RFC 2765 Network Working Group E. Nordmark Request for Comments: 2765 Sun Microsystems Category: Standards Track February 2000 Stateless IP/ICMP Translation Algorithm (SIIT) Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. Abstract This document specifies a transition mechanism algorithm in addition to the mechanisms already specified in [TRANS-MECH]. The algorithm translates between IPv4 and IPv6 packet headers (including ICMP headers) in separate translator "boxes" in the network without requiring any per-connection state in those "boxes". This new algorithm can be used as part of a solution that allows IPv6 hosts, which do not have a permanently assigned IPv4 addresses, to communicate with IPv4-only hosts. The document neither specifies address assignment nor routing to and from the IPv6 hosts when they communicate with the IPv4-only hosts. Acknowledgements This document is a product of the NGTRANS working group. Some text has been extracted from an old Internet Draft titled "IPAE: The SIPP Interoperability and Transition Mechanism" authored by R. Gilligan, E. Nordmark, and B. Hinden. George Tsirtsis provides the figures for Section 1. Keith Moore provided a careful review of the document. Nordmark Standards Track [Page 1] RFC 2765 SIIT February 2000 Table of Contents 1. Introduction and Motivation.............................. 2 1.1. Applicability and Limitations....................... 5 1.2. Assumptions......................................... 7 1.3. Impact Outside the Network Layer.................... 7 2. Terminology.............................................. 8 2.1. Addresses........................................... 9 2.2. Requirements........................................ 9 3. Translating from IPv4 to IPv6............................ 9 3.1. Translating IPv4 Headers into IPv6 Headers.......... 11 3.2. Translating UDP over IPv4........................... 13 3.3. Translating ICMPv4 Headers into ICMPv6 Headers...... 13 3.4. Translating ICMPv4 Error Messages into ICMPv6....... 16 3.5. Knowing when to Translate........................... 16 4. Translating from IPv6 to IPv4............................ 17 4.1. Translating IPv6 Headers into IPv4 Headers.......... 18 4.2. Translating ICMPv6 Headers into ICMPv4 Headers...... 20 4.3. Translating ICMPv6 Error Messages into ICMPv4....... 22 4.4. Knowing when to Translate........................... 22 5. Implications for IPv6-Only Nodes......................... 22 6. Security Considerations.................................. 23 References................................................... 24 Author's Address............................................. 25 Full Copyright Statement..................................... 26 1. Introduction and Motivation The transition mechanisms specified in [TRANS-MECH] handle the case of dual IPv4/IPv6 hosts interoperating with both dual hosts and IPv4-only hosts, which is needed early in the transition to IPv6. The dual hosts are assigned both an IPv4 and one or more IPv6 addresses. As the number of available globally unique IPv4 addresses becomes smaller and smaller as the Internet grows there will be a desire to take advantage of the large IPv6 address and not require that every new Internet node have a permanently assigned IPv4 address. There are several different scenarios where there might be IPv6-only hosts that need to communicate with IPv4-only hosts. These IPv6 hosts might be IPv4-capable, i.e. include an IPv4 implementation but not be assigned an IPv4 address, or they might not even include an IPv4 implementation. - A completely new network with new devices that all support IPv6. In this case it might be beneficial to not have to configure the routers within the new network to route IPv4 since none of the Nordmark Standards Track [Page 2] RFC 2765 SIIT February 2000 hosts in the new network are configured with IPv4 addresses. But these new IPv6 devices might occasionally need to communicate with some IPv4 nodes out on the Internet. - An existing network where a large number of IPv6 devices are added. The IPv6 devices might have both an IPv4 and an IPv6 protocol stack but there is not enough global IPv4 address space to give each one of them a permanent IPv4 address. In this case it is more likely that the routers in the network already route IPv4 and are upgraded to dual routers. However, there are other potential solutions in this area: - If there is no IPv4 routing inside the network i.e., the cloud that contains the new devices, some possible solutions are to either use the translators specified in this document at the boundary of the cloud, or to use Application Layer Gateways (ALG) on dual nodes at the cloud's boundary. The ALG solution is less flexible in that it is application protocol specific and it is also less robust since an ALG box is likely to be a single point of failure for a connection using that box. - Otherwise, if IPv4 routing is supported inside the cloud and the implementations support both IPv6 and IPv4 it might suffice to have a mechanism for allocating a temporary address IPv4 and use IPv4 end to end when communicating with IPv4-only nodes. However, it would seem that such a solution would require the pool of temporary IPv4 addresses to be partitioned across all the subnets in the cloud which would either require a larger pool of IPv4 addresses or result in cases where communication would fail due to no available IPv4 address for the node's subnet. This document specifies an algorithm that is one of the components needed to make IPv6-only nodes interoperate with IPv4-only nodes. Other components, not specified in this document, are a mechanism for the IPv6-only node to somehow acquire a temporary IPv4 