| Internet-Draft | IPv4.5 | April 2026 |
| Matsukami | Expires 22 October 2026 | [Page] |
The global IPv4 address space was exhausted at the IANA level in 2011, and Carrier-Grade NAT (CGN) has since served as the primary operational workaround. CGN preserves connectivity but violates the end-to-end principle, complicates application development, and introduces substantial operational overhead.¶
This document specifies IPv4.5, a pragmatic extension of IPv4 that introduces a 96-bit address space organized as a Locator/Identifier separation: a 32-bit IPv4 Locator, a 16-bit Site Identifier, and a 48-bit Endpoint Identifier. IPv4.5 packets are encapsulated in UDP (port 4242) for transparent transit through existing IPv4 routers, NAT devices, and firewalls without requiring infrastructure changes.¶
Session security is established through a hybrid post-quantum key exchange combining ML-KEM-768 [FIPS203] and X25519 [RFC7748], performed once per session. Subsequent data protection uses symmetric AEAD ciphers (AES-256-GCM or ChaCha20-Poly1305).¶
The design enforces strict separation of concerns across four independent planes: data, control, identity, and cryptographic. Higher-level functions such as semantic routing and self-sovereign identity are explicitly out of scope for this specification.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 22 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The IPv4 address pool managed by IANA was exhausted in February 2011. Subsequent exhaustion at each Regional Internet Registry (RIR) has forced network operators to rely on Carrier-Grade NAT (CGN) [RFC6598] as a large-scale address sharing mechanism. While CGN preserves IPv4 reachability, it introduces the following well-documented problems:¶
IPv6 [RFC8200] was designed to resolve address exhaustion definitively, but its adoption has progressed slowly after more than two decades of availability. As of 2026, IPv6 accounts for approximately 45-50% of Internet traffic by volume, and growth has decelerated. Key barriers include dual-stack operational cost, the absence of day-one benefit for early adopters, and a large installed base of IPv4-only applications and embedded devices.¶
Furthermore, neither IPv4 nor IPv6 was designed with post-quantum cryptography (PQC) in mind. Future quantum computers capable of running Shor's algorithm would break classical elliptic-curve and RSA key exchange mechanisms, enabling "harvest now, decrypt later" attacks against recorded traffic.¶
IPv4.5 is designed to satisfy the following goals:¶
The following are explicitly OUT OF SCOPE for this document:¶
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, NOT RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
IPv4.5 is organized into four independent planes, each with a well-defined scope and interface boundary:¶
+------------------+------------------+---------------------+ | Identity Plane | Control Plane | Cryptographic Plane | | (optional; | (ELMS, INP, | (ML-KEM-768 + | | handshake only) | mobility) | X25519, AEAD) | +------------------+------------------+---------------------+ | Data Plane (packet forwarding + AEAD protection) | +-----------------------------------------------------------+
IPv4.5 defines four operating modes for staged deployment:¶
An IPv4.5 address is 96 bits wide, consisting of three contiguous fields:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Locator (32 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Site Identifier (16 bits) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Endpoint Identifier (48 bits, continued) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The total address space is 2^96 ≈ 7.9 × 10^28, sufficient for all projected 6G, IoT, and cloud workloads through at least 2050 by multiple orders of magnitude.¶
The canonical textual representation of an IPv4.5 address is:¶
<dotted-decimal-ipv4>::<hex-site-id>::<hex-eid>¶
where the Endpoint Identifier is written as three 16-bit groups separated by colons. Leading zeros within each group MAY be omitted. The double-colon (::) serves as a field separator and MUST NOT be interpreted using IPv6 zero-compression rules.¶
Example:¶
192.0.2.1::1234::DEAD:BEEF:0001 Locator: 192.0.2.1 Site ID: 0x1234 Endpoint ID: 0xDEADBEEF0001¶
An implementation parsing an IPv4.5 address MUST reject strings that do not contain exactly two "::" separators.¶
