Internet-Draft claton May 2024
Linkova & Jensen Expires 25 November 2024 [Page]
Workgroup:
IPv6 operations
Internet-Draft:
draft-link-v6ops-claton-03
Updates:
8585 (if approved)
Published:
Intended Status:
Informational
Expires:
Authors:
J. Linkova
Google
T. Jensen
Microsoft

464 Customer-side Translator (CLAT): Node Recommendations

Abstract

464XLAT ([RFC6877]) defines an architecture for providing IPv4 connectivity across an IPv6-only network. The solution contains two key elements: provider-side translator (PLAT) and customer-side translator (CLAT). This document provides recommendations on when a node shall enable or disable CLAT.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 25 November 2024.

Table of Contents

1. Introduction

464XLAT is widely deployed in 3GPP networks (as described in Section 4.2 of [RFC6877]) where a mobile phone performs the CLAT function, providing a private IPv4 address and IPv4 default route for the applications and tethered devices. Enabling 464XLAT allowed mobile operators to migrate User Equipment (UE) devices (also known as mobile phones) to IPv6-only mode, where those devices are only assigned IPv6 addresses.

Until recently, IPv6-only hosts were rather uncommon outside of mobile networks and datacenters. Even if the network provides PLAT in the form of NAT64, hosts like desktops and laptops still need the network to provide IPv4 addresses, as otherwise IPv4-only applications fail. However, as more and more operating systems outside of the 3GPP world support CLAT, it becomes possible to migrate those devices to IPv6-only mode. Networks such as public Wi-Fi, enterprise networks, or even home networks can deploy 464XLAT as described in Section 4.2 of [RFC6877]:

Another 464XLAT deployment model is a Wireline one (section 4.1 of [RFC6877]), when a CPE router is connected to an IPv6-only network and provides CLAT functions for IPv4-enabled downstream devices. [RFC8585] specifies 464XLAT support requirements for such devices.

For both scenarios to work, the node performing CLAT (such as a host or a CPE router) need to enable the CLAT when connecting to an IPv6-only network. This document complements [RFC6877] by providing recommendations for the node developers on enabling and disabling CLAT functions.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Terminology

4. Multiple Interfaces Considerations

A node may have multiple IPv6-only interfaces (for example, a mobile phone can be connected to an IPv6-only Wi-Fi network and to an IPv6-only mobile network). In that case the node SHOULD run an independent, dedicated CLAT instance on each interface connected to a network equipped with PLAT. Consequently, each CLAT instance SHOULD install a separate default IPv4 route on each CLAT-enabled interface. The metrics of IPv4 routes SHOULD be consistent with the metrics of IPv6 default routes.

5. Enabling CLAT

For performance and security reasons CLAT SHOULD NOT be enabled if the node has IPv4 connectivity over the given interface. Therefore recommendations provided in this section are applicable to an IPv6-only node (a node which does not obtain an IPv4 address via DHCP or static configuration).

To enable CLAT, an IPv6-only node needs to discover the PLAT-side translation IPv6 prefix, also known as the NAT64 prefix (see Section 6.3 of [RFC6877]). The PREF64 Router Advertisement option ([RFC8781]) provides that information and can be used as a strong indication that the network supports NAT64 (PLAT) functionality. Therefore an IPv6-only node SHOULD enable CLAT as soon as an Router Advertisement containing PREF64 option is received.

If RAs received by the node do not contain a PREF64 option, the node MAY use other mechanisms to detect the PLAT presence and obtain the NAT64 prefix (such as [RFC7050]). When discovering the NAT64 prefix using the mechanism defined in [RFC7050], the node MUST follow recommendations provided in [RFC8880]. Specifically, the node MUST send the query to the DNS servers for the specific network interface per Section 7.1 of [RFC8880]. In particular, queries for AAAA resource records of "ipv4only.arpa." MUST be sent to the recursive resolvers provided by the network, not to the resolvers configured manually, local recursive resolvers etc.

Any delay in enabling CLAT on an IPv6-only node would be impactful for IPv4-only applications, as such applications cannot benefit from 464XLAT until CLAT is operational. Therefore it's desirable that the node enables CLAT as soon as network support for PLAT is detected while IPv4 connectivity is not yet detected. The node SHOULD enable CLAT after discovering the NAT64 prefix, unless by that time the node has already obtained an IPv4 address. The node SHOULD NOT wait for an explicit (DHCP Option 108, ) or an implicit (DHCP timeouts) indication that native IPv4 connectivity is not available. However, to mitigate attacks described in Section 7 of [RFC7050], the node MAY delay enabling CLAT if the NAT64 prefix was discovered via DNS ([RFC7050]). The delay is implementation specific. If IPv4 connectivity becomes available later, the node SHOULD disable CLAT as discussed in the following section.

