Internet Engineering Task Force T. Tsou, Ed. Internet-Draft Huawei Technologies (USA) Intended status: Informational T. Murakami Expires: September 15, 2013 IP Infusion S. Perreault Viagenie March 14, 2013 Port Set Definition Algorithms Analysis draft-tsou-softwire-port-set-algorithms-analysis-03 Abstract This memo analyses the some port set definition algorithms which encodes port set infomation into IPv6 address so as to support stateless IPv4 to IPv6 transition technologies, e.g. 4rd-U and MAP. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 15, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as Tsou, et al. Expires September 15, 2013 [Page 1] Internet-Draft Port Set Algorithms Analysis March 2013 described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Various types of algorithms . . . . . . . . . . . . . . . . . 4 3.1. GMA style algorithms . . . . . . . . . . . . . . . . . . . 4 3.1.1. MAP . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1.2. 4rd-U . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1.3. Summary . . . . . . . . . . . . . . . . . . . . . . . 7 3.2. Mask/Value style algorithms . . . . . . . . . . . . . . . 7 3.3. Cryptographical style algorithms . . . . . . . . . . . . . 9 4. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Tsou, et al. Expires September 15, 2013 [Page 2] Internet-Draft Port Set Algorithms Analysis March 2013 1. Introduction Some stateless IPv4 to IPv6 stransition technologies are invented by the industrial to provide IPv4 network service through IPv6 network, which also support IPv4 address sharing via port sets. These technologies can significantly simplify the implementation of the border router and reduce resource requirement. In these solutions, a port set is assigned to each CPE, and can be calculated by a port set ID in conjunction with some other parameters; for any port number, the corresponding port set ID can also be derived, that means, the mapping algorithm must be reversible. When the CPE needs to send an IPv4 packet, it can map an IPv4 packet into an IPv6 packet, either by translation or encapsulation, the IPv4 address and port set ID will be embedded into an IPv6 address; when the BR receive the IPv6 packet, it will decapsulate it. When the BR need to forward an IPv4 packet to the CPE, it will first derive the port set ID from the port, and then map the IPv4 packet into an IPv6 packet. In order to support these technologies, some port set definition algorithms are worked out. It may be useful to analyse the characteristics of these algorithms for better understanding and to choose a proper algorithm for different needs. A good port set definition algorithm must be reversible, easy to implement, and should be able to define non-continuous or random port sets for better security, be able to exclude the well known ports, 0 ~ 1023 or 0 ~ 4095, etc. This memo will analyse the following characterics: o Port set type: continuous, non-continuous, random o Stateless: yes or no o Security: security level, continuous port set provides common security, random port set provides good security. o Implementation: implementation complexity, performance, etc. o Friendliness for NAT44: comply with NAT44 or not o Sharing ratio: maximum, minimum sharing ratio o Revert calculation from port number to PSID at BR. Tsou, et al. Expires September 15, 2013 [Page 3] Internet-Draft Port Set Algorithms Analysis March 2013 o Exclude well known ports 2. Terminology BR: Border Router. CPE: Customer Premise Equipment. GMA: Generalized Modulus Algorithm. MAP: Map Address and Port. PSID: Port Set ID, one of the key parameters used to derived a set of ports. 3. Various types of algorithms Currently, the port set definition algorithms can be classified into three categories: GMA style, Mask/Value style and cryptographical style. 3.1. GMA style algorithms Currently there are three sets of draft support GMA style algorithm: MAP [I-D.ietf-softwire-map-04], 4rd-U [I-D.ietf-softwire-4rd-04] and, but they are not exactly all the same. 3.1.1. MAP In MAP [I-D.ietf-softwire-map-04], a port set can be defined by the following parameters: R: sharing ratio; P: PSID; M: maximum number of contiguous ports. To derive a port from the port set, the following equation can be used: Port = R * M * j + M * P + i j is port range index: j = (4096 / M) / R to ((65536 / M) / R) - 1, if the port numbers (0 - 4095) are excluded. Tsou, et al. Expires September 15, 2013 [Page 4] Internet-Draft Port Set Algorithms Analysis March 2013 i is the port index in a sub port set, i = 0 to M-1; To derive the PSID from a given port: PSID = (floor(Port/M)) % R, where % is the modulus operator. Parameter M is to generate non-continuous ports sets, rather than a single continuous port set, which brings better sercurity. If M=1, a single continuous port set is defined. PSID will be encoded in the IPv6 address, as shown in Figure 1 and Figure 2. 