Internet Engineering Task Force (IETF) X.

Li
Request for Comments: 7599 C. Bao
Category: Standards Track Tsinghua University
ISSN: 2070-1721 W. Dec, Ed.
O. Troan
Cisco Systems
S. Matsushima
SoftBank Telecom
T. Murakami
IP Infusion
July 2015

Mapping of Address and Port using Translation (MAP-T)

Abstract

This document specifies the solution architecture based on "Mapping

of Address and Port" stateless IPv6-IPv4 Network Address Translation
(NAT64) for providing shared or non-shared IPv4 address connectivity
to and across an IPv6 network.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force

(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata,

and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7599.

Li, et al. Standards Track [Page 1]

RFC 7599 MAP-T July 2015

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust’s Legal

Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Li, et al. Standards Track [Page 2]

RFC 7599 MAP-T July 2015

Table of Contents

1. Introduction ....................................................4
2. Conventions .....................................................4
3. Terminology .....................................................5
4. Architecture ....................................................6
5. Mapping Rules ...................................................8
5.1. Destinations outside the MAP Domain ........................8
6. The IPv6 Interface Identifier ...................................9
7. MAP-T Configuration ............................................10
7.1. MAP CE ....................................................10
7.2. MAP BR ....................................................11
8. MAP-T Packet Forwarding ........................................11
8.1. IPv4 to IPv6 at the CE ....................................11
8.2. IPv6 to IPv4 at the CE ....................................12
8.3. IPv6 to IPv4 at the BR ....................................12
8.4. IPv4 to IPv6 at the BR ....................................13
9. ICMP Handling ..................................................13
10. Fragmentation and Path MTU Discovery ..........................14
10.1. Fragmentation in the MAP Domain ..........................14
10.2. Receiving IPv4 Fragments on the MAP Domain Borders .......14
10.3. Sending IPv4 Fragments to the Outside ....................14
11. NAT44 Considerations ..........................................15
12. Usage Considerations ..........................................15
12.1. EA-Bit Length 0 ..........................................15
12.2. Mesh and Hub-and-Spoke Modes .............................15
12.3. Communication with IPv6 Servers in the MAP-T Domain ......15
12.4. Compatibility with Other NAT64 Solutions .................16
13. Security Considerations .......................................16
14. References ....................................................17
14.1. Normative References .....................................17
14.2. Informative References ...................................18
Appendix A. Examples of MAP-T Translation .........................21
Appendix B. Port-Mapping Algorithm ................................24
Acknowledgements ..................................................25
Contributors ......................................................25
Authors’ Addresses ................................................26

Li, et al. Standards Track [Page 3]

RFC 7599 MAP-T July 2015

1. Introduction

Experiences from initial service provider IPv6 network deployments,

such as [RFC6219], indicate that successful transition to IPv6 can
happen while supporting legacy IPv4 users without a full end-to-end
dual-IP-stack deployment. However, due to public IPv4 address
exhaustion, this requires an IPv6 technology that supports IPv4 users
utilizing shared IPv4 addressing, while also allowing the network
operator to optimize their operations around IPv6 network practices.
The use of double NAT64 translation-based solutions is an optimal way
to address these requirements, especially in combination with
stateless translation techniques that minimize operational challenges
outlined in [Solutions-4v6].

The Mapping of Address and Port using Translation (MAP-T)

architecture specified in this document is such a double stateless
NAT64-based solution. It builds on existing stateless NAT64
techniques specified in [RFC6145], along with the stateless
algorithmic address and transport-layer port-mapping scheme defined
in the Mapping of Address and Port with Encapsulation (MAP-E)
specification [RFC7597]. The MAP-T solution differs from MAP-E in
that MAP-T uses IPv4-IPv6 translation, rather than encapsulation, as
the form of IPv6 domain transport. The translation mode is
considered advantageous in scenarios where the encapsulation
overhead, or IPv6 operational practices (e.g., the use of IPv6-only
servers, or reliance on IPv6 + protocol headers for traffic
classification) rule out encapsulation. These scenarios are
presented in [MAP-T-Use-Cases].

2. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

Li, et al. Standards Track [Page 4]

RFC 7599 MAP-T July 2015

3. Terminology

MAP-T: Mapping of Address and Port using

Translation.

MAP Customer Edge (CE): A device functioning as a Customer Edge

router in a MAP deployment. A typical MAP CE
adopting MAP Rules will serve a residential
site with one WAN-side IPv6-addressed
interface and one or more LAN-side interfaces
addressed using private IPv4 addressing.

MAP Border Relay (BR): A MAP-enabled router managed by the service

provider at the edge of a MAP domain. A BR
has at least an IPv6-enabled interface and an
IPv4 interface connected to the native IPv4
network. A MAP BR may also be referred to as
simply a "BR" within the context of MAP.

MAP domain: One or more MAP CEs and BRs connected by

means of an IPv6 network and sharing a common
set of MAP Rules. A service provider may
deploy a single MAP domain or may utilize
multiple MAP domains.

MAP Rule: A set of parameters describing the mapping

between an IPv4 prefix, IPv4 address, or
shared IPv4 address and an IPv6 prefix or
address. Each MAP domain uses a different
mapping rule set.

MAP rule set: A rule set is composed of all the MAP Rules
communicated to a device that are intended to
determine the device’s IP+port mapping and
forwarding operations. The MAP rule set is
interchangeably referred to in this document
as a MAP rule table or as simply a "rule
table". Two specific types of rules -- the
Basic Mapping Rule (BMR) and the Forwarding
Mapping Rule (FMR) -- are defined in
Section 5 of [RFC7597]. The Default Mapping
Rule (DMR) is defined in this document.

