Network Working Group C. Liu
Internet-Draft Q. Sun
Intended status: Informational J. Wu
Expires: December 31, 2016 Tsinghua University
I. Farrer
Deutsche Telekom AG
June 29, 2016
Dynamic IPv4 Provisioning for Lightweight 4over6
draft-liu-softwire-lw4over6-dynamic-provisioning-02
Abstract
Lightweight 4over6 [RFC7596] is an IPv4 over IPv6 hub-and-spoke
mechanism that provides overlay IPv4 services in an IPv6-only access
network. It uses a deterministic, DHCPv6 based method for the
provisioning of IPv4 addresses and port sets to customer CE devices.
This document describes how existing specifications can be used for
the dynamic IPv4 provisioning of Lightweight 4over6, based on DHCPv4
over DHCPv6 [RFC7341].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 31, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Liu, et al. Expires December 31, 2016 [Page 1]
Internet-Draft lw4over6 dynamic provisioning June 2016
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Dynamic Provisioning Model . . . . . . . . . . . . . . . . . 4
3.1. Flow 1: lwB4's IPv6 Addressing and DHCPv6 Configuration . 4
3.2. Flow 2: DHCP 4o6 Function . . . . . . . . . . . . . . . . 5
3.3. Flow 3: lwAFTR Binding Table Maintainence . . . . . . . . 5
3.3.1. Flow 3a: Binding Table Maintenance for Co-located
lwAFTR/DHCP 4o6 Functions . . . . . . . . . . . 5
3.3.2. Flow 3b: Binding Table Maintenance for Distributed
lwAFTR/DHCP 4o6 Functions . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6
4.1. Data Retention Requirements . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
6.1. Normative References . . . . . . . . . . . . . . . . . . 7
6.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Lightweight 4over6 [RFC7596] (lw4o6) provides IPv4 access over an
IPv6 network with a hub-and-spoke softwire architecture. In
Lightweight 4over6, each Lightweight B4 (lwB4) is assigned a full, or
shared (port-restricted) IPv4 address to be used for IPv4
communication. Provisioning the lwB4 with its IPv4 address, port set
and other parameters necessary for building the softwire is a core
function of the lw4o6 control plane.
[RFC7596] describes the use of DHCPv6 for deterministic IPv4
provisioning. The IPv4 address, port set ID (PSID) and address of
the lwAFTR are carried in DHCPv6 options defined in [RFC7598].
However, the deterministic provisioning of the IPv4 parameters
imposes restrictions on the deployment:
o The IPv4 address' life time is bound to the client's IPv6 tunnel
endpoint life time
o The tunnel must be initiated from a fixed and predictable /64
prefix in the home network topology
Liu, et al. Expires December 31, 2016 [Page 2]
Internet-Draft lw4over6 dynamic provisioning June 2016
o The IPv4 address and PSID need to be embedded into the IID of the
clients' /128 IPv6 address
o IPv4 address resources are permanently reserved for a client
whether it is active or not. This results in less efficient
public IPv4 address usage
This document describes how lw4o6 uses DHCPv4 over DHCPv6 to achieve
dynamic IPv4 address provisioning. The main advantages of using a
dynamic provisioning model over a deterministic provisioning model
are as follows:
o No inherent restrictions on the IPv6 source address within the
customer internal network that the client uses for sourcing its
tunneled traffic
o The lifetimes of IPv6 and IPv4 addresses are decoupled, allowing
for more flexibility in the service provider's addressing policy
o Inactive clients' addresses can be released/reclaimed for
allocation to active clients, so more efficient address usage is
possible
Since DHCPv4 over IPv4 cannot be used natively in a pure IPv6
network, DHCPv4 over DHCPv6 (DHCP 4o6) [RFC7341] allows DHCPv4
messages to be trasported over a pure IPv6 network by encapsulating
DHCPv4 messages into specific DHCPv6 options and messages.
