3. Scenarios and Overview
There are roughly three scenarios:
1. (Generic) router-to-router tunnels.
2. Site-to-router or router-to-site tunnels. These refer to tunnels
between a site's IPv6 (border) device and an IPv6 upstream
provider's router. A degenerate case of a site is a single host.
3. Host-to-host tunnels.
IPv6/IPv4 hosts and routers can tunnel IPv6 datagrams over regions of
IPv4 forwarding topology by encapsulating them within IPv4 packets.
Tunneling can be used in a variety of ways.
   .--------.            _----_            .--------.
   |v6-in-v4|          _( IPv4 )_          |v6-in-v4|
   | Router | <=======( Internet )=======> | Router |
   |   A    |          (_      _)          |   B    |
   '--------'            '----'            '--------'
       ^          IPsec tunnel between         ^
       |          Router A and Router B        |
       V                                       V
Figure 1: Router-to-Router Scenario.
IPv6/IPv4 routers interconnected by an IPv4 infrastructure can tunnel
IPv6 packets between themselves. In this case, the tunnel spans one
segment of the end-to-end path that the IPv6 packet takes.
The source and destination addresses of the IPv6 packets traversing
the tunnel could come from a wide range of IPv6 prefixes, so binding
the IPv6 addresses in use to the SA is not generally feasible. IPv6
ingress filtering must be performed to mitigate the IPv6 address
spoofing threat.
A specific case of router-to-router tunnels, when one router resides
at an end site, is described in the next section.
This is a generalization of host-to-router and router-to-host
tunneling, because the issues when connecting a whole site (using a
router) and when connecting a single host are roughly the same.
  _----_         .--------.  IPsec     _----_     IPsec  .--------.
_( IPv6 )_       |v6-in-v4|  Tunnel  _( IPv4 )_  Tunnel  | V4/V6  |
( Internet )<--->| Router |<=======( Internet )=======>| Site B |
(_      _)       |   A    |         (_      _)         '--------'
  '----'         '--------'           '----'
                     ^
                     |
                     V
                 .--------.
                 | Native |
                 |  IPv6  |
                 |  node  |
                 '--------'
Figure 2: Router-to-Site Scenario.
IPv6/IPv4 routers can tunnel IPv6 packets to their final destination
IPv6/IPv4 site. This tunnel spans only the last segment of the
end-to-end path.
                                  +---------------------+
                                  |    IPv6 Network     |
                                  |                     |
   .--------.       _----_        |     .--------.      |
   | V6/V4  |     _( IPv4 )_      |     |v6-in-v4|      |
   | Site B |<====( Internet )=========>| Router |      |
   '--------'     (_      _)      |     |   A    |      |
                    '----'        |     '--------'      |
   IPsec tunnel between           |          ^          |
   IPv6 Site and Router A         |          |          |
                                  |          V          |
                                  |     .--------.      |
                                  |     |   V6   |      |
                                  |     | Hosts  |      |
                                  |     '--------'      |
                                  +---------------------+
Figure 3: Site-to-Router Scenario.
In the other direction, IPv6/IPv4 hosts can tunnel IPv6 packets to an
intermediary IPv6/IPv4 router that is reachable via an IPv4
infrastructure. This type of tunnel spans the first segment of the
packet's end-to-end path.
The hosts in the site originate the packets with IPv6 source
addresses coming from a well-known prefix, whereas the destination
addresses could be any nodes on the Internet.
In this case, an IPsec tunnel mode SA could be bound to the prefix
that was allocated to the router at Site B, and Router A could verify
that the source address of the packet matches the prefix. Site B
will not be able to do a similar verification for the packets it
receives. This may be quite reasonable for most of the deployment
cases, for example, an Internet Service Provider (ISP) allocating a
/48 to a customer. The Customer Premises Equipment (CPE) where the
tunnel is terminated "trusts" (in a weak sense) the ISP's router, and
the ISP's router can verify that Site B is the only one that can
originate packets within the /48.
IPv6 spoofing must be prevented, and setting up ingress filtering may
require some amount of manual configuration; see more of these
options in Section 5.
   .--------.            _----_            .--------.
   | V6/V4  |          _( IPv4 )_          | V6/V4  |
   |  Host  | <=======( Internet )=======> |  Host  |
   |   A    |          (_      _)          |   B    |
   '--------'            '----'            '--------'
                  IPsec tunnel between
                   Host A and Host B
Figure 4: Host-to-Host Scenario.
IPv6/IPv4 hosts interconnected by an IPv4 infrastructure can tunnel
IPv6 packets between themselves. In this case, the tunnel spans the
entire end-to-end path.
In this case, the source and the destination IPv6 addresses are known
a priori. A tunnel mode SA could be bound to these specific
addresses. Address verification prevents IPv6 source address
spoofing completely.
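The inner source-address checks described above for the site-to-router case (SA bound to the /48 allocated to Site B), the host-to-host case (SA bound to the two host addresses) and the router-to-router case (no feasible binding, so the same check is applied as ingress filtering on the tunnel interface), as an added Python example that is not part of this memo: it parses the IPv6-in-IPv4 packet left after IPsec processing and accepts it only if the inner IPv6 source falls within the configured prefix list. The prefix, the addresses and the packet layout are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 encapsulation


def inner_ipv6_addrs(ipv4_packet: bytes):
    """Return (src, dst) of the IPv6 packet carried in a protocol-41 IPv4
    packet, or None if it is not a well-formed IPv6-in-IPv4 encapsulation."""
    if len(ipv4_packet) < 20 or (ipv4_packet[0] >> 4) != 4:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_packet[9] != IPPROTO_IPV6:
        return None
    inner = ipv4_packet[ihl:]
    if len(inner) < 40 or (inner[0] >> 4) != 6:
        return None
    return ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])


def accept_inner_source(ipv4_packet: bytes, bound_prefixes) -> bool:
    """Source-address check on a tunnel packet after IPsec processing.
    bound_prefixes is what this endpoint knows about the far side: one /48
    in the site-to-router case, one /128 in the host-to-host case.  In the
    router-to-router case no useful binding exists, so the same check runs
    as an ingress filter with an operator-configured prefix list instead."""
    addrs = inner_ipv6_addrs(ipv4_packet)
    if addrs is None:
        return False  # not IPv6-in-IPv4 at all: never forward it
    src, _dst = addrs
    return any(src in ipaddress.IPv6Network(p) for p in bound_prefixes)


def build_v6_in_v4(outer_src, outer_dst, inner_src, inner_dst) -> bytes:
    """Constructed test packet: minimal IPv4 header (protocol 41, checksum
    left zero) around a minimal IPv6 header with no payload."""
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    inner = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,  # next hdr 59 = none
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed)
    return outer + inner


# Constructed sample (documentation addresses): Site B was allocated 2001:db8:1::/48.
SITE_B_PREFIX = ["2001:db8:1::/48"]
LEGIT = build_v6_in_v4("192.0.2.1", "198.51.100.1", "2001:db8:1:5::10", "2001:db8:ff::1")
SPOOFED = build_v6_in_v4("192.0.2.1", "198.51.100.1", "2001:db8:2::10", "2001:db8:ff::1")
```

With SITE_B_PREFIX the legitimate packet is accepted and the spoofed one is dropped; passing a single /128 instead models the host-to-host binding.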
As noted in the Introduction, automatic host-to-host tunneling
methods (e.g., 6to4) are out of scope for this memo.