Network Working Group                                        G. Tsirtsis
Request for Comments: 2766                                            BT
Category: Standards Track                                   P. Srisuresh
                                                   Campio Communications
                                                           February 2000
Network Address Translation - Protocol Translation (NAT-PT)
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document specifies an IPv4-to-IPv6 transition mechanism, in addition to those already specified in [TRANS]. This solution attempts to provide transparent routing, as defined in [NAT-TERM], to end-nodes in V6 realm trying to communicate with end-nodes in V4 realm and vice versa. This is achieved using a combination of Network Address Translation and Protocol Translation. The scheme described does not mandate dual-stacks (i.e., IPv4 as well as V6 protocol support) or special purpose routing requirements (such as requiring tunneling support) on end nodes. This scheme is based on a combination of address translation theme as described in [NAT-TERM] and V6/V4 protocol translation theme as described in [SIIT].
Acknowledgements
Special thanks to Pedro Marques for reviewing an earlier version of this memo. Also, many thanks to Alan O'Neill and Martin Tatham, as the mechanism described in this document was initially developed through discussions with them.
Table of Contents
1. Introduction
2. Terminology
   2.1 Network Address Translation (NAT)
   2.2 NAT-PT flavors
       2.2.1 Traditional-NAT-PT
       2.2.2 Bi-directional-NAT-PT
   2.3 Protocol Translation (PT)
   2.4 Application Level Gateway (ALG)
   2.5 Requirements
3. Traditional-NAT-PT operation (V6 to V4)
   3.1 NAT-PT Outgoing Sessions
   3.2 NAPT-PT Outgoing Sessions
4. Use of DNS-ALG for Address assignment
   4.1 V4 Address Assignment for Incoming Connections (V4 to V6)
   4.2 V4 Address Assignment for Outgoing Connections (V6 to V4)
5. Protocol Translation Details
   5.1 Translating IPv4 Headers to IPv6 Headers
   5.2 Translating IPv6 Headers to IPv4 Headers
   5.3 TCP/UDP/ICMP Checksum Update
6. FTP Application Level Gateway (FTP-ALG) Support
   6.1 Payload modifications for V4 originated FTP sessions
   6.2 Payload modifications for V6 originated FTP sessions
   6.3 Header updates for FTP control packets
7. NAT-PT Limitations and Future Work
   7.1 Topology Limitations
   7.2 Protocol Translation Limitations
   7.3 Impact of Address Translation
   7.4 Lack of End-to-End Security
   7.5 DNS Translation and DNSSEC
8. Applicability Statement
9. Security Considerations
10. References
Authors' Addresses
Full Copyright Statement
IPv6 is a new version of the IP protocol designed to modernize IPv4 which was designed in the 1970s. IPv6 has a number of advantages over IPv4 that will allow for future Internet growth and will simplify IP configuration and administration. IPv6 has a larger address space than IPv4, an addressing model that promotes aggressive route aggregation and a powerful autoconfiguration mechanism. In time, it is expected that Internet growth and a need for a plug-and-play solution will result in widespread adoption of IPv6.
There is expected to be a long transition period during which it will be necessary for IPv4 and IPv6 nodes to coexist and communicate. A strong, flexible set of IPv4-to-IPv6 transition and coexistence mechanisms will be required during this transition period.
The SIIT proposal [SIIT] describes a protocol translation mechanism that allows communication between IPv6-only and IPv4-only nodes via protocol independent translation of IPv4 and IPv6 datagrams, requiring no state information for the session. The SIIT proposal assumes that V6 nodes are assigned a V4 address for communicating with V4 nodes, and does not specify a mechanism for the assignment of these addresses.
NAT-PT uses a pool of V4 addresses for assignment to V6 nodes on a dynamic basis as sessions are initiated across V4-V6 boundaries. The V4 addresses are assumed to be globally unique. NAT-PT with private V4 addresses is outside the scope of this document and left for further study. NAT-PT binds addresses in the V6 network with addresses in the V4 network and vice versa to provide transparent routing [NAT-TERM] for the datagrams traversing between address realms. This requires no changes to end nodes, and IP packet routing is completely transparent [NAT-TERM] to end nodes. It does, however, require NAT-PT to track the sessions it supports and mandates that inbound and outbound datagrams pertaining to a session traverse the same NAT-PT router. Note that the topology restrictions on NAT-PT are the same as those described for V4 NATs in [NAT-TERM]. The protocol translation details specified in [SIIT] would be used to extend address translation with protocol syntax/semantics translation. A detailed applicability statement for NAT-PT may be found at the end of this document in section 7.
By combining SIIT protocol translation with the dynamic address translation capabilities of NAT and appropriate ALGs, NAT-PT provides a complete solution that would allow a large number of commonly used applications to interoperate between IPv6-only nodes and IPv4-only nodes.
A fundamental assumption for NAT-PT is that it is only to be used when no other native IPv6 or IPv6-over-IPv4 tunneled means of communication is possible. In other words, the aim is to use translation only between IPv6-only nodes and IPv4-only nodes; translation between IPv6-only nodes and the IPv4 part of a dual-stack node should be avoided when other alternatives exist.
The majority of terms used in this document are borrowed almost as is from [NAT-TERM]. The following lists terms specific to this document.
The term NAT in this document is very similar to the IPv4 NAT described in [NAT-TERM], but is not identical. IPv4 NAT translates one IPv4 address into another IPv4 address. In this document, NAT refers to translation of an IPv4 address into an IPv6 address and vice versa.
While the V4 NAT [NAT-TERM] provides routing between private V4 and external V4 address realms, NAT in this document provides routing between a V6 address realm and an external V4 address realm.
Just as there are various flavors identified with V4 NAT in [NAT-TERM], the following NAT-PT variations may be identified in this document.
Traditional-NAT-PT would allow hosts within a V6 network to access hosts in the V4 network. In a traditional-NAT-PT, sessions are uni-directional, outbound from the V6 network. This is in contrast with Bi-directional-NAT-PT, which permits sessions in both inbound and outbound directions.
Just as with V4 traditional-NAT, there are two variations to traditional-NAT-PT, namely Basic-NAT-PT and NAPT-PT.
With Basic-NAT-PT, a block of V4 addresses is set aside for translating the addresses of V6 hosts as they originate sessions to V4 hosts in the external domain. For packets outbound from the V6 domain, the source IP address and related fields such as the IP, TCP, UDP and ICMP header checksums are translated. For inbound packets, the destination IP address and the checksums listed above are translated.
NAPT-PT extends the notion of translation one step further by also translating transport identifiers (e.g., TCP and UDP port numbers, ICMP query identifiers). This allows the transport identifiers of a number of V6 hosts to be multiplexed into the transport identifiers of a single assigned V4 address. NAPT-PT allows a set of V6 hosts to share a single V4 address. Note that NAPT-PT can be combined with Basic-NAT-PT so that a pool of external addresses is used in conjunction with port translation.
For packets outbound from the V6 network, NAPT-PT would translate the source IP address, source transport identifier and related fields such as the IP, TCP, UDP and ICMP header checksums. The transport identifier can be a TCP/UDP port or an ICMP query ID. For inbound packets, the destination IP address, destination transport identifier and the IP and transport header checksums are translated.
With Bi-directional-NAT-PT, sessions can be initiated from hosts in V4 network as well as the V6 network. V6 network addresses are bound to V4 addresses, statically or dynamically as connections are established in either direction. The name space (i.e., their Fully Qualified Domain Names) between hosts in V4 and V6 networks is assumed to be end-to-end unique. Hosts in V4 realm access V6-realm hosts by using DNS for address resolution. A DNS-ALG [DNS-ALG] must be employed in conjunction with Bi-Directional-NAT-PT to facilitate name to address mapping. Specifically, the DNS-ALG must be capable of translating V6 addresses in DNS Queries and responses into their V4-address bindings, and vice versa, as DNS packets traverse between V6 and V4 realms.
PT in this document refers to the translation of an IPv4 packet into a semantically equivalent IPv6 packet and vice versa. Protocol translation details are described in [SIIT].
An Application Level Gateway (ALG) [NAT-TERM] is an application-specific agent that allows a V6 node to communicate with a V4 node and vice versa. Some applications carry network addresses in their payloads. NAT-PT is application-unaware and does not snoop the payload. An ALG could work in conjunction with NAT-PT to provide support for many such applications.
The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in [KEYWORDS].
NAT-PT offers a straightforward solution based on transparent routing [NAT-TERM] and address/protocol translation, allowing a large number of applications in the V6 and V4 realms to interoperate without requiring any changes to these applications.
In the following paragraphs we describe the operation of traditional-NAT-PT and the way that connections can be initiated from a host in the IPv6 domain to a host in the IPv4 domain through a traditional-NAT-PT.
   [IPv6-B]-+
            |              +==============+
   [IPv6-A]-+-[NAT-PT]-----| IPv4 network |--[IPv4-C]
            |              +==============+
      (pool of v4 addresses)

            Figure 1: IPv6 to IPv4 communication

   Node IPv6-A has an IPv6 address -> FEDC:BA98::7654:3210
   Node IPv6-B has an IPv6 address -> FEDC:BA98::7654:3211
   Node IPv4-C has an IPv4 address -> 132.146.243.30
NAT-PT has a pool of addresses including the IPv4 subnet 120.130.26/24
The V4 addresses in the address pool could be allocated one-to-one to the V6 addresses of the V6 end nodes, in which case one needs as many V4 addresses as V6 end points. In this document we assume that the V6 network has fewer V4 addresses than V6 end nodes and thus dynamic address allocation is required for at least some of them.
Say the IPv6 Node A wants to communicate with the IPv4 Node C. Node A creates a packet with:
Source Address, SA=FEDC:BA98::7654:3210 and Destination Address, DA=PREFIX::132.146.243.30
NOTE: The prefix PREFIX::/96 is advertised in the stub domain by the NAT-PT, and packets addressed to this PREFIX will be routed to the NAT-PT. The pre-configured PREFIX only needs to be routable within the IPv6 stub domain and as such it can be any routable prefix that the network administrator chooses.
The packet is routed via the NAT-PT gateway, where it is translated to IPv4.
If the outgoing packet is not a session initialisation packet, the NAT-PT SHOULD already have stored some state about the related session, including assigned IPv4 address and other parameters for the translation. If this state does not exist, the packet SHOULD be silently discarded.
If the packet is a session initialisation packet, the NAT-PT locally allocates an address (e.g: 120.130.26.10) from its pool of addresses and the packet is translated to IPv4. The translation parameters are cached for the duration of the session and the IPv6 to IPv4 mapping is retained by NAT-PT.
The resulting IPv4 packet has SA=120.130.26.10 and DA=132.146.243.30. Any returning traffic will be recognised as belonging to the same session by NAT-PT. NAT-PT will use the state information to translate the packet, and the resulting addresses will be SA=PREFIX::132.146.243.30, DA=FEDC:BA98::7654:3210. Note that this packet can now be routed inside the IPv6-only stub network as normal.
NAPT-PT, which stands for "Network Address Port Translation + Protocol Translation", would allow V6 nodes to communicate with the V4 nodes transparently using a single V4 address. The TCP/UDP ports of the V6 nodes are translated into TCP/UDP ports of the registered V4 address.
While NAT-PT support is limited to TCP, UDP and other port-multiplexing types of applications, NAPT-PT solves a problem that is inherent with NAT-PT. That is, NAT-PT would fall flat when the pool of V4 addresses assigned for translation purposes is exhausted. Once the address pool is exhausted, newer V6 nodes cannot establish sessions with the outside world anymore. NAPT-PT, on the other hand, will allow for a maximum of 63K TCP and 63K UDP sessions per IPv4 address before having no TCP and UDP ports left to assign.
To modify the example cited in Figure 1, we could have NAPT-PT on the border router (instead of NAT-PT) and all V6 addresses could be mapped to a single v4 address 120.130.26.10.
IPv6 Node A would establish a TCP session with the IPv4 Node C as follows:
Node A creates a packet with:
Source Address, SA=FEDC:BA98::7654:3210, source TCP port = 3017 and Destination Address, DA=PREFIX::132.146.243.30, destination TCP port = 23.
When the packet reaches the NAPT-PT box, NAPT-PT would assign one of the TCP ports from the assigned V4 address to translate the tuple of (Source Address, Source TCP port) as follows:
SA=120.130.26.10, source TCP port = 1025 and DA=132.146.243.30, destination TCP port = 23.
The returning traffic from 132.146.243.30, TCP port 23 will be recognised as belonging to the same session and will be translated back to V6 as follows:
SA=PREFIX::132.146.243.30, source TCP port = 23; DA=FEDC:BA98::7654:3210, destination TCP port = 3017
Inbound NAPT-PT sessions are restricted to one server per service, assigned via static TCP/UDP port mapping. For example, the Node [IPv6-A] in figure 1 may be the only HTTP server (port 80) in the V6 domain. Node [IPv4-C] sends a packet:
SA=132.146.243.30, source TCP port = 1025 and DA=120.130.26.10, destination TCP port = 80
NAPT-PT will translate this packet to:
SA=PREFIX::132.146.243.30, source TCP port = 1025; DA=FEDC:BA98::7654:3210, destination TCP port = 80
In the above example, note that all sessions which reach NAPT-PT with a destination port of 80 will be redirected to the same node [IPv6-A].
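The outbound and inbound translations of sections 3.1 and 3.2 above, worked as an added example (not code from RFC 2766 or any NAT-PT implementation): a toy NAPT-PT state table for a single V4 pool address, covering session initiation, the silent discard of stateless non-initiation packets, and the static one-server-per-service inbound mapping. It assumes 2001:db8:ffff::/96 as a stand-in for the administrator-chosen PREFIX::/96, TCP only, and port 80 statically mapped to IPv6-A.

```python
import ipaddress
from dataclasses import dataclass

# Assumed placeholder for the administrator-chosen PREFIX::/96 of section 3.1.
PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")
# The single pool address used in the NAPT-PT example of section 3.2.
POOL_V4 = ipaddress.IPv4Address("120.130.26.10")
FIRST_PORT, LAST_PORT = 1025, 65535


def norm(addr: str) -> str:
    """Canonical text form, so 'FEDC:BA98::7654:3210' and its lowercase form compare equal."""
    return str(ipaddress.ip_address(addr))


def v4_to_v6(addr: str) -> str:
    """Embed an IPv4 address in the low 32 bits of PREFIX::/96 (PREFIX::a.b.c.d)."""
    v4 = ipaddress.IPv4Address(addr)
    return str(ipaddress.IPv6Address(int(PREFIX.network_address) | int(v4)))


def v6_to_v4(addr: str) -> str:
    """Inverse: a PREFIX::a.b.c.d address back to a.b.c.d; anything else is not translatable."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in PREFIX:
        raise ValueError(f"{addr} is not inside {PREFIX}")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF))


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    initiates: bool = False   # True for a session-initiation packet (e.g. TCP SYN)


class NaptPt:
    """NAPT-PT state for one transport protocol (TCP) behind a single V4 address."""

    def __init__(self, static_inbound=None):
        # static_inbound: V4 dport -> (V6 server, V6 port); one server per service
        self.static = {p: (norm(a), q) for p, (a, q) in (static_inbound or {}).items()}
        self.out = {}    # (V6 src, V6 sport) -> assigned V4 port
        self.back = {}   # assigned V4 port -> (V6 src, V6 sport)
        self.next_port = FIRST_PORT

    def _alloc_port(self):
        while self.next_port <= LAST_PORT and self.next_port in self.static:
            self.next_port += 1        # never hand out a statically mapped port
        if self.next_port > LAST_PORT:
            return None                # port space exhausted: no more sessions
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet):
        """V6 -> V4. Returns the translated packet, or None if it must be silently discarded."""
        key = (norm(pkt.src), pkt.sport)
        if key not in self.out:
            if not pkt.initiates:
                return None            # no state and not a session start: discard
            port = self._alloc_port()
            if port is None:
                return None
            self.out[key] = port
            self.back[port] = key
        try:
            dst_v4 = v6_to_v4(pkt.dst)
        except ValueError:
            return None                # destination was not a PREFIX:: address
        return Packet(str(POOL_V4), self.out[key], dst_v4, pkt.dport, pkt.initiates)

    def inbound(self, pkt: Packet):
        """V4 -> V6. Dynamic bindings first, then static service mappings, else discard."""
        if norm(pkt.dst) != str(POOL_V4):
            return None
        target = self.back.get(pkt.dport) or self.static.get(pkt.dport)
        if target is None:
            return None
        v6_dst, v6_port = target
        return Packet(v4_to_v6(pkt.src), pkt.sport, v6_dst, v6_port, pkt.initiates)
```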
An IPv4 address is assigned by NAT-PT to a V6 node when NAT-PT identifies the start of session, inbound or outbound. Identification of the start of a new inbound session is performed differently than for outbound sessions. However, the same V4 address pool is used for assignment to V6 nodes, irrespective of whether a session is initiated outbound from a V6 node or initiated inbound from a V4 node.
Policies determining what type of sessions are allowed, in which direction, and from/to which nodes are out of the scope of this document.
IPv4 name to address mappings are held in the DNS with "A" records. IPv6 name to address mappings are at the moment held in the DNS with "AAAA" records. "A6" records have also been defined but at the time of writing they are neither fully standardized nor deployed.
In any case, the DNS-ALG's principle of operation described in this section is the same for either "AAAA" or "A6" records. The only difference is that a name resolution using "A6" records may require more than one query-reply pair. The DNS-ALG SHOULD, in that case, track all the replies in the transaction before translating an "A6" record to an "A" record.
One of the aims of the NAT-PT design is to use translation only when there is no other means of communication, such as native IPv6 or some form of tunneling. For the following discussion, NAT-PT, in addition to the IPv4 connectivity that it has, may also have a native IPv6 and/or a tunneled IPv6 connection.
   [DNS]--+
          |              [DNS]------[DNS]-------[DNS]
 [IPv6-B]-+                |                      |
          |                |  +==============+    |
 [IPv6-A]-+----[NAT-PT]-------| IPv4 network |--[IPv4-C]
          |                   +==============+
     (pool of v4 addresses)

            Figure 2: IPv4 to IPv6 communication

   Node IPv6-A has an IPv6 address -> FEDC:BA98::7654:3210
   Node IPv6-B has an IPv6 address -> FEDC:BA98::7654:3211
   Node IPv4-C has an IPv4 address -> 132.146.243.30
NAT-PT has a pool of addresses including the IPv4 subnet 120.130.26/24
In Figure 2 above, when Node C's name resolver sends a name lookup request for Node A, the lookup query is directed to the DNS server on the V6 network. Considering that NAT-PT resides on the border router between the V4 and V6 networks, this request datagram would traverse the NAT-PT router. The DNS-ALG on the NAT-PT device would modify DNS queries for A records going into the V6 domain as follows (note that a TCP/UDP DNS packet is recognised by the fact that its source or destination port number is 53):
a) For Node Name to Node Address Query requests: Change the Query type from "A" to "AAAA" or "A6".
b) For Node address to Node name query requests: Replace the string "IN-ADDR.ARPA" with the string "IP6.INT". Replace the V4 address octets (in reverse order) preceding the string "IN-ADDR.ARPA" with the corresponding V6 address (if there exists a map) octets in reverse order.
In the opposite direction, when a DNS response traverses from the DNS server on the V6 network to the V4 node, the DNS-ALG once again intercepts the DNS packet and would:
a) Translate DNS responses for "AAAA" or "A6" records into "A" records (only translate "A6" records when the name has been completely resolved).
b) Replace the V6 address resolved by the V6 DNS with the V4 address internally assigned by the NAT-PT router.
If a V4 address has not previously been assigned to this V6 node, NAT-PT would assign one at this time. As an example, say IPv4-C attempts to initialise a session with node IPv6-A by making a name lookup ("A" record) for Node-A. The name query goes to the local DNS and from there is propagated to the DNS server of the IPv6 network. The DNS-ALG intercepts and translates the "A" query to an "AAAA" or "A6" query and then forwards it to the DNS server in the IPv6 network, which replies as follows (the example uses AAAA records for convenience):
Node-A AAAA FEDC:BA98::7654:3210,
this is returned by the DNS server and gets intercepted and translated by the DNS-ALG to:
Node-A A 120.130.26.1
The DNS-ALG also holds the mapping between FEDC:BA98::7654:3210 and 120.130.26.1 in NAT-PT. The "A" record is then returned to Node-C. Node-C can now initiate a session as follows:
SA=132.146.243.30, source TCP port = 1025 and DA=120.130.26.1, destination TCP port = 80
The packet will be routed to NAT-PT, which, since it already holds a mapping between FEDC:BA98::7654:3210 and 120.130.26.1, can translate the packet to:
SA=PREFIX::132.146.243.30, source TCP port = 1025 DA=FEDC:BA98::7654:3210, destination TCP port = 80
The communication can now proceed as normal.
The TTL values on all DNS resource records (RRs) passing through NAT-PT SHOULD be set to 0 so that DNS servers/clients do not cache temporarily assigned RRs. Note, however, that due to some buggy DNS client implementations a value of 1 might in some cases work better. The TTL values should be left unchanged for statically mapped addresses.
Address mappings for incoming sessions, as described above, are subject to denial of service attacks since one can make multiple queries for nodes residing in the V6 network causing the DNS-ALG to map all V4 addresses in NAT-PT and thus block legitimate incoming sessions. Thus, address mappings for incoming sessions should time out to minimise the effect of denial of service attacks. Additionally, one IPv4 address (using NAPT-PT, see 3.2) could be reserved for outgoing sessions only to minimise the effect of such attacks to outgoing sessions.
V6 nodes learn the address of V4 nodes from the DNS server in the V4 domain or from the DNS server internal to the V6 network. We recommend that DNS servers internal to V6 domains maintain a mapping of names to IPv6 addresses for internal nodes and possibly cache mappings for some external nodes. In the case where the DNS server in the v6 domain contains the mapping for external V4 nodes, the DNS queries will not cross the V6 domain and that would obviate the need for DNS-ALG intervention. Otherwise, the queries will cross the V6 domain and are subject to DNS-ALG intervention. We recommend external DNS servers in the V4 domain cache name mapping for external nodes (i.e., V4 nodes) only. Zone transfers across IPv4 - IPv6 boundaries are strongly discouraged.
In the case of NAPT-PT, a TCP/UDP source port is assigned from the registered V4 address upon detection of each new outbound session.
We saw that a V6 node that needs to communicate with a V4 node needs to use a specific prefix (PREFIX::/96) in front of the IPv4 address of the V4 node. The above technique allows the use of this PREFIX without any configuration in the nodes.
To create another example from Figure 2, say Node-A wants to set up a session with Node-C. For this, Node-A starts by making a name look-up ("AAAA" or "A6" record) for Node-C.
Since Node-C may have IPv6 and/or IPv4 addresses, the DNS-ALG on the NAT-PT device forwards the original AAAA/A6 query to the external DNS system unchanged, as well as an A query for the same node. If an AAAA/A6 record exists for the destination, this will be returned to NAT-PT which will forward it, also unchanged, to the originating host.
If there is an A record for Node-C, the reply also returns to the NAT-PT. The DNS-ALG then translates the reply, adding the appropriate PREFIX, and forwards it to the originating device together with any IPv6 addresses that it might have learned. So, if the reply is
NodeC A 132.146.243.30, it is translated to NodeC AAAA PREFIX::132.146.243.30 or to NodeC A6 PREFIX::132.146.243.30
Now Node A can use this address like any other IPv6 address and the V6 DNS server can even cache it as long as the PREFIX does not change.
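The two directions of DNS-ALG behaviour described above, as an added Python illustration that is not part of this RFC: the outbound case, in which an A record answered to a V6 querier is rewritten into an AAAA (or A6) record carrying PREFIX::v4, and the inbound case of the earlier paragraphs, in which a V6 host named in an AAAA/A6 answer is bound to an address from the NAT-PT V4 pool, with TTL 0 for temporary bindings, TTLs left alone for static mappings, a timeout on dynamic bindings and one pool address held back for outgoing sessions. The PREFIX (2001:db8:ffff::/96), the pool addresses and the V6 hosts are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed values for this example (not from the RFC): the PREFIX::/96 that
# NAT-PT advertises for V4 destinations and the pool of V4 addresses it owns.
PREFIX = ipaddress.IPv6Address("2001:db8:ffff::")
V4_POOL = ["120.130.26.10", "120.130.26.11", "120.130.26.12"]


@dataclass
class RR:
    """A DNS resource record as the DNS-ALG sees it (owner, type, TTL, rdata)."""
    name: str
    rtype: str
    ttl: int
    rdata: str


def prefix_v6(v4: str) -> str:
    """PREFIX::a.b.c.d: the IPv4 address in the low-order 32 bits of PREFIX::/96."""
    return str(ipaddress.IPv6Address(int(PREFIX) | int(ipaddress.IPv4Address(v4))))


def translate_a_reply(rr: RR, rtype: str = "AAAA") -> RR:
    """Outbound direction: an A record returned to a V6 querier becomes an AAAA (or A6)
    record carrying PREFIX::v4. No NAT-PT state is tied to it, so the TTL is kept:
    the V6 resolver may cache it for as long as PREFIX does not change."""
    if rr.rtype != "A":
        return rr
    return RR(rr.name, rtype, rr.ttl, prefix_v6(rr.rdata))


@dataclass
class InboundDnsAlg:
    """Inbound direction: bind a V6 host to a pool V4 address when a V4 resolver asks for it."""
    pool: list[str]
    mapping_timeout: float = 60.0          # seconds; bounds how long one lookup holds a pool address
    static: dict[str, str] = field(default_factory=dict)                 # v6 -> v4, never expires
    dynamic: dict[str, tuple[str, float]] = field(default_factory=dict)  # v6 -> (v4, expiry)

    def __post_init__(self) -> None:
        # One pool address is reserved for outgoing (NAPT-PT) sessions, so lookups for
        # internal names can never take every V4 address away from outbound traffic.
        self.outgoing_only = self.pool[0]
        self.free = [v4 for v4 in self.pool[1:] if v4 not in self.static.values()]

    def _expire(self, now: float) -> None:
        for v6, (v4, expiry) in list(self.dynamic.items()):
            if expiry <= now:
                del self.dynamic[v6]
                self.free.append(v4)

    def map_v6(self, v6: str, now: float):
        """Return (v4, is_static) for v6, or (None, False) if the pool is exhausted."""
        if v6 in self.static:
            return self.static[v6], True
        self._expire(now)
        if v6 in self.dynamic:
            v4 = self.dynamic[v6][0]
        elif self.free:
            v4 = self.free.pop(0)
        else:
            return None, False
        self.dynamic[v6] = (v4, now + self.mapping_timeout)   # (re)start the timeout
        return v4, False

    def translate_aaaa_reply(self, rr: RR, now: float):
        """Rewrite an AAAA/A6 answer bound for a V4 resolver into an A record. Dynamically
        assigned mappings get TTL 0 so the V4 side does not cache them; static ones keep theirs."""
        if rr.rtype not in ("AAAA", "A6"):
            return rr
        v4, is_static = self.map_v6(rr.rdata, now)
        if v4 is None:
            return None   # no V4 address left for this name; the reply cannot be translated
        return RR(rr.name, "A", rr.ttl if is_static else 0, v4)
```

The timeout is what limits the exposure described earlier: a burst of queries for internal names can still drain the pool, but only for `mapping_timeout` seconds, and the address reserved in `outgoing_only` is never handed out to a lookup at all.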
An issue here is how the V6 DNS server in the V6 stub domain talks to the V4 domain outside the V6 stub domain. Remember that there are no dual-stack nodes here. The external V4 DNS server needs to point to a V4 address, part of the V4 pool of addresses available to NAT-PT. NAT-PT keeps a one-to-one mapping between this V4 address and the V6 address of the internal V6 DNS server. In the other direction, the V6 DNS server points to a V6 address formed by the IPv4 address of the external V4 DNS server and the prefix (PREFIX::/96) that indicates non-IPv6 nodes. This mechanism can easily be extended to accommodate secondary DNS servers.
Note that the scheme described in this section impacts DNSSEC. See section 7.5 of this document for details.
The IPv4 and ICMPv4 headers are similar to their V6 counterparts, but a number of fields are either missing, have a different meaning or have a different length. NAT-PT SHOULD translate all IP/ICMP headers from v4 to v6 and vice versa in order to make end-to-end IPv6 to IPv4 communication possible. Due to the address translation function and possible port multiplexing, NAT-PT SHOULD also make appropriate adjustments to the upper layer protocol (TCP/UDP) headers. A separate section on FTP-ALG describes the changes FTP-ALG would make to the FTP payload as an FTP packet traverses from the V4 to the V6 realm or vice versa.
Protocol Translation details are described in [SIIT], but there are some modifications required to SIIT because of the fact that NAT-PT also performs Network Address Translation.
Translation of IPv4 headers to IPv6 headers is done exactly the same as in SIIT apart from the following fields:
Source Address: The low-order 32 bits are the IPv4 source address. The high-order 96 bits are the designated PREFIX for all v4 communications. Addresses using this PREFIX (PREFIX::/96) will be routed to the NAT-PT gateway.
Destination Address: NAT-PT retains a mapping between the IPv4 destination address and the IPv6 address of the destination node. The IPv4 destination address is replaced by the IPv6 address retained in that mapping.
Translation of IPv6 headers to IPv4 headers is done exactly the same as in SIIT apart from the Source Address, which should be determined as follows:
Source Address: The NAT-PT retains a mapping between the IPv6 source address and an IPv4 address from the pool of IPv4 addresses available. The IPv6 source address is replaced by the IPv4 address retained in that mapping.
Destination Address: IPv6 packets that are translated have a destination address of the form PREFIX::IPv4/96. Thus the low-order 32 bits of the IPv6 destination address are copied to the IPv4 destination address.
NAT-PT retains a mapping between an IPv6 address and an IPv4 address from the pool of IPv4 addresses available. This mapping is used in the translation of packets that go through NAT-PT.
The following sub-sections describe TCP/UDP/ICMP checksum update procedure in NAT-PT, as packets are translated from V4 to V6 and vice versa.
TCP checksums, and UDP checksums when set to a non-zero value, SHOULD be recalculated to reflect the address change from v4 to v6. The incremental checksum adjustment algorithm may be borrowed from [NAT]. In the case of NAPT-PT, the TCP/UDP checksum should be adjusted to account for the address and TCP/UDP port changes, going from V4 to V6 addresses.
When the checksum of a V4 UDP packet is set to zero, NAT-PT MUST evaluate the checksum in its entirety for the V6-translated UDP packet. If a V4 UDP packet with a checksum of zero arrives in fragments, NAT-PT MUST await all the fragments until they can be assembled into a single non-fragmented packet and evaluate the checksum prior to forwarding the translated V6 UDP packet.
ICMPv6, unlike ICMPv4, uses a pseudo-header during checksum computation, just like UDP and TCP. As a result, when the ICMPv6 header checksum is computed [SIIT], the checksum needs to be adjusted to account for the additional pseudo-header. Note that there may also be adjustments required to the checksum due to changes in the source and destination addresses (and changes in TCP/UDP/ICMP identifiers in the case of NAPT-PT) of the payload carried within ICMP.
TCP and UDP checksums SHOULD be recalculated to reflect the address change from v6 to v4. The incremental checksum adjustment algorithm may be borrowed from [NAT]. In the case of NAPT-PT, TCP/UDP checksums should be adjusted to account for the address and TCP/UDP port changes, going from V6 to V4 addresses. For UDP packets, optionally, the checksum may simply be changed to zero.
The checksum for a V4 ICMP header needs to be derived from the V6 ICMP header by running the checksum adjustment algorithm [NAT] to remove the V6 pseudo-header from the computation. Note that the adjustment must additionally take into account changes to the checksum as a result of updates to the source and destination addresses (and transport ports in the case of NAPT-PT) made to the payload carried within ICMP.
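The v4-to-v6 address rules and the two UDP checksum cases above, as an added Python illustration that is not part of this RFC: the source address becomes PREFIX::v4 and the destination is taken from the NAT-PT mapping; a datagram whose V4 checksum is non-zero is updated with the incremental adjustment of [NAT] (only the address words of the pseudo-header change, since the length and next-header words are the same in both pseudo-headers), while a datagram with a zero V4 checksum gets its checksum evaluated in full over the V6 pseudo-header. The PREFIX (2001:db8:ffff::/96), the pool address 120.130.26.10 and its mapped V6 host 2001:db8:1::a are constructed for the example.

```python
import ipaddress
import struct

# Constructed values for this example (not from the RFC): the PREFIX::/96 used by
# NAT-PT and the mapping it holds between a pool V4 address and the internal V6 node.
PREFIX = ipaddress.IPv6Address("2001:db8:ffff::")
V4_POOL_TO_V6 = {"120.130.26.10": "2001:db8:1::a"}
UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (the Internet checksum sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def checksum_adjust(old: int, removed: bytes, added: bytes) -> int:
    """Incremental update in the style of [NAT]: new = ~(~old + ~sum(removed) + sum(added)),
    so only the words that actually changed have to be looked at."""
    total = ((~old) & 0xFFFF) + ((~ones_complement_sum(removed)) & 0xFFFF) + ones_complement_sum(added)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def v4_src_to_v6(src4: str) -> bytes:
    """Source Address rule: PREFIX in the high-order 96 bits, the IPv4 address in the low-order 32."""
    return (int(PREFIX) | int(ipaddress.IPv4Address(src4))).to_bytes(16, "big")


def v4_dst_to_v6(dst4: str) -> bytes:
    """Destination Address rule: the V6 address NAT-PT keeps in its mapping for this pool address."""
    return ipaddress.IPv6Address(V4_POOL_TO_V6[dst4]).packed


def pseudo_header_v4(src: bytes, dst: bytes, length: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, UDP_PROTO, length)


def pseudo_header_v6(src: bytes, dst: bytes, length: int) -> bytes:
    return src + dst + struct.pack("!I3xB", length, UDP_PROTO)


def build_udp_v4(src4: str, dst4: str, sport: int, dport: int, payload: bytes, with_checksum: bool) -> bytes:
    """Constructed V4 UDP datagram; with_checksum=False leaves the optional V4 checksum at zero."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    if not with_checksum:
        return header + payload
    src, dst = ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed
    c = checksum(pseudo_header_v4(src, dst, length) + header + payload) or 0xFFFF
    return header[:6] + struct.pack("!H", c) + payload


def translate_udp_v4_to_v6(src4: str, dst4: str, udp: bytes):
    """Return (v6 src, v6 dst, UDP datagram) with a checksum valid over the V6 pseudo-header."""
    src6, dst6 = v4_src_to_v6(src4), v4_dst_to_v6(dst4)
    old = struct.unpack("!H", udp[6:8])[0]
    if old == 0:
        # The V4 sender omitted the checksum; V6 requires one, so evaluate it in full
        # (a fragmented zero-checksum datagram would have to be reassembled first).
        new = checksum(pseudo_header_v6(src6, dst6, len(udp)) + udp[:6] + b"\x00\x00" + udp[8:])
    else:
        # Only the pseudo-header address words changed: remove the V4 words, add the V6 words.
        src4b, dst4b = ipaddress.IPv4Address(src4).packed, ipaddress.IPv4Address(dst4).packed
        new = checksum_adjust(old, removed=src4b + dst4b, added=src6 + dst6)
    return src6, dst6, udp[:6] + struct.pack("!H", new or 0xFFFF) + udp[8:]


def udp_checksum_ok_v6(src6: bytes, dst6: bytes, udp: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header and datagram must be all ones."""
    return ones_complement_sum(pseudo_header_v6(src6, dst6, len(udp)) + udp) == 0xFFFF
```

Both paths yield the same checksum for the same datagram, which is the property that makes the incremental method safe to use: it never has to touch the payload, and under NAPT-PT the changed port words would simply be added to the `removed` and `added` byte strings.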
Because an FTP control session carries, in its payload, the IP address and TCP port information for the data session, an FTP-ALG is required to provide application level transparency for this popular Internet application.
In the FTP application running on a legacy V4 node, the arguments to the FTP PORT command and the arguments in a successful PASV response include an IPv4 address and a TCP port, both represented in ASCII as h1,h2,h3,h4,p1,p2. However, [FTP-IPV6] suggests EPRT and EPSV command extensions to FTP, with the intent of eventually retiring the use of the PORT and PASV commands. These extensions may be used on a V4 or V6 node. FTP-ALG, facilitating transparent FTP between V4 and V6 nodes, works as follows.
A V4 host may or may not have the EPRT and EPSV command extensions implemented in its FTP application. If a V4 host originates the FTP session and uses the PORT or PASV command, the FTP-ALG will translate these commands into EPRT and EPSV commands respectively prior to forwarding to the V6 node. Likewise, the EPSV response from V6 nodes will be translated into a PASV response prior to forwarding to V4 nodes. The format of the EPRT and EPSV commands and of the EPSV response is as follows [FTP-IPV6].
EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d> EPSV<space><net-prt> (or) EPSV<space>ALL
Format of EPSV response(Positive): 229 <text indicating extended passive mode> (<d><d><d><tcp-port><d>)
A PORT command from a V4 node is translated into an EPRT command by setting the protocol <net-prt> field to AF #2 (IPV6) and translating the V4 host address (represented as h1,h2,h3,h4) into its NAT-PT assigned V6 address in string notation, as defined in [V6ADDR], in the <net-addr> field. The TCP port represented by p1,p2 in the PORT command must be specified as a decimal <tcp-port> in the EPRT command. Further, <tcp-port> translation may also be required in the case of NAPT-PT. A PASV command from a V4 node is translated into an EPSV command with the <net-prt> argument set to AF #2. The EPSV response from a V6 node is translated into a PASV response prior to forwarding to the target V4 host.
If a V4 host originated the FTP session and was using EPRT and EPSV commands, the FTP-ALG will simply translate the parameters to these commands, without altering the commands themselves. The protocol number <net-prt> field will be translated from AF #1 to AF #2. <net-addr> will be translated from the V4 address in ASCII to its NAT-PT assigned V6 address in string notation as defined in [V6ADDR]. The <tcp-port> argument in the EPSV response requires translation only in the case of NAPT-PT.
If a V6 host originates the FTP session, however, the FTP-ALG has two approaches to pursue. In the first approach, the FTP-ALG will leave the command strings "EPRT" and "EPSV" unaltered and simply translate the <net-prt>, <net-addr> and <tcp-port> arguments from V6 to the NAT-PT (or NAPT-PT) assigned V4 information. <tcp-port> is translated only in the case of NAPT-PT. The same applies to the EPSV response from the V4 node. This is the approach we recommend, to ensure forward support for RFC 2428. However, with this approach, the V4 hosts are mandated to have their FTP application upgraded to support the EPRT and EPSV extensions to allow access to V4 and V6 hosts alike.
In the second approach, the FTP-ALG will translate the command strings "EPRT" and "EPSV" and their parameters from the V6 node into the equivalent NAT-PT assigned V4 node info and attach them to "PORT" and "PASV" commands prior to forwarding to the V4 node. Likewise, the PASV response from V4 nodes is translated into an EPSV response prior to forwarding to the target V6 nodes. However, the FTP-ALG would be unable to translate the command "EPSV<space>ALL" issued by V6 nodes. In such a case, the V4 host which receives the command may return an error code indicating an unsupported function. This error response may cause many RFC 2428 compliant FTP applications to simply fail, because EPSV support is mandated by RFC 2428. The benefit of this approach, however, is that it does not impose any FTP upgrade requirements on V4 hosts.
All the payload translations considered in the previous sections are based on ASCII encoded data. As a result, these translations may result in a change in the size of the packet.
If the new size is the same as the previous, only the TCP checksum needs adjustment as a result of the payload translation. If the new size is different from the previous, TCP sequence numbers should also be changed to reflect the change in the length of the FTP control session payload. The IP packet length field in the V4 header or the IP payload length field in the V6 header should also be changed to reflect the new payload size. A table is used by the FTP-ALG to correct the TCP sequence and acknowledgement numbers in the TCP header for control packets in both directions.
The table entries should have the source address, source data port, destination address and destination data port for V4 and V6 portions of the session, sequence number delta for outbound control packets and sequence number delta for inbound control packets.
The sequence number for an outbound control packet is increased by the outbound sequence number delta, and the acknowledgement number for the same outbound packet is decreased by the inbound sequence number delta. Likewise, the sequence number for an inbound packet is increased by the inbound sequence number delta and the acknowledgement number for the same inbound packet is decreased by the outbound sequence number delta.
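The V4-originated payload translations (PORT to EPRT, PASV to EPSV, the EPSV response back to a PASV response) together with the sequence number delta table just described, as an added Python illustration that is not part of this RFC. The PREFIX (2001:db8:ffff::/96) is constructed; the optional `port_map` callable stands in for the NAPT-PT port translation; and because an EPSV response carries no address, the PASV response is filled with the pool V4 address that NAT-PT is assumed to have bound to the V6 server (passed in as `server_v4`). The session object keeps the two deltas and applies them to TCP sequence and acknowledgement numbers modulo 2^32; IP length and TCP checksum updates, which the text also requires, are outside this sketch.

```python
import ipaddress
import re

# Constructed value for this example (not from the RFC): the PREFIX::/96 NAT-PT uses.
PREFIX = ipaddress.IPv6Address("2001:db8:ffff::")
AF_INET, AF_INET6 = 1, 2   # <net-prt> values from [FTP-IPV6]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
EPSV_REPLY_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)\r\n$")


def nat_pt_v6_address(v4: str) -> str:
    """V6 form of a V4 host address (PREFIX::a.b.c.d) in [V6ADDR] string notation."""
    return str(ipaddress.IPv6Address(int(PREFIX) | int(ipaddress.IPv4Address(v4))))


def port_to_eprt(line: str, port_map=None) -> str:
    """PORT h1,h2,h3,h4,p1,p2 -> EPRT |2|<v6 addr>|<decimal port>|.
    port_map is the NAPT-PT port translation; leave it None for plain NAT-PT."""
    m = PORT_RE.match(line)
    if not m:
        return line
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    port = p1 * 256 + p2
    if port_map is not None:
        port = port_map(port)
    addr6 = nat_pt_v6_address(f"{h1}.{h2}.{h3}.{h4}")
    return f"EPRT |{AF_INET6}|{addr6}|{port}|\r\n"


def pasv_to_epsv(line: str) -> str:
    """PASV from the V4 client -> EPSV with <net-prt> set to 2."""
    return f"EPSV {AF_INET6}\r\n" if line == "PASV\r\n" else line


def epsv_reply_to_pasv(line: str, server_v4: str, port_map=None) -> str:
    """229 (|||port|) from the V6 server -> 227 (h1,h2,h3,h4,p1,p2) for the V4 client.
    server_v4 is the pool V4 address NAT-PT bound to the V6 server (assumption);
    the port is rewritten only under NAPT-PT."""
    m = EPSV_REPLY_RE.match(line)
    if not m:
        return line
    port = int(m.group(1))
    if port_map is not None:
        port = port_map(port)
    h = server_v4.replace(".", ",")
    return f"227 Entering Passive Mode ({h},{port // 256},{port % 256})\r\n"


class FtpControlSession:
    """Table entry for one control session: the cumulative sequence number delta for
    each direction, applied to the TCP sequence and acknowledgement numbers."""

    def __init__(self):
        self.out_delta = 0   # bytes added to (or, if negative, removed from) outbound payloads so far
        self.in_delta = 0

    @staticmethod
    def _u32(n: int) -> int:
        return n & 0xFFFFFFFF

    def translate_outbound(self, seq: int, ack: int, payload: str, translate):
        """Outbound: seq += outbound delta, ack -= inbound delta. The size change of this
        packet's own payload only affects the packets that follow it."""
        new_payload = translate(payload)
        new_seq, new_ack = self._u32(seq + self.out_delta), self._u32(ack - self.in_delta)
        self.out_delta += len(new_payload) - len(payload)
        return new_seq, new_ack, new_payload

    def translate_inbound(self, seq: int, ack: int, payload: str, translate):
        """Inbound: seq += inbound delta, ack -= outbound delta."""
        new_payload = translate(payload)
        new_seq, new_ack = self._u32(seq + self.in_delta), self._u32(ack - self.out_delta)
        self.in_delta += len(new_payload) - len(payload)
        return new_seq, new_ack, new_payload
```

A 25-byte PORT line becomes a 40-byte EPRT line, so every later outbound segment is shifted up by 15 and every acknowledgement coming back from the V6 side is shifted down by the same amount before the V4 client sees it; retransmitted segments, which would need the delta that was in force when they were first sent, are not handled by this cumulative form.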
All limitations associated with NAT [NAT-TERM] are also associated with NAT-PT. The most important of them are described in detail here, as well as some unique to NAT-PT.
There are limitations to using the NAT-PT translation method. It is mandatory that all requests and responses pertaining to a session be routed via the same NAT-PT router. One way to guarantee this would be to have NAT-PT based on a border router that is unique to a stub domain, where all IP packets are either originated from the domain or destined to the domain. This is a generic problem with NAT and it is fully described in [NAT-TERM].
Note, this limitation does not apply to packets originating from or directed to dual-stack nodes that do not require packet translation. This is because in a dual-stack set-up, IPv4 addresses implied in a V6 address can be identified from the address format PREFIX::x.y.z.w and a dual-stack router can accordingly route a packet between v4 and dual-stack nodes without tracking state information.
NAT-PT should also not affect IPv6 to IPv6 communication and should in fact use translation only when no other means of communication is possible. For example, NAT-PT may also have a native IPv6 connection and/or some kind of tunneled IPv6 connection. Both of the above connections should be preferred over translation when possible. This ensures that NAT-PT is a tool only to be used to assist the transition to native IPv6 to IPv6 communication.
A number of IPv4 fields have changed meaning in IPv6 and translation is not straightforward. For example, the semantics and syntax of the option headers have changed significantly in IPv6. Details of IPv4 to IPv6 Protocol Translation can be found in [SIIT].
Since NAT-PT performs address translation, applications that carry the IP address in the higher layers will not work. In this case Application Layer Gateways (ALG) need to be incorporated to provide support for those applications. This is a generic problem with NAT and it is fully described in [NAT-TERM].
One of the most important limitations of the NAT-PT proposal is the fact that end-to-end network layer security is not possible. Also transport and application layer security may not be possible for applications that carry IP addresses to the application layer. This is an inherent limitation of the Network Address Translation function.
Independent of NAT-PT, end-to-end IPSec security is not possible across different address realms. The two end-nodes that seek IPSec network level security must both support one of IPv4 or IPv6.
The scheme described in section 4.2 involves translation of DNS messages. It is clear that this scheme cannot be deployed in combination with secure DNS. That is, an authoritative DNS name server in the V6 domain cannot sign replies to queries that originate from the V4 world. As a result, a V4 end-node that demands DNS replies to be signed will reject replies that have been tampered with by NAT-PT.
The good news, however, is that only servers in the V6 domain that need to be accessible from the V4 world pay the price for the above limitation, as V4 end-nodes may not access V6 servers due to DNS replies not being signed.
Also note that zone transfers between DNSSEC servers within the same V6 network are not impacted.
Clearly, with DNSSEC deployment in DNS servers and end-host resolvers, the scheme suggested in this document would not work.
NAT-PT can be a valuable transition tool at the border of a stub network that has been deployed as an IPv6 only network when it is connected to an Internet that is either V4-only or a combination of V4 and V6.
NAT-PT, in its simplest form, without the support of DNS-ALG, provides one-way connectivity between an IPv6 stub domain and the IPv4 world, meaning that only sessions initiated by IPv6 nodes internal to the IPv6 stub domain can be translated, while sessions initiated by IPv4 nodes are dropped. This makes NAT-PT a useful tool for IPv6-only stub networks that need to be able to maintain connectivity with the IPv4 world without the need to deploy servers visible to the IPv4 world.
NAT-PT combined with a DNS-ALG provides bi-directional connectivity between the IPv6 stub domain and the IPv4 world allowing sessions to be initialised by IPv4 nodes outside the IPv6 stub domain. This makes NAT-PT useful for IPv6 only stub networks that need to deploy servers visible to the IPv4 world.
Some applications count on a certain degree of address stability for their operation. Dynamic address reuse by NAT-PT might not be agreeable for these applications. For hosts running such address critical applications, NAT-PT may be configured to provide static address mapping between the host's V6 address and a specific V4 address. This will ensure that address related changes by NAT-PT do not become a significant source of operational failure.
Section 7.4 of this document states that end-to-end network and transport layer security are not possible when a session is intercepted by a NAT-PT. Also application layer security may not be possible for applications that carry IP addresses in the application layer.
Section 7.5 of this document states that the DNS-ALG cannot be deployed in combination with secure DNS.
Finally, all of the security considerations described in [NAT-TERM] are applicable to this document as well.
[DNS-ALG] Srisuresh, P., Tsirtsis, G., Akkiraju, P. and A. Heffernan, "DNS extensions to Network Address Translators (DNS_ALG)", RFC 2694, September 1999.
[DNSSEC] Eastlake, D., "Domain Name System Security Extensions", RFC 2065, March 1999.
[FTP-IPV6] Allman, M., Ostermann, S. and C. Metz, "FTP Extensions for IPv6 and NATs", RFC 2428, September 1998.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[NAT] Egevang, K. and P. Francis, "The IP Network Address Translator (NAT)", RFC 1631, May 1994.
[NAT-TERM] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.
[SIIT] Nordmark, E., "Stateless IP/ICMP Translator (SIIT)", RFC 2765, February 2000.
[TRANS] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and Routers", RFC 1933, April 1996.
[V6ADDR] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 1998.
Authors' Addresses
George Tsirtsis Internet Futures B29 Room 129 BT Adastral Park IPSWICH IP5 3RE England
Phone: +44 181 8260073 Fax: +44 181 8260073 EMail: george.tsirtsis@bt.com EMail (alternative): gtsirt@hotmail.com
Pyda Srisuresh 630 Alder Drive Milpitas, CA 95035 U.S.A.
Phone: (408) 519-3849 EMail: srisuresh@yahoo.com
Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.