Network working group D. Cheng
Internet Draft Huawei Technologies
Category: Standards Track
Expires: August 28, 2011
February 28, 2011
RADIUS Extensions for NAT Forwarding Port
draft-cheng-behave-nat-fwd-port-radius-ext-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document.
Cheng Expires August 28 2011 [Page 1]
Internet-Draft RADIUS Extensions for NAT Forwarding Port February 2011
Abstract
This memo proposes two new RADIUS attributes with each to carry
an Internal Port number and a Configured External Port number,
both are associated with a specific NAT device and a specific user,
and are configured on a RADIUS server such that when the user
requests an Internet connection, the port mapping information can
be conveyed to NAS that co-locates with the NAT device via RADIUS
protocol, and is used during the NAT operation for IP flows to and
from that user. The two attributes also include an IPv4 address or
IPv6 address, respectively, as the pinhole internal IP address at
the NAT device.
Table of Contents
1. Introduction....................................................2
2. Terminology.....................................................3
3. Operation.......................................................3
4. RADIUS Attributes...............................................5
5. Table of Attributes.............................................7
6. Security........................................................8
7. IANA Considerations.............................................8
8. Acknowledgements................................................8
9. References......................................................8
9.1. Normative References.......................................8
9.2. Informative References.....................................8
10. Authors' Addresses.............................................9
1. Introduction
In most of the scenarios, the port mapping on a NAT device is
dynamically created when the IP packets of an IP connection
initiated by a user arrives. For some applications, the port
mapping needs to be pre-defined allowing IP packets of
applications from outside a NAT device to pass through and
"port forwarded" to the correct user located behind the NAT
device.
Port Control Protocol or PCP ([I-D.draft-ietf-pcp-base]),
provides a mechanism to create pinholes from an external IP
address to an internal IP address and port on a NAT device
just to achieve the "port forwarding" purpose. PCP is a
server-client protocol capable of creating or deleting a pinhole
along with a rich set of features on a NAT device in dynamic
fashion. In some deployment, all users need is a few, typically
just one pre-configured port mapping for applications such
Cheng Expires August 28 2011 [Page 2]
Internet-Draft RADIUS Extensions for NAT Forwarding Port February 2011
as web cam at home, and the lifetime of such a port mapping
remains valid throughout the duration of the customer's Internet
service connection time. In such an environment, it is possible
to statically configure a port mapping on the RADIUS server for
a user and let the RADIUS protocol to propagate the information
to the associated NAT device.
In a broadband network, customer information is usually stored
on a RADIUS server and at the time when a user initiates an
Internet service request, the RADIUS server will populate
the user's configuration information to the NAS, which is
usually co-located with the BNG, after the connection
request is granted. In many cases, the NAT function is also on
the BNG, and therefore the port forwarding information can be
configured on the RADIUS server as part of the user profile.
This memo proposes two new RADIUS attributes to carry Internal
Port number and Configured External Port number, both are associated
with a specific NAT device and a specific user, with an IPv4
address or IPv6 address as the pinhole internal address,
respectively, and are configured on a RADIUS server such that
when the user requests an Internet connection, the port mapping
information can be conveyed to the NAS that co-locates with the
NAT device via RADIUS protocol, and is used during the NAT operation
for IP flows to and from that user.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Operation
Port mapping information for NAT for a user (e.g., a CPE or host)
is configured on a RADIUS server, along with other user information
such as credentials. The port mapping information that is to be
used during the NAT procedure is going to be populated from
the RADIUS server to the NAT device using RADIUS protocol.
In Figure-1, a Network Access Server (NAS), co-located with a NAT
device on a BNG, operates as a RADIUS client. The NAT device that
resides on the BNG performs a single NAT (or firewall) function
such as NAT44, NAT64, etc.
When the user sends a service request, the NAS on the BNG sends
a RADIUS Access-Request message to the RADIUS server, requesting
Cheng Expires August 28 2011 [Page 3]
Internet-Draft RADIUS Extensions for NAT Forwarding Port February 2011
authentication. Once the RADIUS server receives the request, it
validates the sending client and if the request is approved, the
RADIUS server replies with an Access-Accept message including a
list of attribute-value pairs that describe the parameters to be
used for this connection, including the port forwarding mapping
specifically configured for the user.
When the RADIUS Access-Accept message arrived at the BNG, the
port mapping information is used to create a pinhole on the NAT,
along with the associated pinhole internal IP address, and also the
external IP address, when it becomes available, for the specific
user. A service granted message is then sent to the user, and after
that point, IP packets from application initiated from network side
(e.g., web cam) can be "port forwarded" by the NAT on the BNG to
the user that is behind the NAT. IP packets belonging to the same
flow but on opposite direction also traverse the same pinhole.
User NAT/NAS AAA
| BNG Server
| | |
|----Service Request------>| |
| | |
| |---------Access-Request------->|
| | |
| |.-------Access-Accept---------|
| | (Nat-IPv4-Port-Forwarding-Map)|
| | (Nat-IPv6-Port-Forwarding-Map)|
|<---Service Granted ------| |
| (other parameters) | |
| | |
| (Create a port mapping |
| for the user, and |
| associate it with the |
| internal IP address |
| and external IP address) |
| | |
| | |
| |------Accounting-Request------>|
| | (Nat-IPv4-Port-Forwarding-Map)|
| | (Nat-IPv6-Port-Forwarding-Map)|
DHCP/PPP RADIUS
Figure 1: RADIUS Message Flow
Cheng Expires August 28 2011 [Page 4]
Internet-Draft RADIUS Extensions for NAT Forwarding Port February 2011
When an IP packet travels from behind the NAT outwards (outbound),
the NAT must change the source port number, i.e., the internal port
to the configured external port, and when an IP packet travels from
outside to the inside of the NAT (inbound), the NAT must change the
target port number, i.e., the configured external port to the
internal port.