MAP rule table: See MAP rule set.

MAP node: A device that implements MAP.

Li, et al. Standards Track [Page 5]

RFC 7599 MAP-T July 2015

Port set: Each node has a separate part of the

transport-layer port space; this is denoted
as a port set.

Port Set ID (PSID): Algorithmically identifies a set of ports

exclusively assigned to a CE.

Shared IPv4 address: An IPv4 address that is shared among multiple

CEs. Only ports that belong to the assigned
port set can be used for communication. Also
known as a port-restricted IPv4 address.

End-user IPv6 prefix: The IPv6 prefix assigned to an End-user CE by

means other than MAP itself, e.g.,
provisioned using DHCPv6 Prefix Delegation
(PD) [RFC3633], assigned via Stateless
Address Autoconfiguration (SLAAC) [RFC4862],
or configured manually. It is unique for
each CE.

MAP IPv6 address: The IPv6 address used to reach the MAP
function of a CE from other CEs and from BRs.

Rule IPv6 prefix: An IPv6 prefix assigned by a service provider

for a MAP Rule.

Rule IPv4 prefix: An IPv4 prefix assigned by a service provider

for a MAP Rule.

Embedded Address (EA) bits:

The IPv4 EA-bits in the IPv6 address identify
an IPv4 prefix/address (or part thereof) or a
shared IPv4 address (or part thereof) and a
Port Set Identifier.

4. Architecture

Figure 1 depicts the overall MAP-T architecture, which sees any

number of privately addressed IPv4 users (N and M) connected by means
of MAP-T CEs to an IPv6 network that is equipped with one or more
MAP-T BRs. CEs and BRs that share MAP configuration parameters,
referred to as "MAP Rules", form a MAP-T domain.

Li, et al. Standards Track [Page 6]

RFC 7599 MAP-T July 2015

Functionally, the MAP-T CE and BR utilize and extend some

well-established technology building blocks to allow the IPv4 users
to correspond with nodes on the public IPv4 network or on the IPv6
network as follows:

o A (NAT44) Network Address and Port Translation (NAPT) [RFC2663]

function on a MAP CE is extended with support for restricting the
allowable TCP/UDP ports for a given IPv4 address. The IPv4
address and port range used are determined by the MAP provisioning
process and identical to MAP-E [RFC7597].

o A stateless NAT64 function [RFC6145] is extended to allow

stateless mapping of IPv4 and transport-layer port ranges to the
IPv6 address space.

User N
Private IPv4
| Network
|
O--+---------------O
| | MAP-T CE |
| +-----+--------+ |
| NAPT44| MAP-T | |
| +-----+ | +-._ ,-------. .------.
| +--------+ | ,-’ ‘-. ,-’ ‘-.
O------------------O / \ O---------O / Public \
/ IPv6-only \ | MAP-T |/ IPv4 \
( Network --+ Border +- Network )
\ / | Relay |\ /
O------------------O \ / O---------O \ /
| MAP-T CE | ;". ,-’ ‘-. ,-’
| +-----+--------+ | ," ‘----+--’ ------’
| NAPT44| MAP-T | |, |
| +-----+ | + IPv6 node(s)
| | +--------+ | (with IPv4-embedded IPv6 address)
O---+--------------O
|
User M
Private IPv4
Network

Figure 1: MAP-T Architecture

Each MAP-T CE is assigned with a regular IPv6 prefix from the

operator’s IPv6 network. This, in conjunction with MAP domain
configuration settings and the use of the MAP procedures, allows the
computation of a MAP IPv6 address and a corresponding IPv4 address.
To allow for IPv4 address sharing, the CE may also have to be

Li, et al. Standards Track [Page 7]

RFC 7599 MAP-T July 2015

configured with a TCP/UDP port range that is identified by means of a

MAP Port Set Identifier (PSID) value. Each CE is responsible for
forwarding traffic between a given user’s private IPv4 address space
and the MAP domain’s IPv6 address space. The IPv4-IPv6 adaptation
uses stateless NAT64, in conjunction with the MAP algorithm for
address computation.

The MAP-T BR connects one or more MAP-T domains to external IPv4

networks using stateless NAT64 as extended by the MAP-T behavior
described in this document.

In contrast to MAP-E, NAT64 technology is used in the architecture

for two purposes. First, it is intended to diminish encapsulation
overhead and allow IPv4 and IPv6 traffic to be treated as similarly
as possible. Second, it is intended to allow IPv4-only nodes to
correspond directly with IPv6 nodes in the MAP-T domain that have
IPv4-embedded IPv6 addresses as per [RFC6052].

The MAP-T architecture is based on the following key properties:

1. Algorithmic IPv4-IPv6 address mapping codified as MAP Rules, as

described in Section 5

2. A MAP IPv6 address identifier, as described in Section 6

3. MAP-T IPv4-IPv6 forwarding behavior, as described in Section 8

5. Mapping Rules

The MAP-T algorithmic mapping rules are identical to those in

Section 5 of the MAP-E specification [RFC7597], with the following
exception: the forwarding of traffic to and from IPv4 destinations
outside a MAP-T domain is to be performed as described in this
document, instead of Section 5.4 of the MAP-E specification.

5.1. Destinations outside the MAP Domain

IPv4 traffic sent by MAP nodes that are all within one MAP domain is
translated to IPv6, with the sender’s MAP IPv6 address, derived via
the Basic Mapping Rule (BMR), as the IPv6 source address and the
recipient’s MAP IPv6 address, derived via the Forwarding Mapping Rule
(FMR), as the IPv6 destination address.

