WDIFF

draft-ietf-ngtrans-isatap-02.txt --> draft-ietf-ngtrans-isatap-03.txt

NGTRANS Working Group Fred L. F. Templin
INTERNET-DRAFT SRI International
T. Gleeson
Cisco Systems K.K.
M. Talwar
D. Thaler
Microsoft Corporation

Expires 21 May 2001 21 November 2001 30 July 2002 30 January 2002

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

draft-ietf-ngtrans-isatap-02.txt

draft-ietf-ngtrans-isatap-03.txt

Abstract

This document specifies an intra-site automatic tunneling protocol the Intra-Site Automatic Tunnel Addressing
Protocol (ISATAP) for connecting that connects IPv6 hosts and routers (nodes) within
predominantly IPv4-based networks. This method is based on an IPv6
aggregatable global unicast address format (described herein) that
embeds the
IPv4 address of sites. ISATAP is a node within the EUI-64 format interface
identifier. This document assumes that, during the IPv4 to IPv6 co-
existence and transition phase, many sites will deploy mechanism that enables incremental
deployment of IPv6
incrementally within their IPv4 interior routing domains; especially
those sites which have large and complex pre-existing IPv4
infrastructures. Within such sites, by treating the address format and methods
described in this document will enable IPv6 deployment for nodes that
do not share site's IPv4 infrastructure as a common
Non-Broadcast Multiple Access (NBMA) link with an IPv6 gateway for their site.

While other works in progress in the NGTRANS working group propose layer. ISATAP mechanisms for assigning globally-unique
use a new IPv6 interface identifier format that embeds an IPv4
address prefixes to
sites and methods for inter-domain routing between such sites, the
approach outlined in - this memo enables large-scale incremental
deployment of IPv6 for nodes automatic IPv6-in-IPv4 tunneling within a site's pre-existing IPv4
infrastructure without incurring aggregation scaling issues at
site, whether the
border gateways nor requiring site-wide deployment of special site uses globally assigned or private IPv4
services such as multicast.
addresses. The approach proposed by new interface identifier format can be used with both
local and global unicast IPv6 prefixes - this document
supports enables IPv6 routing within
both the site-local locally and global IPv6 globally. ISATAP mechanisms introduce no impact on
routing domains as well as automatic IPv6 in IPv4 tunneling across
portions of a site's IPv4 infrastructure which have table size and require no native IPv6
support. Additionally, this approach supports automatic tunneling
within sites which use non globally-unique special IPv4 address assignments,
such as when Network Address Translation [NAT] is used. services (e.g., IPv4
multicast).

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Templin Expires 21 May 2001 [Page 1]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can

Templin, et. al. Expires 30 July 2002 [Page 1]

INTERNET-DRAFT ISATAP 30 January 2002

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

1. Introduction

The IETF NGTRANS working group anticipates an heterogeneous IPv4/IPv6
infrastructure in the near future and thus is chartered to develop
mechanisms to support IPv4/IPv6 coexistence and transition toward
global IPv6 deployment. For the most part, existing NGTRANS
approaches focus on inter-domain routing between IPv6 islands using
the existing global IPv4 backbone as transit. But, these islands may
themselves comprise complex heterogeneous IPv4/IPv6 networks (e.g.
large academic or commercial campus intranets) that require intra-
domain IPv4 to IPv6 transition mechanisms and strategies as well. In
order to address this requirement, this

This document presents a simple
and simple, scalable approach that enables
incremental deployment of IPv6
nodes within predominantly IPv4-based intranets. sites in a manner
that is compatible with inter-domain transition mechanisms, e.g.,
[6TO4]. We refer to this approach as the Intra-Site Automatic Tunnel
Addressing Protocol, or ISATAP (pronounced: "ice-a-tap"). ISATAP is based on an aggregatable global unicast address format that
carries a standard 64-bit IPv6 address prefix [ADDR][AGGR] with a
specially-constructed 64-bit EUI-64 Interface Identifier [EUI64].
This address format is fully compatible with both native IPv6 and
NGTRANS routing practices (e.g. [6to4],[6BONE]). But, the interface
identifier in an ISATAP address employs a special construction that
encapsulates an IPv4 address suitable for automatic IPv6-in-IPv4 tun-
neling. Since tunneling occurs only within the site-level prefix of
the ISATAP address, the embedded IPv4 address NEED NOT be globally
unique; rather, it need only be topologically correct for (and unique
within) the context of the site.

ISATAP
allows dual-stack nodes that do not share a common link with

Templin Expires 21 May 2001 [Page 2]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001 an IPv6 gateway
router to join the global IPv6 network by automatically tun-
neling tunnel packets to the IPv6 messages next-hop address
through IPv4, i.e., the site's IPv4 routing infrastructure within
their site. Two methods is treated as an
NBMA link layer.

This document specifies details for automatic discovery the transmission of an IPv6 gateway
for packets
over ISATAP links (i.e., automatic IPv6-in-IPv4 tunneling), including
a new EUI-64 [EUI64] based interface identifier [ADDR][AGGR] format
that embeds an IPv4 address. This format supports configuration of
global, site-local and link-local addresses as specified in [AUTO] as
well as simple link-layer address autoconfiguration mapping. Simple validity checks for
received packets are provided. This approach
allows large-scale intra-site deployment without incurring aggrega-
tion scaling issues at border gateways, since only a single global given. Also specified in this document is the
operation of IPv6 address prefix need be used Neighbor Discovery for the entire site. (Multiple pre-
fixes are, however, supported ISATAP, as permitted for
NBMA links by [DISC]. The document finally presents deployment and may be used
security considerations for ISATAP.