address, and a mechanism for providing routing (perhaps using tunneling) to and from the temporary IPv4 address assigned to the node. The temporary IPv4 address will be used as an IPv4-translated IPv6 address and the packets will travel through a stateless IP/ICMP translator that will translate the packet headers between IPv4 and IPv6 and translate the addresses in those headers between IPv4 addresses on one side and IPv4-translated or IPv4-mapped IPv6 addresses on the other side. Nordmark Standards Track [Page 3] RFC 2765 SIIT February 2000 This specification does not cover how an IPv6 node can acquire a temporary IPv4 address and how such a temporary address be registered in the DNS. The DHCP protocol, perhaps with some extensions, could probably be used to acquire temporary addresses with short leases but that is outside the scope of this document. Also, the mechanism for routing this IPv4-translated IPv6 address in the site is not specified in this document. The figures below show how the Stateless IP/ICMP Translation algorithm (SIIT) can be used initially for small networks (e.g., a single subnet) and later for a site which has IPv6-only hosts in a dual IPv4/IPv6 network. This use assumes a mechanism for the IPv6 nodes to acquire a temporary address from the pool of IPv4 addresses. Note that SIIT is not likely to be useful later during transition when most of the Internet is IPv6 and there are only small islands of IPv4 nodes, since such use would either require the IPv6 nodes to acquire temporary IPv4 addresses from a "distant" SIIT box operated by a different administration, or require that the IPv6 routing contain routes for IPv6-mapped addresses. (The latter is known to be a very bad idea due to the size of the IPv4 routing table that would potentially be injected into IPv6 routing in the form of IPv4-mapped addresses.) ___________ / \ [IPv6 Host]---[SIIT]---------< IPv4 network>--[IPv4 Host] | \___________/ (pool of IPv4 addresses) IPv4-translatable -> IPv4->IPv4 addresser IPv4-mapped Figure 1. Using SIIT for a single IPv6-only subnet. ___________ ___________ / \ / \ [IPv6 Host]--< Dual network>--[SIIT]--< IPv4 network>--[IPv4 Host] \___________/ | \___________/ (pool of IPv4 addresses) IPv4-translatable -> IPv4->IPv4 addresser IPv4-mapped Figure 2. Using SIIT for an IPv6-only or dual cloud (e.g. a site) which contains some IPv6-only hosts as well as IPv4 hosts. Nordmark Standards Track [Page 4] RFC 2765 SIIT February 2000 The protocol translators are assumed to fit around some piece of topology that includes some IPv6-only nodes and that may also include IPv4 nodes as well as dual nodes. There has to be a translator on each path used by routing the "translatable" packets in and out of this cloud to ensure that such packets always get translated. This does not require a translator at every physical connection between the cloud and the rest of the Internet since the routing can be used to deliver the packets to the translator. The IPv6-only node communicating with an IPv4 node through a translator will see an IPv4-mapped address for the peer and use an IPv4-translatable address for its local address for that communication. When the IPv6-only node sends packets the IPv4-mapped address indicates that the translator needs to translate the packets. When the IPv4 node sends packets those will translated to have the IPv4-translatable address as a destination; it is not possible to use an IPv4-mapped or an IPv4-compatible address as a destination since that would either route the packet back to the translator (for the IPv4-mapped address) or make the packet be encapsulated in IPv4 (for the IPv4-compatible address). Thus this specification introduces the new notion of an IPv4-translatable address. 1.1. Applicability and Limitations The use of this translation algorithm assumes that the IPv6 network is somehow well connected i.e. when an IPv6 node wants to communicate with another IPv6 node there is an IPv6 path between them. Various tunneling schemes exist that can provide such a path, but those mechanisms and their use is outside the scope of this document. The IPv6 protocol [IPv6] has been designed so that the TCP and UDP pseudo-header checksums are not affected by the translations specified in this document, thus the translator does not need to modify normal TCP and UDP headers. The only exceptions are unfragmented IPv4 UDP packets which need to have a UDP checksum computed since a pseudo-header checksum is required for UDP in IPv6. Also, ICMPv6 include a pseudo-header checksum but it is not present in ICMPv4 thus the checksum in ICMP messages need to be modified by the translator. In addition, ICMP error messages contain an IP header as part of the payload thus the translator need to rewrite those parts of the packets to make the receiver be able to understand the included IP header. However, all of the translator's operations, including path MTU discovery, are stateless in the sense that the translator operates independently on each packet and does not retain any state from one packet to another. This allows redundant translator boxes without any coordination and a given TCP connection can have the two directions of packets go through different translator boxes. Nordmark Standards Track [Page 5] RFC 2765 SIIT February 2000 The translating function as specified in this document does not translate any IPv4 options and it does not translate IPv6 routing headers, hop-by-hop extension headers, or destination options headers. It could be possible to define a translation between source routing in IPv4 and IPv6. However such a translation would not be semantically correct due to the slight differences between the IPv4 and