Port Set Definition Algorithms Analysis
draft-tsou-softwire-port-set-algorithms-analysis-01
The information below is for an old version of the document.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Tina Tsou , Tetsuya Murakami , Simon Perreault | ||
| Last updated | 2012-03-12 | ||
| Stream | (None) | ||
| Formats | plain text htmlized pdfized bibtex | ||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-tsou-softwire-port-set-algorithms-analysis-01
Internet Engineering Task Force T. Tsou, Ed.
Internet-Draft Huawei Technologies (USA)
Intended status: Informational T. Murakami
Expires: September 13, 2012 IP Infusion
S. Perreault
Viagenie
March 12, 2012
Port Set Definition Algorithms Analysis
draft-tsou-softwire-port-set-algorithms-analysis-01
Abstract
This memo analyses the some port set definition algorithms which
encodes port set infomation into IPv6 address so as to support
stateless IPv4 to IPv6 transition technologies, e.g. 4rd-U and MAP.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2012.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Tsou, et al. Expires September 13, 2012 [Page 1]
Internet-Draft Port Set Algorithms Analysis March 2012
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Various types of algorithms . . . . . . . . . . . . . . . . . 4
3.1. GMA style algorithms . . . . . . . . . . . . . . . . . . . 4
3.1.1. MAP . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1.2. 4rd-U . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.3. divi-pd . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.4. Summary . . . . . . . . . . . . . . . . . . . . . . . 8
3.2. Mask/Value style algorithms . . . . . . . . . . . . . . . 8
3.3. Cryptographical style algorithms . . . . . . . . . . . . . 10
4. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
Tsou, et al. Expires September 13, 2012 [Page 2]
Internet-Draft Port Set Algorithms Analysis March 2012
1. Introduction
Some stateless IPv4 to IPv6 stransition technologies are invented by
the industrial to provide IPv4 network service through IPv6 network,
which also support IPv4 address sharing via port sets. These
technologies can significantly simplify the implementation of the
border router and reduce resource requirement.
In these solutions, a port set is assigned to each CPE, and can be
calculated by a port set ID in conjunction with some other
parameters; for any port number, the corresponding port set ID can
also be derived, that means, the mapping algorithm must be
reversible. When the CPE needs to send an IPv4 packet, it can map an
IPv4 packet into an IPv6 packet, either by translation or
encapsulation, the IPv4 address and port set ID will be embedded into
an IPv6 address; when the BR receive the IPv6 packet, it will
decapsulate it. When the BR need to forward an IPv4 packet to the
CPE, it will first derive the port set ID from the port, and then map
the IPv4 packet into an IPv6 packet.
In order to support these technologies, some port set definition
algorithms are worked out. It may be useful to analyse the
characteristics of these algorithms for better understanding and to
choose a proper algorithm for different needs.
A good port set definition algorithm must be reversible, easy to
implement, and should be able to define non-continuous or random port
sets for better security, be able to exclude the well known ports, 0
~ 1023 or 0 ~ 4095, etc.
This memo will analyse the following characterics:
o Port set type: continuous, non-continuous, random
o Stateless: yes or no
o Security: security level, continuous port set provide common
security, random port set provide good security.
o Implementation: implementation complexity, performance, etc.
o Friendliness for NAT44: comply with NAT44 or not
o Sharing ratio: maximum, minimum sharing ratio
o Revert calculation from port number to PSID at BR.
Tsou, et al. Expires September 13, 2012 [Page 3]
Internet-Draft Port Set Algorithms Analysis March 2012
o Exclude well known ports
2. Terminology
BR: Border Router.
CPE: Customer Premise Equipment.
GMA: Generalized Modulus Algorithm.
MAP: Map Address and Port.
PSID: Port Set ID, one of the key parameters used to derived a
set of ports.
3. Various types of algorithms
Currently, the port set definition algorithms can be classified into
three categories: GMA style, Mask/Value style and cryptographical
style.
