Internet DRAFT - draft-sunjianping-behave-nat-port-expand
draft-sunjianping-behave-nat-port-expand
Internet Engineering Task Force J. Sun, Ed.
Internet-Draft China Telecom
Intended status: Informational May 2012
Expires: November 2, 2012
Expand NAT TCP/UDP ports deferring IPv4 Exhaustion
draft-sunjianping-behave-nat-port-expand-02
Abstract
This document describes the TCP/UDP port extension (EPORT) model to
enhance Network Address Translation (NAT)capability. EPORT based NAT
helps service provider and enterprise to save mass public IPv4
addresses with enough application sessions offered at same time.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 2, 2012.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Sun Expires November 2, 2012 [Page 1]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. EPORT IP option defination . . . . . . . . . . . . . . . . 4
3.1.1. Figure 1. EPORT IP option . . . . . . . . . . . . . . 5
3.2. Elements description and behaviors . . . . . . . . . . . . 5
3.2.1. Figure 2. NAT with EPORT option . . . . . . . . . . . 7
3.2.2. Internal host . . . . . . . . . . . . . . . . . . . . 8
3.2.3. NAT device . . . . . . . . . . . . . . . . . . . . . . 8
3.2.4. Internet intermedia router . . . . . . . . . . . . . . 10
3.2.5. External host . . . . . . . . . . . . . . . . . . . . 10
4. Best practice of EPORT . . . . . . . . . . . . . . . . . . . . 11
4.1. Natural arrangement . . . . . . . . . . . . . . . . . . . 11
4.2. Proactive arrangement . . . . . . . . . . . . . . . . . . 11
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.1. Normative References . . . . . . . . . . . . . . . . . . . 12
8.2. Informative References . . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
Sun Expires November 2, 2012 [Page 2]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
1. Introduction
NAT is one of mainstream solutions to save public IPv4 addresses and
has been employed widely, it maintains address and port mapping
mechanism to translate between external address port pair and
internal address port pair.The IANA IPv4 addresses pool has now
depleted before internet move from IPv4 to IPv6 sufficiently.As a
result,NAT(NAPT) becomes the important part of IPv6 transitional
technologies such as DS-lite,NAT444 and NAT64. See [I-D.gundavelli-
softwire-gateway-init-ds-lite] , [I-D.shirasaki-nat444] and [RFC6146]
.
Because TCP or UDP port number length is 2 octets length,for one of
external public IPv4 addresses there are 65535 TCP or UDP ports at
most can be used to establish sessions from internal addresses to
external by NAT device. in consideration of IANA defined port ranges:
"Well Known Ports" is 0-1023, "Registered" is 1024-49151, and
"Dynamic and/or Private" is 49152-65535 ,it recommends that NAT
devices prefer to use the dynamic range first , then Dynamic and/or
Private range .In fact ,one publice IPv4 address' available NAT
translation sessions are less than 64511 for TCP or UDP, this number
seems enough in the past but inadequate when IPv4 address pool
starvation. New session fails to establish on NAT device if 2 octets
port range reached. IPv6 transitional technologies such as DS-
lite,NAT444 and NAT64 that relied on NAT will be affected if IPv4
public address pool ran out . For example , each internal host
behind NAT device requires 400 tcp or udp sessions to access
internet,(it's reasonable because of P2P applications,multi tab web
client , RSS etc.) one of external public ipv4 address can support
only 322 internal hosts at most. ICMP is out of the scope of this
specification temporary.
This document specifies TCP/UDP port extension model which focuses on
extending extra 2 octets tcp/udp port number to IP option named EPORT
without changes of existing TCP/UDP header and 20 octets fixed IPv4
header . EPORT allows a public IP on NAT device to be assigned 4
octets sessions for internal hosts.Thus one of external public ipv4
address can support 21102270 internal hosts at most with same session
requirement for each host described upon.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Sun Expires November 2, 2012 [Page 3]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
2. Terminology
The technology described in this document is known as the TCP/UDP
port extension (EPORT) model to enhance Network Address Translation
(NAT)capability. The abbreviation EPORT will be used along this
text.
This document specifies TCP/UDP port extension model which focuses on
extending extra 2 octets tcp/udp port number to IP option named
EPORT.
UDP is defined in [RFC0768].
TCP is defined in [RFC0793].
IP option related terminology is defined in [RFC0791].
NAT related terminology is defined in [RFC4787].
In this document, the term "NAT" refers to "Network Address/Port
Translator (NAPT)" that multiple internal hosts share a single public
IP address simultaneously. When an internal host opens an outgoing
TCP or UDP session through a NAPT, the NAPT assigns the session a
public IP ddress and port number, so subsequent response packets from
the external host can be received by the NAT device, translated, and
forwarded to the internal host based on the address port mapping
table it maintainces .