IPv6 source routing. Also, the usefulness of source routing when going through a header translator might be limited since all the IPv6-only routers would need to have an IPv4-translated IPv6 address since the IPv4-only node will send a source route option containing only IPv4 addresses. At first sight it might appear that the IPsec functionality [IPv6-SA, IPv6-ESP, IPv6-AH] can not be carried across the translator. However, since the translator does not modify any headers above the logical IP layer (IP headers, IPv6 fragment headers, and ICMP messages) packets encrypted using ESP in Transport-mode can be carried through the translator. [Note that this assumes that the key management can operate between the IPv6-only node and the IPv4-only node.] The AH computation covers parts of the IPv4 header fields such as IP addresses, and the identification field (fields that are either immutable or predictable by the sender) [IPv6-AUTH]. While the SIIT algorithm is specified so that those IPv4 fields can be predicted by the IPv6 sender it is not possible for the IPv6 receiver to determine the value of the IPv4 Identification field in packets sent by the IPv4 node. Thus as the translation algorithm is specified in this document it is not possible to use end-to-end AH through the translator. For ESP Tunnel-mode to work through the translator the IPv6 node would have to be able to both parse and generate "inner" IPv4 headers since the inner IP will be encrypted together with the transport protocol. Thus in practise, only ESP transport mode is relatively easy to make work through a translator. IPv4 multicast addresses can not be mapped to IPv6 multicast addresses. For instance, ::ffff:224.1.2.3 is an IPv4 mapped IPv6 address with a class D address, however it is not an IPv6 multicast address. While the IP/ICMP header translation aspect of this memo in theory works for multicast packets this address mapping limitation makes it impossible to apply the techniques in this memo for multicast traffic. Nordmark Standards Track [Page 6] RFC 2765 SIIT February 2000 1.2. Assumptions The IPv6 nodes using the translator must have an IPv4-translated IPv6 address while it is communicating with IPv4-only nodes. The use of the algorithm assumes that there is an IPv4 address pool used to generate IPv4-translated addresses. Routing needs to be able to route any IPv4 packets, whether generated "outside" or "inside" the translator, destined to addresses in this pool towards the translator. This implies that the address pool can not be assigned to subnets but must be separated from the IPv4 subnets used on the "inside" of the translator. Fragmented IPv4 UDP packets that do not contain a UDP checksum (i.e. the UDP checksum field is zero) are not of significant use over wide-areas in the Internet and will not be translated by the translator. An informal trace [MILLER] in the backbone showed that out of 34,984,468 IP packets there were 769 fragmented UDP packets with a zero checksum. However, all of them were due to malicious or broken behavior; a port scan and first fragments of IP packets that are not a multiple of 8 bytes. 1.3. Impact Outside the Network Layer The potential existence of stateless IP/ICMP translators is already taken care of from a protocol perspective in [IPv6]. However, an IPv6 node that wants to be able to use translators needs some additional logic in the network layer. The network layer in an IPv6-only node, when presented by the application with either an IPv4 destination address or an IPv4-mapped IPv6 destination address, is likely to drop the packet and return some error message to the application. In order to take advantage of translators such a node should instead send an IPv6 packet where the destination address is the IPv4-mapped address and the source address is the node's temporarily assigned IPv4-translated address. If the node does not have a temporarily assigned IPv4-translated address it should acquire one using mechanisms that are not discussed in this document. Note that the above also applies to a dual IPv4/IPv6 implementation node which is not configured with any IPv4 address. There are no extra changes needed to applications to operate through a translator beyond what applications already need to do to operate on a dual node. The applications that have been modified to work on a dual node already have the mechanisms to determine whether they are communicating with an IPv4 or an IPv6 peer. Thus if the applications Nordmark Standards Track [Page 7] RFC 2765 SIIT February 2000 need to modify their behavior depending on the type of the peer, such as ftp determining whether to fallback to using the PORT/PASV command when EPRT/EPSV fails (as specified in [FTPEXT]), they already need to do that when running on dual nodes and the presense of translators does not add anything. For example, when using the socket API [BSDAPI] the applications know that the peer is IPv6 if they get an AF_INET6 address from the name service and the address is not an IPv4-mapped address (i.e., IN6_IS_ADDR_V4MAPPED returns false). If this is not the case, i.e., the address is AF_INET or an IPv4-mapped IPv6 address, the peer is IPv4. One way of viewing the translator, which might help clarify why applications do not need to know that a translator is used, is to look at the information that is passed from the transport layer to the network layer. If the transport passes down an IPv4 address (whether or not is in the IPv4-mapped encoding) this means that at some point there will be IPv4 packets generated. In a dual node the generation of the IPv4 packets takes place in the sending node. In an IPv6-only node conceptually the only difference is that the IPv4 packet is generated by the translator - all the information that the transport layer passed to the network layer will be conveyed to the translator in some form. That form just "happens" to be in the form of an IPv6 header. 