Internet DRAFT - draft-cheng-behave-nat44-fixed-port
draft-cheng-behave-nat44-fixed-port
Network working group D. Cheng
Internet Draft Huawei Technologies
Category: Standards Track
Expires: February 25 2011
August 25, 2010
NAT44 with Pre-allcoated Ports
draft-cheng-behave-nat44-pre-allocated-ports-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 4, 2010.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Cheng Expires February, 2011 [Page 1]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
carefully, as they describe your rights and restrictions with
respect to this document.
Abstract
This document specifies a NAT44 operation model where external
ports are pre-allocated per subscriber. The NAT44 function is
deployed in carrier's networks also known as CGN. Two new RADIUS
attributes are proposed to support that operation for
configuration and billing purpose. Translation logging on a
NAT44 device is significantly reduced with this operational model.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
Table of Contents
1. Introduction....................................................2
2. Terminology.....................................................4
3. Operation.......................................................4
3.1. An Example.................................................6
4. RADIUS Attributes...............................................6
4.1. Nat-Max-Port-Count Attribute...............................7
4.2. Nat-Port-Range Attribute...................................8
5. Table of Attributes.............................................8
6. Security........................................................9
7. IANA Considerations.............................................9
8. Acknowledgements................................................9
9. References......................................................9
9.1. Normative References.......................................9
9.2. Informative References.....................................9
10. Authors' Addresses............................................10
1. Introduction
There are currently several IPv4 address sharing mechanisms such as
NAT444([I-D.shirasaki-nat444-isp-shared-addr]) and DS-Lite
([I-D.ietf-softwire-dual-stack-lite]) because of shortage of IPv4
addresses. When an IP flow is initiated from a user side and its
source IPv4 address is replaced by a shared IPv4 address at a NAT44
device, the source TCP/UDP port in the IPv4 packet is also replaced
by one dynamically allocated by the NAT44 device, most likely from a
single port pool, and as such, the IP flow can be uniquely
Cheng Expires February 2011 [Page 2]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
identified end-to-end. A NAT44 device usually randomizes the port
selection, and this practice helps enhance the security in the
network.
However, such practice increases the translation logging task on
a NAT44 device. Note each NAT44 translation log entry corresponds
to a unique IP flow and typically includes the destination address
and port, translated source address (the shared IPv4 address),
translated source port (the one allocated by the NAT44 device),
original source address and port, etc. It requires large volume of
storage and also processing capacity on a NAT44 device for such
operation (see Section 11 of
[I-D.ietf-intarea-shared-addressing-issues]).
This document proposes an operation model for NAT44, where a maximum
number of TCP/UDP ports is configured on a RADIUS server for each
subscriber as part of the user profile. This information is passed to
the NAT44 device where a subscriber is attached. The NAT44
dynamically pre-allocates a port range for a given subscriber, and
the number of ports in that range must be less or equal to the
maximum number of ports that has been assigned. When a new IP flow
arrives from the subscriber, the NAT44 then allocates dynamically a
port from the pre-allocated port range for the subscriber, also
assigns a shared IPv4 address. The NAT44 would need to pass the
pre-allocated port range along with the shared IPv4 address to the
RADIUS server and the information may be used for billing purpose.
The communication between the NAT44 and RADIUS server uses RADIUS
protocol ([RFC2865]), requiring NAS co-locates with the NAT44 device.
Note a NAT44 may pre-allocate more than one port ranges for any
given subscriber, as long as the total number of ports is less or
equal to the maximum number of ports configured on the RADIUS
server for that subscriber. The actual pre-allocation is entirely
based on necessity during the operation, but the actual algorithm
behind this is out of the scope of this document.
This NAT44 port pre-allocation model using RADIUS service could
hopefully reduce substantially the intensity on a NAT44 when
performing session based logging, while still able to conduct
port allocation with randomization.
To support this operation model, two new RADIUS attributes are
defined in this document as follows:
1) The Nat-Max-Port-Count attribute carries the maximum number of
TCP/UDP ports that a NAT44 device can use for a given subscriber
Cheng Expires February 2011 [Page 3]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
during the translation. The information is configured on a
RADIUS server and passed to a NAT44 device.
2) The Nat-Port-Range attribute carries a block of contiguous
ports that a NAT44 device pre-allocates for a given subscriber
along with a shared IPv4 address. This information is passed
to a RADIUS server from the NAT44 device.
