Internet Engineering Task Force (IETF)                            Y. Cui
Request for Comments: 7596                           Tsinghua University
Category: Standards Track                                         Q. Sun
ISSN: 2070-1721                                            China Telecom
                                                            M. Boucadair
                                                          France Telecom
                                                                 T. Tsou
                                                     Huawei Technologies
                                                                  Y. Lee
                                                                 Comcast
                                                               I. Farrer
                                                     Deutsche Telekom AG
                                                               July 2015
Lightweight 4over6: An Extension to the Dual-Stack Lite Architecture
Abstract
Dual-Stack Lite (DS-Lite) (RFC 6333) describes an architecture for transporting IPv4 packets over an IPv6 network. This document specifies an extension to DS-Lite called "Lightweight 4over6", which moves the Network Address and Port Translation (NAPT) function from the centralized DS-Lite tunnel concentrator to the tunnel client located in the Customer Premises Equipment (CPE). This removes the requirement for a Carrier Grade NAT function in the tunnel concentrator and reduces the amount of centralized state that must be held to a per-subscriber level. In order to delegate the NAPT function and make IPv4 address sharing possible, port-restricted IPv4 addresses are allocated to the CPEs.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7596.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
   1. Introduction
   2. Conventions
   3. Terminology
   4. Lightweight 4over6 Architecture
   5. Lightweight B4 Behavior
      5.1. Lightweight B4 Provisioning with DHCPv6
      5.2. Lightweight B4 Data-Plane Behavior
           5.2.1. Fragmentation Behavior
   6. Lightweight AFTR Behavior
      6.1. Binding Table Maintenance
      6.2. lwAFTR Data-Plane Behavior
   7. Additional IPv4 Address and Port-Set Provisioning Mechanisms
   8. ICMP Processing
      8.1. ICMPv4 Processing by the lwAFTR
      8.2. ICMPv4 Processing by the lwB4
   9. Security Considerations
   10. References
       10.1. Normative References
       10.2. Informative References
   Acknowledgements
   Contributors
   Authors' Addresses
1. Introduction

Dual-Stack Lite (DS-Lite) [RFC6333] defines a model for providing IPv4 access over an IPv6 network using two well-known technologies: IP in IP [RFC2473] and Network Address Translation (NAT). The DS-Lite architecture defines two major functional elements as follows:
Basic Bridging BroadBand (B4) element: A function implemented on a dual-stack-capable node (either a directly connected device or a CPE) that creates an IPv4-in-IPv6 tunnel to an AFTR.
Address Family Transition Router (AFTR) element: The combination of an IPv4-in-IPv6 tunnel endpoint and an IPv4-IPv4 NAT implemented on the same node.
As the AFTR performs the centralized NAT44 function, it dynamically assigns public IPv4 addresses and ports to a requesting host's traffic (as described in [RFC3022]). To achieve this, the AFTR must dynamically maintain per-flow state in the form of active NAPT sessions. For service providers with a large number of B4 clients, the size and associated costs for scaling the AFTR can quickly become prohibitive. Maintaining per-flow state can also place a large NAPT logging overhead on the service provider in countries where logging is a legal requirement.
This document describes a mechanism called "Lightweight 4over6" (lw4o6), which provides a solution for these problems. By relocating the NAPT functionality from the centralized AFTR to the distributed B4s, a number of benefits can be realized:
o NAPT44 functionality is already widely supported and used in today's CPE devices. lw4o6 uses this to provide private<->public NAPT44, meaning that the service provider does not need a centralized NAT44 function.
o The amount of state that must be maintained centrally in the AFTR can be reduced from per-flow to per-subscriber. This reduces the amount of resources (memory and processing power) necessary in the AFTR.
o The reduction of maintained state results in a greatly reduced logging overhead on the service provider.
Operators' IPv6 and IPv4 addressing architectures remain independent of each other. Therefore, flexible IPv4/IPv6 addressing schemes can be deployed.
Lightweight 4over6 is a solution designed specifically for complete independence between IPv6 subnet prefixes and IPv4 addresses with or without IPv4 address sharing. This is accomplished by maintaining state for each softwire (per-subscriber state) in the central lwAFTR and a hub-and-spoke forwarding architecture. "Mapping of Address and Port with Encapsulation (MAP-E)" [RFC7597] also offers these capabilities or, alternatively, allows for a reduction of the amount of centralized state using rules to express IPv4/IPv6 address mappings. This introduces an algorithmic relationship between the IPv6 subnet and IPv4 address. This relationship also allows the option of direct, meshed connectivity between users.
The tunneling mechanism remains the same for DS-Lite and Lightweight 4over6. This document describes the changes to DS-Lite that are necessary to implement Lightweight 4over6. These changes mainly concern the configuration parameters and provisioning method necessary for the functional elements.
One of the features of Lightweight 4over6 is to keep per-subscriber state in the service provider's network. This technique is categorized as a "binding approach" [Unified-v4-in-v6] that defines a unified IPv4-in-IPv6 softwire CPE.
This document extends the mechanism defined in [RFC7040] by allowing address sharing. The solution in this document is also a variant of Address plus Port (A+P) called "Binding Table Mode" (see Section 4.4 of [RFC6346]).
This document focuses on architectural considerations, particularly on the expected behavior of the involved functional elements and their interfaces. Deployment-specific issues such as redundancy and provisioning policy are out of scope for this document.
2. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
3. Terminology

This document defines the following terms:
Lightweight 4over6 (lw4o6): An IPv4-over-IPv6 hub-and-spoke mechanism that extends DS-Lite by moving the IPv4 translation (NAPT44) function from the AFTR to the B4.
Lightweight B4 (lwB4): A B4 element [RFC6333] that supports Lightweight 4over6 extensions. An lwB4 is a function implemented on a dual-stack-capable node -- either a directly connected device or a CPE -- that supports port-restricted IPv4 address allocation, implements NAPT44 functionality, and creates a tunnel to an lwAFTR.
Lightweight AFTR (lwAFTR): An AFTR element [RFC6333] that supports the Lightweight 4over6 extension. An lwAFTR is an IPv4-in-IPv6 tunnel endpoint that maintains per-subscriber address binding only and does not perform a NAPT44 function.
Restricted port set: A non-overlapping range of allowed external ports allocated to the lwB4 to use for NAPT44. Source ports of IPv4 packets sent by the B4 must belong to the assigned port set. The port set is used for all port-aware IP protocols (TCP, UDP, the Stream Control Transmission Protocol (SCTP), etc.).
Port-restricted IPv4 address: A public IPv4 address with a restricted port set. In Lightweight 4over6, multiple B4s may share the same IPv4 address; however, their port sets must be non-overlapping.
Throughout the remainder of this document, the terms "B4" and "AFTR" should be understood to refer specifically to a DS-Lite implementation. The terms "lwB4" and "lwAFTR" refer to a Lightweight 4over6 implementation.
4. Lightweight 4over6 Architecture

The Lightweight 4over6 architecture is functionally similar to DS-Lite. lwB4s and an lwAFTR are connected through an IPv6-enabled network. Both approaches use an IPv4-in-IPv6 encapsulation scheme to deliver IPv4 connectivity. The following figure shows the data plane with the main functional change between DS-Lite and lw4o6:
   +--------+   +---------+  IPv4-in-IPv6  +---------+   +-------------+
   |IPv4 LAN|---|   B4    |================|AFTR/NAPT|---|IPv4 Internet|
   +--------+   +---------+                +---------+   +-------------+
                  DS-Lite NAPT model: all state in the AFTR

   +--------+   +---------+  IPv4-in-IPv6  +------+   +-------------+
   |IPv4 LAN|---|lwB4/NAPT|================|lwAFTR|---|IPv4 Internet|
   +--------+   +---------+                +------+   +-------------+
     lw4o6 NAPT model: subscriber state in the lwAFTR, NAPT state in the lwB4
Figure 1: Comparison of DS-Lite and Lightweight 4over6 Data Plane
There are three main components in the Lightweight 4over6 architecture:
o The lwB4, which performs the NAPT function and IPv4/IPv6 encapsulation/decapsulation.
o The lwAFTR, which performs the IPv4/IPv6 encapsulation/ decapsulation.
o The provisioning system, which tells the lwB4 which IPv4 address and port set to use.
The lwB4 differs from a regular B4 in that it now performs the NAPT functionality. This means that it needs to be provisioned with the public IPv4 address and port set it is allowed to use. This information is provided through a provisioning mechanism such as DHCP, the Port Control Protocol (PCP) [RFC6887], or the Broadband Forum's TR-69 specification [TR069].
The lwAFTR needs to know the binding between each subscriber's IPv6 address and the IPv4 address and port set allocated to that subscriber. This information is used to perform ingress filtering upstream and encapsulation downstream. Note that this is per-subscriber state, as opposed to per-flow state in the regular AFTR case.
The consequence of this architecture is that the information maintained by the provisioning mechanism and the one maintained by the lwAFTR MUST be synchronized (see Figure 2). The precise mechanism whereby this synchronization occurs is out of scope for this document.
The solution specified in this document allows the assignment of either a full or a shared IPv4 address to requesting CPEs. [RFC7040] provides a mechanism for assigning a full IPv4 address only.
                       +------------+
               /-------|Provisioning|<-----\
               |       +------------+      |
               |                           |
               V                           V
   +--------+   +---------+    IPv4/IPv6    +------+    +-------------+
   |IPv4 LAN|---|lwB4/NAPT|==================|lwAFTR|----|IPv4 Internet|
   +--------+   +---------+                  +------+    +-------------+
Figure 2: Lightweight 4over6 Provisioning Synchronization
5. Lightweight B4 Behavior

5.1. Lightweight B4 Provisioning with DHCPv6

With DS-Lite, the B4 element only needs to be configured with a single DS-Lite-specific parameter so that it can set up the softwire (the IPv6 address of the AFTR). Its IPv4 address can be taken from the well-known range 192.0.0.0/29.
In lw4o6, a number of lw4o6-specific configuration parameters must be provisioned to the lwB4. These are:
o IPv6 address for the lwAFTR
o IPv4 external (public) address for NAPT44
o Restricted port set to use for NAPT44
o IPv6 binding prefix
The lwB4 MUST implement DHCPv6-based configuration using OPTION_S46_CONT_LW as described in Section 5.3 of [RFC7598]. This means that the lifetime of the softwire and the derived configuration information (e.g., IPv4 shared address, IPv4 address) are bound to the lifetime of the DHCPv6 lease. If stateful IPv4 configuration or additional IPv4 configuration information is required, DHCP 4o6 [RFC7341] MUST be used.
Although it would be possible to extend lw4o6 to have more than one active lw4o6 tunnel configured simultaneously, this document is only concerned with the use of a single tunnel.
The IPv6 binding prefix field is provisioned so that the Customer Edge (CE) can identify the correct prefix to use as the tunnel source. On receipt of the necessary configuration parameters listed above, the lwB4 performs a longest-prefix match between the IPv6 binding prefix and its currently active IPv6 prefixes. The result forms the subnet to be used for sourcing the lw4o6 tunnel. The full /128 address is then constructed in the same manner as [RFC7597].
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Operator Assigned Prefix                    |
   .                           (64 bits)                           .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Zero Padding         |          IPv4 Address         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        IPv4 Addr cont.        |             PSID              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Construction of the lw4o6 /128 Prefix
Operator Assigned Prefix: IPv6 prefix allocated to the client. If the prefix length is less than 64, it is right-padded with zeros to 64 bits.
Padding: Padding (all zeros).
IPv4 Address: Public IPv4 address allocated to the client.
PSID: Port Set ID. Allocated to the client; left-padded with zeros to 16 bits. If no PSID is provisioned, all zeros.
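The prefix selection and /128 construction described above, worked through in code. This is an added example, not code from the RFC or from any lw4o6 implementation; it uses Python's standard ipaddress module, and the binding prefix, active prefixes, IPv4 address and PSID value in it are constructed sample values, not values from the document.

```python
import ipaddress


def select_tunnel_prefix(binding_prefix, active_prefixes):
    """Longest-prefix match of the provisioned IPv6 binding prefix against the
    CE's currently active prefixes. The most specific active prefix that lies
    inside the binding prefix becomes the Operator Assigned Prefix used to
    source the lw4o6 tunnel; None means no active prefix is covered."""
    binding = ipaddress.IPv6Network(binding_prefix)
    matches = [ipaddress.IPv6Network(p) for p in active_prefixes
               if ipaddress.IPv6Network(p).subnet_of(binding)]
    if not matches:
        return None
    return max(matches, key=lambda p: p.prefixlen)


def build_lw4o6_address(operator_prefix, ipv4_address, psid=0):
    """Assemble the /128 tunnel source address of Figure 3:
    64-bit operator prefix (right-padded with zeros) | 16 zero bits |
    32-bit public IPv4 address | 16-bit PSID (left-padded with zeros)."""
    net = ipaddress.IPv6Network(operator_prefix)
    if net.prefixlen > 64:
        raise ValueError("an operator prefix longer than /64 leaves no room for the suffix")
    if not 0 <= psid <= 0xFFFF:
        raise ValueError("PSID must fit in 16 bits")
    upper = int(net.network_address) >> 64          # host bits are already zero
    lower = (int(ipaddress.IPv4Address(ipv4_address)) << 16) | psid
    return ipaddress.IPv6Address((upper << 64) | lower)


def tunnel_source(binding_prefix, active_prefixes, ipv4_address, psid=0):
    """Full lwB4 procedure: pick the prefix, then build the /128."""
    prefix = select_tunnel_prefix(binding_prefix, active_prefixes)
    if prefix is None:
        raise LookupError("no active prefix matches the binding prefix; re-provision")
    return build_lw4o6_address(prefix, ipv4_address, psid)


if __name__ == "__main__":
    # Constructed sample values: a /56 delegated to the CE, a ULA prefix that must
    # be ignored, a /32 binding prefix, a shared public IPv4 address and PSID 3.
    addr = tunnel_source("2001:db8::/32", ["fd00:1::/64", "2001:db8:1:200::/56"],
                         "192.0.2.1", 3)
    print(addr)  # 2001:db8:1:200:0:c000:201:3
```

The ULA prefix is rejected because it is not inside the binding prefix, so a CE with several active prefixes cannot accidentally source the tunnel from the wrong one; a prefix shorter than /64 (the /48 case in the test below) is right-padded to 64 bits exactly as the field description states.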
In the event that the lwB4's IPv6 encapsulation source address is changed for any reason (such as the DHCPv6 lease expiring), the lwB4's dynamic provisioning process MUST be re-initiated. When the lwB4's public IPv4 address or Port Set ID is changed for any reason, the lwB4 MUST flush its NAPT table.
An lwB4 MUST support dynamic port-restricted IPv4 address provisioning. The port-set algorithm for provisioning this is described in Section 5.1 of [RFC7597]. For lw4o6, the number of a-bits SHOULD be 0, thus allocating a single contiguous port set to each lwB4.
Provisioning of the lwB4 using DHCPv6 as described here allocates a single PSID to the client. In the event that the client is concurrently using all of the provisioned L4 ports, it may be unable to initiate any additional outbound connections. DHCPv6-based provisioning does not provide a mechanism for the client to request more L4 port numbers. Other provisioning mechanisms (e.g., PCP-based provisioning [PCP-PORT_SET]) provide this function. Issues relevant to IP address sharing are discussed in more detail in [RFC6269].
Unless an lwB4 is being allocated a full IPv4 address, it is RECOMMENDED that PSIDs containing the system ports (0-1023) not be allocated to lwB4s. The reserved ports are more likely to be reserved by middleware, and therefore we recommend that they not be issued to clients other than as a deliberate assignment. Section 5.2.2 of [RFC6269] provides analysis of allocating system ports to clients with IPv4 address sharing.
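The port-set algorithm of Section 5.1 of [RFC7597] with the a-bits recommendation and the system-port recommendation above, as an added example that is not part of the RFC. It implements the algorithm as summarized in its docstring (a 16-bit port split into a offset bits, k PSID bits and m remaining bits), generalizes to a > 0 so the difference from the recommended a = 0 case is visible, and flags PSIDs whose port set overlaps 0-1023. The PSID lengths and values are constructed samples.

```python
SYSTEM_PORTS = (0, 1023)   # the range this document recommends keeping out of shared PSIDs


def port_set(psid, psid_len, offset_bits=0):
    """Port ranges selected by a PSID under the RFC 7597 Section 5.1 port-set
    algorithm. A 16-bit port number is split into 'a' offset bits, 'k' PSID bits
    and 'm' = 16 - a - k contiguous bits:  port = (A << (16 - a)) | (PSID << m) | M.
    Returns a list of (first, last) tuples. With a = 0, as recommended here for
    lw4o6, A can only be 0 and the result is a single contiguous range."""
    if psid_len < 0 or offset_bits < 0 or psid_len + offset_bits > 16:
        raise ValueError("a + k must not exceed 16")
    if psid_len == 0:
        return [(0, 65535)]                     # full IPv4 address, nothing is shared
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("PSID does not fit in %d bits" % psid_len)
    m = 16 - offset_bits - psid_len
    # With a > 0 the value A = 0 is skipped, which is how MAP keeps the lowest
    # 2^(16-a) ports (and with a >= 6 the whole system range) out of every PSID.
    first_a = 1 if offset_bits > 0 else 0
    ranges = []
    for a_val in range(first_a, 1 << offset_bits):
        first = (a_val << (16 - offset_bits)) | (psid << m)
        ranges.append((first, first + (1 << m) - 1))
    return ranges


def port_in_set(port, ranges):
    """Check a port against an allocated port set. lwB4 NAPT44 source-port
    selection and lwAFTR ingress validation both reduce to this test."""
    return any(first <= port <= last for first, last in ranges)


def port_count(ranges):
    return sum(last - first + 1 for first, last in ranges)


def includes_system_ports(ranges):
    """True if any part of the port set falls within 0-1023."""
    lo, hi = SYSTEM_PORTS
    return any(first <= hi and lo <= last for first, last in ranges)


def allocatable_psids(psid_len, offset_bits=0, full_address=False):
    """PSIDs an operator can hand out while following the recommendation that
    lwB4s without a full IPv4 address never receive system ports."""
    return [p for p in range(1 << psid_len)
            if full_address or not includes_system_ports(port_set(p, psid_len, offset_bits))]


if __name__ == "__main__":
    # Constructed sample: 4-bit PSIDs (16 subscribers per IPv4 address).
    print(port_set(3, 4))                  # [(12288, 16383)]  one contiguous range, a = 0
    print(allocatable_psids(4))            # PSID 0 is dropped: its range 0-4095 holds 0-1023
    print(len(port_set(3, 4, 6)))          # 63 scattered ranges when a = 6 is used instead
```

With a = 0 and k = 4, PSID 0 is the only set that covers the system ports, so following the recommendation costs the operator one sixteenth of each shared address; with a = 6 every PSID skips the low ports but the set is fragmented into 63 blocks of 64 ports, which is what the single-contiguous-range recommendation avoids.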
In the event that the lwB4 receives an ICMPv6 error message (Type 1, Code 5) originating from the lwAFTR, the lwB4 interprets this to mean that no matching entry in the lwAFTR's binding table has been found, so the IPv4 payload is not being forwarded by the lwAFTR. The lwB4 MAY then re-initiate the dynamic port-restricted provisioning process. The lwB4's re-initiation policy SHOULD be configurable.
On receipt of such an ICMP error message, the lwB4 MUST validate the source address to be the same as the lwAFTR address that is configured. In the event that these addresses do not match, the lwB4 MUST discard the ICMP error message.
In order to prevent forged ICMP messages (using the spoofed lwAFTR address as the source) from being sent to lwB4s, the operator can implement network ingress filtering as described in [RFC2827].
The DNS considerations described in Sections 5.5 and 6.4 of [RFC6333] apply to Lightweight 4over6; lw4o6 implementations MUST comply with all requirements stated there.
5.2. Lightweight B4 Data-Plane Behavior

Several sections of [RFC6333] provide background information on the B4's data-plane functionality and MUST be implemented by the lwB4, as they are common to both solutions. The relevant sections are:
   5.2 Encapsulation: Covering encapsulation and decapsulation of tunneled traffic

   5.3 Fragmentation and Reassembly: Covering MTU and fragmentation considerations (referencing [RFC2473])

   7.1 Tunneling: Covering tunneling and Traffic Class mapping between IPv4 and IPv6 (referencing [RFC2473]). Also see [RFC2983]
The lwB4 element performs IPv4 address translation (NAPT44) as well as encapsulation and decapsulation. It runs standard NAPT44 [RFC3022] using the allocated port-restricted address as its external IPv4 address and range of source ports.
The working flow of the lwB4 is illustrated in Figure 4.
                   +-------------+
                   |    lwB4     |
   +--------+ IPv4 |------+------| IPv4-in-IPv6 +----------+
   |IPv4 LAN|----->|      |Encap.|------------->|Configured|
   |        |<-----| NAPT |  or  |<-------------|  lwAFTR  |
   +--------+      |      |Decap.|              +----------+
                   +------+------+
Figure 4: Working Flow of the lwB4
Hosts connected to the customer's network behind the lwB4 source IPv4 packets with an [RFC1918] address. When the lwB4 receives such an IPv4 packet, it performs a NAPT44 function on the source address and port by using the public IPv4 address and a port number from the allocated port set. Then, it encapsulates the packet with an IPv6 header. The destination IPv6 address is the lwAFTR's IPv6 address, and the source IPv6 address is the lwB4's IPv6 tunnel endpoint address. Finally, the lwB4 forwards the encapsulated packet to the configured lwAFTR.
When the lwB4 receives an IPv4-in-IPv6 packet from the lwAFTR, it decapsulates the IPv4 packet from the IPv6 packet. Then, it performs NAPT44 translation on the destination address and port, based on the available information in its local NAPT44 table.
If the IPv6 source address does not match the configured lwAFTR address, then the packet MUST be discarded. If the decapsulated IPv4 packet does not match the lwB4's configuration (i.e., invalid destination IPv4 address or port), then the packet MUST be dropped. An ICMPv4 error message (Type 3, Code 13 -- Destination Unreachable, Communication Administratively Prohibited) MAY be sent back to the lwAFTR. The ICMP policy SHOULD be configurable.
The lwB4 is responsible for performing Application Layer Gateway (ALG) functions (e.g., SIP, FTP) and other NAPT traversal mechanisms (e.g., Universal Plug and Play (UPnP) IGD (Internet Gateway Device), the NAT Port Mapping Protocol (NAT-PMP), manual binding configuration, PCP) for the internal hosts, if necessary. This requirement is typical for NAPT44 gateways available today.
It is possible that an lwB4 is co-located in a host. In this case, the functions of NAPT44 and encapsulation/decapsulation are implemented inside the host.
For TCP and UDP traffic, the NAPT44 implemented in the lwB4 MUST conform to the behavior and best current practices documented in [RFC4787], [RFC5508], and [RFC5382]. If the lwB4 supports the Datagram Congestion Control Protocol (DCCP), then the requirements in [RFC5597] MUST be implemented.
The NAPT44 in the lwB4 MUST implement ICMP message handling behavior conforming to the best current practice documented in [RFC5508]. If the lwB4 receives an ICMP error (for errors detected inside the IPv6 tunnel), the node relays the ICMP error message to the original source (the lwAFTR). This behavior SHOULD be implemented conforming to Section 8 of [RFC2473].
5.2.1. Fragmentation Behavior

If IPv4 hosts behind different lwB4s sharing the same IPv4 address send fragments to the same IPv4 destination host outside the Lightweight 4over6 domain, those hosts may use the same IPv4 fragmentation identifier, resulting in incorrect reassembly of the fragments at the destination host. Given that the IPv4 fragmentation identifier is a 16-bit field, it could be used similarly to port ranges: An lwB4 could rewrite the IPv4 fragmentation identifier to be within its allocated port set, if the resulting fragment identifier space is large enough relative to the rate at which fragments are sent. However, splitting the identifier space in this fashion would increase the probability of reassembly collision for all connections through the lwB4. See also Section 5.3.1 of [RFC6864].
6. Lightweight AFTR Behavior

6.1. Binding Table Maintenance

The lwAFTR maintains an address binding table containing the binding between the lwB4's IPv6 address, the allocated IPv4 address, and the restricted port set. Unlike the DS-Lite extended binding table, which is a 5-tuple NAPT table and is defined in Section 6.6 of [RFC6333], each entry in the Lightweight 4over6 binding table contains the following 3-tuples:
o IPv6 address for a single lwB4
o Public IPv4 address
o Restricted port set
The entry has two functions: the IPv6 encapsulation of inbound IPv4 packets destined to the lwB4 and the validation of outbound IPv4-in-IPv6 packets received from the lwB4 for decapsulation.
The lwAFTR does not perform NAPT and so does not need session entries.
The lwAFTR MUST synchronize the binding information with the port-restricted address provisioning process. If the lwAFTR does not participate in the port-restricted address provisioning process, the binding MUST be synchronized through other methods (e.g., out-of-band static update).
If the lwAFTR participates in the port-restricted provisioning process, then its binding table MUST be created as part of this process.
For all provisioning processes, the lifetime of binding table entries MUST be synchronized with the lifetime of address allocations.
Several sections of [RFC6333] provide background information on the AFTR's data-plane functionality and MUST be implemented by the lwAFTR, as they are common to both solutions. The relevant sections are:
6.2 Encapsulation: covering encapsulation and decapsulation of tunneled traffic
6.3 Fragmentation and Reassembly: fragmentation and reassembly considerations (referencing [RFC2473])
7.1 Tunneling: covering tunneling and Traffic Class mapping between IPv4 and IPv6 (referencing [RFC2473]). Also see [RFC2983]
When the lwAFTR receives an IPv4-in-IPv6 packet from an lwB4, it decapsulates the IPv6 header and verifies the source addresses and port in the binding table. If both the source IPv4 and IPv6 addresses match a single entry in the binding table and the source port is in the allowed port set for that entry, the lwAFTR forwards the packet to the IPv4 destination.
If no match is found (e.g., no matching IPv4 address entry, port out of range), the lwAFTR MUST discard or implement a policy (such as redirection) on the packet. An ICMPv6 Type 1, Code 5 (Destination Unreachable, source address failed ingress/egress policy) error message MAY be sent back to the requesting lwB4. The ICMP policy SHOULD be configurable.
When the lwAFTR receives an inbound IPv4 packet, it uses the IPv4 destination address and port to look up the destination lwB4's IPv6 address in its binding table. If a match is found, the lwAFTR encapsulates the IPv4 packet. The source is the lwAFTR's IPv6 address, and the destination is the lwB4's IPv6 address from the matched entry. Then, the lwAFTR forwards the packet to the lwB4 natively over the IPv6 network.
If no match is found, the lwAFTR MUST discard the packet. An ICMPv4 Type 3, Code 1 (Destination Unreachable, Host Unreachable) error message MAY be sent back. The ICMP policy SHOULD be configurable.
The lwAFTR MUST support hairpinning of traffic between two lwB4s, by performing decapsulation and re-encapsulation of packets from one lwB4 that need to be sent to another lwB4 associated with the same AFTR. The hairpinning policy MUST be configurable.
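The binding-table behaviour described above (3-tuple entries, validation of decapsulated packets from an lwB4, lookup of inbound IPv4 packets for encapsulation, and hairpinning between two lwB4s on the same lwAFTR) as an added worked example. This is illustrative code written for this page, not an lwAFTR implementation from the RFC or from any vendor; the lwAFTR tunnel address, the two lwB4 entries and their port sets are constructed documentation-prefix values, and the action/detail tuples are an assumed representation of the forwarding decision.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Constructed lwAFTR tunnel endpoint address (documentation prefix, not a deployment).
LWAFTR_IPV6 = "2001:db8::1"


@dataclass(frozen=True)
class Binding:
    """One Lightweight 4over6 binding-table entry: the 3-tuple from the text above."""
    lwb4_ipv6: ipaddress.IPv6Address
    ipv4: ipaddress.IPv4Address
    ports: FrozenSet[int]          # restricted port set; contiguous or not


class BindingTable:
    """Per-subscriber state only: the lwAFTR keeps no NAPT session entries."""

    def __init__(self, entries: Iterable[Binding]) -> None:
        self.entries: List[Binding] = list(entries)

    def lookup_inbound(self, ipv4: str, port: int) -> Optional[Binding]:
        """Inbound IPv4 -> lwB4: match on destination IPv4 address and port."""
        addr = ipaddress.IPv4Address(ipv4)
        for e in self.entries:
            if e.ipv4 == addr and port in e.ports:
                return e
        return None

    def validate_outbound(self, src_ipv6: str, src_ipv4: str, src_port: int) -> Optional[Binding]:
        """Decapsulated IPv4-in-IPv6 from an lwB4: both source addresses must match a
        single entry and the inner source port must lie in that entry's port set."""
        v6, v4 = ipaddress.IPv6Address(src_ipv6), ipaddress.IPv4Address(src_ipv4)
        for e in self.entries:
            if e.lwb4_ipv6 == v6 and e.ipv4 == v4 and src_port in e.ports:
                return e
        return None


def process_from_lwb4(table: BindingTable, outer_src_ipv6: str, inner_src_ipv4: str,
                      inner_src_port: int, inner_dst_ipv4: str, inner_dst_port: int,
                      hairpin: bool = True) -> Tuple[str, str]:
    """lwAFTR decapsulation path. Returns (action, detail)."""
    if table.validate_outbound(outer_src_ipv6, inner_src_ipv4, inner_src_port) is None:
        # No match (unknown address, port outside the set, or IPv6/IPv4 pair that does
        # not belong to one entry): discard; an ICMPv6 Type 1, Code 5 MAY be returned.
        return ("DROP", "ICMPv6 type 1 code 5")
    if hairpin:   # hairpinning policy is configurable
        peer = table.lookup_inbound(inner_dst_ipv4, inner_dst_port)
        if peer is not None:
            # Destination is another lwB4 on this lwAFTR: re-encapsulate towards it.
            return ("HAIRPIN", str(peer.lwb4_ipv6))
    return ("FORWARD_IPV4", inner_dst_ipv4)


def process_from_ipv4(table: BindingTable, dst_ipv4: str, dst_port: int) -> Tuple[str, str]:
    """lwAFTR encapsulation path for a packet arriving from the IPv4 side."""
    entry = table.lookup_inbound(dst_ipv4, dst_port)
    if entry is None:
        # No binding for this address/port: discard; ICMPv4 Type 3, Code 1 MAY be sent.
        return ("DROP", "ICMPv4 type 3 code 1")
    # Outer IPv6 header: source = lwAFTR, destination = lwB4 from the matched entry.
    return ("ENCAP", f"{LWAFTR_IPV6} -> {entry.lwb4_ipv6}")


def make_binding(lwb4_ipv6: str, ipv4: str, first_port: int, count: int) -> Binding:
    """Helper for a contiguous port set; any frozenset of ports works the same way."""
    return Binding(ipaddress.IPv6Address(lwb4_ipv6), ipaddress.IPv4Address(ipv4),
                   frozenset(range(first_port, first_port + count)))


# Constructed sample: two lwB4s share 192.0.2.1, 1024 ports each.
SAMPLE_TABLE = BindingTable([
    make_binding("2001:db8:100::a", "192.0.2.1", 4096, 1024),   # ports 4096-5119
    make_binding("2001:db8:100::b", "192.0.2.1", 5120, 1024),   # ports 5120-6143
])

if __name__ == "__main__":
    print(process_from_ipv4(SAMPLE_TABLE, "192.0.2.1", 4200))
    print(process_from_lwb4(SAMPLE_TABLE, "2001:db8:100::a", "192.0.2.1", 4200, "198.51.100.7", 443))
    print(process_from_lwb4(SAMPLE_TABLE, "2001:db8:100::a", "192.0.2.1", 5200, "198.51.100.7", 443))
    print(process_from_lwb4(SAMPLE_TABLE, "2001:db8:100::b", "192.0.2.1", 5200, "192.0.2.1", 4200))
```

The third call is the case worth noticing: port 5200 does exist in the table, but for the other lwB4, so a packet carrying it from lwB4 A is rejected because the IPv6 source and the IPv4 source/port must match within one entry; a lookup keyed on IPv4 address and port alone would let one subscriber send traffic using a neighbour's port share.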
In addition to the DHCPv6-based mechanism described in Section 5.1, several other IPv4 provisioning protocols have been suggested. These protocols MAY be implemented. These alternatives include:
o DHCPv4 over DHCPv6: [RFC7341] describes implementing DHCPv4 messages over an IPv6-only service provider's network. This enables leasing of IPv4 addresses and makes DHCPv4 options available to the DHCPv4-over-DHCPv6 client. An lwB4 MAY implement [RFC7341] and [Dyn-Shared-v4Alloc] to retrieve a shared IPv4 address with a set of ports.
o PCP [RFC6887]: an lwB4 MAY use [PCP-PORT_SET] to retrieve a restricted IPv4 address and a set of ports.
In a Lightweight 4over6 domain, the binding information MUST be synchronized across the lwB4s, the lwAFTRs, and the provisioning server.
To prevent interworking complexity, it is RECOMMENDED that an operator use a single provisioning mechanism / protocol for their implementation. In the event that more than one provisioning mechanism / protocol needs to be used (for example, during a migration to a new provisioning mechanism), the operator SHOULD ensure that each provisioning mechanism has a discrete set of resources (e.g., IPv4 address/PSID pools, as well as lwAFTR tunnel addresses and binding tables).
For both the lwAFTR and the lwB4, ICMPv6 MUST be handled as described in [RFC2473].
ICMPv4 does not work in an address-sharing environment without special handling [RFC6269]. Due to the port-set style of address sharing, Lightweight 4over6 requires specific ICMP message handling not required by DS-Lite.
For inbound ICMP messages, the following behavior SHOULD be implemented by the lwAFTR to provide ICMP error handling and basic remote IPv4 service diagnostics for a port-restricted CPE:
1. Check the ICMP Type field.
2. If the ICMP Type field is set to 0 or 8 (echo reply or request), then the lwAFTR MUST take the value of the ICMP Identifier field as the source port and use this value to look up the binding table for an encapsulation destination. If a match is found, the lwAFTR forwards the ICMP packet to the IPv6 address stored in the entry; otherwise, it MUST discard the packet.
3. If the ICMP Type field is set to any other value, then the lwAFTR MUST use the method described in REQ-3 of [RFC5508] to locate the source port within the transport-layer header in the ICMP packet's data field. The destination IPv4 address and source port extracted from the ICMP packet are then used to make a lookup in the binding table. If a match is found, it MUST forward the ICMP reply packet to the IPv6 address stored in the entry; otherwise, it MUST discard the packet.
Otherwise, the lwAFTR MUST discard all inbound ICMPv4 messages.
The ICMP policy SHOULD be configurable.
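The inbound ICMPv4 procedure above (steps 1 to 3) as an added example, written for this page rather than taken from the RFC or any implementation. It extracts the port-like value from an ICMPv4 message (the Identifier for echo messages, the source port of the quoted transport header for error messages), then looks it up with the outer destination address in a constructed binding table. The sample messages are built inline with checksums left at zero. The consistency check that the quoted datagram's source IPv4 address equals the outer destination address is an addition of mine and not a requirement stated on this page.

```python
import ipaddress
import struct
from typing import FrozenSet, List, Optional, Tuple

# Constructed binding table: (public IPv4, restricted port set, lwB4 IPv6).
BINDINGS: List[Tuple[str, FrozenSet[int], str]] = [
    ("192.0.2.1", frozenset(range(4096, 5120)), "2001:db8:100::a"),
    ("192.0.2.1", frozenset(range(5120, 6144)), "2001:db8:100::b"),
]

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_DCCP = 1, 6, 17, 33


def icmp_lookup_key(icmp: bytes, outer_dst_ipv4: str) -> Optional[int]:
    """Return the value the lwAFTR uses in place of a port for the binding lookup,
    or None when the message is unusable and must be discarded."""
    if len(icmp) < 8:
        return None
    icmp_type = icmp[0]
    if icmp_type in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST):
        # Step 2: the ICMP Identifier field (bytes 4-5) plays the role of the port.
        return struct.unpack("!H", icmp[4:6])[0]
    # Step 3: error messages quote the offending IPv4 header plus at least the first
    # 8 bytes of its transport header after the 8-byte ICMP header.
    inner = icmp[8:]
    if len(inner) < 20 or (inner[0] >> 4) != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return None
    # Added consistency check (not mandated by the text): the quoted datagram left
    # via the shared address, so its source must equal the outer destination.
    if ipaddress.IPv4Address(inner[12:16]) != ipaddress.IPv4Address(outer_dst_ipv4):
        return None
    proto = inner[9]
    transport = inner[ihl:ihl + 8]
    if proto in (PROTO_TCP, PROTO_UDP, PROTO_DCCP):
        return struct.unpack("!H", transport[0:2])[0]       # source port
    if proto == PROTO_ICMP and transport[0] == ICMP_ECHO_REQUEST:
        return struct.unpack("!H", transport[4:6])[0]       # quoted echo identifier
    return None


def lwaftr_inbound_icmp(icmp: bytes, outer_dst_ipv4: str) -> Tuple[str, Optional[str]]:
    """Decide what the lwAFTR does with an inbound ICMPv4 message."""
    key = icmp_lookup_key(icmp, outer_dst_ipv4)
    if key is None:
        return ("DROP", None)
    for ipv4, ports, lwb4_ipv6 in BINDINGS:
        if ipv4 == outer_dst_ipv4 and key in ports:
            return ("ENCAP", lwb4_ipv6)      # forward inside IPv6 to this lwB4
    return ("DROP", None)


# --- constructed sample messages (checksums left as zero) --------------------

def build_echo_reply(identifier: int, seq: int = 1) -> bytes:
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, identifier, seq)


def build_dest_unreachable(src_ipv4: str, dst_ipv4: str, src_port: int,
                           dst_port: int, proto: int = PROTO_UDP) -> bytes:
    """ICMP Type 3, Code 3 quoting a UDP or TCP datagram sent from src_ipv4:src_port."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ipv4).packed,
                         ipaddress.IPv4Address(dst_ipv4).packed)
    if proto == PROTO_UDP:
        transport = struct.pack("!HHHH", src_port, dst_port, 8, 0)   # length, checksum
    else:
        transport = struct.pack("!HHI", src_port, dst_port, 0)       # ports + sequence
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + transport


if __name__ == "__main__":
    print(lwaftr_inbound_icmp(build_echo_reply(4200), "192.0.2.1"))
    print(lwaftr_inbound_icmp(
        build_dest_unreachable("192.0.2.1", "198.51.100.7", 5200, 53), "192.0.2.1"))
```

Truncated or malformed messages fall through to discard rather than raising, which matters on a box that receives arbitrary ICMPv4 from the Internet; the per-type parse paths are kept separate so that an error message quoting an ICMP echo is handled by its identifier and not misread as a TCP/UDP port.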
The lwB4 MUST implement the requirements defined in [RFC5508] for ICMP forwarding. For ICMP echo request packets originating from the private IPv4 network, the lwB4 SHOULD implement the method described in [RFC6346] and use an available port from its port set as the ICMP identifier.
As the port space for a subscriber shrinks due to address sharing, the randomness for the port numbers of the subscriber is decreased significantly. This means that it is much easier for an attacker to guess the port number used, which could result in attacks ranging from throughput reduction to broken connections or data corruption.
The port set for a subscriber can be a set of contiguous ports or non-contiguous ports. Contiguous port sets do not reduce this threat. However, with non-contiguous port sets (which may be generated in a pseudorandom way [RFC6431]), the randomness of the port number is improved, provided that the attacker is outside the Lightweight 4over6 domain and hence does not know the port-set generation algorithm.
The lwAFTR MUST rate-limit ICMPv6 error messages (see Section 5.1) to defend against DoS attacks generated by an abusive user.
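The rate limiting required above as an added example of my own, not code from the RFC or any lwAFTR product: a token bucket per source lwB4 (so one misbehaving subscriber cannot exhaust the budget that others' legitimate errors need) combined with a global bucket that bounds the lwAFTR's total ICMPv6 error output. The rates and burst sizes are constructed; the RFC states no figures. The clock is injectable so the behaviour can be checked deterministically, and a per-source suppression counter is kept because a source that keeps hitting its limit is itself a useful signal for monitoring.

```python
import time
from collections import OrderedDict, defaultdict
from typing import Callable, Dict, List


class ManualClock:
    """Deterministic clock for tests and offline demos (monotonic seconds)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class IcmpErrorRateLimiter:
    """Token-bucket limiter for ICMPv6 errors (e.g. Type 1, Code 5) an lwAFTR
    generates towards lwB4s. allow() returns True if the error may be sent now."""

    def __init__(self, per_source_rate: float = 1.0, per_source_burst: int = 5,
                 global_rate: float = 100.0, global_burst: int = 200,
                 max_sources: int = 10000,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.per_source_rate = per_source_rate      # tokens per second per lwB4
        self.per_source_burst = per_source_burst    # bucket depth per lwB4
        self.global_rate = global_rate
        self.global_burst = global_burst
        self.max_sources = max_sources              # bound on tracked sources
        self.clock = clock
        # source IPv6 -> [tokens, last_refill]; insertion order gives LRU eviction.
        self.buckets: "OrderedDict[str, List[float]]" = OrderedDict()
        self.global_bucket: List[float] = [float(global_burst), clock()]
        self.suppressed: Dict[str, int] = defaultdict(int)

    @staticmethod
    def _refill(bucket: List[float], rate: float, burst: float, now: float) -> None:
        """Credit tokens for the time elapsed since the last refill, capped at burst."""
        bucket[0] = min(float(burst), bucket[0] + max(0.0, now - bucket[1]) * rate)
        bucket[1] = now

    def allow(self, src_ipv6: str) -> bool:
        now = self.clock()
        bucket = self.buckets.get(src_ipv6)
        if bucket is None:
            if len(self.buckets) >= self.max_sources:
                self.buckets.popitem(last=False)    # evict least recently seen source
            bucket = self.buckets[src_ipv6] = [float(self.per_source_burst), now]
        else:
            self.buckets.move_to_end(src_ipv6)
        self._refill(bucket, self.per_source_rate, self.per_source_burst, now)
        self._refill(self.global_bucket, self.global_rate, self.global_burst, now)
        # Both budgets must have a token; a suppressed message spends nothing, so
        # a flood from one source does not also drain the global budget.
        if bucket[0] < 1.0 or self.global_bucket[0] < 1.0:
            self.suppressed[src_ipv6] += 1
            return False
        bucket[0] -= 1.0
        self.global_bucket[0] -= 1.0
        return True


if __name__ == "__main__":
    clock = ManualClock()
    limiter = IcmpErrorRateLimiter(per_source_rate=1.0, per_source_burst=3, clock=clock)
    print([limiter.allow("2001:db8:100::a") for _ in range(5)])   # burst of 3, then suppressed
    clock.advance(2.0)
    print([limiter.allow("2001:db8:100::a") for _ in range(3)])   # 2 tokens refilled
```

Where the lwAFTR also returns ICMPv4 Type 3, Code 1 towards the IPv4 side, the same limiter can front that path with a separate instance; keeping the two budgets apart stops inbound IPv4 noise from silencing the ICMPv6 errors that tell a misconfigured lwB4 why its tunnel traffic is being dropped.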
More considerations about IP address sharing are discussed in Section 13 of [RFC6269], which is applicable to this solution.
This document describes a number of different protocols that may be used for the provisioning of lw4o6. In each case, the security considerations relevant to the provisioning protocol are also relevant to the provisioning of lw4o6 using that protocol. lw4o6 does not add any other security considerations specific to these provisioning protocols.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, <http://www.rfc-editor.org/info/rfc1918>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473, December 1998, <http://www.rfc-editor.org/info/rfc2473>.
[RFC4787] Audet, F., Ed., and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007, <http://www.rfc-editor.org/info/rfc4787>.
[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008, <http://www.rfc-editor.org/info/rfc5382>.
[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT Behavioral Requirements for ICMP", BCP 148, RFC 5508, DOI 10.17487/RFC5508, April 2009, <http://www.rfc-editor.org/info/rfc5508>.
[RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) Behavioral Requirements for the Datagram Congestion Control Protocol", BCP 150, RFC 5597, DOI 10.17487/RFC5597, September 2009, <http://www.rfc-editor.org/info/rfc5597>.
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011, <http://www.rfc-editor.org/info/rfc6333>.
[RFC7598] Mrugalski, T., Troan, O., Farrer, I., Perreault, S., Dec, W., Bao, C., Yeh, L., and X. Deng, "DHCPv6 Options for Configuration of Softwire Address and Port-Mapped Clients", RFC 7598, DOI 10.17487/RFC7598, July 2015, <http://www.rfc-editor.org/info/rfc7598>.
[B4-Trans-DSLite] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. Farrer, "Lightweight 4over6: An Extension to the DS-Lite Architecture", Work in Progress, draft-cui-softwire-b4-translated-ds-lite-11, February 2013.
[DSLite-LW-Ext] Deng, X., Boucadair, M., and C. Zhou, "NAT offload extension to Dual-Stack lite", Work in Progress, draft-zhou-softwire-b4-nat-04, October 2011.
[Dyn-Shared-v4Alloc] Cui, Y., Sun, Q., Farrer, I., Lee, Y., Sun, Q., and M. Boucadair, "Dynamic Allocation of Shared IPv4 Addresses", Work in Progress, draft-ietf-dhc-dynamic-shared-v4allocation-09, May 2015.
[PCP-PORT_SET] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., and S. Perreault, "Port Control Protocol (PCP) Extension for Port Set Allocation", Work in Progress, draft-ietf-pcp-port-set-09, May 2015.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000, <http://www.rfc-editor.org/info/rfc2827>.
[RFC2983] Black, D., "Differentiated Services and Tunnels", RFC 2983, DOI 10.17487/RFC2983, October 2000, <http://www.rfc-editor.org/info/rfc2983>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001, <http://www.rfc-editor.org/info/rfc3022>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and P. Roberts, "Issues with IP Address Sharing", RFC 6269, DOI 10.17487/RFC6269, June 2011, <http://www.rfc-editor.org/info/rfc6269>.
[RFC6346] Bush, R., Ed., "The Address plus Port (A+P) Approach to the IPv4 Address Shortage", RFC 6346, DOI 10.17487/RFC6346, August 2011, <http://www.rfc-editor.org/info/rfc6346>.
[RFC6431] Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and T. Tsou, "Huawei Port Range Configuration Options for PPP IP Control Protocol (IPCP)", RFC 6431, DOI 10.17487/RFC6431, November 2011, <http://www.rfc-editor.org/info/rfc6431>.
[RFC6864] Touch, J., "Updated Specification of the IPv4 ID Field", RFC 6864, DOI 10.17487/RFC6864, February 2013, <http://www.rfc-editor.org/info/rfc6864>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, DOI 10.17487/RFC6887, April 2013, <http://www.rfc-editor.org/info/rfc6887>.
[RFC7040] Cui, Y., Wu, J., Wu, P., Vautrin, O., and Y. Lee, "Public IPv4-over-IPv6 Access Network", RFC 7040, DOI 10.17487/RFC7040, November 2013, <http://www.rfc-editor.org/info/rfc7040>.
[RFC7341] Sun, Q., Cui, Y., Siodelski, M., Krishnan, S., and I. Farrer, "DHCPv4-over-DHCPv6 (DHCP 4o6) Transport", RFC 7341, DOI 10.17487/RFC7341, August 2014, <http://www.rfc-editor.org/info/rfc7341>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., Murakami, T., and T. Taylor, Ed., "Mapping of Address and Port with Encapsulation (MAP-E)", RFC 7597, DOI 10.17487/RFC7597, July 2015, <http://www.rfc-editor.org/info/rfc7597>.
[Stateless-DS-Lite] Penno, R., Durand, A., Clauberg, A., and L. Hoffmann, "Stateless DS-Lite", Work in Progress, draft-penno-softwire-sdnat-02, March 2012.
[TR069] Broadband Forum TR-069, "CPE WAN Management Protocol", Amendment 5, CWMP Version: 1.4, November 2013, <https://www.broadband-forum.org>.
[Unified-v4-in-v6] Boucadair, M., Farrer, I., Perreault, S., Ed., and S. Sivakumar, Ed., "Unified IPv4-in-IPv6 Softwire CPE", Work in Progress, draft-ietf-softwire-unified-cpe-01, May 2013.
Acknowledgements
The authors would like to thank Ole Troan, Ralph Droms, and Suresh Krishnan for their comments and feedback.
This document is a merge of three documents: [B4-Trans-DSLite], [DSLite-LW-Ext], and [Stateless-DS-Lite].
Contributors
The following individuals contributed to this effort:
Jianping Wu Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 China Phone: +86-10-62785983 Email: jianping@cernet.edu.cn
Peng Wu Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 China Phone: +86-10-62785822 Email: pengwu.thu@gmail.com
Qi Sun Tsinghua University Beijing 100084 China Phone: +86-10-62785822 Email: sunqi@csnet1.cs.tsinghua.edu.cn
Chongfeng Xie China Telecom Room 708, No. 118, Xizhimennei Street Beijing 100035 China Phone: +86-10-58552116 Email: xiechf@ctbri.com.cn
Xiaohong Deng The University of New South Wales Sydney NSW 2052 Australia Email: dxhbupt@gmail.com
Cathy Zhou Huawei Technologies Section B, Huawei Industrial Base, Bantian Longgang Shenzhen 518129 China Email: cathyzhou@huawei.com
Alain Durand Juniper Networks 1194 North Mathilda Avenue Sunnyvale, CA 94089-1206 United States Email: adurand@juniper.net
Reinaldo Penno Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 United States Email: repenno@cisco.com
Axel Clauberg Deutsche Telekom AG CTO-ATI Landgrabenweg 151 Bonn 53227 Germany Email: axel.clauberg@telekom.de
Lionel Hoffmann Bouygues Telecom TECHNOPOLE 13/15 Avenue du Marechal Juin Meudon 92360 France Email: lhoffman@bouyguestelecom.fr
Maoke Chen (a.k.a. Noriyuki Arai) BBIX, Inc. Tokyo Shiodome Building, Higashi-Shimbashi 1-9-1 Minato-ku, Tokyo 105-7310 Japan Email: maoke@bbix.net
Authors' Addresses
Yong Cui Tsinghua University Beijing 100084 China
Phone: +86-10-62603059 Email: yong@csnet1.cs.tsinghua.edu.cn
Qiong Sun China Telecom Room 708, No. 118, Xizhimennei Street Beijing 100035 China
Phone: +86-10-58552936 Email: sunqiong@ctbri.com.cn
Mohamed Boucadair France Telecom Rennes 35000 France
Email: mohamed.boucadair@orange.com
Tina Tsou Huawei Technologies 2330 Central Expressway Santa Clara, CA 95050 United States
Phone: +1-408-330-4424 Email: tena@huawei.com
Yiu L. Lee Comcast One Comcast Center Philadelphia, PA 19103 United States
Email: yiu_lee@cable.comcast.com
Ian Farrer Deutsche Telekom AG CTO-ATI, Landgrabenweg 151 Bonn, NRW 53227 Germany
Email: ian.farrer@telekom.de