2. Applicability Statement

ISATAP provides the following features:

- treats site's IPv4 infrastructure as an NBMA link layer using
automatic IPv6-in-IPv4 tunneling (i.e., no configured tunnel state)

- enables incremental deployment of IPv6 hosts within IPv4 sites with
no aggregation scaling issues at border gateways

- requires no special IPv4 services within the site renumbering (e.g., multicast)

- supports both stateless address autoconfiguration and simliar purposes.) Finally, this approach manual
configuration

Templin, et. al. Expires 30 July 2002 [Page 2]

INTERNET-DRAFT ISATAP 30 January 2002

- supports networks which that use non-globally unique IPv4 addresses, such as addresses (e.g.,
when private address allocations [PRIVATE] and/or are used), but does not
allow the virtual ISATAP link to span a Network Address Translation
Translator [NAT] are
used.

2. Changes

Major changes from version 01 to version 02:

- Cleaned up text and tightened up terminology. Changed "IPv6 destination
address" to "IPv6 next-hop address" under "sending rules". Changed
definition compatible with other NGTRANS mechanisms (e.g., [6TO4])

3. Terminology

The terminology of ISATAP prefix [IPv6] applies to include this document. The following
additional terms are defined:

link:
same definition as [AUTO][DISC].

underlying link:
a link layer that supports IPv4 (for ISATAP), and site-local. Changed
language in sections 4 and 5

- Updated status of Linux implementation

Major changes from version 00 to version 01:

- Revised draft to require *different* /64 prefixs for MAY also support
IPv6 natively.

ISATAP link:
one or more underlying links used for IPv4 tunneling. The IPv4
network layer addresses and native IPv6 addresses. Thus, of the underlying links are used as
link-layer addresses on the ISATAP link.

ISATAP interface:
a node's attachment to an ISATAP
interface is assigned link.

ISATAP prefix:
a /64 prefix that is distinct from the
prefixes assigned used to any other interfaces attached to the
node - be they physical or logical interfaces. This approach
eliminates ISATAP-specific sending rules presented in earlier
draft versions.

- Changed sense of 'u/l' bit in the ISATAP configure an address interface
identifier to indicate "local scope", since ISATAP interface
identifiers are unique only within the scope of the ISATAP
prefix. (See section 4.)

Major changes from personal draft to version 00:

- Title change to provide higher-level description of field of
use addressed by this draft. Removed other extraneous text.

Templin Expires 21 May 2001 [Page 3]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

- Major new section on automatic discovery of off-link IPv6 routers
when IPv6-IPv4 compatibility addresses are used.

3. Terminology

The terminology of [IPv6] applies to this document. Additionally, the
following terms are used extensively throughout this document:

ISATAP prefix:
Any link-local, site-local or globally aggregatable IPv6 prefix declared
as such. An ISATAP interface. This
prefix configures ONLY is administratively assigned to the ISATAP addresses within its
scope; native IPv6 addresses SHOULD link and MUST NOT
be configured duplicated on an ISATAP prefix. native IPv6 links.

ISATAP address:
An
an IPv6 address with an ISATAP prefix and an IPv4 address embedded in
the ISATAP format interface
identifier in the manner described constructed as specified in section 4 below.

Native IPv6 address:
An IPv6 address constructed using a non-ISATAP prefix.

ISATAP pseudo-interface: 4.

ISATAP encapsulation of IPv6 packets inside IPv4 packets occurs
at a point that is logically equivalent to router:
an IPv6 interface,
with the link layer being the IPv4 unicast network. This point
is referred to as a pseudo-interface. An ISATAP pseudo-interface
is assigned node that has an ISATAP address through address autoconfiguration. interface over which it forwards
packets not explicitly addressed to itself.

ISATAP router:
An IPv6 router supporting host:
any node that has an ISATAP pseudo-interface. It interface and is normally
an interior router within not an heterogeneous IPv6/IPv4 network. ISATAP host:
An router.

4. Transmission of IPv6 host which has an Packets on ISATAP pseudo-interface.

4. Links

ISATAP Address Format

In the following sections, we will motivate our proposed extensions
of the existing IEEE OUI reserved by links transmit IPv6 packets via automatic tunneling using the Internet Assigned Numbers
Authority [IANA] to support IEEE EUI-64 format addresses

Templin, et. al. Expires 30 July 2002 [Page 3]

INTERNET-DRAFT ISATAP 30 January 2002

site's IPv4 infrastructure as well an NBMA link layer. Automatic tunneling
for ISATAP uses the same mechanisms specified in [MECH,3.1-3.6],
i.e., IPv6 packets are automatically encapsulated in IPv4 using 'ip-
protocol-41' as the payload type number. Specific considerations for
ISATAP address format itself. links are given below:

4.1. IEEE EUI-64 ISATAP Interface Identifiers in IPv6 Addresses Identifier Construction

IPv6 aggregatable global and local-use unicast addresses [ADDR] [ADDR][AGGR] include a 64-bit interface identifier iden-
tifier field in "modified EUI-64 format", based on the IEEE EUI-64
[EUI64] specification. (Modified EUI-64 format [EUI64],

Templin Expires 21 May 2001 [Page 4]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

which is specified as inverts the concatenation sense of a 24-bit company_id value
(also known as
the OUI) assigned by 'u/l' bit from its specification in [EUI64], i.e., 'u/l' = 0
indicates local-use.) ISATAP specifies an [EUI64]-format address con-
struction for the IEEE Registration Authority
(IEEE/RAC) and a 40-bit extension identifier assigned Organizationally-Unique Identifier (OUI) owned by
the address-
ing authority for that OUI. (Normally, the addressing authority Internet Assigned Numbers Authority [IANA]. This format (given
below) is
the organization used to which the IEEE has allocated the OUI). IEEE EUI-
64 construct both native [EUI64] addresses for general
use and modified EUI-64 format interface identifiers are formatted as follows: for use in IPv6
unicast addresses:

|0 1|1 2|2 3|3 4|4 3|4 6|
|0 5|6 3|4 1|2 7|8 9|0 3|
+----------------+----------------+----------------+----------------+
|ccccccugcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
+----------------+----------------+----------------+----------------+
+------------------------+--------+--------+------------------------+
| OUI ("00-00-5E"+u+g) | TYPE | TSE | TSD |
+------------------------+--------+--------+------------------------+

Where 'c' are the company-specific bits of the OUI, 'u' is the
universal/local bit, 'g' is the individual/group bit and 'm' are the
extension identifier bits. (NOTE: [ADDR] specifies that the fields are:

OUI IANA's OUI: 00-00-5E with 'u' bit
is inverted from its normal sense in the IEEE context; therefore u=1
indicates global scope and u=0 indicates local scope).

