Internet Engineering Task Force Q. Sun Internet-Draft China Telecom Intended status: Standards Track M. Boucadair Expires: May 11, 2013 X. Deng France Telecom C. Zhou Huawei Technologies T. Tsou Huawei Technologies (USA) S. Perreault Viagenie November 7, 2012 Using PCP To Coordinate Between the CGN and Home Gateway draft-tsou-pcp-natcoord-09 Abstract This document defines an extension to the base PCP. New OpCode is defined to enhance PCP with the ability to reserve port sets for internal hosts. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 11, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Sun, et al. Expires May 11, 2013 [Page 1] Internet-Draft NAT Coordination Using Port Allocation November 2012 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Application Scenario . . . . . . . . . . . . . . . . . . . . . 3 2. MAP_PORT_SET Opcode . . . . . . . . . . . . . . . . . . . . . 3 2.1. MAP_PORT_SET Operation Packet Formats . . . . . . . . . . 4 2.2. MAP_PORT_SET Mapping Table Example . . . . . . . . . . . . 8 3. MAP_PORT_SET Operation . . . . . . . . . . . . . . . . . . . . 8 3.1. Generating a MAP_PORT_SET Request . . . . . . . . . . . . 8 3.2. Renewing a MAP_PORT_SET Mapping . . . . . . . . . . . . . 8 3.3. Processing a MAP_PORT_SET Request . . . . . . . . . . . . 9 3.4. Processing a MAP_PORT_SET Response . . . . . . . . . . . . 10 4. Mapping Lifetime and Deletion . . . . . . . . . . . . . . . . 10 5. PREFER_FAILURE Option for MAP_PORT_SET Opcode . . . . . . . . 10 6. Coexistence with MAP OpCode . . . . . . . . . . . . . . . . . 10 7. MAP_PORT_SET Failover . . . . . . . . . . . . . . . . . . . . 11 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 10. Authors List . . . . . . . . . . . . . . . . . . . . . . . . . 11 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 12.1. Normative References . . . . . . . . . . . . . . . . . . . 12 12.2. informative References . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 Sun, et al. Expires May 11, 2013 [Page 2] Internet-Draft NAT Coordination Using Port Allocation November 2012 1. Application Scenario PCP can be used to control an upstream device to achieve the following goals: 1. A plain IP address (i.e., a non-shared) can be assigned to a given subscriber because it subscribed to a service which uses a protocol that don't embed a transport number or because the NAT is the only deployed platform to manage IP addresses. 2. An application (e.g., sensor) does not need to listen to a whole range of ports available on a given IP address. Only a limited set of ports are used to bind its running services. For such devices, the external port(s) and IP address can be delegated to that application and therefore avoid enforcing NAT in the network side for its associated flows. The NAT in the PCP- controlled device should be bypassed. 3. A device able to restrict its source ports can be delegated an external port restricted IP address. The PCP-controlled device should be instructed to by-pass the NAT when handling flows destined/issued to that device. This document extends PCP with the ability to reserve port sets instead of individual ports. This is motivated by the need to offload to a port-restricted device in lightweight 4over6 [I-D.cui-softwire-b4-translated-ds-lite], reduce the logging and enhance the performance of the CGN. A candidate solution is to define a new Option to request for this feature be enforced by the PCP-controlled device. Nevertheless, this solution is not efficient when large port sets are assigned (e.g., address sharing ratio of 1:2 or 1:8). Another issue, is when no NAT is enforced in the PCP-controlled device but only a Port Range Router (PRR) function, the request has not to indicate the internal ports. For those reasons, a new PCP OpCode is defined in this document. 2. MAP_PORT_SET Opcode This section defines a new Opcode to request a port set from a PCP- controlled device. The format of MAP_PORT_SET is designed to be close to the MAP message format. The port set is encoded using a port mask to convey a contiguous port range. Sun, et al. Expires May 11, 2013 [Page 3] Internet-Draft NAT Coordination Using Port Allocation November 2012 By analogy, a port set binding can be seen as an aggregate of MAP mappings. When assigning a port set to a PCP Client, the PCP- controlled device maintains a binding between the source IP address of the PCP request, the assigned external IP address and the assigned port set. Allocating port sets can greatly reduce individual MAP requests for a PCP client when requesting a bulk of ports at one time. This mechanism can be applied for lightweight 4over6 [I-D.cui-softwire-b4-translated-ds-lite] in port-set allocation process. It can also be applied to stateless PCP-controlled device, in which the Internal address, External address and Port set is determined algorithmically. MAP_PORT_SET: Create an explicit dynamic mapping between an Internal IP Address and an External IP Address + Port set It is totally up to the PCP server to determine the port-set quota for each PCP client. In addition, when the PCP-controlled device supports multiple port-sets delegation for a given PCP client, the PCP client MAY re-initiate a PCP request to get another port set when it has exhausted all the ports within the port-set. PCP-controlled device SHOULD provide a configuration option to allow administrators to configure the size of each individual port set (denoted as MAX_REQUEST_QUOTA) to be assigned and the size of the total ports for a PCP client (denoted as MAX_USER_QUOTA). 