Foreword note: This proposal stacks additional functionality on top of the RFC 3056 6to4 standard in a way which violates specific portions of that standard. The standard would need revisions before this policy could be implemented. Refer to the attached appendix for details.

Template: ARIN-POLICY-PROPOSAL-TEMPLATE-1.0

  1. Policy Proposal Name: IPv4 to IPv6 Fast Migration
  2. Author
    1. name: William Herrin
    2. email: bill@herrin.us
    3. telephone:
    4. organization: Self
  3. Proposal Version: 2.1
  4. Submission Date:
  5. Proposal type: New
  6. Policy term: permanent
  7. Policy statement:

ARIN shall encourage and support the use of the RFC 3056 6to4 standard for rapid deployment of IPv6 by existing IPv4 registrants within the ARIN region prior to IPv4 exhaustion. This deployment shall consist of three phases:

Transition phase: 1/1/2008 through 1/1/2010

ARIN shall recommend that all native IPv6 providers implement a 6to4 encapsulating router and a 2002::/16 route within their networks.

ARIN shall notify those seeking end-user IPv6 provider-independent space that existing IPv4 registrants may use and announce 6to4 space instead if desired.

ARIN shall recommend that native IPv6 providers constrain IPv6 table growth by filtering 2002:: routes as specified in the 6to4 RFC and encapsulating affected IPv6 traffic into IPv4 packets.

ARIN shall establish a mechanism for setting a permanent login to the NRO 6to4 reverse DNS (RDNS) delegation system for the delegations associated with a particular block of assigned or allocated IPv4 addresses. ARIN shall request that NRO implement such a permanent login so that once set by ARIN, no further weakly authenticated access will be permitted to the delegations associated with that block of IPv4 addresses.

Organizations holding IPv4 space under ARIN's Registration Services Agreement (the RSA) may request an RNDS permanent login associated with no more than one of the IPv4 assignments or allocations held by that organization. This RNDS permanent login is attached to and indivisible from the IPv4 assignment or allocation.

Organizations wishing to request an RDNS permanent login for legacy IPv4 space not managed under the RSA shall first accept the RSA as associated with that address block. These legacy registrations will be treated as end-user assignments unless otherwise requested by the registrant. As these networks are grandfathered, no initial assignment fees will be due and no use qualifications will be requested. As specified by ARIN's end-user assignment policy, only ARIN's then-current annual maintenance fee will be due.

As this proposal requires an update to the filtering rules in RFC 3056, the start of the transition phase will if necessary be delayed until 30 days after such an update RFC is published.

Mixed phase: 1/1/2010 until IPv4 use declines

ARIN shall cease accepting permanent password requests for blocks to which a permanent password has not already been assigned. By 2/1/2010, ARIN shall publish a list of all 2002:: blocks covered by permanent passwords. These blocks shall be considered valid provider-independent blocks.

ARIN shall cease offering 6to4 as an alternative to end-user IPv6 provider-independent assignments.

ARIN shall recommend that native IPv6 providers accept route advertisements for the exact provided list of 2002:: prefixes.

ARIN shall advise that organizations which filter 6to4 advertisements per the RFC may continue to do so with the expectation of full reachability until the deployment of IPv4 declines.

Using the best available practices, ARIN staff shall make periodic assessments no more than 2 years apart as to whether IPv4 use has declined to a point which justifies moving to native phase. 

Native phase: Following the decline of IPv4

ARIN shall recommend that native IPv6 providers accept and propagate advertisements for the exact provided list of 2002:: prefixes, treating such prefixes no differently than they would any other IPv6 assignment by ARIN.

ARIN shall recommend that any network which does not receive 2002:: routes discontinue originating a 2002::/16 route and cease encapsulating 2002:: destined packets into IPv4 packets.

ARIN shall advise that network providers who improperly continue to filter 2002:: routes may be unable to reach valid hosts within ARIN's territory. ARIN shall consider such network providers to not be fully connected to the Internet.

  1. Rationale:

RFC 3056 allocated 2002::/16 for use in IPv6 islands existing within the IPv4 network. A translating router is assigned a specific IPv4 address. The IPv6 island is then connected to that router using subnets in 2002:ipv4:addr::/48. The translator encapsulates IPv6 traffic for other 2002:: addresses into IPv4 packets and sends them to the corresponding IPv4 address for decapsulation. It similarly encapsulates packets for native IPv6 destinations and sends them to a public anycast 6to4 encapsulator. This policy extends the use of 2002::/16 for the IPv6 islands' eventual transition to a natively connected IPv6 network.

