Network Working Group G. Chen
Internet-Draft China Mobile
Intended status: Informational February 18, 2013
Expires: August 22, 2013
Analysis of CGN Port Allocation Method
draft-chen-sunset4-cgn-port-allocation-00
Abstract
The document enumerated methods of port assignment in CGN contexts.
The analysis categorized the different methods with several key
features. Corresponding to those features, the uses of existing
protocols are also described. The potential concerns and workaround
have been discussed. It's expected the document could provide a
informative base line to help operators choosing a proper method.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 22, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Chen Expires August 22, 2013 [Page 1]
Internet-Draft cgn-port February 2013
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Port Allocation Management . . . . . . . . . . . . . . . . . . 3
2.1. NAT vs NAPT . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Dynamic vs Static . . . . . . . . . . . . . . . . . . . . . 4
2.3. Centralized vs Distributed . . . . . . . . . . . . . . . . 5
3. Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chen Expires August 22, 2013 [Page 2]
Internet-Draft cgn-port February 2013
1. Introduction
With the depletion of IPv4 address, CGN has been adopted by ISPs to
expand IPv4 spaces. Relying upon the mechanism of multiplexing
multiple subscribers' connections over a smaller number of shared
IPv4 addresses, CGN mapped IP addresses from one address realm to
another, providing transparent routing to end hosts.
[I-D.ietf-behave-lsn-requirements] defined the term of CGN. Several
proposals including DS-Lite, NAT64, NAT444 would likely fall into the
scope. [RFC6269] has provided a thoughtful analysis on the issues of
IP sharing. It was point out that those IP sharing bring the impacts
to law enforcement since the information of source address would be
lost during the translation. Network administrators have to log the
mapping status for each connection in order to identify a specific
user associated with an IP address. It would post a challenge to
operators, since it requires additional storage resource and data
inspection process for indentifying the real users. It's desirable
to compact the logging information by a rational port allocation.
Those allocation policies should consider the tradeoff between port
utilization and log storage compression. The document is trying to
enumerate the several dimensions for assigning the port information.
It's expected administrator could use those factors to determine
their own properties.
2. Port Allocation Management
This section lists several factors to allocate the port information
for CGN equipments. It likely that each allocation model would have
an exemplified case. The relevant issues and potential workarounds
have also been described for each aspect.
2.1. NAT vs NAPT
CGN may not do Network Address Port Translation (NAPT), but only
Network Address Translation (NAT). In those cases, there is no
concern about port assignment. Those translation methods would
relieve the demands of log information storage, since NAT does not
have to administer address management with session flows.
Furthermore, there is no requirement to maintain log when CGN
performing stateless translations. Some existing practices are
listed below from two aspects.
o Stateful NAT
The stateful NAT can be implemented either by static address
translation or dynamic address translation.
Chen Expires August 22, 2013 [Page 3]
Internet-Draft cgn-port February 2013
In the case of static address assignment, one-to-one address mapping
for hosts between a private network address and an external network
address would be pre-configured on the NAT operation. Those cases
normally occurred when a server deployed in a internal domain. The
static configuration ensure the stable inbound connectivity. The
static method is also easier for Lawful interception system to derive
the mapped address, since the mapping didn't change with time.
Dynamic address assignment would periodically free the binding so
that the global address could be recycled for later uses. Addresses
could be more efficiently used by time-division manner. It only
requires systems maintaining mappings for per-customer, other than
per-session flow. This method is usually adopted to reduce the log
burden in some protocols.
o Stateless NAT
The stateless NAT is performed in compliant with [RFC6145]. Public
IPv4 address is required to be inserted in IPv6 address. Therefore,
CGN could directly extract the address and no need to record mapping
states. The lawful interception could likely indentify the IPv4
address through received IPv6 address. It's a protocol to eliminate
the log information storage. There are two potential concerns for
those technologies. First off, the static one-to-one mapping may
didn't address the issue of IPv4 depletion. Secondly, it introduced
the dependency of IPv4/IPv6. That would create new limitations since
the change of IPv4 address would cause renumbering of IPv6 addresses.
Whereas, that is useful for the IDC migration where there is IPv6
servers pools to receive inbound connections from IPv4 users
externally[I-D.anderson-siit-dc].
2.2. Dynamic vs Static
When the case comes to port assignment, there are two methods for
port allocations.
o Dynamic assignment
CGN normally do the dynamic assignment. In respect to the received
connections, ports can be allocated to each sessions. NAT64, DS-Lite
and NAT444 would do the dynamic approach by default, since it
achieves maximum port utilization. One downside for this approach is
CGN has to record log information for each session. That would
potential increase the log volume. There is a statistic from field
trials that the average number of connections per customer per day at
approximately 10,000 connections. If log system is required to store
information for 180 days, the testing shown that the amount of data
records would achieve 20T.
Chen Expires August 22, 2013 [Page 4]
Internet-Draft cgn-port February 2013
o Static assignment
The static assignment make a bulk of port reservation for a specific
address. The bulk of port could be either a contiguous or non-
contiguous port range for sake of attacks defense.