0 8 15 +---------------+----------+------+-------------------+ | P | ----------------+-----------------+-------------------+ | A (j) | PSID (K) | M (i) | +---------------+----------+------+-------------------+ |<----a bits--->|<-----k bits---->|<------m bits----->| Figure 1: Bit representation | 32 bits | | 16 bits | +--------------------------+ +-------------------+ | IPv4 destination address | | IPv4 dest port | +--------------------------+ +-------------------+ : : ___/ : | p bits | / q bits : +----------+ +------------+ |IPv4 sufx| |Port-Set ID | +----------+ +------------+ \ / ____/ ________/ \ : __/ _____/ \ : / / | n bits | o bits | m bits | 128-n-o-m bits | +--------------------+-----------+---------+------------+----------+ | Rule IPv6 prefix | EA bits |subnet ID| interface ID | +--------------------+-----------+---------+-----------------------+ |<--- End-user IPv6 prefix --->| Figure 2: Deriving of MAP IPv6 address Tsou, et al. Expires September 15, 2013 [Page 5] Internet-Draft Port Set Algorithms Analysis March 2013 3.1.2. 4rd-U In 4rd-U [I-D.ietf-softwire-4rd-04], PSID itself is sufficient for defining a port set, as shown in Figure 3. To derive the PSID from a given port, it only needs to take out the PSID bits from the 16bit port number. +--------------------------------------------+ | CE IPv6 prefix | +--------------------------+-----------------+ : Longest match : : : with a Rule IPv6 prefix : : : || : : : \/ : EA-bits length : +--------------------------+ | : | Rule IPv6 prefix |<----'---->:<-.->: +--------------------------+ : \ || : : Length of the \/ : : Rule IPv6 suffix +-----------------+-----------+(if the rule has one) |Rule IPv4 prefix | EA bits | +-----------------+-----------+ : : +-----------------------------+ | CE 4rd IPv4 prefix | +-----------------------------+ ________/ \_________ : / \ : : ____:________________/ \__ : / : \ : =< 32 : : > 32 : +----------------+ +-----------------+----+ |IPv4 prfx or add| OR | IPv4 address |PSID| +----------------+ +-----------------+----+ : 32 : || : \/ (by default) (If WKPs authorized) : : : : +---+----+---------+ +----+-------------+ Ports in |> 0|PSID|any value| OR |PSID| any value | the CE port set +---+----+---------+ +----+-------------+ : 4 : 12 : : 16 : Figure 3: From CE IPv6 prefix to 4rd IPv4 address and Port set Tsou, et al. Expires September 15, 2013 [Page 6] Internet-Draft Port Set Algorithms Analysis March 2013 3.1.3. Summary -------------------------------+------------------------- Port set type | no-continuous -------------------------------+------------------------- Stateless | yes -------------------------------+------------------------- Security | good -------------------------------+------------------------- Implementation | easy -------------------------------+------------------------- Friendliness for NAT44 | yes -------------------------------+------------------------- Sharing ratio | up to 2^12 -------------------------------+------------------------- Revert calculation from | port number to PSID at BR | yes -------------------------------+------------------------- Exclude well known ports | yes, 0~1023 or 0~4095 -------------------------------+------------------------- 1. 4rd-U is a parameter-free algorithm, which is different MAP; while MAP can provide more variation due to the extra parameter(s). From the port set definition point of view, MAP and 4rd-U provide the same level of security. 2. MAP support sharing ratio up to 2^16, although it may not be necessary. 3.2. Mask/Value style algorithms [RFC6431] defines an IPCP option to allocate port set to CPEs, as shown in Figure 4. [I-D.b4-translated-ds-lite-09] also uses tis type of port set definition algorithm defined in [I-D.dhc-port-set-option-00]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |M| Reserved | Port Range Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Port Range Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 4: IPCP option format Tsou, et al. Expires September 15, 2013 [Page 7] Internet-Draft Port Set Algorithms Analysis March 2013 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | OPTION_PORT_SET | option-length | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | Port Set Index | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | Port Set Mask | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ Figure 5: DHCP port set option format The Port Range Value can be encoded in IPv6 address, similar as parameter PSID in other technologies, e.g. MAP [I-D.ietf-softwire-map-04]. To derive the Port Range Value from a given port, the port number should porform bit-and operation with the Port Range Mask. 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Mask +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | (two significant bits) v v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |x x x 0 x 1 x x x x x x x x x x| Usable ports +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ (x may be set to 0 or 1) Figure 6: Example of Port Range Mask and Port Range Value This alogrithm can have some kind of randomization effect by setting different number of bits and bits at different location in the Port Range Mask. This algorithm may have a problem if the well known ports(0~1023 or 0~4096) need to be excluded, it is a bit difficult to achieve that. But if the operator do not have a specific usage for the well known ports, then it is OK to allocate those port to end users, just like other common ports. Some tests have done and prove that is OK. Tsou, et al. Expires September 15, 2013 [Page 8] Internet-Draft Port Set Algorithms Analysis March 