Dynamic IPv4 Provisioning for Lightweight 4over6

Lightweight 4over6 (lw4o6) provides IPv4 access over an IPv6 network with a hub-and-spoke softwire architecture. In Lightweight 4over6, each Lightweight B4 (lwB4) is assigned a full, or shared (port-restricted) IPv4 address to be used for IPv4 communication. Provisioning the lwB4 with its IPv4 address, port set and other parameters necessary for building the softwire is a core function of the lw4o6 control plane. describes the use of DHCPv6 for deterministic IPv4 provisioning. The IPv4 address, port set ID (PSID) and address of the lwAFTR are carried in DHCPv6 options defined in . However, the deterministic provisioning of the IPv4 parameters imposes restrictions on the deployment: The IPv4 address' life time is bound to the client's IPv6 tunnel endpoint life time The tunnel must be initiated from a fixed and predictable /64 prefix in the home network topology The IPv4 address and PSID need to be embedded into the IID of the clients' /128 IPv6 address IPv4 address resources are permanently reserved for a client whether it is active or not. This results in less efficient public IPv4 address usage This document describes how lw4o6 uses DHCPv4 over DHCPv6 to achieve dynamic IPv4 address provisioning. The main advantages of using a dynamic provisioning model over a deterministic provisioning model are as follows: No inherent restrictions on the IPv6 source address within the customer internal network that the client uses for sourcing its tunneled traffic The lifetimes of IPv6 and IPv4 addresses are decoupled, allowing for more flexibility in the service provider's addressing policy Inactive clients' addresses can be released/reclaimed for allocation to active clients, so more efficient address usage is possible Since DHCPv4 over IPv4 cannot be used natively in a pure IPv6 network, DHCPv4 over DHCPv6 (DHCP 4o6) allows DHCPv4 messages to be trasported over a pure IPv6 network by encapsulating DHCPv4 messages into specific DHCPv6 options and messages. Note that the dynamic provisioning decouples the IPv6 and IPv4 addresses, the binding info required by lwAFTR turns to be an ayschronous combiantion of (restricted) IPv4 address and IPv6 address. defines a DHCP 4o6 based mechanism for the lwB4 to inform the server of its binding between dynamically allocated IPv4 address and Port Set ID and the IPv6 address that it will use for accessing IPv4-over-IPv6 services The architecture which is described in this document can be implemented with or without the sharing of IPv4 addresses between multiple clients. If IPv4 address sharing is required, then describes the necessary extensions to the DHCPv4 server and client provisioning for the allocation and lease management of shared IPv4 addresses.

Terminology defined in and is used extensively throughout this document. Determinstic provisioning: Lightweight B4 provisioning with DHCPv6 as described in section 5.1 of . The IPv4 address, restricted port set and the address of lwAFTR are carried in DHCPv6 options defined in . Dynamic provisioning: Lightweight B4 provisioning with DHCPv4 over DHCPv6 as described in this document. The IPv4 address and rescricted port set are allocated through DHCP 4o6 transport as defined in . The allocation of lwAFTR's IPv6 address is descirbed in .

As shown in Figure 1, the dynamic provisioning model consists of four functional elements: lwB4, lwAFTR, DHCPv6 Server and DHCP 4o6 Server. Note that these elements are not necessarily separate devices, one or more functional elements could be located on a single device. One existing example of this is the co-location of the DHCP 4o6 Server and lwAFTR as a single gateway device. The differences in the message flow from this co-location are also described below.

Before attempting the DHCP 4o6 configuration process to obtain IPv4 configuration, the lwB4 requires an IPv6 address of a suitable scope to allow communication with the lwAFTR (e.g. a link-local address cannot be used). This IPv6 address can be configured using any applicable method (e.g. SLAAC, DHCPv6, etc.). To enable DHCPv4 over DHCPv6 transport, the lwB4 needs to perform DHCPv6 to retrieve the DHCP 4o6 server's IPv6 address. The option code OPTION_DHCP4_O_DHCP6_SERVER (88) is included in the client's ORO. The DHCPv6 server responds the DHCP 4o6 server's IPv6 address by carrying the addresses in DHCP 4o6 Server Address option as defined in .

