Framework for Multi-domain IPv6-only Underlay Network and IPv4-as-a-Service

IPv6 capabilities have been widely deployed over the past decade, with IPv6 traffic growing at a faster rate than IPv4. As of 2022, most IPv6 deployments rely on dual-stack . However, dual-stack has long-term drawbacks, including duplicated network resources and states, as well as increased operational complexity from maintaining both protocol stacks. For instance, when broadband users experience access service failure, Network Providers (NPs) must determine whether the failure stems from IPv4 or IPv6, effectively doubling the troubleshooting effort. Once IPv6 adoption becomes dominant, transitioning to IPv6-only can reduce resource overhead and simplify operations. In 2016, the IAB stated that it “expects the IETF to no longer mandate IPv4 compatibility in new or updated protocols, with future IETF work focusing on IPv6 optimization”. To ensure service continuity after IPv4 address exhaustion, NPs must deploy IPv6 while maintaining access to the global IPv4 Internet, which is commonly referred to as IPv4-as-a-Service, and a logical approach for IPv6-only networks. The network infrastructure of large NPs typically consists of at least an access section and a backbone section. The access section serves customers by delivering access links, assigning addresses, and enabling two-way data transmission. The backbone section, also known as the backbone network, is typically a multi-domain network comprising interconnected autonomous systems (ASes), each with a full-mesh or partial-mesh topology. The backbone network is sometimes referred to as the underlay network. Accordingly, IPv6-only deployment involves two key sections: IPv6-only in the access section and IPv6-only in the backbone section. For the IPv6-only deployment in the access section, to date various transition technologies such as 464XLAT , MAP-T , MAP-E , and DS-Lite have been developed and deployed . These solutions allocate only IPv6 addresses to customer terminals or networks, addressing IPv4 address exhaustion on the user side while enabling access to both IPv4 and IPv6 Internet services. describes a deployment scenario referred to as "an IPv6-Mostly network", where IPv6-only and IPv4-enabled endpoints coexist on the same network (network segment, VLAN, SSID etc.). It allows IPv6-capable devices to remain IPv6-only while the network is seamlessly supplying IPv4 access to those that require it. However, the current IPv6-only ecosystem remains incomplete, particularly in backbone networks. For large-scale network NPs, a comprehensive multi-domain IPv6-only framework is needed to integrate multiple related technologies to ensure seamless IPv4 and IPv6 data transmission. A key objective is to enable efficient IPv4 service delivery across a multi-domain IPv6-only network, utilizing tunneling or translation to forward data between edge PE devices. With such a framework, IPv4-IPv6 packet conversion relies on stateless address mapping at the edges, meaning no user-specific state or translation tables are required for packet processing. In addition, there should be no IPv4-to-IPv6 conversion gateway along the data path. Unless otherwise stated, the term “IPv6-only network” in this document refers specifically to “IPv6-only underlay network”. This document presents a framework for building a large-scale IPv6-only network from the perspective of network operators. As it is described at a high level, this framework is not meant to replace existing IPv6-only technologies but rather to leverage and remain compatible with them, nor does it propose any new IPv6 transition mechanisms or IPv4-as-a-Service solutions. When transmitting IPv4 service data, this framework enables end-to-end tunneling or translation across multiple network providers, and therefore is different from existing SRv6/MPLS VPN solutions which are for a single NP. It also differs from "IPinIP" tunneling in that this approach includes a control plane, whereas "IP-in-IP" does not.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The following terms are used in this document: AS: Autonomous System. CE: Customer Edge. DC: Data Center. IPv4-embedded IPv6 address: An IPv6 address embedded with a 32-bit IPv4 address used to represent an IPv4 node in an IPv6 network. (). IPv4-embedded IPv6 packet: An IPv6 packet created through encapsulation or translation of an IPv4 packet, where the source and destination IPv4 addresses are statelessly mapped to corresponding IPv6 addresses. Multi-domain IPv6-only underlay network: IPv6-only underlay network which consists of multiple ASes operated by single or multiple network providers. MR-DB: Mapping Rule DataBase. NP: Network Provider. NSP: Network-Specific Prefix. P: Provider Router. PE: Provider Edge (Section 5.2 of ). UE: User Equipment, e.g., mobile phone.