2. Terminology This documents uses the terminology defined in [IPv6] and [TRANS-MECH] with these clarifications: IPv4 capable node: A node which has an IPv4 protocol stack. In order for the stack to be usable the node must be assigned one or more IPv4 addresses. IPv4 enabled node: A node which has an IPv4 protocol stack and is assigned one or more IPv4 addresses. Both IPv4-only and IPv6/IPv4 nodes are IPv4 enabled. IPv6 capable node: A node which has an IPv6 protocol stack. In order for the stack to be usable the node must be assigned one or more IPv6 addresses. IPv6 enabled node: A node which has an IPv6 protocol stack and is assigned one or more IPv6 addresses. Both IPv6-only and IPv6/IPv4 nodes are IPv6 enabled. Nordmark Standards Track [Page 8] RFC 2765 SIIT February 2000 2.1. Addresses In addition to the forms of addresses defined in [ADDR-ARCH] this document also introduces the new form of IPv4-translated address. This is needed to avoid using IPv4-compatible addresses outside the intended use of automatic tunneling. Thus the address forms are: IPv4-mapped: An address of the form 0::ffff:a.b.c.d which refers to a node that is not IPv6-capable. In addition to its use in the API this protocol uses IPv4-mapped addresses in IPv6 packets to refer to an IPv4 node. IPv4-compatible: An address of the form 0::0:a.b.c.d which refers to an IPv6/IPv4 node that supports automatic tunneling. Such addresses are not used in this protocol. IPv4-translated: An address of the form 0::ffff:0:a.b.c.d which refers to an IPv6-enabled node. Note that the prefix 0::ffff:0:0:0/96 is chosen to checksum to zero to avoid any changes to the transport protocol's pseudo header checksum. 2.2. Requirements The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in [KEYWORDS]. 3. Translating from IPv4 to IPv6 When an IPv4-to-IPv6 translator receives an IPv4 datagram addressed to a destination that lies outside of the attached IPv4 island, it translates the IPv4 header of that packet into an IPv6 header. It then forwards the packet based on the IPv6 destination address. The original IPv4 header on the packet is removed and replaced by an IPv6 header. Except for ICMP packets the transport layer header and data portion of the packet are left unchanged. Nordmark Standards Track [Page 9] RFC 2765 SIIT February 2000 +-------------+ +-------------+ | IPv4 | | IPv6 | | Header | | Header | +-------------+ +-------------+ | Transport | | Fragment | | Layer | ===> | Header | | Header | |(not always) | +-------------+ +-------------+ | | | Transport | ~ Data ~ | Layer | | | | Header | +-------------+ +-------------+ | | ~ Data ~ | | +-------------+ IPv4-to-IPv6 Translation One of the differences between IPv4 and IPv6 is that in IPv6 path MTU discovery is mandatory but it is optional in IPv4. This implies that IPv6 routers will never fragment a packet - only the sender can do fragmentation. When the IPv4 node performs path MTU discovery (by setting the DF bit in the header) the path MTU discovery can operate end-to-end i.e. across the translator. In this case either IPv4 or IPv6 routers might send back ICMP "packet too big" messages to the sender. When these ICMP errors are sent by the IPv6 routers they will pass through a translator which will translate the ICMP error to a form that the IPv4 sender can understand. In this case an IPv6 fragment header is only included if the IPv4 packet is already fragmented. However, when the IPv4 sender does not perform path MTU discovery the translator has to ensure that the packet does not exceed the path MTU on the IPv6 side. This is done by fragmenting the IPv4 packet so that it fits in 1280 byte IPv6 packet since IPv6 guarantees that 1280 byte packets never need to be fragmented. Also, when the IPv4 sender does not perform path MTU discovery the translator MUST always include an IPv6 fragment header to indicate that the sender allows fragmentation. That is needed should the packet pass through an IPv6-to-IPv4 translator. The above rules ensure that when packets are fragmented either by the sender or by IPv4 routers that the low-order 16 bits of the fragment identification is carried end-end to ensure that packets are correctly reassembled. In addition, the rules use the presence of an Nordmark Standards Track [Page 10] RFC 2765 SIIT February 2000 IPv6 fragment header to indicate that the sender might not be using path MTU discovery i.e. the packet should not have the DF flag set should it later be translated back to IPv4. Other than the special rules for handling fragments and path MTU discovery the actual translation of the packet header consists of a simple mapping as defined below. Note that ICMP packets require special handling in order to translate the content of ICMP error message and also to add the ICMP pseudo-header checksum. 