2.1. MAP_PORT_SET Operation Packet Formats The MAP_PORT_SET Opcode has a similar packet layout for both requests and response. Figure 1 shows the format of the MAP_PORT_SET request. Sun, et al. Expires May 11, 2013 [Page 4] Internet-Draft NAT Coordination Using Port Allocation November 2012 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | PORT_SET_Nonce (96bits) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | Reserved (24 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Suggested Port Set Index | Suggested Port Set Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Suggested External IP Address (128 bits) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 Figure 1: MAP_PORT_SET Opcode Request format These fields are described below: o Requested lifetime (in common header): Requested lifetime of this port set mapping, in seconds. The value 0 indicates "delete". o PORT_SET_Nonce: Random value chosen by the PCP client which SHOULD be different for individual PCP requests. But the same value MUST be kept in one request re-transmission. See Section 11.2 of [I-D.ietf-pcp-base]. o Protocol: the default value is zero (to indicate all transport protocols). o Reserved bits: 24 bits MUST be set to 0. o Suggested Port Set Index (PSI): The PSI indicates the value of the significant bits of the Port Mask. By default, PSI is set to 0 in a request. It can also convey Suggested Port Set Index if the client has a hint on it. The first k bits on the left of the 2-octet field is the Port Set Index value, with the rest of the field right padding zeros. o Suggested Port Set Mask (PSM): The PSM indicates the position of the bits that are used to build the Port Set Index. The 1 values in the Port Set Mask indicate by their position the significant bits of the Port Set Value. By default, PSM is set to 0 in a request. It can also convey Suggested Port Set Mask if the client Sun, et al. Expires May 11, 2013 [Page 5] Internet-Draft NAT Coordination Using Port Allocation November 2012 has a hint on it. The first k bits on the left is padding ones while the remained (16-k) bits of the 2-octet field on the right is padding zeros. o Suggested External IP Address: Suggested external IPv4 or IPv6 address. Same as Section 10.1 of [I-D.ietf-pcp-base]. In the context of Port Set Option, the port number should consist of port set prefix and port number suffix. The port set prefix can be got from Port Set Index and Port Set Mask, while port number suffix can change continuously. The format of port number is shown below. 0 15 +-----------------------+-----------------------------+ | port set prefix | port number suffix | +-----------------------+-----------------------------+ |<-------k bits-------->|<--------(16-k) bits-------->| In order to exclude the system ports ([I-D.ietf-tsvwg-iana-ports]) or ports saved by SPs, the former port-sets that contains well-known ports SHOULD NOT be assigned. Figure 2 shows the format of Opcode-specific information in a response packet for the MAP_PORT_SET Opcode: Sun, et al. Expires May 11, 2013 [Page 6] Internet-Draft NAT Coordination Using Port Allocation November 2012 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | PORT_SET_Nonce (96bits) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | Reserved (24 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Suggested Port Set Index | Suggested Port Set Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Assigned External IP Address (128 bits) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 Figure 2: MAP_PORT_SET Opcode format of Response These fields are described below: o Lifetime (in common header): On an error response, this indicates how long clients should assume they'll get the same error response from the PCP server if they repeat the same request. On a success response, this indicates the lifetime for this mapping, in seconds. o PORT_SET_Nonce: MUST be copied from the request. o Protocol: MUST be copied from the request. o Reserved bits: 16 bits MUST be set to 0. o Assigned Port Set Index (PSI): The PSI indicates the value of the significant bits of the Port Mask. o Assigned Port Set Mask (PSM): The Port Set Mask indicates the position of the bits