IPv4-addressed destinations outside of the MAP domain are represented

by means of IPv4-embedded IPv6 addresses as per [RFC6052], using the
BR’s IPv6 prefix. For a CE sending traffic to any such destination,
the source address of the IPv6 packet will be that of the CE’s MAP
IPv6 address, and the destination IPv6 address will be the

Li, et al. Standards Track [Page 8]

RFC 7599 MAP-T July 2015

destination IPv4-embedded IPv6 address. This address mapping is said

to be following the MAP-T Default Mapping Rule (DMR) and is defined
in terms of the IPv6 prefix advertised by one or more BRs, which
provide external connectivity. A typical MAP-T CE will install an
IPv4 default route using this rule. A BR will use this rule when
translating all outside IPv4 source addresses to the IPv6 MAP domain.

The DMR IPv6 prefix length SHOULD be 64 bits long by default and in
any case MUST NOT exceed 96 bits. The mapping of the IPv4
destination behind the IPv6 prefix will by default follow the /64
rule as per [RFC6052]. Any trailing bits after the IPv4 address are
set to 0x0.

6. The IPv6 Interface Identifier

The interface identifier format of a MAP-T node is the same as the

format described in Section 6 of [RFC7597]. The format diagram is
provided here for convenience:

| 128-n-o-s bits |
| 16 bits| 32 bits | 16 bits|
+--------+----------------+--------+
| 0 | IPv4 address | PSID |
+--------+----------------+--------+

Figure 2: IPv6 Interface Identifier

In the case of an IPv4 prefix, the IPv4 address field is right-padded

with zeros up to 32 bits. The PSID is left-padded with zeros to
create a 16-bit field. For an IPv4 prefix or a complete IPv4
address, the PSID field is zero.

If the End-user IPv6 prefix length is larger than 64, the most
significant parts of the interface identifier are overwritten by the
prefix.

Li, et al. Standards Track [Page 9]

RFC 7599 MAP-T July 2015

7. MAP-T Configuration

For a given MAP domain, the BR and CE MUST be configured with the
following MAP parameters. The values for these parameters are
identical for all CEs and BRs within a given MAP-T domain.

o The Basic Mapping Rule and, optionally, the Forwarding Mapping

Rules, including the Rule IPv6 prefix, Rule IPv4 prefix, and
Length of embedded address bits

o Use of hub-and-spoke mode or Mesh mode (if all traffic should be

sent to the BR, or if direct CE-to-CE correspondence should be
supported)

o Use of IPv4-IPv6 translation (MAP-T)

o The BR’s IPv6 prefix used in the DMR

7.1. MAP CE

For a given MAP domain, the MAP configuration parameters are the same
across all CEs within that domain. These values may be conveyed and
configured on the CEs using a variety of methods, including DHCPv6,
the Broadband Forum’s "TR-69" Residential Gateway management
interface [TR069], the Network Configuration Protocol (NETCONF), or
manual configuration. This document does not prescribe any of these
methods but recommends that a MAP CE SHOULD implement DHCPv6 options
as per [RFC7598]. Other configuration and management methods may use
the data model described by this option for consistency and
convenience of implementation on CEs that support multiple
configuration methods.

Besides the MAP configuration parameters, a CE requires an IPv6

prefix to be assigned to the CE. This End-user IPv6 prefix is
configured as part of obtaining IPv6 Internet access and is acquired
using standard IPv6 means applicable in the network where the CE is
located.

The MAP provisioning parameters, and hence the IPv4 service itself,
are tied to the End-user IPv6 prefix; thus, the MAP service is also
tied to this in terms of authorization, accounting, etc.

A single MAP CE MAY be connected to more than one MAP domain, just as
any router may have more than one IPv4-enabled service-provider-
facing interface and more than one set of associated addresses
assigned by DHCPv6. Each domain within which a given CE operates

Li, et al. Standards Track [Page 10]

RFC 7599 MAP-T July 2015

would require its own set of MAP configuration elements and would
generate its own IPv4 address. Each MAP domain requires a distinct
End-user IPv6 prefix.

7.2. MAP BR

The MAP BR MUST be configured with the same MAP elements as the MAP
CEs operating within the same domain.

For increased reliability and load balancing, the BR IPv6 prefix MAY
be shared across a given MAP domain. As MAP is stateless, any BR may
be used for forwarding to/from the domain at any time.

Since MAP uses provider address space, no specific IPv6 or IPv4

routes need to be advertised externally outside the service
provider’s network for MAP to operate. However, the BR prefix needs
to be advertised in the service provider’s IGP.

8. MAP-T Packet Forwarding

The end-to-end packet flow in MAP-T involves an IPv4 or IPv6 packet

being forwarded by a CE or BR in one of two directions for each such
case. This section presents a conceptual view of the operations
involved in such forwarding.

8.1. IPv4 to IPv6 at the CE

A MAP-T CE receiving IPv4 packets SHOULD perform NAPT44 processing

and create any necessary NAPT44 bindings. The source address and
source port range of packets resulting from the NAPT44 processing
MUST correspond to the source IPv4 address and source transport port
range assigned to the CE by means of the MAP Basic Mapping Rule
(BMR).

