9BRS4CsJXnF7oSmPcY+neIM2x0NDGA6NkHxA
29QRgSmNx1JYNvHIHmGDDRbOmhxMizpv9tUNMyIOEeCLvk6jZ3zX4QSRzN8s
IQ2sKvYPSQY7hkfe2J0BEsz8ciP5RLY1+22HCuNZtMju/CDyKDpubNG8hojJ
Q1A+13V125EjJxsPVEgGqnPR3B2K11l60GvlPXlDLaRJ4YAmIHlKCfcZUEuH
CGXtW7n2oYsuw5AEgVlkK18QYb2yP0BSiwlQD0YdCHq7gfBNtt0ZE93hsev3
neN0UoTDDqcqRbAHgiBnk7RLOvM1CWctbq3opBcxsShQJPPOKC1OrPjEsz1Y
E+L7uqTsXCDzBjSQKPXOniXkYX/2zOliKQu45gpvkcwRmjjQJtawoG3lwqU4
YJyG1O3lHXsaSM3zZMIVAeBPDU0Qnef8NJXnve3T9eYezqbuyUdrGC7+V8Nw
2QzDxT8xDFfNKLzfUn55FE5Vy88TPFzJ3qkDnWnw7ypmeBTDCxCmAF7wlDLu
o3/p4R7ZobkPoaMfmkJqn+HgdPA2FrZtukangNwKtiAArKe9vXO2FXsFGmxN
Z7unlFt8oN0GU2j5QyqnSUgOd85V/4YxXDsZOO0nVzf8Iy6+YwD4A8iWZO0m
gE77FbfjuYPALSV9O15qCFnW9OYBOrJGwPbBmPDIUu7lZczJeCSY0esi0kJU
3T1cC2ughtjmWOxLp2Fg2behCvQp9pWeAVYWTvHYLjJG0NJsil3N165Jxesb
0Z/s7CUOMR6BKvlcl+E0JrQScOxaxNqVdKQmAqSZb7RyMVTgKQ3jJ4gKrfPQ
0TlQtEVdJnpr+LQtYlvfQ0Jx8BtellL8i6yo9eQRmShz1qUgJyCFi6pKcypw
EIZzBSy8dBNNFq6ZoBhQSteTtIYXkaMy/Ih+EQ5c2feSsR0jGHe02tET5n3t
+c5InG3Pbpj38ymvywCiYmFSE8m9w4tJje9D6iy920STY45nrXjcmrv33Kga
o0AmvvnuNOUmn5bK1emaihYEgrsF15SoL20MhXZNjYxuarnvG/B5qUoU05qH
G3wCjtxyL1sEVuMAnWdhR+iBm8YIWfSGXrXaNNSIzvepo04biIuHQQ6KfaS7
PHGHIWRTinLuYBRqhUelqEe06aA1Y4qB7d+QWFN6kgKmqC3r4k7zHFLS0s1o
719tpF2IMJPALoAKSDNzPIpsZOxDE1aia4yvDa/WW3GKVPBHVWHvyHCDsVBN
3Osc7nRka/Amdw7eRDAKyT2t88QxMqJiMlKx+FIbW4ENT66x9ZLadVLxt97w
8l2om594ztfNSuVeakL8EtjmxpleUQNo9Dpm+I647PGx3rzUU4P2CzBhksO9
BBCgOb5jhwoPv43L3QAHZS3Rzf6Toqb6yZkRLR/DLkgXjxJ8YtJLQWWR8dkB
mNLZ+ZUFSZ+CEayJ1IbHqG9BuPj658mbCGN3dyAhW2kfYnrJeEhEfI5+ZDbv
KcIDosuz67Mdk6E24Z8rPn7mO51j+FiSXkabANtolbMEEbRGZz7jfBa/jN2b
yjr99mCqMqsPfnWHCE5K645GofeDdq85qPxBvinmagHxXxZ1olJlAMbXJnmQ
LxGls8wUA3kFn+afC3EOw1SVGciXJXJFnqtyyS3GQP5Q6Ooz/YusS+YDeQuA
s3P5Gl/nuULDdocNrkDL8PFP9H6EuAFMVWG8bEo519mSxn4OgCrXSNh6NqPi
Ew+oWvZhM54tIUFqPo3lxSdFOc2AAjvIHYYQwAh0tzWHpT8Q9v1afLM3ZvIg
ludOvQ3UTDTvE4X5ZXwJyzMNPj9qpQGgxc79K0EBD0KhED4vKRsGrXehkqJE
dvP433XaaOH5FAdYcPzN6Hj0ePTEjYduE4BIaQp5Npbvuw0tNnzjv/OM9fv9
JjrLW5urZfMeB3dRrU7ZN36ujZUznVMUa9sb/Ir25KUtMMWkgxLXcpPqiV5W
NvCzODrmMAg8Nm7QoW+iNVBG/eCI2PcG67h5obIlDgsR5mpkv9RBfYwP9MWp
8q9WxMbetQL8bPeASXCgegWaCcHADYqCbHvgGjoheULjp+GilMpxm2Y6eh7f
sXRvyGGDSPP91v5NpuYFmbtAfgNFo3MW3090n1m0A+bQFU2qrWu1OaIjt57B
lkXO76SYOEr3y3UCYMv0bEG3GPGWmkOIXpl1sdEplmPsSmOsakwdGzONTnYR
XAbkh0FdSU37h1m/XSSJG2d66mptKPTtVQJC+KqdHrk4YC1iCHRsSnAdT69a
riNdKflbkfgKjGKPgkT6NOOgCnIN3ZgTkEAh0395T+xSb9tSzcknQ9Z2ieQK
eSQmcMqDcy/RKzqQaWlOkrSV7qHSy7G8dgDL8fcjRO7j0hch6XSYqCWrQgAo
D4mmUUeqWjByhLDWKQPs1muqfFSEMici5/CA6l7RSngeYL3PtxvDrcj1b7qK
lfFvMA/6EyZ+EzdSkTaWdsL6yKclq8XhszANDIZUHoQxi3Upm4Y8veH3Jvv5
eBe8wtt6vUj9Hv9kqkXEiGAtFpCRgEl6R+ZdhOgHsovjCPDhTN21gzs7vybq
fBLEtyJi/PwPWGs2fQY2AAA=

-->

</rfc>
