Network Working Group                                            G. Chen
Internet-Draft                                              China Mobile
Intended status: Informational                         February 18, 2013
Expires: August 22, 2013

                 Analysis of CGN Port Allocation Method


   The document enumerated methods of port assignment in CGN contexts.
   The analysis categorized the different methods with several key
   features.  Corresponding to those features, the uses of existing
   protocols are also described.  The potential concerns and workaround
   have been discussed.  It's expected the document could provide a
   informative base line to help operators choosing a proper method.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 22, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

Chen                     Expires August 22, 2013                [Page 1]

Internet-Draft                  cgn-port                   February 2013

   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Port Allocation Management  . . . . . . . . . . . . . . . . . . 3
     2.1.  NAT vs NAPT . . . . . . . . . . . . . . . . . . . . . . . . 3
     2.2.  Dynamic vs Static . . . . . . . . . . . . . . . . . . . . . 4
     2.3.  Centralized vs Distributed  . . . . . . . . . . . . . . . . 5
   3.  Discussions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
     6.1.  Normative References  . . . . . . . . . . . . . . . . . . . 6
     6.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chen                     Expires August 22, 2013                [Page 2]

Internet-Draft                  cgn-port                   February 2013

1.  Introduction

   With the depletion of IPv4 address, CGN has been adopted by ISPs to
   expand IPv4 spaces.  Relying upon the mechanism of multiplexing
   multiple subscribers' connections over a smaller number of shared
   IPv4 addresses, CGN mapped IP addresses from one address realm to
   another, providing transparent routing to end hosts.
   [I-D.ietf-behave-lsn-requirements] defined the term of CGN.  Several
   proposals including DS-Lite, NAT64, NAT444 would likely fall into the
   scope.  [RFC6269] has provided a thoughtful analysis on the issues of
   IP sharing.  It was point out that those IP sharing bring the impacts
   to law enforcement since the information of source address would be
   lost during the translation.  Network administrators have to log the
   mapping status for each connection in order to identify a specific
   user associated with an IP address.  It would post a challenge to
   operators, since it requires additional storage resource and data
   inspection process for indentifying the real users.  It's desirable
   to compact the logging information by a rational port allocation.
   Those allocation policies should consider the tradeoff between port
   utilization and log storage compression.  The document is trying to
   enumerate the several dimensions for assigning the port information.
   It's expected administrator could use those factors to determine
   their own properties.

2.  Port Allocation Management

   This section lists several factors to allocate the port information
   for CGN equipments.  It likely that each allocation model would have
   an exemplified case.  The relevant issues and potential workarounds
   have also been described for each aspect.

2.1.  NAT vs NAPT

   CGN may not do Network Address Port Translation (NAPT), but only
   Network Address Translation (NAT).  In those cases, there is no
   concern about port assignment.  Those translation methods would
   relieve the demands of log information storage, since NAT does not
   have to administer address management with session flows.
   Furthermore, there is no requirement to maintain log when CGN
   performing stateless translations.  Some existing practices are
   listed below from two aspects.

   o  Stateful NAT

   The stateful NAT can be implemented either by static address
   translation or dynamic address translation.

Chen                     Expires August 22, 2013                [Page 3]

Internet-Draft                  cgn-port                   February 2013

   In the case of static address assignment, one-to-one address mapping
   for hosts between a private network address and an external network
   address would be pre-configured on the NAT operation.  Those cases
   normally occurred when a server deployed in a internal domain.  The
   static configuration ensure the stable inbound connectivity.  The
   static method is also easier for Lawful interception system to derive
   the mapped address, since the mapping didn't change with time.

   Dynamic address assignment would periodically free the binding so
   that the global address could be recycled for later uses.  Addresses
   could be more efficiently used by time-division manner.  It only
   requires systems maintaining mappings for per-customer, other than
   per-session flow.  This method is usually adopted to reduce the log
   burden in some protocols.

   o  Stateless NAT

   The stateless NAT is performed in compliant with [RFC6145].  Public
   IPv4 address is required to be inserted in IPv6 address.  Therefore,
   CGN could directly extract the address and no need to record mapping
   states.  The lawful interception could likely indentify the IPv4
   address through received IPv6 address.  It's a protocol to eliminate
   the log information storage.  There are two potential concerns for
   those technologies.  First off, the static one-to-one mapping may
   didn't address the issue of IPv4 depletion.  Secondly, it introduced
   the dependency of IPv4/IPv6.  That would create new limitations since
   the change of IPv4 address would cause renumbering of IPv6 addresses.
   Whereas, that is useful for the IDC migration where there is IPv6
   servers pools to receive inbound connections from IPv4 users

2.2.  Dynamic vs Static

   When the case comes to port assignment, there are two methods for
   port allocations.

   o  Dynamic assignment

   CGN normally do the dynamic assignment.  In respect to the received
   connections, ports can be allocated to each sessions.  NAT64, DS-Lite
   and NAT444 would do the dynamic approach by default, since it
   achieves maximum port utilization.  One downside for this approach is
   CGN has to record log information for each session.  That would
   potential increase the log volume.  There is a statistic from field
   trials that the average number of connections per customer per day at
   approximately 10,000 connections.  If log system is required to store
   information for 180 days, the testing shown that the amount of data
   records would achieve 20T.