The IPv4 packet is subject to a longest IPv4 destination address +

port match MAP Rule selection, which then determines the parameters
for the subsequent NAT64 operation. By default, all traffic is
matched to the DMR and is subject to the stateless NAT64 operation
using the DMR parameters for NAT64 (Section 5.1). Packets that are
matched to (optional) Forwarding Mapping Rules (FMRs) are subject to
the stateless NAT64 operation using the FMR parameters (Section 5)
for the MAP algorithm. In all cases, the CE’s MAP IPv6 address
(Section 6) is used as a source address.

A MAP-T CE MUST support a Default Mapping Rule and SHOULD support one
or more Forwarding Mapping Rules.

Li, et al. Standards Track [Page 11]

RFC 7599 MAP-T July 2015

8.2. IPv6 to IPv4 at the CE

A MAP-T CE receiving an IPv6 packet performs its regular IPv6

operations (filtering, pre-routing, etc.). Only packets that are
addressed to the CE’s MAP-T IPv6 addresses, and with source addresses
matching the IPv6 MAP Rule prefixes of a DMR or FMR, are processed by
the MAP-T CE, with the DMR or FMR being selected based on a longest
match. The CE MUST check that each MAP-T received packet’s
transport-layer destination port number is in the range allowed for
by the CE’s MAP BMR configuration. The CE MUST silently drop any
nonconforming packet and increment an appropriate counter. When
receiving a packet whose source IP address longest matches an FMR
prefix, the CE MUST perform a check of consistency of the source
address against the allowed values as per the derived allocated
source port range. If the source port number of a packet is found to
be outside the allocated range, the CE MUST drop the packet and
SHOULD respond with an ICMPv6 "Destination Unreachable, source
address failed ingress/egress policy" (Type 1, Code 5).

For each MAP-T processed packet, the CE’s NAT64 function MUST compute
an IPv4 source and destination address. The IPv4 destination address
is computed by extracting relevant information from the IPv6
destination and the information stored in the BMR as per Section 5.
The IPv4 source address is formed by classifying a packet’s source as
longest matching a DMR or FMR rule prefix, and then using the
respective rule parameters for the NAT64 operation.

The resulting IPv4 packet is then forwarded to the CE’s NAPT44

function, where the destination IPv4 address and port number MUST be
mapped to their original value before being forwarded according to
the CE’s regular IPv4 rules. When the NAPT44 function is not
enabled, by virtue of MAP configuration, the traffic from the
stateless NAT64 function is directly forwarded according to the CE’s
IPv4 rules.

8.3. IPv6 to IPv4 at the BR

A MAP-T BR receiving an IPv6 packet MUST select a matching MAP Rule

based on a longest address match of the packet’s source address
against the MAP Rules present on the BR. In combination with the
Port Set ID derived from the packet’s source IPv6 address, the
selected MAP Rule allows the BR to verify that the CE is using its
allowed address and port range. Thus, the BR MUST perform a
validation of the consistency of the source against the allowed
values from the identified port range. If the packet’s source port
number is found to be outside the range allowed, the BR MUST drop the

Li, et al. Standards Track [Page 12]

RFC 7599 MAP-T July 2015

packet and increment a counter to indicate the event. The BR SHOULD

also respond with an ICMPv6 "Destination Unreachable, source address
failed ingress/egress policy" (Type 1, Code 5).

When constructing the IPv4 packet, the BR MUST derive the source and
destination IPv4 addresses as per Section 5 of this document and
translate the IPv6-to-IPv4 headers as per [RFC6145]. The resulting
IPv4 packet is then passed to regular IPv4 forwarding.

8.4. IPv4 to IPv6 at the BR

A MAP-T BR receiving IPv4 packets uses a longest match IPv4 +

transport-layer port lookup to identify the target MAP-T domain and
select the FMR and DMR rules. The MAP-T BR MUST then compute and
apply the IPv6 destination addresses from the IPv4 destination
address and port as per the selected FMR. The MAP-T BR MUST also
compute and apply the IPv6 source addresses from the IPv4 source
address as per Section 5.1 (i.e., using the IPv4 source and the BR’s
IPv6 prefix, it forms an IPv6-embedded IPv4 address). The generic
IPv4-to-IPv6 header translation procedures outlined in [RFC6145]
apply throughout. The resulting IPv6 packets are then passed to
regular IPv6 forwarding.

Note that the operation of a BR, when forwarding to/from MAP-T

domains that are defined without IPv4 address sharing, is the same as
that of stateless NAT64 IPv4/IPv6 translation.

9. ICMP Handling

MAP-T CEs and BRs MUST follow ICMP/ICMPv6 translation as per

[RFC6145]; however, additional behavior is also required due to the
presence of NAPT44. Unlike TCP and UDP, which provide two transport-
protocol port fields to represent both source and destination, the
ICMP/ICMPv6 [RFC792] [RFC4443] Query message header has only one ID
field, which needs to be used to identify a sending IPv4 host. When
receiving IPv4 ICMP messages, the MAP-T CE MUST rewrite the ID field
to a port value derived from the CE’s Port Set ID.

A MAP-T BR receiving an IPv4 ICMP packet that contains an ID field

that is bound for a shared address in the MAP-T domain SHOULD use the
ID value as a substitute for the destination port in determining the
IPv6 destination address. In all other cases, the MAP-T BR MUST
derive the destination IPv6 address by simply mapping the destination
IPv4 address without additional port information.

Li, et al. Standards Track [Page 13]

RFC 7599 MAP-T July 2015

10. Fragmentation and Path MTU Discovery

Due to the different sizes of the IPv4 and IPv6 headers, handling the
maximum packet size is relevant for the operation of any system
connecting the two address families. There are three mechanisms to
handle this issue: Path MTU Discovery (PMTUD), fragmentation, and
transport-layer negotiation such as the TCP Maximum Segment Size
(MSS) option [RFC879]. MAP can use all three mechanisms to deal with
different cases.

