IETF Logo Mail Archive

[v6ops] Re: I-D Action: draft-ietf-v6ops-nat64-wkp-1918-00.txt

Jen Linkova <furry13@gmail.com> Wed, 11 February 2026 08:18 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@mail2.ietf.org
Delivered-To: v6ops@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 303F2B53AEA2 for <v6ops@mail2.ietf.org>; Wed, 11 Feb 2026 00:18:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -0.749
X-Spam-Level:
X-Spam-Status: No, score=-0.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_GMAIL_RCVD=1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTTP_ESCAPED_HOST=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HFjlUZjMO-EA for <v6ops@mail2.ietf.org>; Wed, 11 Feb 2026 00:18:22 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 96FA3B53AE9F for <v6ops@ietf.org>; Wed, 11 Feb 2026 00:18:22 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id d75a77b69052e-5032e951106so14800381cf.0 for <v6ops@ietf.org>; Wed, 11 Feb 2026 00:18:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770797902; cv=none; d=google.com; s=arc-20240605; b=PRU3inzpgwuh2CYKrGueZRGYNLyWgSAzoW270LFl0XmwcmPzaV0IGnf0GmrJkxXeAE 9Oo0BwJeE6CKWitcqHEtAJb7IkeVAKCQZAMbo5S8jsijxGbjJ08Ti73+e4qfz/bduqeg 2HKeNBXhkX7ioD61H2noFEu+2j6BaajWML9alZiCB6bMZ1xn6yzpaqDdrv33TpDks1zm EnaW0mt/sD3ShZbdJyTrRKM1vYpYr8A+mWfo6wL2VzuNPLoSKocg5M0Yuh7A/q4d27wQ YKpXs1Cx3V6pTuLczAFZogm3iuB1XH8ni+cyZaky68NaVfonUFLjzC3BjQzxIS4mvjMb V2PA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=tiFupujIzqj9qzhyNmLt4MxnSLXIua4TRxINuHM78gY=; fh=JVFqXpoL59OFBG9/6ZXJUUnIbrb/qoSkLgIGUvuMujM=; b=eZiG9TKZpRGa+n6oiwX/dmlyyAdz02bFZMZrpHs6pJwCXPrjWhxYvbdvfLWSzQv8Kv 9i6D15klJIHkAvG247Uajv7eo1xazJWUXqX13H7wERAsHbbd9kXHF/+ETTXNIX9WMlgo t//0KVKnEbLqTELznYKtZgQqGFWOfRElNJSi517L9KL6epyNe2l4xZGM9djU1EDbhnVn mQSZy7bHHtVf3PzaNjGaUNK3aqwsn6Z46ip8hkioCg19R/ztXrBaCpm6LbIOZHIv9G9E 4mrpiN+8iiRd8a5p/oaC3dOUnoMhDk8mCuCrU3RSwPCulXAW0ZQT1N2djsV26fL/EFeu 5xwg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770797902; x=1771402702; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=tiFupujIzqj9qzhyNmLt4MxnSLXIua4TRxINuHM78gY=; b=aAWszn3Ej7lR42o/LUSo/DkjYucuKDawZepFH7tdx9/uLfwOegEiVs9KMQCiEt3gUC bXzBYk36Hj+8So0kYNhg0HGn75pJOOFZMlhGV60RhQoCg50UbxniQ8Q/CgkjZtWEcLkP FIJXMjIyXgnFgNQgLztGR3EWULmffsiOhnRBzplfrDM7XiXNMQa2ZzE/MlnM3c5jwlwD 7Ss06teXT5R5BKCP8jjESlJcUwe28Lj8WaUFOMGyYyNd4ce8tazRZCYd/8d7PFk852OP GpnuNvixKcf4OQIy9aArIGMj8RK9uJKvWTjCWLd/aEbXjDUWeZ7G4bNYiLsQDrRtgd1B pcbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770797902; x=1771402702; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=tiFupujIzqj9qzhyNmLt4MxnSLXIua4TRxINuHM78gY=; b=HE+OgBKoZxTn9mVPUkH5nKPWrxhdalZkZ34u/FEGK09ekXfkNAF8YbAlboTZtET59A R9OA4YuO29BUDKXvW6oSDsHAYJbUgrpFN8XyUCYgQk5i18B08h6lX0xKg0TjQRg41T0C QPM6Bh9WT5kDHFHcU5XwT8exkZhpVb6B82b2k7S74ywUqULZzTP4xAI4hloZkq3Xe/QB XUKJUuxrs1W4VzKv7gNta6UUg+5sR3GEIJnE9Go1I5WB8IHU8m6Usz/FUojhGqqkc025 6TL4kV9K4PGV8Wlim7V/NxBn66QwcV3MNsa+0OUhlc4bIbOJPNWnlujR8s9MJdDjlK2L vV/A==
X-Gm-Message-State: AOJu0YwCsukAlkPSj6kw4Q5w3zaPQLTfLXSsQf35q6NH0T9qj0VDFabR Y7AMdr1y6D9NFFZNxlBZxw/g4fuqv/9R71GBOa1xy5IEOIU4bEYhutX+fp5u4i52VLnXqmtn24v ObOBxUzzNhIsBhcQkQlMlMcLZJLCzNTc=
X-Gm-Gg: AZuq6aLwaFEklP8sV8CCBgOAYffxsCAnDEC5+YDiONryBLjT3rWMQyVjLIxcRqmQkFX XzIWxH3fT4Wg/dXAv7OGpgsc4LL/NJhfGfppZaLA+utnmCX5MqE6ZBG2Wf90SUOPFvo6xH8TBTd HH1BVt8OQj5Ye2SGzYTChfKrnoOxv2ElDlOUabgy86YIJeRe1rHj2dhwoWqx08UuvfyNFxhT0Mk l0AEXeNQBR5ankmdLAfFhijhHPLc5wWLakCF7Mma6Cf2T6FKeEJMirMmfzaJ29a58Qrvtrw95Px MtrAJZqAByI7yDtGEWZi1hQ9F4iALqsE1Pu+SRywIak=
X-Received: by 2002:ac8:5713:0:b0:4ee:146f:2502 with SMTP id d75a77b69052e-506398aa845mr218176131cf.25.1770797901910; Wed, 11 Feb 2026 00:18:21 -0800 (PST)
MIME-Version: 1.0
References: <176402912041.2287400.16118192869450373390@dt-datatracker-5bd94c585b-wk4l4> <PR0P264MB2885530FF243B2263618C51E88D1A@PR0P264MB2885.FRAP264.PROD.OUTLOOK.COM>
In-Reply-To: <PR0P264MB2885530FF243B2263618C51E88D1A@PR0P264MB2885.FRAP264.PROD.OUTLOOK.COM>
From: Jen Linkova <furry13@gmail.com>
Date: Wed, 11 Feb 2026 19:18:10 +1100
X-Gm-Features: AZwV_Qi3_cUhArV0hGqwLUNgpW5F_wcyak-Z6KwELEWor1xY-pctagOAP0me5M0
Message-ID: <CAFU7BATXTn2S1xMeA0=2F9ktQMJA-6M=oeOju6OahaJHB4G2FQ@mail.gmail.com>
To: mohamed.boucadair@orange.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: EXHV2QIRCWGOBDGJPYQBJTZE4LMYWHNB
X-Message-ID-Hash: EXHV2QIRCWGOBDGJPYQBJTZE4LMYWHNB
X-MailFrom: furry13@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-v6ops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "v6ops@ietf.org" <v6ops@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [v6ops] Re: I-D Action: draft-ietf-v6ops-nat64-wkp-1918-00.txt
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/PH-W7FrP2nRvTGUM9dggNUmsojM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Owner: <mailto:v6ops-owner@ietf.org>
List-Post: <mailto:v6ops@ietf.org>
List-Subscribe: <mailto:v6ops-join@ietf.org>
List-Unsubscribe: <mailto:v6ops-leave@ietf.org>