Once the lwB4 has acquired the IPv6 address of the DHCP 4o6 server, stateful configuration using DHCP 4o6 is performed to obtain an IPv4 address and (optionally) a port set. The lwB4 sends a DHCPv4 DISCOVER message in a DHCPv4-query Message to the DHCP 4o6 server(s) to activate the DHCP 4o6 transport. To obtain a shared IPv4 address, the lwB4 also has to include Parameter Request List option with the option code OPTION_V4_PORTPARAMS (159) as described in . To obtain the IPv6 address of lwAFTR and inform the DHCP4o6 server of the lwB4's IPv6 tunnle source address, the message flow described in section 5 of is followed by the lwB4. Once successfully completed, the client has been provisioned with the IPv6 address of the lwAFTR, an IPv4 address and (optionally) a range of source ports. The server has the /128 IPv6 address that the client will use its tunnel source associated with the IPv4 lease.

As stated in , the lwAFTR MUST synchronize the binding information with the port-restricted address provisioning process. In the dynamic provisioning model described in this document, once the lwB4's provisioning process is completed and the DHCP 4o6 server holds the client's /128 IPv6 tunnel endpoint address, this binding information can be syncronized with the lwAFTR. The method for this synchronization is dependent on whether the DHCP 4o6 and lwAFTR functions are co-located on the same physical host.

Here, the lwAFTR maintains its binding table as per section 6.1 of and is synchronized with DHCP 4o6 process. The following DHCP 4o6 messages trigger binding table modification: Generated by the DHCP 4o6 server, triggers lwAFTR to add a new entry or modify an existing entry. Generated by lwB4, triggers lwAFTR to delete an existing entry. When the DHCP 4o6 server generates a DHCPACK message, information about the new lease including the client's IPv6 tunnel endpoint address and IPv4 address/PSID tuple is sent to the lwAFTR process. The lwAFTR performs a check that this new binding does not match an existing binding (both the v6 and v4 information must be checked independently to ensure no conflicts). If no conflicts are found the lwAFTR creates a new binding table entry for the client. If there an existing entry is found, the lwAFTR updates the IPv6 address and lifetime fields of the entry. When the DHCP 4o6 server receives a DHCPRELEASE message, the lwAFTR looks up the binding table using the lwB4's IPv6 address, IPv4 address and PSID as index. The lwAFTR deletes the entry either by removing it from the binding table or by marking the lifetime field with an invalid value (e.g. 0).

With this architecture, NETCONF is used for syncronising client DHCP 4o6 provisioning and the lwAFTR binding table. A YANG model for lw4o6 is defined in . In this deployment model, the DHCP 4o6 server and lwAFTR also implements a NETCONF server. When an IPv4 leasing event occurs (DHCPACK/DHCPRELEASE messages, or an active lease expiring), the DHCP 4o6 server informs the operator's centralised configuration database of the change. The operator's configuration database will then use NETCONF to update the lwAFTR of the relevant change by adding or removing the binding table entry which matches he DHCP 4o6 server's IPv4 address lease.

Security considerations in and are also relevant here. The DHCP message triggered binding table maintenance may be used by an attacker to send fake DHCP messages to lwAFTR. The operator network should deploy to prevent this kind of attack.

In some countries, regulations require a service providers to retain the necessary information to link IP allocatoin information to a specific customer at a specific point in time. With a deterministic provisioning model, any individual client will always receive a pre-determined set of IPv4 provisioning requirements. In this scenario, the logging requirement may be met by retaining information on how the DHCPv6 server has been pre-provisioned, with timestamp information on when changes to the pre-provisioning have come into effect. The dynamic provisioning model that is described in this document brings an additional logging requirement to the service provider: The retention logs holding allocated IPv4 address and ports, the associated IPv6 tunnel endpoint and timestamps marking the start and end of the lease. This is a higher logging overheard than deterministic provisioning, but is in line with the amount of logging that service providers currently have.

This document does not include an IANA request.