Note that the service request that is initiated by a user can be
associated with a PPP session or relevant DHCPv4/DHCPv6 message,
with the same communication sequence between the RADIUS server and
the NAS, and the installation of the port mapping on the NAT. Also,
there may be different mechanisms as how an internal IP address and
an external IP address (in the context of the NAT) assigned
or determined, respectively, on the NAT for a specific user, but the
forwarding port mapping information will remain the same as
configured on the RADIUS server and is bonded to the specific user
with one of its specific IP address.
A port mapping, once created on the NAT, will remain permanently
in the duration of the user's Internet connection. When the
connection is torn down, the mapping on the NAT must then be
removed accordingly.
In the NAT444 scenario, in order to allow an IPv4 packet generated
from outside of the BNG reaching the user, a forwarding port mapping
is required on the NAT residing on the BNG as described above, but
a separate forwarding port mapping is required on the user, typically
a CPE, and in addition, the two sets of mapping need to be
coordinated, so that an inbound IP packet, i.e., from outside of the
BNG destined to the user, will successfully traverse two NATs before
arriving at the user. The required mechanism for the NAT444 case is
out of the scope of this document.
4. RADIUS Attributes
Two new RADIUS attributes are defined in this document, for IPv4
address and IPv6 address as the NAT pinhole internal address,
respectively.
NAT-IPv4-Forwarding-Port-Map Attribute (Figure-2)
NAT-IPv6-Forwarding-Port-Map Attribute (Figure-3)
Description
Both of the two attributes contain a 16-bit Internal Port that
identifies the source TCP/UDP port number of an IP packet sent
by the user, or the destination port number of an IP packet destined
Cheng Expires August 28 2011 [Page 5]
Internet-Draft RADIUS Extensions for NAT Forwarding Port February 2011
to the user, and in both cases, the IP packet travels behind the
NAT device. Also they contain a 16-bit Configured External Port that
identifies the source TCP/UDP port number of an IP packet sent
by the user, or the destination port number of an IP packet
destined to the user, and in both cases, the IP packet travels
outside of the NAT device. In addition, the two attributes contain
a 32-bit IPv4 address or 128-bit IPv6 address, respectively, as
their respective NAT pinhole's internal IP address. Together, the
port pair and IP address determine the port mapping rule for a
specific IP flow that traverses a NAT device.
The attribute MAY appear in an Access-Accept packet, and may also
appear in an Accounting-Request packet. In either case, the attribute
MUST NOT appear more than once in a single packet.
Neither of these attributes MUST NOT appear in any other RADIUS
packets.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Internal Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Configured External Port | Pinhole Internal IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Figure-2 Nat-IPv4-Forwarding-Port-Map Attribute Format
These fields are described below:
Type
Type for NAT-IPv4-Forwarding-Port-Map (value is TBD)
Length
8 octets
Internal Port
Internal port for the pinhole
Configured External Port
External port for the pinhole
Cheng Expires August 28 2011 [Page 6]
Internet-Draft RADIUS Extensions for NAT Forwarding Port February 2011
Pinhole IPv4 Address
The internal IPv4 address at the pinhole
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Internal Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Configured External Port | Pinhole Internal IPv6 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv6 Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| IPv6 Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| IPv6 Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
| IPv6 Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Figure-3 Nat-IPv6-Forwarding-Port-Map Attribute Format
These fields are described below:
Type
Type for NAT-IPv6-Forwarding-Port-Map (value is TBD)
Length
20 octets
Internal Port
Internal port for the pinhole
Configured External Port
External port for the pinhole
Pinhole IPv6 Address
The internal IPv6 address at the pinhole
5. Table of Attributes
The following table provides a guide as the attributes may be
found in which kinds of packets, and in what quantity.
Cheng Expires August 28 2011 [Page 7]
Internet-Draft RADIUS Extensions for NAT Forwarding Port February 2011
Request Accept Reject Challenge Accounting # Attribute
0-1 0-1 0 0 0-1 TBD NAT-IPv4-Forwarding-Port-Map
0-1 0-1 0 0 0-1 TBD NAT-IPv6-Forwarding-Port-Map
The meaning of the above table entries is as follows:
0 This attribute MUST NOT be present.
0-1 Zero or one instance of this attribute MAY be present.
6. Security
Security problems of the RADIUS protocol are discussed in [RFC2865].
7. IANA Considerations
This document requires the assignment of new RADIUS attribute
numbers for the following attributes:
NAT-IPv4-Forwarding-Port-Map
NAT-IPv6-Forwarding-Port-Map
8. Acknowledgements
Thanks to Dan Wing who provided some useful comments.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", RFC2865,
June 2000.
9.2. Informative References
[I-D.draft-ietf-pcp-base] Wing, D., "Port Control Protocol
(PCP), draft-ietf-pcp-base-05, work in progress.
Cheng Expires August 28 2011 [Page 8]
Internet-Draft RADIUS Extensions for NAT Forwarding Port February 2011
10. Authors' Addresses
Dean Cheng
Huawei Technologies
2330 Central Expressway, CA 95050, USA
Phone:+1 408 330 4754
Email: dean.cheng@huawei.com
Cheng Expires August 28 2011 [Page 9]