Source Address Finding (SAF) for IPv6 Translation Mechanisms

SLIDE 1

Source Address Finding (SAF) for IPv6 Translation Mechanisms

draft-thaler-ipv6-saf-01.txt

Dave Thaler

dthaler@microsoft.com

IETF 74 - 6AI BOF

SLIDE 2

UNilateral Self-Address Fixing (UNSAF)

  • 1:1 address mappings (NAT66) avoid most of the issues with NAT, except:
    – Address seen by other end is different from what is seen locally
  • Many apps break when both ends don’t see the same address
  • IAB RFC 3424 (November 2002) defined “UNSAF”:
    – UNSAF mechanisms learn the address others see you as
    – endpoint “fixes” up the address it reports/advertises, since it’s different from what the endpoint originally thought
    – UNSAF mechanisms “can be considered at best as short term fixes”
    – UNSAF mechanisms require an exit strategy
  • Previously it was “IPv6”, but not if we end up with NAT66…

SLIDE 3

SAF = Source Address Finding

  • Can regain end-to-end transparency if
    1. Use reversible 1:1 translation between host and NAT66
    2. Learn (“find”) the external address and assign it to a virtual interface in the host
  • Compare vs tunnel-with-header-compression
    – Same: no changes to TCP/IP, sockets, apps required
    – Different: allows single-box deployment (at expense of losing e2e transparency) as a deployment step

SLIDE 4

Incremental deployment (1/2)

[Diagram: IPv6 Internet, NAT66 boxes, host addresses A::B and X::Y]

  • Someone drops in 1 or more NAT66 boxes
  • Some apps work (same that work through NAT44)
  • Some apps break
  • Network still sees some benefit
  • Hosts still see some pain

SLIDE 5

Incremental deployment (2/2)

[Diagram: IPv6 Internet, NAT66 boxes, NAT66 VIf(s) on the hosts, addresses X::Y and A::B]

  • Upgrade hosts
  • Host finds X::Y
  • Host adds it on virtual interface
  • TCP/IP uses it normally
  • VIf translates X::Y to A::B, NAT66 translates it back
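
The two conditions on slide 3 and the packet path on slide 5, as an added Python example that is not part of the original presentation. The prefixes fd00:a::/64 and 2001:db8:1::/64 are constructed stand-ins for A:: and X::, the plain prefix swap is an assumed form of reversible 1:1 translation, and the SAF step is simulated because the slides leave the actual mechanism out of scope.

```python
import ipaddress

# Constructed sample prefixes (assumptions, not taken from the slides).
INTERNAL = ipaddress.IPv6Network("fd00:a::/64")      # the "A::" side, inside the NAT66
EXTERNAL = ipaddress.IPv6Network("2001:db8:1::/64")  # the "X::" side, seen by the Internet


def swap_prefix(addr, src_net, dst_net):
    """Reversible 1:1 map: replace src_net's prefix with dst_net's, keep host bits."""
    addr = ipaddress.IPv6Address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if addr not in src_net:
        return addr  # outside the mapped prefix: pass through unchanged
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.IPv6Address(int(dst_net.network_address) | host_bits)


def nat66_outbound(src):
    """NAT66 box: rewrite an internal source address to its external form."""
    return swap_prefix(src, INTERNAL, EXTERNAL)


def vif_outbound(src):
    """Host virtual interface: rewrite the external source back to internal."""
    return swap_prefix(src, EXTERNAL, INTERNAL)


def views(internal_addr, upgraded):
    """Return (address the app uses, source on the inside wire, source the peer sees)."""
    internal_addr = ipaddress.IPv6Address(internal_addr)
    if upgraded:
        # Simulated SAF step: the host has "found" X::Y and assigned it to the VIf.
        app_addr = swap_prefix(internal_addr, INTERNAL, EXTERNAL)
        wire = vif_outbound(app_addr)
    else:
        # Slide 4 case: the stack only knows A::B, so the app advertises A::B.
        app_addr = wire = internal_addr
    return app_addr, wire, nat66_outbound(wire)


if __name__ == "__main__":
    for upgraded in (False, True):
        app, wire, peer = views("fd00:a::b", upgraded)
        print(f"upgraded={upgraded}: app={app} wire={wire} peer={peer} "
              f"same_at_both_ends={app == peer}")
```
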

SLIDE 6

SAF Mechanisms

  • A “SAF” mechanism is one that learns the information needed to configure the virtual interface
  • Discussion of actual mechanisms is out of scope for this document and presentation
    – But it’s not rocket science
    – No per-flow negotiation needed since address is flow-independent
    – Need not involve changes to NAT66 devices
  • Discussion of architectural constraints is in scope

SLIDE 7

Requirements for SAF Mechanisms

  1. MUST find external addresses (and other config)
  2. SHOULD work even if network beyond NAT66 is unreachable
  3. MUST learn Valid/Preferred lifetimes of addrs
  4. MUST NOT require a separate external address per translator
  5. SHOULD support RFC3041 (privacy) addrs
  6. SHOULD support CGAs