In order to support encapsulation of legacy IEEE EUI-48 (24-bit)
extension identifier values, [EUI64] 'g' bits (3 octets)

TYPE Type field; specifies that the first two
octets interpretation of the EUI-64 40-bit extension identifier (bits 24 through 39
of the EUI-64 address itself) SHALL BE 0xFFFE if the extension iden-
tifier encapsulates an EUI-48 value. [EUI64] further specifies that
the first two octets of the extension identifier SHALL NOT be 0xFFFF,
since this value is reserved by the IEEE/RAC. However, all other 40-
bit extension identifier values are available for assignment by the
OUI addressing authority.

4.2. An EUI-64 Interface Identifier Format for IANA

The IANA owns IEEE OUI: 00-00-5E, and [IANA] specifies EUI-48 format
(24-bit) interface identifier assignments within that OUI. But,
[IANA] does not specify how these legacy EUI-48 assignments will be
written in EUI-64 format, nor does it specify a format for future
40-bit extension identifier assignments. We propose the following
format for EUI-64 addresses within IANA's OUI reservation:

Templin Expires 21 May 2001 [Page 5]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

|0 2|2 3|3 3|4 6|
|0 3|4 1|2 9|0 3|
+------------------------+--------+--------+------------------------+
| OUI ("00-00-5E"+u+g) | TYPE | TSE | TSD |
+------------------------+--------+--------+------------------------+

Where the fields are:

OUI IANA's OUI: 00-00-5E with 'u' and 'g' bits (3 octets)

TYPE Type field; indicates how (TSE, TSD) are interpreted (1 octet)

TSE Type-Specific Extension (1 octet)

TSD Type-Specific Data (3 octets)

And the following interpretations are defined specified based on TYPE:

TYPE (TSE, TSD) Interpretation
---- -------------------------
0x00-0xFD RESERVED for future IANA use
0xFE (TSE, TSD) together contain an embedded IPv4 address
0xFF TSD is interpreted based on TSE as follows:

TSE TSD Interpretation
--- ------------------
0x00-0xFD RESERVED for future IANA use
0xFE TSD contains 24-bit EUI-48 intf id

Templin, et. al. Expires 30 July 2002 [Page 4]

INTERNET-DRAFT ISATAP 30 January 2002

0xFF RESERVED by IEEE/RAC

Essentially,

Thus, if TYPE=0xFE, TSE is treated as an extension of TSD. If TYPE=0xFF, TSE is treated as
an extension of TYPE. Other values for TYPE (and hence, (hence, other interpretations interpreta-
tions of TSE, TSD) are reserved for future IANA use. This format conforms to

The above specification is compatible with all requirements specified
in [EUI64] and supports encapsulation aspects of [EUI64],
including support for encapsulating legacy EUI-48 interface identifiers
in the manner described by that document. For example, identif-
iers (e.g., an existing IANA EUI-48 format multicast address such as:

01-00-5E-01-02-03

would be written in the IANA EUI-64 format '01-00-
5E-01-02-03' is encapsulated as:

01-00-5E-FF-FE-01-02-03 '01-00-5E-FF-FE-01-02-03'). But, this proposed format the
specification also provides a special TYPE (0xFE) for
embedding to indicate an IPv4 addresses within the IANA 40-bit extension identifier.
This special TYPE forms the basis for the ISATAP
address format as

Templin Expires 21 May 2001 [Page 6]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

described in the following sections.

4.3. ISATAP Address Construction

Using is embedded. Thus, when the proposed IANA-specific method for first four octets of a [ADDR]-
compatible IPv6 interface identifier con-
struction discussed are: '00-00-5E-FE' (note: the
'u/l' bit MUST be 0) the interface identifier is said to be in sections 4.1 and 4.2 (with TYPE=0xFE), "ISA-
TAP format" and
with reference to [ADDR], we can construct the next four octets embed an ISATAP IPv4 address encoded in
network byte order (least significant octet first). Addresses con-
figured on the ISATAP interface MUST use the ISATAP interface iden-
tifier format.

4.2. Stateless Autoconfiguration and Link-Local Addresses

ISATAP addresses are unicast addresses [ADDR,2.5] that use ISATAP
format interface identifiers as fol-
lows:

| 3| 13 | 8 | 24 | 16 | 8 | 8 follows:

| 8 64 bits | 8 32 bits | 32 bits |
+--+-----+---+--------+--------+---+---+---+---+---+---+---+----+
|FP| TLA |RES| NLA
+------------------------------+---------------+----------------+
| link-local, site-local or | SLA 0000:5EFE | 0x| 0x| 0x| 0x| IPv4 Address |
| global unicast prefix | ID | | ID | ID | 00| 00| 5E| FE| of Endpoint |
+--+-----+---+--------+--------+--------------------------------+

(NOTE: since ISATAP address interface identifiers are interpreted
only within the local scope of the /64 link |
+------------------------------+---------------+----------------+

Link-local, site-local, and global ISATAP prefix, we set the u/l
bit addresses can be created
exactly as specified in the least significant octet of the OUI to '0' to indicate
local scope.)