This framework is designed to assist large NPs in deploying IPv6-only networks in a multi-domain environment. Large-scale NPs usually manage network infrastructure comprising multiple interconnected Autonomous Systems (ASes). This is referred to as a "Multi-domain Underlay Network" in this document. These ASes often support different functions, such as metro area networks (MANs), backbone networks, 4G/5G mobile core networks, Data Centers (DCs), and may be administered by separate departments or NPs with different routing and security policies. In a multi-domain network environment, edge nodes are commonly referred to as Provider Edge (PE) routers. The ingress PE is the router where a packet enters the network, while the egress PE is the router where it exits. Internal nodes are typically called Provider (P) routers. As some Internet services may remain IPv4-based even in an IPv6-dominated environment, an IPv6-only network should support access to IPv4-only services, as well as native IPv6 services. describes a routing scenario where IPv4 packets are transported over an IPv6 network, based on and , along with a separate OSPFv3 routing table for IPv4-embedded IPv6 routes in the IPv6 network. Since it is based on the OSPF protocol, it supports IPv4-as-a-Service within a single AS. To facilitate the illustration of the framework from the perspective of NPs, Figure 1 shows a multi-domain network, namely NP-1, which consists of three interconnected ASes, i.e., AS1, AS2, and AS3. Among them, AS1 and AS2 are operated by NP-1, AS3 is operated by NP-2. Routers located outside the backbone but directly connected to it are referred to as Customer Edge (CE) routers. AS1 of NP-1 provides connectivity services to mobile, home broadband, and enterprise customers, represented by CE1, CE2, and CE3, respectively. defines IPv4 service continuity requirements for IPv6 CE routers, extending the basic IPv6 CE specifications to support IPv4 delivery in IPv6-only access networks. Additionally, service instances in DCs often require cross-site communication, whether on-premises or in external data centers. A multi-domain network must facilitate these data center connections. Network NP-1 should support at least two connectivity modes for data centers: the first is between a data center and individual users, for instance, a user of CE1 accesses a service instance hosted in DC1; The second is between data centers, for instance, communications occur between service instances hosted in DC1 and DC2, respectively. Regarding external interconnection, NP-3 is a neighboring network of NP-2. AS4 of NP-3 is an IPv4-only network and does not support IPv6. The interconnection protocol between AS3 and AS4 is BGP that supports IPv4 route advertisement.

For network NP-1, deploying IPv6-only without a unified framework may lead to independent adoption of IPv6 transition approaches across different ASes. This can result in multiple IPv6-only islands interconnected by IPv4 links between domains. Furthermore, the network may operate multiple IPv4-IPv6 packet conversion gateways with varying functionalities. In such cases, IPv6 packets converted from IPv4 packets may need to revert to IPv4 at the egress of one AS, then back to IPv6 in the next AS. The number of conversion gateways increases with the number of ASes. An excessive number of IPv4-IPv6 conversion gateways introduces network complexity and increases capital expenditures (CAPEX). Thus, a unified framework is required to define network edge behavior for IPv4 service delivery and eliminate unnecessary IPv4/IPv6 conversion gateways within the multi-domain network. For IPv6-only deployment guided by a unified framework, IPv4 protocol instances are gradually disabled and IPv6 will be the primary network-layer protocol. Specifically, core P routers, such as P1, P2, P3, and P4, operate only IPv6 protocol, while PE routers, such as PE1, PE2, PE3, and PE4, support IPv4 protocol on interfaces facing IPv4 client networks and IPv6 on interfaces facing the core, requiring them to handle both address families. Network NP-1 transports packets that originate and terminate outside the network. These packets enter the IPv6 network at a PE router, traverse the network, and exit through another PE router to continue their path.