Hi Med,

Thank you for your comments, and I'm sorry for not responding earlier.

On Tue, Nov 25, 2025 at 7:10 PM <mohamed.boucadair@orange.com> wrote:
> Please find below some comments, as contributor:
>
> # We may remember that the restriction was part of the deployment guidelines, not main normative part to the algo
>
> ==RFC 6052:
> 3.  Deployment Guidelines   <=========================
>
> 3.1.  Restrictions on the Use of the Well-Known Prefix
> ========

I’m not sure I understand the proposed action here.. The restriction
uses the normative MUST NOT and dictates the behavior we believe is
undesirable in the modern deployment scenarios. Do you have a proposed
text, or is this OK as is?

> # Simplify the problem statement
>
> I think that the problem statement can be simplified to basically ask for the ability of an operator to control whether a given NAT64 instance can serve internal services reachable with private IPv4 addresses. Whether the same or distinct NAT64 instance is used is definitely deployment-specific.

I think it would make a great abstract. For the Intro/problem
statement I think it’s important to explain what use cases are broken
with the current state of affairs and, more importantly, why the
approach proposed in RFC6052 doesn’t fully solve the issue.

>
> I'm afraid the current text in the draft over-justify the need with some weak arguments IMO. See examples below.
>
> (1) Mention of CLAT is not justified here as source address (with private IPv4) synthesis is done with the local prefix, not NAT64 one
>
> CURRENT:
>    However, this requirement introduces significant
>    operational challenges for systems that do not rely on DNS64 and
>    instead use local synthesis such as CLAT (Customer-side Translator,
>    [RFC6877]), or similar approaches.

 It’s not about the source, but about the destination addresses in
this case.  For outgoing packets, CLAT synthesises the destination
IPv6 address using the NAT64 prefix. For example, the scenario when a
CLAT-enabled IPv6-only host needs to communicate to an internal server
which has a private IPv4 address.


> (2) Private IPv4 addresses and Public DNS64
>
> CURRENT:
>    Enterprise and other closed networks often require IPv6-only nodes to
>    communicate with both internal (e.g., using RFC1918 addresses) and
>    external (Internet) IPv4-only destinations.  The restriction in
>    Section 3.1 of RFC6052 prevents such networks from utilizing the WKP
>    and, consequently, from relying on public DNS64 servers which utilize
>    the WKP in order to maximize compatibility.
>
> I don't quite understand the deployment model here: this is mixing reaching internal services (not to be leaked outside) and the use of a public infrastructure.

Agree, this needs to be clarified. The case here is when the local
zones are served by an enterprise DNS server, while everything else is
forwarded to a public DNS. We will add more text to address this.

>
> (3) Seems like an incomplete analysis:
>
> CURRENT:
>    According to Section 3 of [RFC7050], a node must use all learned
>    prefixes when performing local IPv6 address synthesis.  Consequently,
>    if a node discovers both the WKP and the NSP, it will use both
>    prefixes to represent global IPv4 addresses.  This duplication
>    significantly complicates security policies, troubleshooting, and
>    other operational aspects of the network.
>
> I think the more relevant section in rfc7050#section-5.1, which
>
>                       NAT64 "A" ----- IPv4-only servers in a data center
>                      /
>    IPv6-only node---<
>                      \
>                       NAT64 "B" ----- IPv4 Internet
>
>                  Figure 2: NAT64s with IPv4 Address Ranges
>
>                       NAT64 "A" ----- IPv4-only servers in a data center
>                      /
>    IPv6-only host---router
>                      \
>                        NAT64 "B" ----- IPv4 Internet
>
>                   Figure 3: NAT64s with Assisting Router
>
> Which requires some hack because of the 7050 approach.
>
> Things would be straightforward of the destination-based prefix was supported.

Since RFC7050 requires all discovered prefixes to be used (and RFC8781
inherited it), having per-destination NAT64 prefix requires a lot of
changes on endpoints and APIs. Additionally, it would require
deprecating RFC8781 and developing a new RA option. I’m not convinced
it’s worth the effort and the risk. This draft proposes a much easier
way forward.


> # A proposal to relax the constraint to accommodate specific deployments while keeping backward compatibility:
>
> CURRENT:
>    The Well-Known Prefix MAY be used to represent non-global IPv4
>    addresses, such as those defined in [RFC1918] or listed in Section 3
>    of [RFC5735].  By default, address translators MUST translate packets
>    in which an address is composed of the Well-Known Prefix and a non-
>    global IPv4 address; they MUST NOT drop these packets unless
>    configured to do so.
>
> NEW:
>    By default, the Well-Known Prefix MUST NOT be used to represent non-global IPv4
>    addresses, such as those defined in [RFC1918] or listed in Section 3
>    of [RFC5735]. In such case, address translators MUST NOT translate packets in
>    which an address is composed of the Well-Known Prefix and a non-
>    global IPv4 address; they MUST drop these packets. Translators SHOULD
>    provide a configuration parameter to enable representing non-global IPv4
>    addresses using WKP.