2. Terminology
This document introduces two terms as follows:
. Max port count
This is the maximum number of TCP/UDP ports for a given
subscriber, which can be used at a NAT44 device.
. Port range
This specifies a contiguous TCP/UDP ports, indicated by the
port with the smallest numerical number and the port with
the largest numerical number.
3. Operation
The per-subscriber based maximum port count is configured on
a RADIUS server, along with other user information such as
credentials. The value of the port count is based on service
agreement and its specification is out of the scope of this
document.
A Network Access Server (NAS), located on a NAT44 device,
operates as a RADIUS client.
A subscriber initiates a service request, which is sent to the
NAT44 device that hosts a NAS, which in turn sends a RADIUS
Access-Request message to a RADIUS server. If the server approves
the request after validation, it replies with an Access-Accept
message back to the NAS, where the message includes a list of
parameters for the associated IP session but also the maximum
number of ports as defined in this document. While some parameters
are passed to the subscriber, the maximum port count for that
subscriber is recorded on the NAT44 device.
Upon obtaining the maximum port count for a subscriber, the NAT44
device pre-allocates some ports for the subscriber that are used
during NAT44 procedure when receiving IPv4 flows sent from that
Cheng Expires February 2011 [Page 4]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
subscriber. The NAT44 may allocates one or more port ranges, where
each range contains a contiguous ports, and the total number of
ports must be less or equal to the maximum port count that it
records for that subscriber. A NAT44 device may choose to allocate
a small range of ports, and allocate more at a later time as
needed; such practice is good due to its randomization.
At the same time, the NAT44 device also needs to decide the shared
IPv4 address for that subscriber. The shared IPv4 address and the
pre-allocated port range are then passed to the RADIUS server.
When a subscriber initiates an IPv4 flow, the NAT44 device
randomly selects a port from the pre-allocated port range for that
subscriber to replace the original source port, along with the
replacement of the source IPv4 address by the shared IPv4 address.
Figure-1 illustrates how RADIUS protocol is used to configure
the maximum number of ports for a given subscriber on a NAT44
device, and obtains the shared IPv4 address and pre-allocated
port range determined by the NAT44 device for that subscriber.
User NAT44/NAS AAA
| | Server
| | |
|----Service Request------>| |
| | |
| |-----Access-Request -------->|
| | |
| |<----Access-Accept-----------|
| | (Nat-Max-Port-Count) |
| | |
|<---Service Granted ------| |
| (other parameters) | |
| | |
| (NAT44 external port |
| pre-allocation and |
| IPv4 address assignment) |
| | |
| |-----Accounting-Request----->|
| | (Nat-Port-Range) |
| | |
DHCPv4/IPoPPP RADIUS
Figure 1: RADIUS Message Flow
Cheng Expires February 2011 [Page 5]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
[Editor's notes - one issue was raised that a NAT44 may create too
many fixed port ranges for a given maximum port count (perhaps due
to a poor implementation), resulting too many RADIUS messages. It
may be useful to define an additional parameter, called "maximum
port range count", which defines the maximum number of port ranges
a NAT44 may create for a given subscriber. This parameter is defined
along side of the "maximum port count" and carried by the same
RADIUS attribute. This issue and the need of the additional
parameter will be discussed and added to the next revision if
required.]
3.1. An Example
An ISP assigns 1000 ports for the subscriber A based on a
service agreement. This number is the maximum number
of ports that can be used during NAT44 on a NAT44 device for A,
and is configured on a RADIUS server. When A registers with
the ISP's Internet service after required AAA procedure, the
RADIUS server passes the maximum port count (1000) to the NAT44
device that is co-located with a BNG that connects A to
the Internet.
The NAT44 device decides to pre-allocate a small port pool that
contains 40 contiguous ports, from 3500 to 3540, inclusively,
and also assign a shared IPv4 address 192.27.30.15, for A.
The NAT44 device passes this port range (3500-3540) and the
shared IPv4 address 192.27.30.15 together to the RADIUS server.
When A initiates a new IP flow that reaches the NAT44, the
original source IP address is replaced by 192.27.30.15, and
the source port is replaced by an available one that is
randomly selected in the port range, say port 3521.
If at a later time, the port pool (3500-3540) is close to
exhaustion, the NAT44 device pre-allocates a second port range
in a similar fashion, with the same or different number of
ports as in the first one, say from 8500 to 8800, inclusively.