3.1. Translating IPv4 Headers into IPv6 Headers If the DF flag is not set and the IPv4 packet will result in an IPv6 packet larger than 1280 bytes the IPv4 packet MUST be fragmented prior to translating it. Since IPv4 packets with DF not set will always result in a fragment header being added to the packet the IPv4 packets must be fragmented so that their length, excluding the IPv4 header, is at most 1232 bytes (1280 minus 40 for the IPv6 header and 8 for the Fragment header). The resulting fragments are then translated independently using the logic described below. If the DF bit is set and the packet is not a fragment (i.e., the MF flag is not set and the Fragment Offset is zero) then there is no need to add a fragment header to the packet. The IPv6 header fields are set as follows: Version: 6 Traffic Class: By default, copied from IP Type Of Service and Precedence field (all 8 bits are copied). According to [DIFFSERV] the semantics of the bits are identical in IPv4 and IPv6. However, in some IPv4 environments these fields might be used with the old semantics of "Type Of Service and Precedence". An implementation of a translator SHOULD provide the ability to ignore the IPv4 "TOS" and always set the IPv6 traffic class to zero. Flow Label: 0 (all zero bits) Payload Length: Total length value from IPv4 header, minus the size of the IPv4 header and IPv4 options, if present. Nordmark Standards Track [Page 11] RFC 2765 SIIT February 2000 Next Header: Protocol field copied from IPv4 header Hop Limit: TTL value copied from IPv4 header. Since the translator is a router, as part of forwarding the packet it needs to decrement either the IPv4 TTL (before the translation) or the IPv6 Hop Limit (after the translation). As part of decrementing the TTL or Hop Limit the translator (as any router) needs to check for zero and send the ICMPv4 or ICMPv6 "ttl exceeded" error. Source Address: The low-order 32 bits is the IPv4 source address. The high-order 96 bits is the IPv4-mapped prefix (::ffff:0:0/96) Destination Address: The low-order 32 bits is the IPv4 destination address. The high-order 96 bits is the IPv4- translated prefix (0::ffff:0:0:0/96) If IPv4 options are present in the IPv4 packet, they are ignored i.e., there is no attempt to translate them. However, if an unexpired source route option is present then the packet MUST instead be discarded, and an ICMPv4 "destination unreachable/source route failed" (Type 3/Code 5) error message SHOULD be returned to the sender. If there is need to add a fragment header (the DF bit is not set or the packet is a fragment) the header fields are set as above with the following exceptions: IPv6 fields: Payload Length: Total length value from IPv4 header, plus 8 for the fragment header, minus the size of the IPv4 header and IPv4 options, if present. Next Header: Fragment Header (44). Fragment header fields: Next Header: Protocol field copied from IPv4 header. Nordmark Standards Track [Page 12] RFC 2765 SIIT February 2000 Fragment Offset: Fragment Offset copied from the IPv4 header. M flag: More Fragments bit copied from the IPv4 header. Identification: The low-order 16 bits copied from the Identification field in the IPv4 header. The high-order 16 bits set to zero. 3.2. Translating UDP over IPv4 If a UDP packet has a zero UDP checksum then a valid checksum must be calculated in order to translate the packet. A stateless translator can not do this for fragmented packets but [MILLER] indicates that fragmented UDP packets with a zero checksum appear to only be used for malicious purposes. Thus this is not believed to be a noticeable limitation. When a translator receives the first fragment of a fragmented UDP IPv4 packet and the checksum field is zero the translator SHOULD drop the packet and generate a system management event specifying at least the IP addresses and port numbers in the packet. When it receives fragments other than the first it SHOULD silently drop the packet, since there is no port information to log. When a translator receives an unfragmented UDP IPv4 packet and the checksum field is zero the translator MUST compute the missing UDP checksum as part of translating the packet. Also, the translator SHOULD maintain a counter of how many UDP checksums are generated in this manner. 3.3. Translating ICMPv4 Headers into ICMPv6 Headers All ICMP messages that are to be translated require that the ICMP checksum field be updated as part of the translation since ICMPv6, unlike ICMPv4, has a pseudo-header checksum just like UDP and TCP. In addition all ICMP packets need to have the Type value translated and for ICMP error messages the included IP header also needs translation. Nordmark Standards Track [Page 13] RFC 2765 SIIT February 2000 The actions needed to translate various ICMPv4 messages are: ICMPv4 query messages: Echo and Echo Reply (Type 8 and Type 0) Adjust the type to 128 and 129, respectively, and adjust the ICMP checksum both to take the type change into account and to include the ICMPv6 pseudo-header. Information Request/Reply (Type 15 and Type 16) Obsoleted in ICMPv4. Silently drop. Timestamp and Timestamp Reply (Type 13 and Type 14) Obsoleted in ICMPv6. Silently drop. Address Mask Request/Reply (Type 17 and Type 18) Obsoleted in ICMPv6. Silently drop. ICMP Router Advertisement (Type 9) Single hop message. Silently drop. ICMP Router Solicitation (Type 10) Single hop message. Silently drop. Unknown ICMPv4 types Silently drop. IGMP messages: While the MLD messages [MLD] are the logical IPv6 counterparts for the IPv4 IGMP messages all the "normal" IGMP messages are single-hop messages and should be silently dropped by the translator. Other IGMP messages might be used by multicast routing protocols and, since it would be a configuration error to try to have router adjacencies across IPv4/IPv6 translators those packets should also be silently dropped. ICMPv4 error messages: Destination Unreachable (Type 3) For all that are not explicitly listed below set the Type to 1. Translate the code field as follows: Code 0, 1 (net, host unreachable): Set Code to 0 (no route to destination). Nordmark Standards Track [Page 14] RFC 2765 SIIT February 2000 Code 2 (protocol unreachable): Translate to an ICMPv6 Parameter Problem (Type 4, Code 1) and make the Pointer point to the IPv6 Next Header field. Code 3 (port unreachable): Set Code to 4 (port unreachable). Code 