By way of [ADDR], (e.g., by auto-configuration [AUTO]
or manual configuration). For example, an existing node with IPv4 address 140.173.129.8
might be assigned an the IPv6 64-bit address:

3FFE:1a05:510:1111:0:5EFE:8CAD:8108

has a prefix of 3FFE:1a05:510:200::/64. We
can then construct '3FFE:1a05:510:1111::/64' and an ISATAP address for this node as:

3FFE:1a05:510:200:0:5EFE:8CAD:8108

or (perhaps more appropriately) written as the alternative form for
an IPv6 address format inter-
face identifier with embedded IPv4 address: '140.173.129.8'. The
address found in [ADDR]:

3FFE:1a05:510:200:0:5EFE:140.173.129.8

Similarly, we can construct the is alternately written as:

3FFE:1a05:510:1111:0:5EFE:140.173.129.8

The link-local and site-local variants (respectively) of the ISATAP address as: are:

FE80::0:5EFE:140.173.129.8
FEC0::200:0:5EFE:140.173.129.8

4.4. Advantages

By embedding
FEC0::1111:0:5EFE:140.173.129.8

Templin, et. al. Expires 30 July 2002 [Page 5]

INTERNET-DRAFT ISATAP 30 January 2002

4.3. ISATAP Link/Interface Configuration

A node configures an ISATAP link over one or more underlying IPv4 address in
links, i.e., the interface identifier portion of
an IPv6 address as described in section 4.3, we can construct aggre-
gatable global unicast IPv6 addresses that can either ISATAP link MAY be routed glo-
bally via the IPv6 infrastructure configured over one or automatically tunneled locally
across portions of a site's IPv4 infrastructure which have no native
IPv6 support. Additionally, more
link-layer (IPv4) addresses. Each link-layer address 'V4ADDR_LINK' is
used to configure a node with both link-local address 'FE80::0:5EFE:V4ADDR_LINK' on
an ISATAP link and a
native IPv6 link could act interface. ISATAP interfaces MAY be assigned one per link-
layer address, or as a router single interface for nodes that share its

Templin Expires 21 May 2001 [Page 7]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

native link, since multiple link-layer
addresses.

In the former case, the address of each ISATAP node could automatically tunnel mes-
sages across a site's IPv4 domain on behalf interface SHOULD be
added to the Potential Routers List. In the latter case, the inter-
face will accept ISATAP packets addressed to any of the native IPv6 nodes.
An example would IPv4 link-
layer addresses, but will choose one as its primary address, used for
sourcing packets. Only this address need be deployment of represented in the Poten-
tial Routers List.

4.4. Sending Rules and Address Mapping

The IPv6 next-hop address for packets sent on a workgroup LAN. In this
case, one host could configure an ISATAP address link MUST be
an ISATAP address. Packets that do not satisfy this constraint MUST
be discarded and act as a router
for an ICMP destination unreachable indication with code
3 (Address Unreachable) [ICMPv6] MUST be returned. No other hosts which use native IPv6 sending
rules are necessary.

The procedure for mapping unicast addresses on into link-layer addresses
is to simply treat the LAN.

An additional advantage for our proposed method last four octets of embedding the ISATAP address as an
IPv4 address in (in network byte order). No multicast address mappings
are specified.

4.5. Validity Checks for Received Packets

ISATAP interfaces MUST silently discard any received packets that do
not satisfy ONE OF the following validity checks:

- the network-layer (IPv6) source address has a prefix configured on
the ISATAP interface identifier portion of and an IPv6 ISATAP-format interface identifier that
embeds the link-layer (IPv4) source address, i.e., source is on-link

- the link-layer (IPv4) source address not
found is in other approaches such as [6TO4] the Potential Routers List
(see section 5.2), i.e., previous hop is that large numbers of an on-link ISATAP addresses could be assigned within a common IPv6 routing pre-
fix, thus providing maximal aggregation at the border gateways. For
example, the single 64-bit IPv6 prefix:

3FFE:1a05:510:2412::/64

could include literally millions of nodes with router

5. Neighbor Discovery for ISATAP addresses.
This feature would allow a "sparse mode" IPv6 deployment such as the
deployment of sparse populations Links

Section 3.2 of IPv6 hosts [DISC] ("Supported Link Types") provides the following

Templin, et. al. Expires 30 July 2002 [Page 6]

INTERNET-DRAFT ISATAP 30 January 2002

guidelines for non-broadcast multiple access (NBMA) link support:

"Redirect, Neighbor Unreachability Detection and next-hop determi-
nation should be implemented as described in this document. Address
resolution and the mechanism for delivering Router Solicitations
and Advertisements on large numbers of
independent NBMA links throughout a large corporate Intranet.

A final important advantage is that not specified in this method supports both sites
that use globally unique IPv4 address assignments docu-
ment."

ISATAP links SHOULD implement Redirect, Neighbor Unreachability
Detection, and those that use
non-globally unique IPv4 addresses, such next-hop determination exactly as when private address
assignments and/or Network specified in [DISC].
Address Translation are used. By way of
analogy to resolution and the US Postal system, inter-domain transition approaches
such as [6TO4] provide means mechanisms for routing messages "cross-country" to
the "street address" of a distant site while the approach outlined delivering Router Solicita-
tions and Advertisements for ISATAP links are not specified by
[DISC]; instead, they are specified in this document provides localized routing information to reach a
specific (mailstop, apartment number, post office box, etc) WITHIN document. (Note that site. Thus, the site-level routing information need not have
relevance outside the scope
these mechanisms MAY potentially apply to other types of that site.

5. ISATAP Deployment Considerations

Hosts should only use ISATAP on interfaces which do not share a com-
mon link with a native IPv6 router. Routers may configure both ISATAP
and Native IPv6 NBMA links on the same physical interface, but the pre-
fixes used will be distinct. An ISATAP router can be configured on
any ISATAP link to advertise
in the prefix(es) administratively assigned
to that link. Since future.)

5.1. Address Resolution

Protocol addresses (IPv6) in ISATAP is NBMA, these advertisements are not
periodically multicast resolved to link-layer
addresses (IPv4) by a static computation, i.e., the router, but last four octets
are solicited by Rtsols
sent by hosts. Hosts will configure treated as an ISATAP pseudo-interface and
assign it address(es) based on IPv4 address. Thus the ISATAP prefix(es) in functions and conceptual
data structures used by [DISC] for the solicited
Rtadv messages.

Following ISATAP purpose of address configuration, ISATAP hosts communicate as
regular IPv6 peers. resolution
are not required. The source address of conceptual "neighbor cache" described in [DISC]
is still needed for other functions, such packets will be as neighbor unreachability
detection, but it is not used for address resolution.

