Re: [Softwires] 4rd-u tunnels and stateful NAT64s

Rémi Després <despres.remi@laposte.net> Mon, 19 March 2012 08:48 UTC

Return-Path: <despres.remi@laposte.net>
X-Original-To: softwires@ietfa.amsl.com
Delivered-To: softwires@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3265A21F85F6 for <softwires@ietfa.amsl.com>; Mon, 19 Mar 2012 01:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.214
X-Spam-Level:
X-Spam-Status: No, score=-2.214 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U8fn6v4ZwGFq for <softwires@ietfa.amsl.com>; Mon, 19 Mar 2012 01:48:27 -0700 (PDT)
Received: from smtpout.laposte.net (smtpout3.laposte.net [193.253.67.228]) by ietfa.amsl.com (Postfix) with ESMTP id B8E1D21F85F3 for <softwires@ietf.org>; Mon, 19 Mar 2012 01:48:25 -0700 (PDT)
Received: from [192.168.0.21] ([88.166.221.144]) by mwinf8506-out with ME id nLoP1i00137Y3f403LoPeB; Mon, 19 Mar 2012 09:48:23 +0100
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary="Apple-Mail-145--495099420"
From: Rémi Després <despres.remi@laposte.net>
In-Reply-To: <CAFUBMqVV7Q=qnk=UoxBS8VKsjRffjgDM=z0vAGthrCEx0kZMGw@mail.gmail.com>
Date: Mon, 19 Mar 2012 09:48:22 +0100
Message-Id: <D748D3CB-3DDC-47BB-8A0C-130809A6B70C@laposte.net>
References: <B509CB1C-4A0A-408B-9B4A-C0F847169431@juniper.net> <2AB8570A-644F-4792-8C56-44AD80A79234@laposte.net> <D6428903-FBA0-419C-A37F-A00874F28118@laposte.net> <CAM+vMERsVz7cuC1C52gw12wySaEgw8=44JjS8AUygj0vJ899Cg@mail.gmail.com> <DDD20574-4ECD-4285-BB15-548628FB0425@laposte.net> <CAM+vMETahum9rB+fr=OHAmVobDZSzRRy9mUwkjryhqRvaJWe-Q@mail.gmail.com> <35065EB3-D4D6-451B-ACED-67BB94C77F18@laposte.net> <CAAuHL_D68nkd36ifLzEeVR67Q124VH-pMhM1pkEE_PcLbGxBrw@mail.gmail.com> <14D90642-0478-4AB9-91AA-A3E0310197F2@laposte.net> <CAFUBMqX9dj8MSeZdJTic5iOT=Jjg4oihWs30FWVAca08v_3=7g@mail.gmail.com> <D476AFD2-3B6B-48A0-971D-C65CC2CFA46B@laposte.net> <CAFUBMqU1wtP5prSaLG8hDSuv-EGWP5Diqoj6WEMHb_q8hNVDdQ@mail.gmail.com> <4BA560D3-5D48-4911-BDCB-D9CB490FBBA1@laposte.net> <CAFUBMqVzbtZ7JxunHv7m1zgWjRa2sh7zZS+91aURAy8-xTZW8g@mail.gmail.com> <CAFUBMqXPAA7RjCzgvbuq0WqbKijXwuFebnmrL-zDx_XoZh=Xkg@mail.gmail.com> <FED38071-241D-480C-9A8A-CFA7A55A4F3B@laposte.net> <A4A7C9E3-DBA9-4AA5-A60B-E3D3A187BD7 F@laposte.net> <CAFUBMqVT=E=GqBG_-q458GCpYKLk66vuvE-cx81=eTdgyUbj7A@mail.gmail.com> <D1EF9447-336A-48B4-91F4-D514654AC93D@laposte.net> <CAFUBMqWTRb_pjV_VFEDpNof7H+AnOvRM_acQXZ4XRPzAG-865A@mail.gmail.com> <7DED1A34-7237-4F05-B0A4-75C04A09B8E1@laposte.net> <CAFUBMqUVme5Vmm0QuJT4rcZeWo-CZyZoGBkq6RLjO=DRYLKYSg@mail.gmail.com> <AD2E97A4-98FF-4F00-BC28-44AB430870FB@laposte.net> <CAFUBMqXi02DcrTkJ3zjt4fv8EvVJPfAv=CTkM7gesi95jNQSQQ@mail.gmail.com> <8A2DF2DD-C961-4A90-AD62-9C2F647E1A9F@laposte.net> <CAFUBMqXuvBt6DD8JpWt_5+JP33ETqTrz3KbSRm1Kp9ZQBjqs+w@mail.gmail.com> <F2C46FAE-30EF-4707-8680-F4CED8A3A7F9@free.fr> <CAFUBMqU_ggCiE1Jr=HEAY1a1sunNXQZu1Oi98Jaa7jfd_0puLg@mail.gmail.com> <11773427-F939-4F5D-8011-C24E4B7FF58C@laposte.net> <CAFUBMqU+Bv1L6b7BLOwYwACbma4nDhpq_5BziC_Y0qxvCGkJ_A@mail.gmail.com> <5B73A592-AEFC-4010-8960-FCF6012DDAA6@laposte.net> <A06E3FC4-5D3B-4027-9D38-B4E3397E9F99@laposte.net> <CAFUBMqXaja4XoGMCAcQbGOqKxkhbGEGWD9pgp26Btvub2RJWGA@mail.gmail.com> <533DDBBF-FE50-4BF 9-8554-58C1340CCDC6@laposte.net> <CAFUBMqV_0Bh1_uOitu+MQXSbuLm=NydQFg9j-J6S+SyXcG_6ww@mail.gmail.com> <429F424B-8C6F-4DED-B0F6-95D492A7B9F3@laposte.net> <CAFUBMqWz+FKShTb3mB-00nzCEA1+ehtRjzPjC_PROiW7nSDxYA@mail.gmail.com> <7EF05FA7-4C35-44D8-BD5A-7ABF63E96598@laposte.net> <CAFUBMqVV7Q=qnk=UoxBS8VKsjRffjgDM=z0vAGthrCEx0kZMGw@mail.gmail.com>
To: Maoke <fibrib@gmail.com>
X-Mailer: Apple Mail (2.1084)
Cc: Softwires WG <softwires@ietf.org>
Subject: Re: [Softwires] 4rd-u tunnels and stateful NAT64s
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/softwires>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2012 08:48:29 -0000