4 (fragmentation needed and DF set): Translate to an ICMPv6 Packet Too Big message (Type 2) with code 0. The MTU field needs to be adjusted for the difference between the IPv4 and IPv6 header sizes. Note that if the IPv4 router did not set the MTU field i.e. the router does not implement [PMTUv4], then the translator must use the plateau values specified in [PMTUv4] to determine a likely path MTU and include that path MTU in the ICMPv6 packet. (Use the greatest plateau value that is less than the returned Total Length field.) Code 5 (source route failed): Set Code to 0 (no route to destination). Note that this error is unlikely since source routes are not translated. Code 6,7: Set Code to 0 (no route to destination). Code 8: Set Code to 0 (no route to destination). Code 9, 10 (communication with destination host administratively prohibited): Set Code to 1 (communication with destination administratively prohibited) Code 11, 12: Set Code to 0 (no route to destination). Redirect (Type 5) Single hop message. Silently drop. Source Quench (Type 4) Obsoleted in ICMPv6. Silently drop. Time Exceeded (Type 11) Set the Type field to 3. The Code field is unchanged. Nordmark Standards Track [Page 15] RFC 2765 SIIT February 2000 Parameter Problem (Type 12) Set the Type field to 4. The Pointer needs to be updated to point to the corresponding field in the translated include IP header. 3.4. Translating ICMPv4 Error Messages into ICMPv6 There are some differences between the IPv4 and the IPv6 ICMP error message formats as detailed above. In addition, the ICMP error messages contain the IP header for the packet in error which needs to be translated just like a normal IP header. The translation of this "packet in error" is likely to change the length of the datagram thus the Payload Length field in the outer IPv6 header might need to be updated. +-------------+ +-------------+ | IPv4 | | IPv6 | | Header | | Header | +-------------+ +-------------+ | ICMPv4 | | ICMPv6 | | Header | | Header | +-------------+ +-------------+ | IPv4 | ===> | IPv6 | | Header | | Header | +-------------+ +-------------+ | Partial | | Partial | | Transport | | Transport | | Layer | | Layer | | Header | | Header | +-------------+ +-------------+ IPv4-to-IPv6 ICMP Error Translation The translation of the inner IP header can be done by recursively invoking the function that translated the outer IP headers. 3.5. Knowing when to Translate The translator is assumed to know the pool(s) of IPv4 address that are used to represent the internal IPv6-only nodes. Thus if the IPv4 destination field contains an address that falls in these configured sets of prefixes the packet needs to be translated to IPv6. Nordmark Standards Track [Page 16] RFC 2765 SIIT February 2000 4. Translating from IPv6 to IPv4 When an IPv6-to-IPv4 translator receives an IPv6 datagram addressed to an IPv4-mapped IPv6 address, it translates the IPv6 header of that packet into an IPv4 header. It then forwards the packet based on the IPv4 destination address. The original IPv6 header on the packet is removed and replaced by an IPv4 header. Except for ICMP packets the transport layer header and data portion of the packet are left unchanged. +-------------+ +-------------+ | IPv6 | | IPv4 | | Header | | Header | +-------------+ +-------------+ | Fragment | | Transport | | Header | ===> | Layer | |(if present) | | Header | +-------------+ +-------------+ | Transport | | | | Layer | ~ Data ~ | Header | | | +-------------+ +-------------+ | | ~ Data ~ | | +-------------+ IPv6-to-IPv4 Translation There are some differences between IPv6 and IPv4 in the area of fragmentation and the minimum link MTU that effect the translation. An IPv6 link has to have an MTU of 1280 bytes or greater. The corresponding limit for IPv4 is 68 bytes. Thus, unless there were special measures, it would not be possible to do end-to-end path MTU discovery when the path includes an IPv6-to-IPv4 translator since the IPv6 node might receive ICMP "packet too big" messages originated by an IPv4 router that report an MTU less than 1280. However, [IPv6] requires that IPv6 nodes handle such an ICMP "packet too big" message by reducing the path MTU to 1280 and including an IPv6 fragment header with each packet. This allows end-to-end path MTU discovery across the translator as long as the path MTU is 1280 bytes or greater. When the path MTU drops below the 1280 limit the IPv6 sender will originate 1280 byte packets that will be fragmented by IPv4 routers along the path after being translated to IPv4. The only drawback with this scheme is that it is not possible to use PMTU to do optimal UDP fragmentation (as opposed to completely avoiding fragmentation) at sender since the presence of an IPv6 Nordmark Standards Track [Page 17] RFC 2765 SIIT February 2000 Fragment header is interpreted that is it OK to fragment the packet on the IPv4 side. Thus if a UDP application wants to send large packets independent of the PMTU, the sender will only be able to determine the path MTU on the IPv6 side of the translator. If the path MTU on the IPv4 side of the translator is smaller then the IPv6 sender will not receive any ICMP "too big" errors and can not adjust the size fragments it is sending. Other than the special rules for handling fragments and path MTU discovery the actual translation of the packet header consists of a simple mapping as defined below. Note that ICMP packets require special handling in order to translate the content of ICMP error message and also to add the ICMP pseudo-header checksum. 