Network Working Group                                          C. Huitema
Request for Comments: 3750                                      Microsoft
Category: Informational                                        R. Austein
                                                                      ISC
                                                              S. Satapati
                                                      Cisco Systems, Inc.
                                                           R. van der Pol
                                                               NLnet Labs
                                                               April 2004
Unmanaged Networks IPv6 Transition Scenarios

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

This document defines the scenarios in which IPv6 transition mechanisms are to be used in unmanaged networks. In order to evaluate the suitability of these mechanisms, we need to define the scenarios in which these mechanisms have to be used. One specific scope is the "unmanaged network", which typically corresponds to a home or small office network. The scenarios are specific to a single subnet, and are defined in terms of IP connectivity supported by the gateway and the Internet Service Provider (ISP). We first examine the generic requirements of four classes of applications: local, client, peer to peer and server. Then, for each scenario, we infer transition requirements by analyzing the needs for smooth migration of applications from IPv4 to IPv6.
Table of Contents

   1.  Introduction
   2.  Topology
   3.  Applications
       3.1.  Local Applications
       3.2.  Client Applications
       3.3.  Peer-to-Peer Applications
       3.4.  Server Applications
   4.  Application Requirements of an IPv6 Unmanaged Network
       4.1.  Requirements of Local Applications
       4.2.  Requirements of Client Applications
             4.2.1.  Privacy Requirement of Client Applications
       4.3.  Requirements of Peer-to-Peer Applications
       4.4.  Requirements of Server Applications
   5.  Stages of IPv6 Deployment
       5.1.  Case A, Host Deployment of IPv6 Applications
             5.1.1.  Application Support in Case A
             5.1.2.  Addresses and Connectivity in Case A
             5.1.3.  Naming Services in Case A
       5.2.  Case B, IPv6 Connectivity with Provider Support
             5.2.1.  Application Support in Case B
             5.2.2.  Addresses and Connectivity in Case B
             5.2.3.  Naming Services in Case B
       5.3.  Case C, IPv6 Connectivity without Provider Support
             5.3.1.  Application Support in Case C
             5.3.2.  Addresses and Connectivity in Case C
             5.3.3.  Naming Services in Case C
       5.4.  Case D, ISP Stops Providing Native IPv4 Connectivity
             5.4.1.  Application Support in Case D
             5.4.2.  Addresses and Connectivity in Case D
             5.4.3.  Naming Services in Case D
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
       8.1.  Normative References
       8.2.  Informative References
   9.  Authors' Addresses
   10. Full Copyright Statement
1.  Introduction

In order to evaluate the suitability of transition mechanisms from IPv4 [RFC791] to IPv6 [RFC2460], we need to define the environment or scope in which these mechanisms have to be used. One specific scope is the "unmanaged network", which typically corresponds to a home network or a small office network.

This document studies the requirements posed by various transition scenarios, and is organized into four main sections. Section 2 defines the topology that we are considering. Section 3 presents the four classes of applications that we consider for unmanaged networks: local applications, client applications, peer-to-peer applications, and server applications. Section 4 studies the requirements of these four classes of applications. Section 5 analyzes how these requirements translate into four configurations that we expect to encounter during IPv6 deployment: gateways which do not provide IPv6, dual-stack gateways connected to dual-stack ISPs, dual-stack gateways connected to IPv4-only ISPs, and IPv6-capable gateways connected to IPv6-only ISPs. While these four configurations are certainly not an exhaustive list of possible configurations, we believe that they represent the common cases for unmanaged networks.
2.  Topology

The typical unmanaged network is composed of a single subnet, connected to the Internet through a single Internet Service Provider (ISP) connection. Several hosts may be connected to the subnet:

      +------+
      | Host +--+
      +------+  |
                |
      +------+  |                          +--------------
      | Host +--+                          :
      +------+  |   +---------+   +-----+  :
                +---+ Gateway +---| ISP |  :  Internet
      +------+  |   +---------+   +-----+  :
      | Host +--+                          :
      +------+  |                          +--------------
                |
      +------+  |
      | Host +--+
      +------+

Between the subnet and the ISP access link is a gateway, which may or may not perform NAT and firewall functions. When the gateway performs NAT functions [RFC3022], it generally allocates private IPv4 addresses to the local hosts [RFC1918]. A key point of this configuration is that the gateway is typically not "managed". In most cases, it is a simple "appliance" that incorporates some static policies. There are many cases in which the gateway is procured and configured by the ISP.
Note that there are also some cases in which we find two gateways back to back, one managed by the ISP and the other added by the owner of the unmanaged network. They are not covered in this memo: most such setups either require some management, or the gateway added by the user can simply function as an L2 switch.

The access link between the unmanaged network and the ISP might be either a static, permanent connection or a dynamic connection such as a dial-up or ISDN line.

In a degenerate case, an unmanaged network might consist of a single host, directly connected to an ISP.

There are some cases in which the "gateway" is replaced by a layer-2 bridge. In such deployments, the hosts have direct access to the ISP service. To avoid a lengthy separate treatment, we will handle these cases as if the gateway were not present, i.e., as if each host were connected directly to the ISP.

Our definition of unmanaged networks explicitly excludes networks composed of multiple subnets. We will readily admit that some home networks and some small business networks contain multiple subnets, but in the current state of the technology, these multiple-subnet networks are not "unmanaged": some competent administrator has to explicitly configure the routers. We will thus concentrate on single-subnet networks, where no such competent operator is expected.
3.  Applications

Users may use or wish to use the unmanaged network services in four types of applications: local, client, server and peer-to-peer. These applications may or may not run easily on today's networks (some do, some don't).

3.1.  Local Applications

"Local applications" are only meant to involve the hosts that are part of the unmanaged network. Typical examples would be file sharing or printer sharing.

Local applications work effectively in IPv4 unmanaged networks, even when the gateway performs NAT or firewall functions. In fact, firewall services at the gateway are often deemed desirable, as they isolate the local applications from interference by Internet users.

3.2.  Client Applications

"Client applications" are those that involve a client on the unmanaged network and a server at a remote location. Typical examples would be accessing a web server from a client inside the unmanaged network, or reading and sending e-mail with the help of a server outside the unmanaged network.

Client applications tend to work correctly in IPv4 unmanaged networks, even when the gateway performs NAT or firewall functions: these translation and firewall functions are designed precisely to enable client applications.

3.3.  Peer-to-Peer Applications

There are really two kinds of "peer-to-peer" applications: ones which only involve hosts on the unmanaged network, and ones which involve both one or more hosts on the unmanaged network and one or more hosts outside the unmanaged network. We will only consider the latter kind of peer-to-peer applications, since the former can be considered a subset of the local applications discussed in section 3.1.
Peer-to-peer applications often don't work well in unmanaged IPv4 networks. Application developers often have to enlist the help of a "relay server", in effect restructuring the peer-to-peer connection into a pair of back-to-back client/server connections.

3.4.  Server Applications

"Server applications" involve running a server in the unmanaged network for use by other parties outside the network. Typical examples would be running a web server or an e-mail server on one of the hosts inside the unmanaged network.

Deploying these servers in most unmanaged IPv4 networks requires some special programming of the NAT or firewall [RFC2993], and is more complex when the NAT only publishes a small number of global IP addresses and relies on "port translation". In the common case in which the NAT manages exactly one global IP address and relies on "port translation", a given external port can only be used by one internal server.

Deploying servers usually requires providing each server with a stable DNS name, and associating a global IPv4 address with that name, whether the address be that of the server itself or that of the router acting as a firewall or NAT. Since updating DNS is a management task, it falls somewhat outside the scope of an unmanaged network. On the other hand, it is also possible to use out-of-band techniques (such as cut-and-paste into an instant message system) to pass around the address of the target server.
4.  Application Requirements of an IPv6 Unmanaged Network

As we transition to IPv6, we must meet the requirements of the various applications, which we can summarize in the following way: applications that worked well with IPv4 should continue working well during the transition; it should be possible to use IPv6 to deploy new applications that are currently hard to deploy in IPv4 networks; and the deployment of these IPv6 applications should be simple and easy to manage, but the solutions should also be robust and secure.

The application requirements for IPv6 unmanaged networks fall into three general categories: connectivity, naming, and security. Connectivity issues include the provision of IPv6 addresses and their quality: do hosts need global addresses, should these addresses be stable or, more precisely, what should the expected lifetimes of these addresses be? Naming issues include the management of names for the hosts: do hosts need DNS names, and is inverse name resolution [DNSINADDR] a requirement? Security issues include possible restrictions on connectivity, privacy concerns and, generally speaking, the security of the applications.

4.1.  Requirements of Local Applications

Local applications require local connectivity. They must continue to work even if the unmanaged network is isolated from the Internet.

Local applications typically use ad hoc naming systems. Many of these systems are proprietary; an example of a standard system is the Service Location Protocol (SLP) [RFC2608].

The security of local applications will usually be enhanced if these applications can be effectively isolated from the global Internet.

4.2.  Requirements of Client Applications

Client applications require global connectivity. In an IPv6 network, we would expect the client to use a global IPv6 address, which will have to remain stable for the duration of the client-server session.

Client applications typically use the domain name system to locate servers. In an IPv6 network, the client must be able to locate a DNS resolver.

Many servers try to look up a DNS name associated with the IP address of the client. In an IPv4 network, this IP address will often be allocated by the Internet service provider to the gateway, and the corresponding PTR record will be maintained by the ISP. In many cases, these PTR records are perfunctory, derived in an algorithmic fashion from the IPv4 address; the main information that they contain is the domain name of the ISP. Whether or not an equivalent function should be provided in an IPv6 network is unclear.
4.2.1.  Privacy Requirement of Client Applications

It is debatable whether the IPv6 networking service should be engineered to enhance the privacy of the clients, and specifically whether support for RFC 3041 [RFC3041] should be required. RFC 3041 enables hosts to pick IPv6 addresses in which the host identifier is randomized; this was designed to make sure that the IPv6 address and the host identifier cannot be used to track the Internet connections of a device's owner.

Many observe that randomizing the host identifier portion of the address is only a half measure. If the unmanaged network address prefix remains constant, the randomization only hides which host in the unmanaged network originates a given connection, e.g., the children's computer versus their parents'. This would place the privacy rating of such connections on a par with that of IPv4 connections originating from an unmanaged network in which a NAT manages a static IPv4 address; in both cases, the IPv4 address or the IPv6 prefix can be used to identify the unmanaged network, e.g., the specific home from which the connection originated.

However, randomization of the host identifier does provide benefits. First, if some of the hosts in the unmanaged network are mobile, the randomization destroys any correlation between the addresses used at various locations: the addresses alone could not be used to determine whether a given connection originates from the same laptop moving from work to home, or used on the road. Second, the randomization removes any information that could be extracted from a hardwired host identifier; for example, it will prevent outsiders from correlating a serial number with a specific brand of expensive electronic equipment and using this information for planning marketing campaigns or possibly burglary attempts.

Randomization of the addresses is not sufficient to guarantee privacy. Usage can be tracked by a variety of other means, from application-level "cookies" to complex techniques involving data mining and traffic analysis. However, we should not make a bad situation worse. Other attacks on privacy may be possible, but this is not a reason to enable additional tracking through IPv6 addresses.

Randomization of the host identifier has some costs: address management in hosts is more complex, reverse DNS services are harder to provide, and the gateway may have to maintain a larger cache of neighbor addresses; however, experience from existing implementations shows that these costs are not overwhelming. Given the limited benefits, it would be unreasonable to require that all hosts use privacy addresses; however, given the limited costs, it is reasonable to require that all unmanaged networks allow use of privacy addresses by those hosts that choose to do so.
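The two points made above, that a hardwired host identifier leaks the equipment's identity while a constant prefix still identifies the home, can be seen directly by deriving both kinds of identifier. The following Python is an added example, not part of RFC 3750: it builds a modified EUI-64 identifier from a MAC address (from which the vendor OUI is recoverable), then runs the RFC 3041 section 3.2.1 generation step (MD5 over the history value and the EUI-64 identifier, left 64 bits with the u/l bit cleared) to produce successive temporary addresses under the same /64. The MAC address, prefix and initial history value are constructed sample values, and the RFC's check against reserved identifiers is omitted.

```python
"""Added example (not part of RFC 3750): EUI-64 versus RFC 3041 identifiers.

The MAC address, prefix and history seed used below are constructed values.
"""
import hashlib
import ipaddress


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 2464): insert ff:fe in the
    middle of the 48-bit MAC and invert the universal/local bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def oui_from_eui64(iid: bytes) -> str:
    """What an outsider learns from an EUI-64 based address: the vendor OUI
    (in fact the whole MAC, a stable hardware serial number)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("not a modified EUI-64 identifier")
    first = iid[0] ^ 0x02
    return f"{first:02x}:{iid[1]:02x}:{iid[2]:02x}"


def rfc3041_next(history: bytes, eui64_iid: bytes):
    """One RFC 3041 section 3.2.1 iteration: MD5 over (history || EUI-64
    identifier); the left 64 bits, with bit 6 (u/l) cleared, become the
    temporary identifier and the right 64 bits become the next history value.
    The RFC's comparison against reserved identifiers is omitted here."""
    digest = hashlib.md5(history + eui64_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear the u/l bit: identifier is not globally unique
    return bytes(iid), digest[8:]


def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def temporary_addresses(prefix: str, mac: str, seed: bytes, rounds: int = 3):
    """Successive RFC 3041 temporary addresses for one interface. `seed` is
    the initial 8-byte history value (RFC 3041 starts from a random one)."""
    stable_iid = eui64_from_mac(mac)
    history, out = seed, []
    for _ in range(rounds):
        iid, history = rfc3041_next(history, stable_iid)
        out.append(make_address(prefix, iid))
    return out


def site_prefix(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
    """The /64 an observer still sees whatever identifier the host picks;
    with a constant prefix this is what identifies the home network."""
    return ipaddress.IPv6Network((int(addr), 64), strict=False)


if __name__ == "__main__":
    mac, prefix = "00:11:22:33:44:55", "2001:db8:1234::/64"
    stable_iid = eui64_from_mac(mac)
    print("EUI-64 address:", make_address(prefix, stable_iid),
          "-> vendor OUI", oui_from_eui64(stable_iid))
    for a in temporary_addresses(prefix, mac, bytes(8)):
        print("RFC 3041 address:", a, "-> still under", site_prefix(a))
```

Running it shows the EUI-64 address carrying `211:22ff:fe33:4455`, i.e. the MAC with `ff:fe` spliced in, while each temporary address has an unrelated low 64 bits; `site_prefix` returns the same `/64` for all of them, which is the residual tracking handle the text describes.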
4.3.  Requirements of Peer-to-Peer Applications

Peer-to-peer applications require global connectivity. In an IPv6 network, we would expect the peers to use global IPv6 addresses, which will have to remain stable for the duration of the peer-to-peer session.

There are multiple aspects to the security of peer-to-peer applications, many of which relate to the security of the rendezvous system. If we assume that the peers have been able to safely exchange their IPv6 addresses, the main security requirement is the capability to safely exchange data between the peers without interference by third parties.

Private conversations by one of the authors with developers of peer-to-peer applications suggest that many individuals would be willing to consider an "IPv6-only" model if they can get two guarantees:

1) That there is no regression from IPv4, i.e., that all customers who could participate in a peer-to-peer application using IPv4 can also be reached by IPv6.

2) That IPv6 provides a solution for at least some of their hard problems, e.g., enabling peers located behind an IPv4 NAT to participate in a peer-to-peer application.

Requiring IPv6 connectivity for a popular peer-to-peer application could create what economists refer to as a "network effect", which in turn could significantly speed up the deployment of IPv6.
4.4.  Requirements of Server Applications

Server applications require global connectivity, which in an IPv6 network implies global addresses. In an IPv4 network utilizing a NAT, for each service provided by a server, the NAT has to be configured to forward packets sent to that service to the server that offers the service.

Server applications normally rely on the publication of the server's address in the DNS. This, in turn, requires that the server be provisioned with a "global DNS name".

The DNS entries for the server will have to be updated, preferably in real time, if the server's address changes. In practice, updating the DNS can be slow, which implies that server applications will have a better chance of being deployed if the IPv6 addresses remain stable.

The security of server applications depends mostly on the correctness of the server, and also on the absence of collateral effects: many incidents occur when the opening of a server on the Internet inadvertently enables remote access to some other services on the same host.
5.  Stages of IPv6 Deployment

We expect the deployment of IPv6 to proceed from an initial state in which there is little or no deployment, to a final stage in which we might retire the IPv4 infrastructure. We expect this process to stretch over many years; we also expect it not to be synchronized, as the different parties involved will deploy IPv6 at different paces.

In order to get some clarity, we distinguish three entities involved in the transition of an unmanaged network: the ISP (possibly including ISP-supplied customer premises equipment (CPE)), the home gateway, and the hosts (computers and appliances). Each can support IPv4 only, both IPv4 and IPv6, or IPv6 only. That gives us 27 possibilities. We describe the most important cases. We will assume that in all cases the hosts are a combination of IPv4-only, dual-stack, and (perhaps) IPv6-only hosts.

The cases we will consider are:

   A) a gateway that does not provide IPv6 at all;
   B) a dual-stack gateway connected to a dual-stack ISP;
   C) a dual-stack gateway connected to an IPv4-only ISP; and
   D) a gateway connected to an IPv6-only ISP.

In most of these cases, we will assume that the gateway includes a NAT: we realize that this is not always the case, but we submit that it is common enough that we have to deal with it; furthermore, we believe that the non-NAT variants of these cases map fairly closely to this same set of cases. In fact, we can consider three non-NAT variants: directly connected host; gateway acting as a bridge; and gateway acting as a non-NAT IP router.

The cases of directly connected hosts are, in effect, variants of cases B, C, and D, in which the host can use all solutions available to gateways: case B if the ISP is dual stack, case C if the ISP only provides IPv4 connectivity, and case D if the ISP only provides IPv6 connectivity.

In the cases where the gateway is a bridge, the hosts are, in effect, directly connected to the ISP, and for all practical purposes behave as directly connected hosts.

The case where the gateway is an IP router but not a NAT will be treated as a small variant in the analysis of cases A, B, C, and D.
5.1.  Case A, Host Deployment of IPv6 Applications

In this case, the gateway doesn't provide IPv6; the ISP may or may not provide IPv6, but this is not relevant since the non-upgraded gateway would prevent the hosts from using the ISP service. Some hosts will try to get IPv6 connectivity in order to run applications that require IPv6, or work better with IPv6. The hosts, in this case, will have to handle the IPv6 transition mechanisms on their own.

There are two variations of this case, depending on the type of service implemented by the gateway. In many cases, the gateway is a direct obstacle to the deployment of IPv6, but a gateway which is some form of bridge-mode CPE or which is a plain (neither filtering nor NAT) router does not really fall into this category.

5.1.1.  Application Support in Case A

The focus of Case A is to enable communication between a host on the unmanaged network and some IPv6-only hosts outside of the network.

The primary focus in the immediate future, i.e., for the early adopters of IPv6, will be peer-to-peer applications. However, as IPv6 deployment progresses, we will likely find a situation where some networks have IPv6-only services deployed, at which point we would like Case A client applications to be able to access those services.

Local applications are not a primary focus of Case A. At this stage, we expect all hosts in the unmanaged network to have either IPv4-only or dual-stack support. Local applications can continue working using IPv4.

Server applications are also not a primary focus of Case A. Server applications require DNS support, which is difficult to engineer for hosts located behind a NAT, and a NAT is likely to be present in this case. Besides, server applications presently cater mostly to IPv4 clients; putting up an IPv6-only server is not very attractive.

In contrast, peer-to-peer applications are probably both attractive and easy to deploy: they are deployed in a coordinated fashion as part of a peer-to-peer network, which means that the hosts can all receive some form of IPv6 upgrade; they often provide their own naming infrastructure, in which case they are not dependent on DNS services.
We saw in 5.1.1 that the likely motivation for deployment of IPv6 connectivity in hosts in case A is a desire to use peer-to-peer and client IPv6 applications. These applications require that all participating nodes get some form of IPv6 connectivity, i.e., at least one globally reachable IPv6 address.
我们在5.1.1中看到,在主机中部署IPv6连接的动机可能是希望使用对等和客户端IPv6应用程序。这些应用程序要求所有参与节点获得某种形式的IPv6连接,即至少一个全局可访问的IPv6地址。
If the local gateway provides global IPv4 addresses to the local hosts, then these hosts can individually exercise the mechanisms described in case C, "IPv6 connectivity without provider support." If the local gateway implements a NAT function, another type of mechanism is needed. The mechanism to provide connectivity to peers behind NAT should be easy to deploy, and light weight; it will have to involve tunneling over a protocol that can easily traverse NAT, either TCP or preferably UDP, as tunneling over TCP can result in poor performance in cases of time-outs and retransmissions. If servers are needed, these servers will, in practice, have to be deployed as part of the "support infrastructure" for the peer-to-peer network or for an IPv6-based service; economic reality implies that the cost of running these servers should be as low as possible.
如果本地网关向本地主机提供全局IPv4地址,则这些主机可以单独执行案例C“无提供商支持的IPv6连接”中描述的机制。如果本地网关实现NAT功能,则需要另一种机制。向NAT后面的对等方提供连接的机制应该易于部署,并且重量轻;它必须涉及通过一个协议进行隧道传输,该协议可以很容易地穿越NAT,无论是TCP还是UDP,因为在超时和重新传输的情况下,通过TCP进行隧道传输可能会导致性能低下。如果需要服务器,这些服务器实际上必须作为对等网络或基于IPv6的服务的“支持基础设施”的一部分进行部署;经济现实意味着运行这些服务器的成本应该尽可能低。
5.1.3.  Naming Services in Case A

At this phase of IPv6 deployment, hosts in the unmanaged domain have access to DNS services over IPv4 through the existing gateway. DNS resolvers are supposed to serve AAAA records, even if they only implement IPv4; the local hosts should thus be able to obtain the IPv6 addresses of IPv6-only servers.
Reverse lookup is difficult to provide for hosts on the unmanaged network if the gateway is not upgraded. This is a potential issue for client applications. Some servers perform a reverse lookup as part of accepting a client's connection, and may also require that the forward lookup of the name so obtained match the IPv6 address of the client (whoever controls the reverse zone can put any name in a PTR record, so only the forward confirmation carries weight). There is thus a requirement either to provide a reverse lookup solution, or to make sure that IPv6 servers do not require reverse lookup.
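The forward-confirmed reverse lookup described above, as an added example in Python that is not part of RFC 3750: it builds the ip6.arpa name for a client address, asks for its PTR record, then checks that the AAAA records of the returned name actually contain the client address. The resolver is replaced by constructed stub records (the host names and the 2001:db8:: addresses are hypothetical) so that the check runs offline; in a real server the two lookup callbacks would wrap a DNS library.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an IPv6 client address.

Added example, not taken from RFC 3750. The stub records below are
constructed; the host names and 2001:db8:: addresses are hypothetical.
"""
import ipaddress
from typing import Callable, Dict, Optional, Set, Tuple


def reverse_name(addr: str) -> str:
    """Return the ip6.arpa owner name of an IPv6 address: 32 nibbles, reversed."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed stub zone data standing in for a real resolver.
STUB_PTR: Dict[str, str] = {
    reverse_name("2001:db8:1::10"): "host-a.example.net.",  # forward lookup confirms it
    reverse_name("2001:db8:1::20"): "host-b.example.net.",  # PTR names a host whose AAAA differs
    reverse_name("2001:db8:1::30"): "ghost.example.net.",   # PTR names a host with no AAAA at all
}
STUB_AAAA: Dict[str, Set[str]] = {
    "host-a.example.net.": {"2001:db8:1::10", "2001:db8:1::11"},
    "host-b.example.net.": {"2001:db8:2::99"},
}


def stub_ptr(name: str) -> Optional[str]:
    """PTR lookup against the constructed data (None when there is no record)."""
    return STUB_PTR.get(name)


def stub_aaaa(name: str) -> Set[str]:
    """AAAA lookup against the constructed data (empty set when there is no record)."""
    return STUB_AAAA.get(name, set())


def fcrdns(
    addr: str,
    ptr_lookup: Callable[[str], Optional[str]] = stub_ptr,
    aaaa_lookup: Callable[[str], Set[str]] = stub_aaaa,
) -> Tuple[bool, str, Optional[str]]:
    """Accept a client only if PTR(addr) yields a name whose AAAA set contains addr.

    Returns (accepted, reason, name). Whoever controls the reverse zone can put
    any name in the PTR record, so the PTR alone proves nothing; the forward
    lookup is answered by the claimed name's own zone, and only agreement
    between the two ties the address to the name.
    """
    ip = ipaddress.IPv6Address(addr)            # normalises case and "::" compression
    name = ptr_lookup(reverse_name(addr))
    if name is None:
        return False, "no-ptr", None
    forward = {ipaddress.IPv6Address(a) for a in aaaa_lookup(name)}
    if not forward:
        return False, "no-aaaa", name
    if ip not in forward:
        return False, "mismatch", name
    return True, "ok", name


if __name__ == "__main__":
    for client in ("2001:db8:1::10", "2001:db8:1::20", "2001:db8:1::30", "2001:db8:1::40"):
        print(client, fcrdns(client))
```

A client in the unmanaged network of case A lands in the "no-ptr" branch: without delegation of its ip6.arpa space nobody can publish the PTR record, which is why the text asks either for a reverse lookup solution or for IPv6 servers that do not insist on one.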
5.2.  Case B, IPv6 Connectivity with Provider Support

In this case, the ISP and gateway are both dual stack. The gateway can use native IPv6 connectivity to the ISP and can use an IPv6 prefix allocated by the ISP.
5.2.1.  Application Support in Case B

If the ISP and the gateway are dual-stack, client applications, peer-to-peer applications, and server applications can all be enabled easily on the unmanaged network.
We expect the unmanaged network to include three kinds of hosts: IPv4-only, IPv6-only, and dual stack. Obviously, dual stack hosts can interact easily with either IPv4-only or IPv6-only hosts, but an IPv4-only host and an IPv6-only host cannot communicate without a third party performing some kind of translation service. Our analysis concludes that unmanaged networks should not have to provide such translation services.
The argument for providing translation services is that their availability would accelerate the deployment of IPv6-only devices, and thus the transition to IPv6. This is, however, a dubious argument, since it can equally be argued that the availability of these translation services would reduce the pressure to provide IPv6 at all, and encourage vendors to continue fielding IPv4-only devices. The only remaining pressure to provide IPv6 connectivity would then be the difference in "quality of service" between a translated exchange and a native interconnect.
The argument against translation services is the difficulty of providing them for all applications, compared to the relative ease of installing dual stack solutions in an unmanaged network. Translation services can be provided either by application relays, such as HTTP proxies, or by network level services, such as NAT-PT [RFC2766]. Application relays pose several operational problems: first, one must develop relays for all applications; second, one must develop a management infrastructure to provision the hosts with the addresses of the relays; in addition, the application may have to be modified if one wants to use the relay selectively, e.g., only when a direct connection is not available. Network level translation poses similar problems: in practice, network level translation must be complemented by "application layer gateways" that rewrite references to IP addresses carried inside the protocol, and while these gateways are not necessary for every application, they are necessary for enough applications to make any sort of generalized translation quite problematic; hosts may need to be parameterized to use the translation service; and designing the right algorithm to decide when to translate DNS requests has proven very difficult.
Not assuming translation services in the network appears to be both more practical and more robust. If the market requirement for a new device is that it interact with both IPv4 and IPv6 hosts, we may expect the manufacturers of these devices to program them with dual stack capability; in particular, we expect general purpose systems, such as personal computers, to be effectively dual stack. The only devices that are expected to support only IPv6 are those designed for specific applications which do not require interoperation with IPv4-only systems. We also observe that providing both IPv4 and IPv6 connectivity in an unmanaged network is not particularly difficult: we have a fair amount of experience using IPv4 in unmanaged networks in parallel with other protocols, such as IPX.
5.2.2.  Addresses and Connectivity in Case B

In Case B, the upgraded gateway will act as an IPv6 router; it will continue providing the IPv4 connectivity, perhaps using NAT. Nodes in the local network will typically obtain:

- IPv4 addresses (from or via the gateway),
- IPv6 link local addresses, and
- IPv6 global addresses.
In some networks, NAT will not be in use and the local hosts will actually obtain global IPv4 addresses. We will not elaborate on this, as the availability of global IPv4 addresses does not bring any additional complexity to the transition mechanisms.
To enable this scenario, the gateway needs to use a mechanism to obtain a global IPv6 address prefix from the ISP, and advertise this address prefix to the hosts in the unmanaged network; several solutions will be assessed in a companion memo [EVAL].
5.2.3.  Naming Services in Case B

In case B, hosts in the unmanaged domain have access to DNS services through the gateway. As the gateway and the ISP both support IPv4 and IPv6, these services may be accessible to the IPv4-only hosts using IPv4, to the IPv6-only hosts using IPv6, and to the dual stack hosts using either. Currently, IPv4-only hosts usually discover the IPv4 address of the local DNS resolver using DHCP; there must be a corresponding way for IPv6-only hosts to discover the IPv6 address of the DNS resolver.
There must be a way to resolve the name of local hosts to their IPv4 or IPv6 addresses. Typing auto-configured IPv6 addresses in a configuration file is impractical; this implies either some form of dynamic registration of IPv6 addresses in the local service, or a dynamic address discovery mechanism. Possible solutions will be compared in the evaluation draft [EVAL].
The requirement to support server applications in the unmanaged network implies a requirement to publish the IPv6 addresses of local servers in the DNS. There are multiple solutions, including domain name delegation. If efficient reverse lookup functions are to be provided, delegation of the corresponding fraction of the ip6.arpa tree is also required.
The response to a DNS request should not depend on the protocol over which the request is transported: dual-stack hosts may use either IPv4 or IPv6 to contact the local resolver, the choice between IPv4 and IPv6 may be effectively random, and the value of the response should not depend on a random event.
DNS transition issues in a dual IPv4/IPv6 network are discussed in [DNSOPV6].
5.3.  Case C, IPv6 Connectivity without Provider Support

In this case, the gateway is dual stack, but the ISP is not. The gateway has been upgraded and offers both IPv4 and IPv6 connectivity to hosts. It cannot rely on the ISP for IPv6 connectivity, because the ISP does not yet offer IPv6 connectivity.
5.3.1.  Application Support in Case C

Application support in case C should be identical to that of case B.
5.3.2.  Addresses and Connectivity in Case C

The upgraded gateway will behave as an IPv6 router; it will continue providing the IPv4 connectivity, perhaps using NAT. Nodes in the local network will obtain:

- IPv4 addresses (from or via the gateway),
- IPv6 link local addresses,
- IPv6 global addresses.
There are two ways to bring immediate IPv6 connectivity on top of an IPv4-only infrastructure: automatic tunnels, e.g., as provided by the 6to4 technology [RFC3056], or configured tunnels. Both technologies have advantages and limitations, which will be studied in another document.
There will be some cases where the local hosts actually obtain global IPv4 addresses. We will not discuss this scenario, as it does not make the use of transition technology harder, or more complex. Case A has already examined how hosts could obtain IPv6 connectivity individually.
5.3.3.  Naming Services in Case C

The local naming requirements in case C are identical to the local naming requirements of case B, with two differences: delegation of domain names, and management of reverse lookup queries.
A delegation of some domain name is required in order to publish the IPv6 addresses of servers in the DNS.
A specific mechanism for handling reverse lookup queries will be required if the gateway uses a dynamic mechanism, such as 6to4, to obtain a prefix independently of any IPv6 ISP.
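As an added example (not code from RFC 3750 or RFC 3056) of the automatic-tunnel and reverse-lookup points above: the Python below derives the 6to4 prefix a gateway obtains from its IPv4 address, refuses to do so for RFC 1918 and other non-routable addresses (a gateway behind a NAT only sees such an address, so 6to4 cannot work there unless the NAT device itself is the 6to4 router), recovers the IPv4 tunnel endpoint embedded in a 6to4 address with the same check, and computes the ip6.arpa zone that would have to be delegated for reverse lookups under the prefix. The sample addresses are constructed (192.0.2.0/24 is documentation space).

```python
"""6to4 (RFC 3056) prefix derivation and the ip6.arpa zone behind it.

Added example, not taken from RFC 3750 or RFC 3056. The addresses used
are constructed (192.0.2.0/24 is documentation space).
"""
import ipaddress
from typing import List

# IPv4 ranges the rest of the Internet cannot route to. A 6to4 prefix built
# from one of them is unusable, and a 6to4 address embedding one that arrives
# from the outside is bogus, since the embedded address is where replies go.
# RFC 1918 space is what a gateway behind a NAT actually sees.
UNROUTABLE_V4: List[ipaddress.IPv4Network] = [
    ipaddress.IPv4Network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
        "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    )
]
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def is_routable_v4(ip: ipaddress.IPv4Address) -> bool:
    return not any(ip in net for net in UNROUTABLE_V4)


def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """Return 2002:VVVV:VVVV::/48, the 6to4 prefix for a public IPv4 address."""
    ip = ipaddress.IPv4Address(v4)
    if not is_routable_v4(ip):
        raise ValueError(f"{v4} is not globally routable; 6to4 needs a public IPv4 address")
    hi, lo = int(ip) >> 16, int(ip) & 0xFFFF
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def embedded_ipv4(v6: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint from a 6to4 address, refusing bogus ones."""
    ip = ipaddress.IPv6Address(v6)
    if ip not in SIX_TO_FOUR:
        raise ValueError(f"{v6} is not a 6to4 address")
    v4 = ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)  # bits 111..80 of the address
    if not is_routable_v4(v4):
        raise ValueError(f"{v6} embeds unroutable IPv4 address {v4}")
    return v4


def reverse_zone(prefix: ipaddress.IPv6Network) -> str:
    """ip6.arpa zone that must be delegated to publish PTR records under prefix."""
    if prefix.prefixlen % 4:
        raise ValueError("delegation must fall on a nibble boundary")
    nibbles = prefix.network_address.exploded.replace(":", "")[: prefix.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    for v4 in ("192.0.2.1", "192.168.1.1"):
        try:
            p = six_to_four_prefix(v4)
            print(v4, "->", p, "reverse zone:", reverse_zone(p))
        except ValueError as err:
            print("rejected:", err)
```

The prefix, and with it the reverse zone, follows the gateway's IPv4 address: a new address from the ISP means a new 2002: prefix and a different twelve-nibble ip6.arpa zone, so a static delegation cannot keep up, which is the reverse-lookup problem the text refers to.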
5.4.  Case D, ISP Stops Providing Native IPv4 Connectivity

In this case, the ISP is IPv6-only, so the gateway loses IPv4 connectivity, and is faced with an IPv6-only service provider. The gateway itself is dual stack, and the unmanaged network includes IPv4-only, IPv6-only, and dual stack hosts. Any interaction between hosts in the unmanaged network and IPv4 hosts on the Internet will require the provision of some inter-protocol services by the ISP.
5.4.1.  Application Support in Case D

At this phase of the transition, IPv6 hosts can participate in all types of applications with other IPv6 hosts. IPv4 hosts in the unmanaged network will be able to run local applications with other IPv4 or dual stack local hosts.
As in case B, we will assume that IPv6-only hosts will not interact with IPv4-only hosts, either local or remote. We must however assume that IPv4-only hosts and dual stack hosts will want to interact with IPv4 services available on the Internet: the inability to do so would place the IPv6-only provider at a great commercial disadvantage compared to other Internet service providers.
There are three possible ways that an ISP can provide hosts in the unmanaged network with access to IPv4 applications: by using a set of application relays, by providing an address translation service, or by providing IPv4-over-IPv6 tunnels. Our analysis concludes that a tunnel service seems to be vastly preferable.
We already mentioned the drawbacks of the application gateway approach when analyzing case B: it is necessary to provide relays for all applications, to develop a way to provision the hosts with the addresses of these relays, and to modify the applications so that they will only use the relays when needed. We also observe that in an IPv6-only ISP, the application relays would only be accessible over IPv6, and would thus not be accessible by the "legacy" IPv4-only hosts. The application relay approach is thus not very attractive.
Providing a network address and protocol translation service between IPv6 and IPv4 would also have many drawbacks. As in case B, it will have to be complemented by "application layer gateways" that will rewrite references to IP addresses in the protocol; hosts may need to be parameterized to use the translation service, and we would have to solve DNS issues. The network level protocol translation service doesn't appear to be very desirable.
The preferable alternative to application relays and network address translation is the provision of an IPv4-over-IPv6 service.
5.4.2.  Addresses and Connectivity in Case D

The ISP assigns an IPv6 prefix to the unmanaged network, so hosts have a global IPv6 address and use it for global IPv6 connectivity. This will require delegation of an IPv6 address prefix, as investigated in case C.
To give IPv4-only hosts and dual stack hosts access to remote IPv4 services, the ISP must provide the gateway with at least one IPv4 address, using some form of IPv4-over-IPv6 tunneling. Once such an address has been provided, the gateway effectively acquires dual-stack connectivity; for hosts inside the unmanaged network, this will be indistinguishable from the IPv4 connectivity obtained in case B or C.
5.4.3.  Naming Services in Case D

The loss of IPv4 connectivity has a direct impact on the provision of naming services. In many IPv4 unmanaged networks, hosts obtain their DNS configuration parameters from the local gateway, typically through the DHCP service. If the same mode of operation is desired in case D, the gateway will have to be provisioned with the address of a DNS resolver and with other DNS parameters, and this provisioning will have to use IPv6 mechanisms. Another consequence is that the DNS service in the gateway will only be able to use IPv6 connectivity to resolve queries; if local hosts perform DNS resolution autonomously, they will have the same restriction.
On the surface, this seems to indicate that the local hosts will only be able to resolve names if the domain servers are reachable through an IPv6 address published in an AAAA record. However, the DNS service is just one case of "IPv4 servers accessed by IPv6 hosts": it should be possible to simply send queries through the IPv4 connectivity service described above to reach the IPv4-only servers.
The gateway should be able to act as a recursive DNS name server for the remaining IPv4 only hosts.
6.  Security Considerations

Security considerations are discussed as part of the applications' requirements. They include:

- the guarantee that local applications are only used locally,
- the protection of the privacy of clients,
- the requirement that peer-to-peer connections are only used by authorized peers,
- the requirement that tunneling protocols used for IPv6 access over IPv4 be designed for secure use, and
- the related requirement that servers in the infrastructure supporting transition scenarios be designed so as not to be vulnerable to abuse.
The security solutions currently used in IPv4 networks include a combination of firewall functions in the gateway, authentication and authorization functions in the applications, encryption and authentication services provided by IP security, Transport Layer Security and application specific services, and host-based security products, such as anti-virus software and host firewalls. The applicability of these tools in IPv6 unmanaged networks will be studied in another document.
7.  Acknowledgements

This document has benefited from the comments of the members of the IETF V6OPS working group, and from extensive reviews by Chris Fischer, Tony Hain, Kurt Erik Lindqvist, Erik Nordmark, Pekka Savola, and Margaret Wasserman.
8.  References

[RFC791]    Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981.

[RFC2460]   Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

[EVAL]      Evaluation of Transition Mechanisms for Unmanaged Networks, Work in Progress.

[RFC1918]   Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. J. and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.

[RFC2608]   Guttman, E., Perkins, C., Veizades, J. and M. Day, "Service Location Protocol, Version 2", RFC 2608, June 1999.

[RFC3056]   Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, February 2001.

[RFC3022]   Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, January 2001.

[RFC2993]   Hain, T., "Architectural Implications of NAT", RFC 2993, November 2000.

[RFC3041]   Narten, T. and R. Draves, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001.

[RFC2766]   Tsirtsis, G. and P. Srisuresh, "Network Address Translation - Protocol Translation (NAT-PT)", RFC 2766, February 2000.

[DNSOPV6]   Durand, A., Ihren, J. and P. Savola, "Operational Considerations and Issues with IPv6 DNS", Work in Progress.

[DNSINADDR] Senie, D., "Requiring DNS IN-ADDR Mapping", Work in Progress.
9.  Authors' Addresses

Christian Huitema
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399

EMail: huitema@microsoft.com

Rob Austein
Internet Systems Consortium
950 Charter Street
Redwood City, CA 94063
USA

EMail: sra@isc.org

Suresh Satapati
Cisco Systems, Inc.
San Jose, CA 95134
USA

EMail: satapati@cisco.com

Ronald van der Pol
NLnet Labs
Kruislaan 419
1098 VA Amsterdam
NL

EMail: Ronald.vanderPol@nlnetlabs.nl
10.  Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78 and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.