This option can be used to bypass NAT64 translation and instead send encapsulated IPv6 packets to the IPv4 only server.
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Option Class = 0x0162     |  Type = 0x00  |R|R|R| Length  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    ~             Optional log message encoded as UTF-8             ~
    ~                                                               ~
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               |
    |      0-3 padding octets with value 0xff       |               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
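The following encoder and parser for the option shown above is an added illustration, not code from this specification or from any Geneve implementation. It assumes the Geneve rule (RFC 8926) that the 5-bit Length field counts the option data in 4-octet units and excludes the 4-octet option header, so the data is padded with 0xff octets to a multiple of 4 and can hold at most 124 octets; the parser relies on the fact that 0xff can never occur in valid UTF-8, so trailing 0xff octets are unambiguously padding. Option class 0x0162 and type 0x00 are taken from the diagram.

```python
import struct

OPTION_CLASS_NAT64_BYPASS = 0x0162   # option class from the diagram on this page
OPTION_TYPE_NAT64_BYPASS = 0x00      # type 0x00: the Geneve critical bit is clear
PAD_OCTET = 0xFF
MAX_DATA_OCTETS = 31 * 4             # 5-bit Length field, counted in 4-octet units


def encode_nat64_bypass_option(log_message: str = "") -> bytes:
    """Build the option: 4-octet header, UTF-8 message, 0-3 padding octets of 0xff."""
    data = log_message.encode("utf-8")
    padding = (-len(data)) % 4
    data += bytes([PAD_OCTET]) * padding
    if len(data) > MAX_DATA_OCTETS:
        raise ValueError("log message too long for a 5-bit Geneve option length")
    # Length is in 4-octet units and excludes the option header (RFC 8926 semantics,
    # assumed here); the three reserved bits above it are left zero.
    length_units = len(data) // 4
    header = struct.pack("!HBB", OPTION_CLASS_NAT64_BYPASS,
                         OPTION_TYPE_NAT64_BYPASS, length_units & 0x1F)
    return header + data


def decode_nat64_bypass_option(buf: bytes) -> tuple:
    """Parse one option at the start of buf.

    Returns (log_message, octets_consumed); raises ValueError on malformed input,
    including a message that is not valid UTF-8 once padding is removed.
    """
    if len(buf) < 4:
        raise ValueError("truncated option header")
    opt_class, opt_type, rsvd_len = struct.unpack("!HBB", buf[:4])
    if opt_class != OPTION_CLASS_NAT64_BYPASS or opt_type != OPTION_TYPE_NAT64_BYPASS:
        raise ValueError("not a NAT64 bypass option")
    if rsvd_len & 0xE0:
        raise ValueError("reserved bits set in option length octet")
    total = 4 + (rsvd_len & 0x1F) * 4
    if len(buf) < total:
        raise ValueError("option body truncated")
    data = buf[4:total]
    # Strip at most 3 trailing pad octets; 0xff is never valid UTF-8, so the strict
    # decode below rejects any 0xff that is not padding.
    pad = 0
    while pad < 3 and pad < len(data) and data[-1 - pad] == PAD_OCTET:
        pad += 1
    message = data[:len(data) - pad].decode("utf-8")
    return message, total


if __name__ == "__main__":
    opt = encode_nat64_bypass_option("NAT64 mapping created")  # constructed sample message
    print(opt.hex())
    print(decode_nat64_bypass_option(opt))
```

The option body is the only part of the packet that carries free-form text, so a gateway log pipeline should treat the decoded message as untrusted input from the peer and never interpolate it into commands or structured log fields without escaping.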
A NAT64 bypass tunnel is a Geneve tunnel between a NAT64 gateway and an IPv4-only server. All packets from NAT64 gateway to server SHOULD include this option. Packets from server to NAT64 gateway MUST NOT include this option. The NAT64 gateway SHOULD discard packets from the server if they include this option.
All packets in both directions MUST have protocol type 0x6558 indicating an Ethernet payload. The Ethernet payload MUST have type 0x86dd indicating an IPv6 payload.
The VNI is generated by the NAT64 gateway using a cryptographic hash with a persistent secret and the IPv4 address of the server as input. The VNI MUST remain unchanged when NAT64 gateway or server is restarted. The NAT64 gateway SHOULD drop packets from server if they do not contain the correct VNI.
The MAC of the NAT64 gateway is generated by the NAT64 gateway using a cryptographic hash with a transient secret and the IPv4 address of the server as input. The secret MUST be changed either periodically or when the gateway is restarted. The generated MAC address MUST be a locally assigned unicast address, which leaves 46 bits for entropy.
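The two derivations above (a persistent secret for the VNI, a transient secret for the gateway MAC) can be realised as keyed hashes. The code below is an added example, not part of this specification; it assumes HMAC-SHA256 as the cryptographic hash, the domain-separation labels "vni|" and "mac|" so that the two outputs cannot be confused even if the same secret were ever reused, and truncation of the digest to 24 bits for the VNI and 48 bits for the MAC before the locally-assigned and unicast bits are forced.

```python
import hashlib
import hmac
import ipaddress
import os


def derive_vni(persistent_secret: bytes, server_ipv4: str) -> int:
    """24-bit VNI from a persistent secret and the server's IPv4 address.

    Because the secret is persistent, the VNI survives restarts of both ends.
    HMAC-SHA256 and the "vni|" label are assumptions of this example.
    """
    addr = ipaddress.IPv4Address(server_ipv4).packed
    digest = hmac.new(persistent_secret, b"vni|" + addr, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def vni_matches(persistent_secret: bytes, server_ipv4: str, received_vni: int) -> bool:
    """Check the VNI on a packet from the server; the gateway drops it when this is False."""
    expected = derive_vni(persistent_secret, server_ipv4).to_bytes(3, "big")
    return hmac.compare_digest(expected, (received_vni & 0xFFFFFF).to_bytes(3, "big"))


def derive_gateway_mac(transient_secret: bytes, server_ipv4: str) -> bytes:
    """Locally assigned unicast MAC from a transient secret and the server address.

    Bit 1 of the first octet is set (locally administered) and bit 0 is cleared
    (unicast), leaving the remaining 46 bits of the truncated digest as entropy.
    """
    addr = ipaddress.IPv4Address(server_ipv4).packed
    digest = hmac.new(transient_secret, b"mac|" + addr, hashlib.sha256).digest()
    mac = bytearray(digest[:6])
    mac[0] = (mac[0] | 0x02) & 0xFE
    return bytes(mac)


def new_transient_secret() -> bytes:
    """Fresh secret for the MAC derivation; call at start-up and on the rotation interval."""
    return os.urandom(32)


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample inputs; a real gateway would load the persistent secret from storage.
    persistent = b"example-persistent-secret"
    transient = new_transient_secret()
    print("VNI: 0x%06x" % derive_vni(persistent, "192.0.2.10"))
    print("Gateway MAC:", format_mac(derive_gateway_mac(transient, "192.0.2.10")))
```

Since the MAC changes whenever the transient secret is rotated, the server must be prepared to learn a new gateway MAC for the unchanged gateway IP, which is why the source IP is required to stay static in the following paragraphs.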
A NAT64 bypass offer message is sent from NAT64 gateway to server in order to offer creation of a tunnel. The packet MUST contain this option. The option SHOULD contain an explanatory log message. The packet payload MUST be a neighbor solicitation message.
The source IP used by the NAT64 gateway MUST remain static even when the gateway MAC changes. The gateway MAY use different source IP addresses for different servers. It is recommended to use fe80::1. The gateway MUST respond to neighbor solicitation messages for this IP address.
When the NAT64 gateway creates a NAT64 mapping it SHOULD send an offer message to the IPv4-only server. The option SHOULD contain a log message with details about the created NAT64 mapping. The source port number of the Geneve packet MAY be the port number allocated by the NAT64 mapping.
When a NAT64 gateway receives an IPv6 packet that cannot be translated to IPv4 (for example because it uses an unknown next header) the NAT64 gateway SHOULD send an offer message to the IPv4-only server if none was sent recently. The source port number of the Geneve packet MAY be constructed as two bits set to one followed by the least significant 14 bits of the original packet's flow label. The log message SHOULD mention why the packet could not be translated.
An IPv4-only server can accept the offer by responding to the neighbor solicitation with a neighbor advertisement. If the MAC address used by the server on the tunnel interface changes it MUST send a neighbor advertisement with the new MAC address.
As of this writing no well-known MAC address has been reserved for this protocol, and there is no plan to request one. If a well-known MAC address does get allocated in the future it SHOULD be used by servers implementing this specification.
The tunnel is considered established once the NAT64 gateway has received a neighbor advertisement from the server or any encapsulated IPv6 packet which would be valid for decapsulation. Only packets with correct VNI can cause the tunnel to be established.
When the NAT64 gateway receives an IPv6 packet which matches an established NAT64 mapping, it MUST be translated even if an applicable tunnel exists.
When the NAT64 gateway receives an IPv6 packet which matches an established tunnel and does not match a NAT64 mapping the gateway SHOULD encapsulate this packet for the server. The encapsulation SHOULD include this option and the log message SHOULD be empty. Source MAC SHOULD be the one generated using a cryptographic hash. Destination MAC MUST be the one learned from the server.
The source port number of the Geneve packet MAY be constructed as two bits set to one followed by the least significant 14 bits of the inner packet's flow label.
If the encapsulated packet exceeds the MTU of the outgoing IPv4 interface, the gateway MUST generate a packet-too-big message. The gateway MAY generate a packet-too-big message for all IPv6 packets larger than 1280 octets.
If the gateway has encapsulated a packet larger than 1280 octets it MUST translate any fragmentation-needed errors for that packet into packet-too-big messages.
The NAT64 gateway MUST decapsulate Geneve packets from the server and forward the inner IPv6 packet when the following criteria are satisfied:
If the tunnel was not in an established state it SHOULD change to established state when it receives a packet satisfying the decapsulation criteria.
The NAT64 gateway MAY drop decapsulated packets which do not match packets previously encapsulated by the gateway. This MAY be implemented by the NAT64 gateway maintaining a list of source IP addresses it has encapsulated packets from. The NAT64 gateway MAY drop decapsulated packets if the destination IP is not on that list. The NAT64 gateway MAY use other algorithms to filter decapsulated packets.
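The gateway-side handling described from the encapsulation paragraphs through the filtering paragraph above can be modelled as a small per-server state object. The following is an added example, not code from this specification: it builds the outer Geneve header (RFC 8926 layout: version and option length, flags, protocol type, 24-bit VNI) around an Ethernet header and an inner IPv6 packet, derives the Geneve source port from the inner flow label as described above, and on the receive side applies the checks that the surrounding text states (correct VNI, protocol type 0x6558, Ethernet type 0x86dd, absence of option class 0x0162) plus the optional filter of dropping decapsulated packets whose destination never had a packet encapsulated for it. The list of decapsulation criteria itself is not reproduced on this page, so the set checked here is this example's reading of the surrounding text, not the draft's list; the expected VNI is passed in rather than derived, and the sample addresses and flow label are constructed.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD              # Ethernet type for IPv6 (from this page)
GENEVE_PROTO_ETHERNET = 0x6558   # Geneve protocol type for an Ethernet payload (from this page)
NAT64_BYPASS_OPTION_CLASS = 0x0162


def build_ipv6(src: str, dst: str, flow_label: int, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 header (next header 59 = no next header) followed by payload."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def build_geneve(vni: int, inner_ipv6: bytes, options: bytes = b"",
                 proto: int = GENEVE_PROTO_ETHERNET) -> bytes:
    """Outer Geneve header + options + Ethernet header + inner packet (constructed MACs)."""
    assert len(options) % 4 == 0
    header = struct.pack("!BBH", len(options) // 4, 0, proto) + ((vni & 0xFFFFFF) << 8).to_bytes(4, "big")
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETH_P_IPV6)
    return header + options + eth + inner_ipv6


class Nat64BypassTunnel:
    """State the NAT64 gateway keeps for one IPv4-only server (assumed model)."""

    def __init__(self, expected_vni: int):
        self.expected_vni = expected_vni
        self.established = False
        self.encapsulated_sources = set()   # inner IPv6 sources we have encapsulated for this server

    @staticmethod
    def source_port_for(inner_ipv6: bytes) -> int:
        """Two one bits followed by the low 14 bits of the inner flow label."""
        flow_label = struct.unpack("!I", inner_ipv6[:4])[0] & 0xFFFFF
        return 0xC000 | (flow_label & 0x3FFF)

    def record_encapsulated(self, inner_ipv6: bytes) -> int:
        """Called when the gateway encapsulates a packet; returns the Geneve source port to use."""
        self.encapsulated_sources.add(ipaddress.IPv6Address(inner_ipv6[8:24]))
        return self.source_port_for(inner_ipv6)

    def decapsulate(self, pkt: bytes):
        """Return (inner_ipv6, "ok") or (None, reason) for a Geneve packet from the server."""
        if len(pkt) < 8:
            return None, "truncated Geneve header"
        ver_optlen, _flags, proto = struct.unpack("!BBH", pkt[:4])
        if ver_optlen >> 6 != 0:
            return None, "unknown Geneve version"
        if int.from_bytes(pkt[4:7], "big") != self.expected_vni:
            return None, "wrong VNI"            # checked first: only a correct VNI may establish
        if proto != GENEVE_PROTO_ETHERNET:
            return None, "protocol type is not Ethernet (0x6558)"
        opt_len = (ver_optlen & 0x3F) * 4
        options, rest = pkt[8:8 + opt_len], pkt[8 + opt_len:]
        if len(options) != opt_len:
            return None, "options truncated"
        off = 0
        while off + 4 <= len(options):       # walk the option headers; class is the first 2 octets
            if struct.unpack("!H", options[off:off + 2])[0] == NAT64_BYPASS_OPTION_CLASS:
                return None, "server included the NAT64 bypass option"
            off += 4 + (options[off + 3] & 0x1F) * 4
        if len(rest) < 14 or struct.unpack("!H", rest[12:14])[0] != ETH_P_IPV6:
            return None, "Ethernet payload is not IPv6 (0x86dd)"
        inner = rest[14:]
        if len(inner) < 40 or inner[0] >> 4 != 6:
            return None, "inner packet is not IPv6"
        if ipaddress.IPv6Address(inner[24:40]) not in self.encapsulated_sources:
            return None, "destination never sent through this tunnel"
        self.established = True
        return inner, "ok"


if __name__ == "__main__":
    tunnel = Nat64BypassTunnel(expected_vni=0xABCDEF)   # constructed VNI
    request = build_ipv6("2001:db8::1", "2001:db8:ffff::1", 0x12345, b"")
    print("Geneve source port: %d" % tunnel.record_encapsulated(request))
    reply = build_ipv6("2001:db8:ffff::1", "2001:db8::1", 0, b"")
    print(tunnel.decapsulate(build_geneve(0xABCDEF, reply))[1], "established:", tunnel.established)
    print(tunnel.decapsulate(build_geneve(0xABCDEF, reply, options=b"\x01\x62\x00\x00"))[1])
```

The destination filter is the cheapest defence against a server using the tunnel to inject IPv6 packets toward arbitrary destinations: a server can only reach addresses that previously reached it through the gateway, and the `encapsulated_sources` set would in practice be aged out like the NAT64 mappings it mirrors.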