4.1. Translating IPv6 Headers into IPv4 Headers If there is no IPv6 Fragment header the IPv4 header fields are set as follows: Version: 4 Internet Header Length: 5 (no IPv4 options) Type of Service and Precedence: By default, copied from the IPv6 Traffic Class (all 8 bits). According to [DIFFSERV] the semantics of the bits are identical in IPv4 and IPv6. However, in some IPv4 environments these bits might be used with the old semantics of "Type Of Service and Precedence". An implementation of a translator SHOULD provide the ability to ignore the IPv6 traffic class and always set the IPv4 "TOS" to zero. Total Length: Payload length value from IPv6 header, plus the size of the IPv4 header. Identification: All zero. Flags: The More Fragments flag is set to zero. The Don't Fragments flag is set to one. Fragment Offset: All zero. Nordmark Standards Track [Page 18] RFC 2765 SIIT February 2000 Time to Live: Hop Limit value copied from IPv6 header. Since the translator is a router, as part of forwarding the packet it needs to decrement either the IPv6 Hop Limit (before the translation) or the IPv4 TTL (after the translation). As part of decrementing the TTL or Hop Limit the translator (as any router) needs to check for zero and send the ICMPv4 or ICMPv6 "ttl exceeded" error. Protocol: Next Header field copied from IPv6 header. Header Checksum: Computed once the IPv4 header has been created. Source Address: If the IPv6 source address is an IPv4-translated address then the low-order 32 bits of the IPv6 source address is copied to the IPv4 source address. Otherwise, the source address is set to 0.0.0.0. The use of 0.0.0.0 is to avoid completely dropping e.g. ICMPv6 error messages sent by IPv6-only routers which makes e.g. traceroute present something for the IPv6-only hops. Destination Address: IPv6 packets that are translated have an IPv4-mapped destination address. Thus the low-order 32 bits of the IPv6 destination address is copied to the IPv4 destination address. If any of an IPv6 hop-by-hop options header, destination options header, or routing header with the Segments Left field equal to zero are present in the IPv6 packet, they are ignored i.e., there is no attempt to translate them. However, the Total Length field and the Protocol field would have to be adjusted to "skip" these extension headers. If a routing header with a non-zero Segments Left field is present then the packet MUST NOT be translated, and an ICMPv6 "parameter problem/ erroneous header field encountered" (Type 4/Code 0) error message, with the Pointer field indicating the first byte of the Segments Left field, SHOULD be returned to the sender. Nordmark Standards Track [Page 19] RFC 2765 SIIT February 2000 If the IPv6 packet contains a Fragment header the header fields are set as above with the following exceptions: Total Length: Payload length value from IPv6 header, minus 8 for the Fragment header, plus the size of the IPv4 header. Identification: Copied from the low-order 16-bits in the Identification field in the Fragment header. Flags: The More Fragments flag is copied from the M flag in the Fragment header. The Don't Fragments flag is set to zero allowing this packet to be fragmented by IPv4 routers. Fragment Offset: Copied from the Fragment Offset field in the Fragment Header. Protocol: Next Header value copied from Fragment header. 4.2. Translating ICMPv6 Headers into ICMPv4 Headers All ICMP messages that are to be translated require that the ICMP checksum field be updated as part of the translation since ICMPv6, unlike ICMPv4, has a pseudo-header checksum just like UDP and TCP. In addition all ICMP packets need to have the Type value translated and for ICMP error messages the included IP header also needs translation. The actions needed to translate various ICMPv6 messages are: ICMPv6 informational messages: Echo Request and Echo Reply (Type 128 and 129) Adjust the type to 0 and 8, respectively, and adjust the ICMP checksum both to take the type change into account and to exclude the ICMPv6 pseudo-header. MLD Multicast Listener Query/Report/Done (Type 130, 131, 132) Single hop message. Silently drop. Nordmark Standards Track [Page 20] RFC 2765 SIIT February 2000 Neighbor Discover messages (Type 133 through 137) Single hop message. Silently drop. Unknown informational messages Silently drop. ICMPv6 error messages: Destination Unreachable (Type 1) Set the Type field to 3. Translate the code field as follows: Code 0 (no route to destination): Set Code to 1 (host unreachable). Code 1 (communication with destination administratively prohibited): Set Code to 10 (communication with destination host administratively prohibited). Code 2 (beyond scope of source address): Set Code to 1 (host unreachable). Note that this error is very unlikely since the IPv4-translatable source address is considered to have global scope. Code 3 (address unreachable): Set Code to 1 (host unreachable). Code 4 (port unreachable): Set Code to 3 (port unreachable). Packet Too Big (Type 2) Translate to an ICMPv4 Destination Unreachable with code 4. The MTU field needs to be adjusted for the difference between the IPv4 and IPv6 header sizes taking into account whether or not the packet in error includes a Fragment header. Time Exceeded (Type 3) Set the Type to 11. The Code field is unchanged. Parameter Problem (Type 4) If the Code is 1 translate this to an ICMPv4 protocol unreachable (Type 3, Code 2). Otherwise set the Type to 12 and the Code to zero. The Pointer needs to be updated to point to the corresponding field in the translated include IP header. Unknown error messages Silently drop. Nordmark Standards Track [Page 21] RFC 2765 SIIT February 2000 4.3. Translating ICMPv6 Error Messages into ICMPv4 There are some differences between the IPv4 and the IPv6 ICMP error message formats as detailed above. In addition, the ICMP error messages contain the IP header for the packet in error which needs to be translated just like a normal IP header. The translation of this "packet in error" is likely to change the length of the datagram thus the Total Length field in the outer IPv4 header might need to be updated. +-------------+ +-------------+ | IPv6 | | IPv4 | | Header | | Header | +-------------+ +-------------+ | ICMPv6 | | ICMPv4 | | Header | | Header | +-------------+ +-------------+ | IPv6 | ===> | IPv4 | | Header | | Header | +-------------+ +-------------+ | Partial | | Partial | | Transport | | Transport | | Layer | | Layer | | Header | | Header | +-------------+ +-------------+ IPv6-to-IPv4 ICMP Error Translation The translation of the inner IP header can be done by recursively invoking the function that translated the outer IP headers. 