Port Set Definition Algorithms Analysis
draft-tsou-softwire-port-set-algorithms-analysis-03
The information below is for an old version of the document.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Tina Tsou , Tetsuya Murakami , Simon Perreault | ||
| Last updated | 2013-03-14 | ||
| Stream | (None) | ||
| Formats | plain text xml htmlized pdfized bibtex | ||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-tsou-softwire-port-set-algorithms-analysis-03
Internet Engineering Task Force T. Tsou, Ed.
Internet-Draft Huawei Technologies (USA)
Intended status: Informational T. Murakami
Expires: September 15, 2013 IP Infusion
S. Perreault
Viagenie
March 14, 2013
Port Set Definition Algorithms Analysis
draft-tsou-softwire-port-set-algorithms-analysis-03
Abstract
This memo analyses the some port set definition algorithms which
encodes port set infomation into IPv6 address so as to support
stateless IPv4 to IPv6 transition technologies, e.g. 4rd-U and MAP.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 15, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Tsou, et al. Expires September 15, 2013 [Page 1]
Internet-Draft Port Set Algorithms Analysis March 2013
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Various types of algorithms . . . . . . . . . . . . . . . . . 4
3.1. GMA style algorithms . . . . . . . . . . . . . . . . . . . 4
3.1.1. MAP . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1.2. 4rd-U . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.3. Summary . . . . . . . . . . . . . . . . . . . . . . . 7
3.2. Mask/Value style algorithms . . . . . . . . . . . . . . . 7
3.3. Cryptographical style algorithms . . . . . . . . . . . . . 9
4. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Tsou, et al. Expires September 15, 2013 [Page 2]
Internet-Draft Port Set Algorithms Analysis March 2013
1. Introduction
Some stateless IPv4 to IPv6 stransition technologies are invented by
the industrial to provide IPv4 network service through IPv6 network,
which also support IPv4 address sharing via port sets. These
technologies can significantly simplify the implementation of the
border router and reduce resource requirement.
In these solutions, a port set is assigned to each CPE, and can be
calculated by a port set ID in conjunction with some other
parameters; for any port number, the corresponding port set ID can
also be derived, that means, the mapping algorithm must be
reversible. When the CPE needs to send an IPv4 packet, it can map an
IPv4 packet into an IPv6 packet, either by translation or
encapsulation, the IPv4 address and port set ID will be embedded into
an IPv6 address; when the BR receive the IPv6 packet, it will
decapsulate it. When the BR need to forward an IPv4 packet to the
CPE, it will first derive the port set ID from the port, and then map
the IPv4 packet into an IPv6 packet.
In order to support these technologies, some port set definition
algorithms are worked out. It may be useful to analyse the
characteristics of these algorithms for better understanding and to
choose a proper algorithm for different needs.
A good port set definition algorithm must be reversible, easy to
implement, and should be able to define non-continuous or random port
sets for better security, be able to exclude the well known ports, 0
~ 1023 or 0 ~ 4095, etc.
This memo will analyse the following characterics:
o Port set type: continuous, non-continuous, random
o Stateless: yes or no
o Security: security level, continuous port set provides common
security, random port set provides good security.
o Implementation: implementation complexity, performance, etc.
o Friendliness for NAT44: comply with NAT44 or not
o Sharing ratio: maximum, minimum sharing ratio
o Revert calculation from port number to PSID at BR.
Tsou, et al. Expires September 15, 2013 [Page 3]
Internet-Draft Port Set Algorithms Analysis March 2013
o Exclude well known ports
2. Terminology
BR: Border Router.
CPE: Customer Premise Equipment.
GMA: Generalized Modulus Algorithm.
MAP: Map Address and Port.
PSID: Port Set ID, one of the key parameters used to derived a
set of ports.
3. Various types of algorithms
Currently, the port set definition algorithms can be classified into
three categories: GMA style, Mask/Value style and cryptographical
style.
3.1. GMA style algorithms
Currently there are three sets of draft support GMA style algorithm:
MAP [I-D.ietf-softwire-map-04], 4rd-U [I-D.ietf-softwire-4rd-04] and,
but they are not exactly all the same.
3.1.1. MAP
In MAP [I-D.ietf-softwire-map-04], a port set can be defined by the
following parameters:
R: sharing ratio;
P: PSID;
M: maximum number of contiguous ports.
To derive a port from the port set, the following equation can be
used:
Port = R * M * j + M * P + i
j is port range index: j = (4096 / M) / R to ((65536 / M) / R) - 1,
if the port numbers (0 - 4095) are excluded.
Tsou, et al. Expires September 15, 2013 [Page 4]
Internet-Draft Port Set Algorithms Analysis March 2013
i is the port index in a sub port set, i = 0 to M-1;
To derive the PSID from a given port:
PSID = (floor(Port/M)) % R, where % is the modulus operator.
Parameter M is to generate non-continuous ports sets, rather than a
single continuous port set, which brings better sercurity. If M=1, a
single continuous port set is defined.
PSID will be encoded in the IPv6 address, as shown in Figure 1 and
Figure 2.