To support IPv4-as-a-Service in a multi-domain IPv6-only network, the framework proposes each PE device to be allocated and identified by at least one IPv6 mapping prefix, denoted by Pref6(PE). Each PE device will also have one or more associated IPv4 address blocks which are extracted from local IPv4 routing table or address pool. The mapping relationship between an IPv4 address block and its corresponding IPv6 prefix is called an address mapping rule, which can be represented at a minimum by the following data structure. IPv4 address block: Pref6(PE) Note that the address mapping rule contains not only the data structure described above, but also other necessary information to support IPv4 service delivery over the IPv6-only network. The detailed structure definition of the address mapping rule is out of the scope of this document. The address mapping rule of destination address will determine the direction of IPv4 service data transmission in a multi-domain IPv6-only network. When the address mapping rule corresponding to the destination address of a given IPv4 packet is available, the ingress PE can generate corresponding IPv6 source and destination addresses from its IPv4 source and destination address as below, The IPv6 source address is derived by appending the IPv4 source address to its local IPv6 mapping prefix, i.e., Pref6(ingress PE). The IPv6 destination address is derived by appending the IPv4 destination address to the Pref6(egress PE) in its address mapping rule. Since the address mapping rule adopts prefix-level mapping, there is no need to maintain user-related status or translation tables for packet conversion at the PE devices. This framework proposes to use algorithmic translation of an IPv4 address to a corresponding IPv6 address, and vice versa, using only statically configured information. With this approach, IPv4-embedded IPv6 addresses are composed by concatenating the prefix, the 32 bits of the IPv4 address, and the suffix (if needed) to obtain a 128-bit address. As specified in , commonly used prefix lengths include 32/40/48/56/64/96; in this model the embedded IPv4 address occupies the last 32 bits. The middle bits may be set to zero (or otherwise as per the operator's addressing plan). Examples of such representations are presented in Table 1.

Prior to IPv4/IPv6 packets conversion, an ingress PE needs to obtain the address mapping rule for the destination address within or across domains. To meet this requirement, specific mechanism of address mapping rule exchange needs to be designed, so an egress PE can inform other PEs that an IPv4 packet with a destination address being within a specific IPv4 address block should be forwarded to itself directly.

To enable IPv4 service data forwarding in a multi-domain IPv6-only network, IPv4 packets must be converted to IPv6 packets - either at the UEs/CEs or at the PEs located at the edge of the network. Consider the network case of Section 3, when an ingress PE, e.g., PE1, receives an IPv4 packet (destined for a remote IPv4 network, e.g., NP-3) from a client-facing interface, it queries its mapping rule database (i.e., MR-DB) to find the rule that best matches the packet's destination IPv4 address. The IPv6 mapping prefix in the rule identifies the corresponding egress PE. In this case, the ingress and egress PEs reside in different autonomous systems (ASes): the ingress PE (PE1) is in AS1 of NP-1, while the egress PE (PE3) is in AS2 of NP-2. The ingress PE converts the IPv4 destination address into an IPv6 address using PE3's IPv6 mapping prefix and forwards the IPv6 packet to PE3. Upon receiving the IPv6 packet, PE3 extracts the original IPv4 source and destination addresses from the IPv4-embedded IPv6 addresses and reconstructs the IPv4 packet. The packet is then forwarded to NP-3 based on the IPv4 routing table maintained at PE3. In this case, the IPv6 data path is between PE1 and PE3, there are only two IPv4-IPv6 conversion actions, which occur in PE1 and PE3 respectively, as shown in Figure 2.

| | | | +--+ +--+ +--+ | | / \ / \ / \ | +--+ +----+ | | AS1 | | AS2 | | AS3 | | / \ |UE/ |-----PE1 P1---P2 P3---P4 PE3---| IPv4 | |CE | | IPv6 | | IPv6 | | IPv6 | \ NW / +----+ \ / \ / \ / +--+ +--+ +--+ +--+ Figure 2: End-to-end IPv4 Service Delivery from Ingress to Egress]]> It should be noted that P3 and P4 are P routers from the perspective of the framework defined by this document, although they are the network edges of network providers. To support the MR-DB operations in the framework, PE1 and PE3 should support . For the mapping rules to propagate from PE3 to PE1 across the network, the intermediate BGP speakers (e.g., route reflectors / ASBRs) that propagate the relevant NLRI MUST support . provides IPv4-to-Pref6 mappings processing at each PE device. specifies the extensions necessary to allow the advertising of IPv4 NLRI or VPN-IPv4 NLRI with a next-hop address that belongs to the IPv6 protocol. It allows gradual deployment of the functionality of advertising IPv4 reachability via an IPv6 next hop without any flag day nor any risk of traffic black-holing.