Le 2012-03-19 à 09:16, Maoke a écrit :

> 
> 
> 2012/3/16 Rémi Després <despres.remi@laposte.net>
> Maoke,
> 
> Let me try a more complete picture than before:
> 
> 
>     A1 -----.           
> RFC6145-host|           .-- 4rd BR --. 
>             |           |            |
>     A2 -----:--(v6net)--:            :--(v4 Internet)--- B 
>   4rd-CE    |           |            |             UDP Lite appli                   
> (no IPv4 @) |           '-- NAT64+ --' 
>             |          
>     A3 -----' 
>   4rd-CE                                                
> (IPv4 @, shared or not)
> 
> 
> NAT64+ is supposed to have a bindings for UDP Lite, either only for 4rd IPv6 addresses (the minimum), or also for native IPv6 addresses (the complete upgrade, with UDP-Lite checksum adjustment for these addresses)
> 
> Connectivities I get are: 
>  A2  => B (via NAT64+)
>  A3 <=> B (via 4rd BR)
> (There is no A1-B connectivity)
> 
> A2 is IPv6-only, right?

There seems to be a misunderstanding on what is IPv6-only.
a) A2 is dual stack. Being a CE node, it supports IPv4 applications, and typically includes a NAT44. 
b) Its IPv6 prefix matches neither a CE nor the BR mapping rule, it has no assigned public IPv4 address (even shared).
c) Because it has received a NAT64+ mapping rule, it knows it can tunnel IPv4 packets to the NAT64+.


> if so, let me go down. 

Not so => doesn't apply. 
(Yet some further comments below)