that are used to build the Port Set Index. The 1 values in the Port Set Mask indicate by their position the significant bits of the Port Range Value. o Assigned External IP Address (128 bits): This field conveys the assigned external IPv4 (encoded using IPv4-mapped IPv6 address) or IPv6 address for the mapping. On an error response, the Assigned External IP Address is copied from the request. Sun, et al. Expires May 11, 2013 [Page 7] Internet-Draft NAT Coordination Using Port Allocation November 2012 2.2. MAP_PORT_SET Mapping Table Example The following table depicts an example of the mapping table in the PCP Server enabling MAP_PORT_SET OpCode. +-------------+------------+-----------+----------+--------+ | Internal | External | Port | Protocol | NONCE | | Address | Address | Range | | | +-------------+------------+-----------+----------+--------+ | 2001:db8::1 | 192.0.2.33 | 5120-6143 | 0 | nonce1 | | 2001:db8::2 | 192.0.2.33 | 6144-7167 | 0 | nonce2 | | 2001:db8::3 | 192.0.2.33 | 7168-8191 | 0 | nonce3 | | 2001:db8::4 | 192.0.2.33 | 8192-9215 | 0 | nonce4 | +-------------+------------+-----------+----------+--------+ Figure 3: Mapping table example in MAP_PORT_SET 3. MAP_PORT_SET Operation 3.1. Generating a MAP_PORT_SET Request The MAP_PORT_SET request MUST contain values in the Suggested IP Address field, Suggested Port Set Index and Suggested Port Mask. However, this port set indicated in the request of the PCP Client is only a hint; it is up to the PCP Server to assign a port set. If a PCP Client fails to receive an expected response from a server, the PCP client follows the same retransmission procedure defined for MAP in the base PCP specification (section 8.1.1 of [I-D.ietf-pcp-base]). The PORT_SET_Nonce should be copied from the previous MAP_PORT_SET request. If a PCP Client uses out all the ports in the current assigned port set, it MAY generate a new MAP_PORT_SET Request to get another delegated port-set. The Client MUST use a different Mapping Nonce for different MAP_PORT_SET mappings. If USER_EX_QUOTA error is received from the server, the PCP client SHOULD NOT request for another new port set. 3.2. Renewing a MAP_PORT_SET Mapping Port Set mapping renewal for MAP_PORT_SET MUST follow the same procedure for an individual MAP mapping (section 11.2.1 of [I-D.ietf-pcp-base] ) except for considerations related to the internal port (which is included in a MAP request but not present in a MAP_PORT_SET). Sun, et al. Expires May 11, 2013 [Page 8] Internet-Draft NAT Coordination Using Port Allocation November 2012 The MAP_PORT_SET request MUST include the currently assigned IP address and port-set in the Suggested IP address,Suggested Port Set Index and Suggested Port Set Mask. 3.3. Processing a MAP_PORT_SET Request The PCP server SHOULD take exactly the same order as in (section 11.3 of [I-D.ietf-pcp-base]). In particular, as there is no Internal Port in MAP_PORT_SET anymore, all the processes regarding to Internal Port should be neglected accordingly. The PCP Server uses the Internal address as an index to lookup the Mapping table. The PCP Server SHOULD ensure the port sets allocated to different PCP Clients are non-overlap with each other. It SHOULD only assign individual for each MAP_PORT_SET request, rather than an aggregated one. Considerations related to the assignment of the external IP Address are the same as what is defined in (section 11.3 of [I-D.ietf-pcp-base]). The procedures regarding to the port set are similar to the external port processes in MAP Opcode (section 11.3 of [I-D.ietf-pcp-base]), except that the whole port-set should be treated consistently in MAP_PORT_SET Opcode. The same operations for handling the Suggested external port for a MAP request are applied on the Suggested Port Set. The procedures for PORT_SET_Nonce is exactly the same as the Mapping Nonce field defined in (section 11.3 of [I-D.ietf-pcp-base]). The PCP server only needs to remember ONE PORT_SET_Nonce for each mapping (Internal IP Address, External IP address and Port Set). The error codes in MAP_PORT_SET Response mainly have the following possibilities: o If the PCP server or PCP-controlled device does not support MAP_PORT_SET Opcode, the error UNSUPP_OPCODE MUST be returned. o If an option does not make sense, (e.g., the PREFER_FAILURE Option is included in a request with lifetime=0, etc.,), the request is invalid and generates a MALFORMED_OPTION error. This procedure is the same with section 10.3 of [I-D.ietf-pcp-base]. If the requested lifetime is zero, it indicates a request to delete an existing mapping. A PCP server SHOULD maintain MAX_USER_QUOTA and MAX_REQUEST_QUOTA. Sun, et al. Expires May 11, 2013 [Page 9] Internet-Draft NAT Coordination Using Port Allocation November 2012 MAX_USER_QUOTA is to indicate the maximum number of ports a subscriber may get in total, and MAX_REQUEST_QUOTA is to