RFC 2766: Network Address Translation - Protocol Translation (NAT-PT)

Obsoleted by: 4966 HISTORIC

Network Working Group G. Tsirtsis Request for Comments: 2766 BT Category: Standards Track P. Srisuresh Campio Communications February 2000

Network Address Translation - Protocol Translation (NAT-PT)

Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. Abstract This document specifies an IPv4-to-IPv6 transition mechanism, in addition to those already specified in [TRANS]. This solution attempts to provide transparent routing, as defined in [NAT-TERM], to end-nodes in V6 realm trying to communicate with end-nodes in V4 realm and vice versa. This is achieved using a combination of Network Address Translation and Protocol Translation. The scheme described does not mandate dual-stacks (i.e., IPv4 as well as V6 protocol support) or special purpose routing requirements (such as requiring tunneling support) on end nodes. This scheme is based on a combination of address translation theme as described in [NAT-TERM] and V6/V4 protocol translation theme as described in [SIIT]. Acknowledgements Special thanks to Pedro Marques for reviewing an earlier version of this memo. Also, many thanks to Alan O'Neill and Martin Tatham, as the mechanism described in this document was initially developed through discussions with them.

Tsirtsis & Srisuresh Standards Track [Page 1]

RFC 2766 NAT-PT February 20001. Introduction.................................................. 2 2. Terminology................................................... 3 2.1 Network Address Translation (NAT)......................... 4 2.2 NAT-PT flavors............................................ 4 2.2.1 Traditional-NAT-PT................................... 4 2.2.2 Bi-directional-NAT-PT................................ 5 2.3 Protocol Translation (PT)................................. 5 2.4 Application Level Gateway (ALG)........................... 5 2.5 Requirements.............................................. 5 3. Traditional-NAT-PT operation (V6 to V4)....................... 6 3.1 NAT-PT Outgoing Sessions.................................. 6 3.2 NAPT-PT Outgoing Sessions................................. 7 4. Use of DNS-ALG for Address assignment......................... 8 4.1 V4 Address Assignment for Incoming Connections (V4 to V6). 9 4.2 V4 Address Assignment for Outgoing Connections (V6 to V4). 11 5. Protocol Translation Details.................................. 12 5.1 Translating IPv4 Headers to IPv6 Headers.................. 13 5.2 Translating IPv6 Headers to IPv4 Headers.................. 13 5.3 TCP/UDP/ICMP Checksum Update.............................. 13 6. FTP Application Level Gateway (FTP-ALG) Support............... 14 6.1 Payload modifications for V4 originated FTP sessions...... 15 6.2 Payload modifications for V6 originated FTP sessions...... 16 6.3 Header updates for FTP control packets.................... 16 7. NAT-PT Limitations and Future Work............................ 17 7.1 Topology Limitations...................................... 17 7.2 Protocol Translation Limitations.......................... 17 7.3 Impact of Address Translation............................. 18 7.4 Lack of End-to-End Security............................... 18 7.5 DNS Translation and DNSSEC................................ 18 8. Applicability Statement....................................... 18 9. Security Considerations....................................... 19 10. References................................................... 19 Authors' Addresses............................................... 20 Full Copyright Statement......................................... 21 1 . Introduction

Tsirtsis & Srisuresh Standards Track [Page 2]

RFC 2766 NAT-PT February 2000SIIT] describes a protocol translation mechanism that allows communication between IPv6-only and IPv4-only nodes via protocol independent translation of IPv4 and IPv6 datagrams, requiring no state information for the session. The SIIT proposal assumes that V6 nodes are assigned a V4 address for communicating with V4 nodes, and does not specify a mechanism for the assignment of these addresses. NAT-PT uses a pool of V4 addresses for assignment to V6 nodes on a dynamic basis as sessions are initiated across V4-V6 boundaries. The V4 addresses are assumed to be globally unique. NAT-PT with private V4 addresses is outside the scope of this document and for further study. NAT-PT binds addresses in V6 network with addresses in V4 network and vice versa to provide transparent routing [NAT-TERM] for the datagrams traversing between address realms. This requires no changes to end nodes and IP packet routing is completely transparent [NAT-TERM] to end nodes. It does, however, require NAT-PT to track the sessions it supports and mandates that inbound and outbound datagrams pertaining to a session traverse the same NAT-PT router. You will note that the topology restrictions on NAT-PT are the same with those described for V4 NATs in [NAT-TERM]. Protocol translation details specified in [SIIT] would be used to extend address translation with protocol syntax/semantics translation. A detailed applicability statement for NAT-PT may be found at the end of this document in section 7. By combining SIIT protocol translation with the dynamic address translation capabilities of NAT and appropriate ALGs, NAT-PT provides a complete solution that would allow a large number of commonly used applications to interoperate between IPv6-only nodes and IPv4-only A fundamental assumption for NAT-PT is only to be use when no other native IPv6 or IPv6 over IPv4 tunneled means of communication is possible. In other words the aim is to only use translation between IPv6 only nodes and IPv4 only nodes, while translation between IPv6 only nodes and the IPv4 part of a dual stack node should be avoided over other alternatives. 2 . TerminologyNAT-TERM]. The following lists terms specific to this document.