RD


>  
> 
> Anything missed?
> 
> 
> Other detailed comments follow.
> 
> Le 2012-03-16 à 01:59, Maoke a écrit :
> 
>> 
>> 
>> 2012/3/15 Rémi Després <despres.remi@laposte.net>
>> 
>> Le 2012-03-15 à 14:47, Maoke a écrit :
>> 
>>> 
>>> 
>>> 2012/3/15 Rémi Després <despres.remi@laposte.net>
>>> 
>>> Le 2012-03-15 à 11:45, Maoke a écrit :
>>> 
>>>> i understand NAT64 makes translation between arbitrary IPv6 address to arbitrary IPv4 address. i don't understand how you make CNP in any IPv6 address.
>>> 
>>> 
>>>> in other words, we cannot limit NAT64 stateful service only serve those IPv6 addresses with CNP.
>>> 
>>> That's no the case at all(!). 
>>> A NAT64+ is a *backward compatible* extension of NAT64 (everything that worked before still works completely unchanged).
>>> 
>>> The draft says:
>>> "NAT64+:  An ISP NAT64 of [RFC6146] that is upgraded to support 4rd tunneling when IPv6 addresses it deals with have the 4rd-IPv6-address format."
>>>  
>>>  
>>> this phrase is not understood yet. do you mean using 4rd-IPv6-address format for stateful translation service?
>> 
>> Yes (but, &s said, only for CE nodes that are 4rd capable (with the advantage of better IPv4 transparency between CEs and NAT64+ than between RFC6145 and NAT64).
>> 
>>> please draw an example of A <---> B communication as i did for clarification.
>> 
>> Here is an example scenario:
>> 
>> v4appli-BIH ----. => A>B NOK (because, according to RFC6535, BIH uses RFC6145) 
>>      A1         |     
>>                 :----(v6net)----- NAT64+ ---(IPv4 Internet)--- Server
>>                 |                UDP-lite                      UDP-lite
>> v4Appli-4rdCE --'                 capable                         B
>>      A2          => A-B OK
>> 
>> 
>> yes, BIH uses RFC6145 that doesn't claim supporting UDP-Lite. but exactly speaking, if the "not support" means passing-it-through without checksum adjustment, A --> B is fine because neither BIH nor NAT64+ does nothing with the L4, right?
> 
> A NAT64 that supports UDP Lite MUST update checksum for hosts that have native IPv6 addresses.
> That's why A1 => B doesn't work unless the NAT64 recognizes which packets are those of IPv4 applications in DS hosts.
> 
> A1 -> B doesn't need stateful NAT64 but stateless service is enough. well, stateful is also ok. it is true NAT64 supporting UDP-Lite must update checksum. 
>  
> 
>> B --> A is a question mark, if we use the NAT64+ which does nothing with the L4 checksum, it is also not a problem.
> 
> 
>> however, if we use, as you mentioned before, an UDP-Lite-aware update of RFC6146, that may updates the checksum while the BIH doesn't know that. 
> 
> Note that an upgrade of RFC6146 isn't needed for A NAT64 (and NAT64+) to support more protocols than the two required by the RFC. It is just an extension which cannot break anything (backward compatible).
> 
> confusing. upgrade vs. extension?? 
>  
> 
> 
>> 
>> my point here is: what is the use case with the details of addressing? if and only if A1 or A2 is configured with an RFC6052 or a MAP or a 4rd-U address while NAT64+ has a pool of checksum-neutral IPv6 address to serve B for the communications, A1 BIH or A2 CE may do the stateless processing successfuly. if NAT64+ hasn't such a address pool for B, things will fail because only one among src and dst is checksum-neutral. 
> 
> Sec 4.4 (8) says that a CE that targets an off-domain IPv4 address reaches the NAT64+ at this IPv6 address:
> 
> +-------------------------------+---+---+-------------+------+
> |      NAT64+ IPv6 prefix       |"u"| 0 |DST IPv4 add.|  CNP |
> +-------------------------------+---+---+-------------+------+
> :               64              : 8 : 8 :      32     :  16  :
> 
> In the reverse direction, and for the same IPv4 address, it is the same IPv6 address that must be synthesized by the NAT64+.
> 
> this address is used for A2 or used for B? if you mean B, then may i conclude that NAT64+ is serving between A2 (native IPv6 address with 4rd-U CNP) and B (synthesized by NAT64+ into another IPv6-converted address having CNP)? if i can, may i further conclude that NAT64+ serves only for the case where A2 has the 4rd-U-style address? 

Let me repeat that:
- NAT64+ works as a NAT64 for addresses that aren't 4rd-u style.
- The only difference is that NAT64+ has a plus for addresses that are those of 4RD-u CEs (better IPv4 transparency).


> if the A2 is configured with any IPv6 address, for example, address with the autoconfigured EUI64 IID, it is out of the scope of the NAT64+, right? 
> 
> if so, i do really suggest you call it NAT64- instead of NAT64+ because NAT64 can also serve hosts with any native IPv6 address to connect with an IPv4 peer.
> 
> your answer below didn't respond my question, sorry. for example (in the use case of NAT64 instead of NAT64-), A2 has native IPv6 address 2001:db8:1234:5678:208:1fff:fe4d:606e while B is 192.32.77.50. the CE might synthesize an IPv6 address for B, with the NAT64+ prefix and the 0xc0204d32 and a CNP embedded, say B', and let A2 connect to B' through IPv6; however, when this packet goes through the NAT64+,

> because only B' is checksum-neutral while A2 is not,

If the /64 of A2 is 2001:db8:1234:5678::/64, its 4rd IPv6 address is, per Fig 6, 2001:db8:1234:5678:3000::<CNP> 
It IS checksum neutral.

