Re: [v6ops] Status of CLAT implementation on iPhone? (IPv4 apps on IPv6-only PDP type)

James Woodyatt <> Mon, 23 February 2015 20:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CD5B31A6F04 for <>; Mon, 23 Feb 2015 12:39:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AtWW0CJWT05D for <>; Mon, 23 Feb 2015 12:38:59 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8C36B1A6F17 for <>; Mon, 23 Feb 2015 12:38:59 -0800 (PST)
Received: by with SMTP id va2so39146990obc.1 for <>; Mon, 23 Feb 2015 12:38:58 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=hMqZ9LOyHWm6hkDclPx1zRU3EeG8KXiR6gpgnpZZeE8=; b=BJFALgblXXI/c2uWPN/KK6ng1/0E5JL2LxjaHMFDnAeIKcSthDiZ80i+3m3eN9U+By uWleUOXz+kiucmukVccbwO+GxuNgo1m7XiaX7sM5AKdzR+SLB4e/2OVNeGsQlNlxeYcI FKd/Av+vHKelHCvZKlc5HFPl9IncU2MbxIfvel2beuRifuD1S0Ffq2AdCOL0R3rAv6dQ yzNX7fTbL01ZHrFlwMcV/eVRaJ7sa5SHlJ0qCgPkx3JbGbEEUHc4n9y/vI9LIiDjupt6 Zw6nNZgemT+kvHbfbRoviGlxxXWprIoM1PvSCr9BQ9TM02O8JBGrCJpFhiypuK6rpn8F oyww==
X-Gm-Message-State: ALoCoQkq/xz64jySnEMFlEsTKgymYZtbk5/GftlnDM0RMLa1RyldDTyxW1ta7SOSOMCszXpUlyAM
MIME-Version: 1.0
X-Received: by with SMTP id t2mr8381340oib.104.1424723938851; Mon, 23 Feb 2015 12:38:58 -0800 (PST)
Received: by with HTTP; Mon, 23 Feb 2015 12:38:58 -0800 (PST)
In-Reply-To: <>
References: <>
Date: Mon, 23 Feb 2015 12:38:58 -0800
Message-ID: <>
From: James Woodyatt <>
To: "" <>
Content-Type: multipart/alternative; boundary=001a113cdcce475b0d050fc764e3
Archived-At: <>
Subject: Re: [v6ops] Status of CLAT implementation on iPhone? (IPv4 apps on IPv6-only PDP type)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Feb 2015 20:39:02 -0000

p1. I have no inside information from Apple's Core OS Networking group
newer than seventeen months ago when I separated. I'm not at liberty to
discuss confidential stuff even today. That said, I can dispel some myths.

p2. The security architecture for networking on iOS will effectively
prevent any third-party efforts from delivering a CLAT for iOS. Andrew
Yourtchenko wrote one for OS X, but it will be necessary for Apple Core OS
engineers to deliver it on iOS. Anyone who wants to review the source code
for the Darwin kernel in should be able to get a
sense of the scope of this problem.

p3. The Android implementation may be Apache-licensed, but— like Mr.
Yourtchenko's implementation— it's unsuitable for general production use
with Apple's networking stack, which has diverged substantially from
FreeBSD in the last several years. The Darwin kernel networking stack in
iOS and OS X has interface scoped routes, which the Core Networking and
Core Telephony subsystems use extensively. The IPv4 addresses assigned to
the host via the CLAT must be attached to the same interface as the
translated IPv6 address or the interface scoped routing won't work
properly. Again, see the Darwin kernel source code for details.

p4. It might be comparatively easy for Apple to deliver a very limited
CLAT, using one of several Darwin-specific tricks, e.g. a socket filter,
that only works to enable certain 3rd-party applications, e.g. Skype, on
IPv6-only LTE networks with a PLAT service available, but that will also
have some interoperability issues that make it unsuitable for general
reliability. I hope they don't go that way, but I don't work there anymore,
and I don't think anyone there would listen to me anyway, if that's what
they were to decide to do. I can kinda see why they might choose to do this.

For these reasons, I would counsel any operators expecting Apple to deliver
a CLAT in a forthcoming release of iOS to test it extensively before
accepting it. Especially: A) test it with Internet Sharing enabled, B) test
it with VPN connect-on-demand, and C) test it with AirDrop and AirPlay in
use. Whatever method they choose to implement a CLAT, it will be a tricky
job, and I would be surprised if it doesn't take a lot of Radar problems to
be opened and closed before it works acceptably.

Shorter james: I don't think IETF should list having a CLAT as requirement
for 3GPP mobile devices. It could be awkward for us while the leading
vendor of IPv6-capable handsets is shipping without one.

On Mon, Feb 23, 2015 at 4:38 AM, Alexandru Petrescu <> wrote:

> Hello participants to v6ops WG,
> What is the status of a CLAT implementation on iPhone?  Any hint in that
> direction?
> I am asking because in private conversation I have noticed doubts about
> this being done.  Or, since the iPhone relies on a bsd derivative,
> it would be technically feasible to implement CLAT on it; it is nothing
> more than some iptables address translation plus a bit of python
> scripting in case.
> (CLAT is needed by some IPv4 apps to continue working on a smartphone
>  connected solely with an IPv6-only PDP type).
> Alex
> _______________________________________________
> v6ops mailing list

james woodyatt <>
Nest Labs, Communications Engineering