3.1. GMA style algorithms
Currently there are three sets of draft support GMA style algorithm:
MAP [I-D.mdt-softwire-mapping-address-and-port], 4rd-U
[I-D.despres-softwire-4rd-u] and divi-pd [I-D.xli-behave-divi-pd],
but they are not exactly all the same.
3.1.1. MAP
In MAP [I-D.mdt-softwire-mapping-address-and-port], a port set can be
defined by the following parameters:
R: sharing ratio;
P: PSID;
M: maximum number of contiguous ports.
To derive a port port from the port set, the following equation can
be used:
Port = R * M * j + M * P + i
j is port range index: j = (4096 / M) / R to ((65536 / M) / R) - 1,
if the port numbers (0 - 4095) are excluded.
Tsou, et al. Expires September 13, 2012 [Page 4]
Internet-Draft Port Set Algorithms Analysis March 2012
i is the port index in a sub port set, i = 0 to M-1;
To derive the PSID from a given port:
PSID = (floor(Port/M)) % R, where % is the modulus operator.
Parameter M is to generate non-continuous ports sets, rather than a
single continuous port set, which brings better sercurity. If M=1, a
single continuous port set is defined.
PSID will be encoded in the IPv6 address, as shown in Figure 1 and
Figure 2.
0 8 15
+---------------+----------+------+-------------------+
| P |
----------------+-----------------+-------------------+
| A (j) | PSID (K) | M (i) |
+---------------+----------+------+-------------------+
|<----a bits--->|<-----k bits---->|<------m bits----->|
Figure 1: Bit representation
| 32 bits | | 16 bits |
+--------------------------+ +-------------------+
| IPv4 destination address | | IPv4 dest port |
+--------------------------+ +-------------------+
: : ___/ :
| p bits | / q bits :
+----------+ +------------+
|IPv4 sufx| |Port-Set ID |
+----------+ +------------+
\ / ____/ ________/
\ : __/ _____/
\ : / /
| n bits | o bits | m bits | 128-n-o-m bits |
+--------------------+-----------+---------+------------+----------+
| Rule IPv6 prefix | EA bits |subnet ID| interface ID |
+--------------------+-----------+---------+-----------------------+
|<--- End-user IPv6 prefix --->|
Figure 2: Deriving of MAP IPv6 address
Tsou, et al. Expires September 13, 2012 [Page 5]
Internet-Draft Port Set Algorithms Analysis March 2012
3.1.2. 4rd-U
In 4rd-U [I-D.despres-softwire-4rd-u], PSID itself is sufficient for
defining a port set, as shown in Figure 4.
To derive the PSID from a given port, it only needs to take out the
PSID bits from the 16bit port number.
+----------------------------+--------------+
| IPv4 address |Port bits 4-15|
+----------------------------+----+---------+
: Longest match : :
: || : :
: \/ :<-->: PSID length = L(RuleIPv4 prefix)
+----------------+-----------+----+ + EA-bits length
|Rule IPv4 prefix|IPv4 suffix|PSID| - 32
+----------------+-----------+----+
: : : :
+----------------+----------------+
|Rule IPv4 prefix| EA bits |
+----------------+----------------+
|| \_______ \__
\/ \ \
+--------------------------+-----------+---+
| Rule IPv6 prefix | EA bits | . |
+--------------------------+-----------+--\+
: \_Domain IPv6 suffix
: : (if applicable)
+------------------------------------------+
| IPv6 prefix |
+------------------------------------------+
Figure 3: From 4rd address to IPv6 prefix (shared-address case)
+-------+
| PSID | 12 - PSID-length
+-------+ |
: 4 : :<-----'----->:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| > 0 | PSID | any value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Port in the port set
Tsou, et al. Expires September 13, 2012 [Page 6]
Internet-Draft Port Set Algorithms Analysis March 2012
3.1.3. divi-pd
divi-pd [I-D.xli-behave-divi-pd] use the same port set definition
algorithm as MAP [I-D.mdt-softwire-mapping-address-and-port], with
only little difference: divi-pd excludes port 0 ~ 1023, while MAP
excludes port 0 ~ 4095.