> NAT64+ passing it without L4 checksum adjustment will make B receive a packet with wrong checksum, for any L4 protocols. 
> 
> the above example works well for TCP and UDP with today's NAT64, without limitations on A2's address. 
> 
> - maoke
>  
> This is I suppose implicit, but it can advantageously be made explicit in the draft.
> Thanks.
> 
> 
>>> Because 4rd IPv6 addresses of CEs are distinguishable from all other IPv6 addresses (due to the V octet), NAT64s are concerned with CNPs ONLY for addresses that actually are 4rd CE addresses.
>>>  
>>>  
>>> we need to make sure if the NAT64s make both src and dst addresses checksum-neutral.
>> 
>> Correct, iff the host address has the V octet.
>> 
>> 1. without the V-octet, CE and NAT64 can also distinguish the 4rd-CE addresses from others. 
> 
> True, but while testing the V octet is sufficient in 4rd, the NAT64 has in MAP to process mapping rules to find for null subnet IDs whose lengths depend on which mapping rule applies.
> That's IMHO one instance where the V-octet potential is clear.
> 
> 
>> 2. even with the V-octet, do you mean B's IPv4 address also translated (by the NAT64+) to a CNP-and-V-containing IPv6 address? 
> 
> Yes (see above).
> 
>> if 2 is true, why you use stateful NAT64+ here for B rather than a stateless one?
> 
> Because we consider hosts that are not assigned any public IPv4 address, even shared.
> 
>> if 2 is not true, then the NAT64 can use any arbitrary IPv6 address for B's communications, and such a case results only A's mapped address is checksum-neutral, and thus anyway L4 adjustment is needed. 
>> 
>> if 2 is true, i do suggest you naming NAT64+ as NAT64- instead, because NAT64 doesn't have the limitation on the IPv6 address pool in use. 
> 
> Suggestion not retained ;-).
> What you call the IPv6 address pool isn't a reserved pool: as explained above, NAT64+ synthesizes its IPv6 source addresses using its unchanged /64 prefix. 
> 
> 
>> 3. RFC6535 states, explicitly, "Use of BIH together with a NAT64 is NOT RECOMMENDED [RFC6180]" (but the above technical discussion can omit this for the time being). 
> 
> Right.
> 
> RD
> 
> 
> 
> 
> 
>> 
>> - maoke 
>>  
>> 
>>> i cannot imagine what the use case is. please specify!
>> 
>> Hope the picture above helps.
>> 
>> RD
>> 
>> 
>> 
>>>  
>>> - maoke
>>>  
>>>  
>>> 
>>> RD 
>>> 
>>> 
>>>> - maoke 
>>>> 
>>>> 2012/3/15 Rémi Després <despres.remi@laposte.net>
>>>> 
>>>> Le 2012-03-15 à 10:59, Rémi Després a écrit :
>>>> 
>>>> > Maoke,
>>>> >
>>>> > Thanks for this question.
>>>> > This subject being new, I take it on a new thread.
>>>> >
>>>> > 2012-03-15 10:38, Maoke:
>>>> > ...
>>>> >> i didn't understand the how the stateful NAT64 benefits from CNP.
>>>> >
>>>> > The point is that if a NAT64 is upgraded to support 4rd-u tunnels (thus becoming a NAT64+) it can take IPv6 payloads as valid IPv4 payloads.
>>>> > Any protocol that this NAT64 supports is then supported e2e for 4rd-u CEs
>>>> > These CEs need not being dependent on which NAT64 supports which protocols.
>>>> >
>>>> > Note that the NAT64 doesn't need to have CNP code. It just happens that host IPv6 addresses it sees are checksum neutral. (Thus, IPv6 and IPv4 payloads are the same for all protocols that have ports at the same place as TCP/UDP/..., and the same checksum algorithm)
>>>> 
>>>> Oops.
>>>> This is only true for the IPv6 host address. To construct an IPv6 address when transmitting to  a 4rd-u CE, the NAT64 should compute a CNP. (This is to maintain the property that that middleboxes can treat tunnel packets as valid IPv6 packets. Not a big deal, but necessary).
>>>> Sorry for having hastily added this sentence.
>>>> 
>>>> RD
>>>> 
>>>> >
>>>> > RD
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > Softwires mailing list
>>>> > Softwires@ietf.org
>>>> > https://www.ietf.org/mailman/listinfo/softwires
>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
>