The following addresses are reserved and MUST NOT be assigned to operational endpoints:¶
| Pattern | Purpose |
|---|---|
| 0.0.0.0::0::0:0:0 | Unspecified address |
| 127.0.0.1::*::* | Loopback (all Site IDs and EIDs) |
| 224.0.0.0/4::*::* | Multicast Locator range |
| LOCATOR::FFFF::* | Site-local scope |
| LOCATOR::FFFE::* | Link-local scope |
| LOCATOR::FFFF::FFFF:* | IPv4-Embedded EID (compatibility) |
For Edge Translator (Mode B) operation, a pure IPv4 endpoint with address A.B.C.D behind translator at address T is represented as:¶
T::FFFF::FFFF:<hex-A><hex-B>:<hex-C><hex-D> Example: IPv4 198.51.100.42 behind translator 203.0.113.1: 203.0.113.1::FFFF::FFFF:C633:642A¶
To mitigate cross-session endpoint tracking, implementations SHOULD use a per-session randomly generated EID (Ephemeral Network Interface Designator, eNID). An eNID:¶
The IPv4.5 fixed header is exactly 20 bytes. When operating in Mode C, the Locator fields are carried in the outer IPv4 header and are NOT repeated in the IPv4.5 header.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Ver=1| Type | Hop Limit | Payload Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Flags | Flow Label | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Site ID (16 bits) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Source Endpoint ID (48 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Site ID (16 bits) | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Destination Endpoint ID (48 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Identifies the purpose of the packet:¶
| Value | Name | Description |
|---|---|---|
| 0 | DATA | Carries upper-layer payload |
| 1 | HANDSHAKE | Session establishment and key exchange |
| 2 | CONTROL | Control-plane messages (ELMS, INP) |
| 3 | ECHO | Echo request/reply (diagnostic) |
| 4 | ERROR | Reports error conditions to the sender |
| 5 | KEEPALIVE | NAT/firewall session keepalive |
| 6-14 | — | Unassigned; see Section 14.5 |
| 15 | — | Reserved; MUST NOT be used |
| Bit | Symbol | Meaning |
|---|---|---|
| 0 (MSB) | E | Payload is AEAD-encrypted and authenticated |
| 1 | F | Fragmentation extension header is present |
| 2 | X | Additional extension headers are present |
| 3 | M | More fragments follow (used with F) |
| 4 | C | Compression (reserved for future use) |
| 5 | N | NAT traversal extension present |
| 6-7 | — | Reserved; MUST be sent as zero |
In Mode C, an IPv4.5 packet is encapsulated in UDP [RFC0768] over IPv4 [RFC0791]:¶
+---------------------------------------------------+ | Outer IPv4 Header (20 bytes) | | IHL=5, Protocol=17 (UDP), TTL=64 | | DF=1 (Don't Fragment MUST be set) | | Src IP = Sending anchor Locator | | Dst IP = Receiving anchor Locator | +---------------------------------------------------+ | UDP Header (8 bytes) | | Src Port = 4242 (or ephemeral) | | Dst Port = 4242 | +---------------------------------------------------+ | IPv4.5 Fixed Header (20 bytes) | +---------------------------------------------------+ | Extension Headers (variable, optional) | +---------------------------------------------------+ | Upper-Layer Payload (variable) | +---------------------------------------------------+
The outer IPv4 DF bit MUST be set to enable Path MTU Discovery (Section 6.1). The outer IP TTL SHOULD be set to 64.¶
Extension headers provide optional functionality. They are chained using the Next Header field and MUST be processed in the order they appear.¶
| Next Header | Extension Type | Description |
|---|---|---|
| 0x00 | Hop-by-Hop Options | Options processed by every forwarding node |
| 0x01 | Routing | Explicit source routing via designated anchors |
| 0x02 | Mobility | Locator change notification for mobile endpoints |
| 0x03 | Fragmentation | Source-originated fragmentation and reassembly |
| 0x04 | Authentication | Handshake signature and certificate chain |
| 0x05 | ESP-X | AEAD-encrypted and authenticated payload container |
| 0x06 | Destination Options | Options processed only by the destination |
| 0xFF | No Next Header | No content follows |
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Reserved | Fragment Offset | Res |M | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identification (32 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fragment reassembly MUST time out after 60 seconds. Incomplete fragment sets MUST be silently discarded.¶