2013 -------------------------------+---------------------------- Port set type | continuous, no-continuous -------------------------------+---------------------------- Stateless | yes -------------------------------+---------------------------- Security | good -------------------------------+---------------------------- Implementation | easy -------------------------------+---------------------------- Friendliness for NAT44 | yes -------------------------------+---------------------------- Sharing ratio | up to 2^16 -------------------------------+---------------------------- Revert calculation from | port number to PSID at BR | yes -------------------------------+---------------------------- Exclude well known ports | difficult -------------------------------+---------------------------- 3.3. Cryptographical style algorithms The cryptographical port set definition algorithm introduced in [RFC6431] can provide very good security, but it is very difficult to derive the port set infomation, e.g. the starting point, from a given port. This algorithm can only be used in stateful scenarios, the BR must be operated in stateful mode. In order to use this kind of algorithm in a stateless scenario, the algorithm must be reversible, that is, with some given information, it should be able to derive the port set information from a given port number. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |M| Reserved | function | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | starting point | number of delegated ports | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | key K ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ... ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 7: Format of the Cryptographically Random Port Range Option Tsou, et al. Expires September 15, 2013 [Page 9] Internet-Draft Port Set Algorithms Analysis March 2013 -------------------------------+---------------------------- Port set type | continuous, no-continuous -------------------------------+---------------------------- Stateless | No * -------------------------------+---------------------------- Security | Very good -------------------------------+---------------------------- Implementation | difficult -------------------------------+---------------------------- Friendliness for NAT44 | yes -------------------------------+---------------------------- Sharing ratio | up to 2^16 -------------------------------+---------------------------- Revert calculation from | port number to PSID at BR | No * -------------------------------+---------------------------- Exclude well known ports | difficult -------------------------------+---------------------------- * It may be possible to find a cryptographic algorithm which can be reversed, e.g. define a reversible one-to-one mapping algorithm. But that is out the scope of this memo. If strong security is required, it may be worth giving this topic further study. 4. Conclusion GMA and value/mask methods are easy to implement and can provide reasonable security. If high security is desired, cryptographically random port set can be considered. 5. IANA Considerations This memo includes no request to IANA. 6. Security Considerations The port set should be as random as possible, in order to make it difficult to predict what the next port will be used, to avoid some potential TCP attack [RFC6056]. 7. References Tsou, et al. Expires September 15, 2013 [Page 10] Internet-Draft Port Set Algorithms Analysis March 2013 7.1. Normative References [I-D.dhc-port-set-option-00] Sun, Q., Li, Y., Sun, Q., Bajko, G., and M. Boucadair, "Dynamic Host Configuration Protocol (DHCP) Option for Port Set Assignment (Work in progress)", Oct 2012. [I-D.ietf-softwire-4rd-04] Jiang, S., Despres, R., Penno, R., Lee, Y., Chen, G., and M. Chen, "IPv4 Residual Deployment via IPv6 - a unified Stateless Solution (4rd) (Work in progress)", Oct 2012. [I-D.ietf-softwire-map-04] Troan, O., Dec, W., Li, X., Bao, C., Matsushima, S., and T. Murakami, "Mapping of Address and Port (MAP) (Work in progress)", Feb 2013. [RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport- Protocol Port Randomization", BCP 156, RFC 6056, January 2011. [RFC6431] Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and T. Tsou, "Huawei Port Range Configuration Options for PPP IP Control Protocol (IPCP)", RFC 6431, November 2011. 7.2. Informative References [I-D.b4-translated-ds-lite-09] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Li, Y., and I. Farrer, "Mapping of Address and Port (MAP) (Work in progress)", Oct 2012. [I-D.bsd-softwire-stateless-port-index-analysis] Boucadair, M., Skoberne, N., and W. Dec, "Analysis of Port Indexing Algorithms", Sept 2011. Authors' Addresses Tina Tsou (editor) Huawei Technologies (USA) 2330 Central Expressway Santa Clara CA 95050 USA Phone: +1 408 330 4424 Email: tina.tsou.zouting@huawei.com Tsou, et al. Expires September 15, 2013 [Page 11] Internet-Draft Port Set Algorithms Analysis March 2013 Tetsuya Murakami IP Infusion 1188 East Arques Avenue Sunnyval USA Email: tetsuya@ipinfusion.com Simon Perreault Viagenie 246 Aberdeen Quebec, QC G1R 2E1 Canada Phone: +1 418 656 9254 Email: simon.perreault@viagenie.ca URI: http://viagenie.ca Tsou, et al. Expires September 15, 2013 [Page 12]