The link-layer address option used in

Templin Expires 21 May 2001 [Page 8]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

ISATAP format. Replies sent to this [DISC] is not needed. Implemen-
tations SHOULD NOT send link-layer address can thus be automatically
tunneled over the last IPv6 hop, options in any Neighbor
Discovery packets, and MUST silently ignore any such options in
Neighbor Discovery packets which occurs on are received.

5.2. Router and Prefix Discovery

Since the site's IPv4 infrastructure is treated as an NBMA link
layer, unsolicited Router Advertisements do not provide sufficient
means for router discovery on ISATAP links. Thus, alternate mechan-
isms are required and specified below:

5.2.1. Conceptual Data Structures

ISATAP network.
While nodes may optionally use stateful configuration to set an ISA-
TAP prefix the Prefix List and a "default" route that points to an Default Router List conceptual
data structures exactly as specified in [DISC,5.1]. ISATAP router, links add
a
greatly preferred alternative new conceptual data structure "Potential Router List" and the fol-
lowing new configuration variable:

Templin, et. al. Expires 30 July 2002 [Page 7]

INTERNET-DRAFT ISATAP 30 January 2002

ResolveInterval Time between name service resolutions.
Default and suggested minimum: 1hr

A Potential Router List (PRL) is to provide associated with every ISATAP link.
The PRL provides context for automatic intra-site
IPv6 router discovery and stateless address autoconfiguration [DIS-
CUSS]. The following section presents a means trust basis for the automatic
discovery of ISATAP routers.

5.1. Automatic Discovery of ISATAP Routers

As described in [AUTO], a node that does not share a common link with
an IPv6 router will NOT receive unsolicited Router Advertisements
(Rtadv's), nor will Router Solicitations (Rtsol's) from that node
reach an IPv6
router on the local link. But, the node may still be
able to connect to validation (see security considerations). Each entry in the global IPv6 Internet if
PRL has an ISATAP router IPv4 address and an associated timer used for
the site exists. Hence, polling. The
IPv4 address represents a means for router's ISATAP router discovery interface (likely to be an
"advertising interface"), and is
required. We present the following procedure for a node used to initiate construct the ISATAP router discovery (and link-
local address for that interface.

When the node enables an ISATAP router to respond) when an
on-link IPv6 router is not available:

- The node constructs an ISATAP link local address for itself
(as described in section 4.) as:

FE80::0:5EFE:V4ADDR_NODE

- The node discovers link, it initializes the PRL with
IPv4 address for an ISATAP router
as: V4ADDR_RTR (**)

- The node sends an Rtsol to the IPv6 "all-routers-multicast" address
tunneled addresses discovered through name service lookups for the IPv4 infrastructure Well-
Known Service name "ISATAP" (see "IANA Considerations"). Nodes
periodically repeat this process after ResolveInterval to detect
additions/deletions for the ISATAP router's
IPv4 address. The addresses used in PRL. Initialization of the IPv6 and PRL through
static IPv4 headers are:

ipv6_src: FE80::0:5EFE:V4ADDR_NODE
ipv6_dst: FF02::2
ipv4_src: V4ADDR_NODE
ipv4_dst: V4ADDR_RTR

- Upon receiving the tunneled Rtsol, the ISATAP router sends address assignments and/or an alternate name for lookups
is a unicast Rtadv to supported configuration option, but the unicast address method described above
is preferred.

5.2.2. Validation of the Router Advertisement Messages

A node which sent the
Rtsol; again, by tunneling MUST silently discard any received Router Advertisement mes-
sages that do not satisfy the Rtadv through IPv4. The addresses
used validity checks in [DISC,6.1.2] as well
as the IPv6 and IPv4 headers are:

ipv6_src: FE80::0:5EFE:V4ADDR_RTR
ipv6_dst: FE80::0:5EFE:V4ADDR_NODE
ipv4_src: V4ADDR_RTR
ipv4_dst: V4ADDR_NODE

Templin Expires 21 May 2001 [Page 9]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001 following additional validity check for ISATAP:

- Upon receiving the Rtsol, the originating node performs network-layer (IPv6) source address
autoconfiguration is from the PRL

5.2.3. Router Specification

Advertising ISATAP interfaces of routers behave the same as advertis-
ing interfaces described in [AUTO] and constructs:

- a fully-qualified ISATAP address for use as [DISC,6.2]. However, periodic unsolicited
multicast Router Advertisements are not required, thus the source address "interval
timer" associated with advertising interfaces is not used for that
purpose.

When an ISATAP pseudo-interface

- router receives a default route that points to the valid Router Solicitation on an
advertising ISATAP router

Note (**) that the above procedure assumes interface, it replies with a means for discovering
V4ADDR_RTR. We present two alternative methods for unicast Router Adver-
tisement to the automatic
discovery address of V4ADDR_RTR:

5.2. DNS Well-Known Service Name

The first method for discovering V4ADDR_RTR employs a new DNS Well-
Known Service (WKS) name [DNS1,DNS2]. With the establishment of a new
well-known service name (e.g. "ISATAPGW"), administrators could pub-
lish node which sent the IPv4 Router Solicita-
tion. The source address of the Router Advertisement is a gateway which implementations could use to
discover V4ADDR_RTR. This method has link-local
unicast address associated with the advantage that it can interface. This MAY be
deployed immediately using existing mechanisms. However, it requires
name service lookups and may not always provide the optimum
V4ADDR_RTR resolution for isolated hosts if multiple same
as the destination address of the Router Solicitation.

By default, ISATAP routers
are available.

5.3. IPv4 Anycast for will not receive Router Advertisements
from other ISATAP routers

[6TO4ANY] proposes an IPv4 anycast prefix for 6to4 relay routers.
The proposal suggests an IPv4 prefix assignment '192.88.99.0/24'
where the single address '192.88.99.1' Thus, Router Advertisement consistency
verification [DISC,6.2.7] is assigned as the "6to4 IPv6
relay anycast address". We propose analogous assignments for not supported by default. Routers MAY

Templin, et. al. Expires 30 July 2002 [Page 8]

INTERNET-DRAFT ISATAP 30 January 2002

OPTIONALLY engage in the pur-
pose exchange of an "ISATAP router anycast address". (Whether the reservation advertisements with other
members of a second /32 assignment from the 6to4 PRL to enable this function.