Note that the dynamic provisioning decouples the IPv6 and IPv4
addresses, the binding info required by lwAFTR turns to be an
ayschronous combiantion of (restricted) IPv4 address and IPv6
address. [I-D.fsc-softwire-dhcp4o6-saddr-opt] defines a DHCP 4o6
based mechanism for the lwB4 to inform the server of its binding
between dynamically allocated IPv4 address and Port Set ID and the
IPv6 address that it will use for accessing IPv4-over-IPv6 services
The architecture which is described in this document can be
implemented with or without the sharing of IPv4 addresses between
multiple clients. If IPv4 address sharing is required, then
[RFC7618] describes the necessary extensions to the DHCPv4 server and
client provisioning for the allocation and lease management of shared
IPv4 addresses.
2. Terminology
Terminology defined in [RFC7341] and [RFC7596] is used extensively
throughout this document.
Liu, et al. Expires December 31, 2016 [Page 3]
Internet-Draft lw4over6 dynamic provisioning June 2016
Determinstic provisioning: Lightweight B4 provisioning with DHCPv6 as
described in section 5.1 of [RFC7596]. The IPv4 address, restricted
port set and the address of lwAFTR are carried in DHCPv6 options
defined in [RFC7598].
Dynamic provisioning: Lightweight B4 provisioning with DHCPv4 over
DHCPv6 as described in this document. The IPv4 address and
rescricted port set are allocated through DHCP 4o6 transport as
defined in [RFC7341]. The allocation of lwAFTR's IPv6 address is
descirbed in [I-D.fsc-softwire-dhcp4o6-saddr-opt].
3. Dynamic Provisioning Model
As shown in Figure 1, the dynamic provisioning model consists of four
functional elements: lwB4, lwAFTR, DHCPv6 Server and DHCP 4o6 Server.
Note that these elements are not necessarily separate devices, one or
more functional elements could be located on a single device. One
existing example of this is the co-location of the DHCP 4o6 Server
and lwAFTR as a single gateway device. The differences in the
message flow from this co-location are also described below.
________ __________
| | | |
| DHCPv6 | | DHCP 4o6 |
| Server | | Server |
|________| |__________|
^ / \
1 | 2 / \ 3a/b
___v____ / \ ________
| | | |
| lwB4 |<---------------->| lwAFTR |
|________| Data Plane |________|
The numbers corresponding to each of the provisioning flows are
described in more detail below.
Figure 1: Dynamic lw4o6 Provisioning Model
3.1. Flow 1: lwB4's IPv6 Addressing and DHCPv6 Configuration
Before attempting the DHCP 4o6 configuration process to obtain IPv4
configuration, the lwB4 requires an IPv6 address of a suitable scope
to allow communication with the lwAFTR (e.g. a link-local address
cannot be used). This IPv6 address can be configured using any
applicable method (e.g. SLAAC, DHCPv6, etc.).
To enable DHCPv4 over DHCPv6 transport, the lwB4 needs to perform
DHCPv6 to retrieve the DHCP 4o6 server's IPv6 address. The option
Liu, et al. Expires December 31, 2016 [Page 4]
Internet-Draft lw4over6 dynamic provisioning June 2016
code OPTION_DHCP4_O_DHCP6_SERVER (88) is included in the client's
ORO. The DHCPv6 server responds the DHCP 4o6 server's IPv6 address
by carrying the addresses in DHCP 4o6 Server Address option as
defined in [RFC7341].
3.2. Flow 2: DHCP 4o6 Function
Once the lwB4 has acquired the IPv6 address of the DHCP 4o6 server,
stateful configuration using DHCP 4o6 is performed to obtain an IPv4
address and (optionally) a port set. The lwB4 sends a DHCPv4
DISCOVER message in a DHCPv4-query Message to the DHCP 4o6 server(s)
to activate the DHCP 4o6 transport. To obtain a shared IPv4 address,
the lwB4 also has to include Parameter Request List option with the
option code OPTION_V4_PORTPARAMS (159) as described in [RFC7618].