This policy addresses four of the difficulties ARIN faces:

  1. The looming exhaustion of the IPv4 space.
  2. Obsolete and incorrect legacy IPv4 registration and contact information.
  3. Legacy IPv4 registrants don't pay their fair share.
  4. The need to constrain route announcements in the IPv6 Default-Free Zone

The looming exhaustion of the IPv4 space.

IPv4 space is rapidly running out with potentially disastrous consequences. Various ideas have been floated to slow or mitigate this process, but thus far only one permanent solution is on the table: migrate to IPv6.

Unfortunately, IPv6 uptake has been slow. Usage projections suggest that the IPv4 space will be completely exhausted long before IPv6 has reached a level of ubiquity necessary to replace it.

The proposed policy encourages a the rapid deployment of IPv6 by making IPv6 allocations and assignments trivially available to all existing IPv4 registrants at no additional cost.

Obsolete and incorrect legacy IPv4 registration and contact information.

Many of the IPv4 registrations established before ARIN's stewardship of the Americas portion of the IPv4 space show obsolete and incorrect contact and organizational information. Some of the space is defunct.

This policy encourages those registrants to voluntarily come forward, update their contact information and voluntarily join ARIN's normal management process so that they may deploy 6to4 IPv6 addresses for production use and join the next generation of the Internet.

Legacy IPv4 registrants don't pay their fair share.

Registrants holding pre-ARIN address space receive services from ARIN such as reverse-DNS but do not pay their fair share of ARIN's annual $10M operating expenses.

This policy encourages those registrants to voluntarily sign the Registration Services Agreement (RSA) and join ARIN's regular operating process as end-users so that they may deploy 6to4 IPv6 addresses for production use and join the next generation of the Internet.

The need to constrain route announcements in the IPv6 Default-Free Zone

Routers on the portion of the Internet backbone which do not implement a default route (the default-free zone or DFZ) can support a fixed number of individual routes. This limit is set by the amount of memory in the routers, the amount of time it takes routers to load the BGP table and related dynamic stability issues. The system is severely stressed by the current presence of some 220,000 advertised IPv4 prefixes and might fail if the same 220,000 routes were rapidly imported into IPv6.

This policy reduces the number of routes added to the IPv6 DFZ in the near term by placing most provider-independent (PI) assignments under a 2002::/16 aggregated route. Providers may defer introducing the individual routes into the DFZ until such a time as their infrastructure can readily support it or until IPv4 deployment (and the IPv4 routes advertised) begins to wane. Further, because only one of the 6to4 blocks associated with an organization's IPv4 blocks can be imported to IPv6, the total number of routes eventually added to IPv6 will likely number less than 55,000.

More comments:

Reverse DNS

The Number Resource Organization (NRO) manages reverse DNS delegations for 2002::/16 on behalf of ARIN and the other Regional Internet Registries. Access to perform delegations is weakly authenticated: any machine within the affected /48 may set or change the delegation via https://6to4.nro.net/. For production use of 2002::/16, a more strongly authenticated access is required.

By accepting strong authentication for only one of an organization's 2002:: assignments, ARIN strongly discourages organizations from attempting to announce multiple discontiguous blocks of IPv6 addresses into the global routing table.

Additional Notes

It would be reasonable to reward folks like the 6Bone users for their efforts as first adopters instead of disrespecting them in favor of the IPv4 holders. This proposal neither precludes nor addresses that.

A common criticism of this proposal is that no organization which has needed IPv6 space has failed to get it, making this proposal redundant. This proposal is not intended to address individual organizations' existing need for IPv6 addresses as clearly all such organizations already have them. Instead, it targets organizations' communal need to have completed deployment of IPv6 prior to IPv4's exhaustion. It does so by artificially creating a need for IPv6. Many if not most network administrators share a common trait: the desire to tinker. Given possession of a new gadget, many admins will choose to try it out. Having tried it, many will then find that they need it after all.

Current IPv6 assignment policy disrespects the IPv4 early adopters (legacy registrants) by refusing provider-independent space to those who can not meet today's significantly more stringent requirements. While done with the best intent, such policy engenders hostility and procrastination among a group whose enthusiastic participation could offer significant impetus to the IPv6 deployment effort. This proposal reverses that trend, offering legacy registrants a time-limited opportunity to join the IPv6 deployment effort in a personally advantageous manner while side-stepping the routing problems such participation might otherwise cause.