5.2.4. Host Specification

Hosts periodically poll each entry in the PRL ("PRL(i)") by sending
unicast Router Solicitation messages using the IPv4 anycast prefix proposed address
("V4ADDR_PRL(i)") and associated timer in [6TO4ANY] would be possible, or a separate prefix assignment would
be required the entry. Hosts add the
following variable to support the polling process:

MinRouterSolicitInterval
Minimum time between sending Router Solicitations
to any router. Default and suggested minimum: 15min

When PRL(i) is first added to the list, the host sets its associated
timer to MinRouterSolicitInterval.

Entries are polled when they are created (following a matter of debate short delay as
for initial solicitations [ND,6.3.7]), and TBD.)

ISATAP routers would advertise the ISATAP router anycast prefix via when the intra-domain IPv4 routing infrastructure. Isolated IPv6 nodes
would then use associated timer
expires.

Polling consists of sending Router Solicitations to the ISATAP router anycast link-
local address as constructed from the V4ADDR_RTR entry's IPv4 destination for off-link Rtsol's. This approach has the signifi-
cant advantages that:

- implementations could hard-code the well-known ISATAP
anycast address, thus avoiding service discovery via DNS

- an optimum path i.e., they
are sent to an ISATAP router would be ensured
by intra-domain IPv4 routing

Templin Expires 21 May 2001 [Page 10]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

As 'FE80::0:5EFE:V4ADDR_PRL(i)' instead of 'All-Routers mul-
ticast'. They are otherwise sent in the same manner described above, in
[DISC,6.3.7].

When the IPv4 anycast method for locating ISATAP
routers provides significant functional advantages over host receives a valid Router Advertisement (i.e., one that
satisfies the DNS
approach, while validity checks in sections 4.5 and 5.2.2) it processes
them in the DNS approach can be implemented immediately pend-
ing same manner described in [DISC,6.3.4]. The host addition-
ally resets the registration of a WKS name timer associated with IANA. While the PRL entry that matches the
network-layer source address in the Router Advertisement. The timer
is reset to either method
will work, 0.5 * (the minimum value in the decision router lifetime or
valid lifetime of which to push for standardization any on-link prefixes advertised) or MinRouterSoli-
citInterval; whichever is TBD
pending discussion at upcoming NGTRANS WG meetings. longer.

6. Sending Rules and Routing Considerations

Since each node will be assigned one or more ISATAP prefixes Deployment Considerations

6.1. Host And Router Deployment Considerations

For hosts, if an underlying link supports both IPv4 (over which
are administratively reserved for use ONLY by ISATAP nodes, no spe-
cial sending rules are needed. In particular, correspondent nodes
that share a common ISATAP prefix will always exchange messages using
their ISATAP pseudo-interfaces, whereas nodes that do not share a
common ISATAP prefix will always exchange messages via standard ISA-
TAP is implemented) and also supports IPv6
routing. When sending a message on an natively, then ISATAP pseudo-interface, an
implementation SHOULD verify that MAY
be enabled if the native IPv6 next-hop address employs
the ISATAP address construction rules described in section 4 in order
to detect mis-configured addresses. No other sending rules are neces-
sary.

7. Address Selection

No special address selection rules are necessary.

8. Automatic Deprecation

ISATAP addresses are intended for use only by nodes which do layer does not receive native IPv6 Rtadv's due to Router Adver-
tisements (i.e., does not sharing a common link have connection with an IPv6 router. When native IPv6 Rtadv's become available (such as when
an IPv6 router is deployed on a node's link), the node should con-
struct router). After
a non-ISATAP aggregatable global IPv6 unicast non-link-local address using
address auto-configuration [AUTO] for has been configured and a non-ISATAP IPv6 prefix
discovered through normal means [DISC]. After default router

Templin, et. al. Expires 30 July 2002 [Page 9]

INTERNET-DRAFT ISATAP 30 January 2002

acquired on the node's native IPv6
address is populated in the DNS, link, the node should eventually cease
sending Rtsol's to host MAY discontinue the ISATAP router 'Router
Polling Process' process specified in section 5.2.4 and discontinue use of its ISA-
TAP pseudo-interface. allow exist-
ing ISATAP address configurations to expire as specified in
[DISC,5.3][AUTO,5.5.4]. In this way, ISATAP addresses use will gradually
(and automatically) disappear dimin-
ish as IPv6 routers are widely deployed
within sites.

9. Multicast Considerations

Other works in progress [6TO4MULTI] are currently investigating mul-
ticast addressing issues for [6TO4]. The address format discussed in

Templin Expires 21 May 2001 [Page 11]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

this document is expected throughout the site.

Routers MAY configure a native link to simultaneously support both
native IPv6, and also ISATAP (over IPv4). Routing will operate as
usual between these two domains. Note that the prefixes used on the
ISATAP and native IPv6 interfaces will be compatible with those emerging
approaches.

10. IANA distinct.

When an ISATAP router is configured, the IPv4 address used for its
ISATAP interface SHOULD be added (either automatically or manually)
to the site's name service records for the "ISATAP" Well-Known Ser-
vice name (e.g., by adding an A record in DNS), so it will be added
to the ISATAP Potential Router list of all nodes on the link.

6.2. Site Administration Considerations

The following considerations are noted for sites that deploy ISATAP:

- ISATAP links are administratively defined by a set of router
interfaces, and set of nodes which have those interface addresses
in their potential router lists. Thus, ISATAP links are defined by
administrative (not physical) boundaries.

- ISATAP hosts and routers can be deployed in an ad-hoc and independent
fashion. In order particular, ISATAP hosts can be deployed with little/no
advanced knowledge of existing ISATAP routers, and ISATAP routers
can deployed with no reconfiguration requirements for hosts.