Term "session" is defined in [RFC2663].
The process of IP option by protocol stack is defined in [RFC1122]
Term "Shared Public address" and "external public ipv4 address" has
same signification in this ducoment that means NAT translation
involved public ip address .
3. Deployment
3.1. EPORT IP option defination
This document defines a new IP option named EPORT option(Extended
TCP/UDP PORT). When NAT device's availabe public IP address,public
port number pairs are used up(It means that NAT device cannot
translate TCP/UDP sessions any more and its capability is full),EPORT
option is inserted by the NAT device into TCP/UDP packets' IP header
to expand existing TCP/UDP port numbers.
EPORT option includes an option-type octet, an option-length octet,
Sun Expires November 2, 2012 [Page 4]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
and the 2 octets option-data according as Case 2 format defined in
[RFC0791] and exhibit below :
3.1.1. Figure 1. EPORT IP option
0 7 15 31
+--------+--------+--------+--------+
|10100001|00000100| EPORT ID |
+--------+--------+--------+--------+
Type=161 Length=4
Figure 1
option-type 1 octets :
1 bit copied flag: 1,this option MUST be copied into all fragments on
fragmentation.
2 bits option class: 01 drawed out from reserved IP option Classes.
5 bits option number:00001 defined as EPORT id.
LENGTH option 8bit:00000100,the EPORT option's total length is 4
octetes.
option-data 16bit: EPORT ID is 2 octets length. EPORT id is
assembled with traditional TCP/UDP port number (as defined in
[RFC0793],[RFC0768]) to identify a unique TCP/UDP session by NAT
device and external public hosts.Loading EPORT ID breaks the 2 octets
port preserving limitation of traditional TCP/UDP port number and
offers sufficient outbound TCP/UDP sessions translated by NAT device.
EPORT ID MUST conjunct with public IP address, public port number
pairs to identify a unique TCP/UDP session.
3.2. Elements description and behaviors
The involved elements of NAT TCP/UDP ports expanding are internal
hosts,NAT device,internet intermedia router and external host.
Internal hosts are assigned the private IP addresses mainly through
DHCPv4 by enterprise or ISP's DHCP server or BRAS. Internal hosts
can open multiple TCP/UDP sessions simultaneously through the NAT
device to access internet service such as WEB,MAIL etc. The NAT
device has one or more shared public addresses to establishes NAT
sessions to translate the private IP address,private port number pair
to a public IP address, public port number pair , and vice versa for
Sun Expires November 2, 2012 [Page 5]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
the duration of the session as defined in [RFC4787]. If NAT device's
availabe public IP address,public port number pairs (64511 pairs for
1 shared public IP address at most as described upon )are occupied
entirely, subsequent sessions initiated by internal hosts will be
refused or preempting sessions in process. In this documents ,NAT
device tags the EPORT IP option with public port number ,public IP
address to translate and forward traffic correctly. Internet
intermedia router is a universal internet router with public
interface IP addresses which takes charge of packet lookup and
transmission to next hop.External host is any internet host with
public IP address .(A internet web server for simplicity)
This section uses the following diagram for reference:
Sun Expires November 2, 2012 [Page 6]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
3.2.1. Figure 2. NAT with EPORT option
|
Internal | External(IPv4 internet)
|
IP:tcp/udp port | IP:tcp/udp port
src:10.1.0.1:6000 | src:218.80.254.1:65535
dst:202.100.0.1:80 | dst:202.100.0.1:80
-----------------------|-------------------------------------->
Before Shared Public address's port number runs out
<----------------------|---------------------------------------
src:202.100.0.1:80 | src:202.100.0.1:80
dst:10.1.0.1:6000 | dst:218.80.254.1:65535
|
|
|
+-------+ |
|Host A +---+ +----+----+
+-------+ | | |
Private +-----+ | +--------+
address | NAT | | inter | +---------+
10.1.0.1 | Device +-------+ media +------------+ Server C|
+-----+ | | router | +---------+
+-------+ | | | +--------+ Public
|Host B +---+ +----+----+ Public address
+-------+ | Shared address 202.100.0.1
Private | Public
address | address
10.100.0.1 | 218.80.254.1
IP:tcp/udp port | IP:EPORT:tcp/udp port
src:10.100.0.1:500 | src:218.80.254.1:100:65535
dst:202.100.0.1:80 | dst:202.100.0.1:80
------------------------|------------------------------------->
EPORT launched after Shared Public address's port number runs out
<-----------------------|--------------------------------------
IP:tcp/udp port | src:202.100.0.1:80
src:202.100.0.1:80 | dst:218.80.254.1:100:65535
dst:10.100.0.1:500 | IP:EPORT:tcp/udp port
|
Port Assignment with EPORT option supported
Figure 2
Sun Expires November 2, 2012 [Page 7]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
3.2.2. Internal host
Internal host is assigned with private IP address. Internal host
MUST implement EPORT option,(The options may appear or not in
datagrams. They must be implemented by all IP modules . (from
[RFC0791] ) in spite of unnecessary in this document.When internal
host receive a IPv4 packet with EPORT option ,it MAY silently ignore
EPORT option part. Internal hosts MUST NOT insert EPORT option into
any packet it sends. Internal hosts act as private hosts described
in [RFC2663].