Note: The NAT64 [RFC6145] mechanism is not lossless. When

IPv4-originated communication traverses a double NAT64 function
(a.k.a. NAT464), any IPv4-originated ICMP-independent Path MTU
Discovery, as specified in [RFC4821], ceases to be entirely reliable.
This is because the DF=1/MF=1 combination as defined in [RFC4821]
results in DF=0/MF=1 after a double NAT64 translation.

10.1. Fragmentation in the MAP Domain

Translating an IPv4 packet to carry it across the MAP domain will

increase its size (typically by 20 bytes). The MTU in the MAP domain
should be well managed, and the IPv6 MTU on the CE WAN-side interface
SHOULD be configured so that no fragmentation occurs within the
boundary of the MAP domain.

Fragmentation in MAP-T domains SHOULD be handled as described in

Sections 4 and 5 of [RFC6145].

10.2. Receiving IPv4 Fragments on the MAP Domain Borders

The forwarding of an IPv4 packet received from outside of the MAP

domain requires the IPv4 destination address and the transport-
protocol destination port. The transport-protocol information is
only available in the first fragment received. As described in
Section 5.3.3 of [RFC6346], a MAP node receiving an IPv4 fragmented
packet from outside SHOULD reassemble the packet before sending the
packet onto the MAP domain. If the first packet received contains
the transport-protocol information, it is possible to optimize this
behavior by using a cache and forwarding the fragments unchanged. A
description of such a caching algorithm is outside the scope of this
document.

10.3. Sending IPv4 Fragments to the Outside

Two IPv4 hosts behind two different MAP CEs with the same IPv4
address sending fragments to an IPv4 destination host outside the
domain may happen to use the same IPv4 fragmentation identifier,
resulting in incorrect reassembly of the fragments at the destination

Li, et al. Standards Track [Page 14]

RFC 7599 MAP-T July 2015

host. Given that the IPv4 fragmentation identifier is a 16-bit

field, it can be used similarly to port ranges. Thus, a MAP CE
SHOULD rewrite the IPv4 fragmentation identifier to a value
equivalent to a port of its allocated port set.

11. NAT44 Considerations

The NAT44 implemented in the MAP CE SHOULD conform to the behavior

and best current practices documented in [RFC4787], [RFC5508], and
[RFC5382]. In MAP address-sharing mode (determined by the MAP
domain / rule configuration parameters), the operation of the NAT44
MUST be restricted to the available port numbers derived via the
Basic Mapping Rule.

12. Usage Considerations

12.1. EA-Bit Length 0

The MAP solution supports the use and configuration of domains where
a BMR expresses an EA-bit length of 0. This results in independence
between the IPv6 prefix assigned to the CE and the IPv4 address
and/or port range used by MAP. The k-bits of PSID information may in
this case be derived from the BMR.

The constraint imposed is that each such MAP domain be composed of

just one MAP CE that has a predetermined IPv6 end-user prefix. The
BR would be configured with an FMR for each such Customer Premises
Equipment (CPE), where the rule would uniquely associate the IPv4
address + optional PSID and the IPv6 prefix of that given CE.

12.2. Mesh and Hub-and-Spoke Modes

The hub-and-spoke mode of communication, whereby all traffic sent by

a MAP-T CE is forwarded via a BR, and the Mesh mode, whereby a CE is
directly able to forward traffic to another CE, are governed by the
activation of Forwarding Mapping Rules that cover the IPv4-prefix
destination and port-index range. By default, a MAP CE configured
only with a BMR, as per this specification, will use it to configure
its IPv4 parameters and IPv6 MAP address without enabling Mesh mode.

12.3. Communication with IPv6 Servers in the MAP-T Domain

By default, MAP-T allows communication between both IPv4-only and any

IPv6-enabled devices, as well as with native IPv6-only servers,
provided that the servers are configured with an IPv4-mapped IPv6
address. This address could be part of the IPv6 prefix used by the
DMR in the MAP-T domain. Such IPv6 servers (e.g., an HTTP server or
a web content cache device) are thus able to serve IPv6 users and

Li, et al. Standards Track [Page 15]

RFC 7599 MAP-T July 2015

IPv4-only users alike, utilizing IPv6. Any such IPv6-only servers

SHOULD have both A and AAAA records in DNS. DNS64 [RFC6147] will be
required only when IPv6 servers in the MAP-T domain are themselves
expected to initiate communication to external IPv4-only hosts.

12.4. Compatibility with Other NAT64 Solutions

The MAP-T CE’s NAT64 function is by default compatible for use with
[RFC6146] stateful NAT64 devices that are placed in the operator’s
network. In such a case, the MAP-T CE’s DMR prefix is configured to
correspond to the NAT64 device prefix. This in effect allows the use
of MAP-T CEs in environments that need to perform statistical
multiplexing of IPv4 addresses, while utilizing stateful NAT64
devices, and can take the role of a customer-side translator (CLAT)
as defined in [RFC6877].

13. Security Considerations

Spoofing attacks: With consistency checks between IPv4 and IPv6

sources that are performed on IPv4/IPv6 packets received by MAP
nodes, MAP does not introduce any new opportunity for spoofing
attacks that would not already exist in IPv6.