0 8 15
+---------------+----------+------+-------------------+
| P |
----------------+-----------------+-------------------+
| A (j) | PSID (K) | M (i) |
+---------------+----------+------+-------------------+
|<----a bits--->|<-----k bits---->|<------m bits----->|
Figure 1: Bit representation
| 32 bits | | 16 bits |
+--------------------------+ +-------------------+
| IPv4 destination address | | IPv4 dest port |
+--------------------------+ +-------------------+
: : ___/ :
| p bits | / q bits :
+----------+ +------------+
|IPv4 sufx| |Port-Set ID |
+----------+ +------------+
\ / ____/ ________/
\ : __/ _____/
\ : / /
| n bits | o bits | m bits | 128-n-o-m bits |
+--------------------+-----------+---------+------------+----------+
| Rule IPv6 prefix | EA bits |subnet ID| interface ID |
+--------------------+-----------+---------+-----------------------+
|<--- End-user IPv6 prefix --->|
Figure 2: Deriving of MAP IPv6 address
Tsou, et al. Expires September 15, 2013 [Page 5]
Internet-Draft Port Set Algorithms Analysis March 2013
3.1.2. 4rd-U
In 4rd-U [I-D.ietf-softwire-4rd-04], PSID itself is sufficient for
defining a port set, as shown in Figure 3.
To derive the PSID from a given port, it only needs to take out the
PSID bits from the 16bit port number.
+--------------------------------------------+
| CE IPv6 prefix |
+--------------------------+-----------------+
: Longest match : :
: with a Rule IPv6 prefix : :
: || : :
: \/ : EA-bits length :
+--------------------------+ | :
| Rule IPv6 prefix |<----'---->:<-.->:
+--------------------------+ : \
|| : : Length of the
\/ : : Rule IPv6 suffix
+-----------------+-----------+(if the rule has one)
|Rule IPv4 prefix | EA bits |
+-----------------+-----------+
: :
+-----------------------------+
| CE 4rd IPv4 prefix |
+-----------------------------+
________/ \_________ :
/ \ :
: ____:________________/ \__
: / : \
: =< 32 : : > 32 :
+----------------+ +-----------------+----+
|IPv4 prfx or add| OR | IPv4 address |PSID|
+----------------+ +-----------------+----+
: 32 : || :
\/
(by default) (If WKPs authorized)
: : : :
+---+----+---------+ +----+-------------+
Ports in |> 0|PSID|any value| OR |PSID| any value |
the CE port set +---+----+---------+ +----+-------------+
: 4 : 12 : : 16 :
Figure 3: From CE IPv6 prefix to 4rd IPv4 address and Port set
Tsou, et al. Expires September 15, 2013 [Page 6]
Internet-Draft Port Set Algorithms Analysis March 2013
3.1.3. Summary
-------------------------------+-------------------------
Port set type | no-continuous
-------------------------------+-------------------------
Stateless | yes
-------------------------------+-------------------------
Security | good
-------------------------------+-------------------------
Implementation | easy
-------------------------------+-------------------------
Friendliness for NAT44 | yes
-------------------------------+-------------------------
Sharing ratio | up to 2^12
-------------------------------+-------------------------
Revert calculation from |
port number to PSID at BR | yes
-------------------------------+-------------------------
Exclude well known ports | yes, 0~1023 or 0~4095
-------------------------------+-------------------------
1. 4rd-U is a parameter-free algorithm, which is different MAP; while
MAP can provide more variation due to the extra parameter(s). From
the port set definition point of view, MAP and 4rd-U provide the same
level of security.
2. MAP support sharing ratio up to 2^16, although it may not be
necessary.
3.2. Mask/Value style algorithms
[RFC6431] defines an IPCP option to allocate port set to CPEs, as
shown in Figure 4.
[I-D.b4-translated-ds-lite-09] also uses tis type of port set
definition algorithm defined in [I-D.dhc-port-set-option-00].
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M| Reserved | Port Range Value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Port Range Mask |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: IPCP option format
Tsou, et al. Expires September 15, 2013 [Page 7]
Internet-Draft Port Set Algorithms Analysis March 2013
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| OPTION_PORT_SET | option-length |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Port Set Index |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| Port Set Mask |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
Figure 5: DHCP port set option format
The Port Range Value can be encoded in IPv6 address, similar as
parameter PSID in other technologies, e.g. MAP
[I-D.ietf-softwire-map-04].
To derive the Port Range Value from a given port, the port number
should porform bit-and operation with the Port Range Mask.
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Mask
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| | (two significant bits)
v v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0| Port Range Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|x x x 0 x 1 x x x x x x x x x x| Usable ports
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ (x may be set to 0 or 1)
Figure 6: Example of Port Range Mask and Port Range Value
This alogrithm can have some kind of randomization effect by setting
different number of bits and bits at different location in the Port
Range Mask.
This algorithm may have a problem if the well known ports(0~1023 or
0~4096) need to be excluded, it is a bit difficult to achieve that.