| n bits | o bits | m bits | 128-n-o-m bits |
+--------------------+-----------+---------+------------+----------+
| Domain IPv6 prefix | EA bits |subnet ID| interface ID |
+--------------------+-----------+---------+-----------------------+
|<--- End-user IPv6 prefix --->|
Figure 5: IPv6 address format
|<------------- EA bits----------->|
| r bits | p bits | q bits |
+-------------+---------------------+------------+
| Domain IPv4 | IPv4 Address suffix |Port Set ID |
+-------------+---------------------+------------+
| 32 bits |
Figure 6: Shared IPv4 address
<-8-><-------- L>=32 -------><48-L><8->
+---+----------------+------+-----+---+
| u | IPv4 address | PSID | 0 | L |
+---+----------------+------+-----+---+
Figure 7: Interface ID
Tsou, et al. Expires September 13, 2012 [Page 7]
Internet-Draft Port Set Algorithms Analysis March 2012
3.1.4. Summary
-------------------------------+-------------------------
Port set type | no-continuous
-------------------------------+-------------------------
Stateless | yes
-------------------------------+-------------------------
Security | good
-------------------------------+-------------------------
Implementation | easy
-------------------------------+-------------------------
Friendliness for NAT44 | yes
-------------------------------+-------------------------
Sharing ratio | up to 2^12
-------------------------------+-------------------------
Revert calculation from |
port number to PSID at BR | yes
-------------------------------+-------------------------
Exclude well known ports | yes, 0~1023 or 0~4095
-------------------------------+-------------------------
1. 4rd-U is a parameter-free algorithm, which is different MAP and
divi-pd; while MAP and divi-pd can provide more variation due the
extra parameter(s). From the port set definition point of view, MAP
4rd-U and divi-pd provide the same level of security.
2. MAP and divi-pd support sharing ratio up to 2^16, although it may
not be necessary.
3.2. Mask/Value style algorithms
[RFC6431] defines an IPCP option to allocate port set to CPEs, as
shown in Figure 8.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M| Reserved | Port Range Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Port Range Mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 8: IPCP option format
The Port Range Value can be encoded in IPv6 address, similar as
parameter PSID in other technologies, e.g. MAP
[I-D.mdt-softwire-mapping-address-and-port].
Tsou, et al. Expires September 13, 2012 [Page 8]
Internet-Draft Port Set Algorithms Analysis March 2012
To derive the Port Range Value from a given port, the port number
should porform bit-and operation with the Port Range Mask.
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Mask
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| | (two significant bits)
v v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|x x x 0 x 1 x x x x x x x x x x| Usable ports
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ (x may be set to 0 or 1)
Figure 9: Example of Port Range Mask and Port Range Value
This alogrithm can have some kind of randomization effect by setting
different number of bits and bits at different location in the Port
Range Mask.
This algorithm may have a problem if the well known ports(0~1023 or
0~4096) need to be excluded, it is a bit difficult to achieve that.
But if the operator do not have a specific usage for the well known
ports, then it is OK to allocate those port to end users, just like
other common ports. Some tests have done and prove that is OK.
-------------------------------+----------------------------
Port set type | continuous, no-continuous
-------------------------------+----------------------------
Stateless | yes
-------------------------------+----------------------------
Security | good
-------------------------------+----------------------------
Implementation | easy
-------------------------------+----------------------------
Friendliness for NAT44 | yes
-------------------------------+----------------------------
Sharing ratio | up to 2^16
-------------------------------+----------------------------
Revert calculation from |
port number to PSID at BR | yes
-------------------------------+----------------------------
Exclude well known ports | difficult
Tsou, et al. Expires September 13, 2012 [Page 9]
Internet-Draft Port Set Algorithms Analysis March 2012
-------------------------------+----------------------------
3.3. Cryptographical style algorithms
The cryptographical port set definition algorithm introduced in
[RFC6431] can provide very good security, but it is very difficult to
derive the port set infomation, e.g. the starting point, from a given
port. This algorithm can only be used in stateful scenarios, the BR
must be operated in stateful mode.