To be honest I do not think it’s a good idea. Your suggestion makes
sense for PLATs but not for CLATs (as the vast majority of them are
not managed).

There are two things here:

1. What translators are allowed to do and what they are not. This
should be unified standardized behaviour.
2. What is the default behaviour for managed devices. This might - and
should be - different for managed PLATs and unmanaged CLAT devices.

This document is mostly focused on #1, while your comment is about #2.

How about the following text:

The Well-Known Prefix MAY be used to represent non-global IPv4
addresses, such as those defined in [RFC1918] or listed in Section 3
of [RFC5735].  Address translators MUST translate packets in which an
address is composed of the Well-Known Prefix and a non- global IPv4
address unless configured otherwise.
Implementations MAY choose not to translate such packets by default.
Such implementation SHOULD have a configuration knob to enable
translation for such packets.


> # Need to call out operational implications of relaxing the restriction
>
> There are cautions that we need to call out, such as:
>
> * risk of leak of internal information outside a domain,
> * risk of forwarding errors with overlapping ranges
> * Need for policies when the same instance is used for both internal and external realms

Agree, text will be added in the next revision.

> > -----Message d'origine-----
> > De : internet-drafts@ietf.org <internet-drafts@ietf.org>
> > Envoyé : mardi 25 novembre 2025 01:05
> > À : i-d-announce@ietf.org
> > Cc : v6ops@ietf.org
> > Objet : I-D Action: draft-ietf-v6ops-nat64-wkp-1918-00.txt
> >
> >
> > Internet-Draft draft-ietf-v6ops-nat64-wkp-1918-00.txt is now
> > available. It is a work item of the IPv6 Operations (V6OPS) WG of
> > the IETF.
> >
> >    Title:   NAT64 WKP
> >    Authors: Warren Kumari
> >             Jen Linkova
> >    Name:    draft-ietf-v6ops-nat64-wkp-1918-00.txt
> >    Pages:   7
> >    Dates:   2025-11-24
> >
> > Abstract:
> >
> >    This document removes the requirement introduced in Section 3.1
> > of
> >    RFC6052 that the NAT64 Well-Known Prefix 64:FF9B::/96 MUST NOT
> > be
> >    used to represent non-global IPv4 addresses, such as those
> > defined in
> >    [RFC1918] or listed in Section 3 of [RFC5735].
> >
> > The IETF datatracker status page for this Internet-Draft is:
> > https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > datatracker.ietf.org%2Fdoc%2Fdraft-ietf-v6ops-nat64-wkp-
> > 1918%2F&data=05%7C02%7Cmohamed.boucadair%40orange.com%7C6e5bfc6df7
> > 22489f1c3008de2bb677c3%7C90c7a20af34b40bfbc48b9253b6f5d20%7C0%7C0%
> > 7C638996259852248150%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRyd
> > WUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%
> > 3D%3D%7C0%7C%7C%7C&sdata=PDUVs3RVt0G8ZCJ5t1mMoyr7AoPaGk005F0GB%2Be
> > LzOw%3D&reserved=0
> >
> > There is also an HTML version available at:
> > https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > www.ietf.org%2Farchive%2Fid%2Fdraft-ietf-v6ops-nat64-wkp-1918-
> > 00.html&data=05%7C02%7Cmohamed.boucadair%40orange.com%7C6e5bfc6df7
> > 22489f1c3008de2bb677c3%7C90c7a20af34b40bfbc48b9253b6f5d20%7C0%7C0%
> > 7C638996259852278079%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRyd
> > WUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%
> > 3D%3D%7C0%7C%7C%7C&sdata=GrW%2BM4uLXqpzm8GZhkPKtMREmFvrY3GsFofbttJ
> > Bz6g%3D&reserved=0
> >
> > Internet-Drafts are also available by rsync at:
> > rsync.ietf.org::internet-drafts
> >
> >
> > _______________________________________________
> > I-D-Announce mailing list -- i-d-announce@ietf.org To unsubscribe
> > send an email to i-d-announce-leave@ietf.org
> ____________________________________________________________________________________________________________
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>
> _______________________________________________
> v6ops mailing list -- v6ops@ietf.org
> To unsubscribe send an email to v6ops-leave@ietf.org



-- 
Cheers, Jen Linkova

v2.46.0 | Report a Bug | By Email | System Status