Denial-of-service attacks: In MAP domains where IPv4 addresses are

shared, the fact that IPv4 datagram reassembly may be necessary
introduces an opportunity for DoS attacks. This is inherent in
address sharing and is common with other address-sharing
approaches such as Dual-Stack Lite (DS-Lite) and NAT64/DNS64. The
best protection against such attacks is to accelerate IPv6 support
in both clients and servers.

Routing loop attacks: Routing loop attacks may exist in some

"automatic tunneling" scenarios and are documented in [RFC6324].
They cannot exist with MAP because each BR checks that the IPv6
source address of a received IPv6 packet is a CE address based on
the Forwarding Mapping Rule.

Attacks facilitated by restricted port set: From hosts that are not
subject to ingress filtering [RFC2827], an attacker can inject
spoofed packets during ongoing transport connections [RFC4953]
[RFC5961] [RFC6056]. The attacks depend on guessing which ports
are currently used by target hosts. Using an unrestricted port
set is preferable, i.e., using native IPv6 connections that are
not subject to MAP port-range restrictions. To minimize these
types of attacks when using a restricted port set, the MAP CE’s
NAT44 filtering behavior SHOULD be "Address-Dependent Filtering"
as described in Section 5 of [RFC4787]. Furthermore, the MAP CEs
SHOULD use a DNS transport proxy function to handle DNS traffic

Li, et al. Standards Track [Page 16]

RFC 7599 MAP-T July 2015

and source such traffic from IPv6 interfaces not assigned to

MAP-T. Practicalities of these methods are discussed in
Section 5.9 of [Stateless-4Via6].

ICMP Flooding: Given the necessity to process and translate ICMP and
ICMPv6 messages by the BR and CE nodes, a foreseeable attack
vector is that of a flood of such messages leading to a saturation
of the node’s ICMP computing resources. This attack vector is not
specific to MAP, and its mitigation lies in a combination of
policing the rate of ICMP messages, policing the rate at which
such messages can get processed by the MAP nodes, and of course
identifying and blocking off the source(s) of such traffic.

[RFC6269] outlines general issues with IPv4 address sharing.

14. References

14.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate

Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.

[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
DOI 10.17487/RFC6052, October 2010,
<http://www.rfc-editor.org/info/rfc6052>.

[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation

Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
<http://www.rfc-editor.org/info/rfc6145>.

[RFC6346] Bush, R., Ed., "The Address plus Port (A+P) Approach to
the IPv4 Address Shortage", RFC 6346,
DOI 10.17487/RFC6346, August 2011,
<http://www.rfc-editor.org/info/rfc6346>.

[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
Murakami, T., and T. Taylor, Ed., "Mapping of Address and
Port with Encapsulation (MAP-E)", RFC 7597,
DOI 10.17487/RFC7597, July 2015,
<http://www.rfc-editor.org/info/rfc7597>.

Li, et al. Standards Track [Page 17]

RFC 7599 MAP-T July 2015

14.2. Informative References

[MAP-T-Use-Cases]
Maglione, R., Ed., Dec, W., Leung, I., and E. Mallette,
"Use cases for MAP-T", Work in Progress,
draft-maglione-softwire-map-t-scenarios-05, October 2014.

[RFC792] Postel, J., "Internet Control Message Protocol", STD 5,

RFC 792, DOI 10.17487/RFC0792, September 1981,
<http://www.rfc-editor.org/info/rfc792>.

[RFC879] Postel, J., "The TCP Maximum Segment Size and Related
Topics", RFC 879, DOI 10.17487/RFC0879, November 1983,
<http://www.rfc-editor.org/info/rfc879>.

[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address

Translator (NAT) Terminology and Considerations",
RFC 2663, DOI 10.17487/RFC2663, August 1999,
<http://www.rfc-editor.org/info/rfc2663>.

[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:

Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <http://www.rfc-editor.org/info/rfc2827>.

[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic

Host Configuration Protocol (DHCP) version 6", RFC 3633,
DOI 10.17487/RFC3633, December 2003,
<http://www.rfc-editor.org/info/rfc3633>.

[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet

Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification", RFC 4443,
DOI 10.17487/RFC4443, March 2006,
<http://www.rfc-editor.org/info/rfc4443>.

[RFC4787] Audet, F., Ed., and C. Jennings, "Network Address

Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787,
January 2007, <http://www.rfc-editor.org/info/rfc4787>.

[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU

Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007,
<http://www.rfc-editor.org/info/rfc4821>.

Li, et al. Standards Track [Page 18]

RFC 7599 MAP-T July 2015

[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless

Address Autoconfiguration", RFC 4862,
DOI 10.17487/RFC4862, September 2007,
<http://www.rfc-editor.org/info/rfc4862>.

[RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks",

RFC 4953, DOI 10.17487/RFC4953, July 2007,
<http://www.rfc-editor.org/info/rfc4953>.

[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
RFC 5382, DOI 10.17487/RFC5382, October 2008,
<http://www.rfc-editor.org/info/rfc5382>.

[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", BCP 148, RFC 5508,
DOI 10.17487/RFC5508, April 2009,
<http://www.rfc-editor.org/info/rfc5508>.

[RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP’s

Robustness to Blind In-Window Attacks", RFC 5961,
DOI 10.17487/RFC5961, August 2010,
<http://www.rfc-editor.org/info/rfc5961>.

[RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport-

Protocol Port Randomization", BCP 156, RFC 6056,
DOI 10.17487/RFC6056, January 2011,
<http://www.rfc-editor.org/info/rfc6056>.

[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful

NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <http://www.rfc-editor.org/info/rfc6146>.

[RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van

Beijnum, "DNS64: DNS Extensions for Network Address
Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
DOI 10.17487/RFC6147, April 2011,
<http://www.rfc-editor.org/info/rfc6147>.

[RFC6219] Li, X., Bao, C., Chen, M., Zhang, H., and J. Wu, "The
China Education and Research Network (CERNET) IVI
Translation Design and Deployment for the IPv4/IPv6
Coexistence and Transition", RFC 6219,
DOI 10.17487/RFC6219, May 2011,
<http://www.rfc-editor.org/info/rfc6219>.

Li, et al. Standards Track [Page 19]

RFC 7599 MAP-T July 2015

[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011,
<http://www.rfc-editor.org/info/rfc6269>.

[RFC6324] Nakibly, G. and F. Templin, "Routing Loop Attack Using

IPv6 Automatic Tunnels: Problem Statement and Proposed
Mitigations", RFC 6324, DOI 10.17487/RFC6324, August 2011,
<http://www.rfc-editor.org/info/rfc6324>.

[RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:

Combination of Stateful and Stateless Translation",
RFC 6877, DOI 10.17487/RFC6877, April 2013,
<http://www.rfc-editor.org/info/rfc6877>.

[RFC7598] Mrugalski, T., Troan, O., Farrer, I., Perreault, S., Dec,
W., Bao, C., Yeh, L., and X. Deng, "DHCPv6 Options for
Configuration of Softwire Address and Port-Mapped
Clients", RFC 7598, DOI 10.17487/RFC7598, July 2015,
<http://www.rfc-editor.org/info/rfc7598>.

[Solutions-4v6]
Boucadair, M., Ed., Matsushima, S., Lee, Y., Bonness, O.,
Borges, I., and G. Chen, "Motivations for Carrier-side
Stateless IPv4 over IPv6 Migration Solutions", Work in
Progress, draft-ietf-softwire-stateless-4v6-motivation-05,
November 2012.

[Stateless-4Via6]
Dec, W., Asati, R., Bao, C., Deng, H., and M. Boucadair,
"Stateless 4Via6 Address Sharing", Work in Progress,
draft-dec-stateless-4v6-04, October 2011.

[TR069] Broadband Forum TR-069, "CPE WAN Management Protocol",

Amendment 5, CWMP Version: 1.4, November 2013,
<https://www.broadband-forum.org>.

Li, et al. Standards Track [Page 20]

RFC 7599 MAP-T July 2015

Appendix A. Examples of MAP-T Translation

Example 1 - Basic Mapping Rule:

Given the following MAP domain information and IPv6 end-user prefix
assigned to a MAP CE:

End-user IPv6 prefix: 2001:db8:0012:3400::/56

Basic Mapping Rule: {2001:db8:0000::/40 (Rule IPv6 prefix),
192.0.2.0/24 (Rule IPv4 prefix),
16 (Rule EA-bit length)}
PSID length: (16 - (32 - 24) = 8 (sharing ratio of 256)
PSID offset: 6 (default)

A MAP node (CE or BR) can, via the BMR or equivalent FMR, determine
the IPv4 address and port set as shown below:

EA bits offset: 40
IPv4 suffix bits (p): Length of IPv4 address (32) -
IPv4 prefix length (24) = 8
IPv4 address: 192.0.2.18 (0xc0000212)
PSID start: 40 + p = 40 + 8 = 48
PSID length (q): o - p = (End-user prefix len -
Rule IPv6 prefix len) - p
= (56 - 40) - 8 = 8
PSID: 0x34

Available ports (63 ranges): 1232-1235, 2256-2259, ...... ,

63696-63699, 64720-64723

The BMR information allows a MAP CE to determine (complete) its

IPv6 address within the indicated End-user IPv6 prefix.

IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034

Li, et al. Standards Track [Page 21]

RFC 7599 MAP-T July 2015

Example 2 - BR:

Another example is a MAP-T BR configured with the following FMR

when receiving a packet with the following characteristics:

IPv4 source address: 10.2.3.4 (0x0a020304)

TCP source port: 80
IPv4 destination address: 192.0.2.18 (0xc0000212)
TCP destination port: 1232

Forwarding Mapping Rule: {2001:db8::/40 (Rule IPv6 prefix),

192.0.2.0/24 (Rule IPv4 prefix),
16 (Rule EA-bit length)}

MAP-T BR Prefix (DMR): 2001:db8:ffff::/64

The above information allows the BR to derive the mapped destination

IPv6 address for the corresponding MAP-T CE, and also the source
IPv6 address for the mapped IPv4 source address, as follows:

IPv4 suffix bits (p): 32 - 24 = 8 (18 (0x12))

PSID length: 8
PSID: 0 x34 (1232)

The resulting IPv6 packet will have the following header fields:

IPv6 source address: 2001:db8:ffff:0:000a:0203:0400::

IPv6 destination address: 2001:db8:0012:3400:0000:c000:0212:0034
TCP source port: 80
TCP destination port: 1232

Example 3 - FMR:

An IPv4 host behind a MAP-T CE (configured as per the previous

examples) corresponding with IPv4 host 10.2.3.4 will have its
packets converted into IPv6 using the DMR configured on the MAP-T
CE as follows:

Default Mapping Rule: {2001:db8:ffff::/64 (Rule IPv6 prefix),

0.0.0.0/0 (Rule IPv4 prefix)}

IPv4 source address: 192.0.2.18

IPv4 destination address: 10.2.3.4
IPv4 source port: 1232
IPv4 destination port: 80
MAP-T CE IPv6 source address: 2001:db8:0012:3400:0000:c000:0212:0034
IPv6 destination address: 2001:db8:ffff:0:000a:0203:0400::