[I-D.donley-behave-deterministic-cgn]has described a deterministic
NAT to reserve a port range for each specific IP address. That is a
significant improvement for lightening log volume. However, a trade-
off should be made when administor has to consider the port
utilization. For the administor who prioritize the port utilization,
dynamic assignment maybe a suitable solution for them. Another
consideration is using Address-Dependent Mapping or Address and Port-
Dependent Mapping[RFC4787] to increase the port utilization. This
feature has already been implemented as vendor-specific features.
Whereas, it should be noted that REQ-7, REQ-12
in[I-D.ietf-behave-lsn-requirements] may reduce the needs.
2.3. Centralized vs Distributed
The port allocation can be managed as a centralized way on CGN or
distributed to downstream devices(e.g, CPE connected with CGN) .
o Centralized Assignment
A centralized method would make port assignment when traffic come to
CGN box. The allocation policy is enforced on CGN. CGN make either
a dynamic or static port assignment to the received session.
o Distributed Assignment
CGN could also delegate the pre-allocated port range to customer edge
devices. That can be achieved through additional out-band
provisioning signals(e.g.[I-D.ietf-pcp-base]
,[I-D.tsou-pcp-natcoord][I-D.ietf-softwire-map-dhcp]). The
distributed model normally performed A+P for static port assignment.
CGN should hold the corresponding mapping in accordance with assigned
ports. Those methods would shift CGN port computation into
downstream devices. The detailed benefits to CGN was documented in
[I-D.ietf-softwire-stateless-4v6-motivation].
3. Discussions
With demands of reducing log volume, there are several approaches of
port assignment described in the aforementioned section. It could be
found that a trade-off between maximum port utilization and log
volume always exist regarding justifications of different solutions.
In respect to difference of port assignment, the granularity of log
Chen Expires August 22, 2013 [Page 5]
Internet-Draft cgn-port February 2013
could be ranked as per-session, per-port-bulk, per-customer and None.
With the reduction of log volume, port utilization is likely
decreased. Therefore, the decision should be made if there is a
quantitative statistic to evaluate what is gain from reducing log
volume and loss from decreasing port utilization. Those data
analysis is planned to be added after further lab testing. Operators
could choose the proper method considering following:
o Average connectivities per customer per day
o Peak connectivities per day
o The amount of public IPv4 address in CGN
o Application demands for specific ports
o The parallel processing capabilities of CGN
o The tolerance of Log volume
4. Security Considerations
TBD
5. IANA Considerations
This document makes no request of IANA.
6. References
6.1. Normative References
[I-D.ietf-pcp-base]
Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)",
draft-ietf-pcp-base-29 (work in progress), November 2012.
[I-D.ietf-softwire-map-dhcp]
Mrugalski, T., Troan, O., Bao, C., Dec, W., and L. Yeh,
"DHCPv6 Options for Mapping of Address and Port",
draft-ietf-softwire-map-dhcp-01 (work in progress),
August 2012.
[RFC4787] Audet, F. and C. Jennings, "Network Address Translation
(NAT) Behavioral Requirements for Unicast UDP", BCP 127,
Chen Expires August 22, 2013 [Page 6]
Internet-Draft cgn-port February 2013
RFC 4787, January 2007.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, April 2011.
6.2. Informative References
[I-D.anderson-siit-dc]
Anderson, T., "Stateless IP/ICMP Translation in IPv6 Data
Centre Environments", draft-anderson-siit-dc-00 (work in
progress), November 2012.
[I-D.donley-behave-deterministic-cgn]
Donley, C., Grundemann, C., Sarawat, V., Sundaresan, K.,
and O. Vautrin, "Deterministic Address Mapping to Reduce
Logging in Carrier Grade NAT Deployments",
draft-donley-behave-deterministic-cgn-05 (work in
progress), January 2013.
[I-D.ietf-behave-lsn-requirements]
Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
and H. Ashida, "Common requirements for Carrier Grade NATs
(CGNs)", draft-ietf-behave-lsn-requirements-10 (work in
progress), December 2012.
[I-D.ietf-softwire-stateless-4v6-motivation]
Boucadair, M., Matsushima, S., Lee, Y., Bonness, O.,
Borges, I., and G. Chen, "Motivations for Carrier-side
Stateless IPv4 over IPv6 Migration Solutions",
draft-ietf-softwire-stateless-4v6-motivation-05 (work in
progress), November 2012.
[I-D.tsou-pcp-natcoord]
Sun, Q., Boucadair, M., Deng, X., Zhou, C., Tsou, T., and
S. Perreault, "Using PCP To Coordinate Between the CGN and
Home Gateway", draft-tsou-pcp-natcoord-09 (work in
progress), November 2012.
[RFC6269] Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
Roberts, "Issues with IP Address Sharing", RFC 6269,
June 2011.
Chen Expires August 22, 2013 [Page 7]
Internet-Draft cgn-port February 2013
Author's Address
Gang Chen
China Mobile
53A,Xibianmennei Ave.,
Xuanwu District,
Beijing 100053
China
Email: phdgang@gmail.com
Chen Expires August 22, 2013 [Page 8]