To obtain the IPv6 address of lwAFTR and inform the DHCP4o6 server of
the lwB4's IPv6 tunnle source address, the message flow described in
section 5 of [I-D.fsc-softwire-dhcp4o6-saddr-opt] is followed by the
lwB4.
Once successfully completed, the client has been provisioned with the
IPv6 address of the lwAFTR, an IPv4 address and (optionally) a range
of source ports. The server has the /128 IPv6 address that the
client will use its tunnel source associated with the IPv4 lease.
3.3. Flow 3: lwAFTR Binding Table Maintainence
As stated in [RFC7596], the lwAFTR MUST synchronize the binding
information with the port-restricted address provisioning process.
In the dynamic provisioning model described in this document, once
the lwB4's provisioning process is completed and the DHCP 4o6 server
holds the client's /128 IPv6 tunnel endpoint address, this binding
information can be syncronized with the lwAFTR. The method for this
synchronization is dependent on whether the DHCP 4o6 and lwAFTR
functions are co-located on the same physical host.
3.3.1. Flow 3a: Binding Table Maintenance for Co-located lwAFTR/DHCP
4o6 Functions
Here, the lwAFTR maintains its binding table as per section 6.1 of
[RFC7596] and is synchronized with DHCP 4o6 process. The following
DHCP 4o6 messages trigger binding table modification:
DHCPACK: Generated by the DHCP 4o6 server, triggers lwAFTR to add a
new entry or modify an existing entry.
DHCPRELEASE: Generated by lwB4, triggers lwAFTR to delete an
existing entry.
Liu, et al. Expires December 31, 2016 [Page 5]
Internet-Draft lw4over6 dynamic provisioning June 2016
When the DHCP 4o6 server generates a DHCPACK message, information
about the new lease including the client's IPv6 tunnel endpoint
address and IPv4 address/PSID tuple is sent to the lwAFTR process.
The lwAFTR performs a check that this new binding does not match an
existing binding (both the v6 and v4 information must be checked
independently to ensure no conflicts). If no conflicts are found the
lwAFTR creates a new binding table entry for the client.
If there an existing entry is found, the lwAFTR updates the IPv6
address and lifetime fields of the entry.
When the DHCP 4o6 server receives a DHCPRELEASE message, the lwAFTR
looks up the binding table using the lwB4's IPv6 address, IPv4
address and PSID as index. The lwAFTR deletes the entry either by
removing it from the binding table or by marking the lifetime field
with an invalid value (e.g. 0).
3.3.2. Flow 3b: Binding Table Maintenance for Distributed lwAFTR/DHCP
4o6 Functions
With this architecture, NETCONF [RFC6241] is used for syncronising
client DHCP 4o6 provisioning and the lwAFTR binding table. A YANG
model for lw4o6 is defined in [I-D.sun-softwire-yang]. In this
deployment model, the DHCP 4o6 server and lwAFTR also implements a
NETCONF server. When an IPv4 leasing event occurs (DHCPACK/
DHCPRELEASE messages, or an active lease expiring), the DHCP 4o6
server informs the operator's centralised configuration database of
the change.
The operator's configuration database will then use NETCONF to update
the lwAFTR of the relevant change by adding or removing the binding
table entry which matches he DHCP 4o6 server's IPv4 address lease.
4. Security Considerations
Security considerations in [RFC7596] and [RFC7341] are also relevant
here.
The DHCP message triggered binding table maintenance may be used by
an attacker to send fake DHCP messages to lwAFTR. The operator
network should deploy [RFC2827] to prevent this kind of attack.
4.1. Data Retention Requirements
In some countries, regulations require a service providers to retain
the necessary information to link IP allocatoin information to a
specific customer at a specific point in time.