All IPv4.5 implementations MUST support Path MTU Discovery (PMTUD) as defined in [RFC1191] and [RFC8201]. Implementations SHOULD also implement Packetization Layer Path MTU Discovery (PLPMTUD) [RFC4821] as a fallback when ICMP messages are filtered.¶
The minimum IPv4.5 Path MTU is 1280 bytes. In Mode C, the minimum effective payload MTU is:¶
1280 - 20 (outer IPv4) - 8 (UDP) - 20 (IPv4.5) = 1232 bytes¶
The Don't Fragment (DF) bit MUST be set in the outer IPv4 header. When a router drops an oversized packet, it MUST return an ICMP Fragmentation Needed (Type 3, Code 4) message to the sending anchor. The anchor MUST propagate this information to the originating endpoint via an IPv4.5 ERROR message (Type 4, Error Code MTU_EXCEEDED).¶
Source endpoints MUST fragment packets that exceed the discovered Path MTU using the IPv4.5 Fragmentation Extension Header (Next Header 0x03). Intermediate nodes MUST NOT fragment IPv4.5 packets.¶
When an IPv4.5-aware node forwards a packet, it MUST decrement the Hop Limit by 1. If the resulting value is zero:¶
A new DNS resource record type, AX, is defined to carry IPv4.5 addresses. An AX record contains a 96-bit IPv4.5 address in network byte order and supports standard TTL semantics identical to A and AAAA records.¶
host.example.com. 3600 IN AX 192.0.2.1::0100::DEAD:BEEF:0001 host.example.com. 3600 IN A 192.0.2.1 host.example.com. 3600 IN AAAA 2001:db8::1¶
When A, AAAA, and AX records are all present, endpoints SHOULD use a Happy Eyeballs v3 algorithm (extending [RFC8305]) with AX as the highest-preference address family.¶
For EIDs not directly resolvable via DNS, ELMS provides Locator resolution. ELMS is a distributed, decentralized service. Three implementation architectures are defined:¶
ELMS resolution MUST be performed by the control-plane daemon. Results MUST be cached locally. ELMS queries MUST NOT block the forwarding fast path.¶
IPv4.5 session establishment follows these steps:¶
Endpoints MAY request specific session service characteristics through INP. INP operates at the session level only. Per-packet intent fields in the data plane are explicitly prohibited by this specification.¶
| Class | Description | Authorization |
|---|---|---|
| BEST_EFFORT | Default forwarding treatment | None required |
| LOW_LATENCY | Expedited Forwarding treatment | Operator policy |
| HIGH_BANDWIDTH | Guaranteed bandwidth reservation | Operator policy |
| DETERMINISTIC | Hard real-time guarantee | Pre-arranged contract |
| BACKGROUND | Lower-than-default priority | None required |
When an endpoint changes its network attachment point (Locator), it MUST:¶
Existing session keys remain valid across a Locator change. Re-authentication is NOT required.¶
Identity authentication in IPv4.5 is OPTIONAL. When used, it occurs exclusively during the HANDSHAKE phase. The data plane MUST NOT carry identity assertions after handshake completion.¶
When no identity model is selected, the session uses only ephemeral EIDs (eNIDs) and ephemeral cryptographic key pairs. Anonymous mode is the DEFAULT and MUST be supported by all implementations.¶
Endpoints authenticate using X.509 certificates [RFC5280] compatible with the existing Web PKI. This mode is RECOMMENDED for server-to-client authentication in public-facing services.¶
Endpoints authenticate using W3C Decentralized Identifiers [W3C-DID]. DID documents are resolved from the decentralized identifier infrastructure; no certificate authority is required. This mode is OPTIONAL.¶
Endpoints sharing a pre-established symmetric secret authenticate using PSK mode. PSK MUST be combined with the hybrid PQC key exchange (Section 10) to preserve forward secrecy. RECOMMENDED for constrained IoT devices and closed enterprise deployments.¶
IPv4.5 session establishment uses a hybrid key exchange combining:¶