In order to use this kind of algorithm in a stateless scenario, the
algoritm must be reversible, that is, with some given information, it
should be able to derive the port set information from a given port
number.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M| Reserved | function |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| starting point | number of delegated ports |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key K ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: Format of the Cryptographically Random Port Range Option
Tsou, et al. Expires September 13, 2012 [Page 10]
Internet-Draft Port Set Algorithms Analysis March 2012
-------------------------------+----------------------------
Port set type | continuous, no-continuous
-------------------------------+----------------------------
Stateless | No *
-------------------------------+----------------------------
Security | Very good
-------------------------------+----------------------------
Implementation | difficult
-------------------------------+----------------------------
Friendliness for NAT44 | yes
-------------------------------+----------------------------
Sharing ratio | up to 2^16
-------------------------------+----------------------------
Revert calculation from |
port number to PSID at BR | No *
-------------------------------+----------------------------
Exclude well known ports | difficult
-------------------------------+----------------------------
* It may be possible to find a cryptographic algorithm which can be
reversed, e.g. define a reversible one-to-one mapping algorithm. But
that is out the scope of this memo. If strong security is required,
it may be worth giving this topic further study.
4. Conclusion
TBD.
5. IANA Considerations
This memo includes no request to IANA.
6. Security Considerations
The port set should be as random as possible, in order to make it
difficult to predict what the next port will be used, to avoid some
potential TCP attack [RFC6056].
7. References
7.1. Normative References
[I-D.despres-softwire-4rd-u]
Despres, R., "IPv4 Residual Deployment via IPv6 - Unified
Tsou, et al. Expires September 13, 2012 [Page 11]
Internet-Draft Port Set Algorithms Analysis March 2012
Solution (4rd-U)", Jan 2012.
[I-D.mdt-softwire-mapping-address-and-port]
Troan, O., Matsushima, S., Murakami, T., Li, X., and C.
Bao, "Mapping of Address and Port (MAP)", Jan 2012.
[I-D.xli-behave-divi-pd]
Li, X., Bao, C., Dec, W., and R. Asati, "dIVI-pd: Dual-
Stateless IPv4/IPv6 Translation with Prefix Delegation",
July 2011.
[RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport-
Protocol Port Randomization", BCP 156, RFC 6056,
January 2011.
[RFC6431] Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and
T. Tsou, "Huawei Port Range Configuration Options for PPP
IP Control Protocol (IPCP)", RFC 6431, November 2011.
7.2. Informative References
[I-D.bsd-softwire-stateless-port-index-analysis]
Boucadair, M., Skoberne, N., and W. Dec, "Analysis of Port
Indexing Algorithms", Sept 2011.
Authors' Addresses
Tina Tsou (editor)
Huawei Technologies (USA)
2330 Central Expressway
Santa Clara CA 95050
USA
Phone: +1 408 330 4424
Email: tina.tsou.zouting@huawei.com
Tetsuya Murakami
IP Infusion
1188 East Arques Avenue
Sunnyval
USA
Email: tetsuya@ipinfusion.com
Tsou, et al. Expires September 13, 2012 [Page 12]
Internet-Draft Port Set Algorithms Analysis March 2012
Simon Perreault
Viagenie
246 Aberdeen
Quebec, QC G1R 2E1
Canada
Phone: +1 418 656 9254
Email: simon.perreault@viagenie.ca
URI: http://viagenie.ca
Tsou, et al. Expires September 13, 2012 [Page 13]