Liu, et al. Expires December 31, 2016 [Page 6]
Internet-Draft lw4over6 dynamic provisioning June 2016
With a deterministic provisioning model, any individual client will
always receive a pre-determined set of IPv4 provisioning
requirements. In this scenario, the logging requirement may be met
by retaining information on how the DHCPv6 server has been pre-
provisioned, with timestamp information on when changes to the pre-
provisioning have come into effect.
The dynamic provisioning model that is described in this document
brings an additional logging requirement to the service provider: The
retention logs holding allocated IPv4 address and ports, the
associated IPv6 tunnel endpoint and timestamps marking the start and
end of the lease. This is a higher logging overheard than
deterministic provisioning, but is in line with the amount of logging
that service providers currently have.
5. IANA Considerations
This document does not include an IANA request.
6. References
6.1. Normative References
[I-D.fsc-softwire-dhcp4o6-saddr-opt]
Farrer, I., Sun, Q., and Y. Cui, "DHCPv4 over DHCPv6
Source Address Option", draft-fsc-softwire-dhcp4o6-saddr-
opt-04 (work in progress), November 2015.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <http://www.rfc-editor.org/info/rfc2827>.
[RFC7341] Sun, Q., Cui, Y., Siodelski, M., Krishnan, S., and I.
Farrer, "DHCPv4-over-DHCPv6 (DHCP 4o6) Transport",
RFC 7341, DOI 10.17487/RFC7341, August 2014,
<http://www.rfc-editor.org/info/rfc7341>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
Farrer, "Lightweight 4over6: An Extension to the Dual-
Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
July 2015, <http://www.rfc-editor.org/info/rfc7596>.
[RFC7618] Cui, Y., Sun, Q., Farrer, I., Lee, Y., Sun, Q., and M.
Boucadair, "Dynamic Allocation of Shared IPv4 Addresses",
RFC 7618, DOI 10.17487/RFC7618, August 2015,
<http://www.rfc-editor.org/info/rfc7618>.
Liu, et al. Expires December 31, 2016 [Page 7]
Internet-Draft lw4over6 dynamic provisioning June 2016
6.2. Informative References
[I-D.sun-softwire-yang]
Sun, Q., Wang, H., Cui, Y., Farrer, I., Boucadair, M., and
R. Asati, "YANG Data Model for IPv4-in-IPv6 Softwire",
draft-sun-softwire-yang-04 (work in progress), October
2015.
[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
C., and M. Carney, "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
2003, <http://www.rfc-editor.org/info/rfc3315>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<http://www.rfc-editor.org/info/rfc6241>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013,
<http://www.rfc-editor.org/info/rfc6887>.
[RFC7598] Mrugalski, T., Troan, O., Farrer, I., Perreault, S., Dec,
W., Bao, C., Yeh, L., and X. Deng, "DHCPv6 Options for
Configuration of Softwire Address and Port-Mapped
Clients", RFC 7598, DOI 10.17487/RFC7598, July 2015,
<http://www.rfc-editor.org/info/rfc7598>.
Authors' Addresses
Cong Liu
Tsinghua University
Department of Computer Science, Tsinghua University
Beijing 100084
P.R.China
Phone: +86-10-6278-5822
Email: cong-liu13@mails.tsinghua.edu.cn
Liu, et al. Expires December 31, 2016 [Page 8]
Internet-Draft lw4over6 dynamic provisioning June 2016
Qi Sun
Tsinghua University
Department of Computer Science, Tsinghua University
Beijing 100084
P.R.China
Phone: +86-10-6278-5822
Email: sunqi@csnet1.cs.tsinghua.edu.cn
Jianping Wu
Tsinghua University
Department of Computer Science, Tsinghua University
Beijing 100084
P.R.China
Phone: +86-10-6278-5983
Email: jianping@cernet.edu.cn
Ian Farrer
Deutsche Telekom AG
CTO-ATI,Landgrabenweg 151
Bonn, NRW 53227
Germany
Email: ian.farrer@telekom.de
Liu, et al. Expires December 31, 2016 [Page 9]