The hybrid construction ensures session key security as long as at least one of the two component algorithms remains unbroken.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Subtype=0x01 | Identity Type | Cipher Suite (16) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Client Random Nonce (32 bytes) | | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | X25519 Ephemeral Public Key (32 bytes) | | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ML-KEM-768 Public Key (1184 bytes) | | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identity Material (variable, type-dependent) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The total Client Hello size is approximately 1252 bytes before identity material, which exceeds the minimum Mode C MTU of 1232 bytes. Sending implementations MUST fragment the Client Hello using the Fragmentation Extension Header when the discovered path MTU is insufficient.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Subtype=0x02 |Selected Cipher| Session ID (16 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Server Random Nonce (32 bytes) | | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | X25519 Ephemeral Public Key (32 bytes) | | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ML-KEM-768 Ciphertext (1088 bytes) | | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identity Material + Signature (variable) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
After the handshake exchange, both parties independently compute:¶
shared_x25519 = X25519(local_eph_priv, remote_eph_pub) [32 bytes] shared_kem = ML-KEM-768.Decapsulate(ct, local_mlkem_priv) [32 bytes] ikm = shared_x25519 || shared_kem [64 bytes] salt = client_nonce || server_nonce [64 bytes] tx_key = HKDF-SHA-256(ikm, salt, "IPv4.5-C2S-KEY-v1", 32) [32 bytes] rx_key = HKDF-SHA-256(ikm, salt, "IPv4.5-S2C-KEY-v1", 32) [32 bytes]¶
The HKDF construction follows [RFC5116] and [RFC8446] Section 7.1. Labels are fixed ASCII strings. Implementations MUST verify that both X25519 and ML-KEM operations succeed before proceeding to data exchange.¶
| Code | Cipher Suite | Recommendation |
|---|---|---|
| 0x01 | AES-256-GCM | RECOMMENDED for hardware with AES-NI |
| 0x02 | ChaCha20-Poly1305 | RECOMMENDED for software-only implementations |
| 0x03-0xFF | — | Reserved |
Both suites provide Authenticated Encryption with Associated Data (AEAD) as specified in [RFC5116].¶
The AEAD nonce (96 bits) for DATA packet protection is constructed as:¶
nonce = session_id (16) || reserved (16) || sequence_no (64)¶
The sequence number MUST start at 1 and MUST be incremented by 1 for each DATA packet transmitted. Implementations MUST initiate key rotation before the sequence number reaches 2^32. Nonces MUST NEVER be reused under the same session key.¶
All session key material is derived from ephemeral key pairs generated fresh for each session. Long-term identity keys are used only to authenticate the handshake and are never used for encryption.¶
Active sessions MUST be re-keyed upon whichever of the following thresholds occurs first:¶
Key material from the previous epoch MUST be explicitly zeroized using compiler-barrier-protected routines before being overwritten.¶
IPv4.5 provides transparent IPv4 transit, not full backward compatibility.¶
Mode A traffic (pure IPv4) is entirely unaffected. Mode C traffic traverses unmodified IPv4 routers as standard UDP/4242 traffic. Firewalls blocking non-standard UDP ports may prevent IPv4.5 sessions. Implementations SHOULD attempt UDP/4242 first, and if blocked, retry using UDP/443.¶
Operators deploying IPv4.5 SHOULD configure firewalls to permit inbound and outbound UDP/4242 during the transition period.¶
A static EID enables correlation of an endpoint's sessions across time and network positions, analogous to MAC address tracking. Implementations SHOULD use ephemeral EIDs (eNIDs) for user-facing applications. See Section 4.5.¶
The Locator is carried in cleartext in the outer IPv4 header. The Site ID is carried in cleartext in the IPv4.5 fixed header. Both fields are observable to all on-path entities. No protection of Locator or Site ID confidentiality is provided by this specification.¶
IPv4.5 does not protect against traffic analysis based on timing, packet sizes, or communication volumes. Applications requiring traffic analysis resistance SHOULD use Tor or mixnet overlays operating over IPv4.5 sessions.¶
This specification is designed to protect against: passive eavesdropping (including by future quantum computers via "harvest now, decrypt later"); active injection, modification, or replay of IPv4.5 packets; endpoint impersonation during session establishment; and session hijacking.¶
