   a host in IPv6 domain to a host in IPv4 domain through a
   traditional-NAT-PT

3.1 Basic-NAT-PT Operation

          [IPv6-B]-+
                   |                  +==============+
          [IPv6-A]-+-[NAT-PT]---------| IPv4 network |--[IPv4-C]
                        |             +==============+
                 (pool of v4 addresses)

                     Figure 1: IPv6 to IPv4 communication
           Node IPv6-A has an IPv6 address -> FEDC:BA98::7654:3210
           Node IPv6-B has an IPv6 address -> FEDC:BA98::7654:3211
              Node IPv4-C has an IPv4 address -> 132.146.243.30

   NAT-PT has a pool of addresses including the IPv4 subnet
   120.130.26/24

   The V4 addresses in the address pool could be allocated one-to-one to
   the V6 addresses of the V6 end nodes, in which case one needs as many
   V4 addresses as V6 end points. In this document we assume that the V6
   network has fewer V4 addresses than V6 end nodes and thus dynamic
   address allocation is required for at least some of them.

   Say the IPv6 Node A wants to communicate with the IPv4 Node C.  Node
   A creates a packet with:

      Source Address, SA=FEDC:BA98::7654:3210 and Destination
      Address, DA = PREFIX::132.146.243.30

   NOTE: The prefix PREFIX::/96 is advertised in the stub domain by the
   NAT-PT, and packets addressed to this PREFIX will be routed to the
   NAT-PT. The pre-configured PREFIX only needs to be routable within
   the IPv6 stub domain and as such it can be any routable prefix that
   the network administrator chooses.

   The packet is routed via the NAT-PT gateway, where it is translated
   to IPv4.



Tsirtsis & Srisuresh        Standards Track                     [Page 6]

RFC 2766                         NAT-PT                    February 2000


   If the outgoing packet is not a session initialisation packet, the
   NAT-PT SHOULD already have stored some state about the related
   session, including assigned IPv4 address and other parameters for the
   translation.  If this state does not exist, the packet SHOULD be
   silently discarded.

   If the packet is a session initialisation packet, the NAT-PT locally
   allocates an address (e.g. 120.130.26.10) from its pool of addresses
   and the packet is translated to IPv4. The translation parameters are
   cached for the duration of the session and the IPv6 to IPv4 mapping
   is retained by NAT-PT.

   The resulting IPv4 packet has SA=120.130.26.10 and DA=132.146.243.30.
   Any returning traffic will be recognised as belonging to the same
   session by NAT-PT. NAT-PT will use the state information to translate
   the packet, and the resulting addresses will be
   SA=PREFIX::132.146.243.30, DA=FEDC:BA98::7654:3210.  Note that this
   packet can now be routed inside the IPv6-only stub network as normal.
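
   The outbound and inbound translation steps above, as an added worked
   example in Python that is not part of RFC 2766. It models only the
   address mapping and the per-session state: the IP header and checksum
   rewrite that the protocol translation (SIIT) performs is omitted, and
   a TCP SYN stands in for the "session initialisation packet". The PREFIX
   value 2001:db8::/96 and the two-address pool are assumptions, chosen
   small so that pool exhaustion is visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the RFC leaves PREFIX to the administrator; the documentation
# prefix 2001:db8::/96 stands in for it here.
PREFIX = ipaddress.IPv6Network("2001:db8::/96")


def embed_v4(v4: str) -> ipaddress.IPv6Address:
    """Build PREFIX::a.b.c.d: the IPv4 address occupies the low 32 bits."""
    return ipaddress.IPv6Address(
        int(PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_v4(v6: str) -> ipaddress.IPv4Address:
    """Inverse of embed_v4; refuses addresses that are not under PREFIX::/96."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in PREFIX:
        raise ValueError(f"{addr} is not inside {PREFIX}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    start: bool = False   # True for a session initialisation packet (e.g. TCP SYN)


class NatPT:
    """Basic NAT-PT: one pool address per active v6 node, ports untouched."""

    def __init__(self, pool):
        self.free = [ipaddress.IPv4Address(a) for a in pool]   # constructed pool
        self.v6_to_v4 = {}
        self.v4_to_v6 = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """IPv6 -> IPv4. Returns None when the packet is silently discarded."""
        v6src = ipaddress.IPv6Address(pkt.src)
        v4dst = extract_v4(pkt.dst)
        v4src = self.v6_to_v4.get(v6src)
        if v4src is None:
            if not pkt.start:
                return None          # no cached state and not a session start
            if not self.free:
                return None          # pool exhausted: no new sessions possible
            v4src = self.free.pop(0)
            self.v6_to_v4[v6src] = v4src
            self.v4_to_v6[v4src] = v6src
        return Packet(str(v4src), str(v4dst), pkt.start)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """IPv4 -> IPv6 for traffic addressed to a mapped pool address."""
        v6dst = self.v4_to_v6.get(ipaddress.IPv4Address(pkt.dst))
        if v6dst is None:
            return None              # unknown pool address: drop
        return Packet(str(embed_v4(pkt.src)), str(v6dst), pkt.start)
```

   A non-initial packet with no cached state is dropped rather than
   allocated for, and a third node's session start fails once both pool
   addresses are taken; that second case is the exhaustion that section
   3.2 addresses with port multiplexing.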

3.2 NAPT-PT Operation

   NAPT-PT, which stands for "Network Address Port Translation +
   Protocol Translation", would allow V6 nodes to communicate with the
   V4 nodes transparently using a single V4 address. The TCP/UDP ports
   of the V6 nodes are translated into TCP/UDP ports of the registered
   V4 address.

   While NAPT-PT support is limited to TCP, UDP and other port
   multiplexing types of applications, NAPT-PT solves a problem that is
   inherent with NAT-PT. That is, NAT-PT would fall flat when the pool
   of V4 addresses assigned for translation purposes is exhausted. Once
   the address pool is exhausted, newer V6 nodes cannot establish
   sessions with the outside world anymore. NAPT-PT, on the other hand,
   will allow for a maximum of 63K TCP and 63K UDP sessions per IPv4
   address before having no TCP and UDP ports left to assign.

   To modify the example cited in figure 1, we could have NAPT-PT on the
   border router (instead of NAT-PT) and all V6 addresses could be
   mapped to a single v4 address 120.130.26.10.

   IPv6 Node A would establish a TCP session with the IPv4 Node C as
   follows:

   Node A creates a packet with:

   Source Address, SA=FEDC:BA98::7654:3210 , source TCP port = 3017 and
   Destination Address, DA = PREFIX::132.146.243.30, destination TCP
   port = 23.

   When the packet reaches the NAPT-PT box, NAPT-PT would assign one of
   the TCP ports from the assigned V4 address to translate the tuple of
   (Source Address, Source TCP port) as follows:

      SA=120.130.26.10, source TCP port = 1025  and
      DA=132.146.243.30, destination TCP port = 23.

   The returning traffic from 132.146.243.30, TCP port 23 will be
   recognised as belonging to the same session and will be translated
   back to V6 as follows:

      SA = PREFIX::132.146.243.30, source TCP port = 23;
      DA = FEDC:BA98::7654:3210 , destination TCP port = 3017

   Inbound NAPT-PT sessions are restricted to one server per service,
   assigned via static TCP/UDP port mapping. For example, the Node
   [IPv6-A] in figure 1 may be the only HTTP server (port 80) in the V6
   domain. Node [IPv4-C] sends a packet:

      SA=132.146.243.30, source TCP port = 1025  and
      DA=120.130.26.10, destination TCP port = 80

   NAPT-PT will translate this packet to:

      SA=PREFIX::132.146.243.30, source TCP port = 1025
      DA=FEDC:BA98::7654:3210, destination TCP port = 80

   In the above example, note that all sessions which reach NAPT-PT with
   a destination port of 80 will be redirected to the same node
   [IPv6-A].
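
   The NAPT-PT exchange above (outbound port allocation, the return
   path, and the static inbound mapping for port 80), as an added Python
   example that is not part of RFC 2766. The text says returning traffic
   from 132.146.243.30 port 23 is recognised as the same session; this
   example records the remote endpoint in the session state and drops a
   packet from any other host aimed at a dynamically allocated port,
   which is the check a practitioner would want before exposing the
   registered address. PREFIX 2001:db8::/96 and the port range 1025-1026
   are assumptions; the tiny range makes port exhaustion visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PREFIX = ipaddress.IPv6Network("2001:db8::/96")      # assumption for PREFIX::/96
PUBLIC_V4 = ipaddress.IPv4Address("120.130.26.10")    # the single registered v4 address


def embed_v4(v4: str) -> ipaddress.IPv6Address:
    """PREFIX::a.b.c.d with the v4 address in the low 32 bits."""
    return ipaddress.IPv6Address(
        int(PREFIX.network_address) | int(ipaddress.IPv4Address(v4)))


def extract_v4(v6: str) -> ipaddress.IPv4Address:
    addr = ipaddress.IPv6Address(v6)
    if addr not in PREFIX:
        raise ValueError(f"{addr} is not inside {PREFIX}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    start: bool = False   # session initialisation (TCP SYN)


class NaptPT:
    def __init__(self, static=None, low=1025, high=65535):
        # static: {public port: IPv6 address}, one inbound server per service
        self.static = {p: ipaddress.IPv6Address(a) for p, a in (static or {}).items()}
        self.low, self.high = low, high
        self.sessions = {}   # (v6src, sport, v4dst, dport) -> public port
        self.by_port = {}    # public port -> (v6src, sport, v4dst, dport)

    def _allocate(self) -> Optional[int]:
        for port in range(self.low, self.high + 1):
            if port not in self.by_port and port not in self.static:
                return port
        return None          # every port of the registered address is in use

    def outbound(self, seg: Segment) -> Optional[Segment]:
        """IPv6 -> IPv4; None means silently discarded."""
        key = (ipaddress.IPv6Address(seg.src), seg.sport, extract_v4(seg.dst), seg.dport)
        port = self.sessions.get(key)
        if port is None:
            if not seg.start:
                return None  # no state for a mid-session packet
            port = self._allocate()
            if port is None:
                return None  # ports exhausted
            self.sessions[key] = port
            self.by_port[port] = key
        return Segment(str(PUBLIC_V4), port, str(key[2]), seg.dport, seg.start)

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """IPv4 -> IPv6 via dynamic session state or a static port mapping."""
        if ipaddress.IPv4Address(seg.dst) != PUBLIC_V4:
            return None
        v4src = ipaddress.IPv4Address(seg.src)
        state = self.by_port.get(seg.dport)
        if state is not None:
            v6dst, port, peer, peer_port = state
            # Only the remote endpoint this session was opened to may use the port.
            if (v4src, seg.sport) != (peer, peer_port):
                return None
        elif seg.dport in self.static:
            v6dst, port = self.static[seg.dport], seg.dport
        else:
            return None
        return Segment(str(embed_v4(seg.src)), seg.sport, str(v6dst), port, seg.start)
```

   The allocator also skips statically mapped ports, so an outbound
   session can never be handed port 80 and shadow the inbound server.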

4. Use of DNS-ALG for Address Assignment

   An IPv4 address is assigned by NAT-PT to a V6 node when NAT-PT
   identifies the start of session, inbound or outbound. Identification
   of the start of a new inbound session is performed differently than
   for outbound sessions. However, the same V4 address pool is used for
   assignment to V6 nodes, irrespective of whether a session is
   initiated outbound from a V6 node or initiated inbound from a V4
   node.

   Policies determining what types of sessions are allowed, in which
   direction, and from/to which nodes are out of the scope of this
   document.

   IPv4 name to address mappings are held in the DNS with "A" records.
   IPv6 name to address mappings are at the moment held in the DNS with
   "AAAA" records. "A6" records have also been defined but at the time
   of writing they are neither fully standardized nor deployed.

   In any case, the DNS-ALG's principle of operation described in this
   section is the same with either "AAAA" or "A6" records. The only
   difference is that a name resolution using "A6" records may require
   more than one query - reply pairs. The DNS-ALG SHOULD, in that case,
   track all the replies in the transaction before translating an "A6"
   record to an "A" record.

   One of the aims of the NAT-PT design is to only use translation when
   there is no other means of communication, such as native IPv6 or some
   form of tunneling. For the following discussion, NAT-PT may, in
   addition to its IPv4 connectivity, also have a native IPv6 and/or a
   tunneled IPv6 connection.

4.1 V4 Address assignment for incoming connections (V4 to V6)

        [DNS]--+
               |              [DNS]------[DNS]-------[DNS]
      [IPv6-B]-+                           |           |
               |                  +==============+     |
      [IPv6-A]-+----[NAT-PT]------| IPv4 network |--[IPv4-C]
                       |          +==============+
                 (pool of v4 addresses)

                     Figure 2: IPv4 to IPv6 communication
           Node IPv6-A has an IPv6 address -> FEDC:BA98::7654:3210
           Node IPv6-B has an IPv6 address -> FEDC:BA98::7654:3211
              Node IPv4-C has an IPv4 address -> 132.146.243.30

   NAT-PT  has a pool of addresses including the IPv4 subnet
   120.130.26/24

   In figure 2 above, when Node C's name resolver sends a name lookup
   request for Node A, the lookup query is directed to the DNS server on
   the V6 network. Considering that NAT-PT is residing on the border
   router between V4 and V6 networks, this request datagram would
   traverse through the NAT-PT router. The DNS-ALG on the NAT-PT device
   would modify DNS Queries for A records going into the V6 domain as
   follows: (Note that a TCP/UDP DNS packet is recognised by the fact
   that its source or destination port number is 53)

      a) For Node Name to Node Address Query requests:  Change the Query
         type from "A" to "AAAA" or "A6".

      b) For Node address to Node name query requests:  Replace the
         string "IN-ADDR.ARPA" with the string "IP6.INT".  Replace the
         V4 address octets (in reverse order) preceding the string "IN-
         ADDR.ARPA" with the corresponding V6 address (if there exists a
         map) octets in reverse order.

   In the opposite direction, when a DNS response traverses from the DNS
   server on the V6 network to the V4 node, the DNS-ALG once again
   intercepts the DNS packet and would:

      a) Translate DNS responses for "AAAA" or "A6" records into "A"
         records, (only translate "A6" records when the name has
         completely been resolved)
      b) Replace the V6 address resolved by the V6 DNS with the V4
         address internally assigned by the NAT-PT router.

   If a V4 address is not previously assigned to this V6 node, NAT-PT
   would assign one at this time. As an example, say IPv4-C attempts to
   initialise a session with node IPv6-A by making a name lookup ("A"
   record) for Node-A. The name query goes to the local DNS and from
   there it is propagated to the DNS server of the IPv6 network.  The
   DNS-ALG intercepts and translates the "A" query to "AAAA" or "A6"
   query and then forwards it to the DNS server in the IPv6 network
   which replies as follows: (The example uses AAAA records for
   convenience)

      Node-A    AAAA     FEDC:BA98::7654:3210,

   this is returned by the DNS server and gets intercepted and
   translated by the DNS-ALG to:

      Node-A     A      120.130.26.1

   The DNS-ALG also holds the mapping between FEDC:BA98::7654:3210 and
   120.130.26.1 in NAT-PT. The "A" record is then returned to Node-C.
   Node-C can now  initiate a session as follows:

      SA=132.146.243.30, source TCP port = 1025  and
      DA=120.130.26.1, destination TCP port = 80

   the packet will be routed to NAT-PT, which since it already holds a
   mapping between  FEDC:BA98::7654:3210 and 120.130.26.1 can translate
   the packet to:

      SA=PREFIX::132.146.243.30, source TCP port = 1025
      DA=FEDC:BA98::7654:3210, destination TCP port = 80

   the communication can now proceed as normal.

   The TTL values on all DNS resource records (RRs) passing through
   NAT-PT SHOULD be set to 0 so that DNS servers/clients do not cache
   temporarily assigned RRs. Note, however, that due to some buggy DNS
   client implementations a value of 1 might in some cases work better.
   The TTL values should be left unchanged for statically mapped
   addresses.

   Address mappings for incoming sessions, as described above, are
   subject to denial of service attacks since one can make multiple
   queries for nodes residing in the V6 network causing the DNS-ALG to
   map all V4 addresses in NAT-PT and thus block legitimate incoming
   sessions. Thus, address mappings for incoming sessions should time
   out to minimise the effect of denial of service attacks.
   Additionally, one IPv4 address (using NAPT-PT, see 3.2) could be
   reserved for outgoing sessions only to minimise the effect of such
   attacks to outgoing sessions.
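
   The DNS-ALG behaviour of section 4.1 (query rewriting A -> AAAA and
   IN-ADDR.ARPA -> IP6.INT, response rewriting AAAA -> A with address
   assignment, TTL 0 for dynamic mappings) together with the timeout
   defence against the denial of service described just above, as one
   added Python example that is not part of RFC 2766. It works on
   records already parsed into (name, type, ttl, rdata) tuples rather
   than on DNS wire format, so the port-53 interception and message
   parsing the text mentions are outside it. IP6.INT is kept because
   that is what the RFC specifies; current reverse zones live under
   ip6.arpa. PREFIX 2001:db8::/96, the two-address pool, the lifetime
   parameter and the "now" clock argument are assumptions.

```python
import ipaddress
from typing import Optional

# Assumption: PREFIX::/96 is administrator-chosen; 2001:db8::/96 stands in here.
PREFIX = ipaddress.IPv6Network("2001:db8::/96")


def ip6_int_name(v6: ipaddress.IPv6Address) -> str:
    """Reverse-nibble PTR name under IP6.INT, as section 4.1 specifies."""
    nibbles = v6.exploded.replace(":", "")          # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.int"


class DnsAlg:
    def __init__(self, pool, static=None, lifetime=60.0):
        # pool: constructed list of dynamically assignable v4 addresses; an
        # address reserved for outbound NAPT-PT use is simply never placed in it.
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.static = {ipaddress.IPv6Address(k): ipaddress.IPv4Address(v)
                       for k, v in (static or {}).items()}
        self.dynamic = {}          # v6 -> (v4, expiry)
        self.lifetime = lifetime   # caps how long a lookup-created mapping survives

    def _expire(self, now: float) -> None:
        for v6, (v4, expiry) in list(self.dynamic.items()):
            if expiry <= now:
                del self.dynamic[v6]
                self.free.append(v4)

    def v4_for(self, v6: ipaddress.IPv6Address, now: float):
        """Return (v4, is_static); (None, False) once the pool is exhausted."""
        if v6 in self.static:
            return self.static[v6], True
        self._expire(now)
        if v6 in self.dynamic:
            return self.dynamic[v6][0], False
        if not self.free:
            return None, False
        v4 = self.free.pop(0)
        # A full NAT-PT keeps an in-use mapping alive through its session
        # state; only the lookup-created timer is modelled here.
        self.dynamic[v6] = (v4, now + self.lifetime)
        return v4, False

    def v6_for(self, v4: ipaddress.IPv4Address) -> Optional[ipaddress.IPv6Address]:
        for v6, s4 in self.static.items():
            if s4 == v4:
                return v6
        for v6, (d4, _) in self.dynamic.items():
            if d4 == v4:
                return v6
        return None

    def translate_query(self, qname: str, qtype: str):
        """Rewrite a query entering the v6 domain (steps a and b of section 4.1)."""
        if qtype == "A":
            return qname, "AAAA"
        if qtype == "PTR" and qname.lower().endswith(".in-addr.arpa"):
            octets = qname.split(".")[:4]               # stored in reverse order
            v6 = self.v6_for(ipaddress.IPv4Address(".".join(reversed(octets))))
            if v6 is None:
                return None                             # no mapping to translate through
            return ip6_int_name(v6), "PTR"
        return qname, qtype

    def translate_response(self, records, now: float):
        """Rewrite (name, type, ttl, rdata) answers leaving the v6 domain."""
        out = []
        for name, rtype, ttl, rdata in records:
            if rtype != "AAAA":
                out.append((name, rtype, ttl, rdata))
                continue
            v4, is_static = self.v4_for(ipaddress.IPv6Address(rdata), now)
            if v4 is None:
                continue               # pool exhausted: the record is dropped
            # TTL 0 keeps resolvers from caching a temporary mapping; static
            # mappings keep their original TTL.
            out.append((name, "A", ttl if is_static else 0, str(v4)))
        return out
```

   Against a two-address pool, lookups for three distinct V6 names leave
   the third with an empty answer until a mapping times out; that is the
   denial of service the text describes, bounded by the lifetime rather
   than lasting until an operator intervenes.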

4.2 V4 Address assignment for outgoing connections (V6 to V4)

   V6 nodes learn the address of V4 nodes from the DNS server in the V4
   domain or from the DNS server internal to the V6 network. We
   recommend that DNS servers internal to V6 domains maintain a mapping
   of names to IPv6 addresses for internal nodes and possibly cache
   mappings for some external nodes. In the case where the DNS server in