Chen                     Expires August 22, 2013                [Page 4]

Internet-Draft                  cgn-port                   February 2013

   o  Static assignment

   The static assignment make a bulk of port reservation for a specific
   address.  The bulk of port could be either a contiguous or non-
   contiguous port range for sake of attacks defense.
   [I-D.donley-behave-deterministic-cgn]has described a deterministic
   NAT to reserve a port range for each specific IP address.  That is a
   significant improvement for lightening log volume.  However, a trade-
   off should be made when administor has to consider the port
   utilization.  For the administor who prioritize the port utilization,
   dynamic assignment maybe a suitable solution for them.  Another
   consideration is using Address-Dependent Mapping or Address and Port-
   Dependent Mapping[RFC4787] to increase the port utilization.  This
   feature has already been implemented as vendor-specific features.
   Whereas, it should be noted that REQ-7, REQ-12
   in[I-D.ietf-behave-lsn-requirements] may reduce the needs.

2.3.  Centralized vs Distributed

   The port allocation can be managed as a centralized way on CGN or
   distributed to downstream devices(e.g, CPE connected with CGN) .

   o  Centralized Assignment

   A centralized method would make port assignment when traffic come to
   CGN box.  The allocation policy is enforced on CGN.  CGN make either
   a dynamic or static port assignment to the received session.

   o  Distributed Assignment

   CGN could also delegate the pre-allocated port range to customer edge
   devices.  That can be achieved through additional out-band
   provisioning signals(e.g.[I-D.ietf-pcp-base]
   ,[I-D.tsou-pcp-natcoord][I-D.ietf-softwire-map-dhcp]).  The
   distributed model normally performed A+P for static port assignment.
   CGN should hold the corresponding mapping in accordance with assigned
   ports.  Those methods would shift CGN port computation into
   downstream devices.  The detailed benefits to CGN was documented in

3.  Discussions

   With demands of reducing log volume, there are several approaches of
   port assignment described in the aforementioned section.  It could be
   found that a trade-off between maximum port utilization and log
   volume always exist regarding justifications of different solutions.
   In respect to difference of port assignment, the granularity of log

Chen                     Expires August 22, 2013                [Page 5]

Internet-Draft                  cgn-port                   February 2013

   could be ranked as per-session, per-port-bulk, per-customer and None.
   With the reduction of log volume, port utilization is likely
   decreased.  Therefore, the decision should be made if there is a
   quantitative statistic to evaluate what is gain from reducing log
   volume and loss from decreasing port utilization.  Those data
   analysis is planned to be added after further lab testing.  Operators
   could choose the proper method considering following:

   o  Average connectivities per customer per day

   o  Peak connectivities per day

   o  The amount of public IPv4 address in CGN

   o  Application demands for specific ports

   o  The parallel processing capabilities of CGN

   o  The tolerance of Log volume

4.  Security Considerations


5.  IANA Considerations

   This document makes no request of IANA.

6.  References

6.1.  Normative References

              Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
              Selkirk, "Port Control Protocol (PCP)",
              draft-ietf-pcp-base-29 (work in progress), November 2012.

              Mrugalski, T., Troan, O., Bao, C., Dec, W., and L. Yeh,
              "DHCPv6 Options for Mapping of Address and Port",
              draft-ietf-softwire-map-dhcp-01 (work in progress),
              August 2012.

   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,

Chen                     Expires August 22, 2013                [Page 6]

Internet-Draft                  cgn-port                   February 2013

              RFC 4787, January 2007.

   [RFC6145]  Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
              Algorithm", RFC 6145, April 2011.

6.2.  Informative References

              Anderson, T., "Stateless IP/ICMP Translation in IPv6 Data
              Centre Environments", draft-anderson-siit-dc-00 (work in
              progress), November 2012.

              Donley, C., Grundemann, C., Sarawat, V., Sundaresan, K.,
              and O. Vautrin, "Deterministic Address Mapping to Reduce
              Logging in Carrier Grade NAT Deployments",
              draft-donley-behave-deterministic-cgn-05 (work in
              progress), January 2013.

              Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
              and H. Ashida, "Common requirements for Carrier Grade NATs
              (CGNs)", draft-ietf-behave-lsn-requirements-10 (work in
              progress), December 2012.

              Boucadair, M., Matsushima, S., Lee, Y., Bonness, O.,
              Borges, I., and G. Chen, "Motivations for Carrier-side
              Stateless IPv4 over IPv6 Migration Solutions",
              draft-ietf-softwire-stateless-4v6-motivation-05 (work in
              progress), November 2012.

              Sun, Q., Boucadair, M., Deng, X., Zhou, C., Tsou, T., and
              S. Perreault, "Using PCP To Coordinate Between the CGN and
              Home Gateway", draft-tsou-pcp-natcoord-09 (work in
              progress), November 2012.

   [RFC6269]  Ford, M., Boucadair, M., Durand, A., Levis, P., and P.
              Roberts, "Issues with IP Address Sharing", RFC 6269,
              June 2011.

Chen                     Expires August 22, 2013                [Page 7]

Internet-Draft                  cgn-port                   February 2013

Author's Address

   Gang Chen
   China Mobile
   53A,Xibianmennei Ave.,
   Xuanwu District,
   Beijing  100053


Chen                     Expires August 22, 2013                [Page 8]