This specification does NOT protect against: compromised endpoints; physical hardware access; legal compulsion of key material; traffic analysis; or vulnerabilities in cryptographic implementations.¶
Confidentiality: All DATA packets are protected by AEAD using session keys derived from the hybrid PQC handshake.¶
Integrity: AEAD authentication detects and causes rejection of any modified, truncated, or corrupted DATA packet.¶
Replay Protection: Monotonically increasing sequence numbers combined with AEAD authentication prevent replay.¶
Forward Secrecy: Ephemeral key pairs ensure compromise of long-term key material does not expose past sessions.¶
Quantum Resistance: The hybrid ML-KEM-768 + X25519 key exchange is secure against quantum computers running Shor's algorithm. Symmetric keys of 256 bits retain approximately 128 bits of security against Grover's algorithm.¶
Endpoint Authentication (optional): When identity modes are used, signature algorithms SHOULD use ML-DSA-65 [FIPS204] for quantum resistance.¶
Implementations MUST:¶
Implementations MUST NOT:¶
HANDSHAKE processing involves asymmetric cryptographic operations. Implementations SHOULD implement HANDSHAKE rate limiting (recommended: no more than 1000 new sessions per second per anchor) and SHOULD employ a lightweight proof-of-work or cookie mechanism to deter amplified HANDSHAKE flooding.¶
ELMS deployments SHOULD use Anycast addressing, multi-tier caching with signed responses, and rate limiting of Map-Request messages per source address.¶
IANA is requested to assign UDP port 4242 in the "Service Name and Transport Protocol Port Number Registry":¶
IANA is requested to assign IP Protocol Number 144 in the "Assigned Internet Protocol Numbers" registry:¶
IANA is requested to assign a new DNS RR type in the "Domain Name System (DNS) Parameters" registry:¶
The wire format of the AX record carries a 96-bit IPv4.5 address in network byte order (12-byte RDATA field).¶
IANA is requested to assign SAFI value 144 in the "Subsequent Address Family Identifiers (SAFI) Parameters" registry:¶
IANA is requested to create a new registry "IPv4.5 Packet Types" within a new "IPv4.5 Parameters" registry group. Future assignments in values 6-14 require Standards Action [RFC8126].¶
| Value | Name | Reference |
|---|---|---|
| 0 | DATA | This document |
| 1 | HANDSHAKE | This document |
| 2 | CONTROL | This document |
| 3 | ECHO | This document |
| 4 | ERROR | This document |
| 5 | KEEPALIVE | This document |
| 6-14 | Unassigned | Standards Action |
| 15 | Reserved | — |
IANA is requested to create a new registry "IPv4.5 Error Codes" within the "IPv4.5 Parameters" registry group:¶
| Value | Name | Description |
|---|---|---|
| 0 | UNSPECIFIED | Unspecified error |
| 1 | HOP_LIMIT_EXCEEDED | Hop Limit reached zero |
| 2 | MTU_EXCEEDED | Packet exceeds path MTU |
| 3 | UNREACHABLE | Destination unreachable |
| 4 | AUTH_FAILED | Handshake authentication failure |
| 5 | POLICY_DENIED | INP policy rejection |
| 6-255 | Unassigned | Standards Action |
IPv4.5 is deployed as a user-space overlay using Mode C encapsulation. No kernel changes are required. Day-one benefits include quantum-resistant session encryption, ephemeral EIDs for endpoint privacy, and global reachability without CGN for endpoints behind cooperative ISPs.¶
OS kernel integration, router support for ELMS BGP SAFI, and deployment of Edge Translators for IPv4 interoperability. ISPs offering native IPv4.5 addressing can eliminate CGN for IPv4.5- capable subscribers.¶
IP Protocol 144 (Mode D) is assigned and native IPv4.5 forwarding is enabled in router hardware. IPv4 continues as the backward- compatible locator plane.¶
Initial submission to the IETF Datatracker (April 2026).¶
The author thanks the IETF int-area mailing list participants for their ongoing discussion of IPv4 transition mechanisms and addressing architecture.¶
The Locator/Identifier separation concept builds directly on foundations laid by LISP [RFC6830] and its successors [RFC9300] [RFC9301]. The QUIC protocol [RFC9000] demonstrated that a new transport protocol can achieve wide deployment via UDP encapsulation and strongly influenced the Mode C design. The TLS 1.3 security model [RFC8446] informed the session security architecture.¶
The eNID privacy mechanism is modeled after IPv6 Privacy Extensions [RFC8981] and Semantically Opaque Interface Identifiers [RFC7217].¶