Tsirtsis & Srisuresh Standards Track [Page 3]


RFC 2766 NAT-PT February 20002.1 Network Address Translation (NAT)NAT-TERM], but is not identical. IPv4 NAT translates
   one IPv4 address into another IPv4 address. In this document, NAT
   refers to translation of an IPv4 address into an IPv6 address and
   vice versa.

   While the V4 NAT [NAT-TERM] provides routing between private V4 and
   external V4 address realms, NAT in this document provides routing
   between a V6 address realm and an external V4 address realm.

2.2 NAT-PT flavors2.2.1 Traditional NAT-PTTsirtsis & Srisuresh        Standards Track                     [Page 4]

RFC 2766 NAT-PT February 20002.2.2 Bi-Directional-NAT-PTDNS-ALG] must be employed in conjunction with Bi-Directional-NAT-PT to facilitate name to address mapping. Specifically, the DNS-ALG must be capable of translating V6 addresses in DNS Queries and responses into their V4-address bindings, and vice versa, as DNS packets traverse between V6 and V4 realms. 2.3 Protocol Translation (PT)SIIT]. 2.4 Application Level Gateway (ALG)NAT-TERM] is an application specific agent that allows a V6 node to communicate with a V4 node and vice versa. Some applications carry network addresses in payloads. NAT-PT is application unaware and does not snoop the payload. ALG could work in conjunction with NAT-PT to provide support for many such applications. 2.5 RequirementsKEYWORDS].

Tsirtsis & Srisuresh Standards Track [Page 5]

RFC 2766 NAT-PT February 20003 . Traditional-NAT-PT Operation (V6 to V4)NAT-TERM] and address/protocol translation, allowing a large number of applications in V6 and V4 realms to inter-operate without requiring any changes to these applications. In the following paragraphs we describe the operation of traditional-NAT-PT and the way that connections can be initiated from a host in IPv6 domain to a host in IPv4 domain through a traditional-NAT-PT 3.1 Basic-NAT-PT Operation

Tsirtsis & Srisuresh Standards Track [Page 6]

RFC 2766 NAT-PT February 20003.2 NAPT-PT Operation

Tsirtsis & Srisuresh Standards Track [Page 7]

RFC 2766 NAT-PT February 20004 . Use of DNS-ALG for Address Assignment

Tsirtsis & Srisuresh Standards Track [Page 8]

RFC 2766 NAT-PT February 20004.1 V4 Address assignment for incoming connections (V4 to V6)

Tsirtsis & Srisuresh Standards Track [Page 9]

RFC 2766 NAT-PT February 2000

Tsirtsis & Srisuresh Standards Track [Page 10]

RFC 2766 NAT-PT February 20004.2 V4 Address assignment for outgoing connections (V6 to V4)

Tsirtsis & Srisuresh Standards Track [Page 11]

RFC 2766 NAT-PT February 2000section 7.5 of this document for details. 5 . Protocol Translation DetailsSIIT], but there are some modifications required to SIIT because of the fact that NAT-PT also performs Network Address Translation.

Tsirtsis & Srisuresh Standards Track [Page 12]

RFC 2766 NAT-PT February 20005.1 Translating IPv4 headers to IPv6 headers5.2 Translating IPv6 headers to IPv4 headers5.3 TCP/UDP/ICMP Checksum Update

Tsirtsis & Srisuresh Standards Track [Page 13]

RFC 2766 NAT-PT February 20005.3.1 TCP/UDP/ICMP Checksum Update from IPv4 to IPv6NAT]. In the case of NAPT-PT, TCP/UDP checksum should be adjusted to account for the address and TCP/UDP port changes, going from V4 to V6 address. When the checksum of a V4 UDP packet is set to zero, NAT-PT MUST evaluate the checksum in its entirety for the V6-translated UDP packet. If a V4 UDP packet with a checksum of zero arrives in fragments, NAT-PT MUST await all the fragments until they can be assembled into a single non-fragmented packet and evaluate the checksum prior to forwarding the translated V6 UDP packet. ICMPv6, unlike ICMPv4, uses a pseudo-header, just like UDP and TCP during checksum computation. As a result, when the ICMPv6 header checksum is computed [SIIT], the checksum needs to be adjusted to account for the additional pseudo-header. Note, there may also be adjustments required to the checksum due to changes in the source and destination addresses (and changes in TCP/UDP/ICMP identifiers in the case of NAPT-PT) of the payload carried within ICMP. 5.3.2 TCP/UDP/ICMP Checksum Update from IPv6 to IPv4NAT]. In the case of NAPT-PT, TCP/UDP checksums should be adjusted to account for the address and TCP/UDP port changes, going from V6 to V4 addresses. For UDP packets, optionally, the checksum may simply be changed to zero. The checksum calculation for a V4 ICMP header needs to be derived from the V6 ICMP header by running the checksum adjustment algorithm [NAT] to remove the V6 pseudo header from the computation. Note, the adjustment must additionally take into account changes to the checksum as a result of updates to the source and destination addresses (and transport ports in the case of NAPT-PT) made to the payload carried within ICMP. 6 . FTP Application Level Gateway (FTP-ALG) Support