In Figure 2,Host A and Host B are internal hosts , in order to
exhibit more points, Host A and Host B visit the same server C's HTTP
service at this scenario(As Figure 2 upon).
3.2.3. NAT device
NAT device recieves the tcp/udp packets from internal hosts then:
Case 1. If NAT device' shared Public address' port numbers have not
run out,it MUST translate Private IP address,private port number
pairs to shared public IP address,public port number pairs at
normally( as [RFC2663] describes).The NAT device SHOULD NOT insert
EPORT option into the IP packet it translated.
Case 2. If NAT device' shared Public address' port numbers have run
out,it MUST insert EPORT option between IPv4 basic header and TCP/UDP
header into packets for subsequent sessions.Therefor NAT device
translates subsequent sessions expanding to 4 octet which EPORT ID
cumulated with 2 octets inherent public port number. No matter NAT
device' shared Public address' port numbers have run out or not,it
MUST maintaince a mapping table with 6 elements below ,then translate
and forward packets to the proper next hop:
Sun Expires November 2, 2012 [Page 8]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
+------------------------------------+
| uplayer protocol |
+------------------------------------+
| src IP:src port before translation|
+------------------------------------+
| dst IP:dst port before translation|
+------------------------------------+
| src IP:src port after translation |
+------------------------------------+
| EPORT ID after translation |
+------------------------------------+
| dst IP:dst port after translation |
+------------------------------------+
mapping table elements
Figure 3
The EPORT ID after translation block is newly added ,it is padded all
zero in Case 1 and actual number in Case 2. The EPORT MAY be
assigned in order from low to high bits or by other algorithms which
is out of the scope of this document.
When returning packets include EPORT option,NAT device MUST lookup
mapping table with 6 elements described upon to decide the unique
session and forward it to the proper internal receiver.If no match
entry found, NAT device SHOULD drop the returning packet .
Before the NAT device forwards returning packet to the proper
internal receiver ,it SHOULD check packet's EPORT option ,if exists,
the NAT device SHOULD wippe off the EPORT option from packet.
It's NAT device's responsibility to insert EPORT for incoming
packets,maintain the NAT mapping table ,wipe off returning packet's
EPORT option and forward packet.
In Figure 2, Host A opened a session to Server C, the NAT device
translates its src IP:src port from src:10.1.0.1:6000 to src:
218.80.254.1:65535,it implies that all of Shared Public address' port
number ran out and no subsequent sessions will be translated by NAT
device without EPORT option.
At this time Host B also opened a session to Server C at the same dst
port,the NAT device translates src IP:src port from src:10.100.0.1:
500 to src:218.80.254.1:100:65535(IP:EPORT:src port) and forwards to
intermedia router.
After NAT device received the returning packet from Server C to Host
B with EPORT option,it lookups the NAT mapping table then wippes off
Sun Expires November 2, 2012 [Page 9]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
the EPORT option , translates packet's dst IP:EPORT:dst port from
dst:218.80.254.1:100:65535 to dst:10.100.0.1:500 then forwards to
Host B.
3.2.4. Internet intermedia router
Internet intermedia router also MUST support EPORT option but SHOULD
NOT change the EPORT option without justified reason.(Hierarchical
NAT for example )
Internet intermedia router MUST forward the IPv4 packets with EPORT
option.
3.2.5. External host
External host MUST implement the EPORT option.
The interface between the IP layer and the transport layer MUST
provide full access to all the mechanisms of the IP layer, including
option. The transport layer MUST either have mechanisms to set these
interface parameters, or provide a path to pass them through from an
application, or both. (From [RFC1122]) This document follows the
criterion upon , EPORT option MUST be passed throuth TCP/UDP between
IP header and applications.