This section outlines the multi-domain IPv6-only underlay network framework from the perspective of network operators. As shown in Figure 1, the framework consists of edge PE devices, core P devices, and customer-side IPv4 routers. The PE devices are responsible for performing stateless IPv4/IPv6 packet conversion and should support the following functions: 1. Address Mapping Rule Processing Generate and manage the address mapping rules Exchange the address mapping rules across an IPv6-only network 2. Packet Conversion Generate IPv4-embedded IPv6 packets using either translation or encapsulation

Within PE devices, IPv4/IPv6 address mapping rules are processed at the control layer, which includes two processes, 1. Address Mapping Rule Generation and Management For IPv4 service delivery, IPv4/IPv6 address mapping rules need to be generated. In the network shown in Figure 1, when PE3 receives an IPv4 BGP route advertisement from an IPv4 router, e.g., BR1, it extracts IPv4 address blocks and generates address mapping rules by combining them with its own IPv6 mapping prefix. All the address mapping rules, whether locally generated or received from other PEs, are stored in its local MR-DB. PE devices also support rule management operations, such as insertion, modification, and deletion of address mapping rules. If the address mapping rule of a certain IPv4 address block has not been received by the ingress PE, the IPv4 service data destined to that IPv4 address block will not be forwarded to the correct egress PE. To mitigate this issue, the framework introduces a default egress PE, which advertises a default address mapping rule to all other PEs. The format of the default address mapping rule is as follows: 0.0.0.0/0: Pref6(PE) With the availability of a default egress PE, the ingress PE can deliver the IPv4 packets to the default egress PE when it does not obtain the address mapping rule for that IPv4 address block. 2. Address Mapping Rule Exchange The address mapping rules generated at one PE device need to be sent to other PE devices. This process can be implemented through the routing layer. When an address mapping rule is generated locally, the PE device will convert it into a data structure and forward it to the IPv6 routing engine for transmission. In the opposite direction, upon receiving a routing announcement with an address mapping rule from a neighboring IPv6 router, the PE device extracts and stores it in its MR-DB. To enable address mapping rule transmission at the routing layer, extensions to MP-BGP or other protocols would be required, a typical approach is illustrated in . It should be noted that address mapping rule exchange can be implemented by non-routing mechanisms as well, however, this is outside the scope of this document. Based on the received mapping rule, the ingress PE can identify the appropriate egress PE (i.e., the Pref6(PE) to use as the destination prefix).

In this framework, the forwarding layer of PE devices provides data forwarding capability to IPv4-embedded IPv6 packets. IPv4-embedded IPv6 packets can be generated using either translation or encapsulation for IPv4 data delivery. 1. Translation Translation refers to the packet conversion from one protocol format to the other. When the ingress PE receives an IPv4 packet from its neighboring IPv4 network, it queries the local MR-DB which stores all the address mapping rules, if an address mapping rule for the IPv4 destination address is found, it will generate corresponding IPv6 source and destination addresses from the IPv4 addresses, following the procedure described in Section 4.1. This process should comply with . Upon receiving the IPv6 packet, the egress PE checks whether the destination IPv6 prefix matches its own IPv6 mapping prefix. If not, it discards it or forwards it as a regular IPv6 packet. Otherwise, the egress PE extracts the original IPv4 source and destination addresses from the IPv4-embedded IPv6 addresses and reconstructs the original IPv4 packet, this process should comply with . The IPv4 packet is then forwarded based on the IPv4 routing information maintained at the egress PE. 2. Encapsulation The address mapping process for encapsulation follows the same procedure as translation: When the ingress PE receives an IPv4 packet from its neighboring IPv4 network, it queries the local MR-DB which stores all the address mapping rules, if an address mapping rule for the IPv4 destination address is found, the ingress PE will generate corresponding IPv6 source and destination addresses from the IPv4 addresses, following the procedure described in Section 4.1. Upon receiving the IPv6 packet, the egress PE checks whether its destination IPv6 prefix matches its own IPv6 mapping prefix. If not, it discards it or forwards it as a regular IPv6 packet. Otherwise, the egress PE decapsulates it by removing outer IPv6 header and restores the original IPv4 packet. The IPv4 packet is then forwarded based on the IPv4 routing information maintained at the egress PE. For IPv4-embedded IPv6 packets, regardless of whether translation or encapsulation is used, the Pref6 part of the IPv6 destination address identifies the egress point. Therefore, packet forwarding can be performed by P devices solely based on the Pref6 part of the destination address. In summary, both translation and encapsulation rely on the same control-plane mechanisms (the MR-DB and address mapping rules) and impose identical requirements on the IPv6-only core network (forwarding based on the Pref6 part of the destination address). Although this document illustrates the framework for a multi-domain IPv6-only network operated by multiple NPs, this framework is also applicable to an IPv6-only network operated by a single NP.