- ISATAP nodes periodically send Router Solicitations to support all entries
in the EUI-64 address form described Potential Router List. Worst-case control traffic is on the
order of (M x N), where 'M' is the number of routers in this docu-
ment, we the Potential
Router List and 'N' is the total number of nodes on the ISATAP link.
The MinRouterSolicitInterval of 15min bounds control traffic for
large numbers of nodes even in worst-case scenarios.

- Strategic site administration, along with robust host and router
implementations, can provide significant reductions in control
traffic. At a minimum, site administrators SHOULD ensure that name
service records for the "ISATAP" Well-Known Service name are well
maintained, and represent valid ISATAP routers.

Templin, et. al. Expires 30 July 2002 [Page 10]

INTERNET-DRAFT ISATAP 30 January 2002

7. IANA considerations

We propose that IANA adopt the EUI-64 Interface Identifier for-
mat interface identifier construction
specified in section 4.2 for section 4.1 for the existing IANA IEEE OUI registration
('00-00-5E'). Additionally, we request that the name "ISATAP" be
reserved in the IANA "Protocol and Service Names" assigned numbers
document.

8. Security considerations

Site administrators are advised that, in addition to possible attacks
against IPv6, security attacks against IPv4 MUST also be considered.
Many security considerations in [6OVER4,9] apply also to ISATAP.

Responsible IPv4 site security management is strongly encouraged. In
particular, border gateways SHOULD implement filtering to detect
spoofed IPv4 source addresses at a minimum; ip-protocol-41 filtering
SHOULD also be implemented.

If IPv4 source address filtering is not correctly implemented, the
validity checks in section 4.7 will not be effective in preventing
IPv6 source address spoofing.

If filtering for ip-protocol-41 is not correctly implemented, IPv6
source address spoofing is clearly possible, but this can be elim-
inated if both IPv4 source address filtering, and the validity checks
in section 4.7 are implemented.

[DISC,6.1.2] implies that nodes trust Router Advertisements they
receive from on-link routers, as indicated by a value of 255 in the existing 00-00-5E OUI owned by
IANA. No other actions are required by
IPv6 'hop-limit' field. Since this field is not decremented when ip-
protocol-41 packets traverse multiple IPv4 hops [MECH,3.3], ISATAP
links require a different trust model. In particular, ONLY those
Router Advertisements received from a member of the IANA.

11. Security considerations Potential Routers
List are trusted; all others are silently discarded (see section
5.2.2). This trust model is predicated on IPv4 source address filter-
ing, as described above.

The ISATAP address format does not support privacy extensions for
stateless address autoconfiguration [PRIVACY]. However, such privacy
extensions are intended primarily to avoid revealing one's MAC
address, and since the
ISATAP address format described in this document
accomplishes this same goal.

Additional security issues are called out in [6TO4] and probably
apply here as well.

12. Implementation status

The author has implemented the mechanisms described in this draft
through modifications to interface identifier is derived from the FreeBSD 3.2-RELEASE [FBSD] operating
system with node's IPv4 address,
ISATAP addresses do not have the INRIA [INRIA] IPv6 distribution. As same level of November 12,
2001, a Linux implementation is now integrated in privacy concerns as
IPv6 addresses that use an interface identifier derived from the USAGI Linux
distribution [USAGI].

Additionally, Windows XP RC1 will implement elements MAC
address.

Acknowledgements

Templin, et. al. Expires 30 July 2002 [Page 11]

INTERNET-DRAFT ISATAP 30 January 2002

Some of the mechanism
proposed in this paper.

Acknowledgements

The original ideas presented in this draft were derived from work at
SRI con-
tractual work. The author recognizes that ideas similar to those in
this document may have already been presented by others with internal funds and wishes to
acknowledge any other such authors. The author also wishes to ack-
nowledge the government contract administrators contractual support. Government sponsors
who sponsored supported the
projects work include Monica Farah-Stapleton and Russell
Langan from which these works derived as well as his SRI colleagues
with whom he has discussed U.S. Army CECOM ASEO, and reviewed this work, including Monica
Farah-Stapleton, Dr. Allen Moshfegh from U.S.
Office of Naval Research. Within SRI, Dr. Mike Frankel, J. Peter Marcotullio, Mar-
cotullio, Lou Rodri-
guez, Rodriguez, and Dr. Ambatipudi Sastry.

The author acknowledges valuable input from numerous members of Sastry supported the

Templin Expires 21 May 2001 [Page 12]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001

NGTRANS community which has work
and helped guide the direction of the draft. foster early interest.

The list of contributors is too long to enumerate, but the input from
the community has been vital to the draft's evolution. Alain Durand
deserves special mention following peer reviewers are acknowledged for contributing taking the title time to
review a pre-release of this draft and
the ISATAP acronym. Additionally, Tim Gleenson document and Nathan Lutchansky
numerous helpful suggestions for improvement.

The author finally wishes to provide special acknowledgement input: Jim Bound,
Rich Draves, Cyndi Jung, Ambatipudi Sastry, Aaron Schrader, Ole
Troan, Vlad Yasevich.

The authors acknowledge members of the NGTRANS community who have
made significant contributions to Dave
Thaler, this effort, including Rich Draves,
Alain Durand, Nathan Lutchansky, Art Shelest, Richard Draves, Margaret Wasserman, and others at Microsoft Research
for their ideas on automatic discovery of off-link IPv6 routers. Much
of
Brian Zill.

Finally, the text authors recognize that ideas similar to those in section on deployment considerations derives directly
from discussions with Dave, Art, Rich this
document may have already been presented by others and others. wish to ack-
nowledge any other such contributions.

Normative References

[ADDR] Hinden, R., and S. Deering, "IP Version 6 Addressing
Architecture", RFC 2373, July 1998. (Pending approval
of "addr-arch-v3").

[AGGR] Hinden., R, O'Dell, M., and Deering, S., "An IPv6
Aggregatable Global Unicast Address Format",
RFC 2374, July 1998.