External host MUST indentify the EPORT option ,the packet with
different EPORT ID will be identified from heterogeneous sessions and
treated differently by applications even these packets have same TCP/
UDP port number.
External host MUST be allowed to respond to requests from same src
IP,src port but with different EPORT ID.
External host MUST hold the EPORT option and replicate it to the
returning packets of corresponding session same as it has ever been
received .
EPORT Option is not a end to end parameter ,it is assembled by NAT
device at the begining, passes through the intermedia routers ,
identified ,held and returned by external hosts , stripped off by NAT
device at last.
In Figure 2, Server C treats packets from Host A(src:218.80.254.1:
65535,dst:202.100.0.1:80 pair)and from Host B(src:218.80.254.1:100:
65535 ,dst:202.100.0.1:80 pair) as different sessions and hold EPORT
ID 100 for the session from Host B.
When responds to Host B ,Server C copy the EPORT option back into
Sun Expires November 2, 2012 [Page 10]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
packet header(EPORT ID is 100),because NAT device need EPORT ID to
lookup mapping table and translate packet back to internal host B.
4. Best practice of EPORT
There are two fashions to approach EPORT expansion of NAT,the first
is natural arrangement and another is proactive arrangement.
4.1. Natural arrangement
When natural arrangement fashion is selected,the NAT device invokes
EPORT ID to expand outgoing TCP/UDP sessions on demand. The NAT
device assembles the mapping table with EPORT ID and TCP/UDP ports at
real time . This way provides best utilization of EPORT ID and
introduces more pressures on NAT device' overhead because of dynamic
allocation and maintenance of EPORT ID for every enlarged TCP/UDP
sessions. Under this way one public IPv4 address with EPORT will
fulfil Class A private address space as defined in [RFC1918] if each
internal host behind NAT device requires a reasonable TCP or UDP
sessions.
4.2. Proactive arrangement
Another way is proactive arrangement of EPORT ID. It's a trade off
between NAT device complexity and EPORT ID utilization. An ISP or
enterprise could bind each EPORT ID exclusively to one of(or mass of)
internal host behind NAT. On NAT device The layout of EPORT ID is
set statically in advance . The specific internal host's outgoing
TCP/UDP session will be marked by preassigned EPORT ID. Notice that
under this way the internal hosts is more vulnerable and traceable
from internet because statically arranged EPORT ID is following
translated packets.On the contrary, internal zombie computers or
malicious machines can be easily orientated and separated through
EPORT ID.
5. Acknowledgements
The author would like to acknowledge many helpful discussions with
Gj.Huang.
6. IANA Considerations
This draft request IANA to allocate a reserved IP option from IP
OPTION NUMBERS. The suggested Option Type value is 161 in this
document but can be assigned by IANA from IP Option class 0 or 2 .
Sun Expires November 2, 2012 [Page 11]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
7. Security Considerations
Security issues of NAT have been documented at [RFC2663] and
[RFC2993]. In this document the EPORT option is inserted by NAT
device into IPv4 header and transmited through internet to external
host. If Man-in-the-middle intercepts the packets ,it can forge
EPORT ID. When the NAT device receives the packet with EPORT option
forged,it MUST drop the packet whose EPORT ID don't match the mapping
table it has established.
8. References
8.1. Normative References
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
August 1980.
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, September 1981.
[RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2993] Hain, T., "Architectural Implications of NAT", RFC 2993,
November 2000.
8.2. Informative References
[I-D.gundavelli-softwire-gateway-init-ds-lite]
Brockners, F., Gundavelli, S., Speicher, S., and D. Ward,
"Gateway Initiated Dual-Stack Lite Deployment",
draft-gundavelli-softwire-gateway-init-ds-lite-03 (work in
progress), March 2010.
[I-D.shirasaki-nat444]
Yamagata, I., Shirasaki, Y., Nakagawa, A., Yamaguchi, J.,
and H. Ashida, "NAT444", draft-shirasaki-nat444-03 (work
Sun Expires November 2, 2012 [Page 12]
Internet-Draft Expand NAT TCP/UDP Ports May 2012
in progress), January 2011.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations",
RFC 2663, August 1999.
[RFC4787] Audet, F. and C. Jennings, "Network Address Translation
(NAT) Behavioral Requirements for Unicast UDP", BCP 127,
RFC 4787, January 2007.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, April 2011.
Author's Address
Jianping Sun (editor)
China Telecom
No.1835,Sourth Pudong Road
Shanghai, Pudong
P.R.China
Phone: +86 021 5875 1214
Email: sunjp@sttri.com.cn
Sun Expires November 2, 2012 [Page 13]