As shown in Section 4.1, IPv6 mapping prefixes are used by PEs to generate address mapping rules for any IPv4 address blocks. These prefixes are to be allocated from the Network Specific Prefix (NSP). An NSP refers to a dedicated IPv6 prefix (or a set of prefixes) assigned from NP's available IPv6 address pool for IPv4 addresses mapping. For an IPv6-only network, one or more distinct IPv6 mapping prefixes are assigned to each PE device. For any PE device, its IPv6 mapping prefix is part of a larger and routable IPv6 address prefix previously assigned, if Pref6(PE) is allocated from a prefix that is already advertised with a next hop that reaches that PE (or its site), additional FIB entries in the IPv6 core may be avoided. For any IPv4-embedded IPv6 packets, a P device can forward them as regular IPv6 packets without requiring a specific FIB entry for each IPv6 mapping prefix. NPs should carefully determine the IPv6 mapping prefix length during deployment. It is recommended that all IPv6 mapping prefixes have the same length to avoid unnecessary processing cost and complexity introduced by prefix length diversity.

Besides regular security checks on configured address mapping rules, the following two aspects need to be considered.

In this framework, as the receiver of IPv4-embedded IPv6 packets, each egress PE assumes that all ingress PEs are legal and authorized to send IPv4-embedded IPv6 packets to it. After the egress PE receives IPv4-embedded IPv6 packets, it will convert them into IPv4 packets and forward them into the IPv4 Internet. If IPv6 packets cannot guarantee their authenticity or integrity, then there may be a spoofing attack. A malicious ingress PE could send IPv6 packets converted from IPv4 packets to attack an egress PE. Since the PEs in this framework are stateless, even when receiving large-volume traffic flows, they will not increase mapping session counts within the device like a stateful NAT device would, thus avoiding significant consequences. Even if no per-flow state exists, it should be acknowledged that in some extreme cases PEs can possibly be overwhelmed by: bandwidth exhaustion, packet-rate/CPU exhaustion, MR-DB lookup pressure, or queue/buffer exhaustion. To mitigate these issues, measures such as rate limiting, ACLs between PEs, or provision validation are recommended for actual deployment.

The framework allows MP-BGP protocol as one approach to propagate mapping information over an IPv6-only network. However, MP-BGP has inherent vulnerabilities, such as route hijacking, where malicious alterations to routing announcements can redirect service traffic from its intended path or even steer it toward unauthorized destinations. When the capability to advertise address mapping rules via BGP is introduced, attackers may alter the IPv6 mapping prefix within these rules, leading to improper delivery of IPv4 service traffic over an IPv6-only network. Such an attack differs from pre-existing vulnerabilities in that traffic could be forwarded to a remote target across an intervening network infrastructure (e.g., an IPv6 core), allowing an attack to potentially succeed more easily since less infrastructure needs to be compromised. To mitigate this risk, proposes an approach by leveraging RPKI architecture to verify the authenticity of the address mapping rule associated with an IPv4 address block. This framework proposes a default rule 0.0.0.0/0: Pref6(PE), which sends unknown IPv4 traffic (i.e. IPv4 traffic without definite IPv6 address mapping rule) to a "default egress PE". This approach has obvious implications, such as traffic attraction (posing a DoS concentration risk) and becoming a "catch-all" hijack target if rule distribution is compromised. To mitigate these issues, the default rule (0.0.0.0/0:Pref6(PE)) is OPTIONAL and is RECOMMENDED only within a single administrative domain unless explicit bilateral policy exists. Operators SHOULD apply monitoring and rate-limiting/ACLs on the default egress PE, and SHOULD avoid exporting the default rule across inter-domain boundaries.

There are no other special IANA considerations.

The authors would like to thank Brian E. Carpenter, Mohamed Boucadair, Bob Harold, Fred Baker, Xipeng Xiao, Giuseppe Fioccola, Vasilenko Eduard, Zhenbin Li, Jen Linkova, Ron Bonica, Shuping Peng, Jingrong Xie, Eduard Metz, Wu Qin, Dhruv Dhody, Nick Buraglio, Linda Dunbar, Weiqiang Cheng, Aijun Wang, Daryll Swer, Tim Wicinski, David 'equinox' Lamparter, Tianran Zhou and Huaimo Chen for their review and comments.

Contributors Indirection Network Inc.

China guoliang.han@indirectionnet.com

Beijing TC Group

China api_zhao@126.com

Alibaba Cloud

China linjian.slj@alibaba-inc.com