[ADDR] Hinden, R., and S. Deering, "IP Version 6 Addressing
Architecture", RFC 2373, July 1998.

[AUTO] Thomson, S., and T. Narten, "IPv6 Stateless Address
Autoconfiguration", RFC 2462, December 1998.

[DISC] Narten, T., Nordmark, E., and W. Simpson, "Neighbor
Discovery for IP Version 6 (IPv6)", RFC 2461,
December 1998.

[DNS1] Mockapetris, P. "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.

[DNS2] Mockapetris, P. "Domain names - Implementation and Specif-
ication",
STD 13, RFC 1035, November 1987.

[DNSSRV] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.

[EUI64] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64)
Registration Authority",
http://standards.ieee.org/regauth/oui/tutorials/EUI64.html,
March 1997

[IANA] Reynolds, J., 1997.

[ICMPv6] Conta, A. and J. Postel, "Assigned Numbers", STD 2,
USC/Information Sciences Institute, October 1994.

Templin S. Deering, "Internet Control Message
Protocol (ICMPv6) for the Internet Protocol Version 6
(IPv6) Specification", RFC 2463, December 1998.

Templin, et. al. Expires 21 May 2001 30 July 2002 [Page 13] 12]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001 ISATAP 30 January 2002

[IPV4] Postel, J., "Internet Protocol", RFC 791 791.

[IPV6] Deering, S., and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460

[6TO4] Carpenter, B., and K. Moore, "Connection of IPv6 Domains
via IPv4 Clouds", RFC 3056, February 2001.

[6TO4ANY] Huitema, C., "An anycast prefix for 6to4 relay routers",
RFC 3068, June 2001.

[6TO4MULTI] Thaler, D., "Support for Multicast over 6to4 Networks",
draft-ietf-ngtrans-6to4-multicast-00.txt (work in pro-
gress) 2460.

[MECH] Gilligan, R., and E. Nordmark, "Transition Mechanisms for
IPv6 Hosts and Routers", RFC 2893, August 2000.

[SELECT] Draves, R., Default Address Selection for IPv6, draft-
ietf-
ipngwg-default-addr-select-06.txt (work in progress)

[FBSD] http://www.freebsd.org

[USAGI] http://www.linux-ipv6.org

[INRIA] ftp://ftp.inria.fr/network/ipv6/

[6BONE] Rockell, R.,

[NAT] Egevang, K., and R. Fink, P. Francis, "The IP Network Address
Translator (NAT)", RFC 2772, February 2000. 1631, May 1994.

[PRIVATE] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.
J., G.,
and E. Lear, "Address Allocation for Private Internets",
RFC 1918, February 1996.

Informative References

[6OVER4] Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4
Domains without Explicit Tunnels", RFC 2529.

[6TO4] Carpenter, B., and K. Moore, "Connection of IPv6 Domains
via IPv4 Clouds", RFC 3056, February 2001.

[IANA] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2,
USC/Information Sciences Institute, October 1994.

[PRIVACY] Narten, T., R. Draves, "Privacy Extensions for Stateless
Address Autoconfiguration in IPv6", RFC 3041, January 2001.

[NAT] Egevang, K., and P. Francis, "The IP Network Address
Translator (NAT)", IPv6", RFC 1631, May 1994.

[DISCUSS] private discussions with Dave Thaler, Art Shelest, et al. 3041,
January 2001.

Authors Addresses

Fred L. Templin

Templin Expires 21 May 2001 [Page 14]

INTERNET-DRAFT Intra-Site Automatic Tunnel Addressing 21 November 2001
SRI International
333 Ravenswood Ave.
Menlo Park, CA 94025, USA
Phone: (650)-859-3144
Email: templin@erg.sri.com

Tim Gleeson
Cisco Systems K.K.
Shinjuku Mitsu Building
2-1-1 Nishishinjuku, Shinjuku-ku
Tokyo 163-0409, JAPAN
email: tgleeson@cisco.com

Mohit Talwar

Templin, et. al. Expires 30 July 2002 [Page 13]

INTERNET-DRAFT ISATAP 30 January 2002

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
Phone: +1 425 705 3131
EMail: mohitt@microsoft.com

Dave Thaler
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
Phone: +1 425 703 8835
EMail: dthaler@microsoft.com

APPENDIX A: Major Changes

changes from version 02 to version 03:

- Added contributing co-authors

- RSs are now sent to unicast addresses rather than all-routers-multicast

- Brought draft into better alignment with other IPv6
standards-track documents

- Added applicability statement

changes from version 01 to version 02:

- Cleaned up text and tightened up terminology. Changed "IPv6 destination
address" to "IPv6 next-hop address" under "sending rules". Changed
definition of ISATAP prefix to include link and site-local. Changed
language in sections 4 and 5

changes from version 00 to version 01:

- Revised draft to require different /64 prefixs for ISATAP
addresses and native IPv6 addresses. Thus, a node's ISATAP
interface is assigned a /64 prefix that is distinct from the
prefixes assigned to any other interfaces attached to the
node - be they physical or logical interfaces. This approach
eliminates ISATAP-specific sending rules presented in earlier
draft versions.

- Changed sense of 'u/l' bit in the ISATAP address interface
identifier to indicate "local scope", since ISATAP interface

Templin, et. al. Expires 30 July 2002 [Page 14]

INTERNET-DRAFT ISATAP 30 January 2002

identifiers are unique only within the scope of the ISATAP
prefix. (See section 4.)

changes from personal draft to version 00:

- Title change to provide higher-level description of field of
use addressed by this draft. Removed other extraneous text.

- Major new section on automatic discovery of off-link IPv6 routers
when IPv6-IPv4 compatibility addresses are used.

Intellectual Property

The IETF has been notified of intellectual property rights claimed in
regard to some or all of the specification contained in this docu-
ment. For more information consult the online list of claimed
rights.

Templin

Templin, et. al. Expires 21 May 2001 30 July 2002 [Page 15]

----