But if the operator do not have a specific usage for the well known
ports, then it is OK to allocate those port to end users, just like
other common ports. Some tests have done and prove that is OK.
Tsou, et al. Expires September 15, 2013 [Page 8]
Internet-Draft Port Set Algorithms Analysis March 2013
-------------------------------+----------------------------
Port set type | continuous, no-continuous
-------------------------------+----------------------------
Stateless | yes
-------------------------------+----------------------------
Security | good
-------------------------------+----------------------------
Implementation | easy
-------------------------------+----------------------------
Friendliness for NAT44 | yes
-------------------------------+----------------------------
Sharing ratio | up to 2^16
-------------------------------+----------------------------
Revert calculation from |
port number to PSID at BR | yes
-------------------------------+----------------------------
Exclude well known ports | difficult
-------------------------------+----------------------------
3.3. Cryptographical style algorithms
The cryptographical port set definition algorithm introduced in
[RFC6431] can provide very good security, but it is very difficult to
derive the port set infomation, e.g. the starting point, from a given
port. This algorithm can only be used in stateful scenarios, the BR
must be operated in stateful mode.
In order to use this kind of algorithm in a stateless scenario, the
algorithm must be reversible, that is, with some given information,
it should be able to derive the port set information from a given
port number.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M| Reserved | function |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| starting point | number of delegated ports |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| key K ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: Format of the Cryptographically Random Port Range Option
Tsou, et al. Expires September 15, 2013 [Page 9]
Internet-Draft Port Set Algorithms Analysis March 2013
-------------------------------+----------------------------
Port set type | continuous, no-continuous
-------------------------------+----------------------------
Stateless | No *
-------------------------------+----------------------------
Security | Very good
-------------------------------+----------------------------
Implementation | difficult
-------------------------------+----------------------------
Friendliness for NAT44 | yes
-------------------------------+----------------------------
Sharing ratio | up to 2^16
-------------------------------+----------------------------
Revert calculation from |
port number to PSID at BR | No *
-------------------------------+----------------------------
Exclude well known ports | difficult
-------------------------------+----------------------------
* It may be possible to find a cryptographic algorithm which can be
reversed, e.g. define a reversible one-to-one mapping algorithm. But
that is out the scope of this memo. If strong security is required,
it may be worth giving this topic further study.
4. Conclusion
GMA and value/mask methods are easy to implement and can provide
reasonable security. If high security is desired, cryptographically
random port set can be considered.
5. IANA Considerations
This memo includes no request to IANA.
6. Security Considerations
The port set should be as random as possible, in order to make it
difficult to predict what the next port will be used, to avoid some
potential TCP attack [RFC6056].
7. References
Tsou, et al. Expires September 15, 2013 [Page 10]
Internet-Draft Port Set Algorithms Analysis March 2013
7.1. Normative References
[I-D.dhc-port-set-option-00]
Sun, Q., Li, Y., Sun, Q., Bajko, G., and M. Boucadair,
"Dynamic Host Configuration Protocol (DHCP) Option for
Port Set Assignment (Work in progress)", Oct 2012.
[I-D.ietf-softwire-4rd-04]
Jiang, S., Despres, R., Penno, R., Lee, Y., Chen, G., and
M. Chen, "IPv4 Residual Deployment via IPv6 - a unified
Stateless Solution (4rd) (Work in progress)", Oct 2012.
[I-D.ietf-softwire-map-04]
Troan, O., Dec, W., Li, X., Bao, C., Matsushima, S., and
T. Murakami, "Mapping of Address and Port (MAP) (Work in
progress)", Feb 2013.
[RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport-
Protocol Port Randomization", BCP 156, RFC 6056,
January 2011.
[RFC6431] Boucadair, M., Levis, P., Bajko, G., Savolainen, T., and
T. Tsou, "Huawei Port Range Configuration Options for PPP
IP Control Protocol (IPCP)", RFC 6431, November 2011.
7.2. Informative References
[I-D.b4-translated-ds-lite-09]
Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Li, Y., and I.
Farrer, "Mapping of Address and Port (MAP) (Work in
progress)", Oct 2012.
[I-D.bsd-softwire-stateless-port-index-analysis]
Boucadair, M., Skoberne, N., and W. Dec, "Analysis of Port
Indexing Algorithms", Sept 2011.
Authors' Addresses
Tina Tsou (editor)
Huawei Technologies (USA)
2330 Central Expressway
Santa Clara CA 95050
USA
Phone: +1 408 330 4424
Email: tina.tsou.zouting@huawei.com
Tsou, et al. Expires September 15, 2013 [Page 11]
Internet-Draft Port Set Algorithms Analysis March 2013
Tetsuya Murakami
IP Infusion
1188 East Arques Avenue
Sunnyval
USA
Email: tetsuya@ipinfusion.com
Simon Perreault
Viagenie
246 Aberdeen
Quebec, QC G1R 2E1
Canada
Phone: +1 418 656 9254
Email: simon.perreault@viagenie.ca
URI: http://viagenie.ca
Tsou, et al. Expires September 15, 2013 [Page 12]