Li, et al. Standards Track [Page 22]

RFC 7599 MAP-T July 2015

Example 4 - Rule with no embedded address bits and no address

sharing:

End-user IPv6 prefix: 2001:db8:0012:3400::/56

Basic Mapping Rule: {2001:db8:0012:3400::/56 (Rule IPv6 prefix),
192.0.2.1/32 (Rule IPv4 prefix),
0 (Rule EA-bit length)}
PSID length: 0 (sharing ratio is 1)
PSID offset: n/a

A MAP node can, via the BMR or equivalent FMR, determine the
IPv4 address and port set as shown below:

EA bits offset: 0
IPv4 suffix bits (p): Length of IPv4 address -
IPv4 prefix length = 32 - 32 = 0
IPv4 address: 192.0.2.18 (0xc0000212)
PSID start: 0
PSID length: 0
PSID: null

The BMR information allows a MAP CE to also determine (complete) its

full IPv6 address by combining the IPv6 prefix with the MAP interface
identifier (that embeds the IPv4 address).

IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0201:0000

Li, et al. Standards Track [Page 23]

RFC 7599 MAP-T July 2015

Example 5 - Rule with no embedded address bits and address sharing

(sharing ratio of 256):

End-user IPv6 prefix: 2001:db8:0012:3400::/56

Basic Mapping Rule: {2001:db8:0012:3400::/56 (Rule IPv6 prefix),
192.0.2.18/32 (Rule IPv4 prefix),
0 (Rule EA-bit length)}
PSID length: (16 - (32 - 24)) = 8 (sharing ratio of 256;
provisioned with DHCPv6)
PSID offset: 6 (default)
PSID: 0x20 (provisioned with DHCPv6)

A MAP node can, via the BMR, determine the IPv4 address and port set
as shown below:

EA bits offset: 0
IPv4 suffix bits (p): Length of IPv4 address -
IPv4 prefix length = 32 - 32 = 0
IPv4 address 192.0.2.18 (0xc0000212)
PSID start: 0
PSID length: 8
PSID: 0x34

Available ports (63 ranges): 1232-1235, 2256-2259, ...... ,

63696-63699, 64720-64723

The BMR information allows a MAP CE to also determine (complete) its

full IPv6 address by combining the IPv6 prefix with the MAP interface
identifier (that embeds the IPv4 address and PSID).

IPv6 address of MAP CE: 2001:db8:0012:3400:0000:c000:0212:0034

Note that the IPv4 address and PSID are not derived from the IPv6
prefix assigned to the CE but are provisioned separately, using, for
example, MAP options in DHCPv6.

Appendix B. Port-Mapping Algorithm

The driving principles and the mathematical expression of the mapping

algorithm used by MAP can be found in Appendix B of [RFC7597].

Li, et al. Standards Track [Page 24]

RFC 7599 MAP-T July 2015

Acknowledgements

This document is based on the ideas of many, particularly Remi

Despres, who has tirelessly worked on generalized mechanisms for
stateless address mapping.

The authors would also like to thank Mohamed Boucadair, Guillaume

Gottard, Dan Wing, Jan Zorz, Nejc Skoberne, Tina Tsou, Gang Chen,
Maoke Chen, Xiaohong Deng, Jouni Korhonen, Tomek Mrugalski, Jacni
Qin, Chunfa Sun, Qiong Sun, Leaf Yeh, Andrew Yourtchenko, Roberta
Maglione, and Hongyu Chen for their review and comments.

Contributors

The following individuals authored major contributions to this

document and made the document possible:

Chongfeng Xie
China Telecom
Room 708, No. 118, Xizhimennei Street
Beijing 100035
China
Phone: +86-10-58552116
Email: [email protected]

Qiong Sun
China Telecom
Room 708, No. 118, Xizhimennei Street
Beijing 100035
China
Phone: +86-10-58552936
Email: [email protected]

Rajiv Asati
Cisco Systems
7025-6 Kit Creek Road
Research Triangle Park, NC 27709
United States
Email: [email protected]

Gang Chen
China Mobile
29, Jinrong Avenue
Xicheng District, Beijing 100033
China
Email: [email protected], [email protected]

Li, et al. Standards Track [Page 25]

RFC 7599 MAP-T July 2015

Wentao Shang
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China
Email: [email protected]

Guoliang Han
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China
Email: [email protected]

Yu Zhai
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China
Email: [email protected]

Authors’ Addresses

Xing Li
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China

Email: [email protected]

Congxiao Bao
CERNET Center/Tsinghua University
Room 225, Main Building, Tsinghua University
Beijing 100084
China

Email: [email protected]

Wojciech Dec (editor)

Cisco Systems
Haarlerbergpark Haarlerbergweg 13-19
Amsterdam, NOORD-HOLLAND 1101 CH
The Netherlands

Email: [email protected]

Li, et al. Standards Track [Page 26]

RFC 7599 MAP-T July 2015

Ole Troan
Cisco Systems
Philip Pedersens vei 1
Lysaker 1366
Norway

Email: [email protected]

Satoru Matsushima
SoftBank Telecom
1-9-1 Higashi-Shinbashi, Munato-ku
Tokyo
Japan

Email: [email protected]

Tetsuya Murakami
IP Infusion
1188 East Arques Avenue
Sunnyvale, CA 94085
United States

Email: [email protected]

Li, et al. Standards Track [Page 27]