Tsirtsis & Srisuresh Standards Track [Page 14]

RFC 2766 NAT-PT February 2000FTP-IPV6] suggests EPRT and EPSV command extensions to FTP, with an intent to eventually retire the use of PORT and PASV commands. These extensions may be used on a V4 or V6 node. FTP-ALG, facilitating transparent FTP between V4 and V6 nodes, works as follows. 6.1 Payload modifications for V4 originated FTP sessionsV6ADDR] in the <net-addr> field. TCP port represented by p1,p2 in PORT command must be specified as a decimal <tcp-port> in the EPRT command. Further, <tcp-port> translation may also be required in the case of NAPT-PT. PASV command from a V4 node is be translated into a EPSV command with the <net-prt> argument set to AF #2. EPSV response from a V6 node is translated into PASV response prior to forwarding to the target V4 host. If a V4 host originated the FTP session and was using EPRT and EPSV commands, the FTP-ALG will simply translate the parameters to these commands, without altering the commands themselves. The protocol Number <net-prt> field will be translated from AF #1 to AF #2. <net-addr> will be translated from the V4 address in ASCII to its NAT-PT assigned V6 address in string notation as defined in [V6ADDR]. <tcp-port> argument in EPSV response requires translation only in the case of NAPT-PT.

Tsirtsis & Srisuresh Standards Track [Page 15]

RFC 2766 NAT-PT February 20006.2 Payload modifications for V6 originated FTP sessionsRFC 2428. However, with this approach, the V4 hosts are mandated to have their FTP application upgraded to support EPRT and EPSV extensions to allow access to V4 and V6 hosts, alike. In the second approach, the FTP-ALG will translate the command strings "EPRT" and "EPSV" and their parameters from the V6 node into their equivalent NAT-PT assigned V4 node info and attach to "PORT" and "PASV" commands prior to forwarding to V4 node. Likewise, PASV response from V4 nodes is translated into EPSV response prior to forwarding to the target V6 nodes. However, the FTP-ALG would be unable to translate the command "EPSV<space>ALL" issued by V6 nodes. In such a case, the V4 host, which receives the command, may return an error code indicating unsupported function. This error response may cause many RFC 2428 compliant FTP applications to simply fail, because EPSV support is mandated by RFC 2428. The benefit of this approach, however, is that is does not impose any FTP upgrade requirements on V4 hosts. 6.3 Header updates for FTP control packets

Tsirtsis & Srisuresh Standards Track [Page 16]

RFC 2766 NAT-PT February 20007 . NAT-PT Limitations and Future WorkNAT-TERM] are also associated to NAT-PT. Here are the most important of them in detail, as well as some unique to NAT-PT. 7.1 Topology limitationsNAT-TERM]. Note, this limitation does not apply to packets originating from or directed to dual-stack nodes that do not require packet translation. This is because in a dual-stack set-up, IPv4 addresses implied in a V6 address can be identified from the address format PREFIX::x.y.z.w and a dual-stack router can accordingly route a packet between v4 and dual-stack nodes without tracking state information. This should also not affect IPv6 to IPv6 communication and in fact only actually use translation when no other means of communication is possible. For example NAT-PT may also have a native IPv6 connection and/or some kind of tunneled IPv6 connection. Both of the above connections should be preferred over translation when possible. The above makes sure that NAT-PT is a tool only to be used to assist transition to native IPv6 to IPv6 communication. 7.2 Protocol Translation LimitationsSIIT].

Tsirtsis & Srisuresh Standards Track [Page 17]

RFC 2766 NAT-PT February 20007.3 Impact of Address TranslationNAT-TERM]. 7.4 Lack of end-to-end security7.5 DNS Translation and DNSSECsection 4.2 involves translation of DNS messages. It is clear that this scheme can not be deployed in combination with secure DNS. I.e., an authoritative DNS name server in the V6 domain cannot sign replies to queries that originate from the V4 world. As a result, an V4 end-node that demands DNS replies to be signed will reject replies that have been tampered with by NAT-PT. The good news, however, is that only servers in V6 domain that need to be accessible from the V4 world pay the price for the above limitation, as V4 end-nodes may not access V6 servers due to DNS replies not being signed. Also note that zone transfers between DNS-SEC servers within the same V6 network are not impacted. Clearly, with DNS SEC deployment in DNS servers and end-host resolvers, the scheme suggested in this document would not work. 8 . Applicability Statement

Tsirtsis & Srisuresh Standards Track [Page 18]