By accepting this proposal, ARIN would explicitly favor the use of 6to4 over competing technologies like Teredo, ISATAP, and 6over4. While this is true to an extent, nothing about this policy requires that any network provider other than those directly using 6to4 space implement any 6to4 technologies. An intermediate IPv6 network provider which accepts and propagates 2002:: prefixes the same as any other ARIN-assigned prefixes would be in full compliance with this policy. Further, this policy in no way harms or invalidates the competing technologies.

Shim6 offers a potential way to implement multihoming for small operators using two or more subnets of provider aggregatable space instead of a provider independent assignment. If successful, Shim6 may be ubiquitously deployed as soon as 2015. If Shim6 works out, this current proposal provides a bridge so that IPv4 registrants can continue to employ the benefits of multihoming without harming the IPv6 DFZ even while Shim6 software is developed and deployed.

Waste

This proposal uses only address space already allocated for 6to4.

This proposal limits the injection of routes into the global IPv6 table both with an RDNS policy which strongly discourages the production deployment of more than one such route by any single organization and a filtering policy that allows organizations to aggregate the entire space into a single announced prefix.

  1. Timetable for implementation: January 1, 2008
  2. Meeting presenter:

END OF TEMPLATE

Appendix: Changes needed to 6to4

6to4 presently forbids announcing 2002:: space into the native IPv6 infrastructure based on the desire back in 2001 to avoid propagating the discontiguous mess of IPv4 routes forward in to IPv6. In 2007, this proposal envisions an alternate approach to discourage such pollution while facing the much closer reality of IPv4 address exhaustion. This would require adjustments to the RFC, detailed here:

RFC 3056 section 5.2 specifies:

6to4 prefixes more specific than 2002::/16 must not be propagated in native IPv6 routing, to prevent pollution of the IPv6 routing table by elements of the IPv4 routing table.  Therefore, a 6to4 site which also has a native IPv6 connection MUST NOT advertise its 2002::/48 routing prefix on that connection, and all native IPv6 network   operators MUST filter out and discard any 2002:: routing prefix advertisements longer than /16.

Sites which have at least one native IPv6 connection, in addition to a 6to4 connection, will therefore have at least one IPv6 prefix which is not a 2002:: prefix. Such sites' DNS entries will reflect this and DNS lookups will return multiple addresses. If two such sites need to interoperate, whether the 6to4 route or the native route will be used depends on IPv6 address selection by the individual hosts (or even applications).

This would change to:

6to4 prefixes more specific than 2002::/16 MAY be propagated in native IPv6 routing however such prefixes SHOULD NOT be longer than /40. Organizations SHOULD filter out and discard 2002:: route advertisements longer than /40.
 
Organizations which wish to limit pollution of the IPv6 routing table MAY filter out and discard 2002:: route advertisements longer than /16 received from neighbors to whom only locally authoritative prefixes are advertised (peers and upstream transit providers). Organizations which so filter MUST implement a 2002::/16 route to a 6to4 translating router such that packets destined to filtered 2002:: routes remain reachable via the corresponding IPv4 routes. Organizations which so filter MUST announce the 2002::/16 route to any neighbors to whom a full BGP table is advertised (paid customers) so that those neighbors can reach 2002:: addresses regardless of whether they implement 6to4.
 
Organizations which wish to further limit pollution of the IPv6 routing table MAY filter out and discard 2002:: route advertisements longer than /16 received from neighbors to whom a full BGP table is advertised (paid customers). Organizations which so filter MUST implement a 2002::/16 route to a 6to4 translating router such that packets destined to filtered 2002:: routes remain reachable via the corresponding IPv4 routes. Organizations which so filter MUST announce the 2002::/16 route to all neighbors so that locally authoritative 2002:: addresses remain reachable regardless of whether the neighbor implements 6to4.

Organizations who filter prefixes more specific than 2002::/16 SHOULD consult the Regional Internet Registries for guidance related to those portions of the 2002:: space under their management.

RFC 3056 section 5.2.2 specifies:

On its native IPv6 interface, the relay router MUST advertise a route to 2002::/16. It MUST NOT advertise a longer 2002:: routing prefix on that interface. Routing policy within the native IPv6 routing domain determines the scope of that advertisement, thereby limiting the visibility of the relay router in that domain.

This would change to:

On its native IPv6 interface, the relay router MUST advertise a route to 2002::/16. It MAY advertise longer 2002:: routing prefixes on that interface. Routing policy within the native IPv6 routing domain determines the scope of that advertisement, thereby limiting the visibility of the relay router in that domain.

Additionally, the following statement would be added to RFC 3056:

6to4 translating IPv6 routers which encounter a 2002:: route more specific than /16 SHOULD prefer the native IPv6 routes over 6to4 translation.