The NAT44 then passes this port range (8500-8800) and IPv4
address 192.27.30.15 together to the RADIUS server.
4. RADIUS Attributes
Two new RADIUS attributes are defined in this document in order to
achieve the NAT44 operational model as described in Section 3.
The Nat-Max-Port-Count attribute carries the maximum number of
TCP/UDP ports that a NAT44 device can use during NAT44 procedure
Cheng Expires February 2011 [Page 6]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
for a given subscriber. This maximum number of ports for a given
subscriber is configured on a RADIUS server as part of the user's
profile, and conveyed to the NAT44 device during the user
registration.
The Nat-Port-Range attribute carries a contiguous TCP/UDP ports that
a NAT44 device has pre-allocated to be used during NAT44 procedure
for a given subscriber, along with an IPv4 address, which may be
shared with other subscribers. This information is sent by the NAT44
device to a RADIUS server and may be used for billing purpose.
4.1. Nat-Max-Port-Count Attribute
Description
This Attribute specifies the maximum number of TCP/UDP ports that
is assigned to a NAT44 device corresponding to a specific
subscriber for NAT44 operation.
The Nat-Max-Port-Count MAY appear in an Access-Accept packet, and
it MAY also appear in an Access-Request packet as a hint by the
NAS to the server as a preference, although the RADIUS server is
not required to honor the hint.
The Nat-Max-Port-Count MAY appear in an Accounting-Request
packet.
The Nat-Max-Port-Count MUST NOT appear in any other RADIUS packets.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Max NAT Port Count |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBD
Length
4 octets.
Max NAT Port Count
The maximum number of TCP/UDP ports that can be used during
NAT44 operation for a given subscriber.
Cheng Expires February 2011 [Page 7]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
4.2. Nat-Port-Range Attribute
Description
This Attribute contains a contiguous TCP/UDP port numbers in a
range, which is pre-allocated by a NAT44 device for a given
subscriber, and an IPv4 address that may be shared with other
subscribers.
The Nat-Port-Range MAY appear in an Accounting-Request
packet.
The Nat-Port-Range MUST NOT appear in any other RADIUS packets.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | External Port Range Start |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External Port Range End | Shared IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Shared IPv4 Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBD
Length
10 octets.
External Port Range Start
The smallest port number in a range of contiguous TCP/UDP
ports.
External Port Range End
The largest port number in a range of contiguous TCP/UDP
ports.
5. Table of Attributes
The following table provides a guide as the attributes may be
found in which kinds of packets, and in what quantity.
Cheng Expires February 2011 [Page 8]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
Request Accept Reject Challenge Accounting # Attribute
0-1 0-1 0 0 0-1 TBD Nat-Max-Port-Count
0 0 0 0 0+ TBD NAT-Port-Range
The meaning of the above table entries is as follows:
0 This attribute MUST NOT be present.
0-1 Zero or one instance of this attribute MAY be present.
0+ Zero or more instances of this attribute MAY be present.
6. Security
Security problems of the RADIUS protocol are discussed in [RFC2865].
7. IANA Considerations
This document requires the assignment of two new RADIUS attribute
numbers for the following attribute:
Nat-Max-Port-Count
Nat-Port-Range
8. Acknowledgements
Many thanks to Dan Wing who provided useful suggestions and comments.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", RFC2865,
June 2000.
9.2. Informative References
[I-D.ietf-softwire-dual-stack-lite] Durand, A., "Dual-Stack Lite
Broadband Deployments Following IPv4 Exhaustion",
draft-ietf-softwire-dual-stack-lite-05 (work in progress),
July 2010.
Cheng Expires February 2011 [Page 9]
Internet-Draft NAT44 with Pre-allocated Ports August 2010
[I-D.shirasaki-nat444-isp-shared-addr] Shirasaki, Y., Miyakawa, S.,
Nakagawa, A., Yamaguchi, J., and H. Ashida, "NAT444 addressing
models", draft-shirasaki-nat444-isp-shared-addr-03 (work in
progress), March 2010.
[I-D.ietf-intarea-shared-addressing-issues] M. Ford, M. Boucadair,
A. Durand, P. Levis, P. Roberts,
draft-ietf-intarea-shared-addressing-issues-01, work in progress.
10. Authors' Addresses
Dean Cheng
Huawei Technologies,
2330 Central Expressway, CA 95050, USA
Phone:+1 408 330 4754
Email: Chengd@huawei.com
Cheng Expires February 2011 [Page 10]