4.4. Knowing when to Translate When the translator receives an IPv6 packet with an IPv4-mapped destination address the packet will be translated to IPv4. 5. Implications for IPv6-Only Nodes An IPv6-only node which works through SIIT translators need some modifications beyond a normal IPv6-only node. As specified in Section 1.3 the application protocols need to handle operation on a dual stack node. In addition the protocol stack needs to be able to: Nordmark Standards Track [Page 22] RFC 2765 SIIT February 2000 o Determine when an IPv4-translatable address needs to be allocated and the allocation needs to be refreshed/renewed. This can presumably be done without involving the applications by e.g. handling this under the socket API. For instance, when the connect or sendto socket calls are invoked they could check if the destination is an IPv4-mapped address and in that case allocate/refresh the IPv4-translatable address. o Ensure, as part of the source address selection mechanism, that when the destination address is an IPv4-mapped address the source address MUST be an IPv4-translatable address. And an IPv4- translatable address MUST NOT be used with other forms of IPv6 destination addresses. o Should the peer have AAAA/A6 address records the application (or resolver) SHOULD never fall back to looking for A address records even if communication fails using the available AAAA/A6 records. The reason for this restriction is to prevent traffic between two IPv6 nodes (which AAAA/A6 records in the DNS) from accidentally going through SIIT translators twice; from IPv6 to IPv4 and to IPv6 again. It is considered preferable to instead signal a failure to communicate to the application. 6. Security Considerations The use of stateless IP/ICMP translators does not introduce any new security issues beyond the security issues that are already present in the IPv4 and IPv6 protocols and in the routing protocols which are used to make the packets reach the translator. As the Authentication Header [IPv6-AUTH] is specified to include the IPv4 Identification field and the translating function not being able to always preserve the Identification field, it is not possible for an IPv6 endpoint to compute AH on received packets that have been translated from IPv4 packets. Thus AH does not work through a translator. Packets with ESP can be translated since ESP does not depend on header fields prior to the ESP header. Note that ESP transport mode is easier to handle than ESP tunnel mode; in order to use ESP tunnel mode the IPv6 node needs to be able to generate an inner IPv4 header when transmitting packets and remove such an IPv4 header when receiving packets. Nordmark Standards Track [Page 23] RFC 2765 SIIT February 2000 References [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [IPv6] Deering, S. and R. Hinden, Editors, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [IPv4] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. [ADDR-ARCH] Deering, S. and R. Hinden, Editors, "IP Version 6 Addressing Architecture", RFC 2373, July 1998. [TRANS-MECH] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and Routers", RFC 1933, April 1996. [DISCOVERY] Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. [IPv6-SA] Atkinson, R., "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [IPv6-AUTH] Atkinson, R., "IP Authentication Header", RFC 2402, November 1998. [IPv6-ESP] Atkinson, R., "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998. [ICMPv4] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, September 1981. [ICMPv6] Conta, A. and S. Deering, "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6)", RFC 2463, December 1998. [IGMP] Deering, S., "Host extensions for IP multicasting", STD 5, RFC 1112, August 1989. [PMTUv4] Mogul, J. and S. Deering, "Path MTU Discovery", RFC 1191, November 1990. [PMTUv6] McCann, J., Deering, S. and J. Mogul, "Path MTU Discovery for IP version 6", RFC 1981, August 1996. Nordmark Standards Track [Page 24] RFC 2765 SIIT February 2000 [DIFFSERV] Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, December 1998. [MLD] Deering, S., Fenner, W. and B. Haberman, "Multicast Listener Discovery (MLD) for IPv6", RFC 2710, October 1999. [FTPEXT] Allman, M., Ostermann, S. and C. Metz, "FTP Extensions for IPv6 and NATs.", RFC 2428, September 1998. [MILLER] G. Miller, Email to the ngtrans mailing list on 26 March 1999. [BSDAPI] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic Socket Interface Extensions for IPv6", RFC 2553, March 1999. Author's Address Erik Nordmark Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 USA Phone: +1 650 786 5166 Fax: +1 650 786 5896 EMail: nordmark@sun.com Nordmark Standards Track [Page 25] RFC 2765 SIIT February 2000 Full Copyright Statement Copyright (C) The Internet Society (2000). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Nordmark Standards Track [Page 26]