The node MUST follow recommendations from Section 4 of [RFC7335] to avoid IPv4 address space conflicts.

6. Disabling CLAT

From a performance perspective, native IPv4 connectivity is preferrable over 464XLAT, so CLAT SHOULD NOT be enabled if the node has IPv4 connectivity over the given interface.

It is possible that after the CLAT instance has started, native IPv4 becomes available (e.g. an IPv4 address received via DHCP). The node SHOULD disable CLAT immediately upon obtaining an IPv4 address via DHCP or a non-link-local ([RFC3927]) IPv4 address through manual or automated fallback configuration.

While disabling CLAT is impactful for all applications and traffic flows already utilizing CLAT, it is recommended not only from performance perspective, but also from security point of view. Because IPv4-only networks are inherently IPv6-ignorant, they might lack IPv6 layer2 security features, such as RA Guard. that would prevent spoofed RAs. An attacker can send an RA containing the PREF64 option, while the network doesn't provide any PLAT functionality. If the node keeps CLAT enabled and uses it for IPv4-only destinations, that traffic could be blackholed (availability attack) or routed through an attacker-controlled route (active attack on insecure traffic or hoarding secure traffic for "Harvest Now, Decrypt Later" attacks for non-PQC secure traffic [draft-ietf-pquip-pqc-engineers Section 8] ). Rogue RAs can also disturb traffic to destinations that support both IPv4 and IPv6 by causing IPv6 through an attacker's PLAT to be used instead of the legitimate network owner's IPv4 path.

7. CLAT Addresses Considerations

7.1. CLAT IPv4 Addresses

There are two different models in 464xlat deployments:

  • A dedicated prefix model, which Section 4.1 of [RFC6877] calls "wireline network architecture". In that case, the node performing CLAT functions also extends the network downstream and provides network connectivity services to other connected systems. Those systems can be physical (e.g. various clients connected to a CPE router), or logical (e.g. virtual systems running on a node, while the host system acts as a router and performs CLAT). In all those cases, systems behind the CLAT node usually use [RFC1918] addresses.

  • A single-address model, which section 4.2 of [RFC6877] calls "wireless network architecture". In that case, the CLAT instance provides an IPv4 address and the default route to the local node's network stack only. It should be noted that [RFC6877] implies that the second deployment scenario is limited to 3GPP cases, while currently it is also deployed in other types of networks, such as enterprise and public Wi-Fi networks, where hosts (as mobile phones, laptops and desktops) use CLAT to provide connectivity to IPv4-only local applications. Despite the word "wireless" in the name, this architecure is applicable for wired networks as well (e.g. desktops or servers using wired connections).

In the latter case, the CLAT instance needs a single IPv6 and a single IPv4 address only. The node providing CLAT functions to local applications SHOULD use IPv4 addresses from the dedicated 192.0.0.0/29 range ([RFC7335]), reserved for IPv4 continuity solutions including but not limited to 464XLAT. If the node runs multiple CLAT instances (see Section 4), the node SHOULD use different local IPv4 addresses for each CLAT instance. This means that it is not possible to run more than 8 CLAT instances per node. The node MUST NOT send packets on wire from the local CLAT address.

The host SHOULD use 255.255.255.255 as a netmask for the CLAT address. That allows all 8 addresses from 192.0.0.0/29 to be used, if needed.

It should be noted that 192.0.0.0/29 is shared between multiple IPv4 continuity solutions such as 464XLAT and DS-Lite (see [RFC7335]. For example, Section 10 of [RFC6333] reserves 192.0.0.1 for the Dual-Stack Lite default router. However, as per Section 4 of [RFC7335], the host MUST NOT enable two active IPv4 continuity solutions simultaneously in a way that would cause a node to have overlapping 192.0.0.0/29 address space. Therefore, as long as the host is not using DS-Lite, it MAY use 192.0.0.1 as a CLAT address.

7.2. CLAT IPv6 Addresses

Section 6.3 of [RFC6877] recommends that the CLAT instance acquires a dedicated /64 for translating between IPv4 and IPv6, and only uses a single interface IPv6 address if a dedicated prefix is not available via DHCPv6-PD. However, deployments where each node can obtain a dedicated /64 just for CLAT are rather uncommon, to say the least. In most cases, the CLAT instance uses a single IPv6 address as a source for all IPv4 traffic translated bt CLAT.

The CLAT instance SHOULD obtain a dedicated IPv6 address used exclusively for CLAT functions. This is required as when the node receives a packet from a NAT64 source, the node needs to differentiate between native IPv6 traffic and traffic which needs to be passed to the CLAT instance. For example, an ICMPv6 Echo Reply packet from 64:ff9b::203.0.113.1 can be a response to either an IPv6 ping to 64:ff9b::203.0.113.1, or an IPv4 ping to 203.0.113.1, translated by CLAT. Using a dedicated IPv6 source address for CLAT traffic allows the node to make that distinction without keeping state and operate in the stateless mode (see Section 1.3 of [RFC6145].

In accordance with Section 5.4 of [RFC4862], the node MUST perform Duplicate Address Detection for each dedicated CLAT address.

If the dedicated CLAT address is obtained via SLAAC, the CLAT instance SHOULD ensure that the address is checksum-neutral for the given local IPv4 CLAT address and the NAT64 prefix (this means that the local IPv4 address needs to be assigned/known before the IPv6 one is configured). Using a checksum-neutral CLAT address provides the following benefits:

  • Better performance as CLAT doesn't need to recalculate the checksum.

  • If a protocol uses the standard IP checksum, CLAT doesn't need to recalculate the checksum. That improves the chances of the protocol working via CLAT even if CLAT is not aware of the protocol's semantics.

The node SHOULD generate a different interface id for the CLAT address when connecting to different networks, even if the NAT64 prefix and the local IPv4 CLAT address do not change. To achieve that, the node SHOULD generate a random checksum-neutral CLAT address every time.

7.2.1. CLAT and Multiple Prefixes per Interface

The CLAT instance SHOULD obtain a dedicated IPv6 address from each prefix used to configure IPv6 addresses on the given interface. When selecting an address to be used as a source address for the translated packet, the following rules are applied:

  • All packets with the same IPv4 5-tuple MUST be translated to the same IPv6 address.

  • When translation for a new IPv4 5-tuple is performed by the CLAT instance, the instance SHOULD comply with requirements defined in Section 3 of [RFC8028], in particular Sections 3.2 and 3.3 of [RFC8028]. This is needed to ensure that the CLAT is operational and selects the source IPv6 correctly in multihomed environments or if the link subnet has been changed (renumbered).

8. Updates to RFC8585

This document makes the following changes to Section 3.2.1 of [RFC8585]:

OLD TEXT:

===

464XLAT requirements:

===

NEW TEXT:

===

464XLAT requirements:

464XLAT-0: The IPv6 Transition CE Router SHOULD follow recommendations provided in draft-link-v6ops-claton.

===

OLD TEXT:

===

464XLAT-4: The IPv6 Transition CE Router MUST implement [RFC7050] ("Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis") in order to discover the provider-side translator (PLAT) translation IPv4 and IPv6 prefix(es)/suffix(es).

464XLAT-5: If PCP is implemented, the IPv6 Transition CE Router MUST follow [RFC7225] ("Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)") in order to learn the PLAT-side translation IPv4 and IPv6 prefix(es)/suffix(es) used by an upstream PCP-controlled NAT64 device.

464XLAT-6: If the network provides several choices for the discovery/learning of the NAT64 prefix, the priority to use one or the other MUST follow this order: 1) [RFC7225] and 2) [RFC7050].

The NAT64 prefix could be discovered by means of the method defined in [RFC7050] only if the service provider uses DNS64 [RFC6147]. It may be the case that the service provider does not use or does not trust DNS64 [RFC6147] because the DNS configuration at the CE (or hosts behind the CE) can be modified by the customer. In that case, the service provider may opt to configure the NAT64 prefix by means of the option defined in [RFC7225]. This can also be used if the service provider uses DNS64 [RFC6147].

===

NEW TEXT

===

464XLAT-4: The IPv6 Transition CE Router MUST implement [RFC8781] ("Discovering PREF64 in Router Advertisements") and [RFC7050] ("Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis") in order to discover the provider-side translator (PLAT) translation IPv4 and IPv6 prefix(es)/suffix(es).

464XLAT-5: If PCP is implemented, the IPv6 Transition CE Router MUST follow [RFC7225] ("Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)") in order to learn the PLAT-side translation IPv4 and IPv6 prefix(es)/suffix(es) used by an upstream PCP-controlled NAT64 device.

464XLAT-6: If the network provides several choices for the discovery/learning of the NAT64 prefix, the priority to use one or the other MUST follow this order: 1)[RFC7225] 2)[RFC8781] and 3) [RFC7050].

[RFC8781] allows the service provider to signal NAT64 prefix independently from DNS64 presence. At the same time the NAT64 prefix could be discovered by means of the method defined in [RFC7050] only if the service provider uses DNS64 [RFC6147]. It may be the case that the service provider does not use or does not trust DNS64 [RFC6147] because the DNS configuration at the CE (or hosts behind the CE) can be modified by the customer. In that case, the service provider may opt to configure the NAT64 prefix by means of the option defined in [RFC7225]. This can also be used if the service provider uses DNS64 [RFC6147].

===

9. Security Considerations

If a malicious actor spoofs PLAT presence signals (such as an RA with PREF64 option) or DNS responses for DNS-based NAT64 prefix detection ([RFC7050]), traffic of IPv4-only applications using CLAT can be affected:

Using the PREF64 RA option to detect PLAT presence and the NAT64 prefix is less prone to such attacks, as the attacker needs to be on-link and be able to bypass layer-2 security features such as RA Guard.

10. Privacy Considerations

This document does not introduce any privacy considerations.

11. IANA Considerations

This memo does not introduce any requests to IANA.

12. References

12.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC3927]
Cheshire, S., Aboba, B., and E. Guttman, "Dynamic Configuration of IPv4 Link-Local Addresses", RFC 3927, DOI 10.17487/RFC3927, , <https://www.rfc-editor.org/info/rfc3927>.
[RFC6146]
Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, , <https://www.rfc-editor.org/info/rfc6146>.
[RFC6333]
Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, , <https://www.rfc-editor.org/info/rfc6333>.
[RFC6877]
Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: Combination of Stateful and Stateless Translation", RFC 6877, DOI 10.17487/RFC6877, , <https://www.rfc-editor.org/info/rfc6877>.
[RFC7050]
Savolainen, T., Korhonen, J., and D. Wing, "Discovery of the IPv6 Prefix Used for IPv6 Address Synthesis", RFC 7050, DOI 10.17487/RFC7050, , <https://www.rfc-editor.org/info/rfc7050>.
[RFC7335]
Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, DOI 10.17487/RFC7335, , <https://www.rfc-editor.org/info/rfc7335>.
[RFC8880]
Cheshire, S. and D. Schinazi, "Special Use Domain Name 'ipv4only.arpa'", RFC 8880, DOI 10.17487/RFC8880, , <https://www.rfc-editor.org/info/rfc8880>.
[RFC8028]
Baker, F. and B. Carpenter, "First-Hop Router Selection by Hosts in a Multi-Prefix Network", RFC 8028, DOI 10.17487/RFC8028, , <https://www.rfc-editor.org/info/rfc8028>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC8781]
Colitti, L. and J. Linkova, "Discovering PREF64 in Router Advertisements", RFC 8781, DOI 10.17487/RFC8781, , <https://www.rfc-editor.org/info/rfc8781>.
[RFC8585]
Palet Martinez, J., Liu, H. M.-H., and M. Kawashima, "Requirements for IPv6 Customer Edge Routers to Support IPv4-as-a-Service", RFC 8585, DOI 10.17487/RFC8585, , <https://www.rfc-editor.org/info/rfc8585>.
[RFC8925]
Colitti, L., Linkova, J., Richardson, M., and T. Mrugalski, "IPv6-Only Preferred Option for DHCPv4", RFC 8925, DOI 10.17487/RFC8925, , <https://www.rfc-editor.org/info/rfc8925>.

12.2. Informative References

[RFC1918]
Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. J., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, , <https://www.rfc-editor.org/info/rfc1918>.
[RFC4861]
Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, DOI 10.17487/RFC4861, , <https://www.rfc-editor.org/info/rfc4861>.
[RFC4862]
Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, DOI 10.17487/RFC4862, , <https://www.rfc-editor.org/info/rfc4862>.
[RFC6145]
Li, X., Bao, C., and F. Baker, "IP/ICMP Translation Algorithm", RFC 6145, DOI 10.17487/RFC6145, , <https://www.rfc-editor.org/info/rfc6145>.
[RFC7225]
Boucadair, M., "Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)", RFC 7225, DOI 10.17487/RFC7225, , <https://www.rfc-editor.org/info/rfc7225>.

Appendix A. Enabling and Disabling CLAT: Flowchart

YES Has non-link-local IPv4 address? CLAT Disabled NO NO NO PLAT prefix Start DHCP Received PREF64 in RA? discovered via RFC7050? YES YES Wait for DHCP Offer Enable CLAT YES Option 108 Present? NO
Figure 1: Enabling and Disabling CLAT Instance

Acknowledgements

Thanks to Ondrej Caletka, Stuart Cheshire, Lorenzo Colitti, Ted Lemon, Jordi Palet, Dieter Siegmund for the discussions, the input and all contribution.

Authors' Addresses

Jen Linkova
Google
1 Darling Island Rd
Pyrmont NSW 2009
Australia
Tommy Jensen
Microsoft