indicate the maximum number of ports in each request. Therefore, one PCP Client will have up to N mappings, in which N SHOULD NOT be larger than floor(MAX_USER_QUOTA/MAX_REQUEST_QUOTA). The specific mechanism to configure the quotas is out of scope. If the PCP server is configured to allocate multiple port-set allocation for one subscriber, the same External address SHOULD be assigned to one subscriber in multiple port-set requests to guarantee the consistency. To optimize the number of mapping entries maintained by the PCP server, it is RECOMMENDED to configure the server to assign the maximum allowed port set in a single response. This policy SHOULD be configurable. When MAP_PORT_SET is applied to stateless PCP-controlled device, the PCP server returns an answer indicating the external IP address and port-set as seen by remote peers. 3.4. Processing a MAP_PORT_SET Response On receiving a MAP_PORT_SET Response, the same procedure as the one for individual mapping [section 10.4 of [I-D.ietf-pcp-base]] MUST be followed by the PCP Client to validate the response (except the considerations related to the internal port). 4. Mapping Lifetime and Deletion The procedure for port-set mapping lifetime and deletion is also the same with individual mapping [section 10.5 of [I-D.ietf-pcp-base]]. 5. PREFER_FAILURE Option for MAP_PORT_SET Opcode This option [section 10.2 of [I-D.ietf-pcp-base]] can be applied to MAP_PORT_SET Opcode indicating that if the PCP server cannot map the suggested External Address and port-set, the PCP server should not create a mapping. 6. Coexistence with MAP OpCode Normally, the PCP server for MAP_PORT_SET will not run NAT. So there is no NAT binding in PCP and the PCP server will not run MAP OpCode for the same subscriber. In the case when the PCP client is embedded Sun, et al. Expires May 11, 2013 [Page 10] Internet-Draft NAT Coordination Using Port Allocation November 2012 in the host and the PCP server keeps the NAT bindings for some special-purpose applications, the external address and the port allocated to the subscriber should be consistent with the ones in MAP_PORT_SET response. 7. MAP_PORT_SET Failover The failover mechanism in MAP [section 14 in [I-D.ietf-pcp-base]] and [I-D.boucadair-pcp-failure] can also be applied to MAP_PORT_SET. The only difference compared to MAP is the amount of Mapping entries in MAP_PORT_SET PCP server is much less than MAP. Therefore, the cost of state synchronization has been greatly reduced in MAP_PORT_SET. 8. Security Considerations The same security considerations discussed in [I-D.ietf-pcp-base] have to be taken into account. 9. IANA Considerations The authors request the following new OpCode: MAP_PORT_SET 10. Authors List The following are extended authors who contributed to the effort: Yunqing Chen China Telecom Room 502, No.118, Xizhimennei Street Beijing 100035 P.R.China Chongfeng Xie China Telecom Room 502, No.118, Xizhimennei Street Sun, et al. Expires May 11, 2013 [Page 11] Internet-Draft NAT Coordination Using Port Allocation November 2012 Beijing 100035 P.R.China Yong Cui Tsinghua University Beijing 100084 P.R.China Phone: +86-10-62603059 Email: yong@csnet1.cs.tsinghua.edu.cn Qi Sun Tsinghua University Beijing 100084 P.R.China Phone: +86-10-62785822 Email: sunqibupt@gmail.com Gabor Bajko Nokia Email: gabor.bajko@nokia.com 11. Acknowledgements The authors would like to show sincerely appreciation to Dan Wing, Simon Perreault, Thmoas and Yoshihiro Ohba for their useful comments and suggestions. 12. References 12.1. Normative References [I-D.ietf-pcp-base] Wing, D., "Port Control Protocol (PCP)", October 2012. Sun, et al. Expires May 11, 2013 [Page 12] Internet-Draft NAT Coordination Using Port Allocation November 2012 12.2. informative References [I-D.boucadair-pcp-failure] Boucadair, M., Dupont, F., and R. Penno, "Port Control Protocol (PCP) Failure Scenarios", August 2012. [I-D.cui-softwire-b4-translated-ds-lite] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., and Y. Lee, "Lightweight 4over6: An Extension to DS-Lite Architecture", Feb 2012. Authors' Addresses Qiong Sun China Telecom P.R.China Phone: 86 10 58552936 Email: sunqiong@ctbri.com.cn Mohamed Boucadair France Telecom Rennes, 35000 France Email: mohamed.boucadair@orange.com Xiaohong Deng France Telecom Email: xiaohong.deng@orange-ftgroup.com Cathy Zhou Huawei Technologies Bantian, Longgang District Shenzhen 518129 P.R. China Phone: Email: cathy.zhou@huawei.com Sun, et al. Expires May 11, 2013 [Page 13] Internet-Draft NAT Coordination Using Port Allocation November 2012 Tina Tsou Huawei Technologies (USA) 2330 Central Expressway Santa Clara, CA 95050 USA Phone: +1 408 330 4424 Email: Tina.Tsou.Zouting@huawei.com Simon Perreault Viagenie 246 Aberdeen Quebec, QC G1R 2E1 Canada Phone: +1 418 656 9254 Email: simon.perreault@viagenie.ca Sun, et al. Expires May 11, 2013 [Page 14]