Mobility Extensions for IPv6 (mext)                          W. Haddad
Internet-Draft                                                Ericsson
Intended status: Informational                              C. Perkins
Expires: April 14, 2010                                  WiChorus Inc.
                                                      October 11, 2009


              A Note on NAT64 Interaction with Mobile IPv6
             draft-haddad-mext-nat64-mobility-harmful-00

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on April 14, 2010.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Haddad & Perkins          Expires April 14, 2010                [Page 1]

Internet-Draft                NAT64 Mobility                October 2009

Abstract

This memo discusses potential NAT64 technology repercussions for mobile nodes using Mobile IPv6. An ambiguity is identified related to the use of DNS during bootstrapping, which is likely to inhibit proper signaling between mobile node and home agent.

Table of Contents

1.  Introduction
2.  Conventions used in this document
3.  NAT64 Incompatibility with Mobile IPv6
4.  Security Considerations
5.  Acknowledgements
6.  References
    6.1.  Normative References
    6.2.  Informative References
Authors' Addresses

1.  Introduction

NAT64 technology, as described in [I-D.ietf-behave-v6v4-xlate-stateful], enables faster IPv4 network conversion to IPv6-only operation while maintaining contact with the remaining global IPv4 Internet. In this document, we are concerned with IPv6-only nodes attached to a network for which NAT64 provides connectivity with IPv4 networks.

This document aims to highlight potential NAT64 repercussions for mobile nodes using Mobile IPv6 ([I-D.ietf-mext-rfc3775bis]) and attached to a network behind a NAT64.

2.  Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3.  NAT64 Incompatibility with Mobile IPv6

NAT technologies have from the very beginning exhibited numerous incompatibilities with the Internet. Hence, the new incompatibility described in this document should not come as a surprise!
The NAT64 mechanism considered here complies with the DNS64 technology described in [I-D.ietf-behave-dns64], which provides the querying host with a synthetic DNS response in which the queried FQDN is locally translated to an IPv6 address using the v6 prefix assigned to the NAT64 v6 interface. Because the synthetic DNS response carries the translated IPv6 address, the querying node acts as if the destination were also using an IPv6 stack. This, in turn, enables the two nodes to establish a session during which all exchanged packets are routed through the querying node's local NAT64 in order to reach their destinations.

As NAT64 technology is likely to be widely deployed, we consider its behavior in relationship to Mobile IPv6. For this purpose, suppose that a mobile node (MN) configured with an IPv6 home address (HoA) leaves its NAT64-serviced home network, attaches to a foreign network also serviced by NAT64, and configures a new IPv6 address, i.e., a care-of address (CoA). We analyze two scenarios which require using MIPv6 either to maintain a session or to establish an optimal path for exchanging data packets using MIPv6 route optimization (RO).

In the first scenario, suppose that before detaching from its home network, the MN has established a session with a correspondent node (CN) which is attached to an IPv4 network. Due to the NAT64 presence in the home network, the MN acts as if it were communicating with an IPv6-enabled CN. Hence, upon attaching to the new NAT64-serviced foreign network, the MN decides to run the MIPv6 return routability (RR) procedure with the CN by first sending a Home Test Init (HoTI) message via its home agent (HA). Such messages will be discarded either by the CN or by a more intelligent NAT64, in which case the discard would likely be followed by an ICMP message sent to the MN. In both cases, the MN can detect that the RR procedure is failing.
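As an added illustration (not part of the draft), the following Python builds the synthetic AAAA answer DNS64 returns and shows why the two scenarios in this section end differently: an address synthesized under the home NAT64 prefix remains reachable through the home agent, whereas one synthesized under the foreign prefix is not. The /96 prefix embedding, the two NAT64 prefixes, the CN addresses and the mode names are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample values (not from the draft): the home and foreign
# NAT64 /96 prefixes, the IPv4 address of an IPv4-only CN and, for
# comparison, a native IPv6 CN that needs no translation.
HOME_NAT64 = ipaddress.IPv6Network("2001:db8:1:64::/96")
FOREIGN_NAT64 = ipaddress.IPv6Network("2001:db8:2:64::/96")
CN_IPV4 = ipaddress.IPv4Address("192.0.2.10")
NATIVE_CN = ipaddress.IPv6Address("2001:db8:ffff::1")


def dns64_synthesize(prefix, v4):
    """Synthetic AAAA record as DNS64 would return it: the 32-bit IPv4
    address fills the low-order bits of the NAT64 prefix.  Assumes a /96
    prefix; the draft only says the FQDN is mapped into the NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("helper assumes a /96 NAT64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def embedded_ipv4(prefix, v6):
    """Recover the IPv4 address a synthetic address points at, or None if
    the address is not a synthesis under this prefix."""
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def mipv6_mode(cn, home_nat64, visited_nat64):
    """What a MN attached to a visited network can expect from MIPv6 for a
    given CN address (a local-policy check, not a mechanism of the draft).
      'ro'       - native IPv6 CN: RR and route optimization can work
      'bt-only'  - home-NAT64 synthesis: RR fails, but the HA still forwards
                   tunneled packets to the home NAT64 (first scenario)
      'ha-drops' - visited-NAT64 synthesis: RR fails and packets tunneled
                   via the HA carry a prefix the HA cannot reach (second
                   scenario)"""
    if cn in visited_nat64 and visited_nat64 != home_nat64:
        return "ha-drops"
    if cn in home_nat64:
        return "bt-only"
    return "ro"


if __name__ == "__main__":
    at_home = dns64_synthesize(HOME_NAT64, CN_IPV4)
    abroad = dns64_synthesize(FOREIGN_NAT64, CN_IPV4)
    for addr in (at_home, abroad, NATIVE_CN):
        v4 = embedded_ipv4(HOME_NAT64, addr) or embedded_ipv4(FOREIGN_NAT64, addr)
        print(addr, "->", v4, mipv6_mode(addr, HOME_NAT64, FOREIGN_NAT64))
```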
Consequently, there is little harm to the MN's communications and no data packet loss, since the MN will keep using MIPv6 bidirectional tunneling (BT) mode.

However, the situation worsens when we consider another scenario in which the MN decides to establish a session with the same CN from the foreign NAT64-serviced network. In such a case, the MN will first obtain a synthetic DNS reply which presents the CN as being an IPv6-enabled node. Based on that, the MN may try to create a binding at the CN. The MN might first run the RR procedure, which will ultimately fail (for the same reasons as in the first scenario). More likely, the MN will initiate the session with the CN by using the BT mode and then switching to the RO mode. In this case, the MN first tunnels its data packets to its HA without their being intercepted by the foreign NAT64. However, after reaching the HA, the data packets will most likely be dropped at some point. This is due to the presence of the foreign NAT64 IPv6 prefix in the CN's IPv6 address.

4.  Security Considerations

This document describes scenarios where a NAT64, using DNS64, can disrupt communications to a mobile node visiting the associated network. It does not introduce any new security vulnerabilities, provide any guidance about how to improve security, or describe any effects on existing security practices.

5.  Acknowledgements

Thanks to Francis Dupont and Joel Halpern for reviewing the document at an early stage.

6.  References

6.1.  Normative References

[I-D.ietf-mext-rfc3775bis]
   Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", draft-ietf-mext-rfc3775bis-04 (work in progress), July 2009.

[RFC2119]
   Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

6.2.  Informative References

[I-D.ietf-behave-dns64]
   Bagnulo, M., Sullivan, A., Matthews, P., and I. Beijnum, "DNS64: DNS extensions for Network Address Translation from IPv6 Clients to IPv4 Servers", draft-ietf-behave-dns64-00 (work in progress), July 2009.

[I-D.ietf-behave-v6v4-xlate-stateful]
   Bagnulo, M., Matthews, P., and I. Beijnum, "NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", draft-ietf-behave-v6v4-xlate-stateful-01 (work in progress), July 2009.

Authors' Addresses

Wassim Haddad
Ericsson
6210 Spine Road
Boulder, CO 80301
US

Phone: +303 473 6963
Email: Wassim.Haddad@ericsson.com


Charles E. Perkins
WiChorus Inc.
3590 North, 1st Street, Suite 300